The RM to BC route – how ISO 31000 benefits Business Continuity
John Agius – May 2012

Accompanying notes (paper) for the presentation with the same title, prepared for the G31000 ISO
31000 Conference 2012, Paris, France, 21 – 22 May 2012




Abstract

What is commonly termed as “business continuity” is a type of disruption-related risk influencing the
achievement of organizational continuity objectives and in particular the uninterrupted delivery of
key products and/or services. Disruption-related risks should be treated as such and are best dealt
with as part of the treatment options available within the risk management discipline. Continuity
plans are one of the tools that can be adopted to manage disruption-related events.

Moreover, experience shows that organizations that decide to implement BC already have RM in place,
together with the basic BC prerequisites, established through the organization's RM process.
Taking the RM to BC route is therefore not only the right approach but also the most efficient and
most effective one.

Introduction

Consciously or not, organizations deal with risk. By handling risks effectively and efficiently, an
organization is able to ensure continuity of its operations and the delivery of its key products and
services. In other words, the management of risk makes it possible for an organization to achieve its
objectives. Objectives, however, do not always materialize as expected; as a result, organizations
operate in a continuum of uncertainty. The effect of this uncertainty on set objectives, arising from
the handling of probable threats, missed or would-be opportunities and/or potential disruptive
incidents, is termed ‘risk’ (ISO 31000, 2.1).

“Many organizations have a well-established RM function, maintain a corporate risk-register (RR)
and have risk-assessment (RA) embedded in the organization in as much as all managers are
expected to assess risks as part of their normal practices and procedures. Threat assessments,
therefore, may already be available for the organization’s activities. However the presence of a risk
management function is not a prerequisite for an effective BCM programme” (BCI-GPG, 2010: 53).


 ISO 31000 Conference
 Paris, France 21 – 22 May 2012                                                                             1
                                                                                               © J. Agius
The first part of the BCI statement is true, except that ‘all’, and not simply ‘many’, organizations
that decide to implement BC already have RM established within the organization. Hindsight indicates
that this is the case every time. The statement that “the presence of a RM function is not a
prerequisite for an effective BCM programme”, i.e. for the handling and treatment of
disruption-related risks, is only true if such a function is implemented independently of, or in the
total absence of, a BC programme. However, BC, the handling of disruption-related risks, cannot exist
without an RM function, and an RM function would not be complete without a BC programme.

“RM and BC only exist as a consequence of risk awareness. Every company … accurately or
otherwise, has risk management nearer the board and above business continuity” (Power, 2010).
This in no way implies that RM is above BC or vice versa, since both specialisms are an equal and
integral part of the same concept of management. In this regard, there is also a historical
perspective on how RM emerged from traditional management and how the failures of RM led to the
establishment of BC as we know it today, with the three philosophies (management, RM & BC)
running in silos. Modern management thinking, however, is currently exploring avenues for
reintegrating the different management systems into an “overall integrated management system”.

This new thinking may well draw on established scientific research to substantiate the scientific
value of modern management development. One example is Turner’s “Disaster Sequence Model” (DSM),
which established that disaster events resulting in disruption-related incidents do not occur
instantly. Turner’s research, further developed by Toft and Reynolds, indicates that there is always
an incubation process which triggers an incident and then leads it into a disaster.

Turner’s DSM model (1978) describes a sequence that starts from a series of unnoticed events,
leads to the onset of an incident and then into a crisis, and is followed by a rescue and salvage
(recovery) attempt and possibly a disaster, if things do not turn out right.

The following sections look at:

    1.   A concise historical view of Management, RM and BC phases
    2.   The Disaster Sequence Model - DSM
    3.   The treatment of risk
    4.   How ISO 31000 can benefit BC
    5.   Conclusions

1. A concise historical view of Management, RM and BC phases:

Management:

Management (general) was traditionally based on intuition and on limited informed decision-making
about day-to-day management issues. Management tools have been developed over time, e.g. SWOT
(Strengths, Weaknesses, Opportunities and Threats) and the 4D’s (Define, Design, Do, and Deliver),
among other useful tools. These management tools streamlined management into a quasi-scientific
model. Yet general management (as it was initially labelled) was broad and lacked focus on specific
management issues, among them ‘threats’ and the effect these had on management objectives.

Eventually, when the effects of threats started to get complicated and serious, focus on threat
management was needed. As a result RM emerged and later evolved as an independent
management system.

Risk Management:

The handling of threats and the effects these had on organizations was initially perceived as the
management of risk (nowadays it is referred to as the down-side of risk). The first RM concepts
were based on tools specifically developed to manage risk emerging from the effects that threats
were having on organisations. One of the tools to manage threats was the 4T’s. This was based on
measures to terminate, treat, transfer or take the risk with a view to ensure that organizations
continue to move forward in achieving their objectives.

What the 4T’s and other RM tools failed to take into consideration were risks arising as a result of
missed and would-be opportunities and those emerging from the effects unexpected disruption-
related events had on the objectives set by organizations.

Through the introduction of sophisticated technological systems and processes and high market
demands, the effects of disruptive incidents began to leave their mark on organizations set to deliver
critical products and services. Since RM lacked the capacity to manage disruptive situations and
disruption was no longer limited to MIS or computer-installation systems, organizations had an
urgent need to identify methods to handle the effects from disruptive events.

Initially, DRP (disaster recovery planning) in the US attempted to provide the solution. This
“inevitably created the demand for third party consultancy … initially aimed entirely at Data
Processing or MIS (as IT/ITC was then generally called) and was technical in nature” (BCI GPG 2010,
9). However, the problems emerging as a result of the ‘risk from business disruption’ went beyond
data processing and MIS. Consequently, rather than entrenching the BC principles within existing
general or business management systems or within the risk specialism, a new discipline was
developed as a totally separate management philosophy. This philosophy was to be named business
continuity management (BCM).

It is noteworthy that the strong focus on finding solutions to disruption-related risks led to the
total neglect of the difficulties associated with the up-side of risk. As a result, issues related
to missed and would-be opportunities have been largely ignored. Some risk practitioners still argue
against the up-side element in risk and continue to consider the management of opportunity as a
separate issue outside of risk management.

Business Continuity:

According to the BCI-GPG-2010 (p. 9), the first signs of BCM evolved out of disaster recovery
planning (DRP). The first known use of the term “Business Continuity” is said to have been made by
Ron Ginn (later to become the inaugural BCI Chairman) back in 1986, after he had researched the
subject in the United States and interviewed many leading practitioners. Ginn wrote a book entitled
“Continuity Planning” which postulated an application of the DRP skill-set to a much wider range of
business risks and potential operational interruptions. In 1988 a UK organization by the name of
“Survive” created a forum in which DR people could share their experiences and knowledge.
Eventually, in 1991 “Survive” dropped the references to DRP and re-branded itself “The Business
Continuity User Group”. This step had a significant impact in changing the external perception of the
subject. Concurrently, two of the largest US-owned DR companies also changed their position,
seeing “Continuity” as a more upbeat message than “Recovery”.

It can therefore be said that the appearance of BCM is the result of the failure of RM and DRP to
provide a plausible solution to the effects disruption-related incidents were having on
organizations during the late 1970’s and the mid-1980’s.

2. The Disaster Sequence Model - DSM:

Natural, man-made or systems failures do not happen instantly. They are caused by latent defects
that build up within the natural environment, systems and processes. If badly managed, or not
managed at all, latent defects can lead to disasters. In his DSM model Turner describes the
sequence of events associated with the developments leading to disasters (Toft & Reynolds,
1997). At the most general level the model consists of three separate but interrelated parts:

    •   the incubation period of actions and events prior to a disastrous situation
    •   the event triggering the incident/disaster and the immediate aftermath of recovery, and
    •   the learning process through investigation, analysis, reports and recommendations.

The DSM model can easily be adopted to better understand how to effectively manage risks from
disruption-related events. The different stages of Turner’s DSM model are as follows (Toft &
Reynolds, 1997: 22):

        1.   Stage I – notionally normal starting point:

             (a)  Initially culturally accepted beliefs about the world and its hazards;

             (b)  Associated precautionary norms set out in laws, codes of practice, mores* and
                  folkways**.

        2.   Stage II – the incubation period: the accumulation of an unnoticed set of events
             which are at odds with the accepted beliefs about hazards and the norms for their
             avoidance.

        3.   Stage III – precipitating event: forces itself to the attention and transforms the
             general perception of Stage II.

        4.   Stage IV – onset: the immediate consequence of the collapse of cultural precautions
             becomes apparent.

        5.   Stage V – rescue and salvage: first stage adjustment – the immediate post-collapse
             situation is recognised in ad hoc adjustments which permit the work of rescue and salvage
             to be started.

        6.   Stage VI – full cultural readjustment: an inquiry or assessment is carried out and
             beliefs and precautionary norms are adjusted to fit the newly gained understanding of the
             world, where the knowledge gained is absorbed into the culture of organisations/society.

        * Mores: customs, conventions, practices.
        ** Folkways: the unconscious group ways of doing things (living, thinking & acting) serving as
        compelling guides of conduct.
Disaster Sequence phases relevant to the understanding of disruption-related risk & disaster events


Turner’s DSM model can be easily applied to the effective understanding and management of day to
day business activity, risk situations and disruption events as well as to aid the continued
advancement of management. The incorporation of advanced management tools and models like
Turner’s DSM provides for a systematic and structured approach to the assessment and treatment of
disruption-related risk events.

3. The treatment of Risk:

Good risk management (RM) entails effective treatment of the “internal and external factors and
influences that make it uncertain whether and when organizations will achieve their objectives” (ISO
31000: Introduction).

Generally, risk treatment of the first two types of risk:

    •   ‘threats’ and
    •   ‘opportunities’

depends on “the way in which consequence and likelihood are expressed and the way in which
they are combined to determine a level of risk” (ISO 31000, 5.4.3).

In the case of the third type of risk:

    •   ‘disruption-related’

the ‘time’ factor is added to the ‘consequence’ and ‘likelihood’ factors associated with the other
types of risk. This is so because time may drastically affect the level of consequential impact of a
disruptive incident.




Risk treatment can involve (ISO 31000, 2.25, 5.5.1):

    •   avoiding the risk,
            o by terminating it altogether;
            o by deciding not to start or continue with the activity that gives rise to the risk
                whether the risk is the result of a ‘threat’, an ‘opportunity’ or a ‘disruptive incident’.
    •   taking or increasing the risk,
            o to pursue opportunities;
            o to take full advantage and maximize the benefit;
            o to decide whether a ‘disruptive incident’ to key products and/or services needs
                intervention to reduce the likelihood of occurrence, the shortening of the period of
                disruption and/or limiting the impact from disruption.
    •   removing the source,
            o making sure that the threat, opportunity and/or disruptive incident does not
                negatively affect the organization.
    •   changing the likelihood and/or consequence;
            o by intervening to change the probabilities;
            o by modifying the potential impact;
            o by modifying the probability and impact levels of potential disruptive incidents.
    •   sharing it with others,
            o by passing it on to insurance;
            o by contracts and risk financing
            o by seeking new partnership to share the threat and/or maximise opportunity;
            o by subcontracting to specialist organizations and share the threats/benefits;
            o by equally applying the above to situations emerging from disruptive incidents.
    •   retaining the risk
            o by informed decision;
            o by doing nothing about it;
            o by being ready to intervene should the threat, opportunity and/or disruptive
                incident arise.

    •   invoking continuity procedures
            o to reduce the likelihood of disruption (ISO 22301, 8.3.4.3. (a))
            o to shorten the period of disruption (ISO 22301, 8.3.4.3. (b))
            o to limit the impact of disruption on the organization’s key products and services (ISO
                22301, 8.3.4.3. (c))
            o “preparing and implementing risk treatment plans identifying resource
                requirements including contingencies” (ISO 31000, 5.5.3), reliance, dependence, etc;
            o “establish, implement and maintain a formal and documented process for business
                impact analysis (BIA), risk assessment (RA) and other assessment techniques that
                establishes the context of assessment, defines the criteria and evaluates the
                potential impact” with regards to “disruption related risks” (ISO 22301, 8.3.3.4 (c));
            o “establish documented plans that detail how the organization will manage a
                disruptive event and how it will recover or maintain its activities to a predetermined
                level, based on management-approved recovery objectives” (ISO 22301, 5.4.5).
4. How ISO 31000 benefits BC:

The benefits of using the ISO 31000 route to BC, rather than managing the two approaches in silos,
are many. With a frame of mind focused on disruption-related risks, the following is a list of
benefits within the ISO 31000 standard documentation applicable to the development of a BCMS:

Principles:

    •   creates value for the organization;
    •   is an integral part of the organizational processes;
    •   aids the decision-making process;
    •   explicitly addresses the principle of uncertainty resulting from the effect of disruptive
        events;
    •   is systematic, structured and timely;
    •   is based on the best available disruption management information;
    •   is tailored to the organization;
    •   takes human and cultural factors into account;
    •   is transparent and inclusive;
    •   is dynamic, iterative and responsive to change, and
    •   facilitates continual improvement and enhancement of the organization in terms of
        improving the overall integrated management system.

Framework:

    •   Makes use of the Plan-Do-Check-Act (PDCA) cycle amply aided by the ISO 31000 framework
        of Design, Implement, Monitor & Review and Continual Improvement model;
    •   Provides the necessary mandate, commitment, support and funding by top management
        and the Board of directors much needed for the successful implementation of an effective
        BCMS activity;

    •   The required elements for managing the risk of disruption effectively and in line with other
        organisational:
            o Risks,
            o context,
            o RM and BC policies,
            o accountability,
            o roles and responsibilities,
            o organizational processes integration,
            o functional activities,
            o resources required to implement the BC plan,
            o critical and alternate staff,
            o awareness and training programs,
            o internal and external communication and reporting mechanisms most essential for
                the successful implementation of a BCMS, incorporating the identification of:
                    ▪ organizational vulnerabilities;
                    ▪ continuity and recovery team members;
                    ▪ scope, purpose and value to the organization, as well as
                    ▪ the necessary lines of defence (BoD: Board of Directors, RMSC: Risk
                      Management Steering Committee & IAC: Internal Audit Committee) for the
                      necessary sponsorship, direction and audit of the RM and BCMS
                      implementation mechanisms.

   •      The development of a strategy to implement the organizational RM framework and
          processes to facilitate the risk assessment (RA) and business impact analysis (BIA) of the BC
          plan and the identification of variances that can be translated into potential opportunities;
   •      The framework monitoring and review - having established processes in place help to
          establish a well-managed organization; regular departmental/unit status reports of BC
          progress; internal and/or external audits to sustain the BCMS implementation; regular RM
          and BC audits with a view to validate performance against controls;
   •      Top management support and involvement towards the concept of continual improvement
          of the framework encouraging departments/units to establish the culture and attitude that
          RM and BC are not static and nearly everything the organization does can be improved and
          ought to be reviewed to enable the identification of new opportunities.

Process/es:

   •      An established, globally agreed and supported RM process directly affecting the BCMS;
   •      The use of enterprise-wide risk management (EWRM) processes and guidelines;
   •      In-depth awareness and understanding of the organization and its context;
   •      An established risk assessment process providing a well-founded risk identification, analysis
          and evaluation methodology;
   •      A systematic and logical approach to the management of all types of risk, incorporating the
          effective handling of threats, opportunity considerations and disruption-related risks that
          can be modified through one or more treatment options;
   •      An established communication and consultation structure with customers, stakeholders and
          management;
   •      Effective monitoring and review of all aspects of organizational risks and disruptive
          eventualities.

Others:

   •      Increased competitive advantage supported by a globally designed and agreed RM
          standard;
   •      Greater understanding of the effects of disruptive events in relation to the other
          organizational risks;
   •      Enhanced customer confidence;
   •      Improved stakeholder trust and support.




5. Conclusions:

Organizations of all types and sizes face internal and external factors and influences that make it
uncertain whether and when they will achieve their objectives. As stated earlier on, the effect this
uncertainty has on an organization’s objectives is “risk” (ISO 31000, 2.1). Risks can be of three
different types namely:

             •    Threat
             •    Opportunity
             •    Disruption-related

In acknowledging that organizations operate in an ‘uncertain’ environment, ISO 31000 illustrates
that objectives can have different aspects within different fields/specialisms of management.

Organizational objectives, being the efforts and/or actions undertaken to obtain or accomplish a
goal, are not always achieved as planned. The route from designing and setting objectives to their
launch, implementation and materialization passes through a complicated environment of
‘uncertainty’, and thus of ‘risk’. Risk, RM and BC are part of an overall integrated management
system and are best treated by utilizing established and well-researched RM tools.




                        RM & BC architecture within an overall Integrated Management System


Thus, the integration of RM and BC is not only beneficial, it is also more efficient and less costly.
The launch of the “risk management” standard (ISO 31000: 2009 series) and of the “business
continuity” standard (ISO 22301: 2012 series), as well as of other standards, “will further increase
the use of international best practice” (CMI, 2012) in management. These standards are not perfect
and will require continuous updating in line with new thinking. This development will continue to
narrow the gap between the different management concepts, promoting the integration rather than the
fragmentation of modern management thinking and practice.


Bibliography
G31000 (2012) “ISO 31000 International Conference 2012, Paris, France – 21 – 22 May 2012”, at
http://www.g31000conference2012.org/

                                                          ----------<>----------

BCI, GPG (2010) Good Practice Guidelines 2010, Global Edition, Berkshire: BCI

CMI (2012) “Planning for the worst, The 2012 BCM Survey”, Reproduced at
http://www.managers.org.uk/sites/default/files/u28/4354BCMreport2012v3.pdf

ISO 22301 (exp.) Societal security – Business continuity management – Requirements, Secretariat:
SIS, ISO/TC 223

ISO 22313 (exp.) Societal Security – Business continuity management systems – Guidelines,
Secretariat: SIS, ISO/TC 223,

ISO 31000 (2009) Risk management – Principles and guidelines, Geneva: ISO

ISO 31000 (2009) Risk management – Risk assessment techniques, Geneva: ISO/IEC

Power, Peter (2010) “Risk and Continuity: Convergence is in the air…”, reproduced at Continuity
Central, http://www.continuitycentral.com/feature0765.html, April 2012

Toft, B. and Reynolds, S. (1997) Learning from Disasters: a management approach, Leicester:
Perpetuity Press, p. 22.

Turner, B. A. (1978) Man-Made Disasters, London: Wykeham
                                                          ----------<>----------




                      John Agius M.Sc. (Leic.) RCDM, MIAP, Dip. Law & Admin., Dip. J&PW
The RM to BC Route - How ISO 31000 benefits Business Continuity

Risk and Business Continuity Management have been developed as a result of the effects of uncertainty that organizations face in achieving their
objectives. The likelihood of deviations from set objectives, whether negative and/or positive, compels organizations to be proactive and
prepared to intervene in good time to manage adverse effects and pursue opportunities. In the event of business disruptions, organizations are
obliged to provide for resiliency and to ensure that alternative arrangements are in place for the business to continue to operate whatever the
circumstances. John’s presentation tackles the role RM plays in establishing an effective and efficient BCMS and how ISO 31000 benefits this
process.

About the Author:


John is a Risk and Business Continuity manager with strong industry and academic experience in the profession and the associated resilience
disciplines. Originating from electronics and computing, John moved from DRP in Data Processing and MIS back in the 1970’s to RM and BC
as known today. Coupled with his 30+ years of professional experience in Management, the Police, Law, Security, planning & environmental
enforcement and Telecommunications, his knowledge is backed by an MSc in Risk, Crisis & Disaster Management from the University of Leicester
in England and various other prestigious certifications. He is a part-time visiting lecturer at the University of Malta and other tertiary and
further education institutions, lecturing in Risk Management and Assessment.

LinkedIn profile - http://mt.linkedin.com/in/johnagius

Discussion  1Improving Risk Management Capabilities        To .docxDiscussion  1Improving Risk Management Capabilities        To .docx
Discussion 1Improving Risk Management Capabilities        To .docx
charlieppalmer35273
 
Enterprise risk management
Enterprise risk managementEnterprise risk management
Enterprise risk management
Anu Damodaran
 
CHAPTER 34Turning Crisis into OpportunityBuilding an ERM.docx
CHAPTER 34Turning Crisis into OpportunityBuilding an ERM.docxCHAPTER 34Turning Crisis into OpportunityBuilding an ERM.docx
CHAPTER 34Turning Crisis into OpportunityBuilding an ERM.docx
keturahhazelhurst
 
DISUSSION-1RE Chapter 15 Embedding ERM into Strategic Planning.docx
DISUSSION-1RE Chapter 15 Embedding ERM into Strategic Planning.docxDISUSSION-1RE Chapter 15 Embedding ERM into Strategic Planning.docx
DISUSSION-1RE Chapter 15 Embedding ERM into Strategic Planning.docx
madlynplamondon
 
Crisis Management and Communications by W. Timothy Coombs, P.docx
Crisis Management and Communications by W. Timothy Coombs, P.docxCrisis Management and Communications by W. Timothy Coombs, P.docx
Crisis Management and Communications by W. Timothy Coombs, P.docx
faithxdunce63732
 

Similaire à The RM To BC Route Presentation Notes John Agius 21052012 (20)

Security Risk Management Essay
Security Risk Management EssaySecurity Risk Management Essay
Security Risk Management Essay
 
Discussion1From time to time most organizations make improvement.docx
Discussion1From time to time most organizations make improvement.docxDiscussion1From time to time most organizations make improvement.docx
Discussion1From time to time most organizations make improvement.docx
 
Risk Management Essay
Risk Management EssayRisk Management Essay
Risk Management Essay
 
Risk managemnt 2_gc-cp-rapm-090327
Risk managemnt 2_gc-cp-rapm-090327Risk managemnt 2_gc-cp-rapm-090327
Risk managemnt 2_gc-cp-rapm-090327
 
Essay On Risk Management
Essay On Risk ManagementEssay On Risk Management
Essay On Risk Management
 
STRATEGIC RISK ADVISORY SOLUTIONS_Risk Management_Newsletter
STRATEGIC RISK ADVISORY SOLUTIONS_Risk Management_NewsletterSTRATEGIC RISK ADVISORY SOLUTIONS_Risk Management_Newsletter
STRATEGIC RISK ADVISORY SOLUTIONS_Risk Management_Newsletter
 
Manigent Aligning Risk Appetite And Exposure
Manigent Aligning Risk Appetite And ExposureManigent Aligning Risk Appetite And Exposure
Manigent Aligning Risk Appetite And Exposure
 
Proposal for an Implementation Methodology of Key Risk Indicators System: Cas...
Proposal for an Implementation Methodology of Key Risk Indicators System: Cas...Proposal for an Implementation Methodology of Key Risk Indicators System: Cas...
Proposal for an Implementation Methodology of Key Risk Indicators System: Cas...
 
Bank Risk Management and Risk Culture
Bank Risk Management and Risk CultureBank Risk Management and Risk Culture
Bank Risk Management and Risk Culture
 
The evolving role of IT managers and CIOs
The evolving role of IT managers and CIOsThe evolving role of IT managers and CIOs
The evolving role of IT managers and CIOs
 
Enterprise risk management
Enterprise risk managementEnterprise risk management
Enterprise risk management
 
Risk management erm
Risk management ermRisk management erm
Risk management erm
 
12-RISK-MANAGEMENT-PROCEDURES-METHODS-AND-EXPERIENCES-RTA_2_2010-09.pdf
12-RISK-MANAGEMENT-PROCEDURES-METHODS-AND-EXPERIENCES-RTA_2_2010-09.pdf12-RISK-MANAGEMENT-PROCEDURES-METHODS-AND-EXPERIENCES-RTA_2_2010-09.pdf
12-RISK-MANAGEMENT-PROCEDURES-METHODS-AND-EXPERIENCES-RTA_2_2010-09.pdf
 
5242020 Originality Reporthttpsucumberlands.blackboar.docx
5242020 Originality Reporthttpsucumberlands.blackboar.docx5242020 Originality Reporthttpsucumberlands.blackboar.docx
5242020 Originality Reporthttpsucumberlands.blackboar.docx
 
Discussion 1Improving Risk Management Capabilities        To .docx
Discussion  1Improving Risk Management Capabilities        To .docxDiscussion  1Improving Risk Management Capabilities        To .docx
Discussion 1Improving Risk Management Capabilities        To .docx
 
Enterprise risk management
Enterprise risk managementEnterprise risk management
Enterprise risk management
 
CHAPTER 34Turning Crisis into OpportunityBuilding an ERM.docx
CHAPTER 34Turning Crisis into OpportunityBuilding an ERM.docxCHAPTER 34Turning Crisis into OpportunityBuilding an ERM.docx
CHAPTER 34Turning Crisis into OpportunityBuilding an ERM.docx
 
DISUSSION-1RE Chapter 15 Embedding ERM into Strategic Planning.docx
DISUSSION-1RE Chapter 15 Embedding ERM into Strategic Planning.docxDISUSSION-1RE Chapter 15 Embedding ERM into Strategic Planning.docx
DISUSSION-1RE Chapter 15 Embedding ERM into Strategic Planning.docx
 
Crisis Management and Communications by W. Timothy Coombs, P.docx
Crisis Management and Communications by W. Timothy Coombs, P.docxCrisis Management and Communications by W. Timothy Coombs, P.docx
Crisis Management and Communications by W. Timothy Coombs, P.docx
 
Business Continuity Management
Business Continuity ManagementBusiness Continuity Management
Business Continuity Management
 

Dernier

Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...
Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...
Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...
lizamodels9
 
0183760ssssssssssssssssssssssssssss00101011 (27).pdf
0183760ssssssssssssssssssssssssssss00101011 (27).pdf0183760ssssssssssssssssssssssssssss00101011 (27).pdf
0183760ssssssssssssssssssssssssssss00101011 (27).pdf
Renandantas16
 
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service BangaloreCall Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
amitlee9823
 
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
lizamodels9
 
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
daisycvs
 
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
Dipal Arora
 
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
dollysharma2066
 
Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...
Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...
Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...
Sheetaleventcompany
 

Dernier (20)

How to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League CityHow to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League City
 
John Halpern sued for sexual assault.pdf
John Halpern sued for sexual assault.pdfJohn Halpern sued for sexual assault.pdf
John Halpern sued for sexual assault.pdf
 
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
 
Cracking the Cultural Competence Code.pptx
Cracking the Cultural Competence Code.pptxCracking the Cultural Competence Code.pptx
Cracking the Cultural Competence Code.pptx
 
Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023
 
Organizational Transformation Lead with Culture
Organizational Transformation Lead with CultureOrganizational Transformation Lead with Culture
Organizational Transformation Lead with Culture
 
RSA Conference Exhibitor List 2024 - Exhibitors Data
RSA Conference Exhibitor List 2024 - Exhibitors DataRSA Conference Exhibitor List 2024 - Exhibitors Data
RSA Conference Exhibitor List 2024 - Exhibitors Data
 
Falcon Invoice Discounting platform in india
Falcon Invoice Discounting platform in indiaFalcon Invoice Discounting platform in india
Falcon Invoice Discounting platform in india
 
Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...
Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...
Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...
 
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service AvailableCall Girls Pune Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service Available
 
0183760ssssssssssssssssssssssssssss00101011 (27).pdf
0183760ssssssssssssssssssssssssssss00101011 (27).pdf0183760ssssssssssssssssssssssssssss00101011 (27).pdf
0183760ssssssssssssssssssssssssssss00101011 (27).pdf
 
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service BangaloreCall Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
 
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
 
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
 
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
 
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
 
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
 
Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...
Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...
Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...
 
B.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptx
B.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptxB.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptx
B.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptx
 
Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...
Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...
Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...
 

The RM To BC Route Presentation Notes John Agius 21052012

  • 1. The RM to BC route – how ISO 31000 benefit Business Continuity John Agius – May 2012 Accompanying notes (paper) for the presentation with the same title prepared for the G31000 ISO 31000 Conference 2012 - Paris, France, 21 – 22 May 2012, Paris, France Abstract What is commonly termed as “business continuity” is a type of disruption-related risk influencing the achievement of organizational continuity objectives and in particular the uninterrupted delivery of key products and/or services. Disruption-related risks should be treated as such and are best dealt with as part of the treatment options available within the risk management discipline. Continuity plans are one of the tools that can be adopted to manage disruption-related events. Moreover, experience dictates that organizations that decide to implement BC have RM, together with the basic BC prerequisites, already established through the RM process within the organization. Thus, taking the RM to BC route is not only the right way but the most efficient and best effective approach. Introduction Consciously or not, organizations deal with risk. In handling risks effectively and efficiently an organization is able to ensure continuity of its operations and the delivery of its key products and services. In other words, the management of risk makes it possible for organization to achieve objectives. And objectives do not always materialize as expected. As a result organizations operate in a continuum of uncertainty. This uncertainty effect from the handling of probable threats, missed or would-be opportunities and/or potential disruptive incidents on set-objectives is termed ‘risk’ (ISO 31000, 2.1). “Many organizations have a well-established RM function, maintain a corporate risk-register (RR) and have risk-assessment (RA) embedded in the organization in as much as all managers are expected to assess risks as part of their normal practices and procedures. 
therefore, may already be available for the organization’s activities. However the presence of a risk management function is not a prerequisite for an effective BCM programme” (BCI-GPG, 2010: 53).

ISO 31000 Conference Paris, France 21 – 22 May 2012 1 © J. Agius
The first part of the BCI statement is true, in that ‘all’, and not simply ‘many’, organizations that decide to implement BC have RM established within the organization. Hindsight indicates that this is the case every time. The statement that “the presence of a RM function is not a prerequisite for an effective BCM programme”, i.e. for the handling and treatment of disruption-related risks, is only true if such a function is implemented independently of, or in the total absence of, a BC programme. However, BC, the handling of disruption-related risks, cannot exist without an RM function, and an RM function would not be complete without a BC programme.

“RM and BC only exist as a consequence of risk awareness. Every company … accurately or otherwise, has risk management nearer the board and above business continuity” (Power Peter, 2010). This in no way implies that RM is above BC or vice versa, since both specialisms are an equal and integral part of the same concept of management.

In this regard, there is also a historical perspective on how RM emerged from traditional management and how the failures of RM led to the establishment of BC as we know it today, with the three philosophies (management, RM and BC) running in silos. However, modern management thinking is currently exploring avenues for reintegrating the different management systems into an “overall integrated management system”. This new thinking may well draw on established scientific research to help substantiate the scientific value of modern management development. One example is Turner’s “Disaster Sequence Model” (DSM), which established that disaster events resulting in disruption-related incidents do not occur instantly. Turner’s research, ably developed by Toft and Reynolds, indicates that there is always an incubation process that triggers an incident and leads it into a disaster.

Turner’s DSM (1978) describes a sequence that starts from a set of unnoticed events, leads to the onset of an incident and then a crisis, is followed by an attempt at rescue and salvage (recovery) and, if things do not turn out right, ends in a disaster.

The following sections look at:

1. A concise historical view of Management, RM and BC phases
2. The Disaster Sequence Model - DSM
3. The treatment of risk
4. How ISO 31000 can benefit BC
5. Conclusions

1. A concise historical view of Management, RM and BC phases:

Management: Management (general) was traditionally based on intuition and limited informed decision-making on day-to-day management issues. Management tools were developed over time, e.g. SWOT (Strengths, Weaknesses, Opportunities and Threats) and the 4D’s (Define, Design, Do and Deliver), among other useful tools. These tools streamlined management into a quasi-scientific model. Yet general management (as it was initially labelled) was broad and lacked focus on specific management issues, among them ‘threats’ and the effect these had on management objectives.
Eventually, when the effects of threats started to become complicated and serious, a focus on threat management was needed. As a result, RM emerged and later evolved into an independent management system.

Risk Management: The handling of threats and the effects these had on organizations was initially perceived as the management of risk (nowadays referred to as the down-side of risk). The first RM concepts were based on tools specifically developed to manage the risk arising from the effects threats were having on organizations. One of these tools was the 4T’s: measures to terminate, treat, transfer or take the risk, with a view to ensuring that organizations continue to move forward in achieving their objectives. What the 4T’s and other RM tools failed to take into consideration were the risks arising from missed and would-be opportunities, and those emerging from the effects that unexpected disruption-related events had on the objectives set by organizations.

With the introduction of sophisticated technological systems and processes and high market demands, the effects of disruptive incidents began to leave their mark on organizations set up to deliver critical products and services. Since RM lacked the capacity to manage disruptive situations, and disruption was no longer limited to MIS or computer installations, organizations had an urgent need to identify methods to handle the effects of disruptive events. Initially, DRP (disaster recovery planning) in the US attempted to provide the solution. This “inevitably created the demand for third party consultancy … initially aimed entirely at Data Processing or MIS (as IT/ITC was then generally called) and was technical in nature” (BCI GPG 2010, 9). However, the problems emerging as a result of the ‘risk from business disruption’ went beyond data processing and MIS.
Consequently, rather than entrenching the BC principles within existing general or business management systems, or within the risk specialism, a new discipline was developed as a totally separate management philosophy. This philosophy was to be named business continuity management (BCM). It is noteworthy that the strong focus on the search for solutions to disruption-related risks led to the total neglect of the difficulties posed by issues related to the up-side of risk. As a result, issues related to missed and would-be opportunities have been totally ignored. Some risk practitioners still argue against the up-side element in risk and continue to consider the management of opportunity as a separate issue outside of risk management.

Business Continuity: According to the BCI-GPG-2010 (p. 9), the first signs of BCM evolved out of disaster recovery planning (DRP). The first known use of the term “Business Continuity” is said to have been made by Ron Ginn (later to become the inaugural BCI Chairman) back in 1986, after he had researched the subject in the United States and interviewed many leading practitioners. Ginn wrote a book entitled “Continuity Planning”, which postulated an application of the DRP skill-set to a much wider range of business risks and potential operational interruptions. In 1988 a UK organization by the name of “Survive” created a forum in which DR people could share their experiences and knowledge. Eventually, in 1991, “Survive” dropped the references to DRP and re-branded itself “The Business Continuity User Group”. This step had a significant impact in changing the external perception of the subject. Concurrently, two of the largest US-owned DR companies also changed their position, seeing “Continuity” as a more upbeat message than “Recovery”.

It can therefore be said that the appearance of BCM is the result of the failure of RM and DRP to provide a plausible solution to the effects disruption-related incidents were having on organizations during the late 1970s and the mid-1980s.

2. The Disaster Sequence Model - DSM:

Natural, man-made or systems failures do not happen instantly. They are caused by latent defects that build up within the natural environment, systems and processes. Badly managed, or not managed at all, latent defects can lead to disasters. In his DSM model Turner describes the sequence of events associated with the developments leading to disasters (Toft & Reynolds, 1997). At the most general level the model consists of three separate but interrelated parts:

• the incubation period of actions and events prior to a disastrous situation;
• the event triggering the incident/disaster and the immediate aftermath of recovery; and
• the learning process through investigation, analysis, reports and recommendations.

The DSM model can easily be adopted to better understand how to effectively manage risks from disruption-related events. The different stages of Turner’s DSM model are as follows (Toft & Reynolds, 1997: 22):

1. Stage I – notionally normal starting point: (a) initially culturally accepted beliefs about the world and its hazards; (b) associated precautionary norms set out in laws, codes of practice, *mores and **folkways.
2. Stage II – the incubation period: the accumulation of an unnoticed set of events which are at odds with the accepted beliefs about hazards and the norms for their avoidance.
3. Stage III – precipitating event: forces itself to attention and transforms the general perception of Stage II.
4. Stage IV – onset: the immediate consequence of the collapse of cultural precautions becomes apparent.
5. Stage V – rescue and salvage: first stage adjustment – the immediate post-collapse situation is recognised in ad hoc adjustments which permit the work of rescue and salvage to be started.
6. Stage VI – full cultural readjustment: an inquiry or assessment is carried out and beliefs and precautionary norms are adjusted to fit the newly gained understanding of the world, where the knowledge gained is absorbed into the culture of organisations/society.

*Mores: customs, conventions, practices.
**Folkways: the unconscious group ways of doing things (living, thinking and acting) serving as compelling guides of conduct.
Disaster Sequence phases relevant to the understanding of disruption-related risk and disaster events

Turner’s DSM model can easily be applied to the effective understanding and management of day-to-day business activity, risk situations and disruption events, as well as to aid the continued advancement of management. The incorporation of advanced management tools and models like Turner’s DSM provides a systematic and structured approach to the assessment and treatment of disruption-related risk events.

3. The treatment of Risk:

Good risk management (RM) entails effective treatment of the “internal and external factors and influences that make it uncertain whether and when organizations will achieve their objectives” (ISO 31000: Introduction). Generally, risk treatment for the first two types of risk,

• ‘threats’ and
• ‘opportunities’,

depends on “the way in which consequence and likelihood are expressed and the way in which they are combined to determine a level of risk” (ISO 31000, 5.4.3). In the case of the third type of risk,

• ‘disruption-related’,

the ‘time’ factor is added to the ‘consequence’ and ‘likelihood’ factors associated with the other types of risk. This is so because time may drastically affect the level of consequential impact of a disruptive incident.
Risk treatment can involve (ISO 31000, 2.25, 5.5.1):

• avoiding the risk,
  o by terminating it altogether;
  o by deciding not to start or continue with the activity that gives rise to the risk, whether the risk is the result of a ‘threat’, an ‘opportunity’ or a ‘disruptive incident’.
• taking or increasing the risk,
  o to pursue opportunities;
  o to take full advantage and maximize the benefit;
  o to decide whether a ‘disruptive incident’ to key products and/or services needs intervention to reduce the likelihood of occurrence, shorten the period of disruption and/or limit the impact from disruption.
• removing the source,
  o and making sure that the threat, opportunity and/or disruptive incident does not negatively affect the organization.
• changing the likelihood and/or consequence,
  o by intervening to change the probabilities;
  o by modifying the potential impact;
  o by modifying the probability and impact levels of potential disruptive incidents.
• sharing it with others,
  o by passing it on to insurance;
  o by contracts and risk financing;
  o by seeking new partnerships to share the threat and/or maximise the opportunity;
  o by subcontracting to specialist organizations and sharing the threats/benefits;
  o by equally applying the above to situations emerging from disruptive incidents.
• retaining the risk,
  o by informed decision;
  o by doing nothing about it;
  o by being ready to intervene should the threat, opportunity and/or disruptive incident arise.
• invoking continuity procedures,
  o to reduce the likelihood of disruption (ISO 22301, 8.3.4.3 (a));
  o to shorten the period of disruption (ISO 22301, 8.3.4.3 (b));
  o to limit the impact of disruption on the organization’s key products and services (ISO 22301, 8.3.4.3 (c));
  o “preparing and implementing risk treatment plans identifying resource requirements including contingencies” (ISO 31000, 5.5.3), reliance, dependence, etc.;
  o “establish, implement and maintain a formal and documented process for business impact analysis (BIA), risk assessment (RA) and other assessment techniques that establishes the context of assessment, defines the criteria and evaluates the potential impact” with regard to “disruption related risks” (ISO 22301, 8.3.3.4 (c));
  o “establish documented plans that detail how the organization will manage a disruptive event and how it will recover or maintain its activities to a predetermined level, based on management-approved recovery objectives” (ISO 22301, 5.4.5).
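The point that ‘time’ is a third factor for disruption-related risk, and the three continuity levers in the list above (reduce the likelihood of disruption, shorten its period, limit its impact), can be worked through with a small scoring model. The following is an added example for this page; it is not from the paper, nor is it the method of ISO 31000 or ISO 22301, which leave the expression and combination of consequence and likelihood to the organization. The 1-5 scales, the product used to combine them, the band thresholds, the step-function impact profile and the sample data-centre outage entry are all assumptions made for the illustration.

```python
"""Level of risk for a disruption-related risk, with time as the third factor.

Added illustration, not from the paper. The 1-5 scales, the product used to
combine them, the band thresholds and the sample register entry are assumed.
"""
from dataclasses import dataclass


def _check_scale(value: int, name: str) -> None:
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{name} must be an integer on the 1-5 scale, got {value!r}")


def risk_score(likelihood: int, consequence: int) -> int:
    """Level of risk for a threat or opportunity: consequence combined with likelihood.

    Both ratings are on an assumed 1-5 scale and are combined by multiplication,
    so the score lies between 1 and 25.
    """
    _check_scale(likelihood, "likelihood")
    _check_scale(consequence, "consequence")
    return likelihood * consequence


def risk_band(score: int) -> str:
    """Band for a 1-25 score (thresholds assumed for the example)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "moderate"
    return "low"


@dataclass(frozen=True)
class DisruptionRisk:
    """A disruption-related risk: the consequence depends on how long the outage lasts."""

    name: str
    likelihood: int
    # Step function (hours of disruption at which the level starts, consequence 1-5),
    # sorted by hour and starting at hour 0.
    impact_profile: tuple[tuple[int, int], ...]
    expected_outage_hours: int  # how long the disruption lasts if nothing is done

    def consequence_at(self, hours: int) -> int:
        """Consequence reached once the disruption has lasted `hours`."""
        level = self.impact_profile[0][1]
        for starts_at, consequence in self.impact_profile:
            if hours >= starts_at:
                level = consequence
        return level

    def score(self) -> int:
        """Untreated level of risk: likelihood combined with the consequence at the expected outage length."""
        return risk_score(self.likelihood, self.consequence_at(self.expected_outage_hours))


def residual_scores(risk: DisruptionRisk, recovery_target_hours: int) -> dict[str, int]:
    """Residual score when each continuity lever is applied on its own.

    reduce_likelihood: one step down the likelihood scale (e.g. a redundant supply);
    shorten_disruption: the outage ends at the recovery target (e.g. a tested recovery plan);
    limit_impact: the consequence reached is one level lower (e.g. a manual workaround).
    """
    hours = risk.expected_outage_hours
    return {
        "untreated": risk.score(),
        "reduce_likelihood": risk_score(max(1, risk.likelihood - 1), risk.consequence_at(hours)),
        "shorten_disruption": risk_score(risk.likelihood, risk.consequence_at(recovery_target_hours)),
        "limit_impact": risk_score(risk.likelihood, max(1, risk.consequence_at(hours) - 1)),
    }


def acceptable_options(scores: dict[str, int], tolerance: int) -> list[str]:
    """Treatment options whose residual score is within the organization's tolerance."""
    return sorted(option for option, score in scores.items()
                  if option != "untreated" and score <= tolerance)


# Constructed sample register entry (assumed figures, not from the paper).
DATA_CENTRE_OUTAGE = DisruptionRisk(
    name="loss of the primary data centre",
    likelihood=2,
    impact_profile=((0, 1), (4, 2), (24, 4), (72, 5)),  # impact escalates as the outage drags on
    expected_outage_hours=48,  # time to rebuild from scratch without a continuity plan
)

if __name__ == "__main__":
    scores = residual_scores(DATA_CENTRE_OUTAGE, recovery_target_hours=8)
    for option, score in scores.items():
        print(f"{option:<20} {score:>2}  {risk_band(score)}")
    print("within tolerance 4:", acceptable_options(scores, tolerance=4))
```

Run as a script, the module lists the untreated score beside the residual score of each lever. With the assumed figures the same incident scores 2 if it lasts two hours and 8 if it lasts two days, which is what the section above means by time affecting the level of consequential impact; and shortening the disruption to an eight-hour recovery target lowers the score as much as a one-step reduction in likelihood does, which is why the continuity procedure belongs among the treatment options rather than being a separate discipline.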
4. How ISO 31000 benefits BC:

The benefits of using the ISO 31000 route to BC, rather than managing the two approaches in silos, are many. With a frame of mind focused on disruption-related risks, the following is a list of benefits within the ISO 31000 standard documentation applicable to the development of a BCMS:

Principles:
• creates value for the organization;
• is an integral part of organizational processes;
• aids the decision-making process;
• explicitly addresses the uncertainty resulting from the effect of disruptive events;
• is systematic, structured and timely;
• is based on the best available disruption-management information;
• is tailored to the organization;
• takes human and cultural factors into account;
• is transparent and inclusive;
• is dynamic, iterative and responsive to change; and
• facilitates continual improvement and enhancement of the organization in terms of the overall integrated management system.

Framework:
• Makes use of the Plan-Do-Check-Act (PDCA) cycle, amply aided by the ISO 31000 framework model of Design, Implement, Monitor & Review and Continual Improvement;
• Provides the mandate, commitment, support and funding from top management and the Board of Directors that is much needed for the successful implementation of an effective BCMS;
• Provides the elements required for managing the risk of disruption effectively and in line with other organizational risks:
  o context,
  o RM and BC policies,
  o accountability,
  o roles and responsibilities,
  o integration into organizational processes,
  o functional activities,
  o resources required to implement the BC plan,
  o critical and alternate staff,
  o awareness and training programmes,
  o internal and external communication and reporting mechanisms,
  all essential for the successful implementation of a BCMS, incorporating the identification of: organizational vulnerabilities; continuity and recovery team members; scope, purpose and value to the organization; as well as the necessary lines of defence (BoD: Board of Directors, RMSC: Risk Management Steering Committee and IAC: Internal Audit Committee) for the sponsorship, direction and audit of the RM and BCMS implementation mechanisms;
• The development of a strategy to implement the organizational RM framework and processes, facilitating the risk assessment (RA) and business impact analysis (BIA) of the BC plan and the identification of variances that can be translated into potential opportunities;
• Framework monitoring and review: having established processes in place helps to build a well-managed organization; regular departmental/unit status reports on BC progress; internal and/or external audits to sustain the BCMS implementation; regular RM and BC audits with a view to validating performance against controls;
• Top management support for, and involvement in, the continual improvement of the framework, encouraging departments/units to establish the culture and attitude that RM and BC are not static, and that nearly everything the organization does can be improved and ought to be reviewed to enable the identification of new opportunities.

Processes:
• An established, globally agreed and supported RM process directly affecting the BCMS;
• The use of enterprise-wide risk management (EWRM) processes and guidelines;
• In-depth awareness and understanding of the organization and its context;
• An established risk assessment process providing a well-founded risk identification, analysis and evaluation methodology;
• A systematic and logical approach to the management of all types of risk, incorporating the effective handling of threats, opportunity considerations and disruption-related risks that can be modified through one or more treatment options;
• An established communication and consultation structure with customers, stakeholders and management;
• Effective monitoring and review of all aspects of organizational risks and disruptive eventualities.

Others:
• Increased competitive advantage supported by a globally designed and agreed RM standard;
• Greater understanding of the effects of disruptive events in relation to other organizational risks;
• Enhanced customer confidence;
• Improved stakeholder trust and support.
5. Conclusions:

Organizations of all types and sizes face internal and external factors and influences that make it uncertain whether and when they will achieve their objectives. As stated earlier, the effect this uncertainty has on an organization's objectives is "risk" (ISO 31000, 2.1). Risks can be of three different types, namely:
• Threat
• Opportunity
• Disruption-related

In acknowledging that organizations operate in an uncertain environment, ISO 31000 illustrates that objectives can have different aspects within different fields/specialisms of management. Being the organizational efforts and/or actions to obtain or accomplish a goal, organizational objectives are not always achieved as planned. The route from designing and setting objectives to their launch, implementation and materialization passes through a complicated environment of uncertainty, and thus of risk. Risk, RM and BC are parts of an overall integrated management system and are best treated using established and well-researched RM tools.

Figure: RM & BC architecture within an overall Integrated Management System

Thus, the integration of RM and BC is not only beneficial, it is also more efficient and less costly. The launch of the risk management standard (ISO 31000:2009 series) and of the business continuity standard (ISO 22301:2012 series), as well as of other standards, "will further increase the use of international best practice" (CMI, 2012) in management. These standards are not perfect and will require continuous updating in line with new thinking. This development will continue to reduce the gap between the different management concepts, promoting the integration rather than the fragmentation of modern management thinking and practice.
Bibliography

G31000 (2012) "ISO 31000 International Conference 2012, Paris, France – 21 – 22 May 2012", at http://www.g31000conference2012.org/

----------<>----------

BCI, GPG (2010) Good Practice Guidelines 2010, Global Edition, Berkshire: BCI
CMI (2012) "Planning for the worst, The 2012 BCM Survey", reproduced at http://www.managers.org.uk/sites/default/files/u28/4354BCMreport2012v3.pdf
ISO 22301 (exp.) Societal security – Business continuity management – Requirements, Secretariat: SIS, ISO/TC 223
ISO 22313 (exp.) Societal security – Business continuity management systems – Guidelines, Secretariat: SIS, ISO/TC 223
ISO 31000 (2009) Risk management – Principles and guidelines, Geneva: ISO
ISO/IEC 31010 (2009) Risk management – Risk assessment techniques, Geneva: ISO/IEC
Power, Peter (2010) "Risk and Continuity: Convergence is in the air…", reproduced at Continuity Central, http://www.continuitycentral.com/feature0765.html, April 2012
Toft, B. and Reynolds, S. (1997) Learning from Disasters: a management approach, Leicester: Perpetuity Press, p. 22
Turner, B. A. (1978) Man-Made Disasters, London: Wykeham

----------<>----------

John Agius M.Sc. (Leic.) RCDM, MIAP, Dip. Law & Admin., Dip. J&PW

The RM to BC Route – How ISO 31000 benefits Business Continuity

Risk and Business Continuity Management have been developed as a result of the effects of uncertainty that organizations face in achieving their objectives. The likelihood of deviations from set objectives, whether negative and/or positive, compels organizations to be proactive and prepared to intervene in good time to manage adverse effects and pursue opportunities. In the event of business disruptions, organizations are obliged to provide for resilience and to ensure that alternative arrangements are in place for the business to continue to operate whatever the circumstances. John's presentation tackles the role RM plays in establishing an effective and efficient BCMS and how ISO 31000 benefits this process.
About the Author:

John is a Risk and Business Continuity manager with strong industry and academic experience in the profession and the associated resilience disciplines. Originating from electronics and computing, John moved from DRP in data processing and MIS in the 1970s to RM and BC as known today. Coupled with his 30+ years of professional experience in management, the Police, law, security, planning and environmental enforcement and telecommunications, his knowledge is backed by an MSc in Risk, Crisis & Disaster Management from the University of Leicester in England and various other prestigious certifications. He is a part-time visiting lecturer at the University of Malta and other tertiary and further education institutions, lecturing in Risk Management and Assessment. LinkedIn profile: http://mt.linkedin.com/in/johnagius