Securing Your Business

July 31, 2006 | Last updated on October 1, 2024
5 min read
Jim McLeod

Every organization faces a number of risks that may have a negative impact on its enterprise. Failure to manage these risks is risky management. Risk generally arises out of uncertainty and includes two elements: 1) the probability that an incident will occur and 2) the severity of the outcome if the incident does occur. The level of risk, or risk ranking, is a function of these two elements, and they must be considered together with the controls that are in place.

In ideal risk management, a prioritization process is followed: risks with the greatest loss potential and greatest probability of occurring are dealt with first while less damaging risks that are less likely to occur are handled secondarily. In reality, the lines become blurred and prioritization becomes a balancing act. Action can then be taken to reduce the likelihood of the event happening or reduce the consequence should it occur.

USING ERM

Traditional risk management is a five-step process, whereas Enterprise Risk Management (ERM) – specifically the Australian/New Zealand Standard Risk Management AS/NZS 4360:2005 – is a seven-step, structured and disciplined approach to managing risk. The seven ERM tasks are:

* Establishing the context.

* Identifying the risks.

* Analyzing the risks.

* Evaluating the risks.

* Treating the risks.

* Monitoring and review.

* Communicating and consulting.

The additional tasks of establishing the context and communicating and consulting are valuable additions to the traditional model and should become part of every enterprise’s program.

Protocols regarding the management of risk should be consistent with the strategic, organizational and risk management context of the individual organization. In order to arrive at these protocols, all relevant stakeholders and their interests must be identified. These stakeholders and their interests will influence the criteria against which risks are to be evaluated. An organization’s tolerance for risk, and the treatment used to manage each risk, may be based on the operational, technical, financial, legal, social or other objectives or interests of the stakeholders. Typical examples of risk criteria are:

* Zero tolerance.

* Ensuring that a project is delivered on time.

* Ensuring all precautions to protect life and property are taken.

* Maintaining agreed-upon standards of quality.

Although risk criteria are initially developed as part of establishing the context, they may be further developed and refined during the risk identification and risk analysis stages. It is very important that this stage of the plan receives the time and attention it deserves, because it forms the nucleus of the whole program and will most certainly affect its success.

COMPREHENSIVE RISK IDENTIFICATION

It is important to think outside the box and use a combination of techniques so that risks are identified comprehensively. The process, while creative, must also be well-structured; otherwise, an unidentified risk is excluded from all further analysis. Identification should include all risks, whether or not they are under the control of the organization. A common problem at this stage is the generation of a large, unwieldy list: without the benefit of a computerized risk register, the process can become overwhelming. Once a final list of events or risks has been compiled, it is necessary to consider possible causes and scenarios. Very often it is beneficial to brainstorm and consult with subject matter experts about the process or activity being reviewed.

The identified risks then need to be systematically and accurately assessed. The objective is to separate the minor, acceptable risks from major risks and generate a risk score (potential impact) and action plan – including a timetable – to mitigate the risk. Risk analysis involves consideration of the sources of risk, their consequences and the likelihood that those consequences may occur in the context of the controls that are in place to mitigate the loss.

Detailed records of the risk identification and analysis phase should be kept in a “risk register” to facilitate the evaluation and treatment stage. The purpose of creating a risk register is to record the identified risks in a way that can be used at a later date to generate action plans, inform stakeholders and define risk treatment options. The risk register can take many forms. For large organizations, the use of a computerized system is recommended. The register should contain the following elements as a minimum:

* Reference number.

* Risk category.

* What and how it can happen.

* The consequence ranking.

* Likelihood ranking.

* Adequacy of controls.

* Risk ranking.

* Priority.

* Action plan.

* Time frame for action.

* Person responsible.

* Estimated budget for treatment.

The use of a computerized system will allow for the generation of analytical reports that segregate risk scores by activity, category, location, or any of the other variables listed. In addition, it is easy to track the estimated budgets that are required to reduce the perceived risk. This is very important when implementing such a system for local governments or large corporations.

RISK EVALUATION AND TREATMENT

The fourth step in the process is risk evaluation. Risk evaluation involves comparing the level of risk found during the analysis with the risk criteria identified during the “establishing the context” stage. It also links the level of each risk with the cost of mitigating it and produces a prioritized list of risks for further action. In general, the greater the risk, the more focus it deserves. The focus should be commensurate with the activity’s nature, cost, complexity and importance to the operation. If the risk register is computerized, it is very easy to produce a risk profile or ranked risk log.

Risk treatment options can be identified from the ranked risk log. Identifying the various options involves balancing the cost of implementing the most appropriate option, or combination of options, against the benefits of the risk mitigation. Priority should be given to those options that result in large reductions in risk using relatively low expenditures of money or resources. Once the priorities have been set, action plans can be generated. The plans should detail the treatment options or activities required, the necessary resources, the person responsible for implementing the action plan and the timetable for implementation. The administrative task of tracking the implementation of numerous action plans is simplified if the system is computerized.
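The register fields listed above, the ranked risk log produced at the evaluation step, and the "large reduction for low expenditure" rule for choosing treatments can be shown together in a small program. The following is an added example, not code from the article or from AS/NZS 4360: the standard leaves the scoring scheme to the organization, so the 1–5 consequence and likelihood scales, the control-adequacy discount, the priority bands, the `post_consequence`/`post_likelihood` fields and the sample register entries are all assumptions made here for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed control-adequacy discount: effective existing controls lower the
# residual ranking (the article names the field but gives no weights).
CONTROL_FACTOR = {"adequate": 0.5, "partial": 0.75, "inadequate": 1.0}


@dataclass
class RiskEntry:
    """One row of the risk register, mirroring the minimum fields in the article."""
    ref: str
    category: str
    description: str        # what can happen and how
    consequence: int        # 1 (insignificant) .. 5 (catastrophic), assumed scale
    likelihood: int         # 1 (rare) .. 5 (almost certain), assumed scale
    controls: str           # adequacy of existing controls: adequate/partial/inadequate
    action_plan: str
    time_frame: str
    owner: str              # person responsible
    budget: float           # estimated treatment cost
    post_consequence: int   # expected rankings once the action plan is complete
    post_likelihood: int    # (assumed fields, added to cost the treatment)


def residual_ranking(consequence: int, likelihood: int, controls: str) -> float:
    """Risk ranking = consequence x likelihood, discounted by control adequacy (assumed scheme)."""
    return consequence * likelihood * CONTROL_FACTOR[controls]


def risk_ranking(e: RiskEntry) -> float:
    return residual_ranking(e.consequence, e.likelihood, e.controls)


def priority(ranking: float) -> str:
    """Assumed priority bands on the 0.5..25 ranking range."""
    if ranking >= 15:
        return "high"
    if ranking >= 8:
        return "medium"
    return "low"


def ranked_risk_log(register):
    """Risk evaluation: the register sorted with the highest residual ranking first."""
    return [(e.ref, risk_ranking(e), priority(risk_ranking(e)))
            for e in sorted(register, key=risk_ranking, reverse=True)]


def scores_by(register, attr: str):
    """Analytical report: total risk score segregated by a register field (category, owner, ...)."""
    totals = defaultdict(float)
    for e in register:
        totals[getattr(e, attr)] += risk_ranking(e)
    return dict(totals)


def budget_by_priority(register):
    """Track the estimated treatment budget required in each priority band."""
    totals = defaultdict(float)
    for e in register:
        totals[priority(risk_ranking(e))] += e.budget
    return dict(totals)


def treatment_priority(register):
    """Rank treatment options by risk reduction per unit of spend, largest first.
    Assumes a completed action plan brings the controls to 'adequate'."""
    def gain(e):
        treated = residual_ranking(e.post_consequence, e.post_likelihood, "adequate")
        return (risk_ranking(e) - treated) / e.budget
    return [(e.ref, round(gain(e), 6)) for e in sorted(register, key=gain, reverse=True)]


# Constructed sample register (illustrative values, not from the article).
REGISTER = [
    RiskEntry("R-001", "physical", "After-hours entry to the records store", 4, 3, "partial",
              "Install door alarms and access logging", "Q3", "Facilities manager", 12000, 4, 1),
    RiskEntry("R-002", "information", "Loss of unencrypted backup media in transit", 5, 2, "inadequate",
              "Encrypt backup media", "Q2", "IT manager", 3000, 2, 2),
    RiskEntry("R-003", "information", "Phishing of finance staff credentials", 4, 5, "inadequate",
              "Awareness training and second-factor login", "Q2", "Security officer", 8000, 3, 2),
    RiskEntry("R-004", "operational", "Extended power outage at the main site", 3, 2, "adequate",
              "Extend generator fuel supply", "Q4", "Facilities manager", 40000, 2, 2),
]

if __name__ == "__main__":
    for row in ranked_risk_log(REGISTER):
        print(row)
    print(scores_by(REGISTER, "category"))
    print(budget_by_priority(REGISTER))
    print(treatment_priority(REGISTER))
```

Note how the two orderings differ: the ranked risk log puts the phishing risk first because its residual ranking is highest, while the treatment ranking puts the cheap backup-encryption option first because it buys the most reduction per unit of budget. Keeping both views is what lets the evaluation step and the treatment step be argued separately to stakeholders.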

MONITORING AND COMMUNICATING

Monitoring and review are necessary to ensure the risk treatment plan is effective and is performing to the expectations of the stakeholders. Circumstances affecting the risk or the method of treatment chosen are constantly changing, along with society’s rapidly changing expectations. As a result, regular repetition of the risk cycle is important. In addition, stakeholders should be updated in a timely manner regarding the physical progress, financial status or other factors surrounding the proposed and actual plan. Tracking the program and reporting to the stakeholders over the Internet, with appropriate security in place, is an option that should be explored.

Risk communication and consultation with stakeholders is an important step in the ERM model. Most organizations have multiple stakeholders that would benefit from being informed of major milestones and other factors affecting the program. Communication is meant to be a two-way dialogue: it is important to ensure that those responsible, or those with a specific interest in the process, understand the basis for the decisions made and the action plans put forward. Determining the method of communication should be part of the “establishing the context” phase and depends in part on the interest of each stakeholder. The success of a risk management program depends on its acceptance by the stakeholders, and good communication is integral to maintaining their interest.