Business Continuity Planning and Enterprise Risk Management
by John R. Phelps
Disasters like 9/11 and Hurricane Katrina have arguably changed the “worst case scenario” paradigm for business continuity planning and risk management. Shortly after Katrina struck New Orleans, many business continuity planners were hauled into the C-suite to explain how such a tragedy would have impacted their company. In many cases, the person responsible for Business Continuity Management (BCM) was instructed to draft a plan to address a “Katrina-like” event. Many of us with both a BCM and Enterprise Risk Management (ERM) responsibility felt somewhat conflicted because, although it is important to have a plan for such an unlikely catastrophe, there are other serious risks that have a nearly certain likelihood of occurring. Risks like privacy, fraud and inaccurate data cost many organizations millions of dollars each year. Emotions run high in the face of rare and disastrous events, causing a rush to allocate funds and efforts to safeguard against them. Integrating BCM as part of a comprehensive ERM program allows a more reasoned and less emotional understanding of the universe of business risks faced by the company. This approach produces efficiencies with regards to how organizations react to catastrophic risk.
ERM provides the context in which to understand risks and how they interact with the business enterprise. By including BCM in such a program, the organization begins to understand how BC planning fits alongside other risks, like the colors of a rainbow. In order to understand how these two highly skilled fields can complement each other, it is important to understand what ERM means.
WHAT IS ERM?
Most people associate “traditional risk management” with the guy that buys the insurance. For years, risk management professionals were relegated to paperwork and number crunching behind closed doors. For the past twenty years, risk management focused on dealing with insurable risks, as opposed to operational risks where outcomes can be influenced by how the risks are proactively managed. In other words, risk managers never felt they had a role in helping the organization to manage market, reputation or outsourcing risks. Instead, their expertise was applied to property, liability, and worker injury risks. In this context, business continuity and risk management were content to coexist in very separate “silos” of responsibility, failing to take advantage of the efficiencies offered by integrated risk assessment and treatment.
Within the past several years, forward-thinking organizations and professionals have begun to view the management of risk in a different light. The term Enterprise Risk Management was coined to distinguish traditional risk management from a more comprehensive and proactive view of operational risk in an organization. ERM is a business capability and requires the organization to look at risk from a completely different perspective—as a partner and source of opportunity for the business. To exist and be productive, every organization must take risks. The question is, how can the enterprise risk manager help operational areas take those risks and use them to the advantage of their companies? Those that take risks intelligently are those that are going to win in today’s economy. In order to take risks intelligently, the organization needs a construct to evaluate risks from the boardroom to the mailroom—from power outages to hurricanes to data management or threats to brand equity.
The other distinguishing aspect of ERM is that the risk management department does not own the process. Done correctly, ERM will be embedded into the operational areas and systems. The risk manager may be the wizard of tools and steward of the governance structure, but application of the process is “owned” by the business units. In a mature structure, leaders and managers in areas like brand, finance, human resources, facilities and information technology understand their risk management responsibilities. There is a common governance structure that brings these disciplines together to provide oversight of the process and how it is pro-actively addressing risks like reputation, data quality, privacy of information and, yes, business interruption.
BCM AND ERM, TOGETHER AT LAST
BCM and disaster recovery are natural components of ERM. According to the Disaster Recovery Institute, Business Continuity is “the ability of an organization to provide service and support for its customers and to maintain its viability before, during, and after a business continuity event.” All the resources and plans that make up a business continuity plan are developed to address business interruption risk in an organization and should be part of a comprehensive ERM program. For the last few decades, unfortunately, the analysis of business functions has been based upon an “impact” perspective as developed during a business impact analysis (BIA), the gold standard used to determine “criticality” of business functions. The purpose of a BIA is to assess the impact a business function has on the overall organization and to develop recovery objectives. It is not designed to provide a full risk assessment. In other words, the BIA does a poor job of assessing the likelihood of disruption to business functions and the effectiveness of controls already in place. In addition, it rarely, if ever, evaluates the business continuity risk against a tapestry of other enterprise level risks.
More mature ERM programs have the force of corporate policy that requires leaders and managers to understand risk before they take it. At Blue Cross and Blue Shield of Florida, the process starts with the BIA and then runs the results through the Enterprise Risk Management filter to add the “likelihood” and “effectiveness of control” perspectives. A key component of the process is the set of tools created for the ERM program, especially the method and evaluative criteria for assessing risk. This provides a unified understanding of each risk based upon the same criteria. The method is used for all risks, including business interruption. The outcome of the ERM assessment process is a specific risk index for each risk. Two different functional areas with the same impact may have very different risk indices when calculated using the ERM methodology. This helps management understand two important dimensions. First, comparing the risk indices creates a greater understanding of which “important” functional areas are more important than the others. Second, management can understand how the risks of interrupting important business functions compare to other risks in the company, like reputation or market risk. This supports decisions concerning the allocation of limited resources to risk treatments. Specific to business continuity, in some cases this process causes the organization to reconsider the application of planning resources for certain functional areas. This perspective would not have been known had management relied upon the BIA alone.
ERM, by its definition, is a very high-level view of risk in an organization. A component part of an ERM program is the mitigation of catastrophic risk from natural and human causes. Many organizations are beginning to recognize the opportunity they have from embedding or incorporating BCM into an overall program to identify, evaluate and mitigate risk. Boards expect the organization to have a comprehensive and effective process for identifying, measuring and managing risk. By viewing BCM as a risk management function and embedding it into the enterprise level ERM program, which has been aligned with the strategic imperatives of the company, boardroom expectations are met and alignment achieved.
JOINING ERM AND BCM
Both BCM and ERM use scenario analysis to drive planning. After being approached to develop plans for Blue Cross and Blue Shield of Florida in the event of another Hurricane Katrina, we had the hurricane threat modeled by an outside catastrophe modeling company. Modeling revealed that the odds of the home office being struck by a Category 3 hurricane or higher are once every 70,000 years. In addition, each of the buildings was designed to withstand Category 3 hurricanes, and the new, state-of-the-art, hardened data center is located 20 – 30 miles inland from the home office facility. This caused management to think differently about the resources it would take to relocate thousands of critical employees for a “smoking hole” type event. As a result, a staged approach was chosen to emphasize more likely scenarios while providing some pre-planning in case the worst-case scenario does happen. The hurricane scenario analysis gave us another prism with which to view our hurricane risk.
Scenario analysis can be effectively used for a multitude of risks other than hurricanes, pandemics or power outages. The process is equally valuable for events like unintentional release of data, unethical boardroom shenanigans, and supply chain failure. To illustrate how BCM and ERM can work together, consider a regulated company that needs to make state filings for rate increases. During the BIA, it was reported that the risk of lost revenue from not making timely filings (as a result of a major, unexpected disruption like a fire or long term power outage for example) would be in the range of $2 – $5 million per week. Through the BIA lens, then, this department would be deemed critical.
After the BIA, the people in the department responsible for the filings were interviewed using an ERM process of risk profiling. The risk of not making the filing (interruption of services from the filings department) was evaluated according to impact (similar to the BIA, but with an established scale and criteria), likelihood and effectiveness of controls. These factors were combined into a single risk index for that specific department. It was determined that the risk index was relatively low due to existing controls, including the ability to re-file renewal increases after a disaster. This perspective indicates that this department is not “critical” after all. In other areas, the Enterprise Risk Management assessment supported the BIA findings. For example, customer service functions were critical under both the BIA and the ERM assessment. What this supports is a decision around the application of limited resources. Developing extensive plans to recover customer service areas within a minimal amount of downtime is essential. Allocating resources to recover the filings department is foolish. Ah, the efficiency of ERM!
THREE MODELS FOR ERM AND BCM IN A COMPANY
When joining together BCM and ERM, there are three different models. The first model is central management of both BCM and ERM, which is Blue Cross and Blue Shield of Florida’s model. The second model is to create a shared responsibility for BCM and integrate it functionally into the ERM program. The third, and least efficient, way to maintain BCM and ERM programs is to keep separate silos for both disciplines. Unfortunately, this is what many businesses are doing today. The danger of maintaining separate BCM and ERM efforts—the “silo mentality”—is that each works according to its own strategy. Nothing could be less efficient or effective.
To support the integration of ERM and BCM, Blue Cross and Blue Shield of Florida has created a risk council to provide a single governance structure. The risk council is made up of director-level representatives from Information Technology, Human Resources, Service, Compliance, Internal Audit and so forth. The risk council is responsible for “controllership” of operational risk as well as general oversight and control. Part of the oversight responsibility extends to BCM and provides assurance that the business interruption risk, and the mitigation of that risk, is clearly understood and proactively addressed. High-level executive support has been established through the Operating Committee, which includes the Office of the Chief Operating Officer.
THE KATRINA EFFECT
When we consider large, highly publicized risks similar to Hurricane Katrina, management often reacts emotionally. “What would we do if it hit OUR company? How would we serve our customers? This could bankrupt the company!” and so on. These are serious questions, but if management panics about such improbable occurrences, companies could bleed millions of dollars per day from other risks like fraud and “dirty data.” Organizations need to address the “Katrina-like” event, certainly, but they need to do so as part of a comprehensive understanding of all the company’s significant business risks.
ERM helps provide an understanding of the relationships among risks, which cannot be obtained from a traditional risk management or business continuity perspective. ERM and its associated methodology and tools provide an opportunity for business continuity professionals to burst out of their silo and observe how business interruption risk relates to the other enterprise-level risks. This approach also elevates BCM to a higher strategic level with boardroom and C-suite attention. Companies that can achieve this level of maturity with their business continuity program will make better decisions about the allocation of limited capital.
There are few organizations that have taken their business continuity program to this level. The psychology of risk constantly gets in the way of making truly informed decisions. Without factual and logical risk assessment methodologies, emotion at all levels of the organization will triumph over reason. Throughout the world, in every organization, people are making decisions about risks based on past experiences and emotions. ERM and its methodology will continue to fly the banner of reason in a battleground of emotion. At one time, people relied on the woolly caterpillar to tell them how harsh the winter would be. Now we have meteorology. In just the same way, an ERM approach to understanding business risk will help the BC professional declare victory over the business interruption risk. The woolly caterpillar of business continuity is about to become extinct.
About the Author