Risk management challenges facing multinational organisations.

Businesses are becoming increasingly vulnerable to a wide variety of risks as companies become more international and the speed of development in technology and e-commerce gathers apace. Public and regulatory interest in business and corporate governance have been given a sharper focus through a series of high profile failures over recent years, including the collapse of the Bank of Credit and Commerce International (BCCI), the Barings trading disaster and the Maxwell business mismanagement.

More recently, increased dependency on technology has presented new risks that have resulted in some well-publicised incidents: computer hackers obtaining credit card information from Visa and PowerGen, the London Stock Exchange failure, the Love Bug virus, the Barclays problem with access to confidential client information, plus a spate of critical computer thefts in the City of London. As the Turnbull Report, published last year, warned: “The increasing reliance on technology has created risks which will only increase with the growth of e-commerce. These could have a significant impact on businesses such as extreme financial loss, commercial embarrassment or regulatory implications.”

The problems are multiplied for multinational organisations, with mission-critical applications spanning time zones and national borders. International businesses are more vulnerable as they operate under different conditions, in different environments, relying on a larger number of suppliers with differing procedures and standards of service.

Key issues affecting risk in international companies include differences in infrastructure, language, culture, service standards, staff quality and training, outsourcing facilities, and local environmental conditions.

Then and now...
For many years, the computing resources of most enterprises were located in a secure, probably bomb-proof, building, which housed the organisation's mainframe along with a massive array of hardware components. An army of technicians and programmers was responsible for keeping this complex computing environment and its many programs running, in addition protecting the hardware, software and data from failures and losses attributed to power supply problems. Business was such that a company could tolerate an occasional 24-hour outage.

Today, our working environment has changed with the advent of desktop computing, the networking and internetworking of computers, and the shift to an information-based economy. Computing equipment, programs and information resources are no longer maintained in centralised locations. With the boom of e-business, many of today's businesses rely heavily on instantaneous, round-the-clock access to electronic information in order to operate, and a software, hardware or power supply problem can quickly bring a company's operations to a halt. Multinationals today use a huge range of custom and off-the-shelf applications. They are often run across the web and sometimes on systems controlled by suppliers or customers. Because they support vital business functions, if there is a crash the systems must be brought back up in minutes rather than hours, and no business can afford to have its system down for days. But different regions of the world differ widely in the quality of physical recovery sites and the quality of staff at those sites, according to IT managers.

For manufacturers there is another dimension. With many multinationals having a single manufacturing source for a product, a problem in one country can have a knock-on effect in many others.

Reputation risk
Reputation is an asset that needs to be managed proactively. Many companies have realised that the scrutiny under which business operates today and the amount of information in the hands of consumers and other external parties, makes reputation a vital asset, and for some industries the most important. These days, organisations need to look at a variety of issues beyond public relations programmes. Specifically, companies need processes that will identify vulnerabilities and help prevent problems from arising.

Think globally, act locally
Within a global organisation, some operations will be fairly small and others fairly significant in size. A standard business continuity plan might be overkill for a small location but grossly inadequate for a large facility. An organisation needs a proactive and systematic approach to identify external issues that could affect it, and a process of casting a look internally and examining processes, procedures, policies and issues that could impact and damage the company's reputation.

Ideally this should incorporate:

  • a communication language that is easy to understand and is flexible;
  • a positive and proactive risk management culture within all levels of the organisation including peripheral businesses;
  • a system which can be expanded to monitor changes in the company ‘environment'; and
  • a global/local system, serving the needs of the different parts of the organisation.

    The biggest challenge is often making senior management aware of the critical nature of technology. Managing critical dependencies in power and communications is not something that can be left to the technicians. Dependencies often arise out of the interplay between business plans, process design and systems architecture which means that senior managers must be involved in risk identification as well as risk management solutions.

    Dependency modelling (DM) is a methodology which uses top-down, goal-oriented logic to build relevant, realistic models which can be easily translated into actionable reports. It works the opposite way round to many risk management tools; rather than attempting to isolate those things that could go wrong, it is based on a model of those things which must go right in order to ensure continuity within the business environment.

    DM enables analysis of the corporation, the company, the department, the project or any combination of those elements. It shows how every detail of the structure is dependent upon the others, identifies weakness and the consequential effects of that weakness, and demonstrates the effectiveness of potential countermeasures. It will qualify and quantify proposed changes.

    DM's traffic light nomenclature is easy to understand and provides an effective audit trail: problem areas putting the business at risk (red); identified risks under effective control (amber); and situations where there is no or very low business risk (green).

    The great strength of DM is the simplicity of its logic and the power of its reasoning. Strategic planning will quickly take on a new sharpness as your mind reflects the ‘dependency logic' which DM uses. In effect, dependency modelling is a complete philosophy – use it well and it can achieve the impossible. You decide upon the parameters and DM does the rest.

    Cultural issues
    In so many organisations, the business continuity policy sits on a shelf gathering dust. This can be avoided through the development of a positive risk culture. Achieving this requires the involvement of in-house staff and third-party suppliers in the development, implementation and day-to-day management of policy. Risk culture workshops held locally allow risk issues to be raised, discussed and recorded. Used in conjunction with dependency modelling, an organisation can effectively identify and monitor changes in the internal and external environments.

    The vulnerability of the organisation that has no effective policy should keep all executives awake at night. Being on top of business continuity issues brings benefits which, like peace of mind, cannot be measured. But what can be quantified are the operational savings, the minimisation of costly risk and the enhanced reputation that come from running a business that does not make mistakes.