The addition of new technologies, like cloud computing, and social media we have new ways to access and publish important data and statistics about our trade or industry sector. Our ability to make good decisions should largely be based on the data that can be obtained about the subject at hand, and on the analysis of results identified. This should be the basis for the most informed decisions made, yet many of the business managers who interpret the results all too often prefer to use their own gut-instinct than believe the report in front of them.

Is it natural? Yes, but that does not make it right. If a business is going to invest millions of dollars into its data and information systems over a long period of time ensuring automated processes are closely linked to business activity then ensuring that the results are taken seriously is an imperative. To assess a set of results and dismiss them is one matter, but to ignore them altogether is another.

The latter course is the dangerous path that a large number of managers find they are taking because they do not have time in their schedule to understand the results. This is a case of making time to ensure that the groundwork is laid before the critical decision must be made. For example are all those meetings necessary? If they are then can someone else attend? Or can the work be done another way? It is necessary to step back and understand the analysis before making that decision. Remember in most non-critical matters 80 percent of your return comes from 20 percent of your effort and often inordinate effort is spent attaining perfection, when it need not be. Non-critical matters can always be temporarily put on the back-burner, or delegated, when time is of the essence for a critical decision.

Business is in a state of continuous improvement. Look at the history of any corporation, it is unlikely to be run the same way today as it was twenty years ago. Yet that seems to be the way in which some decision are often made. For that improvement to be truly effective across the corporate culture then informed decision making needs to be a part of that picture. Some elements that require thought:

◊ Informed decision making requires more holistic thinking

◊ Sound science is a critical component of sound decision making

◊ The scientific results are a means to making informed decisions, not an end in themselves

◊Provided with reliable information and reliable tools to process it, people will make decisions that are good for themselves and their corporation.

Armed with some thinking in each of these areas it is possible to make better use of the information available throughout the decision making process.

My biggest concern here is not what Google is not doing now – that is what they should have always done. If any government wishes to censor the Internet they have to find a way to do it themselves and not expect co-operation from an international corporation.

The point here is that any company that is operating internationally has a duty, perhaps more than any single nation state, to function in association with international treaties. This type of issue will not be going away any time soon, it also applies to a variety of on-line services such as social networking sites. Twitter has found itself being blocked in China in relation to freedom of speech. In my view it is better to be blocked than to comply.

Now China is certainly not the only country to violate the basic freedoms or even make attacks on people’s rights of thought, conscience, opinion, speech, and expression. Switzerland with its ban on minarets attacks religious freedom. From a business perspective these can be complex questions, for Google in particular breaching their “Don’t be evil” motto has an impact on their business ethics. How each corporation acts is of-course entirely up to them, but it is important to make consistent policy and live by it.

The Corporate Risk Tightrope

Risk taking is often seen as essential to business growth – it is true that many corporations would not be here today but-for the risks taken in the past. There is however a difference between the risks taken in order to grow a business and the risk of failure due to loss of key assets. We all know failure to innovate will cost companies more than just revenue. It has the potential of destroying market share and consumer confidence. One is a matter of expediency the other a matter of delinquency.

A properly designed risk management program should be designed to provide corporate ‘peace of mind’. It should provide a structured and disciplined approach to assessing and managing the uncertainties and opportunities faced. It is necessary to formulate a clear and precise plan that will address the protection of specific assets and enable business continuity in the event of the unthinkable occurring. Corporate risk management in underpinned by the creation of a sound asset protection program.

Download this article as a PDF file

Is your corporation up-to the challenge?
Some of the categories of risk that need to be considered include:

• Loss of premises
  • Disaster Recovery
  • Business Continuity
  • Fail-over sites
• Loss of Employees
• Financial Risk
  • Corporate Reporting
  • Unionization
• Legal Exposure
  • SOX, and other similar regulatory requirements have made their mark on the corporate landscape in how we complete our corporate financial reporting.
  • The Legal impact for IT has been increasing exponentially since Y2K.
• Human Rights
  • Privacy
  • Discrimination
• HR Exposure
  • Disabilities
  • Sexual Harassment
• Mergers and Acquisitions
• Demergers & Divestitures
• Joint Ventures
• Corporate Policy
  • Theft
  • Fraud
  • Identity Theft

Loss of Premises
Loss of premises is perhaps the most dramatic way in which a corporation can be affected in the event of a disaster. Consider this. In the UK recently there was a fire at a petroleum depot that was located on the edge of an industrial complex.

A major industrial disaster

We all know how disasters strike – it is always somebody else’s problem, well not on this occasion. The fire took place on Sunday morning at 7am, I was attending a wedding and staying in a hotel just 5 miles away at the time. Fortunately no-one was working in the vicinity, at the time the fire started, but it caused wide-spread devastation, including closing the UK’s major motorway. (Picture courtesy of the BBC).

The building next to the depot was the headquarters for a major electrical retailer, which was at least 700 or 800 yards away from the depot, that employed over 500 people. All of the windows were blown out of this building and power was cut as the neighbouring depot went up in smoke.

Here are pictures of some of the businesses premises impacted by the explosion that I took a month or so later.

None of these buildings caught fire, but all were closed for a minimum of 6 months, some eventually had to be bulldozed and rebuilt. Many smaller business of-course failed to re-open from the disaster.

Our electronics chain had a full disaster recovery plan ready – they simply opened at their disaster recovery site – All key workers reported to the new site on Monday morning and all other workers were at new desks within a month. Neither the Customer Services Helpline, not the IT facility was not located at the HQ building. The systems were located at another site in the town, and there was no necessity tom activate the failover site. By normal opening time, 10am, all stores in the nationwide chain opened on time and suffered no defect as a result of this disaster.

On-going disaster planning – Many companies have a need for an in-house disaster plan but cannot justify the additional technical staffing and overhead costs. It is essential to engage the right facilities that will ensure a rapid response at a minimal cost.

Simple measures can often be taken to limit the scope of a disaster – e.g. locating the control station for a major North American electrical grid supplier under the flight path to a major airport was a disaster waiting to happen – especially as the company had adequate land available to build this facility elsewhere.

I have not here even considered terrorist attack – where many high-profile international businesses need to take additional precautions.

Loss of People
Loss of premises is perhaps the most dramatic way in which a corporation can be affected in the event of a disaster, yet it is the people that are perhaps the heart of the corporation. I recently took a short flight with most of the major officers of one company attending a strategic meeting. Thankfully nothing untoward happened – but the fact remains that no more than two key personnel should have been on that flight.
Critical Personnel include:

• Key employees
• Corporate executives (the CEO, CFO, CMO, etc.)
• External Stakeholders

Necessary to identify all employees who are key to business continuity and create policies to ensure continuity. Do not make the mistake of assuming that all key employees are senior in nature even the most junior of personnel can hold critical roles – for example the junior IT operator who monitors all of the overnight jobs, lack of adequate coverage could at the very worst mean loss of revenue.

Many organizations are starting to limit their risk in each area by succession planning. The key in succession management is to create a match between the future needs and the aspirations of individual employees. One intent is increase the retention of employees because they recognize that time, attention and development that is being invested in them for the purpose of career and corporate development. All this assumes there is a meeting of the minds, without which plans mean very little.

Legal Exposure

The collapse of the financial institutions in the USA in the fall of 2008, and the subsequent collapse in business confidence is a clear example of the failure to consider this aspect of corporate risk adequately. The full story will take some time to become available, but it is clear to this commentator that SOX compliance and poor risk management were at the heart of the collapse. All banks have to manage risk as part of their obligations under the Basel II accord. It is clear that neither of these requirements were managed correctly.

It is also clear that self-management of compliance issues cannot continue. There will be a beefing up of statutory compliance bodies as a result, this must be considered as part of the corporate risk plan.

Fraud & Theft
We have heard it said before that corporate theft is a victimless crime. According to one firm of Corporate Investigators “Internal theft and fraud is estimated to cost Canadian business in excess of $4.3 Billion annually. It is estimated 80% of small business bankruptcies result from the misappropriation of corporate assets.”
As a result today the corporate executive faces a very real challenge to protect corporate assets. Identity theft also has a place in the corporate realm, but here we are not talking about stealing the corporate credit rating, but the company assets – at the head of the list being the client list.

Protecting the client list is no less of a concern today than it was 100 years ago. However using the CRM system the tech-savvy salesperson is more easily equipped to walk out the door with a copy of the client list than ever before – and furthermore the victim does not even know it has happened until they start losing customers – the worst case scenario could be business closure and job losses. Now tell me there are no victims!

Mergers, Acquisitions, Demergers and Divestitures, Joint Ventures

It not the intent here to comment on the risks inherent with pre-merger negotiations of any deal. I assume pre-acquisition due diligence has been carried out. For most organizations it is the post-acquisition surprises that can have the greatest impact start as soon as the deal is finalized.

The impact can be across all areas in particular: integration issues; personnel issues; obsolete equipment requiring replacement; plant & office closures; warranty exposures; major contracts. Satisfying the enhanced customer base is a risk of its own.

From a business perspective in an M & A situation the organization will have new staff, new cultures, new reporting methods, duplicate systems that all have to be brought into a single coherent unit. The quicker the new business structure is identified the less the potential fallout.

It is rare that a merger ends in no job-losses and everyone knows this – so it is important to identify the new corporate structure as part of the deal. Previously happy staff suddenly find the smallest excuse to leave.
The IT impact may in itself be a reason to put up the STOP! sign before the merger is negotiated. We have all seen it – Corporation A uses System X while Corporation B uses System Y – incompatibilities can become a major concern. Additionally failure to deal effectively with the volume of data, the complexity of systems integration can have disastrous consequences for the companies and executives involved. There are some rare examples where the total IT costs related to the merger outweighed the benefits sought.

Demergers or divestitures also lead to cross system issues. Who owns what piece of data and who can access it, particularly for the business intelligence system.

Your corporate risk plan will need to be revised or even completely re-written as a result of the changing business structure.

Insurance

If you speak with an insurance broker of provider then they will assure you they are capable of providing ‘a solution’, yet is this really another solution? Insurance is only really capable of minimizing the fallout after the fact. It is good to know that the buildings or the people are insured but this alone does not keep the business running.

To paint a picture an event results in a branch office being destroyed with the loss of 50 lives. Insurance will allow compensation to be paid to the grieving families, and it will allow the building to be re-built. However the coverage is nothing more than the normal standard of insurance that is expected in the workplace.
Whilst it can alleviate some of the financial risks the money that the insurance settlements will bring is not in itself protection against the risks involved, this requires an active risk management program.

Building a Comprehensive Risk Management Program

The first step in corporate protection is to develop and maintain programs to identify and assess and categorize risks, then to ensure active plans are in place to monitor  mitigation activities and track the status. There is a need for a high-level corporate group to monitor all of these risks. This requires C-Level sponsorship across all categories and regular reviews to ensure that

• Risk Planning
  • Per Business unit
  • Each business unit is expected to assess prospective risks faced.
  • Per Location
• Locations must each have a separate working plan .
  • IT plan
  • Each system requires some form of fail-over capability and certain at-risk businesses should locate their Data Centre off-site
• Impact of non-implementation

Ultimately all corporate risk relates to financial risk management. We all tend to define risks in terms of their effects on a firm’s accounting results—such as earnings, net interest income, and return on assets, etc. They also have an insurance impact. Professional management of the risk is the key to success.

There are two main things that need to be covered when defining a recovery plan:

• Protect documents and data,
• Create a check-list of “what-ifs” and write out what your businesses’ response would be,

Documents and data are critical to the success of the business. It is often said that people are the most valuable asset to a business, but its data comes in a very close second. A single premises business has a potential for further risk as all the non-human assets are stored in a single location. Think of the risk of a fire. Computers (or Servers) must be regularly backed-up with the copies being retained off-site.
It is important to know what your insurance policy covers, but it is also important that key documents are kept off-site. Many insurance policies only cover the essentials e.g. the stock in a store fire, but it is essential to have all IT equipment included. For the small business it can be the red-tape around a policy that can ensure a smaller business does not re-open. Off-site back-ups of computer files and important documents at least ensures that aspect of the business can re-start.

Implementing Business Intelligence solutions it has historically always decided that a data warehouse would simply be re-populated on a new system as part of the disaster recovery plan. In the early days of data warehousing solutions it was possible to simply re-populate the database on a new environment. This is no longer an option for a Business Intelligence solution as the complexity of systems continues to grow. It is essential to consider mission critical the BI system is along with every other corporate application.

In determining how mission critical any system is there are a number of factors that need to be identified. These include:

• Goals generic to the industry sector
• Factors unique to the business being measured
• Applications and their contribution to global business goals
• Corporate legacy architecture

When assessing various parts of the architecture they forget to ask how important is this to the success of the corporation as a whole. E.g. how critical is the success of the passenger check-in system to the success of an airline? The answers will determine a league table of the system criticality.

How mission critical is your BI Solution?

The truth is it will never be the most critical system in the organisation, but it can no-longer simply be repopulated from old data. In our airline example systems relating to safety and ensuring planes continue to depart on-time will always be the most critical of systems. The analytics provided by the BI solution will have become very important in today’s business world.

Closed-loop analytics is becoming increasingly important to many corporations. In one telecom company this capability was so closely tied to the CRM system that Customer Service agents would simply be unable to function correctly without the BI input into the process.

“I want to close my account, and transfer my telephone number to provider X”, takes the agent to a decision based process, that will firstly determine whether the customer is one that the company wishes to retain. Assuming they have retention value the process will provide a set of alternative offers that can be presented to the customer, with the express intent of retaining them. Each step in the process combines the knowledge of the BI system with the capabilities of the CRM. Clearly a mission critical system – central to Disaster Recovery. Not having the two components working smoothly together will damage corporate responsiveness. Agreed the systems are not as mission critical as those necessary to keep the cellular network active, but crucial nonetheless.

According to Wayne Eckerson of TDWI “the litmus test is whether a data warehouse becomes so mission critical that when it goes down people begin to have problems”. This in my view is more the test of when the BI system need to have automatic failover applied to it (as DR is concerned with more than individual machine failure). Many of the database vendors, such as IBM, Oracle and Teradata include failover.

Failover would not have been possible for a server located in the world trade centre on September 11^th 2001, but recovering from the disaster means alternative systems come back on-line within the prescribed time.

Many data warehouses contain derived and aggregated data, which forms the basis upon which specific business decisions can occur. This data needs to be stored and associated with the decision made as an historical check-point. Whenever advanced analytics functions are engaged it is often necessary to update the data warehouse. It is unlikely this data will ever appear in any operational system, placing the data warehouse firmly in the critical path for disaster recovery.

There may be some operations managers that feel adding the data warehouse to the list of critical systems means that other systems are removed. It however important to remember that the role of the data warehouse is to retain historical subject oriented data and is not a backup of associated operational source systems.

The continuity of business ultimately depends on the recovery of the data warehouse as a part of a recovery from a disaster in order to sustain the business and grow from the point of the disaster and moving forward, which often necessitates innovative advances in the marketplace to demonstrate the effectiveness of the corporation.

Peter B. Giblett