Improve Your Risk Evaluation and Control tip #10 – keep it confidential

You have taken considerable time and effort to discover and document all of your company's vulnerabilities. Criminals, or even your competitors, could exploit this information.

Tip #10 Label and treat the risk evaluation as confidential or privileged information

For those in government organizations, the risk evaluation should be protected from any ATIP requests. To avoid lawsuits and other issues, legal counsel should advise private companies on the treatment of the highly sensitive information in the risk report and on their due diligence responsibilities.

The information gathered during the risk evaluation and control phase will inform many of the later stages of your program. A summary of the top ten risks should be presented to those participating in the business impact analysis to give them an understanding of how operations would most likely be disrupted. The risk evaluation should be validated annually. The business continuity management maintenance program should also include a risk evaluation of any major new project undertaken by the organization.

(For more information on DRI's professional practices, please read Professional Practice One – Program Initiation and Management, DRII Professional Practices, June 1, 2012, Version 1.)

Next week features blogs on insurance and business continuity…

Improve Your Risk Evaluation and Control tip #9 – final ranking

Remember that the purpose of risk evaluation and control is to allow the organization to focus on high-probability, high-impact events and to identify where controls, mitigations or management processes are non-existent, weak or ineffective. The top risks should therefore influence risk management policy. The length of the list will depend on your company's size, its risk appetite and the maturity of your business continuity management program. Your first key risk list may contain only 3 to 5 key risks; a risk-averse large federal department might have a list of 50 key risks.

Tip #9 Give senior management final risk ranking approval

It is best to give your senior management a quick presentation of the key risks before submitting the final evaluation. Senior management may disagree with your evaluation or have additional "big picture" information to add. This also prepares them for the risk control recommendations that will appear in the final report.

Your risk assessment report to senior management should include the methodology, the risk chart, a list of your organization’s top risks (within the scope of your assessment), and any recommendations for loss control measures including your cost benefit analysis of these measures.

Return tomorrow for our final tip on risk evaluation and control…

Improve Your Risk Evaluation and Control tip #8 – cost analysis

Once you have compiled a list of risk categories and exposures from both internal and external sources, each possible event should be rated according to the probability that it will occur and what possible impact it could have on your organization.

Be sure to define your rating terms. For example:

Probability is the likelihood of this event impacting our organization in the next 10 years.

Severity is the maximum financial loss to our organization that could be caused by this event.

The size and complexity of your organization will determine how you develop the rating system. A small, simple organization should use a simple rating system such as this:

Probability                      Severity
1 Low      1% to 35%             1 Low      Up to $99,999
2 Medium   36% to 70%            2 Medium   $100,000 to $999,999
3 High     71% to 99%            3 High     Over $1,000,000

A larger, more complex organization might want to have a more layered approach:

Probability
1 Low           Up to 35%
2 Medium        36% to 59%
3 High          60% to 79%
4 Very High     Over 80%

Severity
1 Low           Up to $99,999
2 Medium        $100,000 to $999,999
3 High          $1,000,000 to $9,999,999
4 Very High     $10,000,000 to $99,999,999
5 Catastrophic  Over $100,000,000

Always use both words and numbers to quantify exposures and risks. Rank risks by their risk number (probability multiplied by severity) and chart them on a graph that clearly indicates every risk or exposure outside the entity's risk tolerance. Rating can be done by a small group of key personnel or by a larger survey; the larger survey can also be used to identify loss controls and safeguards.
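The ranking step described above, worked through as an added example (not code from the original post): each register entry is rated with the larger-organization probability and severity bands, given a risk number, sorted, and flagged when it falls outside an assumed risk tolerance. The register entries, the tolerance value and the treatment of exactly 80% (which the post's bands do not state) are assumptions.

```python
# Added example (not the post's own code): score a risk register with the
# larger-organization rating bands above, rank by risk number
# (probability x severity) and flag entries beyond an assumed tolerance.

# (upper bound in %, score, label); 80% itself is not stated in the post and
# is assumed here to fall in Very High, since that band reads "Over 80%".
PROBABILITY_BANDS = [(35, 1, "Low"), (59, 2, "Medium"),
                     (79, 3, "High"), (100, 4, "Very High")]
# (upper bound in dollars, score, label); the last band is "Over $100,000,000"
SEVERITY_BANDS = [(99_999, 1, "Low"), (999_999, 2, "Medium"),
                  (9_999_999, 3, "High"), (99_999_999, 4, "Very High"),
                  (float("inf"), 5, "Catastrophic")]


def rate(value, bands):
    """Return (score, label) of the first band whose upper bound covers value."""
    for upper, score, label in bands:
        if value <= upper:
            return score, label
    raise ValueError(f"{value} is outside the rating scale")


def score_risks(risks, tolerance):
    """risks: (name, probability %, maximum loss $) tuples.
    tolerance: highest acceptable risk number (an assumption, not from the post).
    Returns entries sorted from highest to lowest risk number."""
    scored = []
    for name, prob_pct, loss in risks:
        p, p_label = rate(prob_pct, PROBABILITY_BANDS)
        s, s_label = rate(loss, SEVERITY_BANDS)
        scored.append({"name": name,
                       "probability": f"{p} {p_label}",  # words and numbers
                       "severity": f"{s} {s_label}",
                       "risk_number": p * s,
                       "outside_tolerance": p * s > tolerance})
    return sorted(scored, key=lambda r: r["risk_number"], reverse=True)


# Constructed sample register: hypothetical values, not the post's data.
SAMPLE_RISKS = [("Regional flood at head office", 45, 12_000_000),
                ("Ransomware on file servers", 70, 2_500_000),
                ("Key supplier insolvency", 20, 400_000),
                ("Loss of data centre to fire", 5, 150_000_000)]

if __name__ == "__main__":
    for r in score_risks(SAMPLE_RISKS, tolerance=6):
        flag = "OUTSIDE TOLERANCE" if r["outside_tolerance"] else ""
        print(f'{r["risk_number"]:>2}  {r["name"]:<30} '
              f'{r["probability"]:<12} {r["severity"]:<15} {flag}')
```

Entries whose risk number exceeds the tolerance are the ones the chart should show outside the tolerance line and that carry forward into the loss control recommendations.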

Tip #8 Rank recommendations for prevention measures in order of cost-effectiveness

More expensive loss control measures should be submitted to upper management with cost analysis and your recommendations based upon the level of risk to the organization.

Return tomorrow for our next tip…

(For more information on DRI’s professional practices please read Professional Practice One – Program Initiation and Management DRII Professional Practices  June 1, 2012 Version 1)

Improve Your Risk Evaluation and Control tip #7 – discretionary fund

Identifying new risks and additional controls can provide visible and evident benefits to the organization, but can initially seem daunting. By following these tips, you can expedite this step and grow your network while enhancing your organization's defences.

Tip #7 Arrange a small fund to deal with low-cost control measures

Depending upon the culture of your organization, you might want to arrange in advance for a small discretionary fund (small relative to the size of your organization) to be used for low-cost loss control measures uncovered by your team. By avoiding red tape and company politics, you can quickly demonstrate to employees a corporate commitment to risk control. This should increase their willingness to provide your group with accurate risk information, and your final recommendations will not be cluttered with these low-cost control measures.

Return tomorrow for our next tip…

Improve Your Risk Evaluation and Control tip #5 – loss experience research

In addition to creating organization-wide methods of information collection and distribution, you may want to add these research methods to your information gathering activities.

Tip #5 Conduct research on historical experience of similar organizations

Most organizations are not unique. Devote some time to researching the loss history of organizations similar to your own. Your insurance professionals can also provide insight, since insurance companies track loss data by industry. Professional associations, trade shows and the chamber of commerce might provide industry risk information as well as a forum to discuss loss experience with colleagues. While direct competitors may not be forthcoming, others in your industry may also share information on their incidents.

Return Monday for our next tip…

Improve Your Risk Evaluation and Control tip #4 – hazard maps

Tip #4 Analyze risk data from hazard maps

Economical online hazard maps are usually available on a regional or national scale. More detailed hazard maps and further risk information should be available from local municipalities; take this opportunity to connect with the local officials involved in emergency management. Business continuity planners may be well aware of local risks, but when your locations are spread across the country or around the world, these maps can be extremely valuable.

Insurers and re-insurers (I recommend SwissRe) provide valuable free information online about current and emerging risks. It is worth taking some time to review the information that may be relevant to your organization.

Some samples of hazard maps online:

Natural Hazard Map of Canada, Alberta Flood Hazard Map, Aon Political Risk Map, Swiss Re Flood Risk App for iPad

Return tomorrow for our next tip…