The Risks We Cannot See

Megan Phee: Hi, I'm Megan Phee, and this is GRC& Me, where we interview industry thought leaders in governance, risk, and compliance on hot topics, industry- specific challenges, trends, and more, to learn about their methods, solutions, and outlook in the space. Hello, and welcome to another episode of GRC& Me. Today, I sit down with Howard Mannella. Howard is a senior staff of global business continuity and security at Udemy. We discuss what it means to have business resilience. And Howard explains to us the difference between proactive and reactive and preemptive, and how organizations can focus on impact, not just cause. Lastly, he shares with us a helpful acronym that I think could apply to all of our businesses. And now, here's my conversation with Howard. Howard, welcome to an episode of GRC& Me.

Howard Mannella: Thank you. Thrilled to be here.

Megan Phee: Great. Okay. So today, we're going to talk all about business resiliency. I know it's a topic that you know very well. And one thing I've heard you talk about is that common approach, which is we often think about resiliency or business resiliency in the terms of being reactive versus proactive. And you have a really interesting perspective, which is there's another aspect to that. There's proactive, reactive, and preemptive. So tell us a little bit about that. What does that mean to you? And the listeners are just curious to understand and learn from you.

Howard Mannella: Yeah, absolutely. Reactive, which is where everyone starts, you're behind the event, you're behind "boom" and you're trying to catch up. Proactive is at least you've caught up to "boom," so you're prepared for it. But preemptive is when you try to get ahead of "boom" to make the boom smaller or less frequent. So an example, a lot of organizations, and I've seen this, I've heard this firsthand, organizations will say, well, our crisis management or our business continuity plan, we'll get all the VPs on a bridge. We'll round them up, get them on a bridge. We'll figure it out, because they're really smart people. That's very reactive. Proactive is to say, you know what? Let's at least prepare for that. Let's have the bridge number previously established. Let's train people. Let's script out the responses and think about what will we do if, so they're not making it up. Because very important, in a disaster situation, the two things you never want to have to do are think and make stuff up. And preemptive is to get ahead of boom to say, let's look at trends. Let's look at the horizon. Let's build in resiliency into our organizations, which, by the way, is not plans and procedures. True business resiliency is a business architecture play. But that could be the topic for another podcast. Business resiliency, preemptive, is to stay ahead of trend, stay ahead of the horizon, and put in mitigation so that those phone calls are less frequent and less urgent.

Megan Phee: And I have heard you've talk about this acronym, SPLATR. Tell us, what does SPLATR mean to you? How can others apply maybe SPLATR in their business?

Howard Mannella: Yes. We protect the SPLATR. By that, I mean we don't focus on the cause. We focus on the impact. There is a proper place for procedures around earthquake, procedures around bombs, procedures around dirty bombs, active shooter, et cetera. That's what's causing it. But at the end of the day, business continuity and resiliency concerns itself with after the fact, oh crap. Now what? And we look to protect the SPLATR. S- P- L- A- T- R. Supply chain or third party vendors, people, locations, assets, technology, or regional outage, such as widespread power outages, loss of internet, blizzards, and that kind of a thing. At the end of the day, events will harm or impact one or more parts of the SPLATR. Fix the SPLATR, and you fix your organization.

Megan Phee: Oh, I love that. How long or where did you come up with that? Where did you apply that? Where did it begin, and how long have you been leveraging that approach?

Howard Mannella: I actually thought it up in a bar in Memphis, but it's leading practices in the industry or in the practice community is to start focusing on that, on impact, not cause. And it's been going on actually for some time.

Megan Phee: Yeah, that's great. But it's a great acronym for folks to be mindful of, right? All those components they're thinking of, but it's just a quick way. And it's a great way to educate internally. I think anytime if you can relate to the business in some degree about impact and cause, you'll get more awareness and support from the colleagues.

Howard Mannella: Right. And it carves away half of the problem, because you don't have to worry about dirty bombs or bombs or how dirty is the bomb, who cares. So less to focus on and you can be laser- focused on getting your business back.

Megan Phee: Ah, I love that. Okay, great. Well, and another question I have for you is, we know that your business and your team uses a Risk Cloud. How has the Risk Cloud impacted the way that you do this type of work within the business?

Howard Mannella: I'll be quite honest, I came to Risk Cloud a skeptic, and I am currently a fan. And the reason I'm a fan is that it's customizable and it can be much more aerodynamic than a lot of the other platforms out there. So many platforms are top heavy, administrative, they try to appeal to all, so they don't satisfy anyone, and they put you in a box. You have to do it their way. Risk Cloud is nice, because we could do it our way and the Udemy way is to be very sleek, very aerodynamic, light touch, not heavy, and be more to the point. So we don't need admins, we don't need any of that nonsense. And we can customize and adapt risk cloud to our methodology, which is very next generation business continuity, instead of having us have to adapt our methodology to how Risk Cloud wants it to be.

Megan Phee: I love that. And I've heard that for folks who have said that before, it gives us the freedom to bring to life what we are doing or we've identified we need to do as a business, in not just the Risk Cloud way. What kind of benefits have been realized at the business level, because of that aerodynamic ability to wrap around what and how you want to run resilient processes or resilience?

Howard Mannella: One big thing is a workflow piece. I love the workflow piece, because I don't have to be annoying and bother people. It's not me sending out repeated notes to say, here's a link to an Excel spreadsheet or Google sheet, go fill this out, and here's how to do it. There's a lot of questions. It's very confusing. Risk Cloud makes it easy, because the fields can be self- explanatory. You have tool tips, you have help, and you can send that to somebody and they'll send it back, and it's a predefined workflow. And that really makes it easy. And it takes the onus off of me, because then they're not annoyed at Howard Mannella. They're just annoyed that they have to satisfy this workflow. So it's not about me, it's about the workflow.

Megan Phee: You're not nudging anymore, nagging, the system is automated and holding people accountable to the work that you need to do, which is keep the organization resilient, which is great.

Howard Mannella: Right. And the reporting is really nice. The reporting and dashboarding, we can make it what we want. We don't have to act like Risk Cloud wants.

Megan Phee: I love that. And my follow up to that, what do you do with the reporting? How do you leverage it internally, of course with the business team, but do you leverage that reporting to educate up on any times?

Howard Mannella: Absolutely. We're establishing, well, we're not establishing a steering committee. We already have an executive risk committee, and we're folding resiliency and continuity into that risk committee. And so it's real easy to be able to just peel off a couple reports and say, here's our prioritization, here are our criticalities. It just gives visibility into the business and it allows me to present surprises where I might discover that department A is really critical, low tolerance for downtime, and they need department B in order to do their work, but department B, in a vacuum, and if it was just Excel spreadsheets or whatnot, it's easy for them in a vacuum to say, well, if we slip a week, we don't think it's a big deal. They don't realize the dependencies. But we could catch those and we could report them up. And if business continuity isn't delivering surprises, then we're not delivering value, and Risk Cloud helps us to do that.

Megan Phee: I love what you just said. If we're not delivering insights or surprises, there's the lack of value there. Yeah. Because you should be calling attention to the aspects and the conversations you need to, to inform strategic decision making, which only comes from clarity of those dependencies and interconnection. So, yeah. That's great. Thanks again, Howard, for your time today.

Howard Mannella: It was a privilege.

Megan Phee: Thanks, man.

Howard Mannella: Thank you for having me.

Megan Phee: And if you want to learn how Risk Cloud can help your organization's business continuity and resilience planning, visit logicgate. com. And until next time, this is Megan Phee with GRC& Me.