From Hurricane Sandy to Hurricane Isaac and Colorado’s wildfires, 2012 has been a year that has tested businesses’ risk-management strategies.
Hurricane Sandy, for example, caused massive power outages, leaving many credit unions without power for days. Issues with mobile and Internet services led to problems with online banking, direct deposits and loan payments, and resulted in a significant need for financial assistance.
Hurricane Sandy and other natural disasters show that risk management is not just about building harder walls around the data center.
It is a much broader exercise: identifying all the possible problem areas before disaster strikes, in order to create a comprehensive strategy. By addressing the top lessons learned from natural disasters, we can hope that the saying “history repeats itself” doesn’t come true the next time a storm rolls in.
Lesson One: Make Risk Management Everyone’s Business
Within every integrated business process, risk management should be embedded into every step, regardless of whether you are in finance, human resources, the supply chain or directly in the line of business. Just because a hurricane might not strike every day doesn’t mean the business shouldn’t always be prepared with an effective governance, risk and compliance strategy throughout the organization.
Unfortunately, at many credit unions the management of operational risk is siloed in different parts of the business, leading to inconsistency in how operational risks are measured across the enterprise.
Lesson Two: Review Risk Management and Remediation Plans Every Six Months to a Year
In today’s rapidly changing business environment, new risks are constantly being created. Businesses should go through their operations and ask: “Are there new viruses that could access our system now? Do we have our systems backed up? Have we identified our business-critical assets?”
The best way to review strategies is to run stress tests and scenario analyses that expose the potential negative impacts of rare events, such as hurricanes, that are typically omitted from risk models. Having a system in place that can easily be modified to respond to new risks is also critical.
Lesson Three: Ensure Redundancy in Critical Systems
Gartner Research reveals that nearly 40% of businesses that undergo catastrophic data loss or data-center downtime never recover from it. This highlights the significance of disaster-recovery plans that include redundant systems. With redundant systems, the business-critical data is backed up on a secondary server, so that there is essentially a cloned system.
A credit union may conduct a scenario involving a computer system outage. If the organization has an effective risk-management strategy, it would know what its critical systems are — anything that handles transactions for customers — and would make sure there is a redundant system in place so that if “System A” shuts down, it can ideally flip a switch and have “System B” up and running.
Lesson Four: Have Automated Alerts and Testing
When finance uses manual, paper-based processes, even a minor error can trigger a cascade of time-consuming and expensive consequences. With financial-process automation, automated controls and alerts can identify errors early on.
Additionally, software testing is the usual way to catch problems in potentially risky upgrades before they reach production. Traditional, manual testing strategies, however, take valuable resources away from the business and delay the delivery of desired capabilities that may impact revenue or operating costs. Compliance suffers because manual testing is so time consuming that testers often do not have time to thoroughly or consistently document tests or results.
Lesson Five: Implement a Downtime-Tolerance Plan
In the midst of a natural disaster, businesses need to accept the fact that some systems may fail. The key is for organizations to identify which systems they can afford to have down for an hour, a day or a week. Payroll, for example, doesn’t have to be up and running immediately.
However, there are systems, such as ATMs, for which more than an hour of downtime cannot be tolerated. Carrying out a system-by-system assessment of how long the organization can operate without each application identifies which critical systems need redundant backups.
Over the past year, many companies suffered tremendous losses during natural disasters due to failure in correctly anticipating and managing risks. The goal is to integrate risk management into the everyday lives of all managers to enable them to see and assess the company’s complete risk profile.
There is no question that this provides the most strategic benefit to an organization. While it’s impossible to say “that will never happen again,” credit unions that implement a comprehensive approach to risk management will be in a better place to prevent and recover from natural disasters in 2013.