PMI Southern Ontario Chapter PDD Ralph Dunham May 26, 2012



2 Future of Risk
- Resiliency
- Pervasive Readiness
- Effective Governance
- What's Next?

3 Risk matrix (IMPACT vs. PROBABILITY)

                 Low PROBABILITY          High PROBABILITY
High IMPACT      Medium Risk: Share       High Risk: Mitigate & Control
Low IMPACT       Low Risk: Accept         Medium Risk: Control

4 Quantification of risk exposure (threats vs. risks)
Options available:
- Accept = monitor (some may be uninsurable)
- Avoid = eliminate (get out of situation)
- Reduce = institute controls
- Share = partner with someone (e.g. insurance)
Residual risk (unmitigated risk, e.g. shrinkage)


6 Risk Assessment / Risk Management / Risk Monitoring
- Risk Assessment: Identification; Measurement; Prioritization
- Risk Management: Control It; Share or Transfer It; Diversify or Avoid It
- Risk Monitoring: Process Level; Activity Level; Entity Level
Source: Business Risk Assessment, The Institute of Internal Auditors

7 A focus on costs has led to neglect of risk; meanwhile, the risk landscape has changed:
- Brand damage is probably more important than direct financial loss
- Contracts and insurance are not enough protection
- Need to manage new and different risks
- More risks, which vary across the business
- Do you have enough information?
- The cost equation has changed
- Factor the cost of risk management into sourcing decisions
- Balance Just-in-time with Just-in-case

8 Managing Risk to the Enterprise Is the Focus
- Not just an insurance issue
- External factors versus internal
- Global risks are now issues
- Manage what can be managed
- Understand impact of Black Swans


10 Enterprise is too narrow
- Include investors, clients, partners, etc.
- Look at neighbourhoods
- Reliance on public sector
- Review global risks and their impact

11 All risks are not created equal
- Some risks are better mitigated than assumed
- Some risks will never be eliminated
- Some risks are outside your control
- Some risks are more acceptable than others to your organization
- Impacts change over time
- Combined risks are likely

12 Most Likely Source of the Next Big One
- Cloud computing
- Social media
- Crowd sourcing
- Criminal element
- Cyber wars
- Terrorism

13 Stuxnet
- June 2010 attack on Natanz facility
- Specifically targets Siemens controllers
- USB Flash drive
- Destroyed approximately 1,000 centrifuges
- Now publicly available
- Next wave of terrorism???

14 The biggest risks may not be included in your register
- Risk assessments should include global risks
- Exposed to the actions of any employee anywhere
- "It won't happen to me" syndrome
- Evolution of risk over time
- Combination of risks, not single point-in-time
- Speed & contagion of risks, especially catastrophic
- Apply greatest resource to greatest risk?

15 The impact of Black Swans
- Unknown unknowns
- How do you predict probability?
- Plan for no matter what
- Current planning based on assumptions
- Does insurance cover them?

16 Focus on consequence vs. cause
- Currently scenario or event based
- Too many causes; likely to miss one
- Real issue is the effect of an event
- Destructive event, non-destructive event, people event, loss of technology event

17 No Predicted Outcomes
- Assumes outcome can't be forecast
- Focus on process of resolution
- Includes ongoing reassessment based on current situation
- Accommodates unplanned detours
- Minimizes time-of-event challenges
- Must include role and response of individuals

18 Ability to achieve key organizational objectives
- Emphasis on continuity versus recovery
- Objectives-based versus asset-based
- Focus on critical elements for organizational success
- Identify minimum levels

19 Resilience vs. resilient capability
- Resilience is similar to "healthy"
- Not necessarily redundancy
- Processes and documentation are good; capability is better
- Vulnerability is the opposite of resiliency
- Never "recover"; adapt
- Sense & respond vs. plan & react

20 Issues/consequence based planning
- No causal orientation
- Simplifies task assignment
- Better identifies responsibility for solutions
- Minimizes effort that doesn't address an issue

21 Function of Robustness, Redundancy, Agility, Adaptability
- How do you measure?
- How do you develop?
- How much is enough?
- Where are the skills in the organization?

22 Governance: processes and systems by which an organization or society operates
- Who owns the governance of risk management?
- Is risk management part of effective governance?
- Is governance part of effective risk management?
- Role of internal and external audit
- Extent of governance outside the organization

23 Governance: processes and systems by which an organization or society operates*
In practice: Before / Today / Tomorrow
* Source: Webster dictionary, Wikipedia

24 Before
- Accounting
- Financial Reporting
- Long term approach only
- Audit driven
- Regulations were almost exclusively focused on legal or audit requirements

25 Today
- Executive Liability
- C-Level accountability
- Fraud prevention
- Ability to recover financial information
- Minimize client and employee impact
- Regulatory Compliance (often on several fronts)
- Proof of performance

26 Tomorrow
- Scope will extend beyond the boundaries of the organization
- Based on corporate goals
- Supports future direction of organization: structure; new markets / products
- Focus is on strategically managing risks
- Activities will be directly linked to shareholder value
- Outsourcing is included
- Compliance will be a source of: customer confidence; revenue continuity; stock value increase

27 BR Governance (ERP, DRP, BCP, CMP)
Proper Business Resilience governance gives Directors reasonable assurance that the organization is capable of dealing with business interruptions and crisis situations.

28 What does "Proper" mean?
- Protecting brand
- Resolving uncertainty and variances from expectations
- Maximizing opportunity for success and superior performance
- No excuses, no surprises

29 Move to capability vs. compliance: instil confidence
- Compliance standards: SOX, C45, etc.
- Program standards: ISO 22301, CSA Z1600, BS 25999, AUS 5050
- Executive peace of mind: will it work?
- Publish and promote capabilities
- Viewed as a maturity issue

30 Linkages to external factors: outsourcing
- How to govern outsourcers: compliance
- Who assesses outsourcer capability?
- Redundancy elimination, but where is resiliency?
- Ownership of Business Resilience cannot be outsourced

31 Leadership
- Executives are evaluated and trained to be efficient administrators vs. effective leaders
- Formal management training does not usually include how to respond to operational crises
- Measurements are usually short term and financial; it is hard to establish Business Resilience criteria
- Appropriate leadership response must be consistent with pre-established vision and values
- Need Risk Competent Organizations with Risk Cognizant Leaders

32 Executives typically have two objectives:
- Grow the value of the organization; and
- Protect the core assets of the organization:
  - Value of risk management in strategic planning;
  - Risk adjusted rate of return; and
  - Strategic objectives reflected in program objectives.

33 Traditional vs. Future

Traditional                                                  | Future
Focus on Interruptions                                       | Focus on Unusual events
Event monitoring is a low level activity                     | Event monitoring is the CEO's job, with Board oversight
Disruptions are a negative factor                            | Disruptions are also an opportunity
Business Continuity is managed in organizational silos       | Business resilience is integrated across the organization
Business Continuity is measured subjectively                 | Resilience is quantified and managed
Business Continuity functions are unstructured and divergent | Resilience is built into management systems
Forecasting based on history                                 | Forecasting includes risks

34 Risk Orientation: Operational Focus vs. Board Focus

                          | Operational Focus           | Board Focus
Risk Analysis             | Rank against Known Threats  | Identify/Assess New Driving Forces
Usage                     | Set Audit Frequency         | Allocate Resources to Key Driving Forces
Control Responsibility    | Audit                       | Strategic Management
Auditor Orientation       | Corporate Policeman         | Mgmt. Consultant/Advisor
Audit Focus               | Compliance with Procedures  | Confidence / Business Objectives
Timeframe                 | Past/Present                | Future/Present
Skills                    | Technical Skills, Audit     | Business/Industry Knowledge
Special Expertise         | Owned/Learned               | Access as Needed
Management Responsibility | Not Trusted                 | Empowered/Trusted
Management Skills         | Auditor                     | Management
Compliance Program        | Cycle-Driven                | Flexible/Responsive
Communication             | Periodic/One-way            | Continuous/Two-way/Strategic

35 Background
- August / 08: Maple Leaf Foods plant in Toronto confirmed an outbreak of Listeria Monocytogenes
- MLF recalled 191 products back to January / 08
- The outbreak incident caused 20 deaths and cost MLF over $30M
- Media spotlight was intense

Media     | First 10 Days | First Month
Print     | 408           | 1,011
Broadcast | 1,959         | 3,198
Online    |               |

36 The Response
- McCain took personal accountability, put public health and consumers' interest first, and led open and facts-based communication
- Legal and financial views took lower precedence
- Implemented a decisive action plan to:
  - Keep the public informed during and after the incident
  - Launch a mass media management strategy
  - Identify risks and impacts
  - Rebuild customer confidence

37 The Results
- MLF's brand and reputation rebounded
- Increased public support
- Managed CFIA requirements and minimized liability
- McCain named CEO of the year by the Canadian Press for 2008

38 Would your Business Resilience program have helped this organization?
- What would McCain expect from your program?
- What would you have to add to fully support him?
- What would your program have to look like to pass McCain's governance test?

39 "It won't happen"
- "If it does happen, it won't happen to me"
- "If it happens to me, it won't be bad"
- "If it happens to me, and it is bad, there was nothing I could have done about it anyway"
