In this series, Facility Executive introduces you to one of the many business continuity professionals scheduled to speak at the 21st Annual Continuity Insights Management Conference, which will take place at the Hyatt Regency Minneapolis, April 24-26, 2023.
In these times, when the need for critical information-sharing has never been greater, Continuity Insights offers insight, inspiration, and actionable ideas presented by a faculty of leading business continuity experts and practitioners. This conference provides a timely and important opportunity to share best practices, lessons learned, and effective strategies employed to ensure organizational resilience.
Here, we chat with Mary Herbst, VP of Enterprise Risk Management and Compliance, YMCA of the North.
Facility Executive: Tell us about your background. How did you first get involved with business resiliency?
Mary Herbst: My first exposure to Business Continuity was in 2004 when I went to work for Carlson Companies. I had almost no experience in Business Continuity, Disaster Recovery and none in Crisis Management. From the very beginning, I started going to conferences, reading and learning as much as I could and discovered that I was very passionate about Business Resiliency. I have always wanted to ensure that every employee knows what to do if there is a business interruption and how to respond to any kind of crisis – personal or work related.
From there, I have developed Business Resiliency programs (both as an employee and as a consultant) for companies as small as 10 people and as large as 165,000. I have led crisis response teams for hurricanes, fires, earthquakes, information security breaches and infectious disease (TB, COVID-19 and Avian flu). My greatest accomplishment was helping to lead a team in responding to Hurricane Maria in Puerto Rico where I coordinated the drop of over 24,000 pounds of food and medical supplies and evacuated over 60 employees and their families off the island well before FEMA could respond.
FE: What inspired you to develop an Enterprise Risk Management program?
MH: I had some experience as a consultant setting up an Enterprise Risk Management program for a medium-sized company in Minnesota from the ground up. Through that process, I learned a great deal about how to incorporate the identification, assessment, and prioritization of risk into a corporate culture. When the job for the YMCA of the North came available, I decided that I would focus on doing Enterprise Risk Management for the rest of my career. I had never worked for a YMCA and didn’t realize all the inherent risk that is present in the operations and mission of the organization. I spent the first four months meeting with key stakeholders and identifying and assessing all the risks associated with running camps, gyms, social services, and youth programs. Once I identified the risks, I developed a risk calculator to assess, prioritize, and capture strategies associated with the identified risks and determine how to show year after year progress towards mitigation or transfer of key risks.
FE: How can facility executives identify the top risks to their organizations?
MH: The best way that I found was to first identify key stakeholders within the organization and interview them. The first question that I always ask is: “What keeps you up at night?” Those are the big rocks that often turn out to be key risks or the top risks in the organization. Then as people are communicating their “big rocks,” think of follow-up questions that help your stakeholders consider smaller risks that are not top of mind.
Often, there are so many identified risks, that you need to put them into buckets or categories. For instance, you may have several risks around safety, but rather than defining or listing each one, it may be easier to put them all into one larger risk and prioritize them as a larger entity.
MARY’S BREAKOUT SESSION
What’s Risk Got To Do With It? A Proactive Approach To Risk Management
Measurement, Metrics, and Maturity Track
Monday, April 24, 2023
11:00 AM – 12:00 PM
In order to effectively manage our risk and insurance, the presenter has developed an Enterprise Risk Management program to proactively identify the top risks in the organization and to make recommendations on how to mitigate, transfer, and/or effectively manage risks in an association that has high risk tolerance.
I’ve found that people of all levels of the organization know what the risks and safety issues are, they just need to have a way to share and communicate them. Then, once you have a consistent tool and process to score them and follow-up conversations about how to mitigate or transfer the risk, you can prioritize them to help drive decisions around time, money, and resources to mitigate the highest priority items.
FE: What would you like your audience to take away from your presentation?
MH: I would like people to be able to think about their own organizations, the types of risk that they need to be concerned with, and how to integrate the idea of risk (both positive and negative) into the day-to-day thinking and operations of the organization. I want the audience to recognize that there is the mitigation of “negative risks,” like safety, security, infectious disease, and the tracking and promotion of “positive risks” or taking risks that have the potential for large gain. Through my work at the Y, we have begun to consider risk when determining strategy and mission-driven goals for the organization. I want participants to consider risk when determining how to structure their Business Continuity and Disaster Recovery programs and how to proactively prevent some situations from occurring by proactively identifying and monitoring the risks of their organization.