Enterprise Risk Management Introduction (Part 1) John Glenn, MBCI Enterprise Risk Management practitioner Hollywood/Fort Lauderdale Florida 1-954-961-1674 – [email protected] http://JohnGlennMBCI.com


Enterprise Risk Management

Introduction (Part 1)

John Glenn, MBCI, Enterprise Risk Management practitioner, Hollywood/Fort Lauderdale, Florida, 1-954-961-1674 – [email protected] http://JohnGlennMBCI.com

Overview

• Enterprise Risk Management (ERM) also is known as
  – Business Continuity
  – Continuation Of Operations (COOP)
• Enterprise Risk Management is not Information Technology Disaster Recovery (IT D/R), although IT D/R is an integral part of Enterprise Risk Management

What’s in a name? Enterprise Risk Management (ERM) defined

• Enterprise: The entire organization, working from the profit center(s) out; holistic, all-inclusive
• Risk: All risks, both external and internal; no risk is overlooked or considered “out-of-scope”
• Management: Control threats through avoidance or mitigation; plan recovery to “business as usual”

Program or project

• Success or failure
• ROI or wasted effort and funds
• Enterprise Risk Management, to be successful, must be an on-going program; while there is a beginning, there is no end
• The program usually consists of projects, each with specific milestones

Who’s in charge?

• The ideal candidate to sponsor an Enterprise Risk Management program (best) or project is a very senior manager with fiduciary responsibilities, e.g., CEO, CFO, COO

Who is NOT in charge

• Functional unit C*Os and VPs (e.g., VP/MIS, CIO) properly are function focused and lack enterprise fiduciary responsibility; they also may be perceived as working primarily for the good of their unit vs. the good of the overall organization

Crossing silos

• Enterprise Risk Management is concerned with threats to “business as usual” from all directions
• Enterprise Risk Management focuses on PROCESSES and follows critical processes from initiation to completion

Risk Management Humor

Passengers board ABC Airlines Flight 13. The pilot’s voice comes over the intercom:

“Ladies & gentlemen, welcome to ABC Airlines Flight 13.

“This is ABC’s first fully automated flight; the only ABC personnel on board are the Flight Attendants.

“Everything is computer controlled.

“Nothing can possibly go wrong, go wrong, go . . .”

Abbreviated flow diagram

[Flow diagram not reproduced in the transcript]

What could possibly go wrong?

Threats to “business as usual” - 1

Threats to “business as usual” come from external vendors:
• Materials suppliers
• Utilities suppliers
• Money suppliers
• Transportation providers
• “Ubiquitous others”

Threats to “business as usual” - 2

Threats to “business as usual” come from internal vendors:
• Facilities
• HR/Personnel
• Office support (Accounting, Mailroom, etc.)
• IT
• “Ubiquitous others”

Threats to “business as usual” - 3

Threats to “business as usual” come from:
• Government, trade groups, regulators
• Customers
• Competition
• Image (company, product, associations)
• Neighbors
• Events (holidays)
• “Ubiquitous others”

Prioritize threats

• Threats are rated by
  – Probability of occurrence
  – Impact on organization
  – You set the scale
    • Low-Medium-High
    • 1 to 3, 5, 10
• Avoidance & mitigation costs are not an issue at this point

Avoid, Mitigate, or Absorb

Threats can be
• Avoided: usually the “high cost” option
• Mitigated: typically less expensive than avoidance, but with trade-offs
  – Mitigation includes insurance coverage
• Absorbed: the organization will accept the loss

Threat chart

• Create a chart to list all threats to “business as usual”
• This is best accomplished in groups
• An amanuensis is a must
• A white board that can “write” to memory is useful

Decision makers

• The residents of the Corporate Suite review the recommendations and determine
  – Confirm or change priorities based on business plans
  – What measures are to be implemented to deal with each threat
  – When to implement the threat avoidance or mitigation measures
• Smart management listens to its Subject Matter Experts (SMEs)

About the practitioner

• More than 13 years’ experience
• Certified by the Business Continuity Institute
• Created complete enterprise, key business unit, and IT-specific plans for Defense, Energy, Financial, Fortune 100, Government, Insurance, International, and Transportation organizations
• Currently Manager of Business Continuity for a defense industry leader managing 47 sites in 17 states

Enterprise Risk Management

An introduction (Part 2)

John Glenn, MBCI, Enterprise Risk Management practitioner, Hollywood/Fort Lauderdale, Florida, 1-954-961-1674 – [email protected] http://JohnGlennMBCI.com

Best laid plans of mice & men

When the “best laid plans of mice and men” still fail to fully protect the organization, there must be a plan to “restore to business as usual”
• Efficiently
• Economically
• Expeditiously

Many mini-plans

• Enterprise Risk Management is at once top down and bottom up
  – Top down since enterprise resources may be utilized to restore to “business as usual”
  – Bottom up since each functional unit needs its own mini-risk management plan

Why mini-plans?

• Each functional unit – profit center or resource – needs its own “mini” plan
• If a threat is isolated to one functional unit, the mini-plan should guide responders to determine if the unit can be recovered before there is impact on other functional units

Recovery “by the numbers”

• Each mini-plan, and the organization’s overall plan, includes procedures to restore critical processes
• Procedures are prepared by functional unit Subject Matter Experts (SMEs)
• Procedures are documented (by SMEs or others)
• Procedures are validated by NON-SMEs to assure completeness and clarity

Practice makes perfect

• Restoration procedures must be practiced
  – So responders understand their tasks
  – So responders’ confidence is enhanced
  – So any plan deficiencies are discovered and eliminated
• There are various exercise levels
  – Walk-throughs to “pull the switch”
• Exercises, never “tests”

Who responds?

• Every response task needs at least two responders, a primary and an alternate
  – People get sick, go on vacation, change jobs, go to courses away from the work place
• Both primary and alternate must be able to do the task
• Rank is not a consideration in selecting responders

Planning ahead

A few things to consider before an event
• Press releases, and who will give them
  – Different emphasis for different audiences
• Policies and procedures
  – Work periods, family considerations, etc.
  – Furlough of non-essential personnel
• Relocation options

Training

• Personnel awareness & safety training
  – Sights, sounds, smells
• Evacuation & in-place sheltering
  – What to do if someone refuses to
    • Leave the building (evacuation)
    • Stay inside the building (in-place sheltering)
  – The lawyers say . . .

Plan maintenance

• When to review the plan
  – Depending on organization’s dynamics
  – By trigger word changes, “P” words
    • Personnel
    • Place (location)
    • Politics (licensing, regulations, zoning)
    • Procedure
    • Process
    • Product
    • Providers (vendors)
    • Purchasers (clients)

Planner’s role

• An experienced practitioner should be involved in creating the plan and monitoring the program, either
  – As in-house staff, to manage the process and mentor functional unit staff contributing to the plan
  – As a consultant and mentor to in-house personnel assigned planning tasks

Plan benefits

• Potentially lower costs
  – Reduced risk impact through avoidance, mitigation
  – More efficient, expeditious recovery
  – Adjusted insurance coverage
• PR – “We have a plan, therefore we assure product delivery”
• Enhanced employee loyalty
  – Employees know management cares about them
• Possibly enhanced stock and bond ratings
