How to Talk to Your CEO About ERM
How to Talk to Your CEO About ERM Presented to: The Association of Continuity Professionals September - 2016 1 Copyright Donald Byrne - 2016
Lots of Material to Cover
Start With Terminology
Language is confusing and its misuse can be dangerous during a crisis.
American English, World’s Largest Language
• Great for poets and writers.
• Tough on lawyers and international treaties and regulations.
• ISO has dropped the term “stakeholder” and replaced it with “interested party.”
Take the Word - Hazard
• There are approximately 62 synonyms for this term.
• Some of them are:
  § Danger
  § Threat
  § Risk
all of which represent very different concepts.
Hazards: Events That Pose a Danger
A snow storm is a danger. But not in Miami.
Threats: Events That Pose a Danger to You
Risks Involve Uncertainty
“Something doubtful or not known with total confidence.” Uncertainty is definable, bounded, and measurable.
Where Risk Comes Into Play
Measurable doubt that carries a consequence. [1]
[1] Dr. Frank Knight: University of Chicago - Risk Uncertainty and Profit (1921)
An Increasingly Popular Term
Another Term - Resiliency
• Defining resiliency is like nailing Jello to the wall.
Technical Definition
Originally a term used in Material Science
A Good Example
One Way to View the Concept of Resiliency
It’s the shock absorber built into the business plan!
More on Resiliency
Potter Stewart, Associate Justice of the United States Supreme Court:
“I shall not today attempt further to define the kinds of material I understand to be embraced within that shorthand description ["hard-core pornography"]; and perhaps I could never succeed in intelligibly doing so. But I know it when I see it, and the motion picture involved in this case is not that.”
Jacobellis v. Ohio (1964)
Sometimes It’s Obvious
An Emergent Property
Other examples:
• Health
• Safety
• Quality
CEO Profile
CEO Concerns – Truly an Out Look
CEO:
• How will the shareholders react?
• What will this do to our culture?
• What will the regulators do?
• How will the community and market react?
• What will the Board think?
• How will the lawyers react?
Executive Team: “How will it affect profits?”
Middle Management: “What does this mean to my department?”
Knowledge Workers: “What does this mean to my job?”
“Why Should We Care?” 3 Reasons
1. Key role BCM and CM play in protecting vital assets
2. Impact on valuation
3. Mandated compliance
Be Ready to Answer 3 Questions
• What should I do?
• How should I do it?
• Why should I do it?
#1 - The Role of BCM in Business
Protection of Intangibles is Essential
Studies by the Brookings Institute show a change in the contribution of various assets to corporate valuation.
• 1982 - 68% tangible assets
• 1992 - 38% tangible assets
• 2002 - <15% tangible assets
Consider the valuations of:
• Google
• Apple
• Facebook, etc.
#2 - Crisis Management and Valuation
Facts
• After initial reflex (10 days), market begins to assess company’s response.
• Study of twenty-two companies over a 9 month period after a disaster occurred
• 22% difference in share price
• Study extended to 3 years – 33% to 40%
[Chart: Cumulative Abnormal Returns (%), i.e., change in market cap adjusted for market movement, against Trading Days After the Event; series: Effective Crisis Response, Ineffective Crisis Responses]
Source: “The Impact of Catastrophes on Shareholder Value,” Rory F. Knight & Deborah J. Pretty, Templeton College, University of Oxford, p. 3.
Challenge
• On average a crisis occurs every 4.5 yrs
• On average a CEO’s tenure is <5 years
The ability to manage a crisis is vital to:
• Shareholder value
• Long-term brand value
• Customer loyalty
• Employee retention
Other Studies
• “The Impact of Catastrophes on Shareholder Value” - Rory Knight & Deborah Pretty
• “The Effect of Supply Chain Disruptions on Long Term Shareholder Value” - Kevin Hendricks and Vinod Singhal
• “Companies on risk. The benefits of alignment” - Ernst & Young
#3 - Some BC/CM Practices Are Mandatory
They are the law!
• Compliance is an everyday responsibility.
• Every day, the environment gets more complex!
The Challenge: Regulations Are Equally Applied
Take the U.S. as an Example:
U.S. Example - Continued
Laws Passed Annually by U.S. Congress. Total = 292,798
[Chart: laws passed per year, 1973 to 2015]
As reported by https://www.govtrack.us/congress/bills/statistics
The Number of Agencies Continues to Grow
> 4,000 federal employees enforcing these laws
Administrative Law, Rules, Regulations
Other Agencies Also Set Rules
16 CIKR Industries (Non-Government)
Each CIKR Has One or More Regulators
Level of Compliance Differs by Industry
* This graphic is for illustration purposes only and not meant to be a precise representation
How Are You Tracking Legislation?
[Graphic; labels: Some Conclusions; BC & CM; Rules; Reports; Statutes; Filings; FINRA 4370; NERC Reliability Standards; Electrical Safety Code; USA PATRIOT Act; HIPAA; OSHA 29 CFR - 1910; FFIEC Appendix G; Paperwork Reduction Act; NFPA 5000; SOX; SEC 17a; SQF 2.1.6.3; Gramm-Leach-Bliley]
“Pop Quiz”
Who will decide if…
… you have a quality business continuity plan?
… you trained your fellow employees adequately?
… you met the “standard of care?”
… you have any liability?
… you are prepared?
A. Your Shareholders?
B. The Board of Directors?
C. DHS/FEMA?
Answer “D”
The 1st World Trade Center Attack
Landmark Case
• The victims of the 1993 World Trade Center bombings sued the Port Authority of New York and New Jersey for damages.
• A decision was handed down in 2006, assigning liability for the bombings to the Port Authority. The decision declared that the agency was 68% responsible for the bombing, and the terrorists bore only 32% of the responsibility.
• In January 2008, the Port Authority asked a five-judge panel of the Appellate Division of the New York State Supreme Court in Manhattan to throw out the decision, describing the jury's verdict as "bizarre.”
Final Outcome
On April 29, 2008, a New York State Appeals Court unanimously upheld the jury's verdict.
WHY? Under New York law once a defendant is more than 50% at fault, he/she/it can be held fully financially liable.
Explaining Value to Your CEO: The “Elevator Pitch”
Getting and Holding Executive Attention
1. Risk Management
2. Regulatory Compliance
3. Reduced Liability
4. Improved Valuation
5. Better Supply/Demand Chain Management
6. Effective Governance
7. Enhanced Public-Private Partnership
8. Corporate Social Responsibility
9. Offsets Cyber Threats
10. A Tool for Reputation Management
Public Sector Concerns
1. Resilient Communities Mean Job Creation
2. Grow/Maintain the Tax Base
3. Net Contributor of Resources
4. Counters the “Brain Drain”
5. Stronger Supply Chain
6. Citizen Satisfaction
7. Quality of Life Enhancements
8. Social Responsibility
9. Cyber Security
10. Other Mission-driven Goals
To Succeed Requires Credibility
Adoption of Standards
• Standards provide a level of confidence and comfort
• Businesses will develop sophisticated justification models
Value of Certification
1. Independently Tested – Impartial Framework
2. Principles and Practices are Current and Maintained
3. Repeatable Process with Measurement Criteria
4. Helps Eliminate Ambiguity
5. Predictable Outcomes Associated with Levels of Achievement
6. Recognized Internationally as a Commitment to Excellence
7. Makes Benchmarking and Comparisons Easier
8. Sets an Expectation for Continuous Improvement
9. Forms the Basis for Good Management Practices (e.g., PDCA)
10. Offsets One of the Biggest Threats – Information Risk!
Other Sources of Credibility
Global Impact of BC/CM Standards
http://www3.weforum.org/docs/Media/TheGlobalRisksReport2016.pdf
2016 Projections
http://www3.weforum.org/docs/Media/TheGlobalRisksReport2016.pdf
Some Closing Thoughts
How Soon?
The works of two authors:
• Malcolm Gladwell: The Tipping Point
• Geoffrey A. Moore: Crossing the Chasm
Example 1: The Telephone
[Chart: axes “How Used” (Non-Specific, Identified Use, General Operations) and “Argument Type” (Soft $, Hard $, Obvious Value, Ubiquitous (None Needed)); labels: Limited Use; Market Penetration; Culture Shift; Multi-functional & Indispensable Business Tool]
Example 2: The PC
[Chart: axes “How Used” (Non-Specific, Identified Use, General Operations) and “Argument Type” (Soft $, Hard $, Obvious Value, Ubiquitous (None Needed)); labels: The “Killer App”: Spreadsheets, Word Processing, Others; Entertainment & Education; Culture Shift; The Internet; Fabric of Society]
On the Horizon – A Preparedness Shift
[Chart: axes “How Used” (Non-Specific, Identified Use, General Operations) and “Argument Type” (Soft $, Hard $, Obvious Value, Ubiquitous (None Needed)); labels: Insurance; Optional Commitment; Disaster Recovery; Committed Resources; Dedicated Technology; Culture Shift; Continuity of Operations; Budgeted Line Item; Resiliency; Operationally Pervasive; marker: “We Are Here”]
An Example of a Developing Meme
What’s Next?
The Next Wave - Adaptability
There Is A Lot More To Say!
I Hope I Cleared Up Some Confusion
Help You Feel Better Prepared
On-going Process
The Good News
Making Progress, But More to Do!
Remember, You’re Not Alone!
We’re Done!
Safe Travels Home
How to Talk to Your CEO About ERM
Don Byrne
September - 2016
METRIX 411, LLC
dbyrne@METRIX411.com
(603) 714 4206