BCM vs ERM: The Business Case for Integration..

ARiMI – Asia Risk Management Ins0tute

By MARC RONEZ Chief Risk Strategist & Master Coach Asia Risk Management Institute

NOTES

BCM vs ERMThe Business Case for Integra9ng Business Con9nuity & Enterprise Risk Management

Business Continuity Management Award 2013, 24 January 2013

Agenda for this Session

Explore and discuss the ‘business case’ for integrating Business Continuity Management (BCM) & Enterprise Risk Management (ERM).

þ  Conflicts & Competition between ERM & BCM functions þ  Comparing the ERM & BCM Frameworks, Process & Practices þ  Convergence of the ERM of BCM agendas þ  Understanding the life-cycle from Risk Issues to Business

Disruptions & Crises þ  Strengthening Value Creation & Sustainability by Integrating BCM &

ERM

BCM vs ERM – Marc Ronez - Copyright @ ARiMI 2013 2

3

Risks & Crises.. BCM or ERM issues?

Terrorism Diseases

Earthquake

Pollution

Bank run

Subprime Explosion

NGO Attack Lawsuits

BCM vs ERM – Marc Ronez - Copyright @ ARiMI 2013

Conflicts between ERM & BCM

VS ERM BCM

 SEPARATE often COMPETING Functions in Organizations  OVERLAPPING area of Responsibilities  Different OBJECTIVES, Focus & METHODOLOGICAL

Approaches


Different Origins for ERM & BCM

VS ERM BCM

≠ IT departments,

with the IT Disaster Recovery program

Insurance Buying / Hazard

Risk Mgt

Both ERM & BCM have seen Tremendous SCOPE expansion and methodological development


6 6

Financial & Hazard

Expanding the scope of ERM

Finance Losses

Operational Strategic

Protect & Sustain

Operations

Create Value with effective Risk-taking

& Management Scope increase

➜ From Value PROTECTION to Value CREATION expanding to all risk domains



ERM Manage Risks & Opportunities Effectively to Ensure Achievement of Corporate Objectives

RISK

MAN

AGEM

ENT

IT DISAS

TER RE

COVE

RY

FACILITIES M

ANAG

EMEN

T

SUPP

LY CHA

IN M

ANAG

EMEN

T

QUAL

ITY M

ANAG

EMEN

T

HEAL

TH & SAF

ETY

KNOWLEDG

E M

ANAG

EMEN

T

EMER

GEN

CY M

ANAG

EMEN

T

SECU

RITY

CRISIS COMMUNICAT

IONS & PR

BCM - Business Continuity Management

Expanding the scope of BCM


➜ From RECOVERY to CONTINUITY and from IT Processes to ALL Operations & Business processes

BCM… MAINTAIN KEY Business Operations during challenging times


CATALYST for the ERM & BCM ‘Explosion’!

A continuous and constant stream of crises and corporate failures over the past 10-15 years have created a strong momentum for Risk, Crisis & Business management concepts.

9/11

Fukushima


11 11

The ERM & BCM Explosion!

Failures in managing risks effectively have triggered all over the world, efforts by: ¤ regulators, ¤ rating agencies, ¤ stock exchanges, ¤  institutional investors ¤ and corporate governance oversight bodies

… insist that company senior management take greater responsibility for managing proactively risks and critical disruption on an enterprise-wide scale.


ERM & BCM Best Prac9ces & Standards

BCM Standards þ  ISO 22301:2012 - Societal

security – Business continuity management systems (International)

þ  BS 25999:2007 - Business Continuity Management (BSI/UK) 1 Code of Practice & 2 Specification

þ  SS540:2008 - BCM Framework & Technical Reference (Singapore)

þ  NFPA1600 - Standard on Disaster/Emergency Management and Business Continuity Programs (ANSI/US)


ERM Standards þ  ISO 31000:2009 - Risk

Management Guideline (International)

þ  COSO:2004 - Integrated ERM Framework (US)

þ  AS/NZS 4360:2004 - Risk Management Standard (Australia/NZ)

þ  HM Treasury’s Orange Book:2004 – Management of Risk (UK)

þ  Rating Agencies Frameworks (S&P, Moodys)

ERM vs BCM Area of Focus & Objec9ves

13

- +

Target Performance

Expected Potential Losses

Expected Potential

Opportunities

Unexpected Catastrophic

Losses

Transformational Blue swans


Catastrophic Losses

Black swans

Unexpected Opportunities

LOSS GAIN

Risk Can Lead to either Negative or Positive impact depending how it is managed..

ERM vs BCM Area of Focus & Objec9ves

14

- +

Target Performance


Expected Potential

Opportunities


Losses



Catastrophic Losses

Black swans


ERM – Create Shared Sustainable Value

BCM – Ensure Business Con9nuity & Societal

Security

LOSS GAIN

BCM perspec9ve: How to Define Business Con9nuity?

¤ Business Continuity is defined in British Standard for BCM (BS 25999:2006) as:

“.. The capability of an organization to plan for and respond to business interruptions in order to continue business operations at an acceptable pre-defined level”.

How to understand this definition?


Components of BS 25999 Defini9on of Business Con9nuity

Key components in the definition:

①  CAPABILITY to PLAN & RESPOND

②  To BUSINESS INTERRUPTION Events

③  To MAINTAIN KEY Business Operations


Components of BS 25999 Defini9on of Business Con9nuity


①  CAPABILITY to PLAN & RESPOND ➜  Planning & building readiness is essential

②  To BUSINESS INTERRUPTION Events ➜  Focus on severe to critical threats

③  To MAINTAIN KEY Business Operations ➜  Focus on key processes and resources


What is Business Con9nuity Management then.

¤ British Standard for BCM (BS 25999:2006) defines it as:

An “holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.”


BCM – Business Con9nuity Management Process...


1 - BCM Program

Management

3 – DETERMINING BCM

STRATEGIES

4 – DEVELOP & IMPLEMENT BCM

RESPONSE

5 – EXERCISE, MAINTAIN &

REVIEW

Delivering better RESULTS

2 – UNDERSTAND THE

ORGANIZATION

BCM process – Underlying Focus

1 – Key Activities & FUNCTIONS

4 – Identify & Assess THREATS

The Trash Bin

3 – SCREEN based On CRITICALITY Not

critical?

6 – EXERCISING, Maintenance & Audit


5 – Design & Implement BCM Response

2 – Business IMPACT Analysis

ERM Perspec9ve: How to Define RISK?

¤  Risk is defined in ISO 31000: 2009 as:

“.. the effect of uncertainty on objectives”.

How to analyse this definition?


Components of ISO 31000 Defini9on of Risk


①  OBJECTIVES

②  UNCERTAINTY EFFECTS

③  EXPOSURE to Uncertainty


Components of ISO 31000 Defini9on of Risk


①  OBJECTIVES ➜  Something important you want to achieve

②  UNCERTAINTY EFFECTS ➜  Threats, Opportunities & Volatility. Can be the result of

our actions and others internal/external factors

③  EXPOSURE to Uncertainty ➜  (Your objectives and the processes and resources

that support them)


ISO 31 000 Guide -‐ Risk Management Process

3 – Risk Assessment

2 -‐ Establish the Context

3.2 Risk Analysis

5 – Monitoring & Review

1 – Communica9on & Consulta9on

3.1 Risk Iden9fica9on

4 -‐ Risk Treatment

3.3 Risk Evalua9on

Managers can optimize the tradeoff between Risk and Return..

while consistently and systematically, and ensuring the timely communication of risk related information across the enterprise in a transparent manner.

…by identifying, assessing and assigning ownership, taking actions to mitigate or anticipate risks, and monitoring & reviewing progress


ISO 31000 – GUIDE for Managing Risk

Principles Framework Process

2"–"Design"of"framework""for"managing"

•  Understanding+organiza.on+•  Risk+Management+policy+•  Integra.on+into+organiza.on+•  Accountability+•  Resources+•  Establish+Internal/External+

Context+

1"–"Mandate"&"Commitment"

5"–"Con8nual"improvement"of"the"framework"

3"–"Implemen8ng"Risk"Management"

•  Implemen.ng+the+Framework+•  Implemen.ng+the+Risk+

Management+Process+

4"–"Monitoring"&"Review"of"the"Framework"

3"–"Risk"Assessment"

2"."Establish"the"Context"

3.2"Risk"Analysis"5"–"Monitoring"&""

Review"

1"–""CommunicaCon"&"ConsultaCon"

3.1"Risk"IdenCficaCon"

4"."Risk"Treatment"

3.3"Risk"EvaluaCon"

!1)!creates!value.!2)!is!an!integral!part!of!organiza6onal!processes.!!3)!is!part!of!decision!making.!!4)!explicitly!addresses!uncertainty.!!5)!is!systema6c,!structured!and!6mely.!!6)!is!based!on!the!best!available!informa6on.!!7)!is!tailored.!!8)!takes!human!and!cultural!factors!into!account.!!9)!is!transparent!and!inclusive.!!10)!is!dynamic,!itera6ve!and!responsive!to!change.!!11)!facilitates!con6nual!improvement!and!enhancement!of!the!organiza6on.!!!

ERM is the System, Methodology & processes used by organizations to takes risk in a controlled manner so that the business is viable for a longer term (SUSTAINABILITY) while meeting the expectations of the stakeholders by CREATING SHARED VALUE in line with Corporate OBJECTIVES.


ERM process – Underlying Focus

4 – Identify & Assess THREATS Based on Likelihood & Impact

1 – Corporate OBJECTIVES & Risk APPETITE

The Trash Bin

3 – SCREEN based on LIKELIHOOD × IMPACT

Low Priority

9 - Review & MONITORING (KRIs)


8 – Design & Implement ERM Controls

27

In SUMMARY: Comparing BCM and ERM

BCM ERM Primary Focus Key Functions (Processes &

resources) Key Corporate Objectives & Risk Appetite

Protected Areas Balance sheet & reputation P&L, Cash flows & Market Capitalization

Operational Objectives

Ensure Crisis & Business Continuity preparedness (Exercising, testing)

Risk awareness & cost of risk control. Continuous process improvement, effective risk decision-making

Time Horizon of Assessment

Medium to long-term Short to Medium

Critical Dimension of Risk focus

The Business IMPACT The LIKELIHOOD

Type of Loss Exposure under watch

Severe to Catastrophic (High Impact) with medium to low frequency business interruptions

Expected Losses: High to medium frequency loss events with medium to severe impact

Strategic Objectives

Ensure Continuity of Critical Operations

Ensure Achievement of Corporate Objectives


Nega9ve consequences of the lack of integration between ERM & BCM activities

 Unhealthy Competition for Management Attention & Resources

 Double works & Uncoordinated/independent efforts to deal with the same risk issues

 Resulting in waste and inefficiencies (increased expenses, both programs are expensive & wrong focus)

  Increasing risk of critical failure to management risk and ensure business sustainability


BCM is a NATURAL part of an ERM framework..


You could see Business Con9nuity Management (BCM) as… Part of the management RESPONSE to an important risk issue… taking its place during the Treatment phase alongside with risk Preven9on & Transfer.

Pressure

Time Potential Emerging Current Recovering

Life-‐cycle from a Risk issue to a Crisis – 4 phases

Media Coverage & amplification

Signal

CRISIS

Incident OR Signal

Issues Signal


Example: BP oil spill, Gulf of Mexico 2010

 The catastrophe resulted in a loss of: –  Direct Cost to BP: Over $20 billion –  Market capitalization loss. i.e. cost to shareholders:

$87 billion

¤ BP explosion and oil spill could have been prevented with additional spending of $7 - $12 million on safety controls


Pressure


From Risk issue to Crisis: BP Gulf of Mexico 2010


Signal

CRISIS

Issues Signal

Opportunity to influence Difficult to influence

Maintenance equipment

Reports

Problems

Drop from news

Enormous cost & damage to reputation

Incident OR Signal

Explosion

Stop the leak & cleaning


Emergency evacuation & protection

Media onslaught

Impact on BP share price / market capitaliza9on

Gulf of Mexico Disaster

MTBE Contamination lawsuits

$243 Billions

$90 Billions

Enormous Shareholder Value Loss


Pressure


Life-‐cycle from a Risk issue to a Crisis

Signal

CRISIS

Incident OR Signal

Issues Signal



Time for ACTION

REACTION Too Late!

Road Map to Managing Risk & Crisis: The steps

35 BCM vs ERM – Marc Ronez - Copyright @ ARiMI 2013

36

Pressure


Road Map to Managing Risk, Crisis & Change

Signal

CRISIS

Incident OR Signal

Issues Signal




Cover all the bases!

37

- +

Target Performance


Expected Potential

Opportunities


Losses



Catastrophic Losses

Black swans


LOSS GAIN

Shareholders and Management are typically concerned with variability below & above the target

You should also be looking out for cri9cal NEW Changes in the Biz environment

Organisa9ons should also be concerned with catastrophic risks & the risk of Insolvency

Road Map to Managing Risk & Crisis: The Solu9ons


How ERM & BCM can add value to each other?

BCM can provide ERM with: þ  A better understanding of the critical activities (processes) and the

infrastructure & resources that support these with the BIA þ  A stronger focus on exercising and testing the risk mitigation framework þ  Promotes a better understanding communication dependency between

critical functions

ERM can provide BCM with: þ  A broader view of risk issues þ  A better definition of Corporate Objectives & understanding of Risk

Appetite þ  Systematic approach of consistently and continuously monitoring and

managing risk þ  A better view of any emerging threats and promotes cross functional

communication of key threats


What is preven9ng effec9ve coordina9on & integra9on between ERM & BCM?

 Obstacle type 1: Resisting because of a cognitive difference of opinion about BCM & ERM mission, objectives, methodology & tools.

 Obstacle type 2: Resistance due to emotional issues (Fears, ego, etc)

 Obstacle type 3: Resistance due to Political or Personal issues ( Animosity, red tape, etc)


In conclusion: Three Models for ERM and BCM in a organiza9on

There are three different models for ERM & BCM in Organization:   STATUS QUO - is to maintain separate silos for both disciplines

with different teams, reporting lines, methodologies, etc.

þ  COORDINATION – by having a central management unit/function coordinating for both BCM and ERM activities.

þ  INTEGRATION – by integrating BCM functionally & methodologically into the ERM framework.

  Unfortunately, the STATUS QUO model is what many organizations are doing today. It is more than time for change!


Marc Ronez -‐ Chief Risk Strategist & Knowledge Leader at ARiMI -‐ Asia Risk Management Ins9tute

An ERM & Governance expert with 20 years of experience both as a practitioner & trainer for large MNCs, Governments & Charities. Marc has an MBA from the University of Chicago GSB, an MSc in Insurance & a LLM from the University of La Sorbonne

What do I do? Help managers & leaders to use Risk Management to:

þ  Resolve difficult operational and business challenges þ  Take & manage risks effectively to build sustainable & profitable growth models


Marc’s specific areas of expertise include ERM, risk decision-making processes, corporate governance, Business Ethics, Social Responsibility, risk-aware culture, risk communication and crisis management, business model/Strategy Risk Management, corporate learning systems development.

42

Risk Management is a con/nuous journey, not a des/na/on!


Marc Ronez is on Linked in & WordPress

You can find his profile & read his blogs at: P: sg.linkedin.com/pub/marc-ronez/1/3b6/465/ B: theriskmanagementparadox.com B: riskmanagementdemystified.com

43

ARiMI – Asia Risk Management Ins9tute


ARiMI is an applied research and business studies ins0tute that was set up in 2003 (in partnership with NUS) and has established itself as the Ins0tute of Reference for Enterprise Risk Management studies in Singapore and in the region.

We FOCUS on programs:

1.   For Decision-‐Makers (Middle to Top Management): Developing PRACTICAL Knowledge & Skills in Risk & Crisis Management

2.   For Organiza9ons: Building CAPABILITIES for Sustainable and Profitable Growth by EMBEDDING Risk Aware & Crisis Readiness Culture

ARiMI, Asia Risk Management Ins9tute


ARiMI -‐ Focus and Exper9se

● Crisis management & Business Continuity

● Leadership risk decision-

making and Social Capital ● Reputational Risk &

stakeholders management ● Corporate governance &

business ethics

Research

● Professional Designation Programs

CERM (Certified Enterprise Risk Manager), CPRM (Certified Professional Risk Manager), ARM (Associate in Risk Management), FSRM (Fellow in Strategic Risk Management)

● Public Seminars and

Workshops ● Corporate Training &

learning Programs

Education

● Risks & Opportunities Assessment & Mapping

● Crisis & Business

Continuity Mgt ● Reputation Risk Mgt &

CSR (Corporate Social Responsibility) ● Fraud Risk Mgt ● Risk Appetite & Risk

Aware Culture Readiness ● Project risk management ● Risk Champions

MasterClass

Expertise


47

For more information on ARiMI,

check our website at: www.arimi.org


Important Note: Please note that that this presentation and its contents, is the intellectual property of the Asia Risk Management Institute Pte Ltd. It has been prepared for this BCM Award session and it cannot be used for any other purposes without the specific written consent of the Asia Risk Management Institute.

48 BCM vs ERM – Marc Ronez - Copyright @ ARiMI 2013

BCM vs ERM: The Business Case for Integration..

Business

Transcript of BCM vs ERM: The Business Case for Integration..