PMI Southern Ontario Chapter PDD Ralph Dunham May 26, 2012
Future of Risk
Resiliency – Pervasive Readiness
Effective Governance
What’s Next?
[Risk matrix: Impact (low to high) vs. Probability (low to high). High impact and high probability: High Risk, Mitigate & Control. High impact with low probability, or high probability with low impact: Medium Risk, Share or Control. Low impact and low probability: Low Risk, Accept.]
Quantification of risk exposure (threats vs. risks)
Options available:
- Accept = monitor (some may be uninsurable)
- Avoid = eliminate (get out of situation)
- Reduce = institute controls
- Share = partner with someone (e.g. insurance)
Residual risk (unmitigated risk – e.g. shrinkage)
Source: Business Risk Assessment. 1998 – The Institute of Internal Auditors
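The matrix and the four treatment options above are easy to state but are usually applied inconsistently across a register. The following is an added example, not code from the presentation, that scores a register the way the slide describes: exposure as probability times impact, placement in the impact/probability matrix, a response chosen by quadrant (share only where the risk is insurable, otherwise reduce), and residual exposure after the chosen control. The thresholds, control-effectiveness fractions, appetite figure and the sample register are constructed assumptions, not figures from the deck.

```python
"""Added example (not from the original deck): a minimal risk-register scorer.

Exposure = probability x impact; each risk is placed in the impact/probability
matrix, the quadrant is mapped to a treatment option (accept, control, share,
reduce), and residual exposure is computed after treatment. Thresholds,
control effectiveness and the sample register are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List

# Assumed cut-offs between "low" and "high" on each axis of the matrix.
PROB_THRESHOLD = 0.20           # annual likelihood
IMPACT_THRESHOLD = 500_000.0    # loss in dollars if the event occurs


@dataclass
class Risk:
    name: str
    probability: float           # annual likelihood, 0..1
    impact: float                # loss in dollars if the event occurs
    control_effect: float = 0.0  # fraction of exposure the response removes (assumption)
    insurable: bool = True       # "some may be uninsurable"


def exposure(r: Risk) -> float:
    """Expected annual loss before any treatment."""
    return r.probability * r.impact


def quadrant(r: Risk) -> str:
    """Place a risk in the impact/probability matrix."""
    high_p = r.probability >= PROB_THRESHOLD
    high_i = r.impact >= IMPACT_THRESHOLD
    if high_p and high_i:
        return "High Risk"
    if high_p or high_i:
        return "Medium Risk"
    return "Low Risk"


def response(r: Risk) -> str:
    """Map the quadrant to one of the treatment options on the slide."""
    q = quadrant(r)
    if q == "High Risk":
        return "Mitigate & Control"
    if q == "Low Risk":
        return "Accept"  # monitor only
    # Medium risk: rare but severe -> share it (e.g. insurance) when that is
    # possible; an uninsurable severe risk has to be reduced in-house.
    # Frequent but small -> institute controls.
    if r.impact >= IMPACT_THRESHOLD:
        return "Share" if r.insurable else "Reduce"
    return "Control"


def residual(r: Risk) -> float:
    """Exposure left after the chosen response.

    An accepted risk is unmitigated by definition, so its residual equals its
    exposure regardless of any control_effect recorded against it.
    """
    if response(r) == "Accept":
        return exposure(r)
    return exposure(r) * (1.0 - r.control_effect)


def prioritise(register: List[Risk]) -> List[Risk]:
    """Greatest exposure first: where the greatest resource should go."""
    return sorted(register, key=exposure, reverse=True)


def total_residual(register: List[Risk]) -> float:
    return sum(residual(r) for r in register)


def over_appetite(register: List[Risk], appetite: float) -> List[str]:
    """Names of risks whose residual exposure still exceeds the appetite."""
    return [r.name for r in register if residual(r) > appetite]


def sample_register() -> List[Risk]:
    # Constructed sample data, not from the presentation.
    return [
        Risk("Ransomware outage", 0.30, 2_000_000.0, control_effect=0.7),
        Risk("Data centre fire", 0.02, 5_000_000.0, control_effect=0.9),
        Risk("Laptop theft", 0.50, 20_000.0, control_effect=0.5),
        Risk("Supplier breach (brand damage)", 0.05, 3_000_000.0,
             control_effect=0.3, insurable=False),
        Risk("Web defacement", 0.10, 50_000.0),
    ]


if __name__ == "__main__":
    reg = sample_register()
    for r in prioritise(reg):
        print(f"{r.name:32} {quadrant(r):12} {response(r):19} "
              f"exposure={exposure(r):>10,.0f} residual={residual(r):>10,.0f}")
    print("total residual:", f"{total_residual(reg):,.0f}")
    print("over appetite (50,000):", over_appetite(reg, 50_000.0))
```

Note that the uninsurable supplier risk is rated Medium yet keeps the largest residual after the ransomware case, which is the point the next slides make: the biggest remaining exposure is not always the one the matrix colours red.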
[Diagram: Risk Management Process, applied at Entity, Process and Activity level. Risk Assessment (Identification, Measurement, Prioritization) feeds a response (Control It; Share or Transfer It; Diversify or Avoid It), followed by Risk Monitoring.]
A focus on costs has led to neglect of risk – meanwhile, the risk landscape has changed:
Brand damage is probably more important than direct financial loss
◦ Contracts and insurance are not enough protection
Need to manage new and different risks
◦ More risks, which vary across the business
◦ Do you have enough information?
The cost equation has changed
◦ Factor the cost of risk management into sourcing decisions
◦ Balance ‘Just-in-time’ with ‘Just-in-case’
Not just an insurance issue
External factors versus internal
Global risks are now issues
Manage what can be managed
Understand impact of “Black Swans”
Managing Risk To the Enterprise Is the Focus
“Enterprise” is too narrow
Include investors, clients, partners, etc.
Look at “neighbourhoods”
Reliance on public sector
Review global risks and their impact
All risks are not created equal
Some risks are better mitigated than assumed
Some risks will never be eliminated
Some risks are outside your control
Some risks are more acceptable than others—to your organization
Impacts change over time
Combined risks are likely
Most Likely Source of the “Next Big One”
Cloud computing
Social media
Crowd sourcing
Criminal element
Cyber wars
Terrorism
Stuxnet
Discovered June 2010; targeted the Natanz enrichment facility
Specifically targets Siemens S7 PLCs, through the Step 7 engineering software
Initial infection via USB flash drive
Reportedly destroyed approximately 1,000 centrifuges
Samples are now publicly available
Next wave of terrorism???
The biggest risks may not be included in your register
Risk assessments should include global risks
Exposed to the actions of any employee anywhere
“It won’t happen to me” syndrome
Evolution of risk over time
Combination of risks – not single point-in-time
Speed & contagion of risks, especially catastrophic
Apply greatest resource to greatest risk?
The impact of “Black Swans”
Unknown unknowns
How do you predict probability?
Plan for “no matter what”
Current planning based on assumptions
Does insurance cover them?
Focus on consequence vs. cause
Currently scenario or event based
Too many causes – likely to miss one
Real issue is the effect of an event
Destructive event, non-destructive event, people event, loss of technology event
No “Predicted” Outcomes
Assumes outcome can’t be forecast
Focus on process of resolution
Includes ongoing reassessment based on current situation
Accommodates unplanned “detours”
Minimizes time-of-event challenges
Must include role and response of individuals
Ability to achieve key organizational objectives
Emphasis on continuity versus recovery
Objectives-based versus asset-based
Focus on critical elements for organizational success
Identify minimum levels
Resilience vs. resilient capability
Resilience similar to “healthy”
Not necessarily redundancy
Processes and documentation good – capability better
Vulnerability is the opposite of resiliency
Never recover – adapt
Sense & respond vs. plan & react
Issues/consequence-based planning
No causal orientation
Simplifies task assignment
Better identifies responsibility for solutions
Minimizes effort that doesn’t address an “issue”
Function of Robustness, Redundancy, Agility, Adaptability
How do you measure?
How do you develop?
How much is enough?
Where are the skills in the organization?
“Processes and systems by which an organization or society operates”
Who “owns” the governance of risk management?
Is risk management part of effective governance?
Is governance part of effective risk management?
Role of internal and external audit
Extent of governance outside the organization
Processes and systems by which an organization or society operates*.
In practice…
◦ Before
◦ Today
◦ Tomorrow
* Source: Webster dictionary, Wikipedia
Before
Accounting
Financial Reporting
Long-term approach only
Audit driven
Regulations were almost exclusively focused on legal or audit requirements
Today – Executive Liability
C-Level accountability
Fraud prevention
Ability to recover financial information
Minimize client and employee impact
Regulatory Compliance (often on several fronts)
Proof of performance
Tomorrow
◦ Scope will extend beyond the boundaries of the organization
◦ Based on corporate goals
◦ Supports future direction of organization: structure; new markets / products
◦ Focus is on strategically managing risks
◦ Activities will be directly linked to shareholder value
◦ Outsourcing is included
◦ Compliance will be a source of: customer confidence; revenue continuity; stock value increase
Proper Business Resilience governance gives Directors reasonable assurance that the organization is capable of dealing with business interruptions and crisis situations
[Diagram: BR Governance spanning ERP, DRP, BCP and CMP]
What does Proper mean?
• Protecting brand
• Resolving uncertainty and variances from expectations
• Maximizing opportunity for success and superior performance
No excuses, no surprises
Move to capability vs. compliance – instil confidence
Compliance standards – SOX, Bill C-45, etc.
Program standards – ISO 22301, CSA Z1600, BS 25999, AS/NZS 5050
Executive peace of mind – “Will it work?”
Publish and promote capabilities
Viewed as a maturity issue
Linkages to external factors – outsourcing
How to govern outsourcers – compliance
Who assesses outsourcer capability?
Redundancy elimination – but where is resiliency?
Ownership of Business Resilience cannot be outsourced
Executives are evaluated and trained to be efficient administrators vs. effective leaders
Formal management training does not usually include how to respond to operational crises
Measurements are usually short term and financial – hard to establish Business Resilience criteria
Appropriate leadership response must be consistent with pre-established vision and values
Need Risk Competent Organizations with Risk Cognizant Leaders
Executives typically have two objectives:
Grow the value of the organization; and
Protect the core assets of the organization:
◦ Value of risk management in strategic planning;
◦ Risk adjusted rate of return; and
◦ Strategic objectives reflected in program objectives.
Traditional
• Focus on “Interruptions”
• Event monitoring is a low level activity
• “Disruptions” are a negative factor
• Business Continuity is managed in organizational silos
• Business Continuity is measured subjectively
• Business Continuity functions are unstructured and divergent
• Forecasting based on history
Future
• Focus on “Unusual events”
• Event monitoring is the CEO’s job, with Board oversight
• “Disruptions” are also an opportunity
• Business resilience is integrated across the organization
• Resilience is quantified and managed
• Resilience is built into management systems
• Forecasting includes risks
Operational Focus vs. Board Focus

                            Operational Focus             Board Focus
Risk Orientation            Rank against Known Threats    Identify/Assess New Driving Forces
Risk Analysis Usage         Set Audit Frequency           Allocate Resources to Key Driving Forces
Control Responsibility      Audit                         Strategic Management
Auditor Orientation         Corporate Policeman           Mgmt. Consultant/Advisor
Audit Focus                 Compliance with Procedures    Confidence / Business Objectives
Timeframe                   Past/Present                  Future/Present
Skills                      Technical Skills, Audit       Business/Industry Knowledge
Special Expertise           Owned/Learned                 Access as Needed
Management Responsibility   Not Trusted                   Empowered/Trusted
Skills                      Auditor                       Management
Compliance Program          Cycle-Driven                  Flexible/Responsive
Communication               Periodic/One-way              Continuous/Two-way/Strategic
Background
August 2008 – Maple Leaf Foods plant in Toronto confirmed an outbreak of Listeria monocytogenes
MLF recalled 191 products back to January 2008
The outbreak incident caused 20 deaths and cost MLF over $30M
Media spotlight was intense
Media       First 10 Days   First Month
Print         408           1,011
Broadcast   1,959           3,198
Online        233             443
The Response
McCain took personal accountability, put public health and consumers’ interest first and led open and facts-based communication
Legal and financial views took lower precedence
Implemented a decisive action plan to:
Keep the public informed during and after the incident
Launch a mass media management strategy
Identify risks and impacts
Rebuild customer confidence
The Results
MLF’s brand and reputation rebounded
Increased public support
Managed CFIA requirements and minimized liability
McCain named CEO of the year by the Canadian Press for 2008
Would your Business Resilience program have helped this organization?
What would McCain expect from your program?
What would you have to add to fully support him?
What would your program have to look like to pass the “McCain governance test”?
It won’t happen
If it does happen, it won’t happen to me
If it happens to me, it won’t be bad
If it happens to me, and it is bad, there was nothing I could have done about it anyway