I'm glad the world didn't end during the DRJ Spring World 2017 conference, as more than 1,000 of the world's business continuity and disaster recovery specialists were there!
It was a great conference and I had the pleasure of presenting on building resiliency across the organization's value chain, and the key relationship between business resiliency and operational risk management. Both topics were on the minds of attendees as shown by their questions:
- Outside of surviving a high profile disaster, how do we make customers understand the value that our resiliency program adds to our product or service?
- If the company has a critical third-party vendor and that vendor outsources, who owns the relationship and the potential risk exposure?
Also, more than 20% of the conference sessions dealt with resiliency or risk. Experts are, indeed, thinking about the importance of business resiliency to the organization and how risk should be more broadly considered than just recovery.
In a previous blog, Driving Resiliency Through Operational Risk Management, I spoke about the direct correlation between driving business resiliency (versus recovery only) and operational risk management (ORM). I believe collaboration between ORM and business continuity programs is a precursor to improving business resiliency, and the top three reasons are:
- The bigger picture - looking outside typical business continuity type risks, like natural or man-made disasters, broadens our horizon. Considering the potential risk and impacts from supply chains, reputation impairment, social media, regulatory compliance, or even the risk culture within the organization highlights new risks that could have larger effects on the organization's resiliency. Coupled with a view across the value chain, resiliency teams are better able to anticipate how these new risks might impact the going concern of the organization.
- Aligns the Forces - the ORM "umbrella", by its very nature, aligns risk functions across the organization, including their methodologies, approaches, resources and outcomes. The key is for ORM to get separate functions on the same page, working together, aligned on priorities, and striving toward agreed-upon and appropriate outcomes. Individuals or siloed groups trying to manage risk may feel that their efforts don't affect the outcomes, but a larger, more coordinated approach does.
- Drives Risk Maturity - as risks become more complex, fluid and pervasive, risk approaches need to mature to enable the organization to become resilient to those risks. ORM is a discipline that continues to evolve and mature, unlike siloed risk functions that attempt to reactively deal with risks as best as they can. Every organization should evaluate its holistic risk management capabilities against a maturity model (refer to my blog) and determine where it currently stands and what the end goals are in terms of risk maturity.
Organizations that are able to align siloed risk functions under the auspices of their ORM programs have a better chance at becoming risk-proactive, even opportunistic. As ORM and business resiliency are considered together and measured against the bigger picture of the organization's value chain, functions such as business operations, business continuity, supply chain management and internal audit can understand the risks that impact their organization and implement better measures to ensure the resiliency of the organization.
Send me your comments at Patrick.firstname.lastname@example.org or connect with me @pnpotter1017.
Author: Patrick Potter
Category: RSA Fundamentals, Blog Post, Securing the Digital World
Keywords: Operational Risk Management, ORM, Resiliency, Risk Management