"Strive not to be a success, but rather to be of value" --Albert Einstein
This article by Saul Midler on Scenario Planning Vs. Resource Planning recently caught our eye and for a good reason. The link between Corporate Risk Management and Operational Risk Management is Business Continuity Management. Brilliant!
More importantly, as he indicates:
"The danger of undertaking an operational risk assessment before the BIA / RDA activity is that a business case may be built to remediate the biggest operational risk without realising that impact or the consequence is low. This is essentially defining a solution before identifying a problem.
Think about 9/11 where 320 companies FAILED to return to business, 2800 workers DIED and 135,000 workers lost their jobs. By contrast a number of organizations did recover and continued operations. These include:
• Cantor Fitzgerald who lost 658 staff and resumed operations two days later;
• Marsh & McLennan with 3,200 staff over 8 floors;
• Morgan Stanley with 3,500 staff over 17 floors;
• NY Port Authority with 2,000 staff over 23 floors.
New school thinking saved these organizations. No one could possibly have thought of the scenario that two airplanes could cause structural integrity failure of both World Trade Centre skyscrapers resulting in the collapse and complete destruction of the precinct. The businesses that did survive did so because they adopted a resource loss philosophy that included office facilities, technology systems and, of course, staff.
While the scenario of airplanes being used as weapons of mass destruction is not a new concept for planning purposes, (in fact it was hypothesized long before 9/11) the fact is that organizations today have adopted an "All-Hazards" mind set. As a result of the new worldview, "Business Continuity Management" as previously mentioned, has provided a much needed conduit between Corporate Risk and Ops Risk."
What does this "All-Hazards" mentality mean for the cure to unplanned disruptions or untested scenarios? It means that you move to the proactive side of the line and away from the reactive mode that so many organizations are still coping with: the old "It will never happen to us" syndrome.
Global 500 public organizations, small private businesses and non-governmental organizations have true stories and cases that are considered a security risk crisis. Confronting a crisis in one organization will be completely different at another, based upon the type of organization, number of employees, geographic locations and their senior executive process for dealing with a significant disrupting event.
The following question was asked at “Company A” and the top answers were:
What are the top five incidents/events that could cause a significant crisis within your organization?
- Fire or Flood
- Violent weather/damage to facility
- Workplace violence
- Industrial accident
When the question was asked a different way, to a different group at the same company, the results were even more telling:
What are five incidents/events that have caused your organization significant crisis in the last three years?
- Counterfeit products or major disruption in the supply chain
- Alleged ethics violation of Foreign Corrupt Practices Act (FCPA)
- Geopolitical unrest in key overseas markets
- Extended loss of electricity at a manufacturing plant
- Data Breach/intellectual property theft by a nation state
What is your current readiness factor for the potential of environmental or natural disaster, supply chain disruption, economic espionage, ethics scandal, data breach, employee kidnapping, sabotage, terrorism, workplace violence and other legal risks?
Throughout the enterprise, the functions of physical security, information security, legal and financial liability have all become specialized, and these same security risk professionals have become subject to the potential for a blindside incident.
For example, the HR recruiter is more focused on the security risk of hiring a person with a criminal record of violence and substance abuse problems.
The Chief Security Officer (CSO) is more focused on the physical and information security of facilities and the Chief Operating Officer (COO) may be more focused on daily operations and securing the resilience of the supply chain.