Never-ending project
Enterprise risk management, a/k/a enterprise business continuity or Continuity Of Operations, starts off as a project, but if it is to be successful - that is, if it is expected to help an organization survive a disaster event - it must become an on-going program, a series of "continuation" projects.
Every project needs a Very Senior Manager as its sponsor. The higher up the management ranks the sponsor, the more respect the program will inherit and the more cooperation will be forthcoming. This is especially true when risk management is first introduced.
Every project needs a Statement of Work (SOW) and a Project Plan.
The SOW and project plan need to be created with cooperation from the sponsor and approved by the sponsor. Hopefully the sponsor's fellow executives will concur with the sponsor, and word will "filter down" to the mid-level managers and line personnel that risk management is a good thing and will benefit all hands.
The best sponsor is a flag waver for risk management; someone who believes in the process and shares the belief with everyone from the Board to the vendors.
As with all projects, the risk management project must have reasonable, attainable goals - reached through the combined efforts of the sponsor and the practitioner.
Deliverables must be defined and must include reviews by the Subject Matter Experts (SMEs) who provided the information, and by the sponsor.
Deliverables by name
My list of deliverables includes:
- Proposal
Even an in-house program can, perhaps should, start with a proposal. This is what needs to be done; this is how the organization will benefit. Here are a few concerns to address even before commencing a program.
- Statement of Work and Project Plan
These contain basically the same general information. The SOW "spells it out" in general terms and, while it includes anticipated phase completion dates, it relies on the Project Plan to set tracking and staffing parameters. The SOW's audience normally is the Executive Suite and the staff in general. The Project Plan is more for the Project Manager (PM) and the sponsor to track the project's progress. The PM will provide a status report to the sponsor at least once every two weeks. This assures that slippage will be identified and reported in time to eliminate problems or adjust expectations "because."
Should the practitioner be the PM?
I have worked both ways, and frankly, I learned a lot from having a PM on board. The only concern I have when a PM is named is making sure that we go together to report to the sponsor. Let the PM write the reports, but the practitioner needs to review these before they go to the sponsor, especially if the PM has little or no risk management experience.
- First plan deliverable
The first scheduled plan deliverable is the Business Impact Analysis.
This is a misnomer, since the deliverable includes:
- Identification of critical processes
- Identification of risks or threats to those processes
- Identification of means to avoid or mitigate the threats identified above
- Prioritization of the risks or threats listed above.
- Recommendations to avoid or mitigate risks or threats based upon impact on the organization and knowledge of the organization's direction
While management is considering implementation of the practitioner's recommendations, the practitioner will create:
- Plan maintenance procedure
- Staff awareness program
- Exercise procedures
The practitioner also should create risk management-related Policies and Procedures (P&Ps) for such things as:
- alternate site expenses - limit or per diem
- alternate site housing - how many to a room
- communication between alternate site and management
- communication between employee and family - any limits, who pays
- conjugal visits - at home or on site, and who pays for transportation, after how long
- education penalties - if employee is forced to abandon a course due to recovery requirements
- insurance - is there someone to help family members file claims
- maximum allowable work hours before required time off
- on-site transportation - bus, taxi, rental vehicle
- overtime compensation - pay, comp time, other
- pay - how is it made, to whom (if direct deposit is not possible)
- travel to/from alternate site
By the way, many of these P&Ps apply equally to the responders remaining at the original site to restore the facility or establish a new facility.
Policies and procedures need top management approval and should be vetted by Legal.
- Second plan deliverable
This deliverable includes the response plan based upon management's implementation decisions. The specific response plans - for all functional units - probably will vary somewhat from normal, day-to-day operations.
Ideally, response plans will be one task per sheet of paper, with the preceding task identified in the header and the following task identified in the footer.
This deliverable also includes:
- Exercise policy
- Maintenance procedure
- Appendices (or addenda)
- Contact list
- Relevant Policies and Procedures
- Other documents as deemed necessary
If I wrote it, you can quote it.