Your definitive guide to enterprise risk
More than ever, the basic lesson for business managers and for business continuity professionals is: anything can happen!
This book by Andrew Hiles is a guide to best practices in understanding risk and business impact. It provides essential guidance for the identification, management and control of risks confronting businesses. What might happen? How will our enterprise be affected? What will the impact be? Answering these questions accurately and objectively is essential to Business Continuity Management, business success – and even business survival.
The helpful examples all have their roots in real cases and come heavily laden with pragmatism. Over fifteen years experience in blue chip environments, large and small, public and private, has gone into developing the methods described. Others come with a respected pedigree from a variety of industries.Your own right way for risk management means picking, matching and tailoring from the cases, guidance and examples provided, and building on existing best practice within your organization.
Why This Book?
Some fourteen years ago I was founder and Chairman of Survive, the international user group for business continuity management. Almost ten years ago Survive gave birth to the Business Continuity Institute (the industry’s professional association). Both bodies were concerned with the issues of recovering from business disasters. Typically the recovery involved doing something different: alternate locations, operations, equipment, IT and telecommunications facility. It all implied a hiatus – an interruption, a period of uncertainty and disruption, before a semblance of normality was restored.
The Business Continuity profession included the disciplines of risk management and an understanding of the impact on the business, should those risks actually occur. But then, so did many other functions within the business. Maybe the IT Disaster Recovery function was separate from business contingency planning. Operational Risk Management then had a fairly narrow role, typically looking at specific operational functions. Insurance was something else, often the remit of the Finance Director or someone called a Risk Manager who was, in fact, mainly concerned with insurance aspects. There was usually someone else responsible for compliance issues, while yet another person was accountable for health and safety issues. An audit function was responsible for fraud. Typically, the organization had no overall view of risk and no individual with overall responsibility for it: fragmentation was normal.
Then, a few years ago, there appeared an emerging tide of acknowledgment that these risk-related functions should be brought together. The reason may not always have been logic: sometimes, it stemmed from downsizing and a putting together of these functions for productivity, rather than strategic reasons. For some, Y2K projects created a sense of urgency and an impetus that promoted this as pragmatic logic. Some companies had the vision to take a holistic approach to risk management and to create what we have come to call Enterprise Risk Management.
We have been privileged to help a number of companies through this process and facilitate the creation or enhancement of their risk resilience: in short, helping them move from an expectation of disruption and subsequent recovery to a position where effective risk management all but eliminates the disruption.
Several years ago, I was presenting a workshop on disaster recovery planning to an international audience and a German in the front row was looking increasingly puzzled. At the coffee break, I asked him if, perhaps, I was using unfamiliar terms or whether I was not making myself clear. “No,” he said. “I understand perfectly what you say. It’s just that, in Germany, we are not allowed to have a disaster.” Now, many years later, it is evident that he had a point. While we cannot legislate disasters, we can seek to minimize them. Of course, the unimaginable can always happen (as we have learned from recent horrific events) and we have to be prepared to deal with the human and business consequences of it. But increasingly foresight can prevent many situations that previously may have become unexpected disasters.
This book results from a wish to share best risk management practice – not from the perspective of a theorist, but from a practitioner’s viewpoint.
A classic title from Rothstein Publishing (2002), by Andrew Hiles, Hon FBCI.