BCM vs ERM: The Business Case for Integration..
ARiMI – Asia Risk Management Institute
By MARC RONEZ, Chief Risk Strategist & Master Coach, Asia Risk Management Institute
BCM vs ERM: The Business Case for Integrating Business Continuity & Enterprise Risk Management
Business Continuity Management Award 2013, 24 January 2013
Agenda for this Session
Explore and discuss the ‘business case’ for integrating Business Continuity Management (BCM) & Enterprise Risk Management (ERM).
- Conflicts & competition between ERM & BCM functions
- Comparing the ERM & BCM frameworks, processes & practices
- Convergence of the ERM and BCM agendas
- Understanding the life-cycle from risk issues to business disruptions & crises
- Strengthening value creation & sustainability by integrating BCM & ERM
BCM vs ERM – Marc Ronez - Copyright @ ARiMI 2013 2
Risks & Crises.. BCM or ERM issues?
Examples on the slide: terrorism, diseases, earthquake, pollution, bank run, subprime explosion, NGO attack, lawsuits.
Conflicts between ERM & BCM
ERM vs BCM:
- Separate, often competing functions in organizations
- Overlapping areas of responsibility
- Different objectives, focus & methodological approaches
Different Origins for ERM & BCM
- ERM grew out of insurance buying / hazard risk management.
- BCM grew out of IT departments, with the IT disaster recovery program.
Both ERM & BCM have seen tremendous scope expansion and methodological development.
Expanding the scope of ERM
[Figure: three widening risk domains, Financial & Hazard, Operational, Strategic, and the matching shift in purpose: from protecting against financial losses, to protecting & sustaining operations, to creating value with effective risk-taking & management.]
➜ From value PROTECTION to value CREATION, expanding to all risk domains
ERM: Manage risks & opportunities effectively to ensure achievement of corporate objectives.
Expanding the scope of BCM
[Figure: the functions that now fall within the scope of BCM - Business Continuity Management: Risk Management, IT Disaster Recovery, Facilities Management, Supply Chain Management, Quality Management, Health & Safety, Knowledge Management, Emergency Management, Security, and Crisis Communications & PR.]
➜ From RECOVERY to CONTINUITY, and from IT processes to ALL operations & business processes
BCM: MAINTAIN KEY business operations during challenging times.
CATALYST for the ERM & BCM 'Explosion'!
A continuous stream of crises and corporate failures over the past 10-15 years has created strong momentum for risk, crisis & business continuity management concepts.
Examples: 9/11, Fukushima.
The ERM & BCM Explosion!
Failures in managing risks effectively have triggered efforts all over the world by regulators, rating agencies, stock exchanges, institutional investors and corporate governance oversight bodies, which insist that company senior management take greater responsibility for proactively managing risks and critical disruptions on an enterprise-wide scale.
ERM & BCM Best Practices & Standards
BCM standards:
- ISO 22301:2012 - Societal security – Business continuity management systems (International)
- BS 25999 - Business Continuity Management (BSI/UK): Part 1 Code of Practice (2006) & Part 2 Specification (2007)
- SS 540:2008 - BCM Framework & Technical Reference (Singapore)
- NFPA 1600 - Standard on Disaster/Emergency Management and Business Continuity Programs (ANSI/US)
ERM standards:
- ISO 31000:2009 - Risk Management Guideline (International)
- COSO:2004 - Integrated ERM Framework (US)
- AS/NZS 4360:2004 - Risk Management Standard (Australia/NZ)
- HM Treasury's Orange Book:2004 – Management of Risk (UK)
- Rating agencies' frameworks (S&P, Moody's)
ERM vs BCM Area of Focus & Objectives
[Figure: distribution of outcomes on a LOSS (-) to GAIN (+) axis around target performance. Left of the target: expected potential losses, then unexpected catastrophic losses (black swans). Right of the target: expected potential opportunities, then unexpected opportunities (transformational blue swans). ERM is labelled "Create shared sustainable value"; BCM is labelled "Ensure business continuity & societal security".]
Risk can lead to either negative or positive impact, depending on how it is managed.
BCM perspective: How to Define Business Continuity?
Business Continuity is defined in the British Standard for BCM (BS 25999:2006) as:
".. The capability of an organization to plan for and respond to business interruptions in order to continue business operations at an acceptable pre-defined level".
How to understand this definition?
Components of the BS 25999 Definition of Business Continuity
Key components in the definition:
① CAPABILITY to PLAN & RESPOND ➜ Planning & building readiness is essential
② To BUSINESS INTERRUPTION events ➜ Focus on severe to critical threats
③ To MAINTAIN KEY business operations ➜ Focus on key processes and resources
What is Business Continuity Management, then?
The British Standard for BCM (BS 25999:2006) defines it as a "holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities."
BCM – Business Continuity Management Process...
[Figure: the BCM life-cycle, delivering better results]
1 – BCM program management
2 – Understand the organization
3 – Determining BCM strategies
4 – Develop & implement BCM response
5 – Exercise, maintain & review
BCM process – Underlying Focus
1 – Key activities & FUNCTIONS
2 – Business IMPACT analysis
3 – SCREEN based on CRITICALITY (not critical? ➜ the trash bin)
4 – Identify & assess THREATS
5 – Design & implement BCM response
6 – EXERCISING, maintenance & audit
ERM Perspective: How to Define RISK?
Risk is defined in ISO 31000:2009 as:
".. the effect of uncertainty on objectives".
How to analyse this definition?
Components of the ISO 31000 Definition of Risk
Key components in the definition:
① OBJECTIVES ➜ Something important you want to achieve
② UNCERTAINTY EFFECTS ➜ Threats, opportunities & volatility. Can be the result of our own actions and of other internal/external factors
③ EXPOSURE to uncertainty ➜ Your objectives and the processes and resources that support them
ISO 31000 Guide - Risk Management Process
1 – Communication & Consultation (runs alongside every step)
2 – Establish the Context
3 – Risk Assessment: 3.1 Risk Identification, 3.2 Risk Analysis, 3.3 Risk Evaluation
4 – Risk Treatment
5 – Monitoring & Review (runs alongside every step)
Managers can optimize the trade-off between risk and return by identifying and assessing risks, assigning ownership, taking actions to mitigate or anticipate them, and monitoring & reviewing progress, consistently and systematically, while ensuring the timely and transparent communication of risk-related information across the enterprise.
ISO 31000 – GUIDE for Managing Risk: Principles, Framework, Process
Principles: risk management 1) creates value; 2) is an integral part of organizational processes; 3) is part of decision making; 4) explicitly addresses uncertainty; 5) is systematic, structured and timely; 6) is based on the best available information; 7) is tailored; 8) takes human and cultural factors into account; 9) is transparent and inclusive; 10) is dynamic, iterative and responsive to change; 11) facilitates continual improvement and enhancement of the organization.
Framework:
1 – Mandate & commitment
2 – Design of the framework for managing risk: understanding the organization; risk management policy; integration into the organization; accountability; resources; establish internal/external context
3 – Implementing risk management: implementing the framework; implementing the risk management process
4 – Monitoring & review of the framework
5 – Continual improvement of the framework
Process: 1 – Communication & Consultation; 2 – Establish the Context; 3 – Risk Assessment (3.1 Risk Identification, 3.2 Risk Analysis, 3.3 Risk Evaluation); 4 – Risk Treatment; 5 – Monitoring & Review.
ERM is the system, methodology & processes used by organizations to take risks in a controlled manner so that the business is viable for the longer term (SUSTAINABILITY), while meeting the expectations of stakeholders by CREATING SHARED VALUE in line with corporate OBJECTIVES.
ERM process – Underlying Focus
[Figure: the ERM process; the steps legible on the slide are:]
1 – Corporate OBJECTIVES & risk APPETITE
3 – SCREEN based on LIKELIHOOD × IMPACT (low priority ➜ the trash bin)
4 – Identify & assess THREATS based on likelihood & impact
8 – Design & implement ERM controls
9 – Review & MONITORING (KRIs)
In SUMMARY: Comparing BCM and ERM

Primary focus
  BCM: Key functions (processes & resources)
  ERM: Key corporate objectives & risk appetite
Protected areas
  BCM: Balance sheet & reputation
  ERM: P&L, cash flows & market capitalization
Strategic objectives
  BCM: Ensure continuity of critical operations
  ERM: Ensure achievement of corporate objectives
Operational objectives
  BCM: Ensure crisis & business continuity preparedness (exercising, testing)
  ERM: Risk awareness & cost of risk control; continuous process improvement; effective risk decision-making
Time horizon of assessment
  BCM: Medium to long-term
  ERM: Short to medium-term
Critical dimension of risk focus
  BCM: The business IMPACT
  ERM: The LIKELIHOOD
Type of loss exposure under watch
  BCM: Severe to catastrophic (high impact) business interruptions with medium to low frequency
  ERM: Expected losses: high to medium frequency loss events with medium to severe impact
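The comparison above says the two disciplines screen the same risk universe on different dimensions: ERM on likelihood × impact against risk appetite, BCM on criticality and business impact regardless of frequency. The following Python is an added illustration, not code from the ARiMI deck nor an ARiMI method: it runs both screens over one constructed register and lists what each discipline would discard on its own. The 1-5 scales, the appetite threshold, the "severe" cut-off and every register entry are assumptions chosen for the example.

```python
"""Added example, not from the ARiMI deck: apply the ERM screen (likelihood x impact
against risk appetite) and the BCM screen (criticality, then business impact) to one
constructed risk register, and show the items each discipline would discard on its own.
Scales, thresholds and the register entries are all assumptions for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int              # assumed scale 1 (rare) .. 5 (almost certain)
    impact: int                  # assumed scale 1 (minor) .. 5 (catastrophic)
    disrupts_key_function: bool  # would it interrupt a BIA-critical process?


# Constructed register (not real data) spanning the deck's loss categories
REGISTER = [
    Risk("Customer data entry errors", 5, 2, False),
    Risk("Key supplier late delivery", 4, 3, True),
    Risk("Earthquake hits primary data centre", 1, 5, True),
    Risk("Pandemic keeps 40% of staff at home", 2, 4, True),
    Risk("Currency swing erodes margin", 3, 3, False),
    Risk("Office vending contract lapses", 3, 1, False),
]

ERM_APPETITE_SCORE = 9   # assumed risk appetite: likelihood x impact >= 9 needs treatment
BCM_SEVERE_IMPACT = 4    # assumed: impact >= 4 counts as "severe to catastrophic"


def erm_screen(register):
    """ERM: rank by expected loss (likelihood x impact); below appetite -> 'the trash bin'."""
    kept = [r for r in register if r.likelihood * r.impact >= ERM_APPETITE_SCORE]
    return sorted(kept, key=lambda r: r.likelihood * r.impact, reverse=True)


def bcm_screen(register):
    """BCM: keep only interruptions of key functions with severe impact. Likelihood is
    deliberately not a filter, which is why low-frequency catastrophes survive here."""
    return [r for r in register
            if r.disrupts_key_function and r.impact >= BCM_SEVERE_IMPACT]


def blind_spots(register):
    """Items only one discipline would act on if the two ran in separate silos."""
    erm = {r.name for r in erm_screen(register)}
    bcm = {r.name for r in bcm_screen(register)}
    return {"erm_only": sorted(erm - bcm), "bcm_only": sorted(bcm - erm)}


def integrated_register(register):
    """Union of both screens, each item tagged with the treatment the discipline brings
    (the deck places BCM in the treatment phase next to prevention and transfer)."""
    erm = {r.name for r in erm_screen(register)}
    bcm = {r.name for r in bcm_screen(register)}
    out = {}
    for r in register:
        tags = []
        if r.name in erm:
            tags.append("ERM: prevention / transfer")
        if r.name in bcm:
            tags.append("BCM: continuity response")
        if tags:
            out[r.name] = tags
    return out


if __name__ == "__main__":
    for name, tags in integrated_register(REGISTER).items():
        print(f"{name:40s} {', '.join(tags)}")
    print("blind spots:", blind_spots(REGISTER))
```

On this register the ERM screen keeps the supplier, data-entry and currency items and drops the earthquake (score 5) and pandemic (score 8) below appetite, while the BCM screen keeps exactly those two and ignores the rest. Neither list is wrong for its own purpose; the point of the integrated register is that the earthquake item gets a continuity response and the supplier item gets prevention or transfer, from one shared list rather than two silos.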
Negative consequences of the lack of integration between ERM & BCM activities
- Unhealthy competition for management attention & resources
- Duplicated work and uncoordinated, independent efforts to deal with the same risk issues
- Resulting waste and inefficiency (increased expenses, since both programs are expensive, and wrong focus)
- Increased risk of critical failure to manage risk and ensure business sustainability
BCM is a NATURAL part of an ERM framework..
You could see Business Continuity Management (BCM) as part of the management RESPONSE to an important risk issue, taking its place during the Treatment phase alongside risk Prevention & Transfer.
Life-cycle from a Risk issue to a Crisis – 4 phases
[Figure: pressure over time through four phases, Potential, Emerging, Current, Recovering. An issue signal becomes an incident or a stronger signal, then a CRISIS, amplified by media coverage.]
Example: BP oil spill, Gulf of Mexico 2010
The catastrophe resulted in a loss of:
– Direct cost to BP: over $20 billion
– Market capitalization loss, i.e. cost to shareholders: $87 billion
The BP explosion and oil spill could have been prevented with additional spending of $7 - $12 million on safety controls.
From Risk issue to Crisis: BP Gulf of Mexico 2010
[Figure: the same four-phase pressure-over-time curve applied to BP. Potential/Emerging (opportunity to influence): maintenance equipment problems and reports. Current (difficult to influence): the explosion, emergency evacuation & protection, stopping the leak & cleaning, media onslaught, enormous cost & damage to reputation. Recovering: drop from the news.]
Impact on BP share price / market capitalization
[Chart: BP market capitalization with the Gulf of Mexico disaster and the MTBE contamination lawsuits marked; the values shown range from $243 billion down to $90 billion: an enormous shareholder value loss.]
Life-cycle from a Risk issue to a Crisis
[Figure: the four-phase pressure-over-time curve again (Potential, Emerging, Current, Recovering; issue signal, incident or signal, CRISIS). The Potential and Emerging phases are the opportunity to influence and the time for ACTION; once the issue is Current it is difficult to influence, and REACTION is too late!]
Road Map to Managing Risk & Crisis: The steps
Road Map to Managing Risk, Crisis & Change
[Figure: the four-phase life-cycle curve (Potential, Emerging, Current, Recovering; issue signal, incident or signal, CRISIS; media coverage & amplification; opportunity to influence vs difficult to influence) used as the road map.]
Cover all the bases!
[Figure: the LOSS/GAIN distribution around target performance again: expected potential losses and opportunities near the target, unexpected catastrophic losses (black swans) and unexpected opportunities (transformational blue swans) in the tails.]
- Shareholders and management are typically concerned with variability below & above the target.
- You should also be looking out for critical NEW changes in the business environment.
- Organisations should also be concerned with catastrophic risks & the risk of insolvency.
Road Map to Managing Risk & Crisis: The Solutions
How can ERM & BCM add value to each other?
BCM can provide ERM with:
- A better understanding, through the BIA, of the critical activities (processes) and the infrastructure & resources that support them
- A stronger focus on exercising and testing the risk mitigation framework
- A better understanding of the dependencies between critical functions, and better communication between them
ERM can provide BCM with:
- A broader view of risk issues
- A better definition of corporate objectives & understanding of risk appetite
- A systematic approach to consistently and continuously monitoring and managing risk
- A better view of emerging threats, and cross-functional communication of key threats
What is preventing effective coordination & integration between ERM & BCM?
Obstacle type 1: Resistance because of a cognitive difference of opinion about the BCM & ERM mission, objectives, methodology & tools.
Obstacle type 2: Resistance due to emotional issues (fears, ego, etc.)
Obstacle type 3: Resistance due to political or personal issues (animosity, red tape, etc.)
In conclusion: Three Models for ERM and BCM in an organization
There are three different models for ERM & BCM in an organization:
- STATUS QUO – maintain separate silos for both disciplines, with different teams, reporting lines, methodologies, etc.
- COORDINATION – a central management unit/function coordinates both BCM and ERM activities.
- INTEGRATION – integrate BCM functionally & methodologically into the ERM framework.
Unfortunately, the STATUS QUO model is what many organizations are doing today. It is high time for change!
Marc Ronez - Chief Risk Strategist & Knowledge Leader at ARiMI - Asia Risk Management Institute
An ERM & governance expert with 20 years of experience both as a practitioner & trainer for large MNCs, governments & charities. Marc has an MBA from the University of Chicago GSB, an MSc in Insurance & an LLM from the University of La Sorbonne.
What do I do? Help managers & leaders to use Risk Management to:
- Resolve difficult operational and business challenges
- Take & manage risks effectively to build sustainable & profitable growth models
Marc's specific areas of expertise include ERM, risk decision-making processes, corporate governance, business ethics, social responsibility, risk-aware culture, risk communication and crisis management, business model/strategy risk management, and corporate learning systems development.
Risk Management is a continuous journey, not a destination!
Marc Ronez is on Linked in & WordPress
You can find his profile & read his blogs at: P: sg.linkedin.com/pub/marc-ronez/1/3b6/465/ B: theriskmanagementparadox.com B: riskmanagementdemystified.com
ARiMI – Asia Risk Management Institute
ARiMI is an applied research and business studies institute that was set up in 2003 (in partnership with NUS) and has established itself as the institute of reference for Enterprise Risk Management studies in Singapore and in the region.
We FOCUS on programs:
1. For Decision-Makers (middle to top management): developing PRACTICAL knowledge & skills in risk & crisis management
2. For Organizations: building CAPABILITIES for sustainable and profitable growth by EMBEDDING a risk-aware & crisis-readiness culture
ARiMI - Focus and Expertise
Research:
● Crisis management & business continuity
● Leadership risk decision-making and social capital
● Reputational risk & stakeholder management
● Corporate governance & business ethics
Education:
● Professional designation programs: CERM (Certified Enterprise Risk Manager), CPRM (Certified Professional Risk Manager), ARM (Associate in Risk Management), FSRM (Fellow in Strategic Risk Management)
● Public seminars and workshops
● Corporate training & learning programs
Expertise:
● Risks & opportunities assessment & mapping
● Crisis & business continuity management
● Reputation risk management & CSR (Corporate Social Responsibility)
● Fraud risk management
● Risk appetite & risk-aware culture readiness
● Project risk management
● Risk Champions MasterClass
For more information on ARiMI,
check our website at: www.arimi.org
Important Note: Please note that this presentation and its contents are the intellectual property of the Asia Risk Management Institute Pte Ltd. It has been prepared for this BCM Award session and cannot be used for any other purposes without the specific written consent of the Asia Risk Management Institute.