Concern over business continuity is the main factor fuelling growing corporate interest and investment in what is becoming known as integrated or enterprise risk management. It is no coincidence that this desire for a comprehensive approach to business risk – pure, commercial and financial – has come at a time when managers everywhere are under increasing pressure to respond quickly to market developments, while simultaneously streamlining processes and cutting costs.
Almost everywhere, asset utilisation levels have risen dramatically. But whether it takes the form of downsizing, outsourcing or just-in-time manufacturing, driving higher earnings through greater efficiency increases the number of potential stresses and strains on the supply chain. In essence, all businesses - and, in particular, those businesses with highly integrated activities - have become more vulnerable to significant losses.
There are some key risk implications of increased competition and the drive for greater efficiency.
There have been several examples in recent years of the link between process discontinuity and shareholder value.
Share price movements are volatile for many reasons. However, these examples serve to underline why it is not a good idea to compartmentalise risk management into the spurious categories of pure (insurable risks), commercial and financial risks. They also highlight the importance of process interdependency – where decisions or incidents in one area of activity can have disproportionate repercussions elsewhere in the organisation. Unfortunately, it often takes a crisis to reveal the obvious.
Integrating risk management
There are numerous ‘high level’ approaches to the concept of integrated risk management. Figures 1 and 2, prepared by Lisa Meulbroek of Harvard Business School, illustrate the now generally accepted view that successful risk management requires a combination of retention, mitigation and transfer (insurance), and that businesses need to identify and profile the full range of risks they face.
Almost all risk managers are now focusing on the ‘big picture’ and trying to assess how to retain, mitigate or transfer potential risks in such a way as to maximise brand and shareholder value. There is nothing new here in terms of the overall objective, and my own company has been using this approach to profile company risk for many years. But, in our experience, strategic risk profiling in isolation has a number of limitations.
For example, a comprehensive listing of all possible risks can lead to mental indigestion. Also, attempts to assess the likelihood and potential impact of each risk can often end up as an inconsistent and subjective ranking by only a few members of senior management. But the most serious limitation of this high level approach is that it seeks to map risks rather than conduct an objective assessment of the critical processes which underpin cash flow and shareholder value.
Risk assessment and analysis of process data from many leading US and European multinationals over a period of years has led us to conclude that, while high level profiling of risk is important, a more detailed and forensic examination is essential. This will identify and, more importantly, measure the criticality of each step in the production process, and identify solutions to eliminate or reduce both existing and potential financial losses to an acceptable level. Core processes in the value-added chain, key areas of risk and the potential negative business impact are summarised in Figure 3.
There are four separate but related steps to protecting process continuity.
Step one: risk identification and ranking – This initial review highlights vital links in the value-added process and analyses internal perceptions of the likelihood and impact of various causes of disruption to the supply chain.
Step two: risk valuation and insurance – This detailed review, based on site data, examines the risk quality of sites and processes and benchmarks them against industry experience (see below). Based on this analysis, recommendations can be made regarding risk mitigation and insurance priorities.
Step three: mitigation and implementation – This stage focuses on delivering solutions in the form of measures to mitigate risk (eg back-up, supply sources, improved systems, operator training etc) and a risk insurance programme with adequate capacity to cover those potential losses that businesses do not wish to retain.
Step four: risk auditing and monitoring – Having established a set of business continuity standards, it is important to maintain them. This stage involves regular process and site inspections.
The benefits of the “process” approach to managing operational risk are that it allows a business to
A unique feature of our approach to business continuity risk management is the emphasis on measuring the absolute and relative vulnerability of particular processes and production sites in terms of maximum potential loss. It is important for companies to be able to benchmark their appetite for risk and risk mitigation against comparable businesses.
Using data collected from within an organisation, we can demonstrate the risk quality of particular sites or processes and compare them with other sites. Figure 4 illustrates what a risk quality map might look like for a multinational with various sites worldwide.
The risk quality map is a very valuable guide to which areas of potential exposure need attention to reduce potential losses to an acceptable level. Our process brings together the two important elements needed to reduce the process of risk – engineering and risk financing. It then allows the organisation to be assessed against a world-benchmarked risk quality standard and, by integrating with vendor assessment programmes, these standards can be used as the basis of an accreditation programme to ensure critical inputs.
Enhancing shareholder value
The benefits of the process approach to business continuity go beyond risk reduction and loss control (see Figure 5).
The experience of General Motors and John Deere shows that there is an urgent need to drill down and explore in detail both how a disruption to any process arising from an external/internal event will impact on business continuity and financial performance, and the relative financial benefits of risk mitigation, risk retention and transfer, and/or a combination of these solutions. The primary motivation for doing this should not be the need to comply with the Turnbull Report or any other guidelines, but to sustain the business in the face of constant change and growing competition.
Ken Davey is managing director of FM Insurance Co Ltd, responsible for FM Global’s international operations, Tel: 01753 750000, e-mail firstname.lastname@example.org