by Ken Murphy
When Hurricane Sandy ravaged the East Coast late last month with devastating winds and record storm surges, the issue of risk management suddenly became very real to both people and companies in the region. While planning for catastrophic natural disasters is only one part of any comprehensive risk management strategy, it sure rises up the priority list when the storm is right outside your window, the power’s knocked out and flood waters rise. Suddenly, it’s easy to see why the human element is an important part of any company’s disaster plans.
Sandy hit just a few weeks after SAPinsider focused on Governance, Risk, and Compliance (GRC) for its October Special Report, so the issue was fresh on my mind when the storm blew through. Many of the Special Report partner articles were prescient in their discussion of issues that pertained – sometimes on a frightening scale – to the people, businesses and industries most affected by the storm.
One partner, for example, describes a hypothetical situation of an attack at a remote power substation and asks readers to ponder the possible scenarios arising from such an attack: “What are the economic, health, and safety costs of delayed action in preventing or mitigating the effects of a power outage due to equipment failure, sabotage, or error?”
Mitigating the effects of a power outage, as it turns out, became one of the most indelible images of Sandy coverage when failed backup generators at New York University’s Tisch Hospital forced the evacuation of hundreds of patients, including nearly two dozen infants from the NICU.
This gets to the heart of what Norman Marks, Vice President and Evangelist for Better Run Business at SAP, discusses in the SAPinsider Special Report: operationalizing risk management. Whether it’s a mega-event or a daily decision, a top-to-bottom organizational approach that keeps risk management aligned with business strategy and that addresses operational processes must be part of a comprehensive and effective risk management strategy regardless of the technology platform in place. This approach, Marks says, is for all facets of risk management, from natural disasters to financial risks to operational errors that can often lead to the most damage.
Marks notes a recent report on the banking industry that reveals operational failures – “the failures of people and processes on a daily basis” – are more likely to cause serious damage to a bank than the risks that banks have historically focused on, such as credit and market risks.
Avoiding this scenario depends on doing away with a siloed approach to risk management. “The people responsible for managing risk should be the same people responsible for managing performance,” Marks writes. “You can’t manage one without the other.”
Having only seen images and read accounts about the pressure-packed, life-saving NICU evacuation, I can’t speak intelligently about the technology platform the hospital had in place, but if they didn’t have an organizational approach or appreciation of risk management before Sandy, they likely do now.
With the storm raging, flood waters rising, and power and backup generators knocked out, the power of a comprehensive organizational approach to risk management, where everyone has their job to do, became clear. If they hadn’t been briefed on risk management processes before the storm, hospital personnel didn’t show it, successfully evacuating patients in conditions that had to have been difficult to plan for. Infants on life support required five people to evacuate: three to carry the incubator down nine flights of stairs – in the dark – and another two to deliver life-saving measures usually performed by now nonoperational respirators.
Marks writes about how day-to-day employee failures pose risks to an organization. Technology aside, we see from the NYU Tisch Hospital evacuation how an organizational approach to risk management can instead lead to success. Tisch employees shared a common business objective: the safety and well-being of patients. When disaster struck, everyone from the janitors to the top surgeons made that vision a reality.
You can read more about the SAPinsider Special Report on GRC, including Marks’ “A New Risk Management Mandate” here.