2. Context
• The meaning of “risk” has expanded in definition
and understanding – well beyond financial
instruments and safeguards
• Greater numbers of risk assessment tools
• Broader multi-disciplinary application
• Renewed interest and opportunity in examining
“risk” as applied to continuity planning
• Implications for continuity practitioners
3. Types of Risk
• Hazard
  • Natural hazards, accidents, fire, other insurable hazards
• Financial
  • Interest and exchange rate volatility, loan defaults, asset-liability mismatch
• Operational
  • Systems, processes, people – succession planning, HR, IT, control and regulatory systems
• Strategic
  • Inability to adjust to environmental changes, e.g. geo-political, market, competitor, customer, etc.
4. Risk Management & BCM
Risk Management
• “RM is the process which aims to help organizations
understand, evaluate and take action on all their risks
with a view to increasing the probability of their success
and reducing the likelihood of failure” (IRM)
Business Continuity Management
• “Business Continuity Management is a holistic
management process that identifies potential impacts
that threaten an organization and provides a framework
for building resilience and the capability for an effective
response that safeguards the interests of its key
stakeholders, reputation, brand and value creating
activities” (BCI)
5. Risk Management & BCM
| Item | RM | BCM |
|---|---|---|
| Key Method | Risk Analysis | Business Impact Analysis |
| Key Parameters | Impact and Probability | Impact and Time |
| Incident Type | All types – though usually segmented | Events causing significant damage to critical functions/capabilities |
| Size of Events | All (costs) – though usually segmented | Strategy planning – incidents threatening survival |
BCI “Good Practice Guidelines” (2007)
7. Managing Risk
• Process Dimension (Technical)
  • Systems, structures, strategies and tools
  • Application of sound processes and rational logic
  • Results reinvested through a learning cycle
• People Dimension (Human)
  • Belief and value systems
  • Knowledge, skill and competency
  • Success dependent on the human element
8. Risk is Evolving
| From | To |
|---|---|
| Risk as individual hazards | Risk in context of business strategy |
| Risk identification and assessment | Risk portfolio development |
| All risks | Critical risks |
| Risk mitigation | Risk optimization |
| Risk limits | Risk strategy |
| Risks with no owners | Defined risk responsibilities |
| Risk quantification | Risk monitoring and measurement |
| Risk is not my responsibility | Risk is everyone’s responsibility |
13. Risk Management Trends
• Growing numbers of “emergent” or “wicked” problems
• Greater need for comprehensive BCM and EM governance
models – tools – processes and adaptive strategies
• Greater need for awareness, understanding and acceptance of
ERM, RM and BCM risk mitigation/ management strategies
• RM profile continues to gain prominence in business and
government, e.g. ERM, but challenging with limited resources
14. Implications for Practitioners
Risk - Context
• Complex and multi-faceted
• Multi-disciplinary in understanding and application
• Integrally tied to innovation and resilience
• Rarely falls neatly into functional areas
• Emerging risks = emerging opportunities
• Management of risk is not technically difficult
• Embedding an RM culture is far more challenging
15. Implications for Practitioners
Risk - Practice
• Risk management as normal business strategy
• Holistic, inter-functional planning
• Clear, realistic and generalizable RM plans
• Understand the risk tolerance/ profile – build for resilience,
not just recovery
• Risk measures anchored to routine governance and
business processes
• Leverage current communication tools
• Consider blending RM with BIA
• Gradually increase testing complexity
• Embrace risk audits
• Build awareness, training and certification
• Accept that all RM plans are dynamic
16. Risk Management Exercise
Room Discussion
Your CEO believes that true enterprise resiliency is
achievable. Discuss.
Small Group Discussion
Your CEO wants to incorporate a very robust risk
management tool into either the BIA or the
Strategy component of the company BCP. You
develop one. Discuss.
17. References
• BCI, “Risk and Business Continuity Management”
• Canadian Centre for Management Development, “A
Foundation for Developing Risk Management Learning
Strategies in the Public Service”
• Ernst & Young, “BCM – Current Trends”
• IMA, “ERM: Frameworks, Elements and Integration”
• IRM, “A Risk Management Standard”
• IRM, “A Structured Approach to Enterprise Risk Management”
• IRM, “Risk Appetite and Tolerance: Guidance Paper”
• IRM, “Emergent Risks”
• ISO 31010, “Risk Management-Risk Assessment Techniques”
• Klein, Luc, “Is Business Continuity Management a Misnomer?”
18. References
• KPMG, “Enterprise Risk Management”
• Lenhart, Carol, “Exploring the Interrelationship between
Risk Management and Business Continuity: An Interview
with David Kaye”
• PricewaterhouseCoopers, “Exploring Emerging Risks”
• PRMIA.org, “Future of Risk Management and
Compliance: Global Trends and Perspectives”
• The Conference Board, “Bouncing Back: How Companies
Approach Resilience”
• UNESCO, “Risk Management Training Handbook”
19. Recommended Reading
• Bestoutcome, “Risk and Issue Management Workshop”
• Deloitte, “ERM Management Survey Report – 2012”
• Gartner, “BCM: Key Performance Indicator – Key Risk
Indicator Mapping”
• Hubbard, Douglas, “The Failure of Risk Management”
• IRM, “Risk Culture Under the Microscope”
• PRMIA, “Future of Risk Management and Compliance:
Global Trends and Perspectives”