Thursday, April 19, 2018

Enterprise Risk Management (ERM)

Real risk management vs. Disaster Recovery & Business Continuity

ONE OF THE PROBLEMS WITH THE TERM “RISK MANAGEMENT” is that it means different things to different people.

For many, “risk management” means something related to insurance.

To others, “risk management” means patient safety.

To this scrivener, “risk management” should be prefaced with the word “enterprise” and it should include everything and anything that might impact “business as usual.”

ENTERPRISE RISK MANAGEMENT is more than “just” insurance, although it includes insurance as a way to mitigate loss due to a risk.

It also is more than “just” patient safety, although in a medical environment patient safety should be a primary concern.

Enterprise risk management is the maturing of a process that started with Disaster Recovery (DR), a function associated solely with Information Technology (IT) or Management Information Systems (MIS). I got my start with DR on a data company’s national network.

DR morphed into Business Continuity (BC). Business Continuity focused on an organization’s profit center(s) and what it took to keep the profit centers profitable. BC was primarily “within the confines of the organization’s building(s).” (Business Continuity in “government speak” is Continuation Of OPerations, COOP.)

The trouble with business continuity is that it failed to consider “I/O” – input and output.

Even organizations lacking product production – e.g., widgets, doo-hickies, and thingies of all types and shapes – still have I/O. Production facilities are more obvious candidates for enterprise risk management, but all organizations – even non-profits – need a viable (read “proven”) enterprise risk management plan.

Even charities need a plan. What happens if contributions dry up; how will commitments to clients be sustained?

Then there is image. The organization’s image can make or break it. In this day and age of “social” media, an organization is well advised to monitor what is being said about it.

Never forget regulators. EVERYTHING is regulated by some government or association somewhere. (OK, almost everything except the media, social and otherwise.)

Enterprise risk management is not nuclear science; it is “thinking outside the box” to identify ALL threats to “business as usual.” After the identification comes triage – which threats are most likely to occur. Then come decisions to avoid (expensive) or mitigate the threats. Even if a threat is considered highly unlikely, the plan should include how to respond to it “in the event of.” Insurance may be part of the mitigation plan, but the policy must be c-a-r-e-f-u-l-l-y read and vetted by both an insurance adjuster (not associated with the insurer) and a lawyer who specializes in insurance.

    What type of insurance to consider? Here are five broad categories: Business interruption, Directors and Officers, Liability, Physical hazards (fire, flood, etc.), Workers’ compensation. The list is NOT “all inclusive.”

One thing an enterprise risk management practitioner cannot be is an expert in all industries, or even in all organizations within one of the North American Industry Classification System (NAICS) classifications. (NAICS superseded the Standard Industrial Classification (SIC) system. It was developed jointly by the U.S. Economic Classification Policy Committee (ECPC), Statistics Canada, and Mexico's Instituto Nacional de Estadística y Geografía to allow for a high level of comparability in business statistics among the North American countries. [1])

The practitioner must
  • Have highly visible support from senior management
  • Work closely with Subject Matter Experts – the people who actually do the work

John Donne was spot on when he penned “No man is an island.” [2] This is especially true with enterprise risk management.

    Finally, management must commit to both exercising the plan and maintaining the plan. Lack of either and the plan won’t be worth the paper on which it is printed. (Yes, Virginia, there should be a paper copy, “just in case.”)


    Sources

    1. NAICS background: http://tinyurl.com/yaoym7y2

    2. John Donne, complete poem at: http://tinyurl.com/yajdumzj
