Enterprise Risk Management in Uncertain Times
October 2007
No company is immune to potentially disruptive
or catastrophic events. So what separates the business that is quick to recover
from the business that is slow—or even unable—to get back on track? Prevention,
detection, and prudent response.
by Mark Layton and Damian Walch
Deloitte & Touche
Consider the possible threats that companies face today: data privacy and
IT security breaches; market instability and currency crises; overtaxed power
grids; fuel shortages; pandemics; hurricanes, tsunamis, earthquakes, and other
natural disasters; terrorist attacks; and more. As remote as these potential
risks might be, should they arise, they could certainly wreak havoc on your
business.
In fact, your business is far more likely to be affected by disruptive events
than it was even a few decades ago. The potential impact of a business disruption
spreads upstream to your supply chain and downstream to your customers and—thanks
to globalization—to your employees, partners, locations, and processes around
the world.
That's why risk intelligence in these uncertain times calls for thinking
above and beyond traditional business continuity planning. Ensuring that you
have offsite data storage, supply chain alternatives, or secondary production
facilities is no longer enough. Companies must consider not only internal repercussions,
but also the effects of the extended enterprise. What happens if, for example,
your sites are disabled, personnel are injured, or communications or transportation
systems are effectively shut down in any sector?
Infinite Causes, Finite Effects
One of the first steps a company can take in preparing for possible disruptions
is to engage in scenario planning. Scenario planning is valuable in that it
sheds light on potential catastrophes. But it does have its drawbacks: namely,
that possible negative events are virtually limitless. As a result, management
could become trapped in mind-numbing—and never-ending—"what-if" discussions.
That's why a complementary practice, called a business impact analysis, is
needed. A business impact analysis fills a critical knowledge gap: identifying
how an organization's finite assets and processes could be affected by a catastrophe
or a series of disruptive events.
Consider the following three areas of impact, as well as how a company might
address such business consequences.
People
As a result of certain catastrophic events, employees could be unable to
commute to company offices or worksites. Risk Intelligent businesses, therefore,
establish contingency plans that ensure that work can be done remotely.
Supply Chain
Disruptive events could make it difficult to procure raw materials, thereby
crippling production, inventory, and distribution. Due to heavy interdependencies
with suppliers and sources, businesses should be vigilant in structuring and
monitoring these relationships. Companies might also rethink their single-source
supplier relationships, as such "concentration risk" could leave them vulnerable
to supply interruptions.
Finances
If disruptions to transportation and distribution systems prevent you from
getting your product to market, or if your customers can't pay in a timely manner,
you might not be able to meet your financial obligations. When drawing up contingency
plans, businesses should consider such items as capital reserves, committed
lines of credit, and their ability to rapidly implement tactical cost reductions,
as the need arises.
Being Practical and Prudent
One of the biggest challenges of maintaining business continuity lies in
determining what's practical and prudent. That is, once you make an informed
decision as to what level of risk your company is willing to accept, how can
you effectively prevent (when possible), detect, and respond to a broad range
of disruptive events?
For best results, we recommend breaking risk management and business continuity
activities into three stages: anticipation and preparation, first response,
and recovery. With respect to anticipation and preparation, businesses should
form response teams ahead of time and identify their predetermined responsibilities
and authority.
In the first response stage, the primary objective is to contain the problem
and protect people, facilities, the community, the critical infrastructure,
and so forth. The recovery phase focuses on getting back to "business as usual"
as quickly as possible. Immediate recovery activities, as well as post-recovery
reevaluation and adjustment, should be included in this phase.
Certainly, many companies already have some degree of risk management structures
and programs in place. This brief discussion is not meant to invalidate those
programs, but to present additional issues for consideration. It is also intended
to deliver a warning: Both past and current events indicate that it is not just
a possibility that a significant disruptive event will affect your business.
Rather, it is an inevitability.
Bad things happen. Prudent companies prepare for them.
Damian Walch is a director in the Security & Privacy Services Practice of
Deloitte & Touche LLP. He can be reached at 312-486-4123 or at dwalch@deloitte.com.
Opinions expressed in Expert Commentary articles are those of the author and are
not necessarily held by the author’s employer or IRMI. This article does not purport
to provide legal, accounting, or other professional advice or opinion. If such advice
is needed, consult with your attorney, accountant, or other qualified adviser.