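The Global Association of Risk Professionals (GARP) is committed to providing risk education and the latest industry information to people at every level of the risk management function, including risk practitioners at major financial institutions and staff at regulatory bodies. The GARP China WeChat official account will continue to republish articles from the "GARP Risk Intelligence" series, covering how technology, corporate culture and governance, energy and other fields affect operational risk, credit risk, market risk and asset-liability management. Let us together understand risk comprehensively, guard against it, and resolve it.
Combining two seemingly unrelated things to create something better and more useful is often the cornerstone of innovation. Think of products such as the clock radio or wheeled luggage, or of putting meat between two slices of bread to make a sandwich, and you will see how effective this approach to innovation is.
The same approach can be applied in business, particularly when protecting a company's operations from risk. Many companies treat risk management and business continuity as two tasks within the same workflow. Traditionally, business continuity starts with a business impact assessment, but many companies do not go beyond that step: even once they have determined what could go wrong, they fail to make tactical plans or strategic decisions to reduce the impact, which is undoubtedly a mistake. For better results, the two must be combined and adapted to each other. The "bowtie" model may be a powerful tool for helping us reach that goal.
The Wrong Approach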
Business continuity traditionally starts with a business impact assessment, but many companies don't go beyond that, making no tactical plan or strategic decisions on how to reduce impact once they have identified what could go wrong.
The risk management process has been more mature, identifying various ways to treat problems, assigning them to someone, and trying to reduce the likelihood of the event occurring, but not doing much to reduce the impact of the event.
Organizations must move beyond simplistic goals of creating a business continuity plan using legacy business continuity/disaster recovery tools, or demonstrating compliance to a standard or policy using legacy governance, risk management and compliance software tools. Those approaches incorrectly move the focus to, “do we have our plans done?” or create a checklist mentality of, “did we pass the audit?”
Differences Between Businesses Call for Different Solutions
In addition to legacy approaches, benchmarking must be avoided, because it can provide misleading conclusions about acceptable risk and appropriate investment, and create a false sense of having a competitive advantage over others in the industry. Even companies in the same industry should have their own ideas about what constitutes risk, because risks are driven by business strategy, process, how they support customers, what they do, and how they do it.
Take the retail industry. Two organizations may sell the same basic product – clothing – but one sells luxury brands and the other sells value brands. The latter store's business processes and strategies will focus on discounts and sales as well as efficiencies in stocking and logistics. The former will focus on personalized service and in-store amenities for shoppers. These two stores may exist in the same industry and sell the same thing, but they have vastly different types of merchandise, prices and clientele, which means their shareholder value and business risks will look very different from each other.
Businesses need to understand levels of acceptable risk in their individual organization and map those risks to their business processes, measuring them based on how much the business is impacted if a process is disrupted. By determining what risks are acceptable, and what processes create a risk by being aligned too closely to an important strategy or resource, leadership can make rational decisions at the executive level on the extent to which they invest in resilience – based not on theory, but on reality.
The Bowtie Model

Source: ASQS
Using the bowtie model, organizations can appropriately marry business continuity and risk management practices.
The bowtie model – based on the preferred neckwear of high school science teachers and Winston Churchill – uses one half of the bow to represent the likelihood of risk events, and the other half to represent mitigation measures. The middle – the knot – represents a disaster event, which may comprise disruptions like IT services going down, a warehouse fire, a workforce shortage or a supplier going out of business.
To use this model, first, determine every possible disruption to your organization through painstaking analysis of your business processes. Then determine the likelihood of each disruption (the left part of the bowtie), as well as mitigating measures one can take to reduce the impact of the disruption should it occur (the right part of the bowtie).
The mitigating measures are especially key here, as they aren't always captured in traditional insurance- and compliance-minded risk assessments. Understanding mitigation measures as well as the likelihood of risk events can change perspectives on how much risk an organization can take, because the organization then will understand what its business continuity and response capabilities are.
Mitigation methods like being ready to move to an alternate workspace are more realistic than trying to prevent events entirely; at some point, you can accept the risk because you know how to address the impact.
Why Does the Combined Model Work?
Where risk management struggles is where business continuity can shine: understanding what creates shareholder value, what makes an organization unique in its industry among its competitors, and how it distinguishes itself. Alternately, risk management brings a new perspective to the idea of business continuity by focusing on types of disruptions, their likelihoods, and how to prevent them.
To create a panoramic view of where an organization can be harmed if something bad happens, businesses must merge the concepts of business resilience (dependencies, impacts, incident management and recovery) and risk management (assessment, controls and effectiveness) and optimize them.
Bringing the two views together and performing holistic dependency mapping of the entire ecosystem allows an organization to treat both as a single operational process, bringing data together to create actionable info (based on the “information foundation” the company has created about impacts to business operations that can result from a wide variety of disruptions and risks) to empower decisive actions and positive results.
Using the bowtie method to create this holistic view, companies get the best of both worlds. They ensure they understand the possibilities of various disruptions, are taking steps to mitigate the possibilities of disasters, and have prepared responses to disasters should they strike. This approach to risk management will help keep a business up and running and ensure greater value for shareholders – this year and in years to come.
Robert Sibik is a senior vice president at Fusion Risk Management. This article has been abridged.
Source: 金程FRM. For more content, follow the WeChat account 金程FRM. Original article; sharing is welcome. If you quote or republish it, please retain this notice.





