BUSINESS CONTINUITY MANAGEMENT IN THE ERM FRAMEWORK

Presented by: Eneni Oduwole

ERM Africa 2011 Conference, Johannesburg, South Africa

Organised by Terrapinn

25th Feb. 2011

… Business as usual

Business Continuity Management (BCM)

• The Business Continuity Institute (BCI), UK and the DisasterRecovery Institute International (DRII), USA define BCM as:

‘the holistic management process that identifies potentialimpacts that threaten an organisation and provides aframework for building resilience with the capability of aneffective response that safeguards the interests of its keystakeholders, brand, reputation and value cresting activities’

… Business as usual

Points to Note

• A BCM strategy must ensure the following:

– Timely identification of incidents that could disruptbusiness activities

– Risk Assessment of these threats

– Incorporating appropriate response and recovery plansinto day-to-day business processes

– Integrated approach in determining and managing likelythreats to the organization’s continuity

… Business as usual

Another definition of BCM

• PriceWaterhouseCoopers defines BCM as:

‘the organization’s effort to limit the effects of a crisis byproviding uninterrupted operations and service’

• It also advises that the following processes are involved inBCM:

– Risk Management

– Crisis Management

– Emergency Management

– Business Recovery

– IT DR Recovery

… Business as usual

More Points to Note

• The discipline, Risk Management, is expressly stated as a BCMprocess

• This definition gives the notion that BCM has a 3600 approachin managing threats to an organization’s continuity

• It also suggests that the effect of the threat should becurtailed in such a way that the firm’s growth, expansion orbusiness strategy is not hampered in any way

… Business as usual

How does BCM translate to effective ERM?

• ERM in a broad context refers to a framework for managinguncertainties within an organization; it continually assessesthe risk-reward trade-off

• The main objective of having an ERM framework in place is toensure long term business sustainability and comparativeadvantage

• The main thrust of BCM is also to ensure businesssustainability and comparative advantage in the long run

… Business as usual

Why is this outlook necessary?

• In recent times, potential threats to an organization’scontinued existence / long term survival have been of variedtypes

• The circumstances that lead to business disruptions havebecome broad based

• Cross-border and global incidents threaten a firm’s businessactivity

• The ripple or multiplier effect of a bad decision by a keystakeholder in managing its threats could expose otherorganizations and economies to unexpected risks of continuity

… Business as usual

Examples of likely threats

• Socio-political unrests

• Market uncertainties

• Global Climate changes / acts of God

• Poor infrastructural development by Government

• Short-sighted Strategic Planning

• Economic Recessions

• Supply chain continuity

• Sabotage

… Business as usual

How can BCM be imbibedas an effective ERM tool?

This can be achieved byResilience Planning /Resilience Building aroundall aspects of theorganization’s businessactivities whether financialor non-financial

… Business as usual

What is Resilience?

• It is the capacity to cope and feel competent

• It is also the capacity to deal with change and continue todevelop

• Resilience planning usually involves the change of anorganization’s attitude and behaviour towards managing alltypes of uncertainties

• Often times, it reflects the organization’s culture, values andoutlook to its short, medium and long term sustainability

… Business as usual

How to develop a resilient culture

• Increase corporate intelligence:– Present the value proposition of an integrated BCM

framework to key stakeholders in a manner that addressestheir business interests and not just the risk manager’s

– Prove to key stakeholders the benefit of cost-savings, profitpreservation and resultant increase in brand equity

– Train key stakeholders periodically

– Put in place a culture of continuous improvement bycarrying out periodic assessment of relevant risks

– Report key findings in a clear and simple way

… Business as usual

Developing a resilient culture…

Appoint BCM Champions at the following levels in the organization:

Executive

Management

Senior Management / Heads of Departments

Heads of Units / Sub-groups

… Business as usual

Developing a resilient culture (cont’d)

• Empower and train BCM Champions to act on the following:– Update of BCM Strategies and relevant documentation

such as the Business Continuity Plans (BCPs), Call trees,Contact lists and Service Level Agreements

– Reflect business process changes in BCPs

– Train staff within areas of jurisdiction on roles andresponsibilities defined in the BCP

– When necessary, take drastic action

– Request for invocation of BCP from the Chief RecoveryCoordinator

… Business as usual

Developing a resilient culture (cont’d)

• Timely identification of New Risks

– Liaise with all risk groups for risk assessments andharmonization of new threats and vulnerabilities theorganization is exposed to

– Consider all industry-wide, nation-wide or global threats tothe firm’s business activities for assessment

– Consider all likely risks the organization might be exposedto by change of its existing strategy and ensure thatresponse and contingency plans are in place to handleunexpected incidents

… Business as usual

Developing a resilient culture (cont’d)

• Deploy Change Management strategies:– The paradigm shift of considering all forms of disruptions

in a BCM strategy succeeds only when there is effectivechange management

– Develop a plan / chart for infiltrating BCM into theorganization; track and monitor progress made regularly

– Ensure adequate communication of new viewpointsregularly with a consistent message

– Ensure that change managers, in this case, BCMChampions monitor progress made and report to the RiskManagement function periodically; at least monthly

– Change management is effected with the meaningful useof emotional intelligence

… Business as usual

Developing a resilient culture (cont’d)

• Subscribe to use of emotional intelligence:

– Understanding the heartbeat and corporate politics of theorganization

– Understanding the language and interests of keystakeholders

– Where necessary, lobbying support groups to assist withgetting the buy-in of non-converted stakeholders they caninfluence

– Use all acceptable means and methods of communicationto pass the message

… Business as usual

Way forward…

• Develop a BCM Strategy after assessing likely threats to theorganization’s business activities

• Document the processes for responding, resuming, recoveringand restoring business without loss of time, business orcontinued growth

• Ensure that a comprehensive Business Continuity Plan is inplace and approved by the Board

• Empower BCM Champions to review their BCPs as and whendue

• Response and recovery strategies should be included inpolicies and procedures of all business areas across theorganization

• Test BCPs periodically

… Business as usual

As a result…

• Business Continuity Plans must be:

– All encompassing (capture all categories / types offinancial and non-financial threats)

– Be consistent with current routine business practices andprocedures

– Accessible to key stakeholders and drivers

– Easy to understand and follow

– Inclusive of all recovery plans, call trees and contact lists ofkey service providers

… Business as usual

In conclusion…

• Since the purpose of ERM is to ensure business continuity, aBCM strategy should not be limited to only natural or physicaldisasters

• It should provide a framework that gives reasonable assuranceof continuity irrespective of the type of incident

• In planning for unforeseen incidents, we must put our best footforward always…

• Allow no loose ends; your business’ chain of survival must notbe broken

… Business as usual 20… Business as usual

Thank you

Eneni Oduwoleeneni.oduwole@gtbank.com

234-8033045896; 234-7055676960