Wednesday, June 11, 2008

ERM-BC-COOP: SMBs and Understanding ERM

The June 6 issue of CPM Industry Insider has a couple of articles of general interest.

The first, titled Survey: 40 Percent Of Small Businesses Have No Disaster Preparedness Plan, reports that a "new national survey reveals that a startling number of small businesses remain unprepared to face a potential disaster, be that a hurricane, tornado, wildfire or computer virus, and the majority of these businesses have no plans to change."

I doubt anyone will be surprised when they read the complete article at

The other article that caught my attention was headlined Executives Generally Confident With Enterprise Risk Management Efforts, Though Questions Remain.

The leed (cq) reads: "American executives may not fully grasp the scope of their companies' Enterprise Risk Management (ERM) needs, according to the results of a survey recently conducted by Accretive Solutions, in conjunction with Harris Interactive."

I can empathize with Small-Medium Business (SMB) owners; they usually are operating on a tight budget and they can't afford a high-priced consultant to come in to create a Business Continuity plan, nor can they afford the training (is there anyone other than the owner and perhaps the owner's spouse, to train?). Plan maintenance? Out of sight, out of mind.

Despite the financial strain, SMBs need business continuity plans, perhaps more so than the Fortune 100s. Northrop Grumman was hit, hard, by Katrina, but because it has the financial muscle, it managed to buy its way out of the mess left behind by the storm. While I lack specifics - I doubt anyone has hard numbers - I suspect many SMBs in Katrina's path never came back after the winds died down and the waters receded.

What is an SMB to do?

There are several options that are worth investigating.

One is joining (or forming) a group of like-businesses. Most of us know about the Independent Grocers Alliance, the IGA markets (see Car dealers have "interest" groups, why not jewelers or refuse haulers or ... pick a business.

An organization, such as the IGA, could employ a consultant or, if it is a national organization, employ a full-time program manager, to create plans for each entity and the organization.

An alternative is for professional service organizations - accountants, insurance agents, etc. - to offer planning services as a "value added" service.

Many SMBs depend on accounting firms to do the books on a quarterly basis; likewise, all organizations need insurance of one or more types. For the insurance agent, it makes good business sense for the insureds to have professionally developed plans.

Joe's Garage needs a plan, but it can't afford to pay my rates and it can't keep me busy.

But if Joe of Joe's Garage and Sara of Sara's Feed and Seed and several others in the area get together (what's the common link? The Chamber of Commerce, of course) - ahh, then I can make a living and keep busy and "they" will have plans created by an experienced planner.


Back to the Enterprise Risk Management article.

"Thirty-nine percent of respondents to this survey of Executive-level decision-makers at Fortune 1000 companies labeled IT security, a significant concern of any effective Enterprise Risk Management strategy, as their number one worry over the coming twelve months while at the same time just 6 percent of respondents expressed any discomfort with their existing ERM efforts.

"Since ERM is still such a new, unfamiliar concept for many executives, these results highlight two key points," said Dirk Hobgood, Executive Vice President and Chief Financial Officer for Accretive Solutions ( "First, many executives are still in need of more education as to what Enterprise Risk Management means and entails, and second, that a surprising number of companies believe themselves to be protected when in fact their exposure to several key, unmitigated risks continues to be very real."

These two paragraphs tell me that the surveyed executives fail to understand that, in most cases, IT is NOT the profit center; that IT is a RESOURCE for the profit center - along with Facilities, HR, Finance, Accounting, etc.

As Bob Dylan's song, Blowin' in the Wind, goes: "When will they ever learn?"

Still, I suppose just knowing the term "enterprise risk management" is a step forward.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
Planner @
