Keeping up with Risk Change

Submitted by Continuity Forum on Wed, 2007-08-15 14:54. News


Category Business Continuity Management - BCM - Business Continuity - Foot and Mouth


Is your organisation keeping up with Risk Change?


Understanding risk is a challenge for all businesses and one which can never be put on the shelf, as new threats, regulations, technologies and trends are constantly emerging.

Often the problems businesses face are regarded in relatively simple terms; in recent years it has been common for issues to be regarded in a binary Yes/No fashion.

The situation has been becoming more complex for BCM and Risk professionals as 'risk management' has increasingly crept up the corporate agenda and more organisations are facing tricky decisions.

Businesses have at long last started to realise understanding risk isn't just about working out what vulnerabilities or weaknesses need to be shored up but rather about finding a balance where performance is not compromised by too little or too heavy-handed a consideration of liabilities.

Consequently, organisations are having to learn how to better understand the risks to their specific organisation and the potential consequences. Undertaking a risk analysis (in BCM terms a BIA) is key, as then you'll be able to direct focus, effort and resources at covering the real threats rather than just your 'gut feel' perception or a template model of the threats.
Work must therefore be undertaken to identify all areas of potential risk - from staff taking their laptops home and email policies through to major events such as the potential impact of a pandemic or a terrorist incident - and, importantly, to understand what the risk and impact are to the organisation for these events and how they can be managed or mitigated.

Companies must ask themselves: is a risk operational - might it stop you working? Or is it more far-reaching? For example, does it involve the loss of intellectual property and therefore competitive edge, or the loss of customer data and therefore serious damages in terms of future business, reputation and possibly even punitive measures?

It's those risks at the more far-reaching end of the scale which likely account for the greatest consideration and going through appropriate due diligence is no mean feat. But in order for businesses to get the benefit of such a risk assessment it must be comprehensive and structured, so the methodology can be replicated and the process becomes scalable.

Good practice risk assessment needs to be 'bottom up', looking at the individual assets that make up the whole infrastructure, covering people, premises, processes and the supply chain as well as the usual ICT environment.

The approach needs to be systematic - analysing potential threats, the vulnerabilities they might exploit, the likelihood of this occurring and what the potential impact is. Naturally, the method needs to be iterative because threats will change and controls therefore need to be regularly reviewed.

Good risk assessment should provide sufficient information to enable decisions that are appropriate and proportionate to the value at risk. Lastly, it needs to take account of the business need for the assets, making sure that they are available to the people who need them for their work, as and when they need them.

Organisations must also recognise technology is not separate from the rest of the organisation. Email, for example, could be as much a consideration for the CEO and board as it is for the IT department.

Engagement within the organisation helps immensely in managing risk, helping to set policies through HR and Legal that address the risks of using chat software, email usage, or perhaps staff connecting their iPods to your network systems. These issues can all be easily addressed by IT working with the relevant group and communicating effectively with managers.

Although no two organisations share the same risk profile, some risks are universal to all organisations.

As organisations evolve, they need to look out for new threats. For example, with more and more organisations implementing email and data exchange on mobile devices, there is a clear need for organisations to protect this data in an appropriate way. Companies should consider the consequences of inadvertent loss, such as when someone sends the wrong data through email to someone outside the company, and malicious loss, such as sending confidential data through web-based email for personal gain, in their risk planning.

In general terms, as new technologies come along, their usefulness and relevance should always be considered in terms of the benefits and the risks associated with use. At all times those two considerations must be looked at side by side through a sensible consideration of the risks posed and especially how they interact with other critical processes or activities.

Essentially it comes down to this: if something delivers no discernible value to the business and yet poses a huge risk, then the risk assessment is that the technology has no place within the company. Or if something delivers huge business benefits and poses no risks, then what are you waiting for?

Unfortunately it is very rarely so clear cut, and within the huge grey areas between those two extremes businesses must assess the right fit for them. That's where sensible, structured and sustainable Risk Assessment comes in, empowering the organisation to assess and inform on Risk and easing the difficult task of prudent and professional management.

Assessing Risk is not a black and white issue and understanding risk certainly isn't easy, but with proper management the shades of grey are much easier to work with, the organisation gaining the dual benefits of better resilience and increased value from the investment.

© Copyright 2007 continuityforum.org