
posted 5 Nov 2004 in Volume 7 Issue 6

Down to risk business

Regulatory pressures have forced firms to think about risk like never before, but that does not mean that risk-management strategies have improved. Julia Graham, director of risk at DLA, argues that firms need to think beyond regulatory compliance and embrace enterprise-wide business-continuity management, a discipline that will enable firms to face their tangible and intangible risks.

While many share the perception that the quality of risk management is improving, many of the improvements we are currently seeing are driven by regulatory pressure rather than by a commercial desire to manage risk better. Indeed, with the wheels of risk faced by management spinning ever faster, is it perhaps the extra spin added by the demands of Sarbanes-Oxley that keeps our US cousins slightly behind the game when it comes to practising enterprise risk management?

Designing and implementing an enterprise risk-management framework

Lord Levene, in his speech to the World Affairs Council in April 2004 [1], spoke of the rising complexity of tangible and intangible risks faced by businesses, and of the challenges he considered business must rise to meet, as the new three Rs:

  1. Raise risk to the board room;
  2. Respond to a challenging risk environment;
  3. Return to strength and stability.

In a presentation to the Houston Forum in September 2004, Lord Levene added: “In the world of risk, time never stands still and the threats and challenges which assault our businesses continue to emerge and evolve – from the faults in the earth to the fault in ourselves. Companies need to recognise that the risk environment has changed and that they cannot rely on 20th-century management techniques to solve 21st-century problems.” [2]

So how do we get risk onto the boardroom table? There is no magic answer, but an organisation will benefit from a simple mechanism that allows it to articulate what it wants to deliver, measure where it is up to in the delivery process and to facilitate effective and efficient communication of risk goals and achievements to an organisation’s risk managers, who are its employees and partners. How do you explain to a board how well you are doing in risk management if you don’t know where you are heading? How do you capture the hearts and minds of your employees and partners if they don’t know what your risk priorities are and why?

A risk-management framework can, as its name suggests, act as a vehicle for establishing the boundaries within which an organisation can position its approach to managing risk and the detail required for risk-management delivery. There are numerous framework models offered variously by the large consulting houses, promoted within the rules and guidelines of regulatory bodies such as the Financial Services Authority (FSA) in the UK and Basel in Europe, as well as those that have been developed down a more academic route.

Categorisation of risks is the bedrock of a framework in that it provides the basis for storing and then analysing data. For example, “if loss data is haphazardly stored, any values derived from the data will reflect its irregularity” [3]. And, importantly, categorisation provides the language for risk management and, consequently, a means of achieving the communication that is key to successful design and implementation of an organisation’s risk-management strategy and approach.

How an organisation categorises risk should be driven in part by the nature of its core business and in part by the complexity of its assessed internal and external risk environment. Accordingly, a framework can only be designed and then embedded within an organisation after an assessment of risks has been undertaken and the risks clustered into categories in such a way that the nature, complexity and objectives of the organisation are reflected. Typically, an assessment might yield half a dozen or so categories along the lines of:

  • Strategic – strategic management;
  • Group – functional or geographic profile;
  • Financial – balance-sheet management;
  • Operational – infrastructure;
  • Governance – legislative and regulatory – corporate governance and compliance;
  • Business – core business.

For each category, an organisation will need to understand what it needs by way of policies, risk-tolerance levels, processes, tools and techniques, management information, and scenarios against which all of these might be stress tested. Used as components, these can then provide the building blocks from which a framework can be constructed. How complex and detailed the components need to be should, however, be driven not only by the complexity of an organisation, but also by its culture: there is little point in having hugely complex and wordy policy statements, for example, if there is no appetite for complexity within an organisation. Better to have short and simple statements that get read and acted upon than award-winning tomes that sit unused on a shelf.

Once you have a framework, you can conduct a current-state risk-management analysis using the framework as a benchmark. Assess this against what you consider is needed for the future and then design an action plan to close the gap. The initial risk assessment should indicate what the priorities should be. Given that risks are dynamic, risk assessments will require regular updating, and priorities should be sense-checked against them.

BCM comes of age

If you want to stay in business when you hit a problem, then I assume that you have a business-continuity plan (BCP). But where do business-continuity management (BCM) and an organisation’s BCP sit within this framework? BCM is part of risk management, part of corporate governance and part of quality management. BCM in the modern business is an enterprise-wide professional discipline embracing all strategic and operational aspects of an organisation, contributing to business resilience and long-term business performance. “The outcomes of BCM today need to contribute a substantial benefit to the continuity of an organisation before a major disruption, as well as following the disruption.” [4]

The British Publicly Available Standard on business-continuity management (PAS 56) [5] defines BCM as: “A holistic-management process that identifies potential impacts that threaten an organisation and provides a framework for building resilience, and the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.”

That’s quite a statement – so what does it mean? Where does BCM sit within the risk-management framework? Given the above, the answer is across the base of the risk framework, as an enterprise-wide control mechanism: it is only once an organisation has analysed its business and understood its risks that it can design and implement effective BCM.

BCM isn’t about fighting fires when something happens; it’s about understanding what might be at risk and developing strategies for when things do go wrong. BCM isn’t about having over-elaborate plans to recover a business; it’s about having plans that suit the nature of your business. BCM isn’t an appendage to the business: for it to be effective, it must be an embedded management process – as part of risk management and, in turn, as part of good business management.

Just as with enterprise risk management [6], BCM should consider all types of risk to a business, and plans should be in place that are able to respond to any type of disruption, whether or not the material assets of a firm are affected.

BCM has roots in the 1980s, but until the early 1990s it was largely to be found in the domain of the IT department, with a focus on recovery following disruption to technology-driven systems. The type of desktop we enjoy today was largely unknown and businesses relied on a remote box somewhere feeding dumb terminals. Business continuity was consequently largely about the back-up and recovery of data stored in anonymous and usually offsite boxes, which more often than not resembled vending-machine technology in size and noise emission.

While you didn’t have to be affected by a terrorist act to suffer a disruption to an IT service (a workman can just as easily cut off power to your building and systems as a terrorist), it was undoubtedly the terrorist activities of the 1990s that brought into focus a recognition by organisations of the wider business need for the ability to respond and recover following disruption beyond the IT environment. Stories of failure rates of businesses that could not respond to disruption surfaced: it’s estimated, for example, that about 40 per cent of the businesses affected by the Manchester bomb in June 1996 went out of business, never to recover.

Around this time, a rising tide of corporate governance hit UK business shores and, as a consequence, business continuity became a boardroom topic – the board had a duty to know that the balance sheet was protected. The synergy of BCM with risk management is clear.

Today, the FSA expects all regulated organisations (and those entities that regulated organisations deal with through supplier and/or outsourcing arrangements) to have in place a risk-based BCM framework, including an appropriate BCP. This expectation, outlined in the FSA Handbook [7], states: “A firm should have in place appropriate arrangements, having regard to the nature, scale and complexity of its business, to ensure that it can continue to function and meet its regulatory obligations in the event of an unforeseen disruption.” Expecting the unexpected [8], produced by the National Counter Terrorism Security Office (NaCTSO), London First and The Business Continuity Institute (BCI), talks of planning to avoid a negative business impact. But, importantly, the FSA, as well as highlighting the negative effects of disruption, recognises the upside of BCM: any organisation that implements business-continuity plans to levels of good practice can, in the FSA’s opinion, issue a signal of confidence to customers and stakeholders that the firm is well managed and can deal with a crisis. That takes us back to the overall risk principle that effective risk management is part of, and not an appendage to, good management.

This requirement is echoed increasingly by other regulatory bodies. For example, the Australian Prudential Regulation Authority (APRA) [9] set out a prudential standard for BCM in July 2004. APRA considers BCM an important component of a risk-management framework and specifies that regulated organisations need to consider scenarios that include:

  1. Utility failure, for example, electricity, water and telecommunications;
  2. IT-systems failure;
  3. Compromised physical or IT security;
  4. Fire threat or damage;
  5. Bomb threat or damage;
  6. Loss of key staff;
  7. Damage or loss of critical paper and electronic records.

As with the FSA, APRA promotes an approach that should be tailored to suit the nature and scale of an organisation’s operations and designed to increase “resilience to business disruption arising from internal and external events and reduce the impact on the organisation’s business operations, reputation or profitability.” It places responsibility for management firmly on the board table. The consequences of failing to plan could be:

  1. Loss of work to competitors;
  2. Failure within your supply chain;
  3. Loss of reputation;
  4. Human-resource issues;
  5. Health and safety liabilities;
  6. Higher insurance premiums.

And, if you are unlucky enough to suffer more than one of the above from the same incident, then this may present a worst-case scenario and force you out of business.

The need to think enterprise wide is further supported by a raft of research, most notably that produced by Rory Knight and Deborah Pretty of Oxford Metrica [10] in their authoritative work on the impact of catastrophes on shareholder value. They argue that there is a significant variation in the long-term recovery capability of organisations in the aftermath of a catastrophe, and that success would seem to be more down to the quality of management and their ability to manage a recovery than to support based solely on the existence of catastrophe insurance.

While Knight and Pretty focus on larger corporates, their conclusions are supported in practice at all business levels. For example, in research commissioned by AXA in the UK during 2004, which focused on smaller businesses [11], their chief concerns were:

  • The threat of litigation;
  • The cost of compliance with regulation – and the cost of non-compliance;
  • The threat of IT failure.

AXA quotes its willingness to share its experience with clients to help them take a well-informed view of risk, and it’s interesting to note that a specific value-added service it promotes is a free guide to business-continuity planning made available on its website, www.axa4business.com. Even AXA as a major insurer accepts that risk mitigation goes beyond spend on insurance. Too often, I’ve found in organisations that BCM remains in the domain of the IT and/or facilities functions, rather than as part of a risk-management framework – and, too often, I’ve heard the analogy of risk and consequently BCM, translated as part of insurance outside the risks associated with client management and associated professional and regulatory governance of an organisation or firm’s partners and employees. There are signs, however, that this tide is turning and it’s healthy to see the emergence of organisations, such as the Law Firm BCP Forum operating in London. I wonder, however, how many law firms are part of the risk function and how many practitioners of BCM in law firms are professionally equipped to manage, as evidenced through accreditation awarded by the Business Continuity Institute (BCI)?

How to do it

But perhaps the best way to explain where BCM fits is to take a little time to go through the management process and ask three initial questions:

  1. What type of business do you represent – is your business small or complex, single or multiple site, UK or international?
  2. What is driving your need to engage?
  3. Who is going to act as sponsor?

Armed with answers to these simple questions, you can start to enter the management process and take the key steps shown in figure one.

There are plenty of freely available sources of information waiting to help you:

  • Visit the website of the BCI at www.thebci.org. There you will find advice on the competencies required to deliver effective BCM and guidelines on practice;
  • Most regulators including the FSA also have advice and papers that are of generic appeal;
  • Talk to your insurance company as they often have experts who can assist you to either get started or to raise your BCM game;
  • Join a focus group. For the world of law look no further than the Law Firm BCP Forum (contact clive.restall@allenovery.com).

No man is an island

In my previous article on risk management [12], I used a quotation: “No man is an island, entire of itself, every man is a piece of the continent, a part of the main…” (John Donne). BCM introduces an interesting spin on this quotation, for when we talk of continuing in business following a disruption, we should consider not only the impact of that disruption on a particular business, organisation or set of individuals, but also its impact on the very fabric of the economy and society in which we do business [13].

These are grand words, but reflect on them. The suspension of a financial institution’s operations could cause critical problems during and after a disaster. For example, residents in a disaster area might not be able to access funds and funds might not be transferable, denying access to salaries and pensions. Consequently, in addition to organisations suffering their own internal strife following disruption, society itself could bear the brunt of the suffering through loss of services just when it needed their support the most.

In a firm, risks should be assessed from the top down and the bottom up, during periods of planned and unplanned change, and from all angles of the risk categories (regulatory and financial as well as hazard-related risks). Business-continuity plans need just the same approach so as to control these risks.

References:

  1. Lord Levene, Chairman of Lloyd’s: speech to the World Affairs Council, April 2004
  2. Lord Levene, Chairman of Lloyd’s: speech to the Houston Forum, September 2004
  3. Gene Laverez: ‘Operational Risk Event Classification’, Garp Risk Review, 2001/02
  4. Australian Prudential Regulation Authority: draft prudential standard on BCM, July 2004
  5. PAS 56:2003 – Guide to BCM, BSI, March 2003
  6. ‘No man is an island’, Managing Partner, July/August 2004
  7. The Financial Services Authority: fsa.gov.uk
  8. Expecting the unexpected: brochure and CD, www.london-first.co.uk, 2003
  9. Australian Prudential Regulation Authority: draft prudential standard on BCM, July 2004
  10. Rory Knight and Deborah Pretty: The Impact of Catastrophes on Shareholder Value, 2001
  11. AXA: www.axa4business.com, Mark Cliff, 2004
  12. Managing Partner, Vol 7, issue 3, page 16
  13. Bank of Japan: Business Continuity Planning at Financial Institutions, 2003

Julia Graham is director of risk strategy at DLA. She can be contacted at julia.graham@dla.com
