What Does Enterprise Risk Management Have to do With Business Continuity?

The set of circumstances surrounding last year’s destructive hurricanes – particularly Katrina, Rita and Wilma – was overwhelming for many companies. Some found they had underestimated the destruction the hurricanes would cause, and the need for human relief outweighed so many other considerations.

Other companies, however, weathered the storm by activating disaster recovery plans and continuing to serve their customers with little impact. Their businesses continued to operate, in spite of the devastating effect the storms had on their employees. What made their experiences so different? The answer is an integrated process, a major principle of Enterprise Risk Management (ERM).

Here’s how one company used this process to create a solid business continuity plan, helping it survive disaster.

Call Center Stands Up to Hurricane Wilma
Located just 15 miles from Ft. Lauderdale, Florida, the Convergys Tamarac Contact Center employs over 1,000 customer service representatives and support staff. On a daily basis, it handles customer service requests for clients in industries ranging from telecommunications to financial services to health care, serving clients in the program areas of credit and collections, wireless, long-distance, cable and video and emergency preparedness.

When Hurricane Wilma headed toward Florida last October, Convergys knew it needed to step up to the plate if the company was going to survive the storm with little to no impact. The company got started right away, long before the storm ever hit land.

First, the corporate Business Continuity Planning Group began providing storm updates to its Florida and Gulf Coast sites through its global tracking software. Then, just 72 hours before Hurricane Wilma struck, the Tamarac Incident Command Team (ICT) met to discuss its business continuity plan. Program by program, the ICT began invoking its site and program plans over the next 60 hours. Here are some of the company’s key initiatives:

• Contingency routing plans: The team designed its programs with intelligent contingency routing plans that had built-in business rules to automatically trigger routing changes based upon the current situation in the network or in the contact center. Because of the programs’ design, the team was prepared to re-route call volumes seamlessly to other Convergys call centers if need be, so there would be no interruption of services.
• Corporate call-in number: As the storm hit the area, the Tamarac ICT closed the call center for the safety of its employees. Sixty hours later, even though power had not been restored to the area, the Tamarac center reopened its doors thanks to generator power, alerting its employees through a corporate call-in number.
• Cross-training employees: Due to the devastation of the storm, only 10 percent of the facility’s customer care reps were able to report to work that first day. Fortunately, Tamarac’s customer service reps had been trained on multiple call types, helping offset the depleted staff. They also used automated voice solutions that were able to handle unplanned volume spikes. Large call volumes continued to be re-routed to other call centers.
• 
  

  Generator power for eight days:

  The Tamarac site ran on generator power over the next eight days as commercial power slowly returned to the area. Two of four air conditioning units were inoperative, but the facility escaped structural damage. One reason: This site, like all Convergys call centers, was built to meet rigorous, standardized infrastructure requirements.

• Providing basic necessities: Convergys also took steps to ensure the quality of life for its employees. “There was no public water and sewage was backing up,” says site Incident Commander, John Sargis. “Convergys sent trucks filled with water, food, diapers and other supplies to help feed and clothe the staff as they endured two weeks without basic city services.”

Enterprise Risk Management is the Key to Broader Business Continuity
So how did Convergys manage to get through the hurricane with such a minimal impact on its business? The fact is, Convergys call centers, including the Tamarac facility, have remained efficient and productive throughout the past two years, despite facing events ranging from hurricanes to fires to tsunamis.

That’s because of Convergys’ Business Continuity and Disaster Preparedness and Recovery plan – a plan that first asks “What’s the worst that can happen?” Notably, the plan is supported by an executive team that itself trains to respond to events that may become a corporate crisis. By focusing on strong executive and financial commitment, integrated planning with processes to protect mission-critical elements and a well planned and understood communication strategy, Convergys operations are prepared to meet the needs of its clients and their customers, regardless of whatever disruptive events may occur.

Companies that successfully continue or recover operations in spite of tremendous odds practice risk management against a specific risk – the risk of disruption to operations. They’ve taken the time to identify and assess the potential risks, validate and measure the necessary controls, take specific actions to mitigate or optimize the risks, then monitor the action plans.

The same process underpins a successful Enterprise Risk Management (ERM) program; one that takes into account any risk that could disrupt strategic or operational plans. If you broadly define risk as a “chance” that something will happen (good or bad) that impacts the organization (positively or negatively), you start to see a much wider picture.

Consider the following: What if…

• Your acquisition due diligence process fails to properly assess and identify issues that could potentially lead to major earnings-per-share losses?
• A disgruntled employee misappropriates confidential information (yours or your customers’) and publishes that information?
• Your assets are confiscated or nationalized by a change in government control?
• You fail in a major new product release?
• The government enacts significant regulations that impede your growth?
• Everything happens at once?

In other words, what worries keep you up at night? Can your company survive if one or more of these events actually happens?

A successful ERM program requires the same level of executive sponsorship, process governance, integrated planning, accountability and communications strategy that support successful business continuity planning.

The beauty of ERM is that you don’t limit the stakeholders to considering only certain hazards and you don’t limit them to considering only the risks over which they have control. That way you surface all kinds of risks – physical, environmental, security, technology, financial, regulatory, compliance, etc.

ERM makes risk accountability a visible and documented process, not only for the manager who is making a particular decision or preparing a particular plan, but also for the executives and the audit committee. By grouping and ranking risks, management and the Board of Directors are better informed about the overall risks facing the organization through an enterprise-wide prism.

For example, one manager might think an action has no risk – but that action could create a huge risk for another manager. ERM makes those silo decisions and action plans transparent to the wider organization. As a result, planning becomes more collaborative. To be truly effective, an organization cannot conduct ERM in a vacuum. Partnerships are required. At Convergys, both Risk Management and Internal Audit are equal ERM partners with defined roles in support of the risk owners.

The ERM Framework
An ERM framework identifies who owns what part of the process. See Figure 1 to understand how Convergys’ ERM framework works, and what teams need to take responsibility for which areas.

How can you implement a successful ERM program in your company? Here are a few tips:

• Keep it simple.
• Maintain dialogues with the executive sponsors and the risk owners throughout the process.
• Validate (a very important step).
• Give risk owners help in creating mitigation plans.

By tying strategic and operational plans to the ERM process, ERM becomes an integral part of overall planning and not a one-time, stand-alone project.