Expert Commentary

Enterprise Risk Management in Uncertain Times

No company is immune to potentially disruptive or catastrophic events. So what separates the business that is quick to recover from the business that is slow—or even unable—to get back on track? Prevention, detection, and prudent response.

Enterprise Risk Management
October 2007

Consider the possible threats that companies face today: data privacy and IT security breaches; market instability and currency crises; overtaxed power grids; fuel shortages; pandemics; hurricanes, tsunamis, earthquakes, and other natural disasters; terrorist attacks; and more. As remote as these potential risks might be, should they arise, they could certainly wreak havoc on your business.

In fact, your business is far more likely to be affected by disruptive events than it was even a few decades ago. The potential impact of a business disruption spreads upstream to your supply chain and downstream to your customers and—thanks to globalization—to your employees, partners, locations, and processes around the world.

That's why risk intelligence in these uncertain times calls for thinking above and beyond traditional business continuity planning. Ensuring that you have offsite data storage, supply chain alternatives, or secondary production facilities is no longer enough. Companies must consider not only internal repercussions, but also the effects of the extended enterprise. What happens if, for example, your sites are disabled, personnel are injured, or communications or transportation systems are effectively shut down in any sector?

Infinite Causes, Finite Effects

One of the first steps a company can take in preparing for possible disruptions is to engage in scenario planning. Scenario planning is valuable in that it sheds light on potential catastrophes. But it does have its drawbacks: namely, that possible negative events are virtually limitless. As a result, management could become trapped in mind-numbing—and never-ending—"what-if" discussions.

That's why a complementary practice, called a business impact analysis, is needed. A business impact analysis fills a critical knowledge gap: identifying how an organization's finite assets and processes could be affected by a catastrophe or a series of disruptive events.

Consider the following three areas of impact, as well as how a company might address such business consequences.


As a result of certain catastrophic events, employees could be unable to commute to company offices or worksites. Risk Intelligent businesses, therefore, establish contingency plans that ensure that work can be done remotely.

Supply Chain

Disruptive events could make it difficult to procure raw materials, thereby crippling production, inventory, and distribution. Due to heavy interdependencies with suppliers and sources, businesses should be vigilant in structuring and monitoring these relationships. Companies might also rethink their single-source supplier relationships, as such "concentration risk" could leave them vulnerable to supply interruptions.


If disruptions to transportation and distribution systems prevent you from getting your product to market, or if your customers can't pay in a timely manner, you might not be able to meet your financial obligations. When drawing up contingency plans, businesses should consider such items as capital reserves, committed lines of credit, and their ability to rapidly implement tactical cost reductions, as the need arises.

Being Practical and Prudent

One of the biggest challenges of maintaining business continuity lies in determining what's practical and prudent. That is, once you make an informed decision as to what level of risk your company is willing to accept, how can you effectively prevent (when possible), detect, and respond to a broad range of disruptive events?

For best results, we recommend breaking risk management and business continuity activities into three stages: anticipation and preparation, first response, and recovery. With respect to anticipation and preparation, businesses should form response teams ahead of time and identify their predetermined responsibilities and authority.

In the first response stage, the primary objective is to contain the problem and protect people, facilities, the community, the critical infrastructure, and so forth. The recovery phase focuses on getting back to "business as usual" as quickly as possible. Immediate recovery activities, as well as post-recovery reevaluation and adjustment, should be included in this phase.

Certainly, many companies already have some degree of risk management structures and programs in place. This brief discussion is not meant to invalidate those programs, but to present additional issues for consideration. It is also intended to deliver a warning: Both past and current events indicate that it is not just a possibility that a significant disruptive event will affect your business. Rather, it is an inevitability.

Bad things happen. Prudent companies prepare for them.

Damian Walch is a director in the Security & Privacy Services Practice of Deloitte & Touche LLP. He can be reached at 312-486-4123 or at

Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.
