Break Down Barriers to Enterprise Risk Management
According to legend, when asked why he chose to build automobiles, Henry Ford responded, “If I had asked people what they wanted, they would have said faster horses.”
While this possibly apocryphal story is often used to negate consumer opinion and market research, it can serve another purpose: reminding executives that the conventional way of doing something is not always the best way to provide continuous value for an enterprise and its customers. In other words, one needs to imagine what things could be like if they were different, and how they could be better – including when it comes to managing operational risk within the enterprise.
A recent report from the American Institute of Certified Public Accountants’ (AICPA) Management Accounting – Business, Industry, and Government Team surveyed business leaders about their current enterprise-wide risk management efforts. While the report revealed many insights, one of the most telling was that organizations see multiple barriers to enhanced risk oversight: competing priorities, lack of sufficient resources, lack of perceived value, perception that enterprise risk management adds bureaucracy, and lack of board or senior leadership buy-in.
Each one of these barriers may be real – or only imagined – but there’s one string connecting them all: They can all be overcome by changing the way an enterprise thinks about risk management.
A New Mindset
A business has one main objective: to fulfill its customers’ needs by providing products and services while turning a profit. With this as an enterprise’s lodestar, therefore, it is surprising to think that an organization would not be more focused on enhancing its risk management strategies – as not being properly set up to manage risk events can deeply impact a company’s ability to fulfill this main objective.
Overcoming barriers requires integrating enhanced risk management needs within an organization at the operational or enterprise level. The legacy mindset is that it belongs to a single department (risk, finance, insurance, etc.), but in fact, that is an outdated way of thinking.
When risk management is viewed as an enterprise-wide process, it focuses the entire organization on heading off disruptive events while ensuring the company stays on track toward its ultimate business goals. With this mindset, many of the barriers can be overcome: By understanding that risk management is woven into the fabric of the main objective, its value is realized, and it becomes a high priority for everyone, including senior leadership – thus ensuring resources are allocated toward it.
There are several actionable steps an enterprise can take toward calibrating its approach and removing some of the barriers preventing enhanced risk management strategies.
5 Steps to Enhancing Risk Management Programs
- Know your company’s business. Understand what the business plan is, what your company is trying to accomplish, how it is measuring success, and what metrics matter.
- Gather and organize the facts – and then analyze them. Put the pieces of the puzzle together and look for meaningful insights into and nuances of how the business operates, as well as where the risks are. Building an information foundation will show any strategic holes as well as opportunities, and allow the enterprise to tie risk management goals and objectives to the business plan to ensure they are strategically aligned.
- Assign responsibility. Formal assignment of risk management to a qualified senior-level manager who can be provided with appropriate funding is an important success factor, as this executive can project-manage, own the program, and monitor progress to goals.
- Build a business case. Related to the last point, however, one person can’t win on their own. Everyone needs to buy into the need to allocate resources to and prioritize risk management. When everyone in the organization can understand how a program will support the company’s objectives and fulfill its mission, risk management becomes a valuable factor in a business transaction that will help the organization increase its brand value and revenues.
- Lean on technology. One section of the AICPA report asked respondents whose organizations had not yet implemented an enterprise-wide process why they hadn’t done so. More than half believed, “risks are monitored in other ways.”
Now, this may be true – but how successful are these ways? Do they really give you a handle on all of the risks and controls in place? Are they integrated throughout the organization? Are you spending a lot of time with your current processes, but yielding only minimal value? Are you using outdated data management programs, or spreadsheet and word processing software that need to be updated manually? Is the data from your current process producing defendable, actionable business decisions?
This is where technology becomes critical to enhancing risk management. Applying automation to the process improves workflow efficiency while making everything more accurate, by basing the risk management ecosystem on real-time data and eliminating the human element. Additionally, it gives executives everything they need at their fingertips to make better business decisions, using tools like heat mapping and graphs.
The best technology will allow you to capture structured data instead of creating traditional plan documents. Think of that structured data as an information foundation that shows how everything works and interrelates. Being able to capture your planning information in a database allows you to know who is responsible for every piece of information, as well as what information is missing – and this ownership keeps people engaged.
With a data-driven system, you can leverage tools that help you formulate the right response to an unfolding situation, with the ability to take only the parts of each plan that directly apply, and create a targeted action plan in minutes.
Static, document-based plans just can’t keep up when you realize how different each situation will be. The fact is, those binders often wind up being set aside when incidents occur, but that is not the case when you have an information foundation and the right tools to put you in command and control. Managing data over documents allows you to provide clear metrics on where your risks are, so you can prioritize where to focus – giving an executive team confidence that the risk management program is a center of excellence in the company.
One of the perceived barriers in the report is that robust risk management strategies will add levels of bureaucracy no one wants to deal with – and they can if they are done in an outdated fashion. But when you can leverage technology that enables you to become more effective, efficient, and economical, the value of what you’re providing to your internal constituency goes through the roof. And when value goes up, bureaucracy goes down – adding even more value.
Reimagining the Possibilities
While organizations have been progressing toward identifying, assessing, and managing key risks, there are still barriers, both actual and perceived. Yet making a risk management program successful means reimagining what it means to manage risk and looking to new possibilities, then tying the program to business objectives.
Realizing the intense importance of risk management requires a change of mindset and company culture. This is only the first step of several strategies, but without it, it becomes very difficult (or even impossible) to overcome the other barriers.
No one is saying it’s easy to think differently – Henry Ford would certainly agree with that – but risk management is ultimately what protects a company’s ability to fulfill its purpose, and that’s a great reason to change your mind.
How Do GDPR and CCPA Differ, and What’s Next?
In five months, the state of California, which counts itself as the world’s fifth-largest economy by GDP, will implement a comprehensive set of data privacy regulations known as the California Consumer Privacy Act (CCPA). Poised to take effect on Jan. 1, 2020, CCPA follows closely on the heels of the European Union’s sweeping 2018 data privacy law, known as the General Data Protection Regulation (GDPR).
Regardless of whether your responsibilities regularly include managing consumer data, these policies are likely already affecting your organization, its operations, and its bottom line. We aim to provide a clear understanding of the meaning of data privacy as it applies to these policies, to illustrate how GDPR and CCPA differ from one another, and to survey the political and economic landscape to get a better understanding of the future of federal data privacy regulations in the US.
What is Data Privacy?
Simply put, data privacy as it pertains to consumer protection is best understood as the “right to be forgotten” by corporations who would otherwise harness, process, and utilize consumer data for a variety of purposes. In this case, consumer data can be as overt as a name, address, or Social Security number, as dystopian as cellular phone records or location triangulation, or as seemingly inconsequential as a preferred brand of breakfast cereal or frequency of visits to a gas station. In an era in which large enterprises regularly suffer data breaches caused by either corporate negligence or nefarious espionage, the risk of maintaining massive, minimally-protected datasets containing millions of potentially identifiable data points has become untenable.
Recognizing that “…rapid technological developments and globalization have brought new challenges for the protection of personal data” and that efforts hitherto by global corporations to adequately self-police against these challenges had been otherwise ineffective, the European Union elected in 2016 to step in on behalf of its citizens. Their goal, as listed in the policy text, was to ensure that “the protection of natural persons in relation to the processing of personal data [be considered] a fundamental right.”
To meet these goals, GDPR sets forth seven principles:
- Lawfulness, fairness, and transparency
- Purpose limitations
- Data minimization
- Storage limitation
- Integrity and confidentiality
- Accountability and compliance
Corporations who receive consumer data in the course of doing business must adhere to these principles with regard to their standards and methods of not only storing that data but also of utilizing it to further their business. Described within these principles is the requirement for internal and external auditability. Further, it is incumbent upon the corporations to provide consumers with a process to request the erasure of their stored personal data that is straightforward and swift. The penalties for failing to adhere to these requirements are significant and subject violating corporations to considerable financial and reputational risk.
How CCPA Differs
Though CCPA and GDPR share a similar purpose and similarly strict penalties for violation, CCPA is significantly more prescriptive than its European counterpart. The Californian policy differs in its scope of application and in its limitations of data collection and sets forth a different set of rules regarding accountability and compliance.
Compared to GDPR, there are certain areas in which CCPA is less stringent. For example, CCPA does not require that corporations have a “legal basis” for collection and use of consumer data. Likewise, under CCPA, the transfer of personal information outside the US is unrestricted, and businesses are not required to appoint a data protection officer, though it is encouraged. Additionally, the right for California residents to access and expunge their own data is limited to information received within the past twelve months.
However, unlike GDPR, CCPA more broadly defines personal information to specifically include household information. Further, CCPA grants individuals the right to permanently opt-out of the collection and use of any personal data and requires that businesses provide consumers with a means of ensuring that a permanent opt-out capability is available both on websites and mobile applications.
The two policies also provide different approaches to the privacy rights of children. While GDPR requires that parents provide consent for the processing of their children’s personal information, CCPA strictly addresses the sale, rather than the processing, of children’s information and requires that businesses first obtain opt-in consent. Children are also classified differently in the context of these policies. In the EU, children are defined as under the age of 16, although member states can lower the age to 13 at their option. In California, parents must provide consent only for kids under 13.
The current state of data privacy regulations at the federal level is comprised of hundreds of laws that are primarily designed to address specific industries, such as healthcare or finance. These regulations are often mirrored or more closely defined at the state level. Likewise, in terms of enforcement, the Federal Trade Commission is empowered to protect consumers against unfair or deceptive practices. These deceptive practices can include a corporation’s failure to adhere to its own published privacy policies or its inability to secure consumers’ personal information, among others.
Since the implementation of GDPR and the passage and pending implementation of CCPA, Congress has renewed its interest in installing an overarching regulation to manage consumer data privacy in the US. As is often the case in Washington, both major parties agree that there is a fundamental need for policy but differ on their ideas for its design. It does appear that there is bipartisan agreement that any policy passed at the federal level would be primarily enforced by the FTC.
Although an all-encompassing data privacy bill has yet to be brought to the floor in Congress, it should be said that Congress has not been entirely unwilling to vote on more directional consumer protection policies. In 2019 alone, Congressional officials in the House and Senate have introduced bills including the Information Transparency and Personal Data Control Act, the Commercial Facial Recognition Privacy Act, the Digital Accountability and Transparency to Advance Privacy Act, the Social Media Privacy Protection and Consumer Rights Act, and the American Data Dissemination Act. Enfolded within these myriad bills are many, though not all, of the requirements found in GDPR and/or CCPA, and all would provide the FTC with the capability to impose and enforce penalties on violators.
In an increasingly digital world, the privacy of personal data is paramount. Now faced with more stringent regulations, businesses will need to ensure that they act with the best interests in mind of not only their stockholders but also their consumers.
7 Ways Digital Transformation Boosts Risk Management Efficiencies
Risk management in even a small organization can quickly consume more than the available time and resources. In a larger organization, it can be overwhelming. Achieving optimum efficiency is a must in order to mitigate risks, ensure resiliency and recovery, and function within a tight budget. Digital transformation is not just about technology; it is about reimagining risk management efficiency through dynamic databases and automation. Consider these seven ways that a digitally-transformed system dramatically changes how risk management tasks are performed.
1. Enter data once and use it anywhere.
Companies tend to have documents, spreadsheets, and databases used for risk management scattered in multiple places. Through digital transformation, it is possible to create a dynamic relational database that can serve as a single source of truth: an information foundation for the entire enterprise. This information foundation contains comprehensive risk management data about employees, facilities, applications, servers, vendors, processes, plans, and more. By eliminating siloed databases in favor of a single source of truth, information can be entered once and applied seamlessly across systems, greatly increasing operational efficiencies and ensuring data accuracy.
2. Build plans easier and faster.
Risk management plans multiply as businesses expand and new risks are identified. Developing new plans has traditionally been a time-consuming and cumbersome task, especially if no plan exists that can be used as a general guideline. But when companies work with a trusted partner to digitally transform their processes, plan development becomes easier and faster by virtue of the vendor’s pre-built libraries, checklists, and templates. An expert risk management vendor will have encountered innumerable risk scenarios and packaged that experience into time-saving tools that provide businesses with a structured approach to plan development.
3. Leverage modern technology.
Technology is transforming every area of business today – and risk management should not be the exception. Through digital transformation, companies can take advantage of modern tools and technologies that can change the way organizational risk management is done. For example:
- Automation capabilities that eliminate routine administrative activities
- Seamless integration with applications such as Salesforce as well as emergency notification systems, configuration management databases, situational intelligence, etc.
- Real-time updates to organizational data
- Enhanced methods of data capture, data collection, and data analysis
- Workflows to speed up and streamline business processes
4. Identify gaps readily.
It is very difficult for risk management personnel to detect missing, improper, or inadequate recovery strategies when faced with hundreds of different departments, functions, and applications. A risk management system can alert personnel to any risk management planning gaps that might appear as changes are made in applications and processes in various areas of the organization. In fact, it can not only identify gaps but can also prioritize where greater risks exist. For example, a robust system can differentiate between a critical business process that has gaps in its recovery capabilities and a lower-tier service that needs to be addressed.
5. Collect data from subject matter experts easily.
It can be tough to collect risk management data from experts spread across the enterprise. It is not uncommon to have to go back to the same expert multiple times to fill in blanks, which is frustrating for both the risk management staff and the expert. Digital transformation of risk management facilitates the process of gaining input from subject matter experts across the organization through customizable portals, user-friendly interfaces, and automated workflows and emails. Risk management staff can specify exactly what information needs to be provided, eliminating the need for repeated contacts with the subject matter expert. Plus, a good system will enforce consistent standards and best practices (for instance, through the use of dropdown menus), relieving risk management personnel of the responsibility to check and correct data entry.
6. Generate reports instantly.
Generating reports can consume hours every week at a smaller firm; larger firms may have staff dedicated to the task on a full-time basis. But with a strong risk management system, enterprise-level reporting is made easy. Because all data is stored in a single information foundation, reports can be run instantly to provide the data and insight necessary to make strategic decisions about risk management, resource deployment, and organizational resiliency.
7. Eliminate annual updates.
Everybody – risk management personnel, executives, and all other employees alike – understandably dreads the “annual update” process. Fortunately, massive updates that require the tedious manual review of global information to check for needed changes are eliminated when an organization embraces digital transformation. They are replaced with automated self-checks where the system regularly evaluates existing data across risk domains to identify where updates need to be made and then collects or solicits that information directly or sends an alert about the required update. Automated workflows and approval processes also serve to keep information accurate and up-to-date year-round.
Digital transformation is ultimately not about technology – it is about reimagining how business gets done. By boosting efficiency in these very practical ways, a digitally-transformed system can help risk management take a quantum leap forward. Rather than working endlessly on keeping the essentials of a program up-to-date, risk management personnel can leverage the full advantages of robust automation and modern tools, freeing them to focus on core and value-added activities that will systematically improve and strengthen organizational resiliency across the enterprise.
Automating the Flow of Information Across Risk Management
Up-to-date and accurate information is mission-critical for risk management. It was also next to impossible to achieve when Excel, Word, and SharePoint were the industry-standard tools, since documents became outdated almost as soon as they were created. The situation improved with the evolution of solutions such as business continuity software, crisis management programs, emergency notification applications, and the like. These tools often use automation to collect and update data on an ongoing basis.
Unfortunately, solutions all too often exist in silos sectioned off from one another. These walls prevent businesses from leveraging automation to collect, distribute, and analyze information from an end-to-end risk management perspective. This poses a barrier to top-level planning, management, recoverability, and resiliency.
Digital transformation is essential to integrate the full suite of risk management tools and allow automation to thrive across all areas of risk. Consider the following benefits of end-to-end automation:
- Information can be entered once and applied in multiple areas. People become irritated if they are asked to provide the same information time and again for various risk management functions. But if risk management systems are integrated through digital transformation, people’s expertise can be solicited once and applied seamlessly across systems, greatly increasing operational efficiencies and ensuring data accuracy.
- Huge and cumbersome once-a-year updates disappear. Massive updates that require the tedious manual review of global information to check for needed changes are eliminated with digital transformation. They are replaced with automated self-checks where the system regularly evaluates existing data across risk domains to identify where updates need to be made and then collects or solicits that information directly or sends an alert about the required update. Automated workflows and approval processes also serve to keep information accurate and up to date year-round.
- Enterprise-level reporting is made easy. If risk management tools and systems are siloed, global reporting is a challenge. With full integration, reports can be run instantly that provide the data and insight necessary to make strategic decisions about risk management, resource deployment, and organizational resiliency.
- Gaps that represent risk can be readily identified. It is very difficult for risk management personnel to detect missing, improper, or inadequate recovery strategies when faced with hundreds of different departments, functions, and applications. An integrated risk management system can do so automatically. It can not only identify gaps, but can also prioritize and locate where greater risks exist. For example, the system can differentiate between a critical business process that has gaps in its recovery capabilities and a lower-tier service based on the connectedness of the data.
Ultimately, digital transformation opens the door for automation that fundamentally changes how companies collect, manage, use, and act upon data. This automation enables businesses to work from a common operating picture, strengthen recovery strategies, and respond quickly and confidently to any crisis or incident.
Why Do We Manage Risk?
If it is to identify the potential for loss before it occurs, and be able to take appropriate actions to reduce or avoid loss, then the concept of resilience is fundamental to risk management.
After three or more decades of compliance-oriented risk management driven by regulatory requirements and industry standards, many enterprise organizations are now working to redefine their risk management programs to bring risk and resilience together.
Industry practitioners have found that simply trying to extend a compliance-oriented approach hasn’t worked. Allowing various functional groups or individual departments to develop their own siloed approaches has proven impossible to bring together into a coherent enterprise program after-the-fact. Simply reacting to audit findings is proving less tenable over time as the demands of corporate governance continue to grow.
It is encouraging to see similar recognition across regulators and standards bodies. Last summer, the Bank of England, in conjunction with the Financial Conduct Authority, issued a discussion paper on operational resilience highlighting the need for integrated programs. Other groups are also more formally addressing the challenge – achieving compliance doesn’t necessarily ensure that risk will be managed effectively nor that operations can be sustained at acceptable levels when risks materialize.
In the ever-growing compliance realm, many times what’s been missing is an organization’s ability to achieve and maintain resilience, ensuring that its people, assets, and processes are protected and preserving the trust it has established in the marketplace.
To address these issues and related challenges, Fusion recently hosted an Innovation Day, one of Fusion’s information sessions that bring leading industry practitioners together to focus on establishing effective operational programs. The common topic is the need to build an “information foundation” that addresses risk and resilience together from the beginning.
Building a Comprehensive Management System for Information Security
It is clear that increased scrutiny means a more rigorous and comprehensive process must be in place for assessing and managing risk. There is more pressure on companies to manage third parties efficiently.
That means tossing out the spreadsheets and doing away with legacy GRC solutions in favor of an integrated solution for an assessment and management process that incorporates third parties in broader risk management and resiliency strategies.
The solution must provide third parties with access to information, due dates, and standardized assessment work-streams through a secure portal designed with ease-of-use in mind.
When an organization brings third parties into the solution, with shared information and standardized processes, it establishes a higher level of control over vendor relationships; saves time and effort during the assessment process; significantly lowers risk exposure; enables better decisions; and improves accountability and oversight.
Vendors can log in and access questionnaires and assessments that address risk, impacts, dependencies, and compliance. This model provides for easier review, scoring, and analysis of that information so organizations can make the most prudent decisions possible about potential third-party risk.
An example of increasing the efficiency of the assessment and onboarding process is to automate the pre-risk assessment and scoping procedure that evaluates the vendor’s potential risk tier and determines the level of detail at which the company should vet that potential vendor.
Some vendors might be put through a complete assessment across many domains (information security, privacy, legal, compliance, and business continuity/disaster recovery) because they are handling sensitive customer or employee data.
Others might not undergo as intense an assessment because they are not involved in the processing or storage of sensitive data. Automating much of this activity speeds the process and lets internal team members focus their efforts on higher-risk providers.
Regardless of the level of scrutiny, including any vendor in enhanced third-party management allows an organization to develop, test and maintain contingency and crisis responses that consider impacts from any disruptions to those partners.
It dramatically increases visibility by providing metrics and reports that identify what processes are effective, and which require more attention. It also allows various departments within an organization to seamlessly collaborate on risk assessments across information security, legal, compliance, finance, and IT.
Between malicious hackers and rigorous privacy regulations, today’s business climate is fraught with risk. Now more than ever, companies must overcome challenges associated with managing third-party relationships that can result in unforeseen operational and compliance risks, threats to business resilience and loss of revenue and credibility.
A company cannot simply have internal risk management and resiliency measures in place and assume they are protected. Industry has seen time and again that third parties who are not fully vetted, and do not undergo a rigorous risk assessment process, can do as much damage to a company as an internal failure.
Accountability does not stop within the walls of an organization — it can extend to a partner on the other side of the world. And, if the security and data management processes of third-party service providers are not complete, consistent and compliant, then neither are an enterprise’s.
Extend Your Community with Fusion
Communities of occasional users can provide meaningful information and act far faster when the right system is put in place. These communities are made up of the knowledge experts, the operational specialists, and the trusted vendors that are part of your extended organization.
The occasional users will thrive when you provide a personalized experience that only gives them what they need. The result will be subject matter experts and frontline workers contributing key information directly that allows you to fully understand the organization and manage effectively.
But for a community to be trusted, the information pathway must be secure. And of course, information must be easy to contribute and retrieve so that broad groups can take part without any friction. Automation must drive action to keep a diverse community operating as a unit.
The whole system must seamlessly connect your communities to the information foundation you are building. By integrating information directly, you can reduce effort and errors in translating or reentering data. This also allows you to trigger immediate responses automatically to mitigate risk and drive action with ease, as no time is lost with information immediately available in your core system.
With the right technology at the center, risk managers, business continuity managers, and IT managers are reaping the benefits of extending access to key information to various communities that contribute and share information to better manage risk in a completely secure way. And by building on the central information foundation, each community can interact across communities when it makes sense.
Communities that are important to a risk manager can come in many forms, and constituents may be part of multiple communities at once:
- Vendors who are looking to achieve or maintain trusted vendor status
- IT disaster recovery exercise participants
- Departmental business continuity plan users
- The entire enterprise, which needs a way to share situational intelligence or receive alerts related to safety and security
- Executives and managers who need to approve program deliverables on a timely basis
A large banking customer has defined a community encompassing their vast IT organization as occasional users of the risk system, with the aim of having them participate in full-day IT recovery exercises. The community can contribute to plan building, submit issues or improvement suggestions, and even be assigned follow-up work so improvements are tracked and completed.
Another consumer financial services company has defined a community around policy adherence, allowing two-way communications through a simple application when policy managers need to communicate about specific findings. Data flows directly to the core risk system to trigger workflows and impact metrics.
A major retailer has established a vendor community as part of their third-party management program where vendors respond directly to security assessments and then stay engaged once they are approved. Engagement beyond the initial assessment includes receiving electronic sign-off requests on adherence to changing policies, participating in business continuity exercises, and being called to action during an incident to keep the companies operating successfully together. Because everything is integrated, alerts about important changes can reach exactly who needs to know virtually immediately.
Establishing these communities meant configuring a portal to access controlled pieces of the risk system directly and integrating selected capabilities and building blocks to fit each group’s needs. Having the right system makes the process easy and creates an engaging experience so users contribute and receive information easily. The result for the risk manager is much greater insight and the ability to impact outcomes with more complete information. The alternative is going backwards and ignoring the importance and power of engaging communities directly.
Ready to learn more about how to engage your communities? Check out our Community Connector.
6 Keys to Success for the Continuity Risk Management Practitioner
For decades, “having a plan” was synonymous with business continuity success. There are many reasons why that notion came to be the accepted standard. Unfortunately, it wasn’t true then, and it certainly is not true today. Business continuity management is the business process of managing and responding to risks that can result in the disruption of an organization’s ability to continue to deliver its products and services to the market. It’s hard to imagine a “plan” suffices in support of something this fundamental.
The illusion has been that a plan equals being prepared. The reality is that few people report using a plan “as planned.” The primary value of a business continuity plan is that, in theory, it contains the information and guidance necessary to support and direct response activities. Unfortunately, a “plan” has taken the form of a document that is too often outdated, inaccurate, or too cumbersome. A document is an ineffective organizing principle for capturing and accessing the information necessary to support a leadership team, especially at a time of crisis.
Business continuity success depends on first embracing the concept of preparation over planning. Similarly, a successful business continuity manager is more valued because the product of his/her work effort is an organizational capability and strength rather than a document. There are six keys to success for any business continuity manager individually and for the company they represent:
- Knowledge – Very few people truly know how an organization works, how it might break, and how it can be protected. Information is at the core of knowledge, and the successful business continuity manager has the facts at their fingertips.
- Organization – It can be difficult to put knowledge to work if you are not very organized. Organization is a force multiplier. It sets the foundation to leverage knowledge more effectively and efficiently.
- Resourcefulness – Resources are always limited. Even more so at a time of crisis. There is a huge difference between resources and resourcefulness. The resourceful business continuity manager is more creative, innovative and effective. They’re more about getting things done with what they have than letting a shortage of resources paralyze them.
- Judgment – By definition, risk management initiatives often run counter to the prevailing energy of the organization. Successful business continuity managers are realistic and use sound judgment, careful to use limited funds and resources wisely.
- Emotional Intelligence – There is a place and time for everything. The successful business continuity manager is able to engage stakeholders because they have been able to fit their agenda more effectively into the primary motivation of their constituency.
- Communication and Collaboration – Organizations are complex organisms, and it can be very difficult to communicate in the best of times. At a time of crisis, collaboration is at a premium, and the successful business continuity manager has cultivated the relationships to become uniquely qualified to bring the organization together, leveraging their knowledge, organization, resourcefulness, judgment, and emotional intelligence.