Monday, July 6, 2009

How much protection can we afford ?


I used to ask my peers: How far away from our organization do we have to go to assure continuity?

Primary vendor?

Vendor's vendor?

Now, in light of several Category 5 storms and the financial crisis that turned into a tsunami swamping some major players, the question becomes: How prepared must an organization be to survive a disaster event?

The answer, of course, is the old stand-by: what is the organization's "risk appetite?" How much is management willing to risk?

I can hear the rank-and-file muttering: "Sure, management will risk OUR pay checks and pensions and benefits, but not its own." There's some sad truth in that as evidenced by the collapse of several "name" organizations.

We - risk management practitioners - play odds makers on a regular basis when we - with input from Subject Matter Experts (SMEs) both inside and, I hope, outside the organization - prioritize risks. The most common risk rating mechanism is Probability vs. Impact; what is the probability a risk will occur and what impact can the risk be expected to have on the organization if it insists on occurring?

Most of the time, picking the fruit from the long-hanging branches is sufficient. If you live on the US' southern Atlantic coast or along the Gulf of Mexico the chances are pretty good that you'll see flooded streets sometime between June 1 and November 30; almost as likely are Category 1 and, maybe, Category 2 storms.

But usually not Category 5 Katrinas.

Since most organizations lack unlimited funds, management (hopefully) uses our recommendations to determine what threats are the most "threatening."

Build a Cat 5-proof building when the likelihood of a Cat 5 storm is relatively small? Probably not the best Return On Investment (ROI) an organization can make. (Yet, here in Southeast Florida, even private residences are reinforced concrete block structures (CBS) with wind mitigation required. Economies of scale - sort of, since CBS still is a tad more expensive that the slapped-together-ply board used some other places I've lived.)

Does that mean we can ignore Cat 5 storms altogether? Hardly. It means we mitigate as much as we can and make plans - in the case of a storm - to get us and our organization's raison d'être out of the way.

Some threats are less obvious; perhaps only on the radar of a few specialists.

The current financial disaster, for example.

I'm not a financier and I don't play one on tv so I didn't see the storm clouds that gathered before the collapse of Wall Street and housing markets and the related domino effect. Being a skeptic, had I really been watching the markets, I might have wondered how long can the upward trends continue.

Like most small investors, my portfolio "ain't what it used to be." Nor is my retirement fund.

Big organizations, including government agencies, should have had "rainy day" funds. Many, like the State of Florida, did.

Problem is, it wasn't just a rainy "day," the financial storm was a continuing deluge.

How can anyone prepared for a threat at that level? Unlike a Cat 5 storm, there was not much the average organization could do to mitigate the risk. Southwest Airlines, which managed to weather the 9-11 storm that grounded airlines coming into, going out of, and traveling around the US now finds itself in financial trouble. I doubt it will file for bankruptcy, but it's had to tighten its fiscal belt a notch or two more than it did following 9-11.

If the disaster was localized to the US, organizations could have been advised to move funds into foreign currencies. But the debacle is worldwide.

The old advice to move money into bonds, especially municipals, when the market dipped normally is sound. But this time both stocks and bonds have taken a hit.

So the question I put to you: What COULD have been done to keep a GM, for example, from layoffs?

Who should have told AIG that it was putting too much money into pig-in-a-poke products (and would anyone have listened, anyway?)

I didn't see this coming, and frankly, I'm not certain what - short of keeping a stable of SMEs from sundry disciplines on retainer - an organization could have done - should be doing - to mitigate this and future "Cat 5" threats, be they weather or financial or pick-a-risk category.

John Glenn, MBCI
Enterprise Risk Management/Business Continuity practitioner
Ft. Lauderdale FL
Planner @

No comments: