1 / 30

Enterprise Risk Management

Enterprise Risk Management. Introduction (Part 1). John Glenn, MBCI Enterprise Risk Management practitioner Hollywood/Fort Lauderdale Florida 1-954-961-1674 – JohnGlennMBCI@gmail.com http://JohnGlennMBCI.com. Overview. Enterprise Risk Management (ERM) also is known as Business Continuity

oakes
Download Presentation

Enterprise Risk Management

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Enterprise Risk Management Introduction (Part 1) John Glenn, MBCIEnterprise Risk Management practitioner Hollywood/Fort Lauderdale Florida 1-954-961-1674 – JohnGlennMBCI@gmail.com http://JohnGlennMBCI.com

  2. Overview • Enterprise Risk Management (ERM) also is known as • Business Continuity • Continuation Of Operations (COOP) • Enterprise Risk Management is not • Information Technology Disaster Recovery (IT D/R) although IT D/R is an integral part of Enterprise Risk Management

  3. What’s in a name? • Enterprise Risk Management (ERM) defined • Enterprise: The entire organization, working from the profit center(s) out; holistic, all-inclusive • Risk: All risks, both external and internal; no risk is overlooked or considered “out-of-scope” • Management: Control threats through avoidance or mitigation; plan recovery to 'business as usual"

  4. Program or project • Success or failure • ROI or wasted effort and funds • Enterprise Risk Management, to be successful, must be an on-going program; while there is a beginning, there is no end • The program usually consists of projects, each with specific milestones

  5. Who’s in charge? • The ideal candidate to sponsor an Enterprise Risk Management program (best) or project is a very senior manager with fiduciary responsibilities, e.g., CEO, CFO, COO

  6. Who is NOT in charge • Functional unit C*Os and VPs (e.g., VP/MIS, CIO) properly are function focused and lack enterprise fiduciary responsibility; they also may be perceived as working primarily for the good of their unit vs. the good of the overall organization

  7. Crossing silos • Enterprise Risk Management is concerned with threats to “business as usual” from all directions • Enterprise Risk Management focuses on PROCESSES and follows critical processes from initiation to completion

  8. Risk Management Humor Passengers board ABC Airlines Flight 13 Pilot ‘s voice comes over the intercom “Ladies & gentlemen, welcome to ABC Airlines Flight 13 “This is ABC’s first fully automated flight; the only ABC personnel on board are the Flight Attendants “Everything is computer controlled “Nothing can possibly go wrong, go wrong, go . . .

  9. Abbreviated flow diagram • What could possibly go wrong ?

  10. Threats to “business as usual” - 1 • Threats to “business as usual” come from external vendors • Materials suppliers • Utilities supplies • Money suppliers • Transportation providers • “Ubiquitous others”

  11. Threats to “business as usual” - 2 • Threats to “business as usual” come from internal vendors • Facilities • HR/Personnel • Office support (Accounting, Mailroom, etc.) • IT • “Ubiquitous others”

  12. Threats to “business as usual” - 3 • Threats to “business as usual” come from • Government, trade groups, regulators • Customers • Competition • Image (company, product, associations) • Neighbors • Events (holidays) • “Ubiquitous others”

  13. Prioritize threats • Threats are rated by • Probability of occurrence • Impact on organization • You set the scale • Low-Medium-High • 1 to 3, 5, 10 • Avoidance & mitigationcosts are not an issue at this point

  14. Avoid, Mitigate, or Absorb • Threats can be • Avoided: usually the “high cost” option • Mitigated: typically less expensive than avoidance, but with trade-offs • Mitigation includes insurance coverage • Absorption: The organization will accept the loss

  15. Threat chart • Create a chart to list all threats to “business as usual” • This is best accomplished in groups • An amanuensis is a must • A white board that can “write” to memory is useful

  16. Decision makers • The residents of the Corporate Suite review the recommendations and determine • Confirm or change priorities based on business plans • What measures are to be implemented to deal with each threat • When to implement the threat avoidance or mitigation measures • Smart management listens to its Subject Matter Experts (SMEs)

  17. About the practitioner • More than 13 years experience • Certified by the Business Continuity Institute • Created complete enterprise, key business unit, and IT-specific plans for Defense, Energy, Financial, Fortune 100, Government, Insurance, International, and Transportation organizations • Currently Manager of Business Continuity for a defense industry leader managing 47 sites in 17 states

  18. Enterprise Risk Management an introduction (Part 2) John Glenn, MBCIEnterprise Risk Management practitioner Hollywood/Fort Lauderdale Florida 1-954-961-1674 – JohnGlennMBCI@gmail.com http://JohnGlennMBCI.com

  19. Best laid plans of mice & men • When the “best laid plans of mice and men” still fail to fully protect the organization, there must be a plan to “restore to business as usual” • Efficiently • Economically • Expeditiously

  20. Many mini-plans • Enterprise Risk Management is at once top down and bottom up • Top down since enterprise resources may be utilized to restore to “business as usual” • Bottom up since each functional unit needs its own mini-risk management plan

  21. Why mini-plans? • Each functional unit – profit center or resource – needs its own “mini” plan • If a threat is isolated to one functional unit, the mini-plan should guide responders to determine if the unit can be recovered before there is impact on other functional units

  22. Recovery “by the numbers” • Each mini-plan, and the organization’s overall plan, includes procedures to restore critical processes • Procedures are prepared by functional unit Subject Matter Experts (SMEs) • Procedures are documented (by SMEs or others) • Procedures are validated by NON-SMEs to assure completeness and clarity

  23. Practice makes perfect • Restoration procedures must be practiced • So responders understand their tasks • So responders’ confidence is enhanced • So any plan deficiencies are discovered and eliminated • There are various exercise levels • Walk-throughs to “pull the switch” • Exercises, never “tests”

  24. Who responds? • Every response task needs at least two responders, a primary and an alternate • People get sick, go on vacation, change jobs, go to courses away from the work place • Both primary and alternate must be able to do the task • Rank is not a consideration in selecting responders

  25. Planning ahead • A few things to consider before an event • Press releases, and who will give them • Different emphasis for different audiences • Policies and procedures • Work periods, family considerations, etc. • Furlough of non-essential personnel • Relocation options

  26. Training • Personnel awareness & safety training • Sights, sounds, smells • Evacuation & in-place sheltering • What to do if someone refuses to • Leave the building (evacuation) • Stay inside the building (in-place sheltering) • The lawyers say . . .

  27. Plan maintenance • When to review the plan • Depending on organization’s dynamics • By trigger word changes, “P” words • Personnel • Place (location) • Politics (licensing, regulations, zoning) • Procedure • Process • Product • Providers (vendors) • Purchasers (clients)

  28. Planner’s role • An experienced practitioner should be involved in creating the plan and monitoring the program either • As in-house staff, to manage the process and mentor functional unit staff contributing to the plan • As a consultant and mentor to in-house personnel assigned planning tasks

  29. Plan benefits • Potentially lower costs • Reduced risk impact through avoidance, mitigation • More efficient, expeditious recovery • Adjusted insurance coverage • PR – “We have a plan, therefore we assure product delivery” • Enhanced employee loyalty • Employees know management cares about them • Possibly enhanced stock and bond ratings

  30. About the practitioner • More than 13 years experience • Certified by the Business Continuity Institute • Created complete enterprise, key business unit, and IT-specific plans for Defense, Energy, Financial, Fortune 100, Government, Insurance, International, and Transportation organizations • Currently Manager of Business Continuity for a defense industry leader managing 47 sites in 17 states

More Related