Risk Management - what is it and why do we do it?
Risk management gives us a framework that helps us to consider future events and uncertainties that affect an organisation. If it is effective, it helps prioritise and ratify current and future management decision making.
Risk management involves everyone and everything throughout the organisation
(Steve Fowler - CEO Institute of Risk Management).
The framework we develop is dependent on a client’s requirements. Risk management can be as simple or complex as you want it to be. What we aim to do is develop a process that suits an organisation’s appetite, real requirements and is effective in its objectives.
Business Continuity Management – what is BCM?
Where an event affects business processes, the consequences can be severe and include financial loss, embarrassment, loss of credibility and goodwill for the organisation concerned. Consequential damage can extend much wider, impacting staff, customers, suppliers, stakeholders and the public.
BCM is concerned with managing risks to ensure that at all times an organisation can continue operating at a predetermined minimum level i.e. sometimes prevention is more appropriate than waiting to try the cure!
“BCM is about anticipating that things are beginning to go wrong and taking planned and rehearsed steps to protect the business and hence the stakeholders’ interests” (John Sharpe - Policy and Development Director Continuity Forum)
Emergency Response Planning - what’s that?
Considering what you will do immediately after, or even during, a disaster event. What if your building is not safe to go back into: what is the next step, where will all the evacuees go, how will communications be handled… and all this while the building is still burning!
“Whilst there will be natural anxieties in the face of the unforeseen…lack of information, preparedness, training and experience will significantly affect stress levels and personal effectiveness…”
(Association of Chief Police Officers 1989)
Rehearsals - why rehearse, it will never happen?
Stuff happens – power failures, loss of IT, hackers, fires, flooding, accidents, and so the list goes on. What assurance do you have that a plan will work? Only testing it will highlight any omissions or disconnections. Taking people through an exercise where nothing is at stake, except pride, is valuable experience for all involved, should the unthinkable happen.
Rehearsals are not a luxury we can do without but essential in being able to assure stakeholders we have a viable and workable recovery plan.
Rehearsal events can vary in the level of staff involvement and complexity with respect to the organisation. At their simplest they consist of walk-through briefing exercises, increasing to desktop scenario sessions and technology component tests, through to integrated recovery exercises involving the movement of staff, invocation of any third-party services and recovery of data to alternative sites.
Rehearsals also help identify issues arising from process, technology and organisation changes not captured by change control.
“Education and awareness of business continuity policy, strategies and plans will be essential for the ongoing success of the BCM initiative within an organisation” (Guide to Business Continuity Management – HMSO 1995)
Rehearsals are an effective way of providing such awareness and education.
Crisis Management – why is this different to emergency response?
The emergency response is often invoked following a physical event and is concerned with issues such as containment, saving life, public safety, immediate communication to the marketplace and the first steps of recovery.
Crisis management has a broader range of triggers including many human-caused events such as fraud, product tampering, hostile bids and sabotage. The discipline is also much more hands-off, dealing with image, reputation, and long term survival and growth of an organisation.
The skills and aptitudes required to handle crises can be acquired despite their many possible forms.
“While not all crises can be foreseen, let alone be prevented, all of them can be managed far more effectively if we understand and practice the best of what is humanly possible”
(Ian Mitroff – Professor of Business Policy University of South Carolina)
These skills and attributes can also be discovered and honed through rehearsal events. By the nature of things, such events are sudden, unpredictable and often unprecedented in their scale and speed of escalation. This unfamiliarity is one of the most stressful elements for response personnel. Rehearsals also give experience and confidence.
Information Security – do I need this as well?
To some extent – yes! How much, and to what standard, will depend on a number of factors –
- the size of the organisation
- the data that is held
- the importance of such data
- confidentiality requirements for such data
- industry regulators
- applicable statutes
- customer and supplier requirements
- what the competition has done.
Every organisation holds data in a number of formats. Most commonly these are hard copy (paper records) and soft copy (data held electronically on a PC, server, phone, palm-top…).
For some companies, availability of data will be critical to the business functioning, whilst with others, maintaining the confidentiality and integrity of this data will be fundamental. For some, both criteria will apply.
Information security policies and processes ensure that availability, confidentiality and integrity are maintained. This is particularly important for any organisation which uses the internet for business transactions or communication.
“No organisation can operate in today’s world without effective information security… The extent and value of electronic data is growing exponentially…exposure of businesses and individuals to its misappropriation or destruction is growing very quickly… consumer confidence… will depend on how secure they believe their data is…” (Steve Watkins – IT Governance)
Much of what needs to be done revolves around people and management, not technology. Technology is often in place, but misused by users to the extent that it becomes ineffective. The framework for good information security is contained in ISO 27001 – Information Security.