IBM Global Business Services - Incisive Media

IBM Global Business Services
Executive Report

Key trends driving global business resilience and risk
Findings from the 2011 IBM Global Business Resilience and Risk Study

Business Resilience
IBM Global Technology Services Research Report


Key trends driving global business resilience and risk is an IBM study that investigates how organisations are increasingly adopting integrated business resilience strategies in an uncertain environment. The report was written by the Economist Intelligence Unit, which also executed the online survey and conducted the interviews on behalf of IBM. We would like to thank all of the executives who participated in the survey and interviews for their valuable time and insight.

Interviewees:
• Yousef Valine, Chief Risk Officer, First Horizon National Corporation
• Lee Garvin, Director, Risk Management, JetBlue
• Kris Wiluan, CEO, KS Energy Services Limited
• Dr. Barbara Reynolds, Senior Advisor, Risk Communication, Centers for Disease Control and Prevention (CDC)
• Jean-Pierre Bourbonnais, Vice President (VP), Information Technologies and Chief Information Officer, Bombardier Aerospace


Executive summary

Organisations are adapting to an increasingly complex global environment with more holistic approaches to business resilience planning. Traditional business continuity plans - typically with a strong IT focus - are still critical, but they are becoming part of a bigger picture, as senior executives strengthen their oversight of enterprise-wide risk management. To ensure business resilience, companies are moving toward a risk management process that both addresses the myriad types of risk that functions across the organisation face and encompasses all facets of risk management, from its identification through to mitigation.

Our research indicates that more and more businesses will adopt a more holistic approach to risk management in the next three years as they deal with growing uncertainty and the increasing interconnectedness of the varied risks they face. Only a minority (37 percent) of companies has implemented an organisation-wide business resilience strategy, but 42 percent of survey respondents say they are likely to do so within the next three years. Almost two-thirds (64 percent) say they have a business continuity plan of some sort and a robust 58 percent have dedicated contingency plans for dealing with a variety of risks.

Other key findings include the following:

Larger organisations are more likely than smaller ones to have an integrated strategy. Complexity, often associated with size, increases an organisation’s exposure to risk. Our research shows that companies with annual revenues of GBP6B or more are almost twice as likely to have implemented an integrated business resilience strategy as those with annual revenues under GBP0.65B - 56 percent compared with 30 percent, respectively. The differences are similar for other indicators of integration. For example, larger firms are more likely to have assigned overall responsibility for enterprise risk management (ERM) to a single executive. Still, there is a significant contingent of small companies that have adopted integrated strategies. These companies also rank highly with regard to indicators of success such as revenue growth, profitability and market share.

Continuity, IT and compliance risks remain in the forefront, but companies are diversifying their strategies to build business resilience. Nearly 40 percent of survey respondents say their organisation regards business continuity as primarily an IT issue. When asked to name their ‘primary risk management concern,’ however, some name more than one, including disaster recovery (47 percent), IT security (37 percent) and regulatory compliance (28 percent). Although most have started by addressing the largest threats first, they will turn increasingly to such things as communications and training programs designed to build a more resilient culture as they adopt more holistic approaches in the next three years.

When asked to name their primary risk management concern, some named more than one, including:
• Disaster recovery 47 percent
• IT security 37 percent
• Regulatory compliance 28 percent


Business resilience planning increasingly involves specialists from across the organisation, yet Chief Information Officers (CIOs) and IT professionals remain the most prominent stakeholders. In interviews, executives stress that risk management should involve everyone in the organisation. A culture that imbues responsibility for risk management at every level enables companies to respond to changes and unexpected events. The survey findings confirm this. A solid majority of respondents (60 percent) say that business resilience is considered a joint responsibility of all C-level executives. Yet as IT penetrates more deeply into every aspect of company operations, CIOs and IT professionals remain key players in building a more resilient organisation. They are increasingly involved in most decisions involving business risk. Fifty-six percent of survey respondents say that the CIO collaborates with top IT strategists much more frequently than three years ago. At the same time, IT’s traditional roles have become more complex. A significant majority of survey respondents say that data and application security (85 percent), data protection (79 percent), infrastructure security (77 percent), security governance (75 percent), identity and access management (74 percent) and compliance management (69 percent) are part of their organisation’s broader risk management strategy.

For a significant majority of survey respondents, their organisation’s broader risk management strategy includes:
• Data and application security 85 percent
• Data protection 79 percent
• Infrastructure security 77 percent
• Security governance 75 percent
• Identity and access management 74 percent
• Compliance management 69 percent

Business resilience defined

For the purposes of this report, business resilience refers to the ability of enterprises to adapt to a continuously changing business environment. Resilient organisations are able to maintain continuous operations and protect their market share in the face of disruptions such as natural or man-made disasters. Business resilience planning is distinguished from ERM in that it is more likely to build capacity to seize opportunities created by unexpected events. Another difference is that while ERM can be implemented as a management capability, an integrated business resilience strategy requires the engagement of everyone in the organisation and often means a change in corporate culture to instill awareness of risk.


Introduction: the push for business resilience

Global organisations are increasingly emphasizing business resilience, that is, the ability to rapidly adapt to a continuously changing business environment. Resilient corporations are able to maintain continuous operations and protect their market share in the face of natural or man-made disasters as well as radical changes in the financial or economic climate. They are also equipped to seize opportunities created by unexpected events.

Traditionally, risk management tended to focus on a combination of risk transfer - achieved through insurance or other financial products - and business continuity planning to keep the organisation running during a crisis. Beginning in the 1980s some companies started to develop ERM programmes building on the ‘circle of risk’ first conceptualised in 1974 by Gustav Hamilton, risk manager of Sweden’s Statsföretag AB. The idea was to link different risk management activities such as identification, assessment, control, financing, monitoring and communication into a continuous process. In many cases, however, each element continued to operate within organisational silos. The economic downturn beginning in 2008 triggered new interest in risk management, driving adoption of truly holistic approaches where managing risk is inherent to every decision. Today, leading organisations are pushing these concepts further to develop enterprise-wide business resilience strategies. They strive to make the ability to respond rapidly to all kinds of unexpected events - opportunities as well as threats - part of the corporate culture. This means building a business resilience strategy that engages everyone in the organisation.

About the survey

The survey, conducted by the Economist Intelligence Unit on behalf of IBM in June 2011, included responses from 391 senior executives - 35 percent of which are C-level executives. About 39 percent of respondents are from North America, 38 percent from Western Europe, 20 percent from Asia-Pacific and three percent from Eastern Europe. Companies with less than GBP322M in revenue comprise 39 percent of the responses and 48 percent of the respondents hail from companies with more than GBP0.65B in revenue. The survey covers nearly all industries, including financial services (16 percent), IT and technology (16 percent), professional services (13 percent), manufacturing (eight percent) and healthcare (seven percent).

The survey conducted by the Economist Intelligence Unit for this paper found that executives now see themselves as more heavily involved in managing all types of enterprise risk. Only 30 percent of survey respondents say they do not have a formal risk management function in place, compared with 42 percent in a 2010 survey of IT executives. This indicates approaches to risk management are evolving rapidly. In particular, it suggests that the trend toward increasing use of holistic risk management approaches within the IT function, identified by the 2010 survey, is now spreading across organisations.

Contents

• Introduction: the push for business resilience
• Large organisations lead the way in business resilience
• Sidebar: Follow the leader
• Spanning the risk spectrum
• The risk management journey
• Case study: embedded risk management at Bombardier
• Who is leading the charge?
• Sidebar: Obstacles to a holistic approach
• The strategic role of IT
• Conclusion

The most important force driving this trend is a growing sense that the business environment is becoming less predictable. Companies need to be better prepared for unexpected events ranging from economic shifts to natural disasters - as well as actions of competitors and regulatory authorities.

As a result, stakeholders are demanding that senior executives increase their oversight of the risk management function. Companies are increasingly expected to demonstrate that they are proactively managing risk; indeed, nearly every organisation’s annual report now includes a risk management section. Regulators, stock markets and even credit rating agencies are also looking for greater senior executive accountability for risk management.

Another driver of integrated risk management is the growing interconnectedness of different types of risk. Yousef Valine, Chief Risk Officer at First Horizon National Corporation, a large, Memphis, Tennessee-based bank holding company, says ‘In financial services, we make money by prudently assuming risks and managing them. So, risk management is nothing new to us. What is new is the need for a better understanding of the interactions among different areas of risk. Risks have become more interdependent - one risk may lead to something else.’ He explains that in the financial services industry, business continuity planning remains a critical element of a broader ERM approach. ‘Business continuity is part of any ERM programme, but compared with the other elements it’s just table stakes - the price of entry into the business. We have a well-established and well-run continuity plan and we review it regularly, but it’s only a small part of our overall ERM.’ Since banks and other financial institutions assume explicit risk as part of doing business, they have a long history of comprehensive risk management and can serve as an example for other industries.

While the majority of survey respondents say their organisations have not yet implemented enterprise-wide risk management strategies, nearly every corporation surveyed with revenues of GBP0.65B or more has moved to integrate contingency plans for different risks. This trend is expected to continue. Three quarters of survey respondents say they expect to have adopted an integrated business resilience strategy within three years; nearly one-half of these have already done so.

This broader perspective does not mean that organisations have lost sight of specialised IT and compliance risks. Most companies continue to assign risk analysis and contingency planning to dedicated specialists across the organisation. The purpose of an integrated business resilience strategy is oversight: to provide a framework for ensuring that all risks and opportunities have been systematically addressed and that senior management has been presented with a comprehensive risk profile of the organisation.

First Horizon National Corporation: financial services

Track and compare important trends and changes in organisations’ approach to risk and resilience by downloading the 2010 IBM Global IT Risk Study.


Large organisations lead the way in business resilience

In general, as an organisation becomes bigger and more complex and operates in more jurisdictions, the level of risk increases. Hence organisations with an integrated business resilience strategy tend to be larger. Moreover, since nearly every employee can be viewed as a source of risk, the more employees, the more uncertainty, which heightens the need for senior management oversight to ensure that diverse risk management activities are aligned with the organisation’s risk appetite. It also increases the scope of risk identification, analysis and reporting.

Among survey respondents whose organisations have annual revenues of GBP6.5B or more, 56 percent have implemented an integrated business resilience strategy. This compares with 30 percent of those with annual revenues under GBP0.65B. The differences are similar for other indicators of integration. For example, larger firms are more likely to have assigned overall responsibility for ERM to a single executive, while respondents from the smallest organisations polled (those with GBP322M or less in revenues) are three times as likely to say they do not have a formal risk management function in place. They are also least likely to have engaged external risk management advisors.

Smaller organisations are catching up, however. Respondents from organisations in the under GBP0.65B range are more likely than larger firms to say they plan to establish a company-wide risk management team and develop an integrated risk management strategy over the next three years. This is not to suggest that smaller firms are necessarily followers. Analysis of the survey results identified a cluster of small nimble innovators that are well advanced in the move to more holistic risk management (see sidebar, Follow the leader).


[Figure 1: Risk management measures adopted (percent of all respondents). Bars compare ‘Last three years’ with ‘Next three years’ for each measure: invested in new IT solutions related to risk management; created a business continuity plan; developed a communications or training programme to enhance its business continuity or resilience strategies; established a company-wide risk management team; developed an integrated business resilience strategy; discussed business resilience issues with supply chain partners; responded to the recent increase in natural disasters by re-thinking business continuity strategies; assigned overall responsibility for risk management across the organisation to a single executive; engaged external risk management advisor.]


Follow the leader

Analysis of the survey results revealed that adoption of leading-edge business resilience practices is not limited to large firms. Four types of organisations were identified based on business resilience and self-reported financial performance:

• Resilient giants - 72 percent of which have GBP6.5B or more in annual revenue - have adopted many holistic risk management practices and engaged a wide range of players in their resilience strategies. They lead the pack in terms of revenue growth, profitability and market share

• Small and nimble innovators - 77 percent of which have revenues of GBP322M or less - have adopted many of the same holistic risk management practices as the resilient giants. On most indicators of success, they rank second behind resilient giants, but ahead of big traditionalists and far ahead of late bloomers

• Big traditionalists rate both their business resilience and financial performance as ‘average.’ More than 80 percent have annual revenues in the GBP0.65B to GBP6.5B range. A majority (51 percent) sees disaster recovery as the top risk management concern and 52 percent have created a business continuity plan; 40 percent do not have a formal risk management function at all. One-half say that enterprise-wide resilience strategy is a future plan

• Late bloomers - 75 percent of which have revenues of GBP322M or less - are not very well prepared for managing business risks and have narrow views on risk management strategies. Their performance is at the bottom of the scale on every indicator. A majority do not have a formal risk management strategy and their financial performance trails the pack. Yet one-half say they plan to develop a formal risk management strategy and are most likely to say that they will establish a company-wide risk management team within the next three years.

A key distinguishing characteristic of the most successful firms is a propensity to see business resilience as an issue that affects every part of an organisation. About 88 percent of resilient giants agree with this proposition, along with 82 percent of small and nimble innovators. This compares with 25 percent of big traditionalists and 36 percent of late bloomers.


Spanning the risk spectrum

An integrated approach to risk management does not imply centralising risk analysis or giving equal weight to every type of risk. It entails assessing the entire spectrum of risks in a balanced way to build an overall picture of the threats and opportunities that an organisation faces. A common feature of resilient giants and small and nimble innovators is that they are more likely to say they have multiple business continuity and contingency plans that address a variety of risks. They are also more likely to say that specific IT risks are subsumed in their enterprise-wide approach, including data protection, application security, security policy management, compliance management, infrastructure security and identity and access management.

A key benefit of risk management integration - in addition to facilitating senior management oversight of the organisation’s overall risk profile - is that it allows specialised risk managers to learn from and support each other. It also captures risks that might otherwise fall into gaps between specialties. Lee Garvin, Director, Risk Management for JetBlue, a New York-based airline, says that avoiding this is a key part of the company’s ERM strategy: ‘Like many large organisations we worry about having silos, because sometimes events that are unforeseen or are outside the assumptions you’ve made can fall between the silos.’

Despite the trend toward a broader view of enterprise risks, 47 percent of all survey respondents say that disaster recovery remains their primary risk management concern. Yet the majority of resilient giants disagree. They also disagree that IT security is the primary risk management concern. At the same time, however, 92 percent say that data protection is a specialised issue that is part of their organisation’s broader risk management strategy. This suggests that companies are not losing sight of specialised risks as they broaden their business resilience strategies to encompass a greater number of risk types.

The risk management journey

Holistic risk management has been described by several industry experts as a journey, not a destination. It is based on principles that are fairly well understood, but there is no prescription for success. An organisation’s approach depends to a great extent on the type of risks it faces and its risk appetite. Typically, a business continuity plan is the first step on the path toward more holistic approaches. Nearly two-thirds of survey respondents say their companies have already created a business continuity plan and a majority says their plan is well crafted and communicated. The next steps on the journey are typically assigning an executive to lead an enterprise-wide approach and establishing a company-wide risk management team. Nearly two-thirds (65 percent) of survey respondents say their organisation has taken both of those actions or expect to do so within the next three years. Beyond those initial steps, however, there are different paths to enterprise-wide risk management.

Some organisations see ERM as part of top-down corporate governance. Kris Wiluan, CEO of KS Energy Services Limited, a Singapore-based oilfield supply and services provider, says that managing risk is a board-level responsibility in his industry because companies carry out environmentally sensitive work in many jurisdictions around the world. ‘Our risk management group reports to an independent director who is chairman of the audit committee,’ he says. ‘He then presents the most important issues to the Board. So we see ERM as effectively an operational audit process. The difficulty is to make sure the people who operate the ERM programme understand the business, so they don’t end up barking up the wrong trees.’

JetBlue: airline

KS Energy Services Limited: oilfield supply and services

Case study: embedded risk management at Bombardier

Montreal-based Bombardier Inc. is an example of a large company with a well-developed holistic business resilience strategy. The company’s Aerospace Group is a major manufacturer of corporate and commercial aircraft and it faces myriad risks in global markets. Active risk management is one of the overarching priorities of Bombardier’s long-term corporate strategic planning framework and is the responsibility of business line executives across the enterprise. At the corporate level, the Audit Services and Risk Assessment team prepares comprehensive risk assessments and integrates them across operating groups. Every part of the business is expected to adopt best-in-class risk management practices to select risks that drive value while proactively mitigating, managing or transferring risks that do not create value. The Board of Directors is ultimately responsible for this strategy through the Finance and Risk Management Committee, which consists of four independent directors.

Jean-Pierre Bourbonnais, VP Information Technologies and CIO of Bombardier Aerospace, explains how the company beefed up this already-rigorous strategy with a new corporate risk management policy and framework in 2011. The new framework is based on the ISO 31000 family of standards. ‘The corporate Risk Assessment Team has always done top-down risk assessments by conducting interviews with business unit leaders,’ he says. ‘They create a risk map that ensures that the most important risks are actively managed. The difference today is that we’ve moved beyond defensive risk to take a more holistic view of opportunities.’ Another change, he says, is a shift toward a bottom-up perspective of risks, so that even the smaller business units can have a real appreciation of their own risks and what they need to do about them: ‘It’s all part of a culture of addressing and speaking up about risks. The priority now is to connect the top-down and bottom-up views so that our risk management framework will be a truly holistic business resilience strategy.’

Mr. Bourbonnais says that his role as CIO has evolved as the holistic approach to risk management has taken hold. ‘As a member of the executive management team of Bombardier Aerospace, I am completely involved in all of the major strategic business decisions that are being taken.’ For example, he sits on several key committees, including those responsible for operations, engineering and programme development. He adds that his direct reports have also become more and more involved in business strategies and decisions: ‘When that happens, the IT organisation is in synch with what’s happening in the company.’

The most important challenge, Mr. Bourbonnais says, is prioritising the large number of risks that are identified through a culture of bottom-up risk awareness. This requires identifying any dependencies among different types of risk.

‘We try to figure out if there is a critical path, or a sequence for the risk materialising and the velocity with which unexpected events can occur, because by doing the right things first you can get the situation under control.’

Bombardier: aircraft manufacturer

Other companies work horizontally across the organisation to roll up an enterprise-wide risk profile for senior management. Says JetBlue’s Mr. Garvin: ‘What we’re trying to do here at JetBlue is preserve our culture and make money at the same time, and managing risk is what that’s all about.’ JetBlue’s ERM process involves monthly meetings of key stakeholders; a larger executive group meets quarterly. This process results in integrated reports to the executive leadership committee and to the Board. ‘We send out questionnaires and we poll all of the folks in the group,’ he says. ‘We ask them what’s on the radar, what’s no longer on the radar, what may be on the radar in the future. So everybody looks at it through their own set of glasses. This helps break down the silos because the group includes a sufficient number of VPs and directors.’

Figure 2: Level of involvement in business resilience strategy (percent involved or very involved within three years)
• IT professionals 82%
• CIOs 80%
• Other C-level executives 71%
• Employees 60%
• Legal advisors 56%
• Board members 55%
• Partners 46%

The Centers for Disease Control and Prevention (CDC), a US federal agency based in Atlanta, Georgia, integrates risk management at the enterprise level through a Programme Integrity Board, comprising leaders of several specialised risk management programmes. One of its members, Dr. Barbara Reynolds, senior advisor, risk communication, leads a credibility risk management programme called CDC RiskSmart. She explains that the CDC’s reputation is critical because the credibility of life-and-death recommendations depends on it. RiskSmart reaches out to everyone in the organisation to influence values and behaviours that could potentially undermine the CDC’s credibility. Other risk managers concerned with such issues as laboratory safety, physical security, finance and IT are also members of the Programme Integrity Board. ‘Detecting risk has to happen at the point where the behaviour is occurring,’ says Dr. Reynolds. ‘So the power and responsibility for detecting all kinds of risks is pushed down to all of the employees in the organisation.’ But by considering mitigation at the enterprise level, lessons learned by one part of the organisation can be shared. ‘We meet monthly,’ she says. ‘And we are constantly looking for ways to improve our behaviours, our science, our research, our safety record, our financial accountability; all of those things come together in this arena.’

Centers for Disease Control and Prevention: federal agency

Who is leading the charge?

As the concept of risk management expands to encompass a broader range of risks, accountability for it spreads throughout the organisation. The CIO (or equivalent) is most commonly accountable, say 42 percent of survey respondents. But 60 percent of respondents say it is a joint responsibility of all C-level executives. Notably, 90 percent of respondents from both resilient giants and small and nimble innovators say that all C-level executives share this responsibility. These resilient organisations are also more likely than other firms to say they have broadly based participation in risk management from across the organisation.

Notably, 90 percent of respondents from both resilient giants and small and nimble innovators say that all C-level executives share responsibility for risk management.

Holistic risk management involves cultural change. ‘Culture is a big focus at First Horizon,’ says Mr. Valine. ‘Risk management is everybody’s job. It’s a management capability, not a department or a function. To manage risk effectively, we have instituted a way of thinking that asks three questions: ‘Should we do it?’ ‘Can we do it?’ ‘Did we do it?’ These questions help us do the right thing, make sure we can execute and achieve the intended business outcomes. A critical success factor in good risk management is candor and transparency. These questions will not be answered well if people are not willing to express themselves.’

Survey respondents confirm that broad engagement of people from across organisations is an ongoing trend. Respondents identify the players who are ‘very involved’ as follows: CIOs (45 percent), IT professionals (41 percent), other C-level executives (26 percent), legal advisers (21 percent), Board members (17 percent), employees (nine percent) and partners (seven percent). The trend toward more holistic risk management is reflected in respondent predictions of increased involvement by every one of these stakeholders over the next three years, with the greatest increase among partners and employees.


The strategic role of IT

The role of the IT function is broadening as the shift toward more holistic risk management strategies progresses. This partly reflects the fact that virtually every mission-critical business process is dependent on IT support. ‘IT is a big part of our risk management because nothing can be done without it these days,’ says KS Energy Services Limited’s Mr. Wiluan. ‘We have computer hubs and backup systems in different countries and networks that have to be protected. These specialised problems are a big part of our overall risk management.’

At the same time, IT’s traditional roles have become more complex as threats to infrastructure, data integrity and data security have grown. A significant majority of survey respondents say that data and application security (85 percent), data protection (79 percent), infrastructure security (77 percent), security governance (75 percent), identity and access management (74 percent) and compliance management (69 percent) are part of their organisation’s risk management strategy.

The role of IT is also expanding in other areas of enterprise risk. More than three-quarters of survey respondents say that the IT function is expected to make major contributions toward building a more resilient organisation, and a majority says it is involved in most decisions that entail business risk. Mr. Garvin says that IT is one of three ‘towers’ of ERM at JetBlue: ‘If I lose a business process, it doesn’t matter whether it’s a snowstorm, hurricane, earthquake, strike, broken piece of equipment or a fire because I’m looking at it from a process continuity standpoint, which is one tower. IT is in its own tower because our business processes depend on technology. And being an airline we have a third tower, which is emergency response.’

Obstacles to a holistic approach

Building a company-wide business resilience strategy is a complex endeavour, in which success depends on the ability to obtain buy-in from a range of stakeholders. An executive assigned to lead a holistic approach must assemble the work of multiple specialised risk managers, each with unique skills, tools and perspectives. To marshal the necessary resources, he or she must present a compelling business case to senior executives. And to be effective, risk management messages must be pushed out to everyone in the organisation who can affect risk.

Survey respondents say that the most important obstacle to building a culture of resilience is silos within the organisation. Not surprisingly, this barrier is cited twice as often by respondents from the largest organisations polled. Small and nimble innovators most frequently cite budget limitations as the top barrier, while late bloomers point to lack of C-level vision and commitment. Inability to accurately predict return on investment (ROI) from risk management improvements is also cited as a significant issue by firms of all sizes.

Our interviewees provided insights into how these hurdles can be overcome. Lee Garvin, Director, Risk Management for JetBlue, a New York-based airline, suggests that a good strategy for creating an ERM programme is to take ‘small bites’ and engage a wide range of players to understand different risks across the organisation. He stresses the need to be wary of scope creep. ‘It’s really about staying focused and staying small because it’s always easier to grow after you get it rolling.’

Yousef Valine, Chief Risk Officer at First Horizon National Corporation, a large bank holding company based in Tennessee, says that the most important obstacle is ‘creating the right culture,’ starting with the Chief Executive Officer (CEO) and the Board. ‘My selling pitch to them is that a robust risk management capability is a competitive advantage,’ he says. ‘If the CEO doesn’t get it, you might as well pack up and go somewhere else.’


Another emerging role for IT professionals is creating technological solutions for all types of risk management problems. The potential use of cloud computing as a risk management tool is an area of intense activity. Although only 18 percent of respondents say their organisation currently sees cloud computing as a key strategic aspect of business management, considerable resources are being allocated to assessing it. About one in five respondents say their organisation is currently considering cloud computing. Another 28 percent say the cloud offers promise for the future. Twenty-one percent say their organisation is not considering it. Only six percent say that traditional methods of delivering IT services are the most effective tools for business resilience management.

The survey findings demonstrate that IT professionals are becoming increasingly involved in developing enterprise-wide risk management. About 56 percent of respondents say that in their organisation the CIO collaborates with top IT strategists much more frequently than three years ago; only three percent of respondents say that IT executives are not involved at all.

The trend toward holistic thinking implies that risks are seen less often primarily through an IT lens. Respondents are almost evenly split (40 percent vs. 42 percent) between agreeing and disagreeing that ‘business continuity is primarily an IT issue.’ However, those who say their companies have adopted an integrated business resilience strategy are less likely to agree (33 percent) than those who do not (43 percent). They are also much more likely than firms with no business resilience strategy (62 percent to 46 percent) to say that the IT function is engaged in most decisions involving risk. The IT function plays a key, albeit not exclusive, part in holistic risk management. In other words, it appears that the lines between IT risks and business risks have become more blurred in the most resilient organisations.

Figure 3: IT components of enterprise risk management (percent of all respondents)

Data and application security: 85%
Data protection: 79%
Infrastructure security: 77%
Security governance and risk management: 75%
Identity and access management: 74%
Compliance management: 69%


Senior-level commitment and adequate resources are also needed to develop comprehensive communications and training programmes to support integrated risk management. One of the distinguishing features of the most resilient companies is that they are much more likely than other firms to have developed a communications strategy to push the message of resilience out to every corner of the organisation.

Companies that embrace these measures are more likely to create an effective business resilience plan. This will provide a robust foundation on which to build a long-lived competitive position supported by end-to-end (E2E) risk management.


Conclusion

In most organisations, improving business resilience requires a shift in corporate culture because that is what shapes values and behaviour. If a company’s culture blends risk awareness with other corporate values, then people instinctively know the right thing to do when confronted with an unexpected situation, and that reduces risk. Says Dr Reynolds: ‘For a typical organisation, the really bad missteps are more often value-based than they are competence-based.’ Assigning an enterprise-wide risk management team is a good start, but it must have a strong mandate to reach out across the organisation, because risk management ultimately must become part of everybody’s job.

Understanding these principles is a good first step, but in interviews, executives are clear that buy-in from the top is essential to foster broad organisational change. Promoting holistic risk management concepts to peers and employees is also critical. Taking an incremental approach with broad participation in strategy development can help, because it is easier to promote change if a new initiative is not seen as being pushed by one particular faction.


© Copyright IBM Corporation 2011

IBM United Kingdom Limited PO Box 41, North Harbour Portsmouth, Hampshire PO6 3AU United Kingdom

IBM Ireland Limited Oldbrook House 24-32 Pembroke Road Dublin 4

IBM Ireland registered in Ireland under company number 16226.

Produced in the United States of America September 2011

IBM, the IBM logo and ibm.com are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the web at ‘Copyright and trademark information’ at ibm.com/legal/copytrade.shtml

Other company, product and service names may be trademarks or service marks of others.

References in this publication to IBM products and services do not imply that IBM intends to make them available in all countries in which IBM operates.

For more information

To learn more about a holistic approach to business resilience and risk management - and how IBM can help you put it into practice - you can contact your IBM representative, request a call from an IBM representative, or visit the following websites:

ibm.com/services/riskstudy

ibm.com/smarterplanet/uk/en/business_resilience_management/overview

RLW03004-GBEN-00