
Preparedness in a Changing Climate

Could Mother Nature disrupt your business? This is an old tale for many companies who make their homes in states that regularly experience extreme weather — but what about the rest of us? When the tail end of Hurricane Irene tracked over the Northeast this past August, it left behind some of the worst flooding and storm damage the region had experienced in more than 70 years. Meanwhile, Texas is coming off the harshest drought the state has ever experienced while a rash of tornadoes has been plaguing the South and Midwest. The February 2011 blizzard brought Chicago and New York to a standstill and did I mention Hawaii reported snowfall — in June?

As extreme weather becomes more widespread, no one is safe from nature’s wrath. Having a disaster preparedness plan, including backup and recovery for critical systems, will help your organization mitigate risk and maintain compliance, even in the event of a natural disaster.

Is Your Business Prepared?
Is your business ready? Could it recover in the event of an extreme weather occurrence or natural disaster? Plenty of companies think they are doing the right things in risk management. They are conducting regular business continuity business impact analyses (BIAs) and putting disaster recovery plans in place for their key applications, but often these activities are standalone processes with outputs held by business owners in emails, filing cabinets or limited file shares. IT security or risk management teams may have little visibility of any of this documentation, and as a result, have no easy way to identify emerging IT or business risks that might affect business continuity or disaster recovery planning. More serious still, senior business executives often also lack insight and simply assume that IT can get a data center up and running again quickly — completely failing to understand the extent of what might happen to the business while those critical processes are down.

Requirements for Preparedness
A GRC approach to disaster preparedness calls for greater control and visibility. It’s important that organizations look at this as a business function, not just an IT function.

An important part of disaster recovery planning is to be able to differentiate between your organization’s critical and non-critical functions and activities. You should be able to measure the value of your business processes and IT assets in order to risk-rate them according to the potential impact of an outage. How will an outage affect revenues, brand image, stakeholder confidence and customer loyalty? By doing this risk-rating, you can focus your disaster recovery plans on critical or high-value systems and processes and tie them to the company’s bigger risk concerns.

Another cornerstone of disaster planning is centralization of all of your analyses, plans and related documentation in a single repository. Centralization is not just about improving access and control, but also about making it easier to standardize by bringing everything together in one place so you can more easily view and respond to any overlaps, inconsistencies and gaps. Furthermore, it helps improve reporting by providing a holistic view of your business resilience program at any point in time.

As we’ve learned with all the events of this year, Mother Nature can be fickle. Even with plenty of warning of what’s coming, you can’t always be sure your assets will be protected. Your best option is to be very sure that you are prepared with options to keep your most critical operations running, and that you know exactly how to implement them.

Committing to Change: Don’t Be Afraid of What You Find
Once you have identified what your company needs and you have committed to making the required changes to your current preparedness program, you may have to brace yourself for some of what you discover as you start to delve deeper. Some examples of typical problems are:

  • Disaster recovery plans are missing, incomplete or not fully adequate
  • There is a significant gap between the risk and business strategies
  • Plans for on-call/emergency coverage are vague
  • Staff lack the training/expertise to carry out disaster recovery plans

Ultimately, most of these issues can be resolved with proper planning and clear communications. IT, finance, legal and the business departments all need to be on the same page when it comes to disaster planning. What is important to the marketing department, for example, may not be viewed as a high value business process by IT and as a result may not be tiered appropriately — leaving the marketing department out of luck in the event of an outage. Without clear, deliberate and well thought out plans, the risk to both businesses and employees increases and the recovery process takes more time than it should — eating away at revenue and reputation.


How Can You Make Sure Your Company Is Ready?
Once you have identified the issues with your preparedness plan, and the improvements you need to make, you are well on track to ensuring the readiness of your company.

As I touched on earlier — communication and collaboration are of the utmost importance. You need to ensure a common understanding across departments of the processes, assets and functions that are of most importance to the business and, therefore, to its customers.


This understanding is what will underpin the risk-rating and BIAs that will drive your preparedness planning.

Next is tying together people, processes and technology to avoid conflicts, gaps and wasteful overlaps. Specialist software tools can support this effort by streamlining workflows and making it easy for non-technical users to carry out activities like running real-time reports. These tools also typically provide the central repository you need for all your documented output.

Finally, training and testing are absolutely vital to a solid disaster preparedness plan. What good is a robust plan if no one knows what to do with it?

Preparedness depends on knowing exactly what to do, when to do it and how to do it.


There is no second chance when a disaster strikes, only lessons learned.

RIMS ERM Conference: A Q&A on the Future of ERM

What does the future hold for enterprise risk management? That’s exactly what a panel Q&A session touched on during the recent RIMS ERM Conference. Carol Fox, director of strategic and enterprise risk practice for RIMS, moderated the discussion between attendees and:

  • Ryan Egerdahl, risk manager at Bonneville Power
  • Mary Gardner, chief risk officer at Zurich North America
  • Rob Torok, risk management consultant with IBM Global Services

To kick off the discussion, Fox asked the panelists what the biggest changes in ERM had been within the last 10 years.

Mary: A really big issue is going to be risk-based capital. Where do we require it, and where are we going to reduce our investment so we can write insurance in growing areas of the world? We want to reduce our risk so we can free up our risk capital so we can go into growing areas such as BRIC nations.

Question: Have you spent much time talking about enterprise content management, like records management, which I’m hearing more and more about?

Rob: One of the things we’re rigorous about is information security, with both internal data and the data that belongs to our customers and our clients. We have an enormous amount of customer data. Because of that, there is an enormous number of controls IBM has put into place.

Mary: It’s an emerging risk. In fact, on October 13th the SEC indicated that all companies will be required to provide information on past breaches and what they might expect in future breaches and what impact that may have on their financial statement. That’s scary and we need to figure out what that means. It’s something to definitely consider.

Question: Having a risk taxonomy — is that effective? Does it help you manage risks? By separating them into various categories?

Mary: I would say yes. We identify risks in each business division and analyze them. It’s kind of a top down, bottom up approach. We look at the different kinds of inputs. We also use that to determine systemic risks and see where we have risks concentrated in one particular area or business.

Rob: An organization must have a standard risk taxonomy. Everybody in the organization must look at those risks and talk about how those risks affect each particular business unit. We’ve developed a template of about 150 risks. That template is a fine starting point, but don’t use IBM’s or any other company’s template — it won’t apply to you.

A client gave me a list of 504 risks and asked me to comment on it. The reason they had 504 risks was because many risks were repeated in each business unit and geography. This is because they never had a standard taxonomy. That list could’ve dropped by 40 or 50% easily if they had a standard language or taxonomy.

Mary: Companies need to think of their standard taxonomy as a living document.

Question: What do you do to help identify emerging risks?

Ryan: I’m less concerned about the unknowables. I’m concentrating on the big risks facing us now. We have enough to worry about right now in our business alone.

Rob: I haven’t got a clue what that next risk is, but allow yourself to think broadly about it. Don’t close your eyes to things. Don’t shoot down the ideas of someone who says “hey, what about this or what about that?”

Mary: Keep it simple. We can make this ERM process so complicated sometimes. Maybe if we just get back to basics it would be much better.

Ryan: If you’re just starting the ERM journey, don’t rush into the GRC software immediately — wait until you’re mature enough in the process to get there.

Mary: Get out of the box. There are a lot of conversations that may spur thoughts. Talking to risk managers in other industries may spark ideas.

Rob: What about your business and social network? What are they worried about? I’m not talking about things that have already occurred, but what has not happened yet in their enterprises. Use that information to help you think about risks in your own enterprise.


RIMS ERM Conference Awards Excellence in the Field

The final day of the RIMS ERM Conference in San Diego was highlighted by the first-ever ERM Award of Distinction Luncheon, at which two organizations within the industry were honored for innovative ERM programs that have demonstrated enterprise risk management success with measurable value to their organization. Essentially, the award was created to honor organizations that have shown tremendous commitment to the ERM discipline. The criteria that the judging panel took into consideration included:

  • The scope of the ERM program and how it engages different levels throughout the organization
  • Its link or connection to the company’s overall mission
  • Its ability to create additional value for the organization

Honorable mention for the ERM Award of Distinction went to Goodwill Industries International. With the assistance of Deloitte’s Governance, Risk & Regulatory Services team, and as part of its national pro bono program, Goodwill developed an ERM program template to help member agencies improve their risk management practices. With a template in place, Goodwill was able to provide valuable guidelines to its members, which in turn has helped protect one of the organization’s most vital assets — its name.

“This is a remarkable story and great example of how an ERM program can protect against reputational risks in a decentralized management structure,” Seaman said.

Jacqueline Fifield of Deloitte accepted the award on behalf of Goodwill.

The big winner of the 2011 ERM Award of Distinction was Paychex, Inc., a company that implemented an ERM program to add value throughout the entire organization, making sure its scope went beyond traditional risk oversight. As Seaman noted, “value creation was the focus of Paychex’s ERM program, and it certainly hit the mark. This is an exceptional example of an ERM program that set out to uncover opportunities for the company to reinvent itself, and it was directly responsible for generating significant revenue.”

Accepting the award was Allan Smith of Paychex, Inc.

Nowell Seaman, Jacqueline Fifield, Allan Smith and Mary Roth at the ERM Award of Distinction Luncheon.

Nate Booth on the 6 Approaches to Change

Welcoming guests to the first annual RIMS ERM Conference, author and consultant Nate Booth delivered a keynote speech that touched on, among other things, the six approaches to change, which are:

  1. Avoidance approach
  2. Apathetic approach
  3. Resistant approach
  4. Reactive approach
  5. Anticipatory approach
  6. Creative approach

He stressed that the most successful companies use the creative approach and also react quickly to change, anticipate change and create change — using Apple and Zappos as examples. Booth also reminded everyone of two important beliefs that most people fail to recognize:

  1. Change creates opportunity
  2. There is always a way to use change to your advantage

Wise words that are not always lived by — especially in the business world.