Why is CERM so important?

What costs UK business £63 billion a year in unforeseen losses? Unplanned ICT outages.1 So what can be done to avoid catastrophic failure of engineering infrastructure and the resulting impact to business? Enter Critical Engineering and Risk Management (CERM).

The ever-increasing demands of customers, combined with the need to sustain competitive advantage in a global economy, have driven a pace of change that today's business has never experienced before. Challenges of 24/7 accessibility, speedier service and the drive for lower costs mean significant technology and communications investments are necessary to stay ahead. Add the result of global terrorism, the failure of trusted household names such as Enron and Worldcom, and the proliferation of international regulations such as BASEL II and Sarbanes-Oxley and the landscape is vastly different.

These changes are further centralising the role of technology in corporate strategy and increasing a company's dependency on information and communication systems, and the engineering infrastructure that supports them. One does not have to look too far for evidence that this is affecting the world of FM in the design and day-to-day operation of increasingly complex buildings.

However, it appears widely unrecognised by risk managers and boardrooms just how much risk there is for business disruption caused by the engineering infrastructure. At a recent 2005 business continuity seminar there was not one agenda item relating to operational risk in an engineering infrastructure sense, and the hall of exhibitors had a notable absence of engineering service providers. One could assert that this is a combination of failure of the 'risk industry' to recognise the potential for the immediate and catastrophic impact associated with infrastructure failure.

This combines with the relatively high probabilities of this happening in heavily technology-dependent businesses with traditional maintenance approaches. It appears that boardrooms sit in relative comfort, thinking that the engineering aspects of their operational risk profile are the most tangible and controllable risks they face. Take Reuters, who according to media reports were offline for ten hours following a power outage and unable to provide the market data that is their core product.

Share prices suffer from engineering complacency and under-investment, and the traditional mechanical and electrical services tender process drives out costs by encouraging savings in the most intangible yet critical elements of service design. Engineers' holidays and training are simple examples: these may be easy short-term savings for hungry contractors eager for new business but they will expose the client to long-term risks associated with increased staff attrition and low levels of critical engineering competence.

As with business continuity planning (BCP), investment banks are leading the way in managing their critical engineering systems. Banks are also adept at planning to meet the future challenges posed by increasing infrastructure complexity, even in the face of the common conflicts between IT and FM departments. Building owners and management should network with facilities staff and executives from this group to add a new perspective on engineering risk management and battle to convince core business leaders that these non-core functions require continued levels of significant investment, even in the face of competitive costs pressures.

Combine the above challenges with the increased 'risk awareness' that now permeates boardrooms, and what you get is a new horizon for the management and audit of 'operational risk'. A 2005 study by the Chartered Management Institute2 found that 70 per cent of respondents had concerns about IT systems failures and 64 per cent had concerns about communications failures. Actual disruptions continued a similar trend with 41 per cent of IT disruptions and 25 per cent of communications disruptions. Only 6 per cent of respondents to a BCI survey selected loss of power as their biggest threat but this is understandable in the current 'terror focused' geopolicitical context.

Why is Critical Engineering and Risk Management (CERM) important? Simply put: no power or cooling = no communications or IT = no business. The question is, then: What can I do to avoid catastrophic failure of my engineering infrastructure and the resulting impact to my business?

Much of the written work on this subject relates to the design phase of a project and indeed many high-profile engineering projects, especially in the US, now highlight specific design risks through the requirements of Sarbanes-Oxley or the unique demands of risk aware boardrooms. For 'live' operations, the situation is different. A traditional mechanical and electrical maintenance services partner may not be equipped - or have the right culture - to deliver the five fundamental pillars (Figure 1) of CERM, namely:

• Focus;
• Consistency;
• Compliance;
• Visibility;
• Learning and improvement.

Figure 1. The five pillars of CERM.

A new model

Although the elements above intend to provoke thought and evaluation of your current approach, it is important to select a service provider that recognises the redundancy of traditional maintenance and is willing to work closely with you to implement a completely new model. What should be clear to you is that it is not enough to rely on systems and processes. Our research shows that a very high percentage (31 per cent) of business impacts are caused by human error and these and many component or system failures can be avoided through promotion of the right behaviours and culture. This takes time, and when implementing a new CERM model - depending on the starting point - it can take up to two years to change to the desired state. Systems alone can be implemented by a proficient operator in as little as three months.

Following are five recommended steps, which when followed would reduce your exposure to engineering infrastructure risks.

Five steps to peace of mind:

1. Be clear what you want to achieve and set SMART targets;
2. Choose a CERM aware partner;
3. Realign your maintenance model (pillars);
4. Drive hard on the 'soft stuff';
5. Review formally on a regular basis.

References

1. In a survey commissioned by Microsoft.
2. CMI, Business Continuity Management, 2005 - 440 respondents.
3. Business Continuity Institute (BCI) in conjunction with IMP Events and sponsored by Hitachi Data Systems, 13-18 March 2005.

< Prev		Next >