Enterprise Risk Management in Uncertain Times

October 2007

No company is immune to potentially disruptive or catastrophic events. So what separates the business that is quick to recover from the business that is slow—or even unable—to get back on track? Prevention, detection, and prudent response.

by Mark Layton and Damian Walch
Deloitte & Touche

Consider the possible threats that companies face today: data privacy and IT security breaches; market instability and currency crises; overtaxed power grids; fuel shortages; pandemics; hurricanes, tsunamis, earthquakes, and other natural disasters; terrorist attacks; and more. As remote as these potential risks might be, should they arise, they could certainly wreak havoc on your business.

In fact, your business is far more likely to be affected by disruptive events than it was even a few decades ago. The potential impact of a business disruption spreads upstream to your supply chain and downstream to your customers and—thanks to globalization—to your employees, partners, locations, and processes around the world.

That's why risk intelligence in these uncertain times calls for thinking above and beyond traditional business continuity planning. Ensuring that you have offsite data storage, supply chain alternatives, or secondary production facilities is no longer enough. Companies must consider not only internal repercussions, but also the effects of the extended enterprise. What happens if, for example, your sites are disabled, personnel are injured, or communications or transportation systems are effectively shut down in any sector?

Infinite Causes, Finite Effects

One of the first steps a company can take in preparing for possible disruptions is to engage in scenario planning. Scenario planning is valuable in that it sheds light on potential catastrophes. But it does have its drawbacks: namely, that possible negative events are virtually limitless. As a result, management could become trapped in mind-numbing—and never-ending—"what-if" discussions.

That's why a complementary practice, called a business impact analysis, is needed. A business impact analysis fills a critical knowledge gap: identifying how an organization's finite assets and processes could be affected by a catastrophe or a series of disruptive events.

Consider the following three areas of impact, as well as how a company might address such business consequences.

People

As a result of certain catastrophic events, employees could be unable to commute to company offices or worksites. Risk Intelligent businesses, therefore, establish contingency plans that ensure that work can be done remotely.

Supply Chain

Disruptive events could make it difficult to procure raw materials, thereby crippling production, inventory, and distribution. Due to heavy interdependencies with suppliers and sources, businesses should be vigilant in structuring and monitoring these relationships. Companies might also rethink their single-source supplier relationships, as such "concentration risk" could leave them vulnerable to supply interruptions.

Finances

If disruptions to transportation and distribution systems prevent you from getting your product to market, or if your customers can't pay in a timely manner, you might not be able to meet your financial obligations. When drawing up contingency plans, businesses should consider such items as capital reserves, committed lines of credit, and their ability to rapidly implement tactical cost reductions, as the need arises.

Being Practical and Prudent

One of the biggest challenges of maintaining business continuity lies in determining what's practical and prudent. That is, once you make an informed decision as to what level of risk your company is willing to accept, how can you effectively prevent (when possible), detect, and respond to a broad range of disruptive events?

For best results, we recommend breaking risk management and business continuity activities into three stages: anticipation and preparation, first response, and recovery. With respect to anticipation and preparation, businesses should form response teams ahead of time and identify their predetermined responsibilities and authority.

In the first response stage, the primary objective is to contain the problem and protect people, facilities, the community, the critical infrastructure, and so forth. The recovery phase focuses on getting back to "business as usual" as quickly as possible. Immediate recovery activities, as well as post-recovery reevaluation and adjustment, should be included in this phase.

Certainly, many companies already have some degree of risk management structures and programs in place. This brief discussion is not meant to invalidate those programs, but to present additional issues for consideration. It is also intended to deliver a warning: Both past and current events indicate that it is not just a possibility that a significant disruptive event will affect your business. Rather, it is an inevitability.

Bad things happen. Prudent companies prepare for them.


Damian Walch is a director in the Security & Privacy Services Practice of Deloitte & Touche LLP. He can be reached at 312-486-4123 or at .


Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.

© 2000-2012 International Risk Management Institute, Inc. (IRMI). All rights reserved.