May 17, 2012

Increased Risk Management Implementation into Corporate Culture Now Claims to Fuel Better Performance

Jonathan Blackmore, Ernst & Young advisory risk partner for Europe, the Middle East, India and Africa, said in a recently released E&Y report: “… many executives have no idea what the return on their risk investment is … if they say that their return is neutral, I tell them that I don’t think that’s good enough.”

That comment pretty much matches the inputs and comments that our staff receives whenever investment in risk prevention or even risk mitigation implementation strategies is proposed.  And, with minimal basic or empirical research done in this area, most risk management consultants or in-house risk team leaders still face a challenge in convincing upper management that investments in disaster preparedness activities should be properly and adequately funded in any fiscal year budget.

That effort may now have received a boost of support, judging from the results claimed in a new report — “Turning Risks into Results: How Leading Companies Use Risk Management to Fuel Better Performance” — recently announced by Ernst & Young.

The study found that the companies that ranked in the top 20% for investments in risk-focused personnel, processes and technology generated nearly three times the earnings before interest, taxes, depreciation and amortization (EBITDA) as the companies ranked in the bottom 20%.

Using a global survey (based on 576 interviews with companies and a review of more than 2,750 analyst and company reports), the report assessed the maturity level of risk management practices and then determined a positive relationship between risk management maturity and financial performance.  The report also claims to have identified the leading risk management practices that differentiated the various maturity levels and organized them into specific risk components.  Given those claims and assumptions, the findings of the report go on to suggest that:

  1. The top-performing companies (from a risk maturity perspective) implemented on average twice as many of the key risk capabilities as those in the lowest-performing group.
  2. Companies in the top 20% of risk maturity generated three times the level of EBITDA as those in the bottom 20%.
  3. Financial performance is highly correlated with the level of integration and coordination across the risk, control and compliance functions embedded in the culture of the organization and its management teams.
  4. Effectively harnessing technology to support risk management is the greatest weakness, or opportunity, for most organizations.

Also according to the report, “… to turn risk into results, the companies in the top 20%, for example, talk about risk with external stakeholders. They perform stress tests to validate how much risk is tolerable. They put in place standardized assessment and reporting tools and incorporate risk issues into business planning. And they monitor risk and manage it with the help of technology.”

Good risk management goes beyond keeping the business out of trouble and protecting the brand, according to the E&Y report. It includes embedding risk management into performance management and optimizing risk management functions.

Click here to read the full E&Y report, and pass this information along to those business continuity, risk or crisis management and disaster preparedness team members in your organization.

For those smaller private sector companies, perhaps, introducing this content to their PS-Prep strategy planning teams would be a good idea as well.

Please let us know your thoughts and comments regarding this newly released report.

Photo courtesy of risk_measurement.presentermedia.com

E-Discovery — A Recent Court Decision to Adopt Default Standards is Made by the District of Delaware

Photo courtesy of blog.advanceddiscovery.com

Judging from several comments received, it appears that many of our readers are taking a “sidelines” approach, simply watching the e-discovery dynamic develop on its own while it remains only a potential risk mitigation issue for them, either as individuals or as associates of the organizations for which they work.

While there is nothing wrong with that approach, it behooves them to stay informed in order to stay current and “safe”.  To that point, our staff has made e-discovery a part of its “watch list” of internet content search efforts, so that as relevant material issues are reported, our staff may share that information with our readers on a timely basis.

Such is the case in a recent posting by the Morgan, Lewis & Bockius LLP group announcing that the District of Delaware has adopted a set of default standards for E-Discovery.

Time will tell whether this decision by the District of Delaware will reinforce an apparent recent trend on the part of the federal courts to lower the costs associated with e-discovery by offering guidelines designed to streamline the e-discovery process.

Click here to read the full comments of the Morgan, Lewis & Bockius LLP group.

Click here to also read the Default Standard referenced in this reported event.

If applicable, please pass this information along to those associates in your organization who are responsible for e-discovery related risk management.

Perhaps business continuity planning, crisis management or PS-Prep strategy planning team members may also have a long-term interest in these developments and would want to add this content to their resource reference libraries.

Business Continuity Management + Supply Chain Management = Supply Chain Continuity Management

Jan Husdal is an often referenced writer on the topic of supply chain risk management — and our staff values his comments and ideas on this critical component of global business continuity.

In addition, our staff receives many queries on the topic of supply chain management, and, several have requested a recommendation of a good book to address this topic.

With those two thoughts in mind, our staff would like to quote a recent statement by Husdal regarding a book he had just reviewed on the topic.  Husdal states: “… as far as I can see, this is the first book that explains in detail why and how business continuity thinking should be part of supply chain management. It successfully marries Business Continuity Management with Supply Chain Management, thus creating Supply Chain Continuity Management.”

The book referenced above is titled “A Supply Chain Management Guide to Business Continuity” by Betty A. Kildow, and in that book, Kildow illustrates how a well-functioning supply chain is the key to a well-functioning business.

We welcome our readers’ suggestions for other supply chain management related book titles that they have read and would like to pass on to others.

If applicable, please pass this information along to those risk management, disaster preparedness and supply chain continuity management team members in your organization.

Click here to read Husdal’s full review of this book.

Business Continuity Awareness Week 2012 — Reminder — March 19-23


Photo courtesy of blog.clearrisk.com

Business Continuity Awareness Week (“BCAW”) 2012 is fast approaching, and with this year’s BCAW 2012 theme being time, we should all be aware of the fact that time is not usually on your side in a crisis — therefore our staff recommends participation in BCAW 2012 for all business continuity planners.

First a few general reminders:

  1. The Business Continuity Awareness Week (BCAW) is the global educational event for people to learn more about Business Continuity Management (BCM).
  2. BCAW is facilitated by the Business Continuity Institute (BCI), the prestigious international membership body for BCM — approaching 7,000 members in some 100 countries.
  3. In a crisis, people are making decisions under pressure, options are reduced and media scrutiny may be at its greatest.  Indeed, how well or badly a crisis is managed may have greater consequences for the organization than the original incident.  Whether a small business or a major multi-national, the challenges are the same; it’s just that some have further to fall!

Our staff supports the premise of BCAW 2012, i.e. “… dealing effectively with an incident on any scale requires Business Continuity Management (BCM) – a set of practices and capabilities, which have been crafted into a tried and tested framework to help you identify and manage the consequences of disruption to your organization regardless of cause.”

BCAW 2012 will provide the opportunity for disaster preparedness and risk management teams to:

  1. engage with business continuity professionals from around the world,
  2. learn about the importance of dealing effectively with incidents on varying scales, and,
  3. develop methodologies and strategies on how to make an organization more resilient.

Some of the highlights of BCAW 2012 will include:

  (a) New research: The BCI and its partners will be publishing new research and papers throughout the week.
  (b) BC24: the groundbreaking, multi-role, online incident simulation game to test your organization’s crisis management skills, and informally benchmark against organizations across the world.
  (c) New webcasts: A multiple free offering of webcast presentations which will run throughout the week.
  (d) BCAW 2012 Forum: a LinkedIn Forum for newcomers to ask questions of the BC community and for more experienced practitioners to debate the hot topics in the industry.
  (e) In-house Awareness Opportunities: an opportunity for existing BCM practitioners who are looking to run awareness raising activities within their own organizations.

If you are interested in participating, sponsoring or just being an active listener to these valuable opportunities, or if you have any questions about BCAW 2012, CLICK HERE.

If applicable, please pass this information along to those business continuity or crisis management planning groups in your organization, and, to those PS-Prep strategy planning teams in private sector companies.

Threats for 2012 Global Business Continuity — New Survey Results Released

Photo courtesy of gpnetnow.com

Business continuity and risk management planning groups would benefit from reviewing the results of a new survey report recently released by the Business Continuity Institute and given the title “Horizon Scan 2012”.

In this report, four hundred and fifty-eight (458) organizations — reporting from the U.K., USA, Australia, Canada and South Africa during the period of 5-20 December, 2011 — indicated that business continuity practitioners are applying business continuity management to a wider range of threat categories than those with which the BC discipline is more traditionally associated.  Perhaps equally important, the report raises the question of the extent to which individual organizations can deal with these challenges by themselves.

A short list of the threats identified by survey participants in this report would include: unplanned IT/Telecom outage(s), adverse weather, cyber-attack, acts of terrorism, utility interruption(s), availability of workforce(s), new laws and/or regulations, social/civil unrest, major customer/supplier disruption(s), or the availability/cost of credit/finance.

Of particular importance and/or interest is the section dealing with the evaluation of threats as perceived by the primary activities of operational groups within an organization.  For example, the top three threats as seen by the information and communications group are stated as: (1) unplanned IT/Telecom outage, (2) data breach and (3) cyber-attack, while the top three threats as seen by the manufacturing group are: (1) supply chain disruption, (2) unplanned IT/Telecom outage, and (3) product safety incident.

Our staff recommends that this report be added to the reading resource libraries of those disaster preparedness, crisis management and/or risk management planning teams in your enterprise level organizations.  And, if you are a private sector smaller company, please share this information with your PS-Prep strategy planning groups.

Click here to read more, and to download and view the full report.

Again, we thank the Business Continuity Institute for making this resource available to all BC/DR planning teams.

Risk Management and Crisis Response Traits

In a recent article written by Kevin M. Quinley, entitled “Avoid These Seven Traits that Will Sink Your Risk Management Program!”, the topic of organizational crisis management in the context of product liability is addressed through an interesting adaptation of consultant Jim Lukaszewski’s presentation identifying seven behaviors that spell trouble when it comes to how an organization will act when faced with an unexpected crisis or disruptive event.

Quinley’s article should focus our readers’ attention on several typical reactions by organizations when faced with a disruptive event — like a product liability claim or lawsuit.  Learning from this information could be an important first step for an organization toward building a strong corporate risk management and mitigation plan against these potential threats.

A quick summary of those typical reactions, as described by both Lukaszewski and Quinley, is:

  1. Denial
  2. Victim Confusion
  3. “Testosterosis”
  4. Arrogance
  5. Scapegoating
  6. Media-Phobia
  7. Whining Parties

Click here to read Quinley’s full article.

If applicable, please pass this information along to those risk management team members in your organization.  And, in some cases for smaller companies in the private sector, PS-Prep strategy and business continuity planning groups could add this content to their library of available reference materials as well.

Black Swans in the Boardroom

Photo courtesy of ashfordbirder.blogspot.com

Judging from recent comments and inputs from our readers, many business continuity planning teams fully realize that the risk landscape facing their organizations is changing, and, while they and their upper management teams can see that a new risk landscape is emerging, it remains difficult to define what is behind those changes or how their risk management strategies should respond to them.

Trying to keep this awareness out of a negative light, Armoghan Mohammed and Richard Sykes (both part of the PricewaterhouseCoopers International Limited group) have written and recently released a report entitled “Black Swans Turn Grey: The Transformation of Risk”.

Our staff agrees with Mohammed and Sykes’s belief that through a better understanding and management of risk strategy, organizations will be more resilient and better positioned to pursue their corporate objectives.

First, a little background on the concept of risk and a “black swan event”.  In 2007, Nassim Nicholas Taleb wrote “The Black Swan: The Impact of the Highly Improbable”, and the term “black swan” was quickly adopted and became one of the three (3) major types of risk now recognized by risk management methodologies – the other two are “known risks” and “emerging risks”.

Mohammed and Sykes argue and suggest that recent experience indicates that events fitting the description of “black swans” are happening more and more frequently – therefore they ask the question, “Are black swans actually turning grey?”

They explore this approach and tie it, as well, to a real need to map out the new risk landscape, align it with the requirement for board members to better understand this reality, and integrate that reality into management leadership, so that organizations develop a risk-aware culture with an explicit focus on the organization’s risk appetite and then align that risk appetite with the organization’s marketing and growth objectives.  In other words, the board has the responsibility — building on an enterprise risk management methodology – to: (1) fuse strategy more closely with risk, (2) articulate a more explicit and holistic risk appetite and (3) promote and support more active collaboration within their organizations to build stronger resilience levels across total business management systems.

Click here to read Mohammed and Sykes’ full whitepaper.

If applicable, please pass this information along to those risk management and business continuity planning teams in your organization, and, where needed, introduce these thoughts to PS-Prep strategy planning teams, as well.

Risk Awareness Concerns and Organizational Risk Management System Potential Integration(s)

Photo courtesy of meship.com

By: Lisa DuBrock, CPA, CBCP, MBCI

Recently, in an article written by Subrata Guha entitled “New ISO IEC 20000-1: Alignment with ISO 27001”, Guha makes the point that “… since ISO 20000-1 and ISO 27001 are so closely linked, there is a strong argument that these two standards should be implemented as a single management system – and, that the new release of ISO 20000-1 makes this process easier than ever before.”

I contend that the melding of those two standards is certainly an excellent idea — especially since some well-defined areas such as incident management, change management, and security management link up so well. And I believe that many companies have done just that, whether they implement the standards together or individually and then knit the individual management systems and overlapping control structures together.

What I’d like to propose today is — depending on your own corporate and organizational culture — to consider a coupling of two other standards that have a natural affinity to work together.  Those standards are ISO/IEC 27001:2005 Information Security Management System and ASIS SPC.1 Organizational Resilience: Security, Preparedness and Continuity Management System.

Both the ISO 27001 and the ASIS SPC.1 standards build their foundation on the concept that management identifies, adopts, implements, monitors, updates and, most importantly, manages their related management system(s) based on that particular organization’s appetite for risk – i.e. Risk Appetite.

As with any organization’s business management system (BMS), the process of implementing that BMS to a standard (i.e. ISO 27001 or ASIS SPC.1) begins with and is based on the scope that the organization sets for its BMS.

In this instance, both ISO 27001 and ASIS SPC.1 adhere to the management system requirements of: Management Commitment (including resourcing, training and awareness, and approval of the system), Internal Audit, Management Review and Continual Improvement.

Both of these standards also require a statement of applicability (SOA).  However, they differ in how the SOA is defined.  In SPC.1 the SOA documents the strategic weighting of security management, preparedness, emergency management, disaster management, crisis management and business continuity management.  In ISO 27001 the SOA is a documented statement describing the control objectives and controls that are relevant and applicable to the organization’s ISMS.

What really differs between these standards, however, is the context of the risk process.  For ISO 27001, the context is based on the information assets identified within the scope of the management system.  Within SPC.1, the Organizational Resilience Management System is based on legal and other requirements, information about significant hazards and threats, and protection of all critical assets (physical, intangible, environmental and human), not just information assets.

By having an organization implement both the ISO 27001 and ASIS SPC.1 standards simultaneously, it would almost be a certainty that a stronger and clearer understanding of risk, and of what is needed for that organization’s mitigation of those risks (i.e. to be more secure), would be achieved.

Whether or not you agree with this opinion, please share your comments and inputs regarding this potential integrated approach.

PRIVATE SECTOR UPDATE — DHS Presents State of America’s Homeland Security

Photo courtesy of DHS

PS-Prep strategy planning groups, along with all business continuity and risk management team members in organizations of all sizes, should be interested in listening to Janet Napolitano, Secretary of the Department of Homeland Security (DHS), as she delivers the second annual State of America’s Homeland Security address on Monday, January 30, 2012 at 1:00 PM EST.

Increasing our nation’s security and resilience remains a goal achieved through strong connections between DHS and our nation’s private sector.

Click here to watch Janet Napolitano’s presentation LIVE on Monday, January 30, 2012 at 1:00 PM EST.

Business Continuity and Emergency Management Plan Testing — Need Help Pitching the Need?

Photo courtesy of blog.abn.org.au

Many of the readers of this website belong to emergency management and business continuity planning teams.  And, hopefully, those disaster preparedness focused teams are testing their emergency, continuity and disaster recovery plans regularly.

But if not, or if those risk management centered groups are looking for some useful information to assist in the testing of those BC/DR plans, then an article written by Jim Satterfield is a valuable resource to turn to when you need content and reasons to convince your fellow BC/DR team members – or even upper management — that funding and support are justified to test your plans.

As Satterfield says, “Everyone has a role in a crisis. Some are strategic, some are tactical. How decisions are made in a crisis is critical to the outcome. Because of this, the following holds true:

  1. Practicing emergency response helps assure that the response can proceed predictably during a crisis or disaster;
  2. Participation in exercises familiarizes everyone with the vulnerabilities, impacts, plans, mitigation strategies, incident management and crisis communications;
  3. Testing allows problems or weaknesses to be identified and used to stimulate necessary and appropriate changes; and
  4. Errors committed and experience gained during testing will provide valuable insights and lessons learned that can be factored into the planning/updating process.”

The full posting by Satterfield is in two parts, so be sure to read the entire posting, and, if applicable, pass this info on to those associates in your organization or even those disaster recovery and first responder teams in your community’s Emergency and Crisis Management Response areas.  And if your organization is in the private sector, please get this info to in-house team members of the PS-Prep strategy planning leaders.

Click here to read Part 1 and Click here to read Part 2 of Satterfield’s postings.