PMI Southern Ontario Chapter PDD Ralph Dunham May 26, 2012


Page 1: PMI Southern Ontario Chapter PDD Ralph Dunham …...Focus is on strategically managing risks Activities will be directly linked to shareholder value Outsourcing is included Compliance

PMI Southern Ontario Chapter PDD Ralph Dunham

May 26, 2012

Page 2:

Future of Risk

Resiliency – Pervasive Readiness

Effective Governance

What’s Next?

Page 3:

[Figure: probability/impact risk matrix. Horizontal axis PROBABILITY (Low to High); vertical axis IMPACT (Low to High). Cells: High Risk, Medium Risk, Medium Risk, Low Risk. Response labels on the matrix: Control; Share; Mitigate & Control; Accept.]

Page 4:

Quantification of risk exposure (threats vs. risks)

Options available:

- Accept = monitor (some may be uninsurable)

- Avoid = eliminate (get out of situation)

- Reduce = institute controls

- Share = partner with someone (e.g. insurance)

Residual risk (unmitigated risk – e.g. shrinkage)
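The quantification described on this slide (probability times impact, the four treatment options, and the residual risk that controls leave behind) can be carried out over a small risk register. The script below is an added example written for this transcript, not material from the presentation or from PMI; the thresholds that separate "High" from "Low" probability and impact, the ceiling below which residual exposure is simply accepted and monitored, and the rule that maps a matrix cell to Accept/Avoid/Reduce/Share are all assumptions chosen for illustration, and the register entries are constructed sample data.

```python
"""Quantified risk exposure, treatment options and residual risk over a register.

Added example for the slide's accept / avoid / reduce / share options.
All thresholds and the cell-to-option mapping are assumptions, not slide content.
"""
from dataclasses import dataclass

# Assumed thresholds for this example (the slide gives no numbers).
HIGH_PROBABILITY = 0.3      # annual likelihood at or above this counts as "High"
HIGH_IMPACT = 100_000.0     # loss (dollars) at or above this counts as "High"
ACCEPT_CEILING = 5_000.0    # residual exposure below this is accepted and monitored


@dataclass
class Risk:
    name: str
    probability: float            # annual likelihood, 0.0 - 1.0
    impact: float                 # loss in dollars if the event occurs
    control_effect: float = 0.0   # share of exposure removed by existing controls

    def exposure(self) -> float:
        """Gross exposure: probability x impact (annualised expected loss)."""
        return self.probability * self.impact

    def residual(self) -> float:
        """Exposure left after controls: the slide's residual (unmitigated) risk."""
        return self.exposure() * (1.0 - self.control_effect)


def rating(risk: Risk) -> str:
    """Place a risk in the probability/impact matrix from the earlier slide."""
    high_p = risk.probability >= HIGH_PROBABILITY
    high_i = risk.impact >= HIGH_IMPACT
    if high_p and high_i:
        return "High Risk"
    if high_p or high_i:
        return "Medium Risk"
    return "Low Risk"


def option(risk: Risk) -> str:
    """Pick one of the slide's four options (assumed mapping).

    Accept  = monitor: residual exposure already below the tolerance ceiling.
    Avoid   = eliminate: high probability and high impact, get out of the situation.
    Share   = partner (e.g. insurance): rare but severe events.
    Reduce  = institute controls: frequent, lower-impact events.
    """
    if risk.residual() < ACCEPT_CEILING:
        return "Accept"
    high_p = risk.probability >= HIGH_PROBABILITY
    high_i = risk.impact >= HIGH_IMPACT
    if high_p and high_i:
        return "Avoid"
    if high_i:
        return "Share"
    return "Reduce"


def prioritise(register: list[Risk]) -> list[dict]:
    """Rank the register by residual exposure, highest first."""
    rows = [
        {"name": r.name, "rating": rating(r), "option": option(r),
         "exposure": r.exposure(), "residual": r.residual()}
        for r in register
    ]
    return sorted(rows, key=lambda row: row["residual"], reverse=True)


def residual_total(register: list[Risk]) -> float:
    """Total residual exposure the organisation is actually carrying."""
    return sum(r.residual() for r in register)


# Constructed sample register (illustrative values, not from the slides).
REGISTER = [
    Risk("Unsupported OS left in production", 0.5, 250_000, control_effect=0.2),
    Risk("Data centre flood", 0.02, 2_000_000),
    Risk("Phishing-driven credential theft", 0.6, 40_000, control_effect=0.5),
    Risk("Laptop left in taxi", 0.1, 8_000, control_effect=0.5),
    Risk("Warehouse shrinkage", 0.9, 20_000, control_effect=0.8),
]

if __name__ == "__main__":
    for row in prioritise(REGISTER):
        print(f"{row['name']:<36} {row['rating']:<12} {row['option']:<7} "
              f"gross={row['exposure']:>10,.0f} residual={row['residual']:>10,.0f}")
    print(f"total residual exposure: {residual_total(REGISTER):,.0f}")
```

Shrinkage is the case the slide itself names: heavily controlled, still present, and accepted once its residual falls under the tolerance ceiling. Sorting by residual rather than gross exposure is what answers the later question of whether the greatest resource is going to the greatest remaining risk.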

Page 5:

Page 6:

Source: Business Risk Assessment. 1998 – The Institute of Internal Auditors

[Figure: risk management cycle. Risk Assessment: Identification, Measurement, Prioritization. Risk Management: Control It; Share or Transfer It; Diversify or Avoid It. Risk Monitoring. Applied at Entity Level, Process Level and Activity Level.]

Page 7:

A focus on costs has led to neglect of risk – meanwhile, the risk landscape has changed:

Brand damage is probably more important than direct financial loss
◦ Contracts and insurance are not enough protection

Need to manage new and different risks
◦ More risks, which vary across the business
◦ Do you have enough information?

The cost equation has changed
◦ Factor the cost of risk management into sourcing decisions
◦ Balance ‘Just-in-time’ with ‘Just-in-case’

Page 8:

Not just an insurance issue

External factors versus internal

Global risks are now issues

Manage what can be managed

Understand impact of “Black Swans”

Managing Risk To the Enterprise Is the Focus

Page 10:

“Enterprise” is too narrow

Include investors, clients, partners, etc.

Look at “neighbourhoods”

Reliance on public sector

Review global risks and their impact

Page 11:

All risks are not created equal

Some risks are better mitigated than assumed

Some risks will never be eliminated

Some risks are outside your control

Some risks are more acceptable than others – to your organization

Impacts change over time

Combined risks are likely

Page 12:

Most Likely Source of the “Next Big One”

Cloud computing

Social media

Crowd sourcing

Criminal element

Cyber wars

Terrorism

Page 13:

Stuxnet

June 2010 attack on Natanz facility

Specifically targets Siemens controllers

USB Flash drive

Destroyed approximately 1,000 centrifuges

Now publicly available

Next wave of terrorism???

Page 14:

The biggest risks may not be included in your register

Risk assessments should include global risks

Exposed to the actions of any employee anywhere

“It won’t happen to me” syndrome

Evolution of risk over time

Combination of risks – not single point-in-time

Speed & contagion of risks, especially catastrophic

Apply greatest resource to greatest risk?

Page 15:

The impact of “Black Swans”

Unknown unknowns

How do you predict probability?

Plan for “no matter what”

Current planning based on assumptions

Does insurance cover them?

Page 16:

Focus on consequence vs. cause

Currently scenario or event based

Too many causes – likely to miss one

Real issue is the effect of an event

Destructive event, non-destructive event, people event, loss of technology event

Page 17:

No “Predicted” Outcomes

Assumes outcome can’t be forecast

Focus on process of resolution

Includes ongoing reassessment based on current situation

Accommodates unplanned “detours”

Minimizes time-of-event challenges

Must include role and response of individuals

Page 18:

Ability to achieve key organizational objectives

Emphasis on continuity versus recovery

Objectives-based versus asset-based

Focus on critical elements for organizational success

Identify minimum levels

Page 19:

Resilience vs. resilient capability

Resilience similar to “healthy”

Not necessarily redundancy

Processes and documentation good – capability better

Vulnerability is opposite of resiliency

Never recover – adapt

Sense & respond vs. plan & react

Page 20:

Issues/consequence based planning

No causal orientation

Simplifies task assignment

Better identifies responsibility for solutions

Minimizes effort that doesn’t address an “issue”

Page 21:

Function of Robustness, Redundancy, Agility, Adaptability

How do you measure?

How do you develop?

How much is enough?

Where are the skills in the organization?

Page 22:

“Processes and systems by which an organization or society operates”

Who “owns” the governance of risk management?

Is risk management part of effective governance?

Is governance part of effective risk management?

Role of internal and external audit

Extent of governance outside the organization

Page 23:

Processes and systems by which an organization or society operates*.

In practice…
◦ Before
◦ Today
◦ Tomorrow

* Source: Webster dictionary, Wikipedia

Page 24:

Before

Accounting

Financial Reporting

Long term approach only

Audit driven

Regulations were almost exclusively focused on legal or audit requirements

Page 25:

Today – Executive Liability

C-Level accountability

Fraud prevention

Ability to recover financial information

Minimize client and employee impact

Regulatory Compliance (often on several fronts)

Proof of performance

Page 26:

Tomorrow
◦ Scope will extend beyond the boundaries of the organization
◦ Based on corporate goals
  Structure
  New markets / products
◦ Focus is on strategically managing risks
◦ Activities will be directly linked to shareholder value
◦ Outsourcing is included
◦ Compliance will be a source of:
  Customer confidence
  Revenue continuity
  Stock value increase

Page 27:

Proper Business Resilience governance gives Directors reasonable assurance that the organization is capable of dealing with business interruptions and crisis situations

[Figure: BR Governance spanning ERP, DRP, BCP and CMP.]

Page 28:

What does Proper mean?

• Protecting brand

• Resolving uncertainty and variances from expectations

• Maximizing opportunity for success and superior performance

No excuses, no surprises

Page 29:

Move to capability vs. compliance – instil confidence

Compliance standards - SOX, C45, etc.

Program standard – ISO 22301, CSA Z1600, BS 25999, AUS 5050

Executive peace of mind – “Will it work?”

Publish and promote capabilities

Viewed as a maturity issue

Page 30:

Linkages to external factors – outsourcing

How to govern outsourcers - compliance

Who assesses outsourcer capability?

Redundancy elimination – but where is resiliency?

Ownership of Business Resilience cannot be outsourced

Page 31:

Executives are evaluated and trained to be efficient administrators vs. effective leaders

Formal management training does not usually include how to respond to operational crises

Measurements are usually short term and financial – hard to establish Business Resilience criteria

Appropriate leadership response must be consistent with pre-established vision and values

Need Risk Competent Organizations with Risk Cognizant Leaders

Page 32:

Executives typically have two objectives:

Grow the value of the organization; and

Protect the core assets of the organization:

◦ Value of risk management in strategic planning;

◦ Risk adjusted rate of return; and

◦ Strategic objectives reflected in program objectives.

Page 33:

| Traditional | Future |
|---|---|
| Focus on “Interruptions” | Focus on “Unusual events” |
| Event monitoring is a low level activity | Event monitoring is the CEO’s job, with Board oversight |
| “Disruptions” are a negative factor | “Disruptions” are also an opportunity |
| Business Continuity is managed in organizational silos | Business resilience is integrated across the organization |
| Business Continuity is measured subjectively | Resilience is quantified and managed |
| Business Continuity functions are unstructured and divergent | Resilience is built into management systems |
| Forecasting based on history | Forecasting includes risks |

Page 34:

| | Operational Focus | Board Focus |
|---|---|---|
| Risk Orientation | Rank against Known Threats | Identify/Assess New Driving Forces |
| Risk Analysis Usage | Set Audit Frequency | Allocate Resources to Key Driving Forces |
| Control Responsibility | Audit | Strategic Management |
| Auditor Orientation | Corporate Policeman | Mgmt. Consultant/Advisor |
| Audit Focus | Compliance with Procedures | Confidence / Business Objectives |
| Timeframe | Past/Present | Future/Present |
| Skills | Technical Skills, Audit | Business/Industry Knowledge |
| Special Expertise | Owned/Learned | Access as Needed |
| Management Responsibility | Not Trusted | Empowered/Trusted |
| Compliance | Auditor | Management |
| Program | Cycle-Driven | Flexible/Responsive |
| Communication | Periodic/One-way | Continuous/Two-way/Strategic |

Page 35:

Background

August / 08 – Maple Leaf Foods plant in Toronto confirmed an outbreak of Listeria Monocytogenes

MLF recalled 191 products back to January / 08

The outbreak incident caused 20 deaths and cost MLF over $30M

Media spotlight was intense

| Media | First 10 Days | First Month |
|---|---|---|
| Print | 408 | 1,011 |
| Broadcast | 1,959 | 3,198 |
| Online | 233 | 443 |

Page 36:

The Response

McCain took personal accountability, put public health and consumers interest first and led open and facts-based communication

Legal and financial views took lower precedence

Implemented a decisive action plan to:
◦ Keep the public informed during and after the incident
◦ Launch a mass media management strategy
◦ Identify risks and impacts
◦ Rebuild customer confidence

Page 37:

The Results

MLF’s brand and reputation rebounded

Increased public support

Managed CFIA requirements and minimized liability

McCain named CEO of the year by the Canadian Press for 2008

Page 38:

Would your Business Resilience program have helped this organization?

What would McCain expect from your program?

What would you have to add to fully support him?

What would your program have to look like to pass the “McCain’s governance test”?

Page 39:

It won’t happen

If it does happen, it won’t happen to me

If it happens to me, it won’t be bad

If it happens to me, and it is bad, there was nothing I could have done about it anyway

Page 40: