establishing a sustainable risk management & contingency planning … · 2019-11-26 ·...
Establishing a Sustainable Risk Management & Contingency Planning Program
David Nolan, CEO
Fusion Risk Management, Inc.
© 2010 Fusion Risk Management, Inc. Fusion Framework®...Simply, Better!™
TOPICS
Compelling Questions
Challenges & Obstacles
Continuity Risk Management
Constituents, Drivers and Risk Tolerance
Entities and Risk Sources
Business Alignment & Risk Intersections
Risk Disposition Framework / Processes
Program Structures and Sustainability
From BCP to Sustainable Risk Management
Questions
Compelling Questions
Do you know how much your firm spends on risk?
Do you know how those decisions get made?
Are threats, vulnerabilities, impacts and controls part of the management consciousness?
Are your activities connected with revenues, profits and market share?
Are you managing risk or managing plans or simply reacting to everything?
Are you a valuable asset or an expense?
Does your management understand you? Do you understand them?
Challenges and Obstacles
Ambiguity
Structure
Communication
Process
Ignorance
Apathy
Confusion
Bottom's Up BCP (diagram labels): Stakeholders; Executives, Managers, BOD; Threats, Impacts; Audit and Compliance; Assessment, Compliance & Audit; Managers, BOD; BCP Manager; Program Data: Maturity, Test & Impact History; Threats, Impacts, Notes & Evidence; Administration, Documentation, Follow-up, Reporting; Regulations, Standards, and Required Evidence.
Leading or Begging?
Continuity Risk Management…
Define Program Scope
Document Constituency
Prioritize Business Drivers
Define Risk Tolerances
Define / Organize Entities
Define Credible Threats
Identify Risks that Exceed Tolerances
Establish Mitigation Strategies / Residual Risk Profiles / Costs
Mitigate or Document Risks Per Plan
Monitor, Validate, Refine
…not garden variety BCP/DR.
Fitting in the Bigger Picture (diagram labels)
Operational Risk Program Management Activities: Risk Assessment; Business Impact Assessment; Capability & Gap Assessment; Contingency Planning; Risk and Activity Monitoring; Risk and Activity Reporting; Loss Prevention; Property Protection; Mitigation Investment Management; Insurance Program Management; Education and Awareness; Audit and Compliance
Risk areas: Property & Casualty; Continuity; Compliance; Marketplace; Safety; Supply Risk; Audit and Compliance
Risk responses: Preventive Measures; Contingency Plans; Alternative Resources/Assets; Insurance; Active Risk Management
Risk Management Constituency (diagram labels): $$; Business Drivers; Board of Directors; Executive Team; Regulators and Rating Agencies; Fiscal and Fiduciary Management; Customers, Shareholders, & Employees; Quality & Brand Equity; Fiscal and Fiduciary Oversight
Continuity Risk Management Drivers: Operational Impact; Financial Impact; Compliance Impact
Risk Tolerance…
Operational Disruption: How long can you function if you are unable to perform essential services? How much of a disruption can you absorb and return to normal?
Financial: What are the sources of financial risk and how do they develop over time?
Compliance/Regulatory: What contractual obligations would be breached, including regulatory, client and supplier agreements?
…a measure of pain!
Risk Response (diagram labels): Fiscal; Fiduciary; Residual Business Impact; Do Nothing; Identify & Accept; Basic Measures; Advanced Measures; "Best Practices"; Excessive
Where's Your BCP Risk?
There is a lot more to a company than a data center…and a lot more risk…and a lot more opportunity!
Major Risk Epicenters: Impacts to the Data Center or HQ are far reaching, but they are highly protected operations in most cases.
Local Risk Epicenters: Impacts to Factories, Warehouses and Suppliers may not be as far reaching, but are more frequent and visible, especially related to health, safety, and compliance.
Business Alignment (diagram labels): Lines of business; Public Infrastructure; Service Providers; Suppliers; Facilities
"Risk Intersections" (diagram labels): Product 1, Product 2, Product 3, Product "n"; Process 1, Process 2, Process 3, Process 4, Process 5, Process "n"; Entity 1, Entity "n"; Entity 1.1, Entity 1.2, Entity n.1, Entity n.2
Risk Profiles: Demographics; Threats; Controls; Likelihoods; Impacts; Inherent Risk; Residual Risk; Alternatives; Metrics; Contingency Plans
Program Evolution/Maturity
Tactical: Plan Management • Assets • Resources • Documentation (IT…Business Operations…Supply Chain)
Evolving: Program Management • Currency/Completeness • Test/Validation • Activity Management
Strategic: Risk Management • Business Value • Priorities • Brand Equity
Impact Matrix (figure)
Axis: Inherent Impact to Company (Operational, Financial, Compliance): Major, Significant, Moderate, Minor, Insignificant
Axis: Inherent Risk Likelihood: Expected, Likely, Possible, Unlikely, Remote
BC Risk Sources • Factories • Co-manufacturers • Suppliers • Logistics • Shared Services • IT Operations • Business Offices

Risk/Control Matrix (figure)
Axis: Risk Exposure (Impact x Likelihood): Major/Expected, Significant/Likely, Moderate/Possible, Minor/Unlikely, Insignificant/Remote
Axis: Control Activities: Excessive, Adequate, Refinement Needed, Inadequate
Cell dispositions: Monitor; Controls Improve; Effective Risk Management; Accept/Monitor; Reduce Risks; Monitor Risks
Management measures residual risk as a function of inherent risk factored for impact, likelihood and controls.
Decision Framework: Flying Blind
Decision Framework: Active Management
Risk/Response Profiles
• Loss of IT Services
• Loss of Business Operations
• Personnel Disruption
• Third Party Impact
Continuity Risk Management Elements
Incident Response
Salvage & Restoration
IT Preparation & Response
Damage Assessment
Evacuation
Contingency Planning
Business Unit Preparation & Response
Crisis Management
Emergency Management
Sustainable Risk/Program Management (diagram labels): Financial Risk/Impact Management; Operational Risk/Impact Management; Compliance Risk/Impact Management; Management & Governance; Threats and Controls; Program Management; Impact Management; Business Alignment; Process Alignment; Risk/Impact Management; Facilities; Suppliers; Service Providers; Public Infrastructure; Human Resources
Risk Management Workflow (diagram labels): Plans & Procedures; Step 1, Step 2, Step 3; Risk Management Repository; Regional Approvals; Reports & Dashboards; Analysis; Local Updates: Teams, Rosters, Resources; Central Program Management and Monitoring; Template Plans and Standards
From BCP to Continuity Risk Management
Work backwards! (Solve)
Define program scope: breadth and depth (Know)
Accept the concept of accepting risk. (Understand)
Present choices, not answers. (Inform)
Monitor controls and risks. (Manage)
Drive plans from the program. (Enable)
Stop trying to drive programs from plans! (Support)
Refine your approach/automate (Improve)
QUESTIONS