Sunday, February 27, 2011

What's in a name?






What is the "bottom line"?

What SHOULD be the bottom line?

To me, the "bottom line" is risk management at the enterprise level.

What is risk?

In the business world, and that includes all organizations regardless of profit motive or lack of same for non-profits, "risk" is anything that can interrupt "business as usual."

Risks can come from any where; from where they are expected - the usual suspects of environment, human error, and technology - and from unexpected, "non-traditional" sources such as lenders, customers, and governments at all levels, domestic and foreign.

Scanning the WWW, I find that "risk management," sans the "enterprise" prefix, often means insurance or financial risk. It has a typically narrow focus.

Does insurance risk mean "What happens if there is too little insurance" or does it mean "What happens if the insurance carrier refuses to pay or can't pay." It also means making certain all the insurance company requirements are met; all the i's are dotted and the t's crossed. (This is especially true for business interruption insurance.)

How are risks managed

First, they have to be identified.

That, as most practitioners will admit, is easier to say than to do.

Risks to WHAT?

"What" are "critical business processes," the ground-level processes that keep the business in business. A "view from 20,000 feet" has value only in the board room, and maybe not even there.

How are risks "managed"?

Typically one of three ways: they are (1) avoidance, (2) mitigation, or (3) transferrable.

Avoiding a risk usually is the most expensive option, but for some processes, it may be the only option.

Mitigation, finding ways to reduce the threat's impact, is less expensive "up front" cost, but like the old Purolator commercial went, "You can pay me now or pay me later." Mitigation may leave some "pick up the pieces" costs.

Transferring the risk usually means covering your assets with an insurance policy; sometimes this is supplemental to risk mitigation.

There actually is a fourth option: absorbing the risk. An organization might absorb a risk if the risk is to something that may soon be obsoleted, a something - product, procedures, service, etc. - that is due to be replaced or abandoned. It's simply not worth the other options.

Since most organizations lack the money to avoid all risks, the identified threats must be prioritized, a risk management function. I use "risk" and "threat" interchangeably; Merriam-Webster agrees with me (see End Note).

Management, organizational management this time, decides which of the practitioner's risk management recommendations to implement, sets an implementation schedule, and budgets for the implementation. Part of implementation includes training and exercises even if the capital cost of risk avoidance or mitigation is minimal or no cost (e.g., staff awareness).

The difference between ENTERPRISE risk management and any other type risk management is the same as Enteprise Business Continuity vs. Key Business Unit or InfoTech business continuity.

The former realizes that even in small organizations, there is a myriad of overlaps; a spider's web of inter-relationships, not all of which are blatantly obvious. Unlike an airline's routes, there may be no discernable "hubs." The only way to successfully plan to survive a business interruption is to cover all the bases, and the only way to do that is with an enterprise-level effort.

More than just BC

Enterprise Risk Management is more than just Business Continuity or Business Continuity Management It is what BC/BCM SHOULD be; how BC/BCM should be practiced but most often is not. It may not be fair, but most "senior" practitioners - currently that seems to mean anyone who can spell "BC" without regard to duration or breadth of experience - have blinders when it comes to looking beyond the facility. True the environment is considered, but little else, financial risks are left for someone else, perhaps the Chief Financial Officer's crew, succession concerns to the Board, and whatever is left over (policies and procedures, employee right-to-work [I-9s], communications, et al) to Human Resources.

Disaster recovery is part of business continuity and should cover all functional units.

GRC - Governance, Risk Management, and Compliance - a newcomer to the alphabet soup, is finding some acceptance, but when you break it down, there really is only one initial in the trio that has any real significance: "R."

According to a Wikipedia entry at,_risk_management,_and_compliance, GRC is "the umbrella term covering an organization's approach across these three areas. Being closely related concerns, governance, risk and compliance activities are increasingly being integrated and aligned to some extent in order to avoid conflicts, wasteful overlaps and gaps. While interpreted differently in various organizations, GRC typically encompasses activities such as corporate governance, enterprise risk management (ERM) and corporate compliance with applicable laws and regulations."


  • Lack of governance is a risk.
  • Failure to comply with applicable laws and regulations is a risk.

Perhaps "GRC" should be written "gRc."

Enterprise risk management must not be confused, as it often is, with a niche risk management effort.

Like Enterprise Risk Management, every functional unit should have a stand-along plan, a plan that may be called "business continuity" since it focuses primarily on the functional unit.

Lacking an enterprise plan is, to my mind, a risk that easily can be avoided.

Definition of RISK

1 : possibility of loss or injury : peril

2 someone or something that creates or suggests a hazard

3 a : the chance of loss or the perils to the subject matter of an insurance contract; also : the degree of probability of such loss

b : a person or thing that is a specified hazard to an insurer

c : an insurance hazard from a specified cause or source

4 the chance that an investment (as a stock or commodity) will lose value

Synonyms: hazard, imminence, menace, peril, pitfall, danger, THREAT, trouble

Definition of THREAT

1 an expression of intention to inflict evil, injury, or damage

2 one that threatens

3: an indication of something impending

Synonyms: hazard, imminence, menace, peril, pitfall, RISK, danger, trouble

No comments: