An executive perspective from Fusion Risk Management on critical issues affecting the enterprise across Risk Management, Business Continuity, Disaster Recovery, Crisis Management, Governance and Compliance.

• Dissatisfied with your current risk management program and planning tools?
   
• Managing Risk vs. Managing the Business
   
• Top Mistakes in Business Continuity & Disaster Recovery
   
• Data Center Transformation -- How can the enterprise achieve operations that are economical, scalable and resilient?
   
• Strategic Considerations for Enterprise Business Continuity Management
   
• Business Resilience -- Focus on the Facility or Focus on the Business Unit?
   
• Continuity Risk Management -- A new name for what we already know or is there more to it?
   
• You have an opportunity to elevate and advance your enterprise BCP program. So where should you begin? Consider starting at the top.
   

Please contact Fusion to discuss these and related topics with you.

Latest Thinking @ Fusion

Dissatisfied with your current risk management program and planning tools?

Here is what people like you tell us about the Fusion Framework Risk Management and Contingency Planning System:

• "The Fusion Framework is head and shoulders above other planning tools for ease of use..."
  -- BCP Manager, mid-size distributor
   
• "I see how we can use this system in our environment to better manage our risks..."
  -- Audit Manager, large-enterprise consumer goods manufacturer
   
• "I wish I could have a system that can do all of that..."
  -- Sr. Manager, Business Continuity Planning, large-enterprise health care company
   
• "Your system is much more flexible to meet our needs..."
  -- VP, Business Continuity Management, large-enterprise financial services firm
   
• "We really like the ability to continually evolve our plans..."
  -- Corporate EH&S Director, mid-size packaging manufacturer
   
• "We're very interested in how this can help us get accountability from everyone involved in the program..."
  -- CFO, mid-size sporting goods manufacturer

Please contact Fusion to discuss these and related topics with you.

Andy Mercker, Vice President
Fusion Risk Management

» Top of Page

Latest Thinking @ Fusion

Managing Risk vs. Managing the Business

aka "The disconnect between risk management and how the business is managed".

As we continue to pursue the vision on behalf of our clients to bring together multiple areas of risk management into a cohesive and meaningful program at the executive level, we are increasingly presented with the stark disconnect between the executive decision-making process and risk management activities ongoing throughout the enterprise.

While each area of risk management, such as Business Continuity, Disaster Recovery, EH&S, Insurance Risk Management, Audit, etc. operate under some level of mandate and with the best of intentions to protect and enable the enterprise, the reality is that these disparate activities with their disparate reporting structures and disparate definitions of what constitutes risk inadvertently create a noise level in the executive suite that disables a comprehensive approach to risk management.

Though the concept of Enterprise Risk Management has become a part of the executive dialogue, the challenge remains to establish a truly comprehensive yet manageable approach to risk management that enables executive decision making rather than distracts from the process of managing the business; causing business decisions to be made away from the risk management process.

At Fusion we have been deeply engaged in this issue, continuously advancing our top-down approach, and advancing our tools to truly address this challenge. Fusion's current state-of-the-art is a structured methodology that puts risk management in the context of how the business is organized, how it is reported, and how it is managed.

Consider that every time the decision is made to hire an individual, build a new plant, develop a new product, or make (or defer) any type of business investment, a risk-based decision is being made. Nonetheless, some businesses consider insurance to be risk management. For others, business continuity is risk management. Still others see manufacturing redundancy or supplier redundancy as risk management. Yet for those that lack the measurement process to level-set or "normalize" risk across the enterprise, the challenge to make risk management an executive decision-making tool can be insurmountable, even after spending hundreds of thousands or millions of dollars with traditional approaches from traditional consulting firms.

Today our enterprise clients are gaining the benefits of our top-down approach to risk management. It has led to "eye opening" experiences such as finding insignificant low-volume suppliers to represent critical risks to the organization. Or finding that successful consolidation efforts, when viewed through a risk management lens reflect a concentration of risk that is deemed unacceptable to the enterprise.

Looking ahead, clients who have adopted our top-down approach are now enabled at the executive level to engage in risk-based decision-making that reflects their actual risk profile across all of the risks relevant to their business operations.

Please contact Fusion to discuss these and related topics with you.

David Nolan, CEO
Fusion Risk Management

» Top of Page

Latest Thinking @ Fusion

Data Center Transformation -- How can the enterprise achieve operations that are economical, scalable and resilient?

Today, many companies' data centers have become out of sync with the needs of the business. As we engage with clients and prospective clients in mid-size and large enterprises we consistently find that CIO's struggle to align initiatives, projects and activities with strategic business objectives.

In addition, we find that many corporate data centers are becoming too costly to operate effectively relative to their size, or have grown and evolved to such an extent that they have become impossible to recover successfully from a major disruption. What's more, as IT leaders look toward future demands, and tightening budgets, their existing data centers may simply be unable to support continued growth. Some firms have simply thrown technology at the problem for a number of years, and this has created a whole new set of problems at a whole new level.

Justifiably, many IT organizations are focused on keeping applications up and running while implementing new applications that deliver business value. At the same time, new technologies are driving demand for data centers that are increasingly complex, costly, and challenging to manage. Many CIO's and other IT leaders we meet with are finding that delivering the next-generation data center environment requires a set of capabilities that may be beyond the expertise of their current staff.

As a result we see an increasing need for what can be termed "data center transformation" (DCT). Simply put, DCT typically translates into optimizing and remediating your existing environment, consolidating multiple data centers, or undertaking a multi-site data center strategy. While hot topics include virtualization, cloud computing and the like, data center transformation also includes more mundane topics such as optimizing power and cooling, considering alternatives for data back up, or evaluating software licensing and maintenance agreements. Cost, performance, availability, security and recoverability all contribute to create a complex set of requirements with wide margins for error.

Done right, DCT requires a strategic approach that begins with the current and future needs of the business, combined with a comprehensive evaluation of the hot technology topics as well as a comprehensive review of current data center operations, capabilities gaps, and projected lifecycles.

These activities, while requiring a significant initiative, can save even a mid-size enterprise millions of dollars. For large enterprise environments, the cost savings from taking the right approach can literally run into the hundreds of millions of dollars. Once this reality is recognized, it becomes well worth the investment of time and money to thoroughly consider all options.

The "noise level" around data center transformation is increasing, and the pressure is mounting to find immediate ways to cut costs. The thoughtful approach suggests balancing business requirements, costs and risk to achieve a comprehensive and unique perspective, as well as the strategies and options that quite likely would not have been otherwise considered.

As you take this more reasoned approach, you will come up with a variety of important questions and considerations such as these:

• How well is your data center strategy aligned to your business objectives?
   
• Has your company invested in "quick hit" cost savings projects without an overall strategy to ensure long term value?
   
• Have you assessed the risks of continuing to run your data center within your headquarters offices?
   
• What is the best area to find cost savings: power & cooling, automation, virtualization, consolidation, risk management?
   
• Do your software contracts allow you to move your licenses to a collocation provider?
   
• Will consolidation plans leave you with fewer options for business continuity and disaster recovery?
   
• How will your people manage the transformation while managing the data center?
   

...and there are many more.

Please contact Fusion to discuss these and related topics with you.

David Nolan, CEO
Fusion Risk Management

» Top of Page

Latest Thinking @ Fusion

Top Mistakes in Business Continuity & Disaster Recovery

I would like to share with you several mistakes we see companies make in Business Continuity and Disaster Recovery. Is your company making these mistakes? It may be costing you a great deal in terms of unmet expectations, unnecessary effort, or misguided investment.

• Investing in a Disaster Recovery or Business Continuity solution BEFORE defining your business requirements. We see companies make multi-million-dollar decisions to select vendor or internal solutions and implement recovery technology without the benefit of a clearly defined Business Continuity and Disaster Recovery strategy. The result can be over-architecting or over-building recovery solutions that do not align with business requirements.

Consider these questions:

-- How much data can you afford to lose? (Probably zero!)

-- How long can you afford to go without access to your IT systems? (it may be significantly less, or more, than you think)

Updating your Business Impact Analysis and Risk Assessment will ensure your recovery and technology solutions will give you the protection you need without over-spending. You may find new ways to save money while optimizing your recovery and continuity capabilities.

• Allowing your executive team to accept risk without fully appreciating the implications. When executives decide against a comprehensive Business Continuity and Disaster Recovery Program, they accept significant risk, typically without a clear understanding of whether they'll be able to compensate for the potential loss to the organization.

Enabling good decision making requires the ability to prioritize risk and remediation activities across the myriad of agendas in play within your enterprise, then present an effective business case in terms that executives will embrace, set in the context of your multi-year strategic roadmap aligned to business objectives.

• Allowing your Disaster Recovery and Business Continuity capabilities to become outdated. The number one cause of failure we see during a recovery is the divergence between an enterprise production environment and the recovery environment. Disaster Recovery and Business Continuity plans fail when the business has changed and the plans and recovery capabilities have not. We strongly encourage you to test often, test adequately, and keep your plans and solutions current.
• Viewing Business Continuity and Disaster Recovery as point-in-time projects rather than an ongoing program. From an executive perspective, it is an unpleasant reality that Disaster Recovery and Business Continuity capabilities require an ongoing program, not occasional quick-fix projects. Businesses are continually changing either incrementally over time or through strategic events such as mergers or acquisitions. By managing Business Continuity and Disaster Recovery as an ongoing program, your company can keep up with the incremental changes, streamline investments, and take the major changes in stride.

In summary, make sure you have a properly executed Business Continuity and Disaster Recovery program. Know that as your program becomes well aligned with your business requirements, provides adequate protection appropriate to your budget constraints, and is quickly evolving into a well-managed set of mature business processes, you will be well prepared should a business-impacting event occur.

If you have other top mistakes in BC/DR you would like to share, or if would like to learn how Fusion Risk Management helps organizations to implement and maintain well managed programs, we look forward to speaking with you.

Please contact Fusion to discuss these and related topics with you further.

John Jackson, Executive Vice President
Fusion Risk Management

» Top of Page

Latest Thinking @ Fusion

Strategic Considerations for Enterprise Business Continuity Management

Business Continuity at the enterprise level presents a daunting challenge for executives concerned about operational risks associated with vulnerabilities in critical business processes. Mid-size and large organizations are complex eco-systems with significant internal and external dependencies making business continuity complex and difficult to manage effectively.

The problem -- most businesses are built with a primary focus on optimizing quality, efficiency, and costs while rarely considering basic risk management principles to ensure continuity of operations. Too often, Business Continuity is an afterthought rather than a strategic imperative.

In reality, Business Continuity is best managed as an ongoing program designed to create business value rather than as a series of point projects which create incremental expense. As a series of projects, Business Continuity Planning quickly becomes costly, inefficient and ineffective. This traditional and tactical approach fails to deliver value because the business environment is dynamic and continually changing. The failure results from taking a tactical approach to address what has become a strategic business issue.

The tactical approach to Business Continuity typically deals with specific events at specific locations. As a threat manifests itself by exploiting vulnerability, a business interruption may occur at that location. As each location is subject to myriad threats, and as the enterprise consists of many locations, the business continuity planning process at the enterprise level becomes very complex. This complexity is further increased when the situation extends beyond an individual location, or when consolidation and cost-optimization decisions have unwittingly eliminated alternatives that may otherwise have been available to the executive management team.

Consider that any business, no matter how large or small, is built on assets and processes designed to create and deliver a company's products and services. Within each set of assets and processes, vulnerabilities exist that create risk to the business. In addition, alternatives exist that may serve to mitigate or avoid those risks altogether if given proper consideration in the midst of strategic decision making. From this perspective, addressing Business Continuity by exploring vulnerabilities and alternatives to the status quo elevates this function to the level of business strategy.

Aligning Business Continuity with corporate policy results in a number of benefits: manageable standards can be established throughout the enterprise, appropriate regulatory compliance can be achieved inline rather than as a separate process, and best practices can be leveraged across organizations. Companies that get this right enjoy considerable savings and efficiencies, and gain assured access to market regardless of unexpected events that may impact their business.

Please contact Fusion to discuss these and related topics with you.

David Nolan, CEO
Fusion Risk Management

» Top of Page

Latest Thinking @ Fusion

Business Resilience -- Focus on the Facility or Focus on the Business Unit?

Practitioners in the fields of business continuity, disaster recovery and risk management many times find themselves caught between the need to develop plans for individual facilities vs. addressing risk more comprehensively at the business unit level.

While disasters frequently focus on the facility or building as the cause, smart organizations design their continuity and risk management plans around business units and business processes. For a mid-sized or large enterprise, designing risk mitigation strategies and continuity plans at the business level means having comprehensive plans that span multiple facilities -- such as offices, manufacturing plants, R&D facilities, etc. When it comes to a specific event, it is the facility that suffers the outage, and it is the facility that must be remediated and returned to service, but the business units and processes are what keep the business operating, so the continuity and risk focus needs to be at the business unit level.

When assessing a business unit, practitioners must understand for each business unit and its associated processes how quickly these need to be back in service should an interruption occur. This translates into the type of recovery plan required and defines what mitigation alternatives are available, as well as what technologies are required, how electronic and paper based records are protected, and how voice, internet and data networks need to be reconnected. These plans also need to be extended beyond the walls of the business itself to consider how external providers, vendors and customers are impacted. In the development of risk mitigation and business continuity plans, such issues are not easily addressed, and in some cases skipped altogether.

So while recovery and remediation plans often focus at the facility level, a comprehensive business continuity and risk management plan must be focused at the business unit level. We find that when practitioners "stick to their guns" and take this approach, the organization gains a greater ability to respond to unplanned events, the executive team gains greater confidence in the overall plan, and they find it to be a much more efficient and economical path to achieving the overall goal of ensuring that the business can remain operational.

Please contact Fusion to discuss these and related topics with you.

John Jackson, Executive Vice President
Fusion Risk Management

» Top of Page

Latest Thinking @ Fusion

Continuity Risk Management -- A new name for what we already know or is there more to it?

While many of us find ourselves focused on Business Continuity, Crisis Management and Disaster Recovery, more and more I find the concept of Continuity Risk Management becoming the critically important need in many companies. This is the result of increasing vulnerabilities, recent global experiences of business-impacting incidents and events, and the legal, regulatory and business exposures tied to those risks.

Organizations have struggled for decades to get a firm handle on risk, such that they could shift from a model of "experience and react" to one of "anticipate and adjust". Protecting against every vulnerability and threat requires extraordinary investment that betrays the fiscal responsibilities and sensibilities of virtually every C-level executive. Fiduciary responsibility, on the other hand, requires executives to consider all the possibilities to the legal standard of "reasonable and prudent judgment".

Reality suggests that organizations must understand the full spectrum of risks, and then decide on a course of action for each. Unfortunately, organizations tend to address risk one project at a time and lose the context to determine how important each issue is in relation to the others.

Some things are simply more important than others!

Does your organization know which risks are mission critical and which may be deferrable? In businesses where everything is considered important to someone, it is a challenge to determine what is most important, and conversely what is not!

Risk management usually means making difficult decisions, such as having to accept some risks because there are simply not enough funds to appropriately dispose of all of them. The most common solution is for organizations to focus on well understood risks, yet do little or nothing to evaluate risk holistically across the enterprise, which usually means being seriously exposed in some areas while overspending in others.

What's required is a consolidated decision framework that clearly identifies the appropriate disposition and management of operational risk throughout the enterprise. As we begin to see varying approaches to risk management take hold in organizations -- whether the hiring of an Enterprise Risk Manager, or the elevation of security and business continuity roles to senior management positions -- we are beginning to see organizations move from focusing on discrete disciplines or risk to an overall view.

To make further progress, we now need to change our approach from one of swiftly identifying and mitigating risks, to a more managed approach of assessing risk holistically throughout the enterprise. With this approach, risks can be comprehensively identified, organized and measured within an overall framework so they can be prioritized then effectively mitigated relative to the needs of the business. Going forward, such a framework serves to provide a management paradigm to ensure the risk management program will thrive, and that people, dollar and asset resources are properly allocated.

Approaches to risk management vary across organizations of all sizes, industries and geographies. Do you find that your organization is moving (or needs to move) towards a more holistic approach to risk management? Do you find that risks within your organization are measured and managed effectively?

Please contact Fusion to discuss these and related topics with you.

John Jackson, Executive Vice President
Fusion Risk Management

» Top of Page

Latest Thinking @ Fusion

You have an opportunity to elevate and advance your enterprise BCP program. So where should you begin? Consider starting at the top.

At Fusion Risk Management, our view is that vulnerabilities and threats are endless, while the funds to address them are not. As a result, each organization must understand its tolerance for operational risk (i.e. tolerance for outages, interruptions and business impact) balanced against their appetite for investing in risk mitigation.

When organizations forego these investments, whether actively chosen or simply through a lack of decision, this represents an acceptance of risk by the executive management team. Active risk acceptance consists of prudent, thoughtful business decisions that organizations should seek to document. (Should an outage or impact occur, how much better it is for executives to clearly articulate their position on acceptable risks and pre-defined response plans, as compared to being caught off guard and scrambling to save face with customers, business partners, regulators and Wall Street).

While many BCP programs focus on managing the activities of business continuity (i.e. risk mitigation), it is equally important to manage and maintain visibility to the ongoing risks that have been accepted by the executives. Fusion endorses a straight-forward, concise approach that provides executive management with the information needed to make informed decisions about operational risks and risk mitigation choices. In fact, we do not advocate programs that suggest the goal is to mitigate every risk, nor those that simply emphasize benchmarking to what others are doing. Rather, we promote programs designed to provide the appropriate balance of risk acceptance vs. risk mitigation investments in line with the fiscal and fiduciary responsibilities of the executive management team.

Some organizations will appropriately choose to accept more risk than others. When you consider the entities that make up a large organization, its corresponding operational risks, its overall financial structure, and the strategies employed to achieve competitive advantage, no two organizations look alike -- even direct competitors in the same industry. As a result, an effective program of mitigating operational risks through effective business continuity and related contingency planning must be based on the unique profile of that organization and the unique risk tolerance deemed appropriate by the executive management team.

When your business continuity program is set in the context of operational risk management, your executive management team will better understand the choices available to them to accept or address risks, and they will better understand the value of business continuity and contingency planning delivers.

Please contact Fusion to discuss these and related topics with you.

David Nolan, CEO
Fusion Risk Management

» Top of Page

Fusion Blog
Videos, commentary and more!

"Continuity Risk in an ERM World"
On Demand Webinar
Featured Speaker: David Nolan, CEO, Fusion Risk Management
Watch Now

"Fusion is one of the best solution providers we've ever worked with - they have helped us change the way we view our business risks and delivered beyond expectations."
- Leading Online Brokerage