The document provides an overview of enterprise risk management (ERM). It discusses key aspects of developing an ERM program including identifying threats, prioritizing risks, creating recovery plans, and testing plans through exercises. The ideal sponsor of an ERM program is a senior executive like the CEO or CFO. ERM requires both top-down support and bottom-up mini-plans from each business unit. Regular training and plan maintenance are important for success.

1. Enterprise Risk Management Introduction (Part 1) John Glenn, MBCI Enterprise Risk Management practitioner Hollywood/Fort Lauderdale Florida 1-954-961-1674 – [email_address] http://JohnGlennMBCI.com Copyright 2010, John Glenn MBCI

2. Overview Enterprise Risk Management (ERM) also is known as Business Continuity Continuation Of Operations (COOP) Enterprise Risk Management is not Information Technology Disaster Recovery (IT D/R) although IT D/R is an integral part of Enterprise Risk Management

3. What’s in a name? Enterprise Risk Management (ERM) defined Enterprise : The entire organization, working from the profit center(s) out; holistic, all-inclusive Risk : All risks, both external and internal; no risk is overlooked or considered “out-of-scope” Management : Control threats through avoidance or mitigation; plan recovery to “business as usual"

4. Program or project Success or failure ROI or wasted effort and funds Enterprise Risk Management, to be successful, must be an on-going program; while there is a beginning, there is no end The program usually consists of projects, each with specific milestones

5. Who’s in charge? The ideal candidate to sponsor an Enterprise Risk Management program (best) or project is a very senior manager with fiduciary responsibilities, e.g., CEO, CFO, COO

6. Who is NOT in charge Functional unit C*Os and VPs (e.g., VP/MIS, CIO) properly are function focused and lack enterprise fiduciary responsibility; they also may be perceived as working primarily for the good of their unit vs. the good of the overall organization

7. Crossing silos Enterprise Risk Management is concerned with threats to “business as usual” from all directions Enterprise Risk Management focuses on PROCESSES and follows critical processes from initiation to completion

8. Risk Management Humor Passengers board ABC Airlines Flight 13 Pilot ‘s voice comes over the intercom “ Ladies & gentlemen, welcome to ABC Airlines Flight 13 “ This is ABC’s first fully automated flight; the only ABC personnel on board are the Flight Attendants “ Everything is computer controlled “ Nothing can possibly go wrong, go wrong, go . . .

9. Abbreviated flow diagram What could possibly go wrong ?

10. Threats to “business as usual” - 1 Threats to “business as usual” come from external vendors Materials suppliers Utilities suppliers Money suppliers (lenders) Transportation providers “ Ubiquitous others”

11. Threats to “business as usual” - 2 Threats to “business as usual” come from internal vendors Facilities HR/Personnel Office support (Accounting, Mailroom, etc.) IT “ Ubiquitous others”

12. Threats to “business as usual” - 3 Threats to “business as usual” come from Government, trade groups, regulators Customers Competition Image (company, product, associations) Neighbors Events (holidays) “ Ubiquitous others”

13. Prioritize threats Threats are rated by Probability of occurrence Impact on organization You set the scale Low-Medium-High 1 to 3, 5, 10 Avoidance & mitigation costs are not an issue at this p oint

14. Avoid, Mitigate, or Absorb Threats can be Avoided: usually the “high cost” option Mitigated: typically less expensive than avoidance, but with trade-offs Mitigation includes insurance coverage Absorbed: The organization will accept the loss

15. Threat chart Create a chart to list all threats to “business as usual” This is best accomplished in groups An amanuensis is a must A white board that can “write” to memory is useful

16. Decision makers The residents of the Corporate Suite review the recommendations and Confirm or change priorities based on business plans Determine w hat measures are to be implemented to deal with each threat Decide when to implement the threat avoidance or mitigation measures Smart management listens to its Subject Matter Experts (SMEs)

17. About the practitioner More than 13 years experience Certified by the Business Continuity Institute Created complete enterprise, key business unit, and IT-specific plans for Defense, Energy, Financial, Fortune 100, Government, Insurance, International, and Transportation organizations Formerly Manager of Business Continuity for a defense industry leader managing 47 sites in 17 states

18. Enterprise Risk Management an introduction (Part 2) John Glenn, MBCI Enterprise Risk Management practitioner Hollywood/Fort Lauderdale Florida 1-954-961-1674 – [email_address] http://JohnGlennMBCI.com Copyright 2010, John Glenn MBCI

19. Best laid plans of mice & men When the “best laid plans of mice and men” still fail to fully protect the organization, there must be a plan to “restore to business as usual” Efficiently Economically Expeditiously

20. Many mini-plans Enterprise Risk Management is at once top down and bottom up Top down since enterprise resources may be utilized to restore to “business as usual” Bottom up since each functional unit needs its own mini-risk management plan

21. Why mini-plans? Each functional unit – profit center or resource – needs its own “mini” plan If a threat is isolated to one functional unit, the mini-plan should guide responders to determine if the unit can be recovered before there is impact on other functional units

22. Recovery “by the numbers” Each mini-plan, and the organization’s overall plan, includes procedures to restore critical processes Procedures are prepared by functional unit Subject Matter Experts (SMEs) Procedures are documented (by SMEs or others) Procedures are validated by NON -SMEs to assure completeness and clarity

23. Practice makes perfect Restoration procedures must be practiced So responders understand their tasks So responders’ confidence is enhanced So any plan deficiencies are discovered and eliminated There are various exercise levels Walk-throughs to “pull the switch” Exercises, never “tests”

24. Who responds? Every response task needs at least two responders, a primary and an alternate People get sick, go on vacation, change jobs, go to courses away from the work place Both primary and alternate must be able to do the task Rank is not a consideration in selecting responders

25. Planning ahead A few things to consider before an event Press releases, and who will give them Different emphasis for different audiences Policies and procedures Work periods, family considerations, etc. Furlough of non-essential personnel Relocation options

26. Training Personnel awareness & safety training Sights, sounds, smells Evacuation & in-place sheltering What to do if someone refuses to Leave the building (evacuation) Stay inside the building (in-place sheltering) The lawyers say . . .

27. Plan maintenance When to review the plan Depends on organization’s dynamics, but at least annually By trigger word changes, “P” words Personnel Place (location) Politics (licensing, regulations, zoning) Procedure Process Product Providers (vendors) Purchasers (clients)

28. Planner’s role An experienced practitioner should be involved in creating the plan and monitoring the program either As in-house staff, to manage the process and mentor functional unit staff contributing to the plan As a consultant and mentor to in-house personnel assigned planning tasks

29. Plan benefits Potentially lower costs Reduced risk impact through avoidance, mitigation More efficient, expeditious recovery Adjusted insurance coverage PR – “We have a plan, therefore we assure product delivery” Enhanced employee loyalty Employees know management cares about them Possibly enhanced stock and bond ratings

30. About the practitioner More than 13 years experience Certified by the Business Continuity Institute Created complete enterprise, key business unit, and IT-specific plans for Defense, Energy, Financial, Fortune 100, Government, Insurance, International, and Transportation organizations Formerly Manager of Business Continuity for a defense industry leader managing 47 sites in 17 states