INTEGRATING RISK MANAGEMENT AND BUSINESS CONTINUITY
June 2012
Sami Ahmed, Assistant Vice President - MRC
Paolo De Rosa, Senior Vice President - MRC
Introduction

Purpose: Raise your knowledge and awareness of the reasons and processes to integrate Business Continuity Management (BCM) with Risk Identification and Assessment into an effective Enterprise Risk Management (ERM) Framework.

Scope:
- Background
- Method of integration
- Advantages of integration
- Governance structure
- Summary
Background: What is a risk?

- The effect of uncertainty on achieving objectives
- The chance of something happening that will have an impact on objectives
- Measured in terms of a combination of the likelihood of an event occurring and its consequences

How do you control risk?

- Eliminate risk: change the activity, or cease it altogether, to eliminate the risk
- Avoid risk: change the activity to reduce the likelihood and/or consequence resulting from the risk
- Transfer risk: transfer the risk via contract, insurance or other means
- Retain risk: accept that the risk is intrinsic to the activity; implement a level of controls based upon risk appetite

(Figure label: Increased exposure)

08 June 2012
Background: Business Continuity Management

BCM lifecycle (figure):
- Understand the Organization
- Determine BCM strategy (BIA)
- Develop Business Continuity Plan
- Exercise and Audit
Background: Business Continuity Management Process

BCM Process (figure): Functions -> Filter (Threats) -> Plans -> Recovery of Business from Interruptions
Background: What is Enterprise Risk Management?

Enterprise risk management (ERM) is a structured, consistent and continuous way of managing risk. It allows companies to better understand and address their material risks.

ERM adds value by:
- Reducing risk
- Increasing potential opportunities
- Reducing overall uncertainty
Background: Enterprise Risk Management (ISO 31000:2009)
Background: Principles

The values of risk management practices within the organisation:
- Define the purpose
- How ERM should look and feel
- Ensure relevance to the organisation's culture
Background: Risk Management Framework

- Commitment
- Accountability
- Dedicated resources
- Relevant to the organisation
- Integration
- Adoption
- Review and Improvement
Background: Risk Management Process

- What is the Risk?
- How serious is the Risk?
- How do we mitigate the Risk?
- How do we sustain the mitigation of the Risk?
Background: Enterprise Risk Management Process

ERM Process (figure): Likelihood and Impact -> Filter -> Controls -> Protects against threats to Strategic Objectives
Background: Silo effect

Traditionally some organisations have maintained separate Business Continuity Management and Enterprise Risk Management arrangements.

Silo effect (figure):
- ERM Process: Threats and Impacts -> Filter (Likelihood, Impact) -> Controls -> Protects against threats to Strategic Objectives
- BCM Process: Functions -> Filter (Threats) -> Plans -> Recovery of Business from Interruptions
Disadvantages of Silo

Overall, two separate practices may result in the key risks threatening the organisation not being mitigated, in turn resulting in:
- incorrect investment in controls
- increased expenses
- a reduced bottom line
Our proposition

- ERM and BCM should be completed together
- BCM is part of an effective ERM Framework
Traditional BCM: Business Impact Analysis

Figure: Business Impact Analysis matrix with columns Division, Function/Process Scenario and Plan, showing Divisions 1 to 3, Function/Process Scenarios 1 to 5 and Plans 1 and 2.
Typical ERM: Risk Identification and Assessment

Figure: Risk Identification and Assessment matrix with columns Division, Risk Scenario and Control, showing Divisions 1 to 3, Risk Scenarios 1 to 3 and Controls 1 and 2.
New Approach to Enterprise Risk Management Framework

Figure: Enterprise Risk Management Framework matrix with columns Division, Risk, Function/Process, RIA Control and BCM Plan, showing Divisions 1 to 3, with each Risk linked to a Function/Process, an RIA Control (1 or 2) and a BCM Plan (1 or 2).
How can we integrate? A combined process

Legend (figure): Key RM activity; BCM activity; Integrated RM/BCM activity

Flow:
- Business Strategy
- Interviews and workshops
- Key risks / threats (RM) and Key processes (BCM)
- Identification of Risks; Impact of interruptions upon key processes
- Risk Map and Risk Register (Threats, Impact, Likelihood); Dependencies, Vulnerabilities, Impact
- Risk Strategy & Controls (Preventative); Business Continuity Plans (Mitigation)
How can we integrate? Business Impact Analysis

Business Impact Analysis (figure), columns: The Risk | Likelihood | Consequence | Risk Rating | Function affected
- Risk 1 | Almost certain | Very High | Function 1 .. Function n
- Risk 2 | Likely | High | Function 2 .. Function n

Enterprise Risk Register (figure), columns: Risk | Risk Rating
- Financial risk: Risk 1, Risk 2
- Strategic risk: BCP
- Operational risk
- IT Risk

BCM is a means of controlling relevant disruption-related risks to the organisation.
Why integrate? Considerations

BCM looks to provide ERM with:
- A better understanding of the critical activities (processes) and the infrastructure and resources that support them
- An existing risk mitigation framework
- Whole-of-business communication of critical functions

ERM looks to provide BCM with:
- A broader view of risk
- A systematic approach to consistently and continuously monitoring and managing risk
- Cross-divisional communication of key threats
- A better view of any emerging threats
Why integrate? Traditionally BCM:

- Concentrates on mitigating the high-consequence threats to functions, such as an earthquake, flood or fire
- Then looks to mitigate those threats through the Business Continuity Plan

Disadvantage of segregation: because high-impact events take priority, the business may lose focus on responses to high-likelihood, low-consequence risks, e.g. fraud, privacy breaches, data losses etc.

(Figure label: Mitigation through BCM)
Why integrate? Traditionally ERM:

- Prioritises risks and risk treatments based upon Likelihood and Consequence
- Concentrates upon high-likelihood and high-consequence risks

Disadvantage of segregation: the business may lose focus on high-consequence, low-likelihood events, e.g. disruption events, because their low risk rating results in a lower treatment priority.

(Figure label: Mitigation through ERM)
Why integrate? An integrated approach provides:

- Better coverage of the risk map
- Better prioritisation of resources
- More pragmatic risk treatment
- More efficient investment in risk management

(Figure labels: Mitigation through ERM; Mitigation through BCM)
Governance Structure: Two possible ways to integrate

1. One division/department for both ERM and BCM
- Dedicated resources for the two practices for risk identification and mitigation
- Threats and Impacts rated based upon ERM tools
- Monitored by the Chief Risk Officer or Chief Financial Officer
- Structure (figure): Risk Management Division covering ERM and BCM
- Useful for organisations whose BCM and/or ERM teams require further maturity
2. Two separate departments
- May have developed in reaction to specific needs
- Consistent and continuous communication between the BCM and ERM teams
- Threats and Impacts rated based upon ERM tools
- Monitored by Senior Management and the Board
- Structure (figure): ERM Team and BCM Team
- Useful for organisations with already established separate BCM and ERM teams
Governance Structure: Ways to initiate change

Cultural adoption through incentives by:
- reward through recognition
- increased initial divisional budgets for risk management
- individual/divisional KPIs

What's necessary?
- Champions and resources
- Commonality between ERM and BCM, i.e. tools, definitions etc.
- Promotion of benefits to other stakeholders, e.g. CFO, Board etc.

Who can support you?
- IT
- Audit Function
- C Suite
- Operations
Governance Structure: An integrated governance framework will:

- Create efficiency
- Improve the risk profile
- Promote a risk-aware environment
- Implement effective systems that:
  - are sustainable
  - strengthen the independence of the RM function
  - align with business objectives

Managing Risk is Everybody's Responsibility
Summary: What have we learnt?

- Background: BCM, ERM, silo effect due to separation
- Method of integration: consideration of key risks when developing the BCP
- Advantages of integration: efficient coverage of the risk map and use of resources
- Governance structure: framework, implementing change, benefits

THANK YOU!! Questions?
This document and any recommendations, analysis, or advice provided by Marsh (collectively, the "Marsh Analysis") are intended solely for the entity identified as the recipient herein ("you"). This document contains proprietary, confidential information of Marsh and may not be shared with any third party, including other insurance producers, without Marsh's prior written consent. Any statements concerning actuarial, tax, accounting, or legal matters are based solely on our experience as insurance brokers and risk consultants and are not to be relied upon as actuarial, accounting, tax, or legal advice, for which you should consult your own professional advisors. Any modeling, analytics, or projections are subject to inherent uncertainty, and the Marsh Analysis could be materially affected if any underlying assumptions, conditions, information, or factors are inaccurate or incomplete or should change. The information contained herein is based on sources we believe reliable, but we make no representation or warranty as to its accuracy. Except as may be set forth in an agreement between you and Marsh, Marsh shall have no obligation to update the Marsh Analysis and shall have no liability to you or any other party with regard to the Marsh Analysis or to any services provided by a third party to you or Marsh. Marsh makes no representation or warranty concerning the application of policy wordings or the financial condition or solvency of insurers or reinsurers. Marsh makes no assurances regarding the availability, cost, or terms of insurance coverage.