Saturday, October 08, 2011

Business Resilience: Late Bloomers Beware...

Believe it or not, there are still some Operational Risk Management late bloomers to the "Business Resilience" concept. The topic has been talked about for years and a recent IBM study highlights where risk management has changed and how business resilience is still gaining widespread adoption among large and smaller corporate enterprises.

Late bloomers—75 percent of which have revenues of US $500M or less—are not very well prepared for managing business risks and have narrow views on risk management strategies. Their performance is at the bottom of the scale on every indicator. A majority do not have a formal risk management strategy, and their financial performance trails the pack. Yet one-half say they plan to develop a formal risk management strategy and are most likely to say that they will establish a company-wide risk management team within the next three years.

Why business enterprises with less than $500M in revenue are establishing more company-wide risk management teams is a multi-faceted issue. Whether or not the industry sector is highly regulated, such as financial services, energy or healthcare, could be one indicator.

IBM in all of its wisdom has developed six elements of Business Resilience that are worth exploring in more detail. IBM provides a holistic, thorough and methodical approach to business resilience – in the pursuit of mitigating your organization’s risks:

  • Integrated risk management focuses on looking at the full scope of risks facing your operations —using technology to better understand, respond to and manage those risks, even as they change.
  • Continuity of business operations heightens your organization’s ability to maintain continuous operations, with processes and infrastructures that are responsive, highly available and scalable.
  • Regulatory compliance helps assure that your business and its technology infrastructure conform to constantly evolving government and industry regulations and standards —including those regarding information integrity.
  • Security, privacy and data protection helps you safeguard and manage your most valuable assets: data, information, systems and people.
  • Knowledge, expertise and skills addresses the resilience of your business by confirming that you have the right resources in the right place at the right time, despite staff constraints and fluctuating demands for highly skilled talent.
  • Market readiness concentrates on enhancing your organization’s ability to sense and respond to shifting customer demands and fast-breaking new market opportunities.

Any significant business disruption to your enterprise could be fatal. But if you had to create a budget to devote resources to the "Business Resilience Six Elements", how would you allocate your funding? Would you put 20% in "Security, privacy and data protection" or 30%? How much would you allocate to "Continuity of Business Operations" vs. "Regulatory Compliance"?

What "Operational Risk" professionals know is that it is a continuous process that requires emphasis in one area based upon market conditions and the overall business performance of the enterprise. When business revenues are down, you can bet that the budgets will suffer and the whole resilience of the business will suffer along with it. Could this be the greatest area of vulnerability that we have today? Poor economic conditions exacerbate the risk that the enterprise will fail should it receive an unsustainable shock to its culture, operations or reputation.

We would contend that "Market Readiness" is the most underestimated element of the six outlined by IBM. The reason has to do with the word "Opportunity". All too often risk managers are so focused on helping the enterprise avoid a natural catastrophe or keeping it safe from a system-wide data breach that they are blind to the seam in the market that would allow the business to break away from its competitors.

So are there any lessons out there that we can learn from, in terms of organizations taking their eye off of enterprise risk management and missing a market opportunity? Some have spent so much time and effort working on the other elements that it has created a vulnerable organization in the marketplace:

In the volatile political air ignited by the nation's economic struggles, $5 buys a lot more controversy than it used to.

The announcement by Bank of America Corp. last week that it would charge customers $5 a month to use their debit cards has rung up animosity from coast to coast.

Coming amid growing anti-Wall Street protests, BofA's new fee has become a focal point for anger and frustration about the flailing economy and Washington's attempts to help the nation recover from the financial crisis.

Industry leader Nokia held onto its No. 1 slot, but its market share continued to plummet, sinking to 24.2 percent in the second quarter from 33.8 percent a year ago. Excess inventory in regions like China and Europe apparently triggered a drop in shipments. Stung by the iPhone and Android phones, Nokia recently reported a huge loss for the second quarter.


While Bank of America and Nokia are just two companies that have seen their market share and presence become the subject of MBA student case studies, there are plenty of others that make the case for paying more attention to "Market Readiness". And then there is one of our favorites, Siemens AG. After having missed the exposure to the threat of the Foreign Corrupt Practices Act (FCPA) and paid out several billion dollars to the US Government and to business services companies to rectify the internal controls, there is this:

"Stuxnet computer virus analyzed"

By Tabassum Zakaria

IDAHO FALLS, Idaho, Sept 29 (Reuters) - Behind the doors of a nondescript red brick and gray building of the Idaho National Laboratory is the malware laboratory where government cyber experts analyzed the Stuxnet computer virus.

The malicious software targets widely used industrial control systems built by German firm Siemens (SIEGn.DE). Cyber experts have said it appeared aimed mostly at Iran's nuclear program and that its sophistication indicates involvement by a nation state, possibly the United States or Israel.

The Stuxnet virus was a "significant game changer in the cyber world," said Marty Edwards, a Department of Homeland Security official in charge of a cybersecurity program in partnership with the Idaho National Laboratory, which conducts nuclear research.

The U.S. government is concerned that cyber attacks could wreak havoc on the industrial base and cost millions of dollars. The Idaho lab programs are geared toward protecting the industrial infrastructure: chemical plants, food processing facilities, utilities, water systems and transportation.

"It is probably the most important security issue that we face today," said Greg Schaffer, a top official in the DHS National Protection and Programs Directorate. "This is a problem that continues to grow."


When any prudent risk management professional in the financial, energy or high technology sectors looks at the lessons learned on an annual basis, it should help develop the strategy for exploiting a seam in the market. If you are a late bloomer in the game of business resilience and proactive enterprise risk management, heed the lessons of the marketplace and don't underestimate the element of "Market Readiness".