Business continuity and operational risk management
Bearing in mind the earlier chapters, it is also appropriate to consider business continuity and operational risk management at this stage. Since business continuity can be affected for an array of reasons, management should be prepared for it as part of its risk strategy. One preliminary issue is whether a business does in fact consider operational risk management and business continuity to be entwined. The basis for this discussion is the experience of many organisations in which operational risk management and continuity planning are treated as two entirely separate disciplines. This has also been borne out by the surveys cited above. So often, according to risk practitioners, the two departments never really work together to any significant extent. Yet according to many risk advisors they are one and the same. Continuity planning is simply one of the tools, and an increasingly important one, available to the modern risk manager.
Part of the problem, as ever, relates to definitions. Ask a dozen people for a definition of risk and there will surely be at least 15 answers. To be clear, in this section we are talking about operational risk: the nasty surprises that come along and divert the organisation from its strengths and objectives (see also Chapter 5 regarding risk management culture).
The science or art (depending on your point of view) of risk management has an unfortunate foundation in people who called themselves risk managers but were in reality buyers of insurance programmes. Other 'risk managers', including company secretaries, treasurers, auditors, lawyers, facilities managers, continuity managers, health and safety managers, security managers and business directors, all cheerfully ploughed their own risk furrows quite independently of one another.
Part B – Overview of the Economic Aspects of Business Risks
172




Different perceptions of risk
A business director could cheerfully accept an exposure of, say, £10 million, or £100 million, and see doing so as a business profit opportunity that fits comfortably within the assets and cash flows managed on a daily basis. The 'insurance buyer' in the same company, however, may be spending millions buying insurance for PCs, photocopiers and bent wings on the company's motor cars. The lawyer may be cheerfully transferring risks to other contracting organisations without it being part of the job description to consider the residual risk to their own organisation should that counterparty fail to meet its contracted responsibilities.



Continuity management, on the other hand, comes into the 21st century from a 20th century foundation in which IT and facilities managers owned the responsibility for, and developed, the continuity facilities for their own services. Fortunately, the science of continuity management has moved on somewhat. Increasingly, the business impact analysis is a vital tool, and there is more ownership, and more exercising of plans, by business managers. It is a history, however, that is still not easy to shake off fully: consider the background and the reporting lines of some continuity managers even now.


The evolution of risk management in practice
Looking at risk management first, the ground has shifted noticeably from that under the old 'insurance buyers', and in several ways at the same time. First, their employer's organisation is almost certainly undergoing such major change that the old organisation of just a few years ago and the new one are barely recognisable as the same. Following mergers, it is likely to be much, much bigger and much more international. Computerisation and communications have created different marketing, service delivery and cost saving opportunities. These developments have dramatically reduced the need for locations and people. The focus on creating value (see also above) at each individual stage of the supply chain has created new critical dependencies on third party organisations that are less easy to supervise in detail. These dependencies have frighteningly shorter and shorter periods in which delay can be tolerated before destructive damage occurs. Entirely new risks (e-commerce, internationalism, the media and others) have evolved, and customers' expectations have been raised towards a seamless 24 hour/7 day service (see also Chapter 11).
E-commerce, where basic entrepreneurial instincts are fuelled by ever more powerful computers along with telecommunication and data mining tools, is one huge area where the rewards of the first pioneer are totally disproportionate to those of the rest. In that atmosphere of headlong sprint, and of laying bets so large that they will create or kill careers, the risk and continuity managers asking for time and resources to plan effectively can easily be ignored.
Chapter 8 – Business interruption and risk management 173



Sometimes it is an 'old' risk that, because of these changes, now has a new potential for total, organisation-wide and simultaneous destruction across individual business units miles or even countries apart. What good is it being able to produce good products if the world has lost confidence in the products' name and will not buy them?
Conversely, these larger corporations have opportunities to absorb much more risk within the strength of their balance sheets and cash flows. They are also large enough to have some flexibility to keep themselves in their marketplaces while problems are being resolved, without stakeholders feeling an unacceptable impact.

New challenges
The challenges currently facing this new generation of risk managers therefore include:
Making best use of the new strengths within the organisation;
Consistency when approaching risk evaluation, risk tolerance and risk management, leading to seamless risk decision making;
Both a bird's eye view and a detail view across the organisation at the same time;
Managing second-hand destructive risks, and destructive timescales, that originate in suppliers;
Risks that are beyond the ability of the insurance industry to support;
Communication on matters of risk, and thus managing diverse expectations; and
Keeping up with change.
There are now more opportunities for the organisation to die, and to die more quickly, and the concept of 'killer risks' is increasingly emerging. The brand and stakeholder confidence concerns (see Chapter 9) are such killer issues, as are solvency (see above) and business and financial control. Dependencies on central group-wide facilities such as computerisation and communications to deliver the products on time and to an acceptable standard, and the intellectual assets within the organisation (see Chapter 11), are just a couple more among others. None of these is unfamiliar to the continuity manager.
As is mentioned elsewhere in this book and discussed further in Chapters 9, 21 and 22, changing regulatory needs are also demanding a more 'holistic' approach to risk management. Stakeholders have no interest in internal organisational boundaries. They concern themselves only with the potential for unacceptable impact on their shareholding, or on any other relationship they may have with the organisation itself. These regulatory needs, including Turnbull in the UK, are driving organisations to consider enterprise-wide operational risks more formally. These organisations, however, are more comfortable with the clearer-cut aspects of financial risk, where they have experience and sophisticated strategies and controls developed over many years. The evaluation and cost/benefit analysis of non-financial, operational risk decision making is not as simple to quantify. Some are clearly struggling with the
commercial decision making that is being demanded. The SERM approach can
be useful in this regard (see also Chapters 2 and 3).
It's worth considering at this point where the insurance programme fits into this new style of corporation and its 'killer' risks. Insurance is indeed extremely useful eventually; but where is that value in the crucial, threatening minutes and hours after a disaster, when survival of the organisation and its dependencies is the only challenge? The organisation and its most crucial dependencies need to survive first in order to gain, later, the full value of the insurance programme. This is discussed in more depth below.


Stakeholders
The risk manager will consider that the organisation is no more than its brand value and its intellectual and free value assets, together with the combined influence and support of its stakeholders. These stakeholders, with their quite different interests (and ways of responding when upset!), are at the centre of the risk manager's thoughts. This is true of the continuity manager too. They include:
Employees
Suppliers
Customers and distributors
Regulators
The media
Private and quoted shareholders
Bankers
The public, via their impression of the brands
The environment
And others ...


Risk evaluation
When evaluating risks, the risk manager measures them against the agreed risk tolerance levels of the organisation itself. If the risk, and/or the potential impact, is not acceptable to the organisation, then the risk manager sets out to bring these aspects within the agreed tolerance level. It is rare that the risk manager can remove all risk or impact altogether. In addressing unacceptable risks, the risk manager can consider the commercial realism of a range of options and the relative value of each. They are:
Reduce the likelihood or the potential frequency;
Ensure that the impact is reduced to an acceptable level, whether that be in human, operational or financial terms;
Transfer the impact to another organisation, e.g. a counterparty, an insurer, a captive insurer, the financial market or another; or
Prepare for the incident by way of continuity planning for business critical issues.
The suggestion here, therefore, is that contingency planning is just one of the options available to the risk manager. If credible, tested plans can be put in place so that the organisation can manage through an incident without serious damage, then surely that is one of the options to weigh alongside risk expenditure and resources. This is especially so where risk management would constrain the organisation from doing what it does best, and when dealing with low frequency, high impact exposures. Expenditure incurred after the disaster can often be an insured expense, a benefit close to finance directors' hearts. Before we leave this, though, we do need to stress the words credible and tested. This is all familiar to the continuity manager, who sets out to identify risks and evaluate them within the context of the impact on safety, and the urgencies, survival needs and responsibilities of the organisation. However, one should include here not just business continuity plans but also, wherever contingency planning is needed, plans for kidnap, extortion, bomb threat, suspicion of major fraud, succession, media attack, product recall and others. These have common denominators, of course, but the needs of each must be met.
The thesis then brings us back almost full circle. It may not be cost effective, or may simply be unachievable, to remove risk altogether by risk management. Continuity planning may be the only answer left when all that is realistically preventive has been done. All of these measures, though (ones that can include business decision making, security, health and safety, resilience in production lines, etc.), are, together with continuity planning, most effective when all are part of a relatively seamless process of risk and impact understanding and management.
Even the challenges to risk managers and to continuity planners are similar. First, how to get the attention of the board to the point that the right level of priority is given. How to gain resources for risk and continuity management in competition with projects that are about what is happening today (not what may or may not happen sometime in the future). How indeed to get the directors to give more than lip service and to concede fully that not only may this thing happen, but it may happen within the ever-shorter tenancy of that particular top job!
No doubt General William Reader must have had a bad meeting when he came out with the following quotation: 'The art of management consists of issuing orders, based on inaccurate, incomplete and archaic data, to meet a challenge which is dimly understood and which frequently will be misinterpreted, to accomplish a purpose about which many of the personnel are not enthusiastic.' If we recognise that risk management and continuity management are both commercial business issues, they (with their special challenges of acceptability and urgency) need to fit somewhere within this picture of management as described by the General. Not an easy task.
Each discipline is evolving within itself. There is real value in their working much more closely together, each providing valuable support for the other. Which is more important? This is difficult to say, especially until each finds its true potential in today's challenging business environment.
Crisis management: a view from the US
Today's business environment requires that crisis management be prioritised, especially since September 11. Events ranging from the threat of Y2K to terrorist attacks mean that, as demonstrated above, killer threats to the business exist in many forms. While this topic could, of course, form a book in itself, it is useful to consider the approach taken in the US to important business risks such as the environment and health and safety, from the perspective of the external advisor.


Managing an environmental, health and safety crisis
The world collectively breathed a great sigh of relief on 1 January 2000, when the much anticipated and greatly feared Y2K bug failed to bite and the long predicted worldwide crisis never happened. In the weeks leading up to the new millennium, even those of us who had convinced ourselves that everything was under control and that no crisis would actually occur had quietly stashed away some extra cash and loaded up a bit more than usual at the grocery store, just in case. In hindsight, many questions are being asked about why we survived the stroke of midnight unscathed. Was it all just a hoax? Was it misinformation? Or perhaps was it due to the unprecedented planning and testing of computers and computer-related equipment that had taken place in preparation for the new millennium?
Those who believe that the Y2K bug was exterminated by the enormous planning efforts of Corporate America think there is a lesson to be learned from this experience; namely, there is no substitute for good planning. That concept is certainly true when it comes to planning for and managing a crisis in the environmental, health and safety (EHS) arena. Unfortunately, despite an organisation's best efforts, it is almost inevitable that somewhere, sometime, a very serious EHS accident will occur. Experience has shown that companies caught without a comprehensive EHS crisis management plan suffer both severe public relations troubles and significant legal liability (see also Chapters 9, 16, 17, 18 and 19).


Preventing an environmental, health and safety crisis
There is an increasing level of threat from events such as acts of terrorism and large-scale disasters (the flooding of New Orleans, for example) that pose a very high secondary risk of environmental and human health damage.
