From BCP To Continuity Risk Management
Mon, 06/27/2011 - 1:39pm
David Nolan, President & CEO, Fusion Risk Management, Inc.

One challenge for business continuity professionals is to bring together multiple areas of risk management into a cohesive and meaningful program, and make it impactful and relevant to the executives. It needs to be done well, quickly, and with everyone’s buy-in — without spending a lot of money.


Impossible? Maybe. A business need nonetheless? Absolutely.

As executives become more aware of “risk management”, we increasingly witness the stark disconnect between the executive decision-making process and the multitude of risk management activities across the enterprise.

Here is what we find:

  • Fragmentation: Each type of risk management, such as Financial Risk Management (Currency, Interest Rates, Commodities), Business Continuity, Disaster Recovery, EH&S, Insurance Risk Management, Compliance, Audit, etc., operates under some level of executive mandate, with the best of intentions to protect and enable the enterprise.
  • Lack of precision and detail: Disparate activities, overlapping initiatives, inconsistent judgment, stove-piped reporting structures and widely differing definitions of “risk” create a mixed metaphor that leads to less effective decision-making.
  • Unmanaged Risk: “We’ll get to that later.” How can a company survive if the business response fails? Can IT recover the business, or does the business need to complete the process? Could a supplier failure cause you to shut down? Weak links can cripple a company.
  • Waste: Companies are spending money and “doing things”, but too often they are the wrong things, to the exclusion of more important things. Spending money and resources to perfect something that works is a waste if another critical link in the chain is weakened or ignored as a result.
  • Flawed Reporting: Information rolled up from disparate sources takes an inordinate amount of resources and rarely delivers the message effectively.

Though the concept of Enterprise Risk Management has become a part of the executive dialogue, the challenge remains to establish a comprehensive yet manageable approach that enables executive decision-making. The argument for ERM is compelling when you consider that vulnerabilities and threats are endless, but the funds to address them are not. With an enterprise view of risk, an organization theoretically can invest where they can protect and mitigate the most serious risks. Ultimately risk management means accepting some level of ongoing risk that is managed within the risk tolerance limits set by the organization.

A firm should first be focused on making sure that all significant operational, financial, and regulatory risks are identified, measured and prioritized. Does your organization measure the potential operational and financial impacts that may result from a disruption to not only your IT operations, but also headquarters offices, call centers, factories, distribution centers, and suppliers?

There are many tools to mitigate risk. Risk management can provide insurance coverage. Facilities can provide fire suppression, and backup power. IT has a highly evolved suite of options to protect the datacenter and the data. Procurement can manage vendors more closely and diversify the sourcing of materials. Business operations can distribute resources to ensure continuity, albeit at reduced capacity, in the event of a disruption to the business process. Continuity planners can write contingency plans. All cost money.

Risk management is the essential coordination and balancing of all of these activities with cost. Besides the fact that these activities are too often overstated and rarely coordinated, there is too much focus on what is being done, and not enough on what risks remain. There is always risk.

Not unlike hiring an architect to design a house before breaking ground, it is essential to develop a risk management framework before expending resources and committing money to mitigate risks. How sure are you that you are working on the most important things? Is there something you are missing? Can you compare disparate risks through one lens? As you mitigate risks and/or as things change, do new priorities rise to the top? Only with a comprehensive framework can you manage lesser risks while you mitigate more pressing ones.

In boxing parlance, it’s the punch you don’t see coming that hurts the most! What are the risks you haven’t identified and which ones have you misunderstood or underestimated? Are you focusing on familiar and obvious things to the exclusion of obscure, yet critically important things?

How do we know what is critical?

Within our organization, we have developed a “top-down” approach that enables an organization to quickly identify “hot spots” where significant risks may lurk. Generally, risks are created circumstantially as a by-product of other business decisions. Consolidation and optimization can drive efficiencies, but they concentrate exposures and reduce capacity that could be useful for continuity of operations. Every well-intentioned business decision has an offsetting consequence (a.k.a. risk). Finding hot spots can be simplified, and precision enhanced, by coming top down and looking for where you have consolidated, where you have “optimized”, where you are most “efficient”, and where you are dependent on a single or sole source, resource, or asset.
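The top-down search for hot spots described above amounts to a single-point-of-failure analysis over the organization’s dependency map: for every product, list the suppliers, sites and assets it relies on, and flag any resource that is the only option in its category for one or more products, weighting each by the revenue that would stop if it failed. The following Python is an added illustration, not Fusion Risk Management’s method or tooling; the product, supplier and plant names, revenue figures and the 30% tolerance threshold are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample dependency map (not from the article). Each product lists
# the resources it depends on, grouped by dependency category, plus its annual
# revenue in millions. A category with a single option is a sole-source dependency.
PRODUCTS = {
    "Widget A": {"revenue": 40.0, "deps": {"resin": ["Supplier-1"],
                                            "assembly_site": ["Plant-East"]}},
    "Widget B": {"revenue": 25.0, "deps": {"resin": ["Supplier-1", "Supplier-2"],
                                            "assembly_site": ["Plant-East"]}},
    "Gadget C": {"revenue": 60.0, "deps": {"chips": ["Supplier-3"],
                                            "assembly_site": ["Plant-East"]}},
    "Gadget D": {"revenue": 10.0, "deps": {"chips": ["Supplier-3", "Supplier-4"],
                                            "assembly_site": ["Plant-West"]}},
}


def find_hot_spots(products):
    """Map each resource to the products for which it is sole source and the
    revenue that would be interrupted if that single resource failed."""
    exposure = defaultdict(lambda: {"sole_source_products": [], "revenue_at_risk": 0.0})
    for name, info in products.items():
        for category, options in info["deps"].items():
            if len(options) == 1:  # no alternative in this category: a hot spot
                resource = options[0]
                exposure[resource]["sole_source_products"].append(name)
                exposure[resource]["revenue_at_risk"] += info["revenue"]
    return dict(exposure)


def rank_hot_spots(products):
    """Order hot spots by revenue at risk so the largest concentration surfaces first."""
    spots = find_hot_spots(products)
    return sorted(spots.items(), key=lambda kv: kv[1]["revenue_at_risk"], reverse=True)


def flag_over_tolerance(products, tolerance_fraction):
    """Return the resources whose share of total revenue exceeds the organization's
    stated tolerance (a hypothetical threshold chosen by management, not a standard)."""
    total_revenue = sum(info["revenue"] for info in products.values())
    return [resource for resource, data in rank_hot_spots(products)
            if data["revenue_at_risk"] / total_revenue > tolerance_fraction]


if __name__ == "__main__":
    for resource, data in rank_hot_spots(PRODUCTS):
        print(f"{resource:12s} revenue at risk {data['revenue_at_risk']:6.1f}M "
              f"sole source for {data['sole_source_products']}")
    print("Over 30% tolerance:", flag_over_tolerance(PRODUCTS, 0.30))
```

On this data the consolidated assembly site, not any one supplier, is the largest exposure: three of four products have no alternative site, so a single outage there interrupts most of the revenue, which is exactly the kind of concentration that an efficiency-driven consolidation creates without anyone recording it as a risk.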

While most organizations would like to think they make prudent decisions, considerate of risk, few are wired to do so. Does your organization incentivize managers to optimize profits? Of course it does! Do those incentives consider the risks created by their actions? Sometimes! How much more risk would you take on for another $1,000,000 in profit? We’ve seen companies take actions to save $100,000 that create risks that could bring down the firm.

From this seemingly simple change in perspective, we have seen “eye opening” experiences result: an enterprise finding that a small, sole source supplier is essential to multiple products and could cause hundreds of millions in direct losses; a major division discovering that it achieved its company-leading margins by consolidating operations and putting all its eggs in one basket; or an organization learning that the business response to an IT outage was more important than the IT response, yet no plans were in place. There are so many more anecdotal stories like this that it has become clear that taking a fresh look at addressing these challenges is well worth the effort.

The marketplace is evolving quickly and risk managers from all facets of the business have begun to collaborate. We know they’re on the right track when they have implemented a comprehensive framework to organize their program and they are as conversant in the risks they are living with as they are with the actions they are taking. Information must flow from top to bottom, and back up again. It must flow across the organization out to and including suppliers, service providers and public services. When it does, then we will know that the organization has crossed the chasm from Business Continuity Planning to Continuity Risk Management.
