John Bartlett CBCI, DBCI
Whole industries have been established and libraries of books written on Risk Management. Risk and risk management often mean different things to different people and different industries.
This article is not intended to provide comprehensive details or guidance on developing and applying risk management within your organisation; this is already expected to be in place to a greater or lesser extent as part of good business practice. Instead, the purpose of this article is to provide guidance on risks in relation to BCM and the essential activities of your organisation, thereby ensuring informed decisions can be made to treat the risks and develop the most appropriate level of resilience and recovery for your organisation.
Risks normally arise from people (not doing what they should, not doing it properly, forgetting something, or doing something illegal), from faulty goods or services (such as technical or machinery failure, pipes leaking or breaking, power failure, or delivery failure), or from natural and environmental events (for example extreme weather such as flooding or an earthquake, incidents close to your organisation, or national or global incidents). Any of these could directly disrupt your organisation's activities, or the activities of the organisations and people you depend on to provide you with products or services.
Identifying Risks
In the first article we stated that risks to continuity can mainly be broken down into four key groups: people; infrastructure; information; and suppliers. There is no easy way of identifying all the potential risks to the organisation, but it is essential that the organisation has an open culture in which risks are identified and communicated; otherwise they may go unidentified and untreated and then disrupt the organisation's essential activities. One of the easiest ways to approach risk identification is to list the characteristics of each risk group (examples were provided in the first article) and, in a workshop with the appropriate people, identify the requirements of each essential activity (see last week's article) and then apply a 'what if' analysis to each requirement: for example, what if a particular person, application, supplier, material, piece of information, item of equipment or control (such as a fire alarm) was not available or did not work properly?
Each risk identified should be listed in a register along with its owner, and then evaluated in terms of its likelihood and impact and its relationship to the other risks. For completeness, where an existing control is in place to protect against a risk, the control (such as fire sensors or alarms, or an IT Disaster Recovery facility) should be evaluated to confirm that it is sufficient to meet the requirement and that it works effectively. Information to help with this evaluation may already exist (for example reports from Internal or External Auditors, independent consultants and so on). If the evaluation identifies weaknesses or failings in a control, this should be recorded as an Issue in the register. Issues are then evaluated for impact in the same way as risks, but are given the highest likelihood value, because the weakness already exists.
Evaluating Risks
A value for each risk can be derived by scoring its likelihood and its impact on a simple scale (for example 1 to 5, where 1 is very low and 5 is very high). To ensure consistency, provide a definition and measurement criteria for each level. Record the individual scores in the register and calculate the risk value by multiplying the impact and likelihood scores together.
The risks and issues can then be plotted on a 5 x 5 matrix (likelihood on one axis, impact on the other) to make clusters of risks and issues easy to see, with colour codes (Red, Amber and Green) marking the high, medium and low value regions of the matrix. This is often referred to as a heat map. The relationship between each risk or issue and the requirements identified for the essential activities should be reviewed and, if necessary, the impact and/or likelihood revised in the light of those relationships. This ensures that risks are reviewed in relation to the organisation as a whole rather than individually, so that any systemic impact on the organisation from a combination of risks is assessed as well.
The definitions and
values used as criteria to measure the likelihood and impact of the risks will
be personal to each organisation, and should be agreed with the BCM sponsor and
Senior Management.
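The register, scoring and heat map described in the two sections above can be kept in a small script rather than a spreadsheet. The following is an added example, not code from the article or its author: it scores a constructed sample register, applies the rule that an Issue takes the highest likelihood score, bins entries into heat map cells, and rolls the register up to the essential activities each entry threatens so that a combination of mid-range risks on one activity is visible. The RAG thresholds, the entry names, owners and scores are all assumptions for illustration.

```python
from dataclasses import dataclass
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Hypothetical RAG bands on the 1..25 risk value. The article leaves the
# thresholds to each organisation; these two numbers are an assumption.
RED_FROM = 15
AMBER_FROM = 8

SCALE = range(1, 6)  # 1 = very low .. 5 = very high


@dataclass(frozen=True)
class Entry:
    name: str
    group: str                        # people / infrastructure / information / suppliers
    owner: str
    impact: int
    likelihood: Optional[int] = None  # None for an Issue (see effective_likelihood)
    activities: Tuple[str, ...] = ()  # essential activities this entry can disrupt
    kind: str = "risk"                # "risk" or "issue"


def effective_likelihood(e: Entry) -> int:
    """Issues are control failings that already exist, so they take the
    highest likelihood score; risks use the score recorded for them."""
    if e.kind == "issue":
        return max(SCALE)
    if e.likelihood not in SCALE:
        raise ValueError(f"{e.name}: likelihood must be 1-5, got {e.likelihood}")
    return e.likelihood


def risk_value(e: Entry) -> int:
    """Risk value = impact x likelihood, giving a 1..25 range."""
    if e.impact not in SCALE:
        raise ValueError(f"{e.name}: impact must be 1-5, got {e.impact}")
    return e.impact * effective_likelihood(e)


def rag(value: int) -> str:
    if value >= RED_FROM:
        return "Red"
    if value >= AMBER_FROM:
        return "Amber"
    return "Green"


def heat_map(entries: List[Entry]) -> Dict[Tuple[int, int], List[str]]:
    """Cells keyed (likelihood, impact); each cell lists the entries in it,
    so clusters are visible without drawing anything."""
    cells: Dict[Tuple[int, int], List[str]] = defaultdict(list)
    for e in entries:
        cells[(effective_likelihood(e), e.impact)].append(e.name)
    return dict(cells)


def exposure_by_activity(entries: List[Entry]) -> Dict[str, List[Tuple[int, str]]]:
    """Roll the register up to the essential activities it threatens, highest
    value first, so an activity hit by several mid-range risks stands out."""
    by_act: Dict[str, List[Tuple[int, str]]] = defaultdict(list)
    for e in entries:
        for act in e.activities:
            by_act[act].append((risk_value(e), e.name))
    return {a: sorted(v, reverse=True) for a, v in by_act.items()}


def render(entries: List[Entry]) -> str:
    """One line per register entry, highest risk value first."""
    lines = []
    for e in sorted(entries, key=risk_value, reverse=True):
        v = risk_value(e)
        lines.append(f"{rag(v):5} {v:2}  L{effective_likelihood(e)} I{e.impact}  "
                     f"[{e.kind}/{e.group}] {e.name} (owner: {e.owner})")
    return "\n".join(lines)


# Constructed sample register; names, owners and scores are made up.
REGISTER = [
    Entry("Key payroll engineer unavailable", "people", "HR",
          impact=4, likelihood=3, activities=("Payroll",)),
    Entry("Primary data centre power failure", "infrastructure", "Facilities",
          impact=5, likelihood=2, activities=("Payroll", "Order processing")),
    Entry("Sole packaging supplier fails to deliver", "suppliers", "Procurement",
          impact=3, likelihood=3, activities=("Order processing",)),
    Entry("Customer database corrupted", "information", "IT",
          impact=4, likelihood=1, activities=("Order processing",)),
    Entry("IT DR facility failed its last restore test", "infrastructure", "IT",
          impact=5, activities=("Payroll", "Order processing"), kind="issue"),
]

if __name__ == "__main__":
    print(render(REGISTER))
    for act, items in exposure_by_activity(REGISTER).items():
        print(act, "->", items)
```

In the sample the DR facility Issue scores 25 (likelihood forced to 5, impact 5) and sits in the Red corner of the heat map, while the per-activity roll-up shows that Order processing carries four separate entries, which is the systemic picture the heat map alone does not give.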
Treatment of Risks
The treatment chosen for each risk or issue will depend upon the level of risk appetite accepted within the organisation and on the most appropriate approach given its strategy, plans and projects, and method of operation. There are five potential approaches to risk treatment: prevention, reduction and transfer (all proactive, preventative measures); acceptance; and contingency planning (a reactive measure once a risk has materialised). Each risk and issue on the register should be reviewed, the options for treating it considered, and an appropriate treatment chosen on the basis of a cost/benefit analysis. The treatments can then be included and managed under an existing, planned or strategic project, or combined into a separate risk treatment project. Together, the treatments for BCM-related risks define the scope of review and action under BCM.
Monitoring Risks
Whilst the BCM function can help identify risks and help select the most appropriate treatment to achieve resilience and recovery, a single individual within the organisation should have management responsibility and accountability for managing the organisation's risks. Once an appropriate risk treatment has been implemented, that individual should establish a risk governance, monitoring and review framework to regularly review the status of risks with the BCM function and ensure that each treatment remains appropriate and effective. This governance should include communication with the organisation's stakeholders, so that they are aware of the organisation's key risks and the measures in place to manage them.