The Time Has Come For Continuity Risk Management
- Published on Monday, October 22, 2012
- Written by David Nolan
The time has come for business continuity to align with the broader risk management culture of the enterprise. Business realities are challenging our traditional notions of business continuity and disaster recovery. Objectives are changing, and the business value you provide is being defined in new ways.
Starting with the concept that “vulnerabilities and threats are endless, but the funds to address them are not,” it is not only possible, but probable, that an organization will have to accept more risk than the executive team is comfortable with because there simply isn’t enough money to fully address every risk.
While DR/BCP programs have been around for decades and have included business impact and risk assessments (BIAs), it would be a stretch to suggest that DR/BC programs have been integral to an organization’s enterprise risk management program … until now! There are compelling drivers that are pushing DR/BCP into the risk management fold and undeniable evidence the trend is gaining momentum.
DR/BC program scope has grown slowly but steadily from its roots in IT disaster recovery planning to today’s more expansive programs that include plans encompassing critical business operations, the networks that connect them, and the information they rely on. The drivers have been defensive in nature with a focus on avoiding catastrophic losses. With the advent of continuity risk management (CRM) and a stronger connection to the emerging field of enterprise risk management, traditional DR/BC programs are more tightly aligned with the business and can have a direct impact on revenue and sales.
Some of this is evolutionary and is to be expected of an industry still in the formative stages. However, the shift to continuity risk management represents a new chapter, if not an entirely new book!
Relentless economic pressures continue to drive everyone to do more with less. Government regulations and industry standards have emerged, bringing attention to inadequate risk management practices in many industries. Deadly tornadoes, hurricanes, wildfires, earthquakes, and tsunamis have provided highly visible evidence of random devastation.
With critical supply chains broken and less than acceptable responses, organizations are keenly focused on anything that could disrupt their ability to deliver essential products and services to the market. DR/BCP is inwardly focused and driven by loss avoidance. CRM has a systemic focus, including both suppliers and customers. As organizations awaken to the broader concepts of CRM, they quickly identify critical “risk intersections” both internally and in their supply chain that must be addressed. Mitigating supply chain risks generally means that sole source suppliers must either have bulletproof continuity plans, or the organization needs to seek alternative suppliers. The client-supplier relationship is a central theme in the evolution of continuity risk management.
CRM has a rich pedigree drawn from its traditional DR/BC and risk management lineage. CRM is a blend of risk management concepts that focus on the identification and disposition of risk and DR/BC concepts focused on plans and strategies. For those coming from the risk management side it is important to respect that you can’t simply insure operational risks the same way you might insure property or liability. For the DR/BC practitioners, it is important to recognize that risk management is the management of accepted risks as much or more than managing a program. CRM embraces the notion that some risk and therefore some impact will happen and seeks to manage the actions to mitigate risk and the expectations of impact.
CRM is driven by a persistent and pervasive instinct … survival. The emergence of CRM therefore is a certainty. Vulnerabilities and threats are endless, but the funds to address them are not, making it imperative to identify and prioritize risks. Risks are created when all the eggs are placed in one basket. Single points of failure are easily identified. Risk mitigation is most easily achieved by redistributing the risk across multiple entities. For the largest enterprises, this means putting suppliers on notice, requiring that they demonstrate resilience and/or placing their business with firms they can rely on. For those suppliers, this means managing risk to retain and grow revenue even more than to protect against a disaster. Part of that strategy will undoubtedly involve notifying their suppliers, and so on down the line.
This process is already in motion with the largest enterprises having served notice over the last several years. If there was any doubt as to the importance of CRM as a business strategy and process, it was eliminated in the wake of disruptions caused by the extraordinary weather events and fiscal and sovereign issues in Europe and the Middle East.
CRM must include a commitment to the business process of continuity risk management, which includes the identification, measurement, prioritization, and monitoring of operational risks … risks that could disrupt an organization’s ability to fulfill its obligations. CRM must balance fiduciary pressures to minimize risk with fiscal pressures to maximize profits. This will clearly involve acceptance of potentially substantial operational risks in favor of more compelling and potentially catastrophic risks. The scope and definition of CRM must expand from its “planning” roots to its “preparedness” future. While plans can serve an organization well, there are simply too many permutations for which to plan. The concept of preparedness accepts the probability that an incident won’t play out exactly as anticipated, no matter how detailed your plan is. Preparedness means enriching a plan not through rigorous planning but with information and tools that bring the plan to life and empower users to adapt and respond most effectively.
A top-down focus on preparedness versus planning is a key differentiator for CRM versus traditional DR/BC and risk management programs. Successful CRM requires a fundamental change in the approaches, methods, and tools used. The past has been focused on planning and program management. These building blocks are central to CRM but subordinate to risk management which will govern and set direction for the programs and plans of the future.
The good news is that market-leading organizations are proving every day that it is possible to implement strategic continuity risk management programs that deliver more business value, often using fewer resources. The transition begins with the realization that preparedness trumps planning when it comes to long-term success. It takes root when an organization rallies around the need to manage potentially catastrophic risks rather than write plans that may never be used. It flourishes when supported by processes and systems that can make it easy and worthwhile for business users to engage in the process, keeping it alive month in, month out, rather than as a disruptive annual ordeal.
Continuity risk management programs are coming to life in leading organizations, and as a result are pushing the need for comprehensive tools from software and service providers who truly understand the challenge. Supply chain risk management initiatives have raised the stakes by requiring trading partners to upgrade their preparedness or lose business. CRM is being driven not just by the fear of sustaining a catastrophic loss in the wake of a devastating disaster, but more so by the need to avoid a clear and present danger … the loss of revenue and profits as customers move some or all of their business to more resilient and reliable vendors. Conversely, a strong CRM program can be the key to winning new business and gaining market share.
Successful CRM is a measure of an organization’s preparedness, which encompasses the management of risks, impacts, contingency plans, and programs along with expectations. The trends are undeniable, and the transformation is already under way from traditional approaches to comprehensive continuity risk management.
David Nolan, president and CEO of Fusion Risk Management, winner of BCI’s “Most Innovative Product of the Year.”