Building business continuity through risk management
Presented by Kimberley Hart
Monday 10th October 2016
APM North West branch and Risk SIG conference
Alderley Park, Macclesfield
1. Building business continuity through risk management
The resilience myth?
Kimberley Hart
Risk and Resilience Lead, Internal Audit and Risk Management
Corporate Services
2. Session Objectives
• To consider the impact of risk perception on the achievement of objectives
• To explore the relationship between effective risk management, project management and organisational resilience
3. My current role
• Risk and Resilience Lead
• Directorate for Children & Families support and thematic lead for building resilience
• Chair of the Manchester Business Continuity Forum
4. Responsibilities
• Incident Management: co-ordinating response in a Council-wide incident, communication, triage, prioritising service recovery council-wide
• Risk Management: assisting services through support and challenge in developing practical mitigation of their risks enabling them to deliver their objectives
• Business Continuity Planning: production and testing of corporate and service business continuity plans for critical Council services
• Advice and Assistance Programme: information and support to businesses & voluntary organisations
• Consultancy work: a charged service for the provision of advice on risk and business continuity management
5. Let’s play a game…
Perception of reality
7. Your perception is your reality!
“Reality is merely an illusion, albeit a very persistent one.”
Albert Einstein
8. Perception of risk….
• Risk can be defined as the element of uncertainty which affects decision making and planned outcomes.
• Risk factors may be either positive opportunities or negative threats.
• Essentially, they are the factors that help or hinder the achievement of our objectives.
9. The Rumsfeld Effect
“There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don’t know we don’t know….”
10. What is business continuity?
‘The strategic and tactical capability of the organisation to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable predefined level’
11. Business continuity planning process…
ISO 22301
• Identify and manage current and future threats to your business
• Take a proactive approach to reduce the impact of incidents
• Keep critical functions up and running during times of crisis
• Minimise downtime during incidents and improve recovery time
• Demonstrate resilience to customers, suppliers and other stakeholders
12. BC planning as ‘First Aid’ for the business?
• Protects reputation
• Protects people and services
• Prevents incident deterioration
• Maintains the most essential/time critical services
• Promotes efficient service recovery
• No panic – reduces stress
13. What is resilience?
Resilient adj. the ability (of an organisation) to recover quickly from any incident that prevents it from delivering its services
14. What are the risks affecting business continuity?
15. National Risk Register of Civil Emergencies
An assessment of the likelihood and potential impact of a range of different risks that may directly affect the UK.
It is designed to:
• Increase awareness of the kinds of risks the UK faces
• Encourage individuals and organisations to think about their own preparedness.
The register also includes details of what the Government and emergency services are doing to prepare for emergencies.
16. What kind of risks would you expect to see on the National Risk Register?
17. Highest Priority Risks
• Risk of terrorist and other malicious attacks
• Pandemic Influenza
• Coastal flooding
• Widespread electricity failure
• Major transport accidents
• Major industrial accidents
• Disruptive industrial action
• Severe weather
18. Risk Management in action
• Do you create a risk register for your projects or programmes?
• Do you maintain and review a risk register? How often?
• Who is involved in the production of project/programme risk registers?
• How are risks identified?
• Are the risks specific to the project or do they take into account the broader context?
• How are risks reported and escalated?
19. A world in which all projects succeed?
• Understanding uncertainty and risk in order to make informed decisions is at the heart of the management of planned change through project-based working.
• Once understood, risks can be taken in pursuit of value with eyes open. Other risks can be avoided or contingency plans put in place, or existing plans can be reviewed and revised.
20. Manchester Business Continuity Forum (MBCF)
• Aims to reduce the economic and social impact of emergencies and speed up the subsequent recovery through partnership working.
• Offers a forum through which businesses, voluntary sector and emergency responders can co-ordinate and integrate emergency preparedness arrangements.
• Sharing good practice information to promote effective business continuity and emergency planning.
• Will share information about incidents where possible.
www.manchester.gov.uk/businesscontinuity
21. Session Objectives
• To consider the impact of risk perception on the achievement of objectives
• To explore the relationship between effective risk management, project management and organisational resilience
23. This presentation was delivered at an APM event
To find out more about upcoming events please visit our website www.apm.org.uk/events
Editor's Notes
Strategic and operational leadership in implementing effective risk and business continuity management
I speak fluent French
I am a Girl Guide Leader
I am a keen scuba diver
Take a minute to scan your surroundings. Are you in a familiar place or somewhere new? Stop and just look around you for a moment. Pick out an object, maybe something you hadn’t noticed before, and focus your attention on it. If you really focus, it might get brighter and more “real” than it was when it was just an unnoticed piece of the background noise of this session.
Now, try to view your surroundings from the point of the object. Some people can do this with no effort, and for others, it takes some concentration. Depending on how adept you are at focusing your concentration, you may notice a slight shift in your perception – a weird jump in reality, where you are suddenly viewing the world from a different perspective.
Did it work? Whether you noticed anything or not, your perception did change, albeit for an instant. It’s important to be conscious of your perception, because if you’re not, someone else will create it for you.
Things aren’t always what they seem. Marketers and magicians rely on this fact to make you see things the way they want you to see them. Artists do too.
Risk Management is a simple, common sense process; it is an intuitive skill used by everyone in their day to day lives and one of the main ways in which people keep themselves safe and make sensible and appropriate decisions.
Scenario 1: Identify risks that the cyclist faces in cycling to work, write down all the threats and opportunities (2 min)
Scenario 2: Identify risks that a commuter faces catching a train to work, write down all the threats and opportunities (2 min)
Which is the most risky???
Threats:
Death
Head Injury
Injury
Reputation
Financial
Damage to the bike
Sunburn/frost bite
Opportunities:
Exercise
Sunlight
Reputation
Financial
Role model
Environment
Scenario 2: Identify risks that a commuter faces catching a train to work, write down all the threats and opportunities
Risks:
Being late/unreliable
Cramped
No exercise
Financial
Opportunities:
Environment
Less stressful than driving
Social
The infamous quote from the then US Defense Secretary, Donald Rumsfeld, in 2002, referring to Saddam Hussein’s rumoured weapons of mass destruction. This has inspired researchers at City University London and demonstrates important implications for measuring the reliability of people’s self awareness of their knowledge.
Business Continuity is often described as ‘just common sense’. It is about taking responsibility for your business and enabling it to stay on course whatever storms it is forced to weather. It is about “keeping calm and carrying on”!
BC is about building and improving resilience in your business. It is about identifying your key products and services and the most urgent activities that underpin them. Once that ‘analysis’ is complete, it is about devising plans and strategies that will enable you to continue your business operations and to recover quickly and effectively from any type of disruption, whatever its size or cause. It gives you a solid framework to lean on in times of crisis and provides stability and security. In fact, embedding BC into your business is proven to bring business benefits.
Business Continuity (BC) is defined as the capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident. (Source: ISO 22301:2012)
Business Continuity Management (BCM) is defined as a holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities. (Source: ISO 22301:2012)
At the heart of good BC practice, sits the BCM Lifecycle.
The BCM Lifecycle shows the stages of activity that an organization moves through and repeats with the overall aim of improving organizational resilience. These stages are referred to as the Professional Practices and are made up of Management and Technical Practices.
Business continuity is about understanding and managing risks to the everyday running of an organisation. It helps you to prepare for an emergency or disruptions by planning different ways of working so that you can continue to deliver your key functions.
For example, if your premises were affected by a fire or flood, how would you carry on your core business?
Understanding how you can get your organisation up and running quickly after an incident means that you are much more likely to continue providing employment, meet customer need and ultimately, survive the incident.
The ability to respond and recover quickly from an unexpected incident is a measure of 'resilience' and is an important aspect of building safer and stronger communities. In other words, we need to make sure that the City can cope with incidents and can return to 'business as usual' as quickly as possible.
What are the benefits of planning to respond to incidents?
Does business continuity create ‘false’ assurance that risks are being managed?
Experience shows that developing a Business Continuity Plan can help to reduce the impact and costs of an emergency. It means your organisation is much more likely to continue trading / delivering services if an incident or emergency were to happen.
Having a plan in place can also help to reduce your insurance premiums, so it may be worth checking with your provider...
Although major emergencies are thankfully rare, smaller scale disruptive incidents affect us much more frequently and highlight the need for us to be prepared.
By their very nature and definition, emergency incidents tend to disorientate and overwhelm those involved. Those who have been involved in such events highlight how much easier and more organised the whole experience would be if response strategies have been ‘rehearsed’ previously with tried and tested plans to use.
If you know who will take on key roles, have checklists, contact lists and procedures in place, a tested framework for communications and some practised skills to draw on, then your response to a crisis will be more assured and better than the most intelligent improvisation.
Writing a plan is fairly easy; the hard bit is the planning process itself and getting the right people involved.
Risk of having a lovely BCP/BCM framework on paper – but what if it’s not tested? What if people don’t buy into it? Tick box exercise to meet demands of regulators/legislation?
What if resilience is compromised by organisation change? E.g. WAR and property rationalisation, H&SC integration, impact of PSR and Devo Manc?
What do you think??? (dependent on time)
Cyber, partnership risk, corp security? Loss of building, staff, ICT, systems? Usually say that it doesn’t matter about the type of risk, it’s the impact of risk that matters, however strong case for the management of specific risks
Is anyone aware we have one? Has anyone ever read it? What about GM community risk register?
Projects/programmes usually affect organisational change – does anybody consider how org change might impact on resilience/BC?
What happens when controls fail?
What happens when we don’t invest in risk and resilience?