Improve Your Risk Evaluation and Control tip #10 – keep it confidential

You have taken considerable time and effort to discover and document all of your company's vulnerabilities. Criminals, or even your competition, might be able to exploit this information.

Tip #10 Label and treat the risk evaluation as confidential or privileged information

For those in government organizations, the risk evaluation should be protected from any ATIP requests. To avoid lawsuits and other issues, legal counsel should advise private companies on the treatment of the highly sensitive information in the risk report and on their due diligence responsibilities.

The information gathered during the risk evaluation and control phase will be used to inform many of the later stages of your program. A summary of the top ten risks should be presented to those participating in the business impact analysis to give them an understanding of how operations would most likely be disrupted. The risk evaluation should be validated annually. The business continuity management maintenance program should also include a risk evaluation of any major new project undertaken by the organization.

(For more information on DRI's professional practices, please read Professional Practice One – Program Initiation and Management, DRII Professional Practices, June 1, 2012, Version 1.)

Next week features blogs on insurance and business continuity…

Improve Your Risk Evaluation and Control tip #9 – final ranking

Remember that the purpose of risk evaluation and control is to allow the organization to focus on high-probability and high-impact events, to identify where controls, mitigations or management processes are non-existent, weak or ineffective. Therefore, the top risks should influence risk management policy. The length of the list should be influenced by your company's size, risk appetite and the maturity of your business continuity management program. Your first key risk list may contain only three to five key risks. A risk-averse large federal department might have a list of 50 key risks.

Tip #9 Give senior management final risk ranking approval

It is best to give your senior management a quick presentation of the key risks before submitting the final evaluation. Senior management may disagree with your evaluation or have additional "big picture" information to add. This also prepares them for the risk control recommendations that will appear in the final report.

Your risk assessment report to senior management should include the methodology, the risk chart, a list of your organization’s top risks (within the scope of your assessment), and any recommendations for loss control measures including your cost benefit analysis of these measures.

Return tomorrow for our final tip on risk evaluation and control…


Improve Your Risk Evaluation and Control tip #8 – cost analysis

Once you have compiled a list of risk categories and exposures from both internal and external sources, each possible event should be rated according to the probability that it will occur and what possible impact it could have on your organization.

Be sure to define your rating terms. For example:

Probability is the likelihood of this event impacting our organization in the next 10 years.

Severity is the maximum financial loss to our organization that could be caused by this event.

The size and complexity of your organization will determine how you develop the rating system. A small, simple organization should use a simple rating system such as this:

Probability
1 Low      01% to 35%
2 Medium   36% to 70%
3 High     71% to 99%

Severity
1 Low      Up to $99,999
2 Medium   $100,000 to $999,999
3 High     Over $1,000,000

A larger, more complex organization might want to have a more layered approach:

Probability
1 Low          Up to 35%
2 Medium       36% to 59%
3 High         60% to 79%
4 Very High    Over 80%

Severity
1 Low          Up to $99,999
2 Medium       $100,000 to $999,999
3 High         $1,000,000 to $9,999,999
4 Very High    $10,000,000 to $99,999,999
5 Catastrophic Over $100,000,000

Always use both words and numbers to quantify the exposures/risks. Risks should be ranked according to their risk number (probability multiplied by severity) and charted on a graph that clearly indicates all risks/exposures outside of the entity's risk tolerance. Rating of the risks can be done by a small group of key personnel or by a larger survey. The larger survey can also be used to identify loss controls and safeguards.
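As an added example (not code from the original post), the script below applies the larger organization's rating bands above, computes each risk number as probability multiplied by severity, ranks the register and flags entries above a tolerance value that, as the post says, comes from senior management. The sample risks and the tolerance of 8 are constructed; treating exactly 80% as Very High and exactly $100,000,000 as Catastrophic are assumptions, since the post's bands leave those boundaries unstated.

```python
# Added example, not from the original post: apply the larger organization's
# rating bands, compute risk number = probability x severity, rank and flag.
# Assumption: exactly 80% is Very High and exactly $100,000,000 is Catastrophic.

def probability_rating(pct: float) -> int:
    """Map a 0-100 chance of the event in the next 10 years to a 1-4 rating."""
    if pct <= 35:
        return 1  # Low: up to 35%
    if pct <= 59:
        return 2  # Medium: 36% to 59%
    if pct < 80:
        return 3  # High: 60% to 79%
    return 4      # Very High: over 80% (80% itself assumed Very High)

def severity_rating(max_loss: float) -> int:
    """Map the maximum financial loss in dollars to a 1-5 rating."""
    if max_loss < 100_000:
        return 1  # Low: up to $99,999
    if max_loss < 1_000_000:
        return 2  # Medium: $100,000 to $999,999
    if max_loss < 10_000_000:
        return 3  # High: $1,000,000 to $9,999,999
    if max_loss < 100_000_000:
        return 4  # Very High: $10,000,000 to $99,999,999
    return 5      # Catastrophic: over $100,000,000 (assumed inclusive)

def rank_risks(risks, tolerance):
    """Return (name, prob, sev, risk_number, outside_tolerance), highest first."""
    rows = []
    for name, pct, max_loss in risks:
        p, s = probability_rating(pct), severity_rating(max_loss)
        rows.append((name, p, s, p * s, p * s > tolerance))
    return sorted(rows, key=lambda row: row[3], reverse=True)

# Constructed sample register: (name, probability %, maximum loss in dollars).
SAMPLE_RISKS = [
    ("Data centre flood", 20, 5_000_000),
    ("Key supplier failure", 65, 2_000_000),
    ("Extended IT outage", 85, 15_000_000),
    ("Office fire", 10, 500_000),
]

if __name__ == "__main__":
    # Tolerance of 8 is a constructed value set here for illustration.
    for row in rank_risks(SAMPLE_RISKS, tolerance=8):
        print(row)
```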

Tip #8 Rank recommendations for prevention measures in order of cost-effectiveness

More expensive loss control measures should be submitted to upper management with cost analysis and your recommendations based upon the level of risk to the organization.

Return tomorrow for our next tip…

Improve Your Risk Evaluation and Control tip #7 – discretionary fund

Identifying new risks and additional controls can provide visible and evident benefits to the organization but can initially seem daunting.  By following these tips, you can expedite this step and grow your network while enhancing your organization’s defences.

Tip #7 Arrange a small fund to deal with low-cost control measures

Depending upon the culture of your organization, you might want to arrange in advance for a small discretionary fund (small relative to the size of your organization) to be used for low-cost loss control measures uncovered by your team. By avoiding red tape and company politics, you can quickly demonstrate to employees a corporate commitment to risk control. This should increase their willingness to provide your group with accurate risk information, and your final recommendations will not be cluttered with these low-cost control measures.

Improve Your Risk Evaluation and Control #6 – outsourcing

Tip #6 Examine risks from outsourced activities

Globalization can provide cost savings but can also expose your organization to many hidden risks. Do not overlook the threats to overseas outsourced services or key suppliers. Some categories of risk, such as war, terrorism and political risks, are more frequent in some areas. You should be aware of these risks and monitor them.

Ideally, you should review the business continuity plan for their facility and obtain a copy of their risk assessment before the contract is signed.  Monitor their BC program and ensure that the plans are being exercised.

Improve Your Risk Evaluation and Control tip #5 – loss experience research

In addition to creating organization-wide methods of information collection and distribution, you may want to add these research methods to your information gathering activities.

Tip #5 Conduct research on historical experience of similar organizations

Most organizations are not unique. Devote some time to researching the loss history of organizations similar to your own. Your insurance professionals can also provide insight, since insurance companies track loss data by industry. Professional associations, trade shows and the chamber of commerce might provide some industry risk information as well as a forum to discuss loss experience with colleagues. While direct competitors may not be forthcoming, others in your industry may also provide information on their incidents.

Return Monday for our next tip…

Improve Your Risk Evaluation and Control #4 – hazard maps

Tip #4 Analyze risk data from hazard maps

Economical online hazard maps are usually available on a regional or national scale. More detailed hazard maps and further risk information should be available from local municipalities. Take this opportunity to connect with the local officials involved in emergency management. Business continuity planners may be well aware of local risks, but when you have locations spread across the country or around the world, these maps can be extremely valuable.

Insurers and re-insurers (I recommend SwissRe) provide valuable free information online about current and emerging risks. It is worth taking some time to review the information that may be relevant to your organization.

Some samples of hazard maps available online:

Natural Hazard Map of Canada, Alberta Flood Hazard Map, Aon Political Risk Map, Swiss Re Flood Risk App for iPad

Return tomorrow for our next tip…

Improve Your Risk Evaluation and Control #3

Tip #3 Examine the facility inspection

While speaking with the risk manager, ask for a copy of any recent inspection of the facilities conducted by your insurance carrier. If one has not been completed recently, your contact may be able to request one. Ideally, you should accompany the insurance inspector as he/she examines the facilities. Analyse the report and follow up with the inspector on any questionable details.

Discuss with the inspector his/her estimated recovery time for each risk identified. This will give you a basic idea of how long you may be without your facilities after certain events. The inspector might also have an understanding of other high-risk operations in your area. Taking full advantage of this resource can save you time and money.

Improve Your Risk Evaluation and Control Tip #2

Tip #2 Coordinate with other risk management groups within the organization

Use your resources wisely. Most organizations already contain various individuals who have some responsibility for identifying, measuring and controlling risks to the entity. Research your internal resources and leverage completed risk assessments. Look for expertise in your risk management (and/or insurance), internal audit, physical security and data security teams, and on your health and safety committee.

Some organizations have started to group these functions under one umbrella. You will save your organization money if these groups work together to create a single risk register. Various software tools are available. You may even consider using a collaborative tool such as a risk register wiki that allows all of these functions to contribute and capture a more robust catalogue of the company's risks.

Improve Your Risk Evaluation and Control #1

Tip #1 Establish the risk evaluation as a small project

Manage the risk evaluation as a mini-project within the Business Continuity Planning Program, with its own scope, objectives and milestones. Clearly identifying the scope of the risk assessment will make it more manageable and more accurate. Clarify the meaning of key terms that will be used in the risk evaluation. The following are some sample definitions:

  • Risk is the potential for exposure to loss, which can be determined using either qualitative or quantitative measures.
  • Risk Categories: risks of similar types are grouped together under key headings, otherwise known as 'risk categories'. These categories include reputation, strategy, financial, investments, operational infrastructure, business, regulatory compliance, outsourcing, people, technology and knowledge.
  • Risk Control is all methods of reducing the frequency and/or severity of losses, including exposure avoidance, loss prevention, loss reduction, segregation of exposure units and non-insurance transfer of risk.

Make sure to exclude certain categories of risk that will be outside of the scope of this evaluation (such as strategic risks).

Your organization’s risk tolerance level must come from senior management, ideally from their corporate risk council or chief risk officer.
