Rachelle Loyear has spent over a decade managing programs in corporate security organizations. Focusing strongly on security risk management, she has been responsible for ensuring enterprise resilience in the face of many different types of risks, both physical and cyber. She has recently co-authored “The Manager’s Guide to Enterprise Security Risk Management: Essentials of Risk-Based Security.” Rachelle is certified as a Master Business Continuity Professional (MBCP) through DRI International, as an Associate Fellow of Business Continuity International (AFBCI), as a Certified Information Security Manager (CISM) through ISACA, and as a Project Management Professional (PMP) through the Project Management Institute (PMI). She is a member of the Global Security Risk Management Alliance and is vice-chair of the Crisis Management and Business Continuity Council of ASIS International as well as serving on that organization’s IT Security Council.
Christopher P. Skroupa: How can organizational resilience be a driver to increase executive engagement in and excitement for enterprise risk management?
Rachelle Loyear: Organizational resilience is an increasingly hot topic in business publications and conferences because the nature of our business environments has, in the last decade, become increasingly volatile, changeable and threatening to the long term business planning model that executives used to be able to rely upon. The “five-year plan” used to be a detailed document with reliable forecasts and trends. Now, while businesses might be able to set general goals for five years, the idea that we can predict the marketplace for most things that far out is almost laughable.
And that’s where the resilience concept comes in. The resilient organization must be able to pivot quickly to either avoid the negative impact of risk or embrace and take advantage of the positive impacts of risk. Executives in resilient enterprises know that this ability to adapt quickly relies mainly upon seeing those risks coming as far out as possible—and that’s where the two ideas of resilience and enterprise risk management truly come together.
Skroupa: How does employing risk management in an enterprise increase resilience, even without a formal resilience program?
Loyear: Managing risk is the main pathway to becoming more resilient. Enterprise risk management is about continual environmental scanning—identifying both positive and negative risks, assessing them and either treating them in some way if needed, or simply accepting them as within tolerance.
The critical piece is being aware of risks. Being constantly blindsided by unknown risks makes being resilient in the face of those impacts much, much harder. It comes down to the old saying: “Knowledge is power.”
So even in an organization that has no resilience program (or maybe hasn’t even heard of the term “organizational resilience”) understanding risks, knowing what might come, having a plan in place to deal with it, or at least not being paralyzed by shock when it occurs—all that combines to make you resilient whether you want to call it that or not.
At the risk of loading this up with too many old sayings, I’ll trot another one out. Eisenhower once said, “In preparing for battle, I have always found that plans are useless, but planning is indispensable.” And that’s how ERM makes a company more resilient—it’s forethought about what you might do in “battle” that gives you the flexibility once there to either execute the plan, or change it on a dime if you need to, because you’ve thought it out ahead of time.
Skroupa: If a formal resilience program is in place, how can using ERM principles increase the effectiveness of that program?
Loyear: Formal resilience programs are even better, of course. Any time executives give thought to the concepts of risk management and making the enterprise more nimble and better adapted to deal with risk and change, they are automatically making themselves more flexible and better prepared. It’s a virtuous cycle that having a formal program steadily improves by having regular, documented reviews of the overall enterprise risk environment.
If you are working with a formal ERM program, even better, because you will be revisiting the topics in a measured way and ensuring you keep focus on that goal of always being aware of the risk situation. Risk management also helps you by giving you the opportunity to revisit your tolerance levels to see if they have changed as the risk environment evolves.
Skroupa: What should executives and boards be asking about and be expecting to see from a resilience program that is managed through ERM principles?
Loyear: There are two places where executives and boards need to ensure they are getting what they need in a resilience program managed with ERM principles. The first is program development; the second is ongoing management.
Initially, in program development, the resilience program leader must be intimately familiar with the entire enterprise; needs to partner closely with all of the business leaders; needs to understand what the overall business mission and goals are; and needs to be able to communicate well enough and work well enough across all lines of business to determine the assets, programs, processes, and functions that are critical to ensuring the resilience of the organization in the face of risk and change.
That foundation of awareness and strategic partnership across the enterprise is the bedrock of what executives need to look for in the person developing the risk-based resilience program. ERM cannot be done in a vacuum. It’s not the job of the risk manager to decide alone what’s important, what’s not, and what risks need to be treated or can be accepted. That can only be decided by business leadership—the real “owners” of risk. The attitude of the risk manager, of knowing that the role of managing risk is in ensuring the business can make educated risk decisions on tolerance and response, and knowing the role is not in forcing the business to eliminate risk just because it exists, is paramount. I could talk for hours on how critical this is, but this is meant to be a short interview.
Once a resilience program is up and running within the tolerances set by the business, executives need to look for two things. First, regular reporting to executives and the board on whether risks are being managed within the set tolerances. This is not a lengthy or involved report. Many risk managers want to prove their usefulness by overwhelming leadership with registries of hundreds of risks they are tracking and mitigating. That’s not useful for senior leadership. Pick five to ten of the critical risks, make sure the executives agree on the tolerance, and regularly report if those tolerances are still “in the green” or if circumstances might be pushing against tolerance and need to be adjusted.
The second thing to look for from an executive level is regular risk forecasts. What are the new risks on the horizon? Do they need to be examined? Do they need to be treated? Most of all, do they need to be added to the top five to ten risks that are reported on regularly?
From an executive and board perspective, that’s really all to look for. The ERM program will, of course, have much more going on at the operational level, but those details can be left to a competent risk team and their strategic partners in the business. The board needs the big picture. The key risks and their status plus risk horizon. Those things will enable the enterprise to understand the business risk environment and to respond resiliently when any of those identified risks—or even surprise risks—appear and impact the organization they are responsible for.
Christopher P. Skroupa is the founder and CEO of Skytop Strategies, a global organizer of conferences.