Tuesday, 28 October 2014

A case study of the integration of ERM and BCM as an independent function

At the 2014 BCI World Conference and Exhibition, participants will have an opportunity to listen to a real case study of the integration of Enterprise Risk Management (ERM) and Business Continuity Management (BCM) as an independent function. This is an innovative, leading-edge role for the ERM and BCM function.

In my presentation, I will show how the traditional reporting structure and work functions of ERM and BCM in an organisation are usually separated from each other. The ERM and BCM functions are typically part of the executive management team, and the head of ERM and BCM reports to an executive such as the CEO or the CFO.

I will share with you a real-life case in Malaysia where the ERM and BCM functions are integrated as a 'single' function and act as an 'independent' unit, assuming roles and responsibilities similar to those of Internal Audit and separate from Management. The integrated ERM and BCM independent function reports functionally to the Board of Directors via the Board Audit Committee and administratively to the CEO.

The integrated ERM and BCM function will serve as the foundation for a well-governed and well-managed organisation: one built on a resilient foundation of BCM and supported by the three pillars of Corporate Governance - Governance, Risk and Compliance.

In order to ensure the effectiveness of an integrated ERM and BCM independent function in an organisation, the following prerequisite criteria must be established:
  1. An integrated ERM and BCM Charter clearly stating the independence, authority, position, roles and responsibilities of the ERM and BCM functions
  2. Unbiased support from the Board of Directors and the CEO for the independent roles and responsibilities of the integrated ERM and BCM function. The Board of Directors, via the Board Audit Committee, is responsible for the oversight of the work of the integrated ERM and BCM function and for the performance and oversight of the Head of the integrated ERM and BCM function, and ensures that it has a sufficient quantity and quality of resources to fulfil its roles
  3. The appointment of the Head of the integrated ERM and BCM function must be approved by the Board of Directors. The Chair of the Board Audit Committee is consulted before the appointment of the Head of the integrated ERM and BCM function or the termination of his/her employment, and conducts entry and exit interviews with the same
  4. The Head of the integrated ERM and BCM function and the supporting staff should possess strong knowledge of both the ERM and BCM disciplines
  5. Management must understand its role as risk owner and BCM process owner, and these roles must be clearly communicated and supported by Management
I will also share with you the benefits of an integrated ERM and BCM independent function and some of the limitations that you may face if you implement the said function in your organisation.

In conclusion, I will share the key takeaways and lessons learnt from the Malaysian experience that can be adapted to your organisation, since there is no 'one-size-fits-all' integrated ERM and BCM function. The ultimate goal of the integration is synergy between the two functions as a single independent function that contributes towards a well-governed and well-managed organisation.

Chong Chen Voon is currently the Managing Director of GRC Consulting Services and an Executive Director of EJF Group, a group of consulting firms providing Consulting, Advisory and Training services.

Chong will be discussing 'the integration of ERM and BCM as an independent function' on day one of the BCI World Conference on Wednesday 5th November. You will find him in seminar room 3 starting at 13:10.

Monday, 27 October 2014

Business continuity: human resources as powerbrokers?

The proposition that human resources hold one of the golden keys to successful business continuity will be presented on day two of the BCI World Conference and Exhibition in the Listen Stream. David Evans and Lynne Donaldson of Corpress LLP will argue that the HR role in business continuity is often understated, possibly not understood and for many organisations undervalued.

Please share your thoughts with us on how important HR (Personnel) are to your BCM process: are they heavily engaged or just reactive when pushed and how much time do you spend working with them?

Placing people at the heart of the continuity process has an inherent logic about it: organisations are after all a collection of people with a few facilities, procedures, a purpose and maybe some cash holding them together. The more effectively people work together, then the greater the chance that an organisation will be successful. At a simplistic level, shared goals, good leadership and competent people are a good place to start.

Indeed, according to the BCI Good Practice Guidelines, business continuity is "the capability of the organisation to continue to deliver…" and without the right people in the right place at the right time, there is no capability.

Is there a danger that in stripping down an organisation to assess the causes of failure and analyse business impacts we lose sight of the important role of staff and contractors? It may be easier to consider that an activity or a process can fail due to physical disruption, equipment failure or other losses leading to impacts on the organisation rather than examine the role played by the individuals tasked with developing, maintaining and implementing the process.

If this were the case, then people could legitimately be relegated to a footnote in the BIAs relating to loss of key people or teams. Alternatively we could focus on recovery rather than impact, perhaps creating a starring role for HR when things start to go wrong, when response teams are required to act rapidly and implement the plans and arrangements that have been carefully crafted to recover and ultimately protect the organisation.

It would be easy for business continuity to become technology bound: there is a wealth of failures and impacts that affect organisations when equipment breaks, facilities are damaged or the utilities fail. There is plenty to keep us occupied, and that is exactly what makes it a dangerous path to take, one where we forget the social side of the equation and concentrate on the technology and the systems.

People + Technology + Systems = Organisation
This blog is being written on the day the Bank of England Governor Mark Carney launches an investigation into the crash of the CHAPS payment system. He promises to discover what went wrong and whether officials had responded properly. For officials, read people. You can almost picture the inquisitor sitting down with a blank sheet of paper and starting to write down the questions to be answered:
  • Who caused it?
  • Who responded when the problem occurred?
  • Who was competent and possibly not so competent?
  • Who checked the work?
  • Who solved it?
  • Who is to blame?
I accept that there is an equally valid list along the lines of what went wrong and why; "who" is only one of Kipling's six honest serving men. But it illustrates how important people are in the equation, which takes us to HR or, if you prefer, Personnel.

From the day you arrive in your new job until you decide to part company with the organisation, HR play a key corporate role in your business life. The culture you work in, the competence and skills of your co-workers and yourself, and even your role itself are all guided by the hands of HR. They protect the organisation, including managers and staff, from breaching workplace legislation. They have a significant input into the establishment of strategy and its delivery, because nothing happens without people. All major projects, most major investments and nearly all changes to the business will at some point involve them.

Let me introduce you to a professional group of people who work from the top to the bottom of the organisation, have had contact with everyone in it, help to develop their capability and foster their engagement, and protect you from a wide range of legal liabilities.

Not only that, but as soon as a problem occurs and the world is looking a little less rosy, it would be rather helpful to have a team who know what skills are available and where they are located, who can help you communicate across the organisation and who, ultimately, help build a resilient culture.

But more of that during the presentation. If you can't wait and want to share experiences or request more detail on how to get HR engaged, then please email us at contact_us@corpress.uk

Friday, 24 October 2014

Business continuity and information security – a good fit?

During my interaction with senior management as a business continuity/information security consultant, especially amongst IT centric organisations, I am invariably asked a question: "We come across too many ISO standards which have common themes. In your opinion, which are some of the Standards that come very close especially from an implementation perspective?"

As you can see, this is a very loaded question from senior management, who are typically fed up with too many rules, regulations and standards trying to govern their lives. Also, whilst they want to adhere to all applicable regulations and standards, they want some optimisation of their implementation costs.

My typical answer to this is as follows: "If your emphasis is on service management, please combine ISO 9001:2008 and ISO/IEC 20000-1:2011. In fact, implement only one standard and ignore the other. If your emphasis is on information security and business continuity, please combine the ISO/IEC 27001:2013 (ISMS) and ISO 22301:2012 (BCMS) implementations."

From a historical perspective, both ISO 27001 and ISO 22301 emerged from British Standards and have a sort of common past. Leaving that aside, information security, as the pundits drum into us, is all about confidentiality, integrity and availability of information. Business continuity, on the other hand, is about availability (of information or of the business) in case of a disaster. In companies where information is the business, these two standards merge quite well.

All this, however, has to start with the scope of the ISMS/BCMS. What is the context of the organisation that is planning to implement the BCMS/ISMS, and does the context match in both cases? If the context matches we have a winner, and we can choose to implement both management systems together with a common project plan and team. Typically, the BCMS and ISMS (at least in mature organisations) come under the 'Risk Department' organisationally. If this is not the case, it would be worthwhile to make organisational changes before commencing implementation of the BCMS/ISMS.

In my address at the BCI World Conference and Exhibition, I will be looking at this from a practical perspective to explain how we can implement the BCMS and ISMS together, along with the common features of both standards.

So …happy interactions!

Ramesh Ramani will be discussing 'Business continuity and information security – a good fit?' on day one of the BCI World Conference and Exhibition on Wednesday 5th November. You will find him in seminar room 3 starting at 09:20.

Wednesday, 22 October 2014

Genoa: The city where maths kills people

On October 9th, 2014 - with HI CARE Association and PANTA RAY - the BCI Italian Forum was launched, the first Business Continuity Institute affiliated network in Italy for business continuity professionals. At a conference held in Milan, I had the chance to point out how low awareness of this topic still is in our country and how important it is to pursue a radical change in mentality and in the approach to crisis management.

There was no need for the umpteenth flood in Genoa to confirm how urgent the need for change is. But unfortunately, just a few nights before our forum, the Bisagno river overflowed its banks, killing one person (in 2011 there were six victims). The city woke up to a widespread blackout, Enel declared that over 2,000 customers had no power, schools and universities were closed, several blocks were flooded, and the economic and infrastructural damage was significant (around €200 million in public costs and approximately €100 million in private damage to companies and shops).

A scene we are used to, and not only in Genoa, unfortunately. But there is a piece of good news: we finally found the guilty party: maths! The President of the Liguria Region, Burlando, declared: "It is the first time that mathematical models are wrong." He must have missed all the financial slumps in the history of the world. "The phenomenon that was registered yesterday has never happened before and our weather forecasting models could not anticipate it. The model is still valid though; until now it has always predicted the weather so that we never made mistakes related to severe crises". Good to know.

I think we can list thousands of reasons that led to the umpteenth tragedy: bureaucracy, soil consumption (which in Italy is twice the European average), the lack of resources, the typical Italian mentality that is anything but focused on prevention and planning, etc. All valid considerations that highlight the need for careful reflection. But, maths?

I really do not want to concentrate the attacks on President Burlando, but I do have to highlight these statements because they reveal a problem that I have to face quite often as a business continuity and crisis management consultant, with both public entities and private companies. Here is the deal: business continuity is often confused with risk management, a discipline that – by definition – is based on probability calculation and therefore on mathematical models. This is a problem, since business continuity is meant to ensure an organization's resilience regardless of the probability of occurrence of a potential disruption. Business continuity is applied to the so-called 'residual risk', the part of the risk which is not manageable or computable. Outcome: when mathematical models fail and no business continuity practices are embedded in the organization, disasters happen!

Risk management (and maths, of course) is a fundamental discipline, just as weather forecasting is. But thinking that they never fail is crazy, and relying on nothing but mathematical models is criminal. It has to be said clearly, because people die and companies fail. The Ferraris Stadium in Genoa is right next to the Bisagno river. What if the 'maths models' fail again on a football match day, when the area is full of thousands of supporters?

Earlier this year, we held a conference at the Chamber of Deputies with Joseph Bruno, Commissioner of the New York City Office of Emergency Management, as the guest speaker. We discussed these topics and presented the crisis management model of the City of New York to politicians and the most senior members of institutional entities. Now we have launched the BCI Italian Forum, which is completely free and aims to bring together the most important competencies on the subject to create a network in Italy as well. I want to stress a concept I already mentioned during my speech at the conference in Milan: there are no excuses anymore! Each of us needs to accept his/her own responsibilities and act to raise awareness of prevention and preparedness in this country. Otherwise, to find the guilty party you just need to look in the mirror.

Alberto Mattia is Managing Director at Panta Ray, a management consulting company specialized in business continuity and crisis management, and Secretary-General at HI CARE Association, a non-profit organization dealing with territorial security projects in Italy. A graduate in Economics and Finance from Università Bocconi in Milan, Italy, Alberto started his career in the US at BT Radianz and then JPMorgan Chase Bank. He then worked as a Project Manager at Centrobanca and as a Risk Manager at UniCredit Group.

Monday, 20 October 2014

Business continuity vs risk management

According to ISO 22301, business continuity is defined as the capability of an organisation to continue the delivery of its products or services at acceptable predefined levels following a disruptive incident.

Risk management, on the other hand, is the systematic process of understanding, evaluating and addressing the risks that an organisation faces in order to mitigate them.

So that all sounds quite clear. The former is more concerned with the management of a disruptive incident after the event, and so deals with the consequences, while the latter focuses on management prior to any incident taking place, and so deals with the threats. Two very distinct disciplines, aren't they?

If you go back to basics, however, risk management assesses the likelihood of an incident occurring and the impact that it would have on the organisation. If one of the aims of risk management is to mitigate the impact of an incident, then isn't this moving into business continuity territory? Doesn't this mean that business continuity is just a function of risk management?

This is the issue that is up for discussion on day two of the BCI World Conference and Exhibition on the 6th November. Panel members from a wide variety of organisations on both sides of the debate will clash as they discuss the motion ‘business continuity can only ever be subservient to risk management’. Don’t miss out on this opportunity, book your place at the conference and join the debate.