ARiMI – Asia Risk Management Institute
By MARC RONEZ
Chief Risk Strategist & Master Coach
Asia Risk Management Institute
NOTES
BCM vs ERM
The Business Case for Integrating Business Continuity & Enterprise Risk Management
Business Continuity Management
Award 2013, 24 January 2013
Agenda for this Session
Explore and discuss the ‘business case’ for integrating Business Continuity Management (BCM) & Enterprise Risk Management (ERM).
• Conflicts & Competition between ERM & BCM functions
• Comparing the ERM & BCM Frameworks, Process & Practices
• Convergence of the ERM & BCM agendas
• Understanding the life-cycle from Risk Issues to Business Disruptions & Crises
• Strengthening Value Creation & Sustainability by Integrating BCM & ERM
BCM vs ERM – Marc Ronez - Copyright @ ARiMI 2013 2
Risks & Crises.. BCM or ERM issues?
[Images: Terrorism, Diseases, Earthquake, Pollution, Bank run, Subprime, Explosion, NGO Attack, Lawsuits]
Conflicts between ERM & BCM
BCM vs ERM
SEPARATE, often COMPETING Functions in Organizations
OVERLAPPING area of Responsibilities
Different OBJECTIVES, Focus & METHODOLOGICAL Approaches
Different Origins for ERM & BCM
BCM: IT departments, with the IT Disaster Recovery program
≠
ERM: Insurance Buying / Hazard Risk Mgt
Both ERM & BCM have seen Tremendous SCOPE expansion and methodological development
Expanding the scope of ERM
[Figure: scope increase. Labels: Financial & Hazard; Operational; Strategic; Finance Losses; Protect & Sustain Operations; Create Value with effective Risk-taking & Management]
➜ From Value PROTECTION to Value CREATION, expanding to all risk domains
Expanding the scope of BCM
ERM: Manage Risks & Opportunities Effectively to Ensure Achievement of Corporate Objectives
BCM - Business Continuity Management
[Figure labels: RISK MANAGEMENT; IT DISASTER RECOVERY; FACILITIES MANAGEMENT; SUPPLY CHAIN MANAGEMENT; QUALITY MANAGEMENT; HEALTH & SAFETY; KNOWLEDGE MANAGEMENT; EMERGENCY MANAGEMENT; SECURITY; CRISIS COMMUNICATIONS & PR]
➜ From RECOVERY to CONTINUITY and from IT Processes to ALL Operations & Business processes
BCM… MAINTAIN KEY Business Operations during challenging times
CATALYST for the ERM & BCM ‘Explosion’!
A continuous and constant stream of crises and corporate failures over the past 10-15 years has created a strong momentum for Risk, Crisis & Business management concepts.
[Images: 9/11, Fukushima]
The ERM & BCM Explosion!
Failures in managing risks effectively have triggered, all over the world, efforts by:
• regulators,
• rating agencies,
• stock exchanges,
• institutional investors
• and corporate governance oversight bodies
… to insist that company senior management take greater responsibility for proactively managing risks and critical disruption on an enterprise-wide scale.
ERM & BCM Best Practices & Standards
BCM Standards
• ISO 22301:2012 - Societal security – Business continuity management systems (International)
• BS 25999:2007 - Business Continuity Management (BSI/UK): 1 Code of Practice & 2 Specification
• SS540:2008 - BCM Framework & Technical Reference (Singapore)
• NFPA1600 - Standard on Disaster/Emergency Management and Business Continuity Programs (ANSI/US)
ERM Standards
• ISO 31000:2009 - Risk Management Guideline (International)
• COSO:2004 - Integrated ERM Framework (US)
• AS/NZS 4360:2004 - Risk Management Standard (Australia/NZ)
• HM Treasury’s Orange Book:2004 – Management of Risk (UK)
• Rating Agencies Frameworks (S&P, Moody's)
ERM vs BCM Area of Focus & Objectives
[Figure: spectrum from LOSS (-) to GAIN (+). Labels: Target Performance; Expected Potential Losses; Expected Potential Opportunities; Unexpected Catastrophic Losses; Transformational Blue swans; Catastrophic Losses; Black swans; Unexpected Opportunities]
Risk can lead to either negative or positive impact depending on how it is managed.
ERM vs BCM Area of Focus & Objectives
[Figure: spectrum from LOSS (-) to GAIN (+). Labels: Target Performance; Expected Potential Losses; Expected Potential Opportunities; Unexpected Catastrophic Losses; Transformational Blue swans; Catastrophic Losses; Black swans; Unexpected Opportunities]
ERM – Create Shared Sustainable Value
BCM – Ensure Business Continuity & Societal Security
BCM perspective: How to Define Business Continuity?
• Business Continuity is defined in British Standard for BCM (BS 25999:2006) as:
“.. The capability of an organization to plan for and respond to business interruptions in order to continue business operations at an acceptable pre-defined level”.
How to understand this definition?
Components of BS 25999 Definition of Business Continuity
Key components in the definition:
① CAPABILITY to PLAN & RESPOND
➜ Planning & building readiness is essential
② To BUSINESS INTERRUPTION Events
➜ Focus on severe to critical threats
③ To MAINTAIN KEY Business Operations
➜ Focus on key processes and resources
What is Business Continuity Management then?
• British Standard for BCM (BS 25999:2006) defines it as:
A “holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.”
BCM – Business Continuity Management Process...
1 – BCM Program Management
2 – UNDERSTAND THE ORGANIZATION
3 – DETERMINING BCM STRATEGIES
4 – DEVELOP & IMPLEMENT BCM RESPONSE
5 – EXERCISE, MAINTAIN & REVIEW
Delivering better RESULTS
BCM process – Underlying Focus
1 – Key Activities & FUNCTIONS
2 – Business IMPACT Analysis
3 – SCREEN based on CRITICALITY (Not critical? The Trash Bin)
4 – Identify & Assess THREATS
5 – Design & Implement BCM Response
6 – EXERCISING, Maintenance & Audit
ERM Perspective: How to Define RISK?
• Risk is defined in ISO 31000:2009 as:
“.. the effect of uncertainty on objectives”.
How to analyse this definition?
Components of ISO 31000 Definition of Risk
Key components in the definition:
① OBJECTIVES
➜ Something important you want to achieve
② UNCERTAINTY EFFECTS
➜ Threats, Opportunities & Volatility. Can be the result of our actions and other internal/external factors
③ EXPOSURE to Uncertainty
➜ (Your objectives and the processes and resources that support them)
ISO 31000 Guide - Risk Management Process
1 – Communication & Consultation
2 – Establish the Context
3 – Risk Assessment
3.1 Risk Identification
3.2 Risk Analysis
3.3 Risk Evaluation
4 – Risk Treatment
5 – Monitoring & Review
Managers can optimize the tradeoff between Risk and Return by identifying, assessing and assigning ownership, taking actions to mitigate or anticipate risks, and monitoring & reviewing progress, consistently and systematically, while ensuring the timely communication of risk-related information across the enterprise in a transparent manner.
ISO 31000 – GUIDE for Managing Risk
Principles
1) creates value.
2) is an integral part of organizational processes.
3) is part of decision making.
4) explicitly addresses uncertainty.
5) is systematic, structured and timely.
6) is based on the best available information.
7) is tailored.
8) takes human and cultural factors into account.
9) is transparent and inclusive.
10) is dynamic, iterative and responsive to change.
11) facilitates continual improvement and enhancement of the organization.
Framework
1 – Mandate & Commitment
2 – Design of framework for managing
• Understanding organization
• Risk Management policy
• Integration into organization
• Accountability
• Resources
• Establish Internal/External Context
3 – Implementing Risk Management
• Implementing the Framework
• Implementing the Risk Management Process
4 – Monitoring & Review of the Framework
5 – Continual improvement of the framework
Process
1 – Communication & Consultation
2 – Establish the Context
3 – Risk Assessment
3.1 Risk Identification
3.2 Risk Analysis
3.3 Risk Evaluation
4 – Risk Treatment
5 – Monitoring & Review
ERM is the System, Methodology & processes used by organizations to take risk in a controlled manner so that the business is viable for a longer term (SUSTAINABILITY) while meeting the expectations of the stakeholders by CREATING SHARED VALUE in line with Corporate OBJECTIVES.
ERM process – Underlying Focus
1 – Corporate OBJECTIVES & Risk APPETITE
3 – SCREEN based on LIKELIHOOD × IMPACT (Low Priority: The Trash Bin)
4 – Identify & Assess THREATS Based on Likelihood & Impact
8 – Design & Implement ERM Controls
9 – Review & MONITORING (KRIs)
In SUMMARY: Comparing BCM and ERM

Primary Focus
  BCM: Key Functions (Processes & resources)
  ERM: Key Corporate Objectives & Risk Appetite
Protected Areas
  BCM: Balance sheet & reputation
  ERM: P&L, Cash flows & Market Capitalization
Operational Objectives
  BCM: Ensure Crisis & Business Continuity preparedness (Exercising, testing)
  ERM: Risk awareness & cost of risk control. Continuous process improvement, effective risk decision-making
Time Horizon of Assessment
  BCM: Medium to long-term
  ERM: Short to Medium
Critical Dimension of Risk focus
  BCM: The Business IMPACT
  ERM: The LIKELIHOOD
Type of Loss Exposure under watch
  BCM: Severe to Catastrophic (High Impact) with medium to low frequency business interruptions
  ERM: Expected Losses: High to medium frequency loss events with medium to severe impact
Strategic Objectives
  BCM: Ensure Continuity of Critical Operations
  ERM: Ensure Achievement of Corporate Objectives
Negative consequences of the lack of integration between ERM & BCM activities
Unhealthy Competition for Management Attention & Resources
Double work & Uncoordinated/independent efforts to deal with the same risk issues
Resulting in waste and inefficiencies (increased expenses, both programs are expensive & wrong focus)
Increasing risk of critical failure to manage risk and ensure business sustainability
BCM is a NATURAL part of an ERM framework..
You could see Business Continuity Management (BCM) as… part of the management RESPONSE to an important risk issue… taking its place during the Treatment phase alongside risk Prevention & Transfer.
Life-cycle from a Risk issue to a Crisis – 4 phases
[Figure: Pressure over Time across four phases: Potential, Emerging, Current, Recovering. Labels: Signal; Issues; Incident OR Signal; CRISIS; Media Coverage & amplification]
Example: BP oil spill, Gulf of Mexico 2010
The catastrophe resulted in a loss of:
– Direct Cost to BP: Over $20 billion
– Market capitalization loss, i.e. cost to shareholders: $87 billion
• BP explosion and oil spill could have been prevented with additional spending of $7 - $12 million on safety controls
From Risk issue to Crisis: BP Gulf of Mexico 2010
[Figure: Pressure over Time across four phases: Potential, Emerging, Current, Recovering; "Opportunity to influence" early, "Difficult to influence" later. Labels: Signal; Issues; Maintenance equipment; Reports; Problems; Incident OR Signal; Explosion; Emergency evacuation & protection; CRISIS; Media Coverage & amplification; Media onslaught; Stop the leak & cleaning; Enormous cost & damage to reputation; Drop from news]
Impact on BP share price / market capitalization
[Chart labels: Gulf of Mexico Disaster; MTBE Contamination lawsuits; $243 Billions; $90 Billions]
Enormous Shareholder Value Loss
Life-cycle from a Risk issue to a Crisis
[Figure: Pressure over Time across four phases: Potential, Emerging, Current, Recovering. Labels: Signal; Issues; Incident OR Signal; CRISIS]
Opportunity to influence: Time for ACTION
Difficult to influence: REACTION, Too Late!
Road Map to Managing Risk & Crisis: The steps
Road Map to Managing Risk, Crisis & Change
[Figure: Pressure over Time across four phases: Potential, Emerging, Current, Recovering; "Opportunity to influence" early, "Difficult to influence" later. Labels: Signal; Issues; Incident OR Signal; CRISIS; Media Coverage & amplification]
Cover all the bases!
[Figure: spectrum from LOSS (-) to GAIN (+). Labels: Target Performance; Expected Potential Losses; Expected Potential Opportunities; Unexpected Catastrophic Losses; Transformational Blue swans; Catastrophic Losses; Black swans; Unexpected Opportunities]
Shareholders and Management are typically concerned with variability below & above the target
You should also be looking out for critical NEW Changes in the Biz environment
Organisations should also be concerned with catastrophic risks & the risk of Insolvency
Road Map to Managing Risk & Crisis: The Solutions
How can ERM & BCM add value to each other?
BCM can provide ERM with:
• A better understanding of the critical activities (processes) and the infrastructure & resources that support these with the BIA
• A stronger focus on exercising and testing the risk mitigation framework
• A better understanding of communication dependency between critical functions
ERM can provide BCM with:
• A broader view of risk issues
• A better definition of Corporate Objectives & understanding of Risk Appetite
• A systematic approach to consistently and continuously monitoring and managing risk
• A better view of any emerging threats, and cross-functional communication of key threats
What is preventing effective coordination & integration between ERM & BCM?
Obstacle type 1: Resistance because of a cognitive difference of opinion about BCM & ERM mission, objectives, methodology & tools.
Obstacle type 2: Resistance due to emotional issues (Fears, ego, etc.)
Obstacle type 3: Resistance due to Political or Personal issues (Animosity, red tape, etc.)
In conclusion: Three Models for ERM and BCM in an organization
There are three different models for ERM & BCM in organizations:
• STATUS QUO – maintaining separate silos for both disciplines with different teams, reporting lines, methodologies, etc.
• COORDINATION – by having a central management unit/function coordinating both BCM and ERM activities.
• INTEGRATION – by integrating BCM functionally & methodologically into the ERM framework.
Unfortunately, the STATUS QUO model is what many organizations are doing today. It is more than time for change!
Marc Ronez - Chief Risk Strategist & Knowledge Leader at ARiMI - Asia Risk Management Institute
An ERM & Governance expert with 20 years of experience both as a practitioner & trainer for large MNCs, Governments & Charities. Marc has an MBA from the University of Chicago GSB, an MSc in Insurance & an LLM from the University of La Sorbonne.
What do I do? Help managers & leaders to use Risk Management to:
• Resolve difficult operational and business challenges
• Take & manage risks effectively to build sustainable & profitable growth models
Marc’s specific areas of expertise include ERM, risk decision-making processes, corporate governance, Business Ethics, Social Responsibility, risk-aware culture, risk communication and crisis management, business model/Strategy Risk Management, corporate learning systems development.
Risk Management is a continuous journey, not a destination!
Marc Ronez is on LinkedIn & WordPress
You can find his profile & read his blogs at:
P: sg.linkedin.com/pub/marc-ronez/1/3b6/465/
B: theriskmanagementparadox.com
B: riskmanagementdemystified.com
ARiMI – Asia Risk Management Institute
ARiMI, Asia Risk Management Institute
ARiMI is an applied research and business studies institute that was set up in 2003 (in partnership with NUS) and has established itself as the Institute of Reference for Enterprise Risk Management studies in Singapore and in the region.
We FOCUS on programs:
1. For Decision-Makers (Middle to Top Management): Developing PRACTICAL Knowledge & Skills in Risk & Crisis Management
2. For Organizations: Building CAPABILITIES for Sustainable and Profitable Growth by EMBEDDING Risk Aware & Crisis Readiness Culture
ARiMI - Focus and Expertise
Research
● Crisis management & Business Continuity
● Leadership risk decision-making and Social Capital
● Reputational Risk & stakeholders management
● Corporate governance & business ethics
Education
● Professional Designation Programs: CERM (Certified Enterprise Risk Manager), CPRM (Certified Professional Risk Manager), ARM (Associate in Risk Management), FSRM (Fellow in Strategic Risk Management)
● Public Seminars and Workshops
● Corporate Training & learning Programs
Expertise
● Risks & Opportunities Assessment & Mapping
● Crisis & Business Continuity Mgt
● Reputation Risk Mgt & CSR (Corporate Social Responsibility)
● Fraud Risk Mgt
● Risk Appetite & Risk Aware Culture Readiness
● Project risk management
● Risk Champions MasterClass
For more information on ARiMI, check our website at: www.arimi.org
Important Note: Please note that this presentation and its contents are the intellectual property of the Asia Risk Management Institute Pte Ltd. It has been prepared for this BCM Award session and it cannot be used for any other purposes without the specific written consent of the Asia Risk Management Institute.