Getting Ready for ISO 22301:2012 Certification, Part 1

Our two-part blog series Getting Ready for ISO 22301 Certification will give you a comprehensive overview on how to prepare for third-party certification to this international management standard. Part one will focus on required general steps to implement a compliant business continuity management system. It will explain what is needed to fully understand the steps needed to plan, build, deploy and internally audit your business continuity management system.

Part two will provide a deeper dive into what the typical internal challenges are and the suggested solutions to address them.

Background: ISO 22301:2012 was published by ISO in 2012 as a harmonized standard with multiple inputs from national standards bodies, industry and academia. This is the world’s first ISO standard focused on business continuity. This complements the disciplines noted in ISO 27031 for IT disaster recovery.

Outlined below are 15 key steps to take to prepare for your certification audit.

  1. Obtain senior management support and commitment to the program and certification goal. Appoint a Champion empowered to provide the required resources.
  2. Identify interested parties (internal, external, government and community members) and their unique requirements.
  3. Define business continuity program objectives, scope, and policy and exclusions (if any).
  4. Define management framework, including three mandated procedures: document control, internal audit, and corrective action. Adopt the Plan, Do, Check, Act model (common to all ISO management standards).
  5. Conduct risk assessments, apply risk treatments and update methodologies as needed.
  6. Define recovery time objectives and recovery point objectives.
  7. Define resources and align with your business continuity management strategy.
  8. Define response and recovery actions via data centric recovery plans.
  9. Implement training and awareness program throughout your organization and extend to your supply chain as identified as part of the risk assessment.
  10. Exercise and test your program activities using independent staff, enabling impartiality.
  11. Learn from each event in testing and benchmark experiences of multiple functions.
  12. Communicate the necessary information in a consumable format. Test knowledge regularly via interviews, tests and exams as appropriate.
  13. Measure and evaluate against the initially set resiliency program objectives.
  14. Conduct an internal audit and maintain records demonstrating compliance.
  15. Make improvements based on the information found from the steps above and include top management to review processes and drive change. Continue the PDCA cycle as noted in 4.

The 4-step certification process includes:

  1. Design, develop and implement system (15 steps)
  2. Interview and select accredited* registrar. Obtain references and interview lead auditor if possible. Check for ‘chemistry’; if in doubt, do not engage. Remember, registrars must be impartial; however, they must provide value throughout the assessment process.
  3. Conduct stage 1 (remote) and stage 2 (onsite) audits. Close corrective action requests fully and promptly, ensuring that both compliance and effectiveness of the remedy are demonstrated.
  4. Obtain certification, celebrate, and prepare for first surveillance audit.

*Accreditation from UKAS, ANAB, or equivalent

Throughout this process you’ll learn how to ingrain the business continuity discipline across your enterprise. Achieving ISO 22301 Certification puts you within a unique group of companies committed to business resilience. It not only allows you to obtain a better understanding of your organization, but also to implement a business continuity strategy with proper response tactics. Ultimately, you will be able to better drive alignment of resilience capabilities in parallel with key management initiatives to drive continual improvement. In part two of this series we’ll break it down further and discuss challenges and solutions during the process.

Community Spotlight Vlog: BOX

The next in our Community Spotlight Blog Series features Crisis and Emergency Program Manager Shelly Munoz and Director of Compliance Renuka Darbha! Check out our next vlog and hear how Box utilizes Fusion to improve their enterprise business continuity and risk management program.

Discover What’s Possible 

Want to hear more success stories? Check out our resource page for success stories, guides, and more!

Break Down Barriers to Enterprise Risk Management

According to legend, when asked why he chose to build automobiles, Henry Ford responded, “If I had asked people what they wanted, they would have said faster horses.”

While this possibly apocryphal story is often used to negate consumer opinion and market research, it can serve another purpose: reminding executives that the conventional way of doing something is not always the best way to provide continuous value for an enterprise and its customers. In other words, one needs to imagine what things could be like if they were different, and how they could be better – including when it comes to managing operational risk within the enterprise.

A recent report from the American Institute of Certified Public Accountants’ (AICPA) Management Accounting – Business, Industry, and Government Team surveyed business leaders about their current enterprise-wide risk management efforts. While the report revealed many insights, one of the most telling was that organizations see multiple barriers to enhanced risk oversight: competing priorities, lack of sufficient resources, lack of perceived value, perception that enterprise risk management adds bureaucracy, and lack of board or senior leadership buy-in.

Each one of these barriers may be real – or only imagined – but there’s one string connecting them all: They can all be overcome by changing the way an enterprise thinks about risk management.

A New Mindset

A business has one main objective: to fulfill its customers’ needs by providing products and services while turning a profit. With this as an enterprise’s lodestar, therefore, it is surprising to think that an organization would not be more focused on enhancing its risk management strategies – as not being properly set up to manage risk events can deeply impact a company’s ability to fulfill this main objective.

Overcoming barriers requires integrating enhanced risk management needs within an organization at the operational or enterprise level. The legacy mindset is that it belongs to a single department (risk, finance, insurance, etc.), but in fact, that is an outdated way of thinking.

When risk management is viewed as an enterprise-wide process, it focuses the entire organization on heading off disruptive events while ensuring the company stays on track toward its ultimate business goals. With this mindset, many of the barriers can be overcome: By understanding that risk management is woven into the fabric of the main objective, its value is realized, and it becomes a high priority for everyone, including senior leadership – thus ensuring resources are allocated toward it.

There are several actionable steps an enterprise can take toward calibrating its approach and removing some of the barriers preventing enhanced risk management strategies.

5 Steps to Enhancing Risk Management Programs

  1. Know your company’s business. Understand what the business plan is, what your company is trying to accomplish, how it is measuring success, and what metrics matter.
  2. Gather and organize the facts – and then analyze them. Put the pieces of the puzzle together and look for meaningful insights into and nuances of how the business operates, as well as where the risks are. Building an information foundation will show any strategic holes as well as opportunities, and allow the enterprise to tie risk management goals and objectives to the business plan to ensure they are strategically aligned.
  3. Assign responsibility. Formal assignment of risk management to a qualified senior-level manager who can be provided with appropriate funding is an important success factor, as this executive can project-manage, own the program, and monitor progress to goals.
  4. Build a business case. Related to the last point, however, is that one person can’t win on their own. Everyone needs to buy into the need to allocate resources to and prioritize risk management. When everyone in the organization can understand how a program will support the company’s objectives and fulfill its mission, risk management becomes a valuable factor in a business transaction that will help the organization increase its brand value and revenues.
  5. Lean on technology. One section of the AICPA report asked respondents whose organizations had not yet implemented an enterprise-wide process why they hadn’t done so. More than half believed, “risks are monitored in other ways.”

Now, this may be true – but how successful are these ways? Do they really give you a handle on all of the risks and controls in place? Are they integrated throughout the organization? Are you spending a lot of time with your current processes, but yielding only minimal value? Are you using outdated data management programs, or spreadsheet and word processing software that need to be updated manually? Is the data from your current process producing defendable, actionable business decisions?

This is where technology becomes critical to enhancing risk management. Applying automation to the process improves workflow efficiency while making everything more accurate, by basing the risk management ecosystem on real-time data and eliminating the human element. Additionally, it gives executives everything they need at their fingertips to make better business decisions, using tools like heat mapping and graphs.

The best technology will allow you to capture structured data instead of creating traditional plan documents. Think of that structured data as an information foundation that shows how everything works and interrelates. Being able to capture your planning information in a database allows you to know who is responsible for every piece of information, as well as what information is missing – and this ownership keeps people engaged.

With a data-driven system, you can leverage tools that help you formulate the right response to an unfolding situation, with the ability to take only the parts of each plan that directly apply, and create a targeted action plan in minutes.

Static, document-based plans just can’t keep up when you realize how different each situation will be. The fact is, those binders often wind up being set aside when incidents occur, but that is not the case when you have an information foundation and the right tools to put you in command and control. Managing data over documents allows you to provide clear metrics on where your risks are, so you can prioritize where to focus – giving an executive team confidence that the risk management program is a center of excellence in the company.

One of the perceived barriers in the report is that robust risk management strategies will add levels of bureaucracy no one wants to deal with – and they can if they are done in an outdated fashion. But when you can leverage technology that enables you to become more effective, efficient, and economical, the value of what you’re providing to your internal constituency goes through the roof. And when value goes up, bureaucracy goes down – adding even more value.

Reimagining the Possibilities

While organizations have been progressing toward identifying, assessing, and managing key risks, there are still barriers, both actual and perceived. Yet for a risk management program to be successful means reimagining what it means to manage risk and looking to new possibilities, then tying the program to business objectives.

Realizing the intense importance of risk management requires a change of mindset and company culture. This is only the first step of several strategies, but without it, it becomes very difficult (or even impossible) to overcome the other barriers.

No one is saying it’s easy to think differently – Henry Ford would certainly agree with that – but risk management is ultimately what protects a company’s ability to fulfill its purpose, and that’s a great reason to change your mind.

Community Spotlight Vlog: ARM

The next in our Community Spotlight Blog Series features Director of Business Continuity Ken Clark and Senior Global Business Continuity Manager Chris Glennie of ARM! Check out our first vlog and hear how ARM leverages Fusion for success within their business continuity program.


Resiliency Through Relationships

Guest Blog Series

We are excited to debut our Guest Blog Series featuring some of the amazing experts from the Fusion community with their industry insights. Our first guest blogger is Resilience Manager at Network Rail Rina Singh, MBCI with her first post titled Resiliency Through Relationships.

Rina is passionate about all things business continuity, risk management, and organisational resilience. With more than a decade of experience, she is currently equal part of a dynamic award-winning resilience team at Network Rail and runs her own blog the Resilience Pod, dedicated to helping organisations and individuals become resilient in a world full of disruptions.

– Marketing Associate Bridget Anders

Collaboration is important in most professions, but in business continuity management, it’s essential. Whilst digital transformation through systems and processes makes our daily lives much easier, it’s still about people and relationships. The idea of using automation via technology is to save time, and that time needs to be spent building relationships and developing strategies.

While technology improves efficiency, the resilience of a company cannot be solely reliant on one person or one department. It must be through a collaborative effort across the company. It’s a joint effort in all aspects, but this can be difficult in a siloed environment where communication is sparse. If you get that relationship right, you may be able to influence in ways you never knew you could to ensure resiliency. That’s why building and maintaining those relationships are so important. Here are four key tips to empower resiliency through relationships! 

1. People must know you exist

This sounds obvious, but if people don’t know who you are, they can’t come to you. Start with a basic introduction over a coffee or tea with your subject matter experts and stakeholders before getting into the nitty-gritty. Then build it up via lunch-and-learn sessions, for example. This way your first interaction with them isn’t you asking something of them via email but taking the time to get to know them. It also takes some people more time to warm up than others. Don’t let this discourage you – be consistent in your efforts.

Find a way you can relate with them, and do so face-to-face when possible. We are in that digital age now where it’s easy to message each other or pick up the phone. While this is necessary sometimes, it’s so important to meet in-person to strengthen that connection when trying to influence resilience activities. If you are there, they can see you, making things much more tangible. Then when you do email them later, they remember you and the connection made.

A great example is through a lot of effort I put into trying to get hold of one stakeholder via email to meet about business continuity management activities. I consistently emailed this person and followed up but kept getting nowhere. But when we did meet, it was great, because the way one can come across in an email is completely different than how they can come across in person. Now, even though this person is busy, they will always take the time to respond to my emails. That’s purely from the relationship I have built, which is important because when something is required, they know me, and my name is out there.

2. Create a mutually beneficial relationship

You must be authentic and transparent to create a mutually beneficial relationship. It’s more than just small talk; you must genuinely listen to subject matter experts and stakeholders. It’s that personal touch and level of understanding with the other person. Don’t hide your personality, adding that personal touch is so important.

You can give, give, give, but there comes a time when you think “well, I am doing all this stuff for you, why should I do more? What’s the incentive?” Naturally, as human beings, we are selfish, and we want something back.

Helping each other is mutually beneficial because if you do me a favour, I will remember it. When you need something, I will know that you helped me, and I will want to do that because of all the help you’ve given me. If you are helping another department by introducing them to another stakeholder, they will remember that. It’s proving that credibility and following through on it.

3. Educate others on business continuity management

You must translate the requirements into simple steps avoiding all jargon and showcasing the value of doing this work. The simple question, “what’s in it for me?” comes to mind. A part of this process is training so they understand what business continuity means to them, rather than just telling people what to do. Once they understand the “why,” it provides clarity and gives them part ownership, which in turn helps build that relationship and promote a collaborative culture.

Educating also means you must be educated on the wants and needs of subject matter experts and stakeholders. Listen to their concerns and apply that in your planning. So when you’re communicating activities you have all of the information you need to educate others properly. These things take time, but showing people that you truly value them by giving them your time is important.

4. Continue the relationship

Even if it’s just going for a coffee or catching up weekly for two minutes, that really makes a difference to understand your stakeholders. You need to stay up-to-date on what their concerns and constraints are in their business area. It’s important to remember that you must stay committed to the approach but be flexible on some of the details when you can to accommodate your fellow colleagues.

Always follow up, whether it was your first interaction or your ninetieth. Be sure they know you are listening and want to collaborate with them. This also helps them remember what was discussed and also feel like you really value their time.

Empower a culture centered on teamwork and collaboration

By building these relationships through helping others and listening to their concerns, it gives people a sense of community. They know they can come to you and vice versa, which can make the difference when ensuring organisational resilience.

Essentially, we can’t get things done if we don’t involve other people, and if you don’t have that relationship it’s not going to happen. This creates siloes. All this will not only move your business continuity programme forward, but also create an example for others to empower a more collaborative culture for better resiliency. After all, resiliency is achieved through relationships.

How Do GDPR and CCPA Differ, and What’s Next?

In five months, the state of California, which counts itself as the world’s fifth-largest economy by GDP, will implement a comprehensive set of data privacy regulations known as the California Consumer Privacy Act (CCPA). Poised to take effect on Jan. 1, 2020, CCPA follows closely on the heels of the European Union’s sweeping 2018 data privacy law, known as the General Data Protection Regulation (GDPR).

Regardless of whether your responsibilities regularly include managing consumer data, these policies are likely already affecting your organization, its operations, and its bottom line. We aim to provide a clear understanding of the meaning of data privacy as it applies to these policies, to illustrate how GDPR and CCPA differ from one another, and to survey the political and economic landscape to get a better understanding of the future of federal data privacy regulations in the US.

What is Data Privacy?

Simply put, data privacy as it pertains to consumer protection is best understood as the “right to be forgotten,” by corporations who would otherwise harness, process, and utilize consumer data for a variety of purposes. In this case, consumer data can be as overt as a name, address, or Social Security number, as dystopian as cellular phone records or location triangulation, or as seemingly inconsequential as a preferred brand of breakfast cereal or frequency of visits to a gas station. In an era in which large enterprises regularly suffer data breaches caused by either corporate negligence or nefarious espionage, the risk of maintaining massive, minimally-protected datasets containing millions of potentially identifiable data points has become untenable.

Understanding GDPR

Recognizing that “…rapid technological developments and globalization have brought new challenges for the protection of personal data” and that efforts hitherto by global corporations to adequately self-police against these challenges had been otherwise ineffective, the European Union elected in 2016 to step in on behalf of its citizens. Their goal, as listed in the policy text, was to ensure that “the protection of natural persons in relation to the processing of personal data [be considered] a fundamental right.”

To meet these goals, GDPR sets forth seven principles:

  • Lawfulness, fairness, and transparency
  • Purpose limitations
  • Data minimization
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality
  • Accountability and compliance

Corporations who receive consumer data in the course of doing business must adhere to these principles with regards to their standards and methods of not only storing that data but also of utilizing it to further their business. Described within these principles is the requirement for internal and external auditability. Further, it is incumbent upon the corporations to provide consumers with a process to request the erasure of their stored personal data that is straightforward and swift. The penalties for failing to adhere to these requirements are significant and subject violating corporations to significant financial and reputational risk.

How CCPA Differs

Though CCPA and GDPR share a similar purpose and similarly strict penalties for violation, CCPA is significantly more prescriptive than its European counterpart. The Californian policy differs in its scope of application and in its limitations of data collection and sets forth a different set of rules regarding accountability and compliance.

Compared to GDPR, there are certain areas in which CCPA is less stringent. For example, CCPA does not require that corporations have a “legal basis” for collection and use of consumer data. Likewise, under CCPA, the transfer of personal information outside the US is unrestricted, and businesses are not required to appoint a data protection officer, though it is encouraged. Additionally, the right for California residents to access and expunge their own data is limited to information received within the past twelve months.

However, unlike GDPR, CCPA more broadly defines personal information to specifically include household information. Further, CCPA grants individuals the right to permanently opt-out of the collection and use of any personal data and requires that businesses provide consumers with a means of ensuring that a permanent opt-out capability is available both on websites and mobile applications.

The two policies also provide different approaches to the privacy rights of children. While GDPR requires that parents provide consent for the processing of their children’s personal information, CCPA strictly addresses the sale, rather than the processing, of children’s information and requires that businesses first obtain opt-in consent. Children are also classified differently in the context of these policies. In the EU, children are defined as under the age of 16, although member states can lower the age to 13 at their option. In California, parents must provide consent only for kids under 13.

What’s Next

The current state of data privacy regulations at the federal level is comprised of hundreds of laws that are primarily designed to address specific industries, such as healthcare or finance. These regulations are often mirrored or more closely defined at the state level. Likewise, in terms of enforcement, the Federal Trade Commission is empowered to protect consumers against unfair or deceptive practices. These deceptive practices can include a corporation’s failure to adhere to its own published privacy policies or its inability to secure consumers’ personal information, among others.

Since the implementation of GDPR and the passage and pending implementation of CCPA, Congress has renewed its interest in installing an overarching regulation to manage consumer data privacy in the US. As is often the case in Washington, both major parties agree that there is a fundamental need for policy but differ on their ideas for its design. It does appear that there is bipartisan agreement that any policy passed at the federal level would be primarily enforced by the FTC.

Although an all-encompassing data privacy bill has yet to be brought to the floor in Congress, it should be said that Congress has not been entirely unwilling to vote on more directional consumer protection policies. In 2019 alone, Congressional officials in the House and Senate have introduced bills including the Information Transparency and Personal Data Control Act, the Commercial Facial Recognition Privacy Act, the Digital Accountability and Transparency to Advance Privacy Act, the Social Media Privacy Protection and Consumer Rights Act, and the American Data Dissemination Act. Enfolded within these myriad bills are many, though not all, of the requirements found in GDPR and/or CCPA, and all would provide the FTC with the capability to impose and enforce penalties on violators.

In an increasingly digital world, the privacy of personal data is paramount. Now faced with more stringent regulations, businesses will need to ensure that they act with the best interests in mind of not only their stockholders but also their consumers.

Want to know more?

Learn more about data privacy regulations and how Fusion can help you to navigate them.

Why Protecting the Brand Matters

Ah, branding. The marketing and communication department loves it and most of the rest of the company doesn’t really care that much. But, branding is about more than just fonts and colors. Organizations must protect their reputation that comes with the brand.


A big component of business continuity and risk management is protecting a company’s reputation. Oftentimes, many focus solely on the financial aspect.

Don’t get me wrong – financials are very important – but there is so much more that goes into protecting your brand reputation.

There are so many factors as to why people buy a product or service, and having a good brand is usually a large part of that. Yes, sometimes people simply just need something specific at the time, or they are making an impulse purchase, but having longstanding customers and/or clients who will advocate for your product or service only comes with a strong brand.

Consumers are less likely to work with your company or buy your product if they don’t trust you, and a company’s brand plays a large role in that trust. For example, if they see that all of your users’ information was somehow searchable on the internet, they aren’t going to give you their information and, ultimately, not work with you or buy your product or service.


And many times, a damaged brand will negatively impact financials. There is some truth to the common saying, “any press is good press,” but typically it’s a short-term strategy. In general, sometimes business is boosted for a very short period of time but declines in the long term. And if it’s bad enough, it will put an organization out of business. This is, of course, situational, so this isn’t completely the case all of the time, but it does happen a lot. According to the Federal Emergency Management Agency (FEMA), more than 40 percent of businesses never reopen after a disaster; for those that do, only 29 percent were still operating after two years.

Then there’s the phrase, “that’ll never happen to us.” Wrong. Natural and manmade disasters can hit at any moment. Billions of people have been affected by data breaches and cyberattacks, many brick and mortar retailers have already filed bankruptcy this year, and, in the past month, there have been multiple severe earthquakes that have hit around the world. It’s not if something happens but when something happens. And, if people find out you didn’t even try to prevent said negative thing from happening, they won’t trust you.

What’s more, with the world of social media and almost everyone constantly being connected, there is really nowhere to hide either.

Complaints on Twitter, Google reviews, and Yelp are just a few places your brand could be impacted. Just one video or tweet can go viral and change everything. Yes, not every single post will go viral, but a multitude of similar complaints can still really do some damage. Being prepared for these types of situations helps organizations make improvements and properly communicate.

It is important to remember that social media is not all bad and can be used as a medium to help relieve some of these pressures and impacts. The key though is sticking to your brand values. If you know something is coming up, depending on the situation, you can use social media to let people know what is going on or lead people back to your site with the information they might need. It is a good way to keep people updated in real-time, address issues, and elevate your brand.

In the UK, one company who has created a witty name for itself is Tesco Mobile. It’s known for hilarious tweets and clever replies. In its case, Tesco Mobile also uses social media to manage inquiries and complaints. For them, the playfulness works.

Oracle also uses social media as an avenue for its brand, but it takes a much different approach. It often posts industry insights and keeps people updated on things happening at Oracle. It also manages complaints with more care in a fact-based manner.

Both Tesco Mobile and Oracle use social media to communicate, but in different voices that reflect each company’s brand. There are a number of ways social media can be used to strengthen a brand, and organizations must find what is right for their company by aligning with the company’s voice and brand. It’s also important to remember social media is just one aspect of what makes up a company’s brand, but due to its wide reach, it can be a large component.

So why does protecting the brand matter?

In this case, the little things really do matter. If you waver, people will likely get confused. How you present yourself affects people’s perception of your brand. Transparency and consistency are key, whether that is on social media, in a press release, on your website, or via email. That doesn’t mean you have to tell the public everything, but you cannot twist the truth because that can lead to a whole other slew of trust issues. People understand that mistakes happen, but they have to trust that you are doing the right thing in a bad situation. And, you have to consistently show them that.

So how do you protect your brand in a constantly connected world with infinite disruptions and risks?

Well, the short answer is quite simple: easily accessible information (a.k.a. an information foundation that holds all of the organizational knowledge), which can be provided through secure business continuity management software. If you have a system that already holds regularly updated data, then it makes searching for the answers you need so much easier, especially during a crisis or incident. You can use this information to make more educated decisions, which enables you to be transparent because you have the single source of truth.

A good system should not only give you the ability to make a data-driven decision, instead of guessing what the right thing to do is based on what you think you know, but also allow you to track progress. This way you are working with facts, which in extreme cases can save a business. And since you have the facts, you can solve the issue (or mitigate the impact) and communicate the right information internally and externally quicker.

As laid out, there are an infinite number of risks to your company’s brand, making it impossible to look at every single way something could go wrong. But when you have the data you need, you can prioritize based on impact and likelihood. This allows you to prepare properly, from prevention and impact reduction to communicating results and analysis, which in the end protects your brand reputation.

Learn More About How Fusion Can Help

Want to learn more about making sure your brand reputation is protected through easily accessible information? Check out the Fusion Framework System.

7 Ways Digital Transformation Boosts Risk Management Efficiencies

Risk management in even a small organization can quickly consume more than the available time and resources. In a larger organization, it can be overwhelming. Achieving optimum efficiency is a must in order to mitigate risks, ensure resiliency and recovery, and function within a tight budget. Digital transformation is not just about technology, it is about reimagining risk management efficiency through dynamic databases and automation. Consider these seven ways that a digitally-transformed system dramatically changes how risk management tasks are performed.

1. Enter data once and use it anywhere.

Companies tend to have documents, spreadsheets, and databases used for risk management scattered in multiple places. Through digital transformation, it is possible to create a dynamic relational database that can serve as a single source of truth: an information foundation for the entire enterprise. This information foundation contains comprehensive risk management data about employees, facilities, applications, servers, vendors, processes, plans, and more. By eliminating siloed databases in favor of a single source of truth, information can be entered once and applied seamlessly across systems, greatly increasing operational efficiencies and ensuring data accuracy.

2. Build plans easier and faster.

Risk management plans multiply as businesses expand and new risks are identified. Developing new plans has traditionally been a time-consuming and cumbersome task, especially if no plan exists that can be used as a general guideline. But when companies work with a trusted partner to digitally transform their processes, plan development becomes easier and faster by virtue of the vendor’s pre-built libraries, checklists, and templates. An expert risk management vendor will have encountered innumerable risk scenarios and packaged that experience into time-saving tools that provide businesses with a structured approach to plan development.

3. Leverage modern technology.

Technology is transforming every area of business today – and risk management should not be the exception. Through digital transformation, companies can take advantage of modern tools and technologies that can change the way organizational risk management is done. For example:

  • Automation capabilities that eliminate routine administrative activities
  • Seamless integration with applications such as Salesforce as well as emergency notification systems, configuration management databases, situational intelligence, etc.
  • Real-time updates to organizational data
  • Enhanced methods of data capture, data collection, and data analysis
  • Workflows to speed up and streamline business processes

4. Identify gaps readily.

It is very difficult for risk management personnel to detect missing, improper, or inadequate recovery strategies when faced with hundreds of different departments, functions, and applications. A risk management system can alert personnel to any risk management planning gaps that might appear as changes are made in applications and processes in various areas of the organization. In fact, it can not only identify gaps but can also prioritize where greater risks exist. For example, a robust system can differentiate between a critical business process that has gaps in its recovery capabilities and a lower-tier service that needs to be addressed.

5. Collect data from subject matter experts easily.

It can be tough to collect risk management data from experts spread across the enterprise. It is not uncommon to have to go back to the same expert multiple times to fill in blanks, which is frustrating for both the risk management staff and the expert. Digital transformation of risk management facilitates the process of gaining input from subject matter experts across the organization through customizable portals, user-friendly interfaces, and automated workflows and emails. Risk management staff can specify exactly what information needs to be provided, eliminating the need for repeated contacts with the subject matter expert. Plus, a good system will enforce consistent standards and best practices (for instance, through the use of dropdown menus), relieving risk management personnel of the responsibility to check and correct data entry.

6. Generate reports instantly.

Generating reports can consume hours every week at a smaller firm; larger firms may have staff dedicated to the task on a full-time basis. But with a strong risk management system, enterprise-level reporting is made easy. Because all data is stored in a single information foundation, reports can be run instantly to provide the data and insight necessary to make strategic decisions about risk management, resource deployment, and organizational resiliency.

7. Eliminate annual updates.

Everybody – risk management personnel, executives, and all other employees alike – understandably dreads the “annual update” process. Fortunately, massive updates that require the tedious manual review of global information to check for needed changes are eliminated when an organization embraces digital transformation. They are replaced with automated self-checks where the system regularly evaluates existing data across risk domains to identify where updates need to be made and then collects or solicits that information directly or sends an alert about the required update. Automated workflows and approval processes also serve to keep information accurate and up-to-date year-round.

Digital transformation is ultimately not about technology – it is about reimagining how business gets done. By boosting efficiency in these very practical ways, a digitally-transformed system can help risk management take a quantum leap forward. Rather than working endlessly on keeping the essentials of a program up-to-date, risk management personnel can leverage the full advantages of robust automation and modern tools, freeing them to focus on core and value-added activities that will systematically improve and strengthen organizational resiliency across the enterprise.

Success Is More than Attendance

Client Engagement Blog Series

Before, we talked about creating a company-wide culture of business continuity management in our Company Engagement Series, from taking the first steps and getting priorities together to checking in on your program. So now that you have your company engaged, let’s talk about engaging your client. In the Client Engagement Series, we share insights on what we’ve learned while growing our client engagement program. Here we explore the strength of your user group program.

You have a technology user group or client engagement program … and people are coming to your meetings! Is that how you measure the success of your program? Or is success more than attendance?

At Fusion Risk Management, we believe that success for a user group/client engagement program involves much more than simple attendance. In fact, since it is a user group or client engagement program, we believe that success must be measured by those things that our users or clients consider to be important. To determine what metrics to use to assess the efficacy of our program and to actually see how we are doing by those metrics, we ask for feedback from every member at every meeting. We’d like to share three of the top metrics we have identified so you can apply them as appropriate to your user group/client engagement program. Here goes!


User groups/client engagement meetings are all about sharing information. However, you shouldn’t have your own experts do all the sharing! Sharing needs to take place among all the people who attend the meeting. Clients can share their success stories, best practices, lessons learned, tech tips, and – of course – their questions. At each meeting, you can ask attendees what they would be interested in learning about or sharing about at future meetings, and ask their feedback on the quality and relevance of the various presentations/discussions that took place at the current meeting.


For your user group/client engagement program to be strong, sustainable, and dynamic, you need to build a true community, connecting people locally, regionally, globally, and virtually. Participants want to be connected with their peers and with industry experts. They want to be able to collaborate with one another and network with one another inside and outside of scheduled user group/client engagement meetings.


If you want to truly set your user group/client engagement program apart from the rest, help your members to grow professionally. Make sure you are actively engaged in advancing their program and supporting their business goals. Encourage them to speak at industry conferences or participate in panel discussions. Give them the confidence to apply for industry awards. Boost their career growth, and your clients will give you their total loyalty!

Attendance is the first step in any user group/client engagement program. Creating an environment where people can share, connect, and grow is what truly makes for success.

Regional User Group Program

We are committed to the success of our clients and building a community that inspires others! Learn more about our program!

Is Your User Group Limping Along or Growing Strong?

Client Engagement Blog Series

Before, we talked about creating a company-wide culture of business continuity management in our Company Engagement Series, from taking the first steps and getting priorities together to checking in on your program. So now that you have your company engaged, let’s talk about engaging your client. In the Client Engagement Series, we share insights on what we’ve learned while growing our client engagement program. Here we explore the strength of your user group program.

Lots of tech companies have user groups – and a lot of those user groups limp along half-heartedly with inconsistent and often dwindling attendance. In contrast, a prospect recently came to our Fusion user group in London. He was astounded and said to me, “The vibe in this room is amazing. People are excited to be here. People are relaxed. People are telling stories. People consider this a trusted, safe environment. This is not a sales event; it’s a place where people get excited about opportunities, excited to learn more, excited to hear from other people, excited to go back to the office and employ what they’ve discovered. There’s an almost tangible trust in the room – people are comfortable talking about challenges and brainstorming with other clients on how to overcome or solve those challenges.”

Quite honestly, I could end this blog right there, because his comments say it all. But let me enumerate the key points.

First, to grow a strong and sustainable user group – or, as we prefer to term it, a client engagement program – you need to deliver value to your clients. That means putting your clients and their needs first. If you put your company first and just try to cross-sell or up-sell your products and services, your clients will be annoyed. They will recognize that the “user group” is actually just a sales event and feel that they have been subject to a “bait and switch.” Instead, you want your clients to feel that they have received great value for the investment of their time, concentration, and interaction.

Second, to deliver value, you need to create opportunities for engagement. In other words, don’t just talk “at” your clients! Even if you are providing great information, talking “at” people is a sure way to see their eyes glaze over in boredom. You need to engage them. For example, have your clients act as presenters. Encourage attendees to ask questions, make comments, request more information, and even challenge something that is stated. Facilitate break-out sessions where attendees can interact with one another about a given topic. You want people to talk, because talking generates excitement!

Third, to encourage engagement, you need to build a culture of trust. Be clear that this is a place where questions can be asked, problems can be raised, and issues can be discussed. Foster an environment of mutual respect, where not only are your own internal experts offering help, but clients are helping clients, sharing their knowledge and experience freely.

When you deliver value, create opportunities for engagement, and build a culture of trust, you will grow a strong and sustainable user group/client engagement program. Plus, you’ll find that your business goals for new leads, new clients, and new sales are also met as a natural outgrowth of your program! After all, when your current clients are engaged and excited, they are going to look for more ways to use your products and services, and they will spread the word to their peers and colleagues.

Don’t settle for a client engagement program that limps along … take action to help it grow strong!

Regional User Group Program

We are committed to the success of our clients and building a community that inspires others! Learn more about our program and find a group near you!