How vulnerable are public sector systems? cont'd...

Submitted by Continuity Forum on Wed, 2005-08-24 09:57. Advice

Emerging Risks - reassessing your position

Risk assessment and management is a central part of any organisation’s strategic management and is directly linked to Corporate Governance. It is the process (see figures 8 and 10) whereby organisations methodically address the risks attached to their business activities with the goal of achieving sustained benefit within each activity and across the portfolio of activities. Its objective is to add maximum sustainable value to all the activities of the organisation. It supports accountability, performance measurement and reward, thereby promoting operational efficiency at all levels (AIRMIC 2004).

Figure 8: Risk assessment model

Source: Dr David J Smith 2002 (adapted from Fennell 2002)

In considering risk management as an integral part of the Internal Controls and Corporate Governance of an organisation, there are five key questions that must always be considered in addition to those within the risk assessment process. In this context, it is worth remembering (and reminding all senior executives) that ‘managerial ignorance’ is no longer an acceptable legal or moral defence if internal controls or corporate governance are handled badly or found wanting. As a result, all executives and managers should consider the following key questions, which are likely to be asked in a subsequent inquiry:

1. When did you know there was a problem?
2. What did you do about it?
3. If you didn’t do anything, why not?
4. If you didn’t know there was a problem, why not?
5. What would you have done if you had known such a problem could exist?

AIRMIC (2004) indicates that any system of risk management (internal control) must provide as a minimum:

· Effective and efficient operation of the organisation
· Effective internal controls
· Compliance with laws and regulations

A risk assessment is an essential ingredient in the effective and efficient operation of an organisation in that it identifies the threats that require prioritised risk management control.

An essential consideration is the cost effectiveness (benefit) of internal controls. This relates to the cost of implementing the control(s) compared to the projected risk reduction benefits. In essence, added value should be measured in terms of the potential economic effect if no action were taken versus the cost of the proposed risk management action(s). The key issue is where the cost of reducing the risk may be totally disproportionate to the risk (AIRMIC 2004). This again directly relates to the business objectives of the organisation and the outcomes of the BIA, which, when combined with the risk assessment, informs the setting of strategy, solutions and a risk appetite.

Within the BIA and risk assessment process, it is important that every organisation understands the laws and regulations that apply to its operation and implements a system of Internal Controls to ensure mandatory compliance.

Current research indicates that some of the key current threats to both public and private sector organisations are:

· Global terrorism
· Supply chain - especially where there is Just In Time (J.I.T.) management or a global aspect
· Non-compliance or inconsistency with national and international legislation, regulatory and/or insurance requirements, e.g. Basel II and BSI 7799
· Security - Personal, Physical, Logical including data
· Hackers
· Worms and Viruses
· Contamination
· Criminal activities, e.g. theft of corporate and personal identities

© Copyright 2008 www.continuityforum.org