Tuesday, June 24, 2008

ERM-BC-COOP: Out of sight . . .

Yesterday nothing happened.

Same as the day before and the day before that.

About 9 months ago a VP-level customer asked what he could expect if something went bump in the night. My organization provides IT support to the customer, but the customer is, wisely, looking for something more . . . as in "What about MY people who use YOUR applications and boxes?"

He asked the right person who then asked me.

I had to reply that "not much - we don't have a comprehensive plan."

Trumpets blast, banners wave, and the call goes out to Assemble the Troops.

Somehow, the "troops" never got the message.

And the project, which never got off the ground, was forgotten.

Jump ahead 8 months.

Someone realizes we are no farther along in meeting our customer's request than we were 8 months previous.

More trumpets, more banners, more cries to rally the troops.

Lots of chatter, but no substance.

Most ERM-BC-COOP practitioners know the story.

If the practitioner lives in an area visited by hurricanes, along about September - well into the June to December hurricane "season" - people suddenly discover they lack a survival plan and solicit planners to give them a plan - and be quick with it !

Come November 31st, when the season "officially" ends, they suddenly decide that since they escaped the wrath of weather one more time, maybe they don't need a plan after all.

When the risk is out of sight, the push for a plan is out of mind.

There's only one minor problem with the theory.

There is more than one risk.

Worse, not all risks are as obvious as a hurricane.

Worse still, most risks are not as easily predictable as a hurricane - modern technology allows storms to be tracked for days before landfall. 'Course hurricanes are fickle; they may seem to be aimed at, say, Florida's east coast and end up churning up the middle of the Gulf of Mexico to Mississippi and then on up to southern North Carolina - ask the folks in Charlotte NC. Sometimes a nervy storm will criss-cross Florida and no one knows with any precision where it will go next.

Enterprise Risk Management, ERM, looks at all risks to the enterprise and, doing that, looks at all risks to all the components that make up the enterprise.

Our - I like to think "my" - VP-level client wants, as I understand the requirement, a pseudo-enterprise plan, "pseudo" because the client's operation is one of very many which make up the global enterprise. In my scheme of things, the client's plan will consist of multiple functional unit plans which will "roll up" into the operation plan which, should someone higher up "see the light," would roll up into a true enterprise plan.

The person who asked me about the existence of a plan, a proponent of planning, thought she was dangling a carrot before me when she suggested the plan would be a model for other organizations. While that is enticing, the real carrot is the opportunity to help an organization protect itself - starting with its most important resource: people.

Will the project for the VP-level customer ever get underway?

Like the old Frank Sinatra song, I have "high hopes."

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
Planner @ JohnGlennMBCI.com

No comments: