High Performance Risk Management

LOS ANGELES—Risk managers, whose job once focused on a basic “bucket of risks,” and making decisions about which risks are transferable and which ones the company should retain, have been “migrating along an evolutionary path which is allowing us to be more strategic,” said Chris Mandel, senior vice president of strategic solutions at Sedgwick, at the RIMS ERM Conference 2017.

During the session “The Trouble with ERM,” he noted that risk managers now need to alter their focus. “The question for risk managers now is, how do we get our organizations to focus on long-term success and recognize the link between strategy and risk?” he said.

Erin Sedor, president at Black Fox Strategy, said that personal experience taught her the importance of connecting with the CEO and aligning with the company’s strategy when setting up a program. “You need to know what they are talking about and understand strategy,” she said.

Unable to find a satisfactory definition of strategy for ERM, Sedor came up with her own: “A strategic business discipline that allows an organization to manage risks and seize opportunities related to the achievement of its objectives.” She added that, unfortunately, enterprise risk is not a term that resonates with the C-suite, but strategy is.

She identified three major problems with ERM that can dampen its prospects:

  1. A limited view of the organization’s mission, growth and survival.
  2. Silos. Breaking through them is a nonstop process, no matter how a company tries to improve the situation—especially in the areas of risk management, continuity planning and strategy, which typically happen in very different parts of the company. “It is important to link risk management and continuity planning in the strategic planning process, because that will get some attention and get the program where it needs to be,” she said.
  3. Size. Because ERM programs are notoriously huge, she said, “the thought is that ERM will cost too much money, take too many resources and take too long to implement. And that by the time it’s finished, everything will have changed anyway.”

Starting the process by “saying you’re going to focus on mission-critical,” however, can help get the conversation moving. “Because as you focus on that, the lines between risk management, continuity planning and strategic planning begin to blur,” she said.

Sedor described mission-critical as any activity, asset, resource, service or system that materially impacts (positively or negatively) the organization’s ability to successfully achieve its strategic goals and objectives.

She said risk managers should find out what mission-critical means to the organization, what the company’s appetite and tolerance for mission-critical exposures are, and what impact those exposures have on the organization. “Risk managers will often ask this question first, but you have to come to grips with the fact that not every risk is a mission-critical risk,” she said. “And not everything in a risk management program is mission-critical.” Using that context helps in gaining perspective, she added.

When viewing risk management, continuity planning and strategic planning from a traditional perspective, strategic planning is about capturing opportunity and mitigating threats; risk management is the identification, assessment and mitigation of risk; and business continuity planning is about planning for and mitigating catastrophic threats.

Looking at them from a different vantage, however, strategic planning is planning for growth; risk management allows you to eliminate weaknesses that will impede growth, which is why it’s important; and continuity planning will identify and mitigate the threats that impact sustainability. “That is how they work together,” she said, adding, “you are also looking at weaknesses that, when coupled with a threat, will take you out. Those are your high-priority weaknesses. Using a mission-critical context makes it all manageable.”

At this point, if a risk manager can gain enough leverage to talk to executives throughout the organization about what mission-critical means to the company, its impact, and then about tolerances and creating a more integrated program, “all of a sudden, you’ve talked about ERM and they didn’t even know it,” she said. “They thought you were talking about strategy.”

Wildfires a Reminder to Update Disaster Preparedness Plans

Raging across the country, threatening businesses and residences alike, wildfires are a reality, burning a reported 1.9 million acres in the U.S. so far this year. West of Santa Barbara, firefighters have battled an intense fire for almost a week. Wildfires are also burning in Arizona and New Mexico. In Canada, the Fort McMurray blaze burned for weeks and scorched some 2,400 square miles of land—more than 1.4 million acres. In five of the past 10 years, in fact, wildfires have ranked among the top 20 worldwide loss events.


Companies that haven’t already done so may want to assess the impact such a disaster could have on their business as well as what actions can be taken to mitigate damage. While most businesses believe they are prepared for a fire, especially if their building is equipped with fire alarms, fire extinguishers, smoke detectors and an evacuation plan, these measures may not be enough when stress and confusion take over, according to Interstate.

Organizations could face utility interruption, impacting gas and phone systems; they may have flooding from sprinklers, which, mixed with soot, can cause other complications; there may be smoke damage, which can be carried throughout a building through air conditioning systems; and there can be chemical residue from fire suppression systems.

There also may be asbestos hazards from older building materials, ceiling and floor tiles and pipe insulation.

Planning ahead for data loss resulting from damaged computers and burned paper documents is also advised.

Interstate lists four questions companies need to ask in advance of such a disaster:

Overcoming ‘Balkanization’ of Business Continuity Planning

Fragmentation

To be sustainable, organizations must prepare for crises that occur or risks that crystallize. General responses to those threats include alternative office sites, IT backups and communication protocols. As reality demonstrates over and over, it is critically important to have a strong leader in a crisis situation, be it the captain of a ship in a storm, the commanding officer of a platoon under fire or the CEO of a company in turmoil. A cacophony of contradicting orders or disintegration in the line of command is the surest way to increase a disaster’s impact and the time needed to recover.

Instead of creating a strong BCP landscape with clear lines of command and control, however, we more often see “balkanization,” or fragmentation of responsibilities. Business continuity planning, environmental health and safety, operational risk and IT disaster recovery are different teams with overlapping roles and responsibilities for crisis management.

The newest buzzword is resilience, which is discussed in a growing number of articles and lectures and defined as the “ability to bounce back to a normal operating status after a state of crisis.” There are also a number of overlapping areas with the aforementioned functions—and that is just on an intra-company level. The OECD has issued Guidelines for Resilience System Analysis, urging member states to set up resilience management on a country level basis.

Recent private initiatives like the 100 Resilient Cities (100RC) program by the Rockefeller Foundation bring resilience management to an urban level. So if a natural disaster hits a major city, thousands of firms, and the city itself, will invoke a patchwork of crisis plans. For a larger disaster, there might also be a national crisis plan. Are there clear lines of command, however? Is everybody aware of what to do? We doubt it.

Modern BCP management does not need more specialization and buzzwords, but coordination of the different functions and initiatives to provide a clear, consistent and timely response. One of the most pressing tasks is establishing a common risk language to ensure that all stakeholders involved in the process have the same understanding. For example: While the 100RC initiative is coining the term CRO for chief resilience officer, the acronym is also widely used as an abbreviation for chief risk officer. So while talking about roles and responsibilities of a CRO, everyone involved should have a clear understanding about which CRO is meant.

100RC also looks at urban resilience in terms of surviving and thriving, regardless of the challenges—be they acute shocks (such as severe weather or earthquakes) or chronic stresses (long-term unemployment and violent crime)—and it seeks a much wider remit than the traditional concept of resilience as “the ability to bounce back from an event.”

The response is to call for a more coordinated approach working across multiple stakeholders through the chief resilience officer who, according to Michael Berkowitz (president of 100RC), “needs to build connections across not just various departments of municipal government, but across an entire ecosystem of people and places.” This is welcome, since it is both forward-looking and holistic in its approach to solving some of the world’s major issues in the next 20 years. Given that most entities are no longer stand-alone enterprises, but part of an increasingly global network of customers, suppliers, regulators and other stakeholders, disaster recovery cannot be handled effectively by an individual member of that network. Instead, the entire group needs to collaborate to create an effective disaster recovery program. A central CRO who coordinates the needs of the various parts of the network seems to be the best way.

While we see this forward-looking risk management approach to resilience as a welcome development, it does further complicate interaction between resilience and BCP by muddying command and control and introducing the potential for more stakeholders in an already complex chain. What is required for this to work is very clear planning and, one could argue, the ability for external (such as municipal) CROs to assume command of enterprises under their jurisdiction.

As of now, in most jurisdictions it is the responsibility of the CEO and the board to determine and define risk capacity and risk appetite. This leaves little room for outsourcing BCP or resilience planning. The key question, then, is whether a change in mindset and approach is required to enable the development of network-wide recovery solutions, thus overcoming the balkanization of BCP.