Abstract
Risk management is a decision-making process involving considerations of political, social, economic and engineering factors with relevant risk assessments relating to a potential hazard. In the last decade, a number of risk management tools are introduced and employed to manage and minimize the uncertainty and threats realization to the organizations. However, the focus of these methodologies are different; in which companies need to adopt various risk management principles to visualize a full picture of the organizational risk level. Regarding to this, this paper presents a new approach of risk management that integrates Hierarchical Holographic Modeling (HHM), Enterprise Risk Management (ERM) and Business Recovery Planning (BCP) for identifying and assessing risks as well as managing the consequences of realized residual risks. To illustrate the procedures of the proposed methodology, a logistic company ABC Limited is chosen to serve as a case study Through applying HHM and ERM to investigate and assess the risk, ABC Limited can be better evaluated the potential risks and then took the responsive actions (e.g. BCP) to handle the risks and crisis in near future.
Keywords
1. Introduction
Risk management is the decision making process that takes into consideration political, social, economic and engineering factors with relevant risk assessments relating to a potential hazard (Absolon, 1994; Jeynes, 2002). It allows the development, analysis and comparison of regulatory options as well as the selection of the optimal regulatory response for safety from that hazard. In order to provide an effective platform for practitioners on utilizing these risk management principles efficiently, a large variety of tools and approaches are introduced in the last decades. For example, Hierarchical Holographic Modeling (HHM) is one of the well-known approaches in risk identification (Haimes et al., 1995) whereas Enterprise Risk Management (ERM) is a systematic approach to managing risk (Meier, 2000). However, the focus of these methodologies are different (e.g. HHM focuses at general risks and ERM focuses at enterprise risks); thus, it is realized that companies need to adopt several risk management principles to visualize a full picture for organizational risk level.
In recent years, several researchers proposed that integration of risk management methods is a new generation to improve achievement of their objectives and to generate better information for decisions (Cha et al., 2008). Concerning there is sheer volume of principles, it is, however, difficult to determine which methods can best fit to each other. Therefore, this paper intends to propose a new methodology of combining three different risk management models, namely HHM, ERM and Business Recovery Planning (BCP) to identifying and assessing risks as well as managing the consequences of realized residual risks. Furthermore, the information shared among these methods can clearly complement each other; and the results of the poposed hybrid risk managmement methodology have been demostrated poistively as illustrated in the case study of a logistic company.
The rest of this paper is organized as follows: Section 2 introduces the current methodologies of risk management. In Section 3, a hybrid risk management methodological approach is presented through a case study in a logistic company. Finally, Section 4 discusses the findings and concludes the paper.
2. Background to Risk Management Methodologies
2.1. Hierarchical Holographic Modeling (HHM)
In the risk management concept, Hierarchical Holographic Modeling (HHM) is mostly used in the real world. HHM is the generalization of concept of Hierarchical Overlapping Coordination (HOC) (Haimes, 1981). HOC considers the decomposition and coordination problems of scalable and complex systems, which the structure have more than one hierarchical overlapping structure. The risk in each systems may have own risk. The hierarchical control of risk and ultimately determine the risks of overall system have a harmonizing effect to subsystems.
HHM emphasizes the two or more multiple views from difference characteristics. By analyzing systems along functional, temporal, modal, geographic, political etc., one can develop a list that identifies sources of risk, with respect to all aspects of the system. Haimes (1998) detailed these advantages of hierarchical decomposition:
Decomposition methods can reflect the internal hierarchical nature of large-scale systems
Trade-off analysis can be performed among subsystems and the overall system
Through decomposition, the complexity of a large-scale multi-objective system can be relaxed by solving several smaller problems
Adds both robustness and resilience to modeling by capturing various systems aspects and other societal elements
Adds more realism to the entire modeling process by recognizing that the limitations of modeling complex system via a single model are circumvented by a model that addresses specific aspects of the system
HHM is useful for scalable organization to analyze the complex and hierarchical systems. The multiple models can be developed and coordinated to capture the essence of multiple dimensions and perspectives.
2.2. Enterprise Risk Management (ERM)
Besides HHM approach, it would like to introduce Enterprise Risk Management (ERM) approach to further analyze on the internal risks, which included managerial, financial and technical risks. ERM represents a fundamental shift in the way businesses must approach risk (Aon, 2005). According to Miccolis & Shah (2000), ERM is a rigorous approach to assessing and addressing the risks from all sources that threaten the achievement of an organization's strategic objectives. Anderson (2000) stated that ‘enterprise-wide’ suggests an elimination of functional, departmental or cultural barriers so that a truly holistic, integrated approach is taken to manage risk with the intent of creating value. Thus, it could be used to achieve organization's strategic and financial goals.
The ERM framework defines essential components, suggests a common language, and provides clear direction and guidance for enterprise risk management. Therefore, entity objectives can be viewed in four categories: (i) strategic, (ii) operations, (iii) reporting, and (iv) compliance. On the other hand, ERM considers activities at all levels of the organization including enterprise-level, division or subsidiary and business unit processes. In this section, our group would like to use ERM framework to identify risk, access risk and define risk response for each risk factor.
2.3. Business Continuity Planning (BCP)
A Business Continuity Planning (BCP) is a collection of policies, procedure, protocols and information that is developed, complied and maintained in readiness for use in the event of business interruption. The BCP lists out the steps which an organization needs to take action in order to resume its service and business as soon as possible. A business recovery plan ensures an organization can continue to provide limited service no matter what happens. Otherwise, the organization may not be able to respond immediately to prevent service breakdown. Resumption, recovery and restoration phases of all identified agency functions are discussed below.
Resumption: Interim procedures to resume survival-critical agency functions
Recovery: Interim procedures to continue processing survival-critical, mission critical, and essential agency functions prior to restoration of the stricken facility
Restoration: Returning to reconstructed and permanent facility. All processing restored. Backlog cleaned-up.
Under this risk management method, it should identify critical agency functions and workarounds. Instructions and information on what to do including essential details on procedures, directions, and schedules should be attached at all.
3. A Case Study
Fig. 1 illustrates the hybrid methodological approach to the development of risk management projects. Generally, HHM and ERM are first integrated to identify and assess the risks of the company. The modeling approach (i.e. HHM) is organized to deal with both holographic and hierarchical considerations to identify particular events or circumstances relevant to the organization's objectives (risks and opportunities); and then utilize the concept of ERM to assess the risks in terms of likelihood and magnitude of impact, to determine a response strategy, and to monitor progress. By identifying and proactively addressing risks and opportunities, BCP is used to create and validate a practiced logistical plan for how an organization will recover and restore partially or completely interrupted critical function(s) within a predetermined time after a disaster or extended disruption.
Hybrid risk managment methodology
3.1. Company Background
ABC Limited is the world's leading express and logistics company offering customers innovative and customized solutions from a single source. With global expertise in express, air and ocean freight, overland transport and contract logistics, ABC Limited combines worldwide coverage with an in-depth understanding of local markets. ABC Limited's international network links more than 120,000 destinations in 220 countries and territories throughout the world. The network is organized through 5,000 offices worldwide and operates 425 aircraft and 75,000 vehicles offering around the clock service to more than 3.64 million customers. ABC Limited continues to be at the forefront of logistics technology and, with over 310,000 dedicated employees, guarantees fast and reliable services aimed at exceeding customers' expectations.
3.2. Identify Risks - Implications from HHM (Step 1)
According to Haimes (1981), HHM is a holistic philosophy and methodology aimed at capturing and representing the essence of the inherent diverse characteristics and attributes of a system – its multiple aspects, perspectives facets, views dimensions, and hierarchies. Notifying such hierarchical system multi-view, Table 1 describes 7 aspects should be considered.
The aspects with HHM are both macroscopic and microscopic at all. Such views can be applied to assess risks during the construction of sustainable development plan.
As mentioned before, ABC Limited is a branded logistic forwarder. To analyze the risk of it in tactical level by HHM approach in a global view, 11 major visions or perspectives can be identified as: (i)Societal, (ii)Technical, (iii)Political, (iv)Environmental, (v)Geographical, (vi)Managerial, (vii)Financial, (viii)Infrastructure, (ix)Temporal, (x)Legal, and (xi)Outreach.
Fig. 2 shows the diagram and chart of HHM of risk management of ABC Limited. A success logistic operators or freight forwarders such as ABC Limited must have an extensive business network throughout the world. As the trend of globalization and standardization is more prevalent in logistic industry, there are still several tradition cultures in local market. For example, ABC Limited has a worldwide network linking to more than 220 countries and territories. Also there are approximately 285,000 employees who came from different places and different backgrounds. Therefore, as an international logistic operator, ABC Limited must face some risks related to societal aspect. Indeed, the risks related to societal issue can be clustered into tradition and education.
HHM framework for risk identification in ABC Limited
Aspects to be considered in HHM
3.3. Assessment of Risks - Implications from ERM (Step 2)
After the above analysis of HHM approach, ERM approach will be used to further analyze on the internal risks. ERM supports value creation by enabling management to deal with potential uncertainty and reduce the risk affection. ERM concerns on the organization in general especially an enterprise. Clearly, it is suitable for ABC Limited since it is one of the famous logistic enterprises in the world and it has its own strategic and financial goals. In other words, ERM framework can get help of such strategies easily by providing the value creation. It would discuss step by step below.
Understanding the use of ERM, it should establish a standard flow to achieve such kind of goals at all (Fig. 3). It consists of five key implementation procedures, which are designed to offer practical suggestions to show movement in the ERM development.
Key implementation steps in ERM
3.3.1. Procedure 1: Establish the Context
Before identifying and prioritizing a company's risk as well as provide quality inputs for the purpose of formulating effective risk responses, the company needs to establish the context, such as understanding the company mission and establishing an ERM organization. Being ERM is a management concept focusing more on the enterprise-level, division or subsidiary and business unit process, it is important to clearly define the enterprise strategy and strategic objective in order to match the identified risks (see Procedure 3) with company's mission. For its goals, it separates into four levels:
Offering highest quality express and logistics solutions based on strong local expertise combined with the most extensive global network presence;
Creating a truly global working environment and placing value on our multi-cultural heritage;
Providing superior quality and solutions at all levels of the business processes; and
Cooperating citizen in all countries in which it operates, taking into account the social and environmental needs of our employees, local communities and the public
After determining the strategic and objective, risk philosophy can be formulated. Related to the ABC Limited's objectives above, offering a superior and truly global supply chain services is the most important value proposition of ABC Limited. So, risk philosophy should focus on the supply chain directly by considering the supply chain processes and related processes thoroughly. Understanding that, ERM organization should like that by assigning related roles and responsibilities (Fig. 4).
ERM Organizational Chart
Observing the ERM organization design, a Supply Chain Management (SCM) manager should be added into ERM organization for considering the risk in supply chain since ABC Limited mainly focus and concern on its supply chain services. For the financial manager and insurance risk manager, they both play an important role because they will be in charge of the flow of money within the risk situation. For example, in the real risk situation, financial manager can adjust the operation costs and insurance risk manager can claim money from insurance company for support. Integrating more elements related to ERM, organization learning department will be added to educate the staff about risk management which gets help of minimizing the negative outcome and increasing the employees' sense about risk.
3.3.2. Procedure 2: Identify Risks
Having the organizational context, risks should be identified to understand the situation well. Inputting from the result of HHM, Fig. 5 illustrated the risks (with green color) need to be further filtered and assessed to determine their likelihood of occurrence. Fig. 6 depicts the highlighted risks with scenarios.
Risks highlighted HHM framework
Risks scenario of highlighted risks
Base on the risk above, assessment should be carried out to investigate the happening possibility. With the help of risk identification, we can access the risk qualitatively by verifying the level of risk. In other words, a matrix is formed as below (Fig. 7):
Risk matrix
According to the above matrix, we can assess the risk (i.e. identified above) as shown in Fig. 8.
Likelihood vs Consequence of hazard being realized
3.3.3. Procedure 3: Identify Risk Responses
Having the standard and appetite within the company, critical success factors and risk responses (include time provision and contingency actions) should be identified to minimize the impact of the risks or crisis.
In ABC Limited, it should firstly assign four main responses include:
Accept
To accept the level of risk and use this standardized level to manage the company operations continuously.
Avoid, Prevent & Reduce
It is to avoid the risk happen and try to minimize such possibility to zero. Of course, risk elimination should be done if risk happens.
Transfer
To transfer the risk to other parties, it can minimize the impact of the risk at all.
Mitigate
To take action and to manage the risk. Such actions include the internal control, financial transfer, communication within company, public announcement and contingency plan.
By using the matrix to differentiate the risk rating of each risk and assign the appropriate response as shown in Fig. 9.
Risk responses
3.3.5. Procedure 5: Monitor and Review
Knowing the risk result from assessment, announcement should be done internally and externally. It can let the shareholders, stakeholders, public and employees know about the company situation. It will deeply clarify the company situation and reduce the public fear. For employees, it can motivate them by eliminating the uncertainty.
With respect to result, continuous improvement should be carried out to improve the existing risk situation after the assessment. Turning out the continuous improvement, it may re-arrange existing flow and risk responses. It would let the company prevent the same things again and get help of risk management. With the improvement, continuous monitoring actions should be carried out for the sake of risk prevention. It can get help of controlling the mitigate risks at all. With respect to the monitoring steps, management level should review the result periodically to maintain the stability of the company at all.
3.4. Avoid and Mitigate Risks – Implications from BCP (Step 3)
BCP is the process of identifying critical data systems and business functions, analyzing the risks of disruption to the data systems and business functions, determining the probability of a disruption occurring and then developing business recovery plans (BRP's) to enable those systems and functions to be resumed in the event of a disruption. It is done from the point of continuing in business, no matter what happens. Business Recovery Planning (BRP) and Disaster Recovery Planning (DRP) are the two main concepts in BCP. BRP lists out the steps which an organization needs to take action in order to resume its service and business as soon as possible. A business recovery plan ensures an organization can continue to provide limited service no matter what happens. Otherwise, the organization may not be able to respond immediately to prevent service breakdown. On the other hand, DRP frequently refers to an IT-focused plan designed to restore operability of the target system, application, or computer facility an alternate site after an emergency. In details, Fig. 10 illustrates the implementation of BCP steps by steps.
Steps by steps BCP implementation
In the following session, several BCPs are assumed and introduced according to each situation.
3.4.1. Situation 1: Industrial Action and Strike
ABC Limited has more than 285,000 employees worldwide being responsible for enabling a smooth operation. It is common to see that the policy of company needs to be changed according to the current mission and targets. Sometimes, these changes may not be satisfied by employees. So, they may cease their work and take the strike action. According to its CEO, there are about 160,000 employees located in different area in Asia. Imagine that if Chinese employees do not satisfy the terms and condition of the new policies, almost half of the ABC Limited employees will stop their work and cause the service breakdown of company. In other words, there would be insufficient staff to perform normal operation. Under such situation, some services, and even the whole business would be suspended. In order to tackle this situation, below suggests some methods for ABC Limited (Table 2).
BCP for industrial action and strike
3.4.2. Situation 2: New Developed Technologies in Express Industry
It is true that using aircraft and vehicles to transport our goods is not the only mean in express industry. In this fast developing and tight competitive industry, each company invests vast amount of money on researching new technologies in order to enhance the efficiency and security of the goods transported. If the competitors get the first-mover advantages, and even they grasp this kind of technologies maturely, this will seriously affect the business in all critical aspects such as market shares, finance, operation and services provided. For example, attaching Radio Frequency Identification (RFID) in each container is a new application in enhancing the security level (especially in the case of cross border). Table 3 describes the BCP for the situation “ABC Limited takes the first-mover advantages (i.e. technology is not yet developed and purchased by competitors)”.
BCP for taking the first-mover advantages
3.4.3. Disaster Recovery Planning (DRP)
DRP is part of a larger process known as BCP. Disaster recovery is the process of regaining access to the data, hardware and software necessary to resume critical business operations after a natural or human-caused disaster. DRP aims on providing instruction and information on what to do including essential details on procedures, directions ad schedules in case there is an issue or accident which suspends DHL's business and service within a short period of time. In addition, documenting plans should be prepared to enable critical application/system and related infrastructure to be resumed in the event of a disruption. The most important point is that the failure will last for more a long period of time.
On behalf of ABC Limited, its complete operational failure in Asia may due to the accident happened in Hong Kong Regional Headquarter. There are several reasons which may result in this situation, the failure in power plant which causes the power cut in headquarter, the outbreak of the infectious disease like SARS and fire may destroy the headquarter. Since the database and IT system is also important in ABC Limited operation like the online tracking system, hacker attack may also result in the complete failure in ABC Limited operation.
3.4.4. Business Recovery Plan (BRP)
When such disasters happen that causes the complete operational failure in Hong Kong Headquarter of ABC Limited, a recovery plan is shown as follow:
Set up a temporary headquarter in other places like Singapore
Local staff will be allocated to different office to keep on operating their tasks
Information transfer to the temporary headquarter (i.e. there should be more than one backup of data and information in our database in order to prevent the total loss of the data)
Management team will transport to the temporary headquarter
Repair the Regional Headquarter in order to make sure the business can be back to normal in a short time
Announce the change to public
In general, there are several domains which should be taken in consideration in DRP, they are:
The crisis management command structure
The location of a secondary work site (where necessary)
Telecommunication architecture between primary and secondary work sites
Data replication methodology between primary and secondary work sites
The application and software required at the secondary work site
The type of physical data requirements at the secondary work site
4. Discussion and Conclusions
After conducting such case study, it is known that every logistic company has a lot of risks including political, environmental, geographical, technical, societal and financial by using HHM method. But such kinds of risk are always creating opportunities. It only depends on how we can handle them or not. Using risk management methods, it can identify all risks clearly and point out related solution at all.
From HHM, it reveals that advanced technologies can be substitutes of freight forwarder services. In tradition, the core business of ABC Limited is to transfer and convey documents, products on time. However, some technologies such as email or EDI could greatly reduce the business of ABC Limited. Moreover, conveying prototype between factories can be simply by just clicking a button through the broad band cable. Apparently, it is a risk to a tradition logistic company. Nevertheless, if ABC Limited can step a foot on the e-commerce market, it ensure the continuous improvement and sustainable development of ABC Limited.
From ERM, it reveals that more appropriate risk management style on ABC Limited more since the risk are based on it. It is understandable that ABC Limited has a list of specific risks which affects it well. Valuing all risks, customer dissatisfaction, and technology disaster are the serious problems since those aspects are more valuable comparing with other factors at all. Based on these critical factors, suggestions such as training and spare facilities can get help of these problems. Having this suggestion, it ensures ABC Limited can have a better challenge comparing with other logistic industry if same risks happen.
However, even HHM and ERM is useful, they can perform better by considering more about organization learning and knowledge management. Those ideas can only perform the analysis and prevention in management level. If company wants to spread it through the company as well as only performing in management level, it should use more tools about organization learning and knowledge management. Those can influence the organization by training up the employees and educating them a correct message toward risk management. Having those ideas, every employee can alert themselves well and decrease the possibility of risk happening.
Considering these three different approaches, it is hard to determine which approach is the best. However, mentioning the suitability for an enterprise as like as ABC Limited, it is known that ERM is more suitable than other approaches. Table 4 illustrates this fact with evidences. Valuing from this table, it is understandable that ERM has both BCP and HHM's advantages. ERM can provide all-rounded solutions towards the company itself.
Risk exists everywhere. Certain risk can be avoided but the majority of risks can nowhere close to be eliminated. An effective risk management strategy can help ensuring the company achieves consistent operations and supports the achievement towards its objectives and missions. This case study has which illustrated three different methods in applying risk management, namely HHM, ERM and BCP. The result findings, which are highly appreciated by the staff in ABC Limited, can be regarded as a starting point and examples for them to continue exploring the issues in risk management.
Difference between the three risk management mythologies
Footnotes
5. Acknowledgements
The authors would like to express their sincere thanks to the Research Committee of The Hong Kong Polytechnic University for financial support of the research work.