Monday, August 4, 2008

ERM-BC-COOP: Bottom line

The Bottom Line for Enterprise Risk Management (ERM), Business Continuity (BC), and Continuation Of Operations (COOP) practitioners IS the bottom line.

When proposing ERM (a/k/a BC and COOP) to a person with fiduciary responsibility, the first question the practitioner should expect to be asked is "What's the ROI?" (ROI = Return On Investment.)

In other words, if the organization puts up "n" units of local currency, what is it going to buy the organization?

It is a good question. It is a legitimate question. It is a difficult-to-answer-with-hard-facts question.

After all, if there is a program in place and a risk is avoided or mitigated to a pittance, how can the practitioner tell the organization "the program saved 'n' units of local currency" or "because of the program, the organization was able to make 'n' units of local currency in revenue"? If a competitor or neighbor goes "belly up" and the planner's organization survives the threat, the "incident," then the practitioner can point to the competition or neighbor and say with some confidence "there, but for the ERM program, goes this organization."

It's wonderful when an organization's senior management is so enlightened that it recognizes the importance of its personnel and places them at the top of the list of resources to protect. Unfortunately, many organizations are run by people from the MBA school of thought that considers people a renewable resource. (They are, but like trees, it takes time to "grow" them into the job.)

Given all that, we're back trying to show a benefit to the bottom line.

We have a new ally, perhaps several.

According to an article in ZD Net Asia (,3800011228,63005446,00.htm) by Nathaniel Forbes, director of Forbes Calamity Prevention, the "U.S. credit rating agency Standard & Poor's (S&P) started evaluating the enterprise risk management (ERM) capabilities of non-financial companies that it covers.

"S&P currently evaluates risk management at banks, insurance, energy and agribusiness companies, and now wants to do so for companies in other sectors. The S&P 500 index of American companies is well known. S&P rates companies, governments and debt instruments all over the world."

He predicts that "The other ratings agencies won't be far behind in making similar announcements if S&P succeeds in selling its concept of ERM evaluations to its customers."

Forbes contends that "Extrapolating an ERM evaluation to a logical, eventual conclusion, if a company didn't have a business continuity management (BCM) program, its credit rating could be lowered. The consequence? Borrowing money would cost more, and for the large companies that S&P reviews, that could be a material consequence."

The article includes a sample calculation that is worth sharing. It goes like this:

"Suppose" Forbes suggests, "one of those companies rated by S&P wanted to issue a bond for US$200 million to build a new plant in.. Suppose that, due in part to its assessment of the company's risk management, S&P lowered the company's credit rating from, say, A- (upper medium grade) to BBB+ (lower medium grade). As a result, the company is forced to pay a 4.1 percent coupon instead of 3.9 percent to make the bond attractive to investors or underwriters. Based on US$200 million, two-tenths of 1 percent (the difference between 4.1 percent and 3.9 percent) is US$400,000.

"What could you do for US$400,000? Could you develop a company BCM program for US$400,000? Could you hire an experienced, certified BCP professional to run it for US$400,000? Set up a recovery site? Could you make a company genuinely more resilient--and therefore more credit-worthy--for US$400,000? As we say in Minnesota, "You bet'cha!" The benefit side of the BCP cost-benefit equation would be much easier to quantify."

Something to think about when the CFO asks "what's the ROI?"

It provides a better answer than asking in response "What's the ROI on liability or property insurance?"

For most organizations, even NGOs, non-profits, and charities, The Bottom Line IS the bottom line.

Anything an ERM practitioner can do to enhance the bottom line - not just protect it but enhance it - makes the effort to "sell" ERM a little easier.

The entire article, with included links, is well worth reading.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
Planner @
