THE MAIN GOAL OF ENTERPRISE RISK MANAGEMENT IS TO IDENTIFY POTENTIAL RISKS THAT BUSINESSES MAY FACE CONCERNING THEIR ASSETS AND SUSTAINABILITY AND EVALUATE THE POSSIBLE IMPACTS OF THESE RISKS.
Enterprise Risk Management Association
Resilience and Business Continuity Management Working Group
Disasters, due to the magnitude of their impact, require the management of extraordinary situations, i.e., emergency management. In these situations, regular management structures and activities are inadequate, necessitating different approaches.
Disasters are often grouped into three main categories by source: natural, human, and technological.
Natural disasters, amid the challenging times the world is going through, encompass many disasters that trigger each other due to the limits of their resources. Individual efforts and even those of institutions may not be sufficient in the face of these major disasters, emphasizing the increasing importance of significant collaboration every day.
Natural disasters may include earthquakes, floods, droughts, fires, and tsunamis, while human-induced disasters can stem from human error or malicious intent, such as terrorist attacks. Especially with the rapid pace of technological development, technology-induced disasters have become more common, such as cyber-attacks and ransomware, infrastructure or data center failures, etc.
Disaster and emergency management begins and continues with risk management. Disaster management consists of four main stages:
Risk Analysis and Damage Reduction
Preparedness
Recovery
Response
Although the word "risk" is only in the name of the first stage, risk management plays an active role in each stage. This article will examine the role of corporate risk management in the management of disaster and emergency risks and focus on how businesses can be prepared for such risks.
1. Risk Analysis and Damage Reduction
To effectively manage risks that may lead to disasters and emergencies, it is essential to first identify and assess these risks. The main goal of enterprise risk management is to identify potential risks that businesses may encounter concerning their assets and sustainability and evaluate the possible impacts of these risks. These risks may arise from human error or malicious intent, as well as extremely challenging natural disasters. Therefore, comprehensive enterprise risk management outcomes help businesses understand the types of disaster and emergency risks they may encounter.
During the analysis of disaster and emergency risks, different components can be examined based on the type of disaster. For example, in the case of a natural disaster, several key components may include:
Building, ground, and structure information of the business
Structural and non-structural elements of the business
Transfer pathways for energy, water, natural gas, steam, etc., supplied by the business
Storage locations and preservation methods of flammable, combustible, or explosive materials in the business
Conditions of equipment, stocks, technology areas/hardware rooms used in the business
All these components should be carefully examined for their behaviors during and after a disaster. Precautions based on risk analyses conducted at this stage should be addressed both at this stage and in the preparation stage to prevent possible secondary disasters. These components are given as examples, and it is emphasized that they may not provide sufficient coverage for any type of disaster. Tailored studies for each business on how to reduce both risky areas and risks in these areas according to their own conditions are beneficial.
Enterprise risk management increases businesses' sensitivity and awareness of disaster and emergency risks, helping them anticipate the potential impacts of such events. Enterprise risk management covers all areas in which the institution operates and aims to address all major risks, both internal and external, in strategic, financial, compliance, and operational categories.
Therefore, it is crucial for preparing for disasters originating from nature, human factors, and technology, as it adopts a comprehensive approach.
2. Preparedness
The benefit of an integrated system for disasters and emergencies is evident. It is essential to determine teams from the strategic level to the tactical and operational levels, define their roles, conduct and implement drills, and be prepared.
The concepts of vulnerability, resilience, and flexibility come to the forefront in relation to the notion of damageability.
Vulnerability is largely associated with the proximity of the disaster to the location and physical location. Resilience points to the issues that need to be addressed in the preparation phase. Flexibility, especially influenced by some established beliefs in our culture, may be misunderstood somewhat differently. Contrary to common belief, it is challenging for unprepared parties to demonstrate the intended flexibility.
In national or international private/state disaster management plans, assigning tasks to relevant people constitutes the cornerstone of the preparation phase. These tasks include:
Command (coordination)
Operation and Incident Scene Management
Planning
Logistics
Finance, procurement, and administrative affairs
Internal and external communication
Safety, health, and technology representatives can also be added to this team. Within the scope of the powers given to the team, flexibility can be ensured according to the developing events. However, the main goal is to establish these structures and increase resilience primarily.
Enterprise risk management should play a role in this integrated disaster management by taking on the responsibilities of internal consulting and program oversight. It is crucial, especially in determining the levels of strategic, tactical, and operational decision mechanisms and who will be responsible for managing events.
After these working groups are formed, detailed plans should be created by revisiting the risk analysis and damage reduction steps if necessary. Resource acquisition, which communication channels will be used at which step, designing necessary training, and many other steps are processed during this period.
Since disaster and emergency situations can be triggered by events that we may encounter only a few times in our lifetime, our reflexes that become automatic in normal flow are disabled, and we need to develop new habits for these events. The only way to do this is through drills. Business continuity plans, which should be activated in the operation of integrated disaster management, should also be examined by enterprise risk management teams and facilitated, as seen in some institutions.
3. Response
The teams formed during the preparation phase should come together after the incident and make decisions within the scope of assigned tasks. The institution's quick and accurate analysis of the current situation and the coordination of its resources from a single point prevent the incident from turning into a crisis and chaos.
To ensure resilience, after well-conducted risk analysis, damage reduction, and preparation stages, an intervention plan should be created for operational use. The decisions to be made in this intervention plan may vary based on the competencies of relevant leaders and the flexibility of the institution, depending on the conditions of the day.
Effective and efficient use of resources is crucial at this stage. The first task after a disaster is impact and needs analysis.
The institution must determine how much impact it has been exposed to, including humans, buildings, equipment, technology, and third parties with whom it works, based on its strategic priorities and identify its priority needs.
This is achieved through Coordination (Command) Centers and Operation and Incident Scene Management teams. It is especially important that the coordination center be in a different location from the incident site, both for the soundness of the decisions made and so that its members are not themselves already victims of the disaster.
Of course, in the initial moments, the information provided to external stakeholders and the information received from external stakeholders are also crucial, and communication should involve experts in the process.
Representatives of corporate risk management, especially in supporting decision mechanisms in the implementation of plans and in current situation analyses, play a role in these processes. They can contribute to the effective and efficient use of resources because they also contribute to the institution's prior determination of the resources they will need in disaster and emergency situations.
4. Recovery
For the institution to become operational again, it must have prepared Disaster Recovery Plans for its technology and Business Continuity Plans for its processes. Healing the wounds of the disaster should address not only the material aspects but also the sociological and psychological ones. It is essential to work with professionals in these fields.
The enterprise risk management process continuously reviews the disaster and emergency risk management processes and identifies improvement opportunities. This ensures that businesses are continually better prepared for disaster and emergency risks. For example, a business can conduct a self-assessment after each disaster or emergency event, using the lessons learned from these events to improve its processes.
Transition from "Crisis Management" to "Risk Management"
Disaster management should be approached comprehensively, and all stages should be effectively implemented. It should be continuously renewed, reviewed, and updated as a living system. Responsibility sharing, integration of units, and effective communication should ensure coordination.
Emphasis should be placed on reducing damage, preparation, forecasting, and early warning to prevent incidents from turning into disasters.
A corporate structure that ensures collaboration and coordination should be established
Proactive policies should be created rather than reactive ones
A Disaster Management Center should be established
Disaster Management Plans/Organization structure should be established
Since October 2009, the Enterprise Risk Management Association has been a member of FERMA (Federation of European Risk Management Associations), which was established in 1974 and has more than 4,000 individual members. With its membership in FERMA, our association aims to create a common culture regarding Risk Management and Insurance operations in Europe, develop practices for risk management, and set an international benchmark for professionals in this field. FERMA membership is crucial for the Enterprise Risk Management Association to exchange experiences and information among organizations with a similar vision in European countries. Moreover, through this membership, the Enterprise Risk Management Association will have the opportunity to represent our country in an international setting where each country is represented by a single association.