When viewed within the context of business resilience and business survival, the case for a formalised risk management system, supported by designed-for-purpose software, is compelling. Here, in an excerpt from their book Mastering Risk Management, Tony Blunden and John Thirlwell put the case…
At the business level, a robust and efficient risk system will enable managers to react to events more quickly and with greater effectiveness. At the board level, good risk management reduces the volatility of performance and facilitates efficient resource and capital allocation. From an investor point of view, risk management encourages and allows an understanding of where shareholder value is being created or destroyed.
A good risk management system, fully embedded in the business, will prevent any blindness to risk which may affect the profitability of a business line or transaction. Risk and control perception is improved through distilling a risk culture, which leads to business optimisation. That will be reflected in a firm’s credit rating. And it will also generate a significant regulatory benefit in an improved relationship with the regulator, wherever that is applicable.
A further benefit is that if you get it right, you avoid paying the lawyers! Risk management is fundamental to successful business management. It produces true business benefits in its own right.
Business Survival – Responding to an Incident
The benefit of a robust, tested and up-to-date business survival plan should be self-evident. Business survival and recovery, or indeed any contingency arrangement, is an essential tool of risk mitigation. It uses the processes of risk in its creation and activation: horizon scanning of threats and risk assessment and scenarios. Just as with any other part of risk management, business survival helps you identify your vulnerabilities and primary objectives. In short, business survival and recovery plans are investments.
Not having an adequate plan can mean permanent loss of market share or loss of staff and the difficulty and expense of recruiting replacements. The stakes can be that high. You need to plan, test and communicate. And, of course, if you recover the business quickly, especially if an event occurs which affects both you and your competitors, you will have an immediate competitive advantage. A good business continuity plan might even mean that you can negotiate a reduction in your business interruption policy premium.
After an event, firms fall into two categories – ‘recoverers’ and ‘nonrecoverers’. Firms which invest in risk, operational resilience and governance are the most profitable and the survivors. Business survival is an investment, not a cost. If the business isn’t available, there is no business. Strategic issues do not come more critical than that. If you can get back into business before your competitors, the opportunities are endless.
How to choose the best response
When a threat turns into an incident, it will generate a response. The incident will come down to variations on: loss of premises, staff, equipment, systems, a production line, key suppliers or outsourced activity. The business survival plan formulates those responses. The importance of each response is a mix of the results of the business impact assessment and the sum of the likelihood of the threats associated with it.
One of the lessons of the London bombings in July 2005 was that the firms which were able to respond best had concentrated their business recovery on impacts and decision making, rather than the nature of a disruption and its possible causes. As a result, following a more generic-based approach, they had the flexibility to respond to a broad range of potential scenarios.
The key point about scenarios is not to get into too much detail with them. As with much of survival planning – keep it simple. Remember also that organisational behaviours underpin recovery. A culture of fear delays escalation to senior management and the impact can be fatal. As with reputation, you may have only a short time before an incident becomes a crisis. Business survival and recovery management is a firm-wide project which involves all functions. It also involves external entities such as government, regulators, competitors, third parties and, critically, your customers. It is therefore best to undertake this phase by way of workshops, or a similar approach, which ensures that all the ramifications of a survival and recovery strategy are understood and that you have buy-in from everybody concerned.
Gathering the project team together will also help to ensure that strategies and countermeasures do not conflict, so that the solution for one part of the business does not create a new issue for another part of the business or expose it to unmeasured risk.
■ Make sure everybody understands the primary objectives – what needs to be achieved must be fully understood. Be pragmatic.
■ The biggest risk is generated by doing things differently. Stick as closely as possible to normal practice, or at least make sure you have decided what will be the new normal.
Once you have agreed your approach and got everybody together, the next step is to list the response options that are currently available and then consider for each trigger which responses are suitable, and whether there is a risk of failure of the countermeasures you may wish to use.
The results of the exercise should enable you to identify a preferred recovery strategy for each response trigger and assess the effectiveness both of the strategies and of the controls you have in place for mitigating an incident. The exercise should also highlight any gaps (i.e. where there is no recovery strategy for a response trigger) and those strategies which are inadequate.
Mastering Risk Management by Tony Blunden and John Thirlwell is published by FT International. Readers of this blog are entitled to a 25% discount on Mastering Risk Management through the following URL: https://www.pearson.com/en-gb/
In our next blog, Tony and John outline how to plan your response to a calamitous event, and give a high-profile example of business survival.
RiskLogix Solutions Limited
RiskLogix has worked with financial services firms around the globe, providing innovative software solutions, training and consultancy services. We provide tangible, actionable advice and guidance to help organisations achieve their strategic goals and deliver true business value.