Build The Risk Plan. Success Will Follow.

By Scott Crowley | August 12, 2009

Photo credit: Dave Starrett

By breaking the plan down into tactical, operational and strategic components, even small to mid-size businesses can develop functional risk plans.

The last 18 months companies realized—some the hard way—that not all risk management plans are equal. Now, many businesses are throwing out the old models and adapting new, stronger and far more comprehensive plans. The problem for many small to mid-size businesses—who lack economies of scale—is where to start.

In the face of potential extreme events like terrorist attacks, blackouts, widespread pandemics and natural disasters, organizations must be prepared to sustain operations for any eventuality, no matter how remote. Given these concerns, many risk managers are asking how they can better prepare for the threats of tomorrow without compromising the ongoing demands of their business today. An organization’s risk management program must provide the direction required to navigate the current economic storm.

Characteristics of Unsuccessful Businesses

• Build The Risk Plan. Success Will Follow.
• 85 Rules of Risk Management
• Risk Perspectives
• Canada tops global threat list
• 2009 Terrorism Map (pdf)
• Risk Management: Values, Sample Mission Statement, Definition, Loss Checklist

Back to main page

Organizations that have not been successful typically demonstrate a lack of one or more of the following characteristics:

1. Leverage crisis management elements;
2. Enhance the risk management process through threat and vulnerability assessments;
3. Developing a culture of resilience.

Despite these challenging times, many businesses have weathered the economic storm by integrating crisis management elements into their business resiliency plan. Many of these resilient businesses were able to succeed at the risk mitigation planning and implementation because of their willingness to create and adopt a risk management program.

Risk Plan Should Include Key Factors

The key elements of a risk management program include:

• a culture of business continuity,
• program management,
• maintenance and audit of plan,
• develop business continuity strategies,
• and understanding the business.

The most fundamental aspect of developing a crisis management program, however, is understanding the business.

Know Your Game

Understanding your business is critical to the resiliency of your organization. Even before plans and strategies for mitigating risks are developed your organization needs to first assess the macro and micro of how the organization operates.

1. The essential steps to assessing your business include: Identifying what is critical (from a people, process, and systems perspective)
2. Understanding the threats that could harm the achievement of your objectives, as well as understanding how vulnerable the organization is to those threats.
3. Performing a comprehensive business impact analysis. Many companies have already performed such analyses for their tactical threats such as natural disaster, technological failures and criminal activity or fraud. As a result, this corporate knowledge may be leveraged to understand their critical activities to combat the operational threats caused by the economic downturn. In addition, understanding what is critical, as well as having a strategy for resilience has many rewards.

Multiple Assessments for Multiple Risks

The traditional risk management process, which most companies are accustomed to and rely upon, lacks the application of an effective threat vulnerability analysis and risk assessment.

The ineffectiveness of the traditional process was held to account during the recent credit crunch, when many companies were unable to fiscally survive, or lost market share and/or customer confidence. This is because the traditional risk management approach failed to predict emerging threats; it failed to effectively understand how those threats would be mitigated by the organization; the traditional process also failed to establish how these threats affect the short term and long term strategic objectives of the organization.

To effectively manage risk, the risk management process must include provisions to assess (or at least consider) threat, as well as the level of protection the organization currently employs to deter, deny, detect, disrupt and/or devalue the threat – simply stated – the organization’s vulnerability. Although the mitigation options continue to be on an “all hazards” approach, threats are often identified through coordinated action planning, as well as scenario testing. If you identify – and document – exactly what you want your business to achieve, then you can also begin to identify the possible vulnerabilities that could undermine your ability to achieve those goals. Planning for the unexpected then becomes less about planning for an event or crisis and more about finding ways to ensure that the critical parts of your business needed to achieve your goals are protected.

Developing a Culture of Resilience

Faced with the current economic pressures, many firms are reacting by jumping to conclusions to protect profits such as freezing infrastructure investments, mothballing new growth projects, cutting advertising and recruiting investments, as well as introducing loyalty programs for customers and personnel.

Yet, in order for an organization to be resilient, it is necessary that it be innovative and flexible at all times and effectively manage risks presented. I this highly competitive and increasingly global and complex business environment, organizations are continually challenged to determine not only how to manage risks but also the degree of uncertainty and other, associated risks, the institution is prepared to accept as plans are made to maximize opportunities and create stakeholder value.

This challenge—between structured planning and flexibility ingenuity—can be overcome by establishing a culture of resilience rather that a corporate culture of shortterm reactionary approaches to making decisions. A culture of resilience is  based on strategic planning. Organizations must also have operational solutions focused on the customer; as well as strategic solutions, focused upon the medium and longterm objectives and values of the organization.

Strategic Planning Considerations

In an economic downturn, businesses must ensure their customers remain their number one priority. Those that support their customers through these difficult times will gain appreciation and benefit from mutual advantages.

From a strategic planning perspective, organizations may wish to consider the following:

1. Focus on your competitive advantage—Know what do you do best and why.
2. Focus on Value Creation—Determine what is important and which products, customers, and channels create or destroy value. Determine what initiatives you could stop or defer.
3. Protect your customers—Understand the changing needs of your customers and react to those needs before your competitors do.
4. Protect your brand—Seek out opportunities and continue to invest in innovative solutions.

From extreme weather to terrorist attacks, critical infrastructure disruptions, pandemics and any number of natural or manmade threats, the operating environment for organizations is increasingly more demanding and complex. Not only have threat scenarios become more dangerous, but with business issues such as: financial pressures; globalization; interdependence; legislative requirements; and fierce competition, the ramifications of a disruption are greater than ever. Moreover, impacts of a disruption or crisis can have long-term effects on the financial and business health of the company.

Operational Planning Considerations

In recent years inefficiencies have been tolerated and unnecessary complexities have been built into the way organizations conduct business. For some, the competitive landscape has changed so fundamentally that the previous business model will no longer be appropriate and significant change is required.

Operationally organizations should:

1. Protect your liquidity—Make sure your finances and working capital are in good order and concentrate on effective cash management.
2. Streamline processes—Identify value-added processes and streamline processes and costs by implementing targeted cost reduction strategies.
3. Knowledge is power—Effective crisis management requires “good” business intelligence through clearly defined Key Performance Indicators (KPI), and the capability to make decisions quickly.
4. Protect your suppliers—Understand the changing needs of your suppliers and put in place effective vendor management to secure critical supply chains.
5. Use appropriate reporting templates—In order to make efficient and timely decisions, businesses should use appropriate information. Too often, companies use the same reporting templates and key performance indicators (KPI) regardless of variable changes occurring in the external environment, which affects their business models.

Tactical Planning Considerations

Strong companies will be those who act decisively, make tough decisions, and position themselves to take advantage of the upturn when it comes. Most organizations are implementing tactical solutions. If not, they should. Tactical planning should include:

1. Conduct a threat and vulnerability risk assessment to determine the real and current risks to the organization.
2. Perform a Business Impact Analysis to identify critical people, processes and systems.
3. Understand your business—hat do you do best and why, what are the threat, vulnerabilities and risks—how is it being impacted by the downturn?
4. Focus on the key drivers of value and key risks across the organization and act decisively.
5. Understand Your Response under different scenarios—test various scenarios from a financial, operations and workforce perspective to improve agility and the ability to adapt to changing conditions.
6. Protect your people—keep communication channels open, identify critical people associated with critical processes and ensure they are retained and motivated.

While the challenge may seem daunting true business resilience is achieved by integrating these concepts and linking them to your organization’s overall risk management program.

Silos need to be eliminated and plans and programs need to be integrated and mutually supported in order to achieve the synergies that will result in true resiliency and cost efficiency.

Scott Crowley is a Partner and an Enterprise Risk Services Leader at Meyers Norris Penny LLP. For more information, please contact Scott at 416.260.3277 or scott.crowley@mnp.ca.