Business Continuity Strategies – Protecting Against Unplanned Disasters – Third Edition

Author: Kenneth N. Myers

In this book, the author discusses strategies for addressing two classes of catastrophic crises that can happen to an organization: the failure of computers, and violence and terror in the workplace.

Regarding the first class, the author repeatedly argues against two things:

–    Deciding too easily on a disaster recovery site where all business software is duplicated
–    Asking the business people the wrong questions when determining the BIA (business impact analysis).

As far as the latter is concerned, consultants turn out to be asking questions that are structurally wrong. For example, do not ask:

–    How long can you do without a PC?

Because then the answer is always something very short, like “24 hours”.

Ask the question differently, by confronting them with the actual situation that has occurred:

–    IT and the server network will be unavailable for 14 calendar days. What are you going to do, and what do you need, to continue or save the business?

With this way of asking the questions, the business people become much more aware of the problems that might arise, and they start thinking more carefully.

The author also gives a number of examples of alternative ways of working for various departments in an organization during a crisis, which can be applied in a large number of companies. These are meant to temporarily bridge the PC-less period: the time the ICT department needs to get everything back up and running.

In this book the author tackles the question in a solid way. The first chapter is therefore about defining the issue. Then come the chapters on computer failures and on violence in the workplace. Next he gives some advice on how to approach a contingency plan. He also gives some attention to awareness and training.

Apart from the alternative examples of possible practices in case of a computer outage, the discussion of what a disaster recovery site is and is not good for, and the guidance on how to ask the business the questions needed to draw up a BIA and the related contingency plan, the book remains at a good theoretical level. It therefore positions itself at a level above that of beginners.

Implementing Enterprise Risk Management

Editors: Fraser, Simkins and Narvaez

This 650-page book is intended as a textbook and exercise book, which I believe can be used in a Bachelor’s program on Enterprise Risk Management. It consists of 35 chapters, actually 35 stories, each of which ends with a questionnaire to guide a discussion by a team of students. It is accompanied by another book, namely “Enterprise Risk Management – today’s leading research and best practices for tomorrow’s executives”, which is the associated theory book.

Does this mean that you have to read the theory book first? Not if you already have a good basic knowledge of ERM.

The following items from this book are most memorable to me:

  • The PAPA model of LEGO: Park, Adapt, Prepare and Act. The aim is to determine the overarching strategic response based on how quickly things change in a scenario, in relation to the probability that the scenario occurs.
  • The determination of the Risk Appetite based on 7 questions:
    1. How much risk do we think we take now? (Risk perception)
    2. How much risk do we actually take? What evidence do we have? (Risk exposure)
    3. How much risk do we usually like to take? If this is less than under point 1, then we do not feel comfortable. (Risk propensity / culture)
    4. How much risk can we safely take on? (Risk capacity) This must be greater than under points 1, 2 and 3.
    5. How much risk do we think we should take? (Risk attitude)
    6. How much risk do we actually want to take? (Risk appetite)
    7. How can we implement measures and limits within the processes, products and business units to ensure that our total risk appetite is not exceeded? (Risk limits)
  • What UW (University of Washington) decided about their ERM model:

    • Assess the risks in the context of the strategic objectives, and identify the interrelation of risk factors throughout the institution, not just for each function exercised.
    • Handle all types of risks: compliance, financial, operational, and strategic.
    • Grow a general awareness that allows individuals to focus their attention on risks with a strategic impact.
    • Improve and reinforce UW’s culture of compliance, while protecting the decentralized, collaborative and entrepreneurial orientation of the institution.

  • The three lines of defense of TD Bank: 1) the business and the accountants; 2) the risk and control groups, which set standards and challenge the business to improve its governance and to take up its responsibilities and liabilities; and 3) an independent internal audit.
  • The ERM objectives of Zurich Insurance Group:

    • Protect the basic capital so that the risks that are taken do not exceed the risk tolerance.
    • Improve the value creation and contribute to an optimal risk / return profile.
    • Support decision-makers with consistent, timely and correct information about the risks.
    • Protect the reputation and brand through a healthy culture of risk awareness and disciplined, informed risk-taking.

This is just a small sample of the valuable examples that the book presents.