From Hurricane Sandy to Hurricane Isaac and Colorado's wildfires, 2012 has been a year that has tested businesses' risk-management strategies.

Hurricane Sandy, for example, caused massive power outages, leaving many credit unions without power for days. Issues with mobile and Internet services led to problems with online banking, direct deposits and loan payments, and resulted in a significant need for financial assistance.

Hurricane Sandy and other natural disasters show that risk management is not just about building harder walls around the data center.

It's a much broader scenario that involves identifying all the possible problem areas before disaster strikes, in order to create a comprehensive strategy. By addressing the top lessons learned from natural disasters, we can hope that the saying “history repeats itself” doesn't come true the next time a storm rolls in.

Lesson One: Make Risk Management Everyone's Business

Within every integrated business process, risk management should be embedded into every step, regardless of whether you are in finance, human resources, the supply chain or directly in the line of business. Just because a hurricane might not strike every day doesn't mean the business shouldn't always be prepared with an effective governance, risk and compliance strategy throughout the organization.

Unfortunately, at many credit unions the management of operational risk is siloed in different parts of the business, leading to inconsistency in how operational risks are measured across the enterprise.

Lesson Two: Review Risk Management and Remediation Plans Every Six Months to a Year

In today's rapidly changing business environment, new risks are constantly being created. Businesses should go through their operations and ask: “Are there new viruses that could access our system now? Do we have our systems backed up? Have we identified our business-critical assets?”

The best way to review strategies is to have stress tests and scenario analyses that can be used to understand the potential negative impacts from rare events that are typically omitted in risk models, such as hurricanes. Having a system in place that can easily be modified to respond to new risks is also critical.

Lesson Three: Ensure Redundancy in Critical Systems

Gartner Research reveals that nearly 40% of businesses that undergo catastrophic data loss or data-center downtime never recover from it. This highlights the significance of disaster-recovery plans that include redundant systems. With redundant systems, the business-critical data is backed up on a secondary server, so that there is essentially a cloned system.

A credit union may conduct a scenario involving a computer system outage. If the organization has an effective risk-management strategy, it would know what its critical systems are — anything that handles transactions for customers — and would make sure there is a redundant system in place so that if “System A” shuts down, it can ideally flip a switch and have “System B” up and running.

Lesson Four: Have Automated Alerts and Testing

When finance uses manual, paper-based processes, even a minor error can trigger a cascade of time-consuming and expensive consequences. With financial-process automation, automated controls and alerts can identify errors early on.

Additionally, software testing is a typical way to prevent potentially risky upgrades. Traditional, manual testing strategies, however, take valuable resources away from the business and delay the delivery of desired capabilities that may impact revenue or operating costs. Compliance suffers because manual testing is so time consuming that testers often do not have time to thoroughly or consistently document tests or results.

Lesson Five: Implement a Tolerated Plan

In the midst of a natural disaster, businesses need to accept the fact that some systems may fail. The key is for organizations to identify which systems they can afford to have down for an hour, a day or a week. Payroll, for example, doesn't have to be up and running immediately.

However, there are systems where there is no tolerance for more than an hour — such as an ATM. Implementing a system-by-system assessment of how long an organization can live without certain applications helps identify which critical systems need to be backed up.

Risk Reflection

Over the past year, many companies suffered tremendous losses during natural disasters due to failure in correctly anticipating and managing risks. The goal is to integrate risk management into the everyday lives of all managers to enable them to see and assess the company's complete risk profile.

There is no question that this provides the most strategic benefit to an organization. While it's impossible to say “that will never happen again,” credit unions that implement a comprehensive approach to risk management will be in a better place to prevent and recover from natural disasters in 2013.

Bruce McCuaig is director of solution marketing, SAP Solutions for Governance, Risk and Compliance,

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.