Introduction to Enterprise Risk Management for BBA & MBA candidates
Enterprise Risk Management
Introduction (Part 1)
John Glenn, MBCI
Enterprise Risk Management practitioner
Hollywood/Fort Lauderdale, Florida
1-954-961-1674 – [email protected] – JohnGlennMBCI.com
Copyright 2010, John Glenn MBCI
Overview
• Enterprise Risk Management (ERM) also is known as Business Continuity or Continuation Of Operations (COOP)
• Enterprise Risk Management is not Information Technology Disaster Recovery (IT D/R), although IT D/R is an integral part of Enterprise Risk Management
What’s in a name?
Enterprise Risk Management (ERM) defined
• Enterprise: The entire organization, working from the profit center(s) out; holistic, all-inclusive
• Risk: All risks, both external and internal; no risk is overlooked or considered “out-of-scope”
• Management: Control threats through avoidance or mitigation; plan recovery to “business as usual”
Program or project
• Success or failure
• ROI or wasted effort and funds
• Enterprise Risk Management, to be successful, must be an on-going program; while there is a beginning, there is no end
• The program usually consists of projects, each with specific milestones
Who’s in charge?
• The ideal candidate to sponsor an Enterprise Risk Management program (best) or project is a very senior manager with fiduciary responsibilities, e.g., CEO, CFO, COO
Who is NOT in charge
• Functional unit C*Os and VPs (e.g., VP/MIS, CIO) properly are function-focused and lack enterprise fiduciary responsibility; they also may be perceived as working primarily for the good of their unit rather than the good of the overall organization
Crossing silos
• Enterprise Risk Management is concerned with threats to “business as usual” from all directions
• Enterprise Risk Management focuses on PROCESSES and follows critical processes from initiation to completion
Risk Management Humor
Passengers board ABC Airlines Flight 13. The pilot’s voice comes over the intercom:
“Ladies & gentlemen, welcome to ABC Airlines Flight 13.
“This is ABC’s first fully automated flight; the only ABC personnel on board are the Flight Attendants.
“Everything is computer controlled.
“Nothing can possibly go wrong, go wrong, go . . .
Abbreviated flow diagram
What could possibly go wrong?
Threats to “business as usual” - 1
Threats to “business as usual” come from external vendors:
• Materials suppliers
• Utilities suppliers
• Money suppliers (lenders)
• Transportation providers
• “Ubiquitous others”
Threats to “business as usual” - 2
Threats to “business as usual” come from internal vendors:
• Facilities
• HR/Personnel
• Office support (Accounting, Mailroom, etc.)
• IT
• “Ubiquitous others”
Threats to “business as usual” - 3
Threats to “business as usual” come from:
• Government, trade groups, regulators
• Customers
• Competition
• Image (company, product, associations)
• Neighbors
• Events (holidays)
• “Ubiquitous others”
Prioritize threats
• Threats are rated by
– Probability of occurrence
– Impact on organization
– You set the scale
• Low-Medium-High
• 1 to 3, 5, 10
• Avoidance & mitigation costs are not an issue at this point
Avoid, Mitigate, or Absorb
Threats can be
• Avoided: usually the “high cost” option
• Mitigated: typically less expensive than avoidance, but with trade-offs
– Mitigation includes insurance coverage
• Absorbed: The organization will accept the loss
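The rating step from the previous two slides in code, as an added example that is not part of the slides: each threat on the chart is rated for probability and impact on a scale the planner chooses (Low-Medium-High or 1..N), the product ranks the chart, and a constructed rule of thumb suggests which treatment the decision makers might consider. The threats, their ratings and the avoid/mitigate/absorb thresholds are assumptions made for illustration.

```python
from dataclasses import dataclass

# Two of the scales the slides mention: Low-Medium-High labels, or integers 1..N
LMH = {"low": 1, "medium": 2, "high": 3}

def normalize(rating, scale_max):
    """Map a Low/Medium/High label or an integer 1..scale_max onto 1..scale_max."""
    if isinstance(rating, str):
        key = rating.strip().lower()
        if key not in LMH:
            raise ValueError(f"unknown rating label: {rating!r}")
        # Spread the three labels across the numeric range: 1, middle, max
        return {1: 1, 2: (scale_max + 1) // 2, 3: scale_max}[LMH[key]]
    if not isinstance(rating, int) or not 1 <= rating <= scale_max:
        raise ValueError(f"rating {rating!r} outside 1..{scale_max}")
    return rating

@dataclass
class Threat:
    name: str
    probability: object  # label or integer on the chosen scale
    impact: object

def score_threats(threats, scale_max=5):
    """Score = probability x impact; (name, score) pairs, highest first, ties in chart order."""
    scored = [(t.name, normalize(t.probability, scale_max) * normalize(t.impact, scale_max))
              for t in threats]
    return sorted(scored, key=lambda pair: -pair[1])

def suggest_treatment(score, scale_max=5):
    """Constructed rule of thumb (an assumption, not from the slides): top third of the score
    range -> consider avoidance, middle third -> mitigate (insurance included), else absorb."""
    top = scale_max * scale_max
    if score > top * 2 / 3:
        return "avoid"
    if score > top / 3:
        return "mitigate"
    return "absorb"

# Constructed threat chart drawn from the slides' threat sources (sample data only)
CHART = [
    Threat("Single materials supplier fails", 4, 5),
    Threat("Utilities supplier outage", "medium", "high"),
    Threat("Mailroom staffing shortfall", 4, 1),
    Threat("Zoning change restricts site use", "low", "medium"),
]

def ranked_chart(chart=CHART, scale_max=5):
    # Ranked (name, score, suggested treatment) triples for the whole chart
    return [(n, s, suggest_treatment(s, scale_max)) for n, s in score_threats(chart, scale_max)]
```

The suggested treatment is only a starting point for the Corporate Suite review described later; the slides leave the final call to management.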
Threat chart
• Create a chart to list all threats to “business as usual”
• This is best accomplished in groups
• An amanuensis is a must
• A white board that can “write” to memory is useful
Decision makers
• The residents of the Corporate Suite review the recommendations and
– Confirm or change priorities based on business plans
– Determine what measures are to be implemented to deal with each threat
– Decide when to implement the threat avoidance or mitigation measures
• Smart management listens to its Subject Matter Experts (SMEs)
About the practitioner
• More than 13 years’ experience
• Certified by the Business Continuity Institute
• Created complete enterprise, key business unit, and IT-specific plans for Defense, Energy, Financial, Fortune 100, Government, Insurance, International, and Transportation organizations
• Formerly Manager of Business Continuity for a defense industry leader managing 47 sites in 17 states
Enterprise Risk Management
An introduction (Part 2)
John Glenn, MBCI
Enterprise Risk Management practitioner
Hollywood/Fort Lauderdale, Florida
1-954-961-1674 – [email protected] – JohnGlennMBCI.com
Copyright 2010, John Glenn MBCI
Best laid plans of mice & men
• When the “best laid plans of mice and men” still fail to fully protect the organization, there must be a plan to “restore to business as usual”
– Efficiently
– Economically
– Expeditiously
Many mini-plans
• Enterprise Risk Management is at once top down and bottom up
– Top down, since enterprise resources may be utilized to restore to “business as usual”
– Bottom up, since each functional unit needs its own mini-risk management plan
Why mini-plans?
• Each functional unit – profit center or resource – needs its own “mini” plan
• If a threat is isolated to one functional unit, the mini-plan should guide responders to determine if the unit can be recovered before there is impact on other functional units
Recovery “by the numbers”
• Each mini-plan, and the organization’s overall plan, includes procedures to restore critical processes
• Procedures are prepared by functional unit Subject Matter Experts (SMEs)
• Procedures are documented (by SMEs or others)
• Procedures are validated by NON-SMEs to assure completeness and clarity
Practice makes perfect
• Restoration procedures must be practiced
– So responders understand their tasks
– So responders’ confidence is enhanced
– So any plan deficiencies are discovered and eliminated
• There are various exercise levels
– Walk-throughs to “pull the switch”
• Exercises, never “tests”
Who responds?
• Every response task needs at least two responders, a primary and an alternate
– People get sick, go on vacation, change jobs, go to courses away from the work place
• Both primary and alternate must be able to do the task
• Rank is not a consideration in selecting responders
Planning ahead
A few things to consider before an event:
• Press releases, and who will give them
– Different emphasis for different audiences
• Policies and procedures
– Work periods, family considerations, etc.
– Furlough of non-essential personnel
• Relocation options
Training
• Personnel awareness & safety training
– Sights, sounds, smells
• Evacuation & in-place sheltering
• What to do if someone refuses to
– Leave the building (evacuation)
– Stay inside the building (in-place sheltering)
– The lawyers say . . .
Plan maintenance
• When to review the plan
– Depends on organization’s dynamics, but at least annually
– By trigger word changes, the “P” words:
• Personnel
• Place (location)
• Politics (licensing, regulations, zoning)
• Procedure
• Process
• Product
• Providers (vendors)
• Purchasers (clients)
Planner’s role
• An experienced practitioner should be involved in creating the plan and monitoring the program, either
– As in-house staff, to manage the process and mentor functional unit staff contributing to the plan
– As a consultant and mentor to in-house personnel assigned planning tasks
Plan benefits
• Potentially lower costs
– Reduced risk impact through avoidance, mitigation
– More efficient, expeditious recovery
– Adjusted insurance coverage
• PR – “We have a plan, therefore we assure product delivery”
• Enhanced employee loyalty
– Employees know management cares about them
• Possibly enhanced stock and bond ratings