A Risk Management Approach to Business Continuity

Aligning Business Continuity and Corporate Governance

Julia Graham, David Kaye

  1. 402 pages
  2. English

About This Book

Julia Graham and David Kaye, two globally recognized risk management experts with experience in 50 countries, were among the first to recognize the interrelationship of Risk Management and Business Continuity and demonstrate how to integrate them with Corporate Governance enterprise-wide. They focus on all the factors that must be considered when developing a comprehensive Business Continuity Plan, especially for multi-location or multinational companies. Endorsed by The Business Continuity Institute, Institute for Risk Management, and Disaster Recovery Institute International, the book includes:
• Chapter objectives, summaries and bibliographies; charts, sample forms, checklists throughout.
• Plentiful case studies, in boxed text, sourced globally in the UK, US, Europe, Australia, Asia, etc.
• Boxed inserts summarizing key concepts.
• Glossary of 150 risk management and business continuity terms.
• Wide range of challenges, including supply chain disruptions, media and brand attack, product contamination and product recall, bomb threats, chemical and biological threats, etc.
• Instructions for designing/executing team exercises with role playing to rehearse scenarios.
• Guidance on how to develop a business continuity plan, including a Business Impact Analysis.
Downloadable Instructor Materials are available for college and professional development use, including PowerPoint slides and syllabus for 12-week course with lecture outlines/notes, quizzes, reading assignments, discussion topics, projects.
"Provides clear guidance, supported with a wide range of memorable and highly relevant case studies, for any risk or business continuity manager to successfully meet the challenges of today and the future." --Steven Mellish, Chairman, The Business Continuity Institute

Information

Year: 2015
ISBN: 9781931332880
Edition: 1

1

A Risk-Based Approach To Business Continuity

Objectives of This Chapter

• Track the development of risk management from its roots of origin to modern practice
• Provide risk related definitions
• Develop the link between risk management and business continuity management as part of a risk management framework
• Introduce the theme of risk management and business continuity management as part of good governance and business management

Risk - a Moving Target

Ten years ago, if you had picked up this book, because of the reference to risk in the title, you probably would have been a finance director, internal auditor or treasurer. This statement should not come as a surprise to the reader. In the early 1990s Board-level interest in risk management and internal controls was largely focussed on financial and treasury issues, and although there were some organisations that took a wide-angle view of risk and controls beyond finance, even in these cases, attention was generally focussed on hazard-related or insurable risk. With broad insurance coverage at highly competitive prices freely available a decade ago, there were very few reasons for “insurable risk” to be brought out of daily financial management to the attention of the Board.
Many risk commentators mark the terrible events of September 11, 2001 as the date this all changed, but the roots of modern risk management are much older and were already deeply embedded in the management of many organisations long before that fateful day in 2001.
Man has striven to understand risk for centuries. Whether affected by storm, fire or flood, man focussed on the fear of potential events and the negative impact these might have on his property and his plans.
Attributed to the result of Fate or acts of God, risk was rarely projected, and only when records were kept did an opportunity present itself to interrogate these records and to offer predictions of the future. Peter Bernstein argues “the revolutionary idea that defines the boundary between modern times and the past is a mastery of risk: the notion that the future is more than a whim of the gods and that men and women are not passive before nature... until human beings discovered a way across that boundary the future was a mirror of the past.” (1). Bernstein’s book tells the story of a group of thinkers whose remarkable vision revealed how to put the future at the service of the present. By showing the world how to understand risk, measure it, and weigh its consequences, they converted risk-taking into one of the prime catalysts that drives modern Western society. Bernstein continues, “The essence of risk management lies in maximizing the areas where we have some control over the outcome while minimizing the areas where we have absolutely no control over the outcome and the linkage between effect and cause is hidden from us.”
Whether one holds the view that the seeds of risk management were sown in the coffee shops of Liverpool and London and the early pooling of marine risks, or that the foundations were built by individuals such as Gustav Hamilton (1974) who created a “risk management circle,” or the governments and authorities of the 1980s and 1990s such as Standards Australia, it has only been in the last few years that risk management has come of age and finally been accepted as an integral part of good management practice.
This book is not, however, a trip through the history of risk management and business continuity management. It is intended to invite those who have a responsibility for leading or practicing the management of risk to join us on a journey to unravel the relationship between these issues, and to provide practical support to managers and to risk and business continuity practitioners.

Risk Managing Today

In the mid 1990s, when organisations were facing pressures on profit ratios and finance directors were seeking the means to reduce expenses and ways to transfer the more speculative risks, the insurance industry was in turmoil with premium costs spiralling and risk appetite reducing. Coupled with a dilution in insurer credit ratings, the spotlight turned on what had largely been a soft insurance buyer/supplier relationship; boardrooms everywhere sat up and took interest.
One outcome of this attention was a diversion of some larger organisations away from risk transfer and insurance towards risk retention through higher levels of self-insurance. Why transfer risk to insurers which might have credit ratings less worthy than your own? Why subject your organisation to the volatility of the insurance market when the Board wanted smooth and predictable business results in an already volatile world? To give the Board peace of mind at a cost-effective price meant following these circumstances through, and an increase in demand emerged for greater emphasis on risk management practices, with an expectation of information arising from these practices to satisfy peace of mind. As a byproduct of this scenario two things emerged:
• Organisations started to gain a desire to investigate how they might manage all risks across their business, coupled with a growing division in management priorities and approach between managing the more predictable and quantifiable risk and the unforeseeable and more intangible risk.
• Business continuity management, for so long a subject of response rather than resilience and typically lodged within the domain of the Information Technology or Facilities department, started to attract wider interest as a potential key control and alternative mechanism for risk mitigation other than transfer of risk by insurance.
This situation presented and continues to present new challenges for the insurance industry. While the insurers are still collecting the bulk of premiums for non-catastrophic loss, they face a call for the harder to price one-off catastrophic event solution, coupled with a desire from the customer for solutions that move away from pure asset protection to the protection of intellectual and reputation value. These are typically much more difficult to identify, quantify and manage by the nature of their intangibility. Away from actuarial principles and with weaker balance sheets of their own in an attempt to satisfy their customers, insurers have on occasion struggled and financially suffered as they have striven to meet this demand.
For over a decade corporate governance and risk management have been entwined and, to many, synonymous with good management and control. From slender governance tendrils such as Cadbury and Turnbull in the United Kingdom have grown powerful risk management frameworks comprising broadly standardised risk policies, practices and associated organisational risk governing bodies such as the Risk Committee and Audit Committee directly empowered by the Board. Consequently there is a risk red-line running through much of what we now see arising from a huge variety of rules and guidance-setting governance, legislative and regulatory bodies and in response a plethora of solutions from consultants, professional service firms and educational institutions.
The risk-based internal control system has become an increasingly significant regulatory object, notably with the passing of the Sarbanes-Oxley Act in the USA (2). Regulatory incentives exist to have good controls in all types of “infrastructure” or “operational” risk including health care, safety, environmental issues, and business continuity management. But caution ... control systems cannot alone provide consumer or Board level comfort.
There is nothing wrong with introducing relevant risk-related controls into the everyday business environment. However in an increasingly complex and uncertain world, full of unplanned failures, scandals and disasters, organisations must invest time and effort thinking the unthinkable, considering domino effects and complex interdependencies, and a world where the principles of risk management and control are fine when the world is organised, but are suddenly very difficult to grasp and apply when it is not. Whilst we may be comfortable to accept that the controls environment has been re-engineered and re-packaged as risk management, and serves to extend the reach of risk management into every operational aspect of organisational life, a tendency to the tick-box approach with an inward looking focus of the controls system, however re-packaged, is not a replacement for effective risk management.
Today, in a fast-moving, changing, technology-driven, often insecure and unpredictable world, risk managers can have a tendency to try and organise what cannot often be organised because individuals, corporations and governments have little choice but to try to do so. The risk management of everything holds out a promise to do so even in situations when ordinarily this would be impossible. Whilst governments and regulators are increasingly forcing this position to be adopted, beware the organisation that wraps its approach to risk management around creating a position defendable to the Board which emphasises as a priority the achievement of sound processes at the expense of intellectual consideration and content.
Risks are not always compliant: “Risk is like a tarpaulin flapping in a gale. As soon as one corner is secure another is up and flapping..” (3). Therefore, while risk management and risk control are related, they are not mutually exclusive and risk control should form part of a comprehensive or enterprise-wide risk management framework - more on which will be addressed later in this chapter.
Risk management may now also be put forward as a mechanism for organisational value management. In the public sector, in the absence of competition, risk management and risk metrics are providing a new focus for outcomes and performance, while in the private sector and especially in financial services, risk is increasingly used as a link between operational performance and capital requirements. Given the range and stretch of risk perhaps risk management has caught on as a discipline ahead of its ability to deliver. The absence of good definitional risk language, risk management professional capability and, most importantly, definition and measures of effectiveness has encouraged a scientific approach to a subject sometimes more suited to the arts. Is this a risk in itself?
Whatever your view, there is a clear need to raise the risk practitioner game. Risk management should be practiced as part of regular strategic and operational processes. One route available to organisations is to improve integration of risk within the business and to bring risk management practitioners, whatever their discipline and risk-related interest, out of their back offices and into the business as a cohesive, professional team to better share and develop risk management capability across the risk silos that still generally exist.
There are opportunities for risk management principles which work in one risk discipline to add value in another and for risk management practices generally to add value to a business as a whole.

Risk Management Is a Balancing Act

Risk is the sugar and salt of life - too much or too little of either is unhealthy. And just as a good diet is achieved through a balance between the intake of sugar and salt, risk management is about getting the balance right between taking risk and avoiding it.
Too often the emphasis in risk management is placed on the negative or downside of risk and getting rid of it, and too infrequently on the opportunity or upside that good risk management can deliver. Risk management, and as part of this, risk control, can act as a mechanism for improvement, and differentiate an organisation from its counterparts and peers leading to real value added and competitive advantage.
More than half of Europe’s top 100 companies now have a dedicated risk manager (4). As risk management continues to mature as a profession, many companies choose to focus on actively managing their risk rather than primarily concentrating on insurance buying and administration.
A variety of surveys, cast across risk managers in the United Kingdom, Europe and globally, noted that differences in risk management practice remain across the world. Although levels of government intervention in such areas as corporate governance will continue to influence the degree of difference, we can expect these differences to erode and greater consistency to emerge. The annual Centre for the Study of Financial Innovation Banana Skins Report (5), while focussing on the world of banking, includes risks that should feature on all risk agendas, including the spectre of the rising tide of governance and regulation and the risks associated with this. These risks feature in the survey for the first time, and are the mos...
