Issue Archive: May/June 2009
Special Report: Risk & Continuity - How They Relate and Integrate
Author: Continuity Insights Staff
To explore the relationship between risk and business continuity, Continuity Insights spoke with Jim Mitchell, director of professional services at eBRP, and Kevin Hall, president of Global AlertLink. Hall and Mitchell provided their perspectives on a variety of issues including implementing a risk management program, how risk relates to BCP, identifying and quantifying risk, integration, how tools can help organizations manage and mitigate risk, and more.
What is the relationship between business continuity and risk management?
Jim Mitchell: Effective business continuity management (BCM) should be risk-based. The primary focus of BCM is the prevention of and response to disruptive incidents. Risk management helps quantify the likelihood of particular risks, but also helps determine which critical business assets (facilities, people, processes, technology, and supply chain components) are most vulnerable. Those factors help a BCM program create objectives to address certain risks. There are many risks that can be mitigated (prevented, diminished or transferred) by non-BCM means, but in every organization there are ‘residual risks’ that cannot be effectively or economically mitigated; those are the risks on which BCM ought to be focused.
Kevin Hall: It depends on whether you are looking at the issue in the traditional sense or with an eye toward the future. Traditionally, these have been silos within companies, often never interacting or collaborating. Today, and into the future, these worlds will converge. We are seeing more and more clients move in this direction. After all, is there really a difference? It should be a full lifecycle of thought, from risk analysis through continuity of operations. And, even though you didn’t ask, shouldn’t DR (disaster recovery) be involved here somewhere too? We are so connected to technology in every business process that it has become one of the top risks within a company.
At what level in an organization should a risk management program be implemented?
JM: There is no right or wrong answer to where the risk management program should lie—the only wrong approach is the failure to address enterprise risks at all. In some industries and organizations risk management may be most appropriate at C-level staff, in others it may logically reside inside a particular department—finance or compliance, for example. Regardless of where it lies in the organization, what’s important is that risk management is seen as an important source of reliable decision-support information.
KH: It should be implemented throughout the organization. With a renewed focus on risk, such as the Standard & Poor's ratings, risk is not just a departmental issue. It is a culture. It becomes part of the way in which business is operated. Understanding risk throughout the organization and managing risk is an entire enterprise thing. Remember, if you have no risk, you are not growing. Every business needs a level of risk, and your management needs to determine what that level is as well as where the comfort zone is. The only way to truly do this is to understand your organization’s real risks.
How long should it take to implement a risk management program?
JM: There are many variables that can impact the implementation of a risk management program (just as there may be many perspectives regarding what constitutes a complete program). When implementation of a risk management program is seen as a project, no one looks for results until the ribbon-cutting ceremony. When thought of as an incremental process, results can be surfaced at every step along the way. Building a risk assessment program should be more like an archeological dig, than a manufacturing process. A systematic approach to risk analysis can yield discoveries that can be addressed long before the complete ‘program’ is implemented. Rather than a focus on the timeline of implementation, there is much greater value in focusing on results.
KH: A true risk management program has no end. It is a program, which means it is continual. Moving from a single process to a perpetual process is a small example of the way individuals need to change their thinking. The program should be created with standards but should evolve as the company evolves. If you are doing the same things five years from now and your company has changed entirely, you should revisit your program.
How should risk management and business continuity programs integrate?
JM: BCM should be an intrinsic part of a successful risk management program. Disaster recovery and business continuity planning are ‘insurance’ that an organization can survive potential risks that it cannot otherwise mitigate.
KH: First, in mindset. These groups should not think in their specific silos. I would encourage the two groups to do cross training or work with each other on a daily basis to truly understand what the other group does on a regular basis. By interacting, you will find that many goals and objectives are very similar and complementary. I would also recommend that you look at technology to help this integration. Our solution was built with this integration as the focus. Bringing those worlds together within an enterprise that have traditionally been on their own is exactly what Global AlertLink facilitates.
How does your tool help to identify risks?
JM: Toolkit uses a risk assessment methodology based on the nine-step NIST-800-30 qualitative risk assessment standard. Toolkit utilizes that process to enable analysis of risks to several classes of assets: locations (facilities), people (teams), processes (business functions) and technology components (hardware, databases, and networks).
KH: Most everyone is familiar with impact analysis. Obviously, that is a critical element in any program. Global AlertLink offers the most advanced business impact analysis tools on the market. Understanding dependencies among resources, people and processes is a critical first step. Our solution goes well beyond probable risks, by identifying true risks. What risks have impacted our organization over the last year? How much time and money have we lost due to these interruptions? With Global AlertLink, we have groups around the globe managing both small events as well as large incidents. By doing so, not only do we provide the teams with the resources they need to resolve the issues, but we also build a wealth of knowledge regarding true risks that are impacting our organization. This allows you to focus on the real risks that are already making impact to your organization rather than the ones that may impact your company. The combination provides complete coverage for your organization.
How does your tool help to quantify risks?
JM: Toolkit’s risk assessment enables the assessment of individual assets (a facility, a process, etc.).
KH: Global AlertLink allows you to quantify risks in a number of ways. From interacting, surveying, and polling your global team to tracking and quantifying risks that have occurred and are occurring, Global AlertLink allows you to understand not only the probable risks but also the real risks. With our solution, you are able to track the impact of real events, both cost and time. Our state-of-the-art visual modeling makes it easy to understand dependencies and see risks without them getting lost in the mass of reports.
Who is your audience?
JM: Risk assessment is fully integrated into our core product—Toolkit. While our primary buying audience is generally BC and DR planners and managers, our customers tell us that once in place, Toolkit often gets used for its operational value—by risk managers, records managers, IT operations and other non-BCM functions.
KH: It depends on the company. Some organizations have moved closer to the convergence era, while others still see silos. Our preference is enterprise risk management or business continuity, but every company offers a different focus area. Sometimes it is IT…sometimes it is CFO. Finding your way through to the right person is quite a process. Our goal is to find individuals who understand the holistic approach and value a solution that can help their organization be on the leading edge of the convergence concept.
Does your tool address all types of risk (e.g. financial, operational, facility, etc.)? How?
JM: Yes. Because of its flexibility, Toolkit’s risk assessment tools can be used to analyze any type of threat—financial, reputational, regulatory, operational, etc. Because Toolkit includes separate risk assessments for locations, processes, teams and technology components, it can be used to address any type of risk.
KH: Yes. We’ve architected the solution to be flexible to help address all types of risks. We do not push a pre-defined process down to the organization. Each organization and each group within the organization do things a bit differently. This flexibility is why our solution is able to be quickly adapted to the entire enterprise. Even though each group can create and maintain their own procedures, Global AlertLink allows you to link them together for truly holistic responses.
Is your tool in sync with standard risk management practices (such as Standard & Poor's or RIMS)? And does it use standard terminology?
JM: Toolkit’s inherent flexibility lets the user organization impose risk terminology of their choosing; threats, vulnerabilities, likelihoods, impacts and mitigation are all completely customizable by the user organization (with no programming skills or knowledge required).
KH: Yes. This is another way in which Global AlertLink clients benefit from our flexible technology. It is easily able to adapt to changes in standards and areas of focus… even within the same enterprise.
How do you define enterprise risk management, and is that what your tool seeks to provide?
JM: Enterprise risk management is a process for identifying the threats an organization faces, and its vulnerabilities to those threats, and determining the most appropriate means of treating those vulnerabilities, or mitigating those threats. While eBRP Toolkit seeks to provide organizations with tools to help meet those needs, we are cognizant that there may be certain types of operational risks that our asset-based tools cannot help identify. We believe Toolkit can be a valuable asset to a successful risk management program, but not the only asset.
KH: We define enterprise risk management as the process of defining and understanding an organization’s risks and ensuring the organization maximizes opportunity potential, while minimizing risk impact.
Understanding and Mitigating Risk with eBRP
There are inherent risks in day-to-day operations—single points of failure that may not be obvious, but which an asset-based risk analysis can uncover. Understanding the dependencies and interdependencies of locations, business functions, supply chain and technology systems can identify risks that may never have been acknowledged otherwise:
- Company A had a Level 3 business process that was performed in a single location. They determined that several Level 1 business processes depended on the output of that Level 3 process. Splitting the Level 2 process across two geographically diverse locations, they were able to mitigate the potential impact of an outage at that original location.
- Company B found a small team of experts were the sole knowledge base for a critical operation. By documenting the day-to-day operational processes the team performed in their Business Continuity Plan, the team was able to assure that the critical operation could continue to be performed—even if they were somehow disabled.
- Company C (with decentralized data centers) found that four critical IT applications relied on another single, low-rated system. By increasing the availability of the underlying system they were able to reduce the vulnerability of each of the critical applications, at a reasonable cost.
- Company D determined that a supplier was the sole source of a critical customer-facing service, and that the supplier had no BCM program. By helping the supplier develop their own Business Continuity Plan and by sourcing the service concurrently from a second supplier, they lowered the risk to their customers and their reputation.
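The asset-based dependency analysis this sidebar describes, as an added example that is not eBRP's code: a short Python walk over a constructed asset graph that flags non-redundant assets on which Level 1 work depends, mirroring the Company A and Company C cases. Asset names, the 1-to-3 rating scale and the redundancy flag are assumptions made for the illustration.

```python
"""Asset-dependency analysis that surfaces single points of failure.
Added illustration, not eBRP's own code. Assets carry a criticality level
(1 = most critical) and a has_redundancy flag; DEPENDS_ON reads 'X depends on Y'."""
from collections import defaultdict, deque
# Constructed sample mirroring the Company A and Company C patterns above.
ASSETS = {  # asset -> (level, has_redundancy)
    "order_entry": (1, True), "billing": (1, True), "claims": (1, True),
    "app_a": (1, True), "app_b": (1, True), "app_c": (1, True), "app_d": (1, True),
    "pricing_feed": (3, False),  # Company A: lone Level 3 process feeding Level 1 work
    "ldap_dir": (3, False),      # Company C: low-rated system under four critical apps
    "reporting": (3, True), "archive": (3, False),  # nothing critical depends on archive
}
DEPENDS_ON = {
    "order_entry": ["pricing_feed", "app_a"], "billing": ["pricing_feed", "app_b"],
    "claims": ["app_c", "app_d"], "reporting": ["archive"],
    "app_a": ["ldap_dir"], "app_b": ["ldap_dir"], "app_c": ["ldap_dir"], "app_d": ["ldap_dir"],
}
def reverse_edges(depends_on):
    """Turn 'X depends on Y' into 'Y is used by X'."""
    used_by = defaultdict(set)
    for asset, deps in depends_on.items():
        for dep in deps:
            used_by[dep].add(asset)
    return used_by
def critical_dependents(asset, used_by, assets, critical_level=1):
    """Walk up the graph breadth-first; collect dependents rated at or above critical_level."""
    seen, queue, found = {asset}, deque([asset]), set()
    while queue:
        for parent in used_by.get(queue.popleft(), ()):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
                if assets[parent][0] <= critical_level:
                    found.add(parent)
    return found
def single_points_of_failure(assets, depends_on):
    """Non-redundant assets that critical work relies on, with the gap between
    the asset's own rating and the best rating among its dependents."""
    used_by = reverse_edges(depends_on)
    report = {}
    for name, (level, redundant) in assets.items():
        deps = set() if redundant else critical_dependents(name, used_by, assets)
        if deps:
            report[name] = {"dependents": sorted(deps),
                            "rating_gap": level - min(assets[d][0] for d in deps)}
    return report
def mitigate(assets, name):
    """Model the fix applied in the cases above: give the asset a redundant alternative."""
    return {**assets, name: (assets[name][0], True)}
```

A positive rating_gap is the Company C signal: the asset is rated less critical than the work that transitively depends on it.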
For more information, visit www.ebrp.net.
Integration, Holistic Incident Management and Planning from Global AlertLink
Global AlertLink is the first and only truly integrated solution on the market. By integrating planning tools, incident management, emergency notification and risk management in one application, Global AlertLink saves time and money, providing a single solution for all of your needs. And when we say integrated, we mean truly integrated. There is no need to buy separate modules. Global AlertLink comes fully equipped with all areas covered.
Created through 30 years of consulting experience in some of the highest profile events around the globe, Global AlertLink is built for real-world situations. Our solution integrates groups within an enterprise to provide a complete solution for all areas, including business continuity, crisis management, security, disaster recovery, information technology, enterprise risk management, issues management, and much more. One solution standardizes plans and response as well as brings groups together before and during an event.
Our industry leading visual modeling tools allow you to visualize your enterprise and all the many risks that exist within. Build models through teamwork, surveys or integration with other applications. From the model, ensure your enterprise is covered with a sophisticated plan, well beyond the static document plans.
Global AlertLink offers easy-to-use collaboration, online meetings and information sharing. Teams are able to share ideas, collaborate on risk, prepare plans and truly manage incidents holistically. With Global AlertLink, each team may be responsible for the upkeep of information and plans. Yet, you can link them together and share information making management easier than ever before.
For more information, visit www.globalalertlink.com.