Resiliency in 2018: Q&A With BCI’s David Thorp

Organizational resiliency is a focus of the Business Continuity Institute (BCI) and executive director David Thorp. It was the theme of this year’s annual Business Continuity Awareness Week, which Risk Management Monitor covered in May, and was the focus of BCI’s updated manifesto.

We reached out to Thorp to get his insight on organizational resiliency, how businesses can improve their continuity plans and for ways to better incorporate them into their culture.

Risk Management Monitor: What companies have best demonstrated resilience?

David Thorp: A few examples of organizations that have displayed a high level of resilience are Apple, TomTom, and PostNL.

Apple displayed resilience when they reemployed Steve Jobs to reshape the company.

TomTom started by making software for Palm computers. It has dealt with a rapidly changing marketplace and over the years it has:

  • produced navigation software for PDAs (personal digital assistant)
  • produced its own navigation devices
  • developed live traffic information
  • acquired a digital mapping company
  • developed navigation software for smartphones
  • struck up deals with car manufacturers

PostNL (formerly TNT) has had to adapt to the decline in regular mail as well as tapping into the requirement to deliver more packages (outside working hours) as a result of an increase of web shops.

RMM: What do organizations most commonly overlook in their continuity planning?

DT: Two most commonly overlooked aspects are keeping plans up to date and exercising/testing.

Business continuity management is often initiated as a project, usually assisted with external expertise. Internal personnel frequently have this role in addition to their “normal” functions. As the organization changes, these plans often get overlooked. After one or two exercises have been carried out, the focus on exercising quickly diminishes.

Unfortunately, these two aspects have a large impact on the ability to recover as planned. It could be argued that this is an indication of a lack of management commitment.

RMM: Why do so many companies overlook their continuity planning and emergency preparedness?

DT: The biggest reason is that it is not a requirement for many organizations. When not required by a regulator or a customer, the organization must:

  1. know about continuity planning and emergency preparedness
  2. understand their risk
  3. understand its value before there is a possibility of it being implemented

By not having done a risk or impact analysis, it is also easy for organizations to think that a disruptive event will not happen to them and therefore not worth the hassle and investment.

RMM: How much time and effort does creating and initiating a business continuity plan take?

DT: This depends on the size and complexity of the organization, the ambition level and the resources available. For small organizations, it is possible to create and exercise plans within a month—but this would typically take a little longer as the required people will also have other tasks. For a large and more complex organization, it may take two-to-three years to reach the desired maturity level.

RMM: What advances would you like to see the global risk management community achieve with regard to planning and preparedness?

DT: I would like to see a better understanding of each other’s disciplines and a better collaboration between them. There is much overlap between the two disciplines and with better collaboration, we can more efficiently and effectively minimize risks and improve the continuity. We are currently working on better understanding how we achieve synergy between business continuity and risk management. We see this as being a prerequisite for achieving organizational resilience. Collaboration with other disciplines is also necessary.

RMM: We’ve seen examples of reputation crises that have in some cases forced companies to close. How can organizations avoid these pitfalls?

DT: A major factor in managing the extent of the reputation damage is the quality of the crisis communication. How well and honestly you inform those affected and of course how you deal with social media makes the difference in how you are perceived. The subsequent actions need to be in line with the messages communicated.

RMM: What has changed in the BCI’s Manifesto for Organizational Resilience that risk professionals should know about?

DT: The manifesto is built on the simple premise that resilience is not the responsibility of one part of the organization—it is the responsibility of discipline within an organization working closely together toward a common purpose. Risk Management, emergency planning, disaster recovery, security, facilities management, business continuity management, supply chain management, IT management, HR management…all have an equal role to play in delivering resilience.

The manifesto contains our undertaking to seek out alliances with other professional bodies along the spectrum of what might be termed “resilience disciplines” in order to work collaboratively. This would make organizations more resilient than if we each work within our own silo.

Starbucks And Coffee Industry To Reassess Strategies

The coffee industry is poised for moderate growth in the next five years, but is warned of an emerging risk: an informed consumer, according to a recent IBISWorld report.

“Despite long-term, aggregate declines in healthy eating, consumers are more aware of health issues associated with fatty foods and are increasingly going out of their way to avoid them,” its latest Coffee & Snack Shops industry report notes. Consumers who are more aware of the nutritional information of a Starbucks Frappuccino, for example, may be less inclined to make repeat purchases. “The healthy eating index is expected to stagnate [in] 2018, but as consumers’ diets progressively improve, this driver continues to pose a threat to industry operators,” IBISWorld said.

Last week, in Starbucks’ financial release, President and CEO Kevin Johnson acknowledged his clientele’s evolving tastes. “We must move faster to address the more rapidly changing preferences and needs of our customers,” he said.

And so, with the Seattle-headquartered roaster and retailer leading the charge, the industry is expected to get creative and a bit more versatile. In its five-year forecast, IBISWorld suggests that coffee alone can no longer fuel the industry’s expansion, which is expected to stay resilient at an annualized rate of 0.9% to $51 billion. “Nontraditional, high-margin menu items, such as iced coffee drinks, breakfast items and wraps,” featured in “unsaturated markets while experimenting with different store formats,” will help generate growth, the report stated.

Furthermore, the collective habits may change everything from coffee retailers’ food and beverage offerings to their physical store layouts. The IBISWorld report stated:

Major operators, such as Starbucks and Dunkin’ Donuts, are expected to expand their menus and remodel the designs of their locations over the five years to 2023 to increase sales and draw a wider range of customers.

Assessing the Risk of Growth

The forecast was certainly prophetic, considering that Starbucks announced plans to close 150 stores due to underperformance just last week. It seems that more manageable expansion efforts will level some profit margins; where Starbucks wanted to hit 3-5% growth, 1% is more pragmatic. According to the company’s statement:

Starbucks is optimizing its U.S. store portfolio at a more rapid pace in FY19, including shifting new company-operated store growth to underpenetrated markets, slowing licensed store growth, and increasing the closure of underperforming company-operated stores in its most densely penetrated markets to approximately 150 in FY19 from a historical average of up to 50 annually. In FY19, this will result in a slightly lower growth rate in net new company-operated stores. 

Last August, Risk Management Monitor reported that Starbucks’ expansion efforts were to the point that there was almost a store on every corner—with an estimated 3.6 locations within a one-mile radius of each other. The realization marked the end of an aggressive growth strategy, in which 8,000 shops were added over a seven-year period. It was also underscored by a 1% downgrade in its share price. IBISWorld still ranks ‘Bucks as the leader of the coffee and snack shops market in the U.S. with a 23.2% market share (followed by Dunkin’ Brands at 17%), and the move is apparently part of a refocused strategy.

Michael J. Mazarr, a senior political scientist at RAND Corporation, noted that reassessing Starbucks’ growth rate will help maintain its leadership status. And while businesses can learn by following the company’s example, they should ask deeper, more strategic questions.

“Clearly a major risk to a company like [Starbucks] would be even a modest swing in consumers who believe that the company has gotten too big. The fascinating questions would be: ‘To what extent did they analyze this?,’ ‘anticipate possible changes?,’ ‘think clearly about risks and outcomes?,’ and ‘did they get some assumptions or expectations slightly wrong?’” Mazarr told Risk Management Monitor. “Businesses obviously have invalid expectations all the time—not all of those cases are examples of failed risk management or being blind to consequentialist thinking. Sometimes they are trying to think deeply and rigorously about consequences; they just guess wrong.”

Mazarr has contributed to Risk Management magazine with an article exploring consequence management and the “character of risk,” which you can read here.

LIRR Misses Critical Juncture for Positive Train Control

Last week, the Long Island Rail Road (LIRR) confirmed interruptions in its ability to fully install positive train control (PTC) across its system by the end of the year. Newsday reported that the LIRR system, which is a unit of the Metropolitan Transportation Authority’s (MTA) network, failed 16 out of 52 factory tests performed in early March using a computerized simulation of the new technology.

Although its PTC contractor continues to investigate the cause of the failures, MTA officials said they believe it stems from the complexity and density of the LIRR, which is the busiest commuter railroad in the country averaging more than 311,000 daily riders.

PTC is designed to eliminate human error by using four components: GPS satellite data, onboard locomotive equipment, the dispatching office and wayside interface units. The system communicates with the train’s onboard computer, allowing it to audibly warn the engineer and display its safe braking distance based on its speed, length, width and weight, as well as the grade and curvature of the track, according to railroad operator Metrolink.

If the engineer does not respond to the warning, the onboard computer will activate the brakes and safely stop the train.

An approved PTC System must protect against:

  • Passing a stop signal.
  • Train-to-train collision.
  • Overspeed on curves and other civil restrictions.
  • Unauthorized incursions by a train into a work zone.

The installation began in January as part of a $1 billion safety upgrade, although it had been on the LIRR’s strategic plans for years. So far, substandard testing results are not instilling much confidence that PTC will be complete by the federal deadline of Dec. 31, 2018. If that deadline is missed, agencies without properly installed PTC may face fines of up to $25,000 per day, as enforced by the U.S. Rail Safety Improvement Act of 2008.

MTA Board member Neal Zuckerman told Newsday he is less concerned about meeting a federal deadline than he is about “having a system that works for riders.”

“It is better to have this right than fast,” Zuckerman said. “A nonfunctioning system is not worthwhile. It’s a waste of money and time and ultimately will not serve the needs of the riders.”

The LIRR is not the only major transit system to be missing the mark. Risk Management Monitor reported on Amtrak’s struggle to meet the deadline in February and that by the end of 2017, only 8% of NJ Transit’s locomotives and none of its tracks were updated with PTC.

Efforts to upgrade train technology have been a nationwide priority. There have been a number of accidents in recent years. The most recent was a major derailment occurring on Dec. 18, 2017, when an Amtrak train derailed near Tacoma, Washington, killing three passengers and injuring about 100. That crash was the result of excessive speed in a steep curve, which experts suggested could have been prevented with PTC’s automatic braking technology. Amtrak Train No. 501, on its inaugural run, was traveling 80 miles per hour in an area limited to 30 miles per hour when it derailed on an overpass, sending the train’s 12 coaches and one of its two engines careening onto the highway below.

As previously reported in Risk Management, a similar derailment in Philadelphia in May 2015 that killed eight was also blamed on excessive speed and could have been avoided if PTC had been in place.

After Congress passed the PTC Enforcement and Implementation Act of 2015, it also authorized the FAST Act, which allocated $199 million in PTC grant funding and specifically prioritized PTC installation projects for Railroad Rehabilitation and Improvement Financing funding. The Association of American Railroads estimates that freight railroads will spend $10.6 billion implementing PTC, with additional hundreds of millions each year to maintain.

The American Public Transportation Association has estimated that the commuter and passenger railroads will need to spend nearly $3.6 billion on PTC.

High Performance Risk Management

LOS ANGELES—Risk managers, whose job once focused on a basic “bucket of risks,” and making decisions about which risks are transferable and which ones the company should retain, have been “migrating along an evolutionary path which is allowing us to be more strategic,” said Chris Mandel, senior vice president of strategic solutions at Sedgwick, at the RIMS ERM Conference 2017.

During the session “The Trouble with ERM,” he noted that risk managers now need to alter their focus. “The question for risk managers now is, how do we get our organizations to focus on long-term success and recognize the link between strategy and risk?” he said.

Erin Sedor, president at Black Fox Strategy, said that personal experience taught her the importance of connecting with the CEO and aligning with the company’s strategy when setting up a program. “You need to know what they are talking about and understand strategy,” she said.

Unable to find a satisfactory definition of strategy for ERM, Sedor came up with her own: A set of decisions made at a given point in time, based on business intelligence, that when successfully executed, support the purpose, growth & survival of the organization.

She added that, unfortunately, enterprise risk is not a term that resonates with the C-suite, but strategy is.

She identified three major problems with ERM that can dampen its prospects:

  1. A limited view of the organization’s mission, growth and survival.
  2. Silos. Breaking through them is a nonstop process, no matter how a company tries to improve the situation—especially in the areas of risk management, continuity planning and strategy, which typically happen in very different parts of the company. “It is important to link risk management and continuity planning in the strategic planning process, because that will get some attention and get the program where it needs to be,” she said.
  3. Size. Because ERM programs are notoriously huge, she said, “the thought is that ERM will cost too much money, take too many resources and take too long to implement. And that by the time it’s finished, everything will have changed anyway.”

Starting the process by “saying you’re going to focus on mission-critical,” however, can help get the conversation moving. “Because as you focus on that, the lines between risk management, continuity planning and strategic planning begin to blur,” she said.

Sedor described mission-critical as any activity, asset, resource, service or system that materially impacts (positively or negatively) the organization’s ability to successfully achieve its strategic goals and objectives.

She said to find out what mission-critical means to the organization, what is the company’s appetite and tolerance for mission-critical, and the impacts of mission-critical exposures on the organization. “Risk managers will often ask this question first, but you have to come to grips with the fact that not every risk is a mission-critical risk,” she said. “And not everything in a risk management program is mission-critical.” Using that context helps in gaining perspective, she added.

When viewing risk management, continuity planning and strategic planning from a traditional perspective, strategic planning is about capturing opportunity and mitigating threats; risk management is the identification, assessment and mitigation of risk; and business continuity planning is about planning for and mitigating catastrophic threats.

Looking at them from a different vantage, however, strategic planning is planning for growth; risk management allows you to eliminate weaknesses that will impede growth, which is why it’s important; and continuity planning will identify and mitigate the threats that impact sustainability. “That is how they work together,” she said, adding, “you are also looking at weaknesses that, when coupled with a threat, will take you out. Those are your high-priority weaknesses. Using a mission-critical context makes it all manageable.”

At this point, if a risk manager can gain enough leverage to talk to executives throughout the organization about what mission-critical means to the company, its impact, and then about tolerances and creating a more integrated program, “all of a sudden, you’ve talked about ERM and they didn’t even know it,” she said. “They thought you were talking about strategy.”