Thursday, March 2, 2017


Risk Management
Not just DR plan
Needed by businesses

MARK WILLIAMS, WRITING FOR The Columbus (OH) Dispatch, notes that “Two-thirds of small-business owners don't have a formal disaster-recovery plan, even though about half say it would take at least three months for their business to recover from a natural disaster, according to a Nationwide survey released Tuesday.”

Both Nationwide and Williams missed the point: Disaster recovery is just a part of what an organization — large or small — needs.

All organizations need an ENTERPRISE RISK MANAGEMENT PLAN.

  • Limit the number of risks
  • Limit the amount of loss of
    • Human resource (personnel)
    • Customer base
    • Income (sales, product positioning)
    • Inventory
    • Productivity
    • Reputation
  • Limit recovery costs and time
  • PERHAPS reduce insurance costs

The above is just the “tip of the iceberg.” Not (yet) considered are liability coverage (for injuries, actions by the organization’s board and officers, etc.) plus the standard insurance (fire, flood, theft, etc.). Then consider vendors, including lenders, delivery of (hard or soft) product, billing and collection.

The famous expression, “The best defense is a good offense,” applies to all segments of Enterprise Risk Management:

  • Identification of critical processes
  • Identification of risks to those critical processes
  • Identification of options to avoid or mitigate the risks
  • FINALLY, identification of ways and means (personnel, vendors, hardware and software) to recover to at least “business as usual” in an efficient and economical manner.

While Enterprise Risk Management is not rocket science, it does demand that the practitioner have a curious mind and, hopefully, either experience or the wisdom to find — and listen to — a mentor who has experience.

What about Business Continuity?

It is a part of Enterprise Risk Management, but — as with Disaster Recovery — it is too narrowly focused. Business Continuity (BC) rarely considers risks outside of the organization’s facility. Ignored by most BC plans are vendors, lenders, customers, delivery methods, sales and marketing. Security — facility, personnel, and proprietary information — often is ignored except as it is needed for IT/MIS. Even picayunish things such as “Who are the neighbors?” should be included in a true Enterprise Risk Management plan; this is another item that BC plans usually ignore. (Are the neighbors chemical plants, frequent targets of protestors, major highways?)

By the way, Personnel/HR can be a major financial risk. If the Feds swoop down and demand to compare employee lists with I-9 forms, HR had better have an I-9 for each employee; failure can result in substantial penalties.

Disaster Recovery (DR), like BC, should be a component of an Enterprise Risk Management plan; management must understand that unless there is a holistic plan, i.e., Enterprise Risk Management, both DR and BC plans are dangerously inadequate.

Enterprise Risk Management plans can be created even for organizations with limited budgets and limited time.

The bottom line for organizations is that Enterprise Risk Management practitioners make recommendations; management determines which recommendations to implement and when.


But being without a true Enterprise Risk Management plan is perhaps the greatest risk of all.