In most jurisdictions and for the majority of organisations, there is a requirement (in law, in regulatory requirements or in applicable standards) to maintain a corporate risk register and to have effective risk-based controls in place to manage the most important risks facing the organisation. We have broad and deep experience in assisting organisations large and small to create and maintain their risk registers and in advising those organisations on the cost-effective management of risk.
There are a number of steps involved in undertaking a complete business risk assessment and not all customers need to carry out all steps as one or more aspects of the process may already have been completed. We believe in not re-inventing the wheel and as such, before we begin, we would expect to conduct a thorough review of existing risk assessments and related documentation to identify the most efficient and pragmatic pathway through the process. The risk assessment itself is usually best done through a facilitated workshop involving all of the appropriate participants so that discussions can be had and informed decisions made quickly.
Agree Scope & Assess Relative Business Criticality
- CRITICAL: vital to the day-to-day operation of the business.
- MANDATORY: vital to enable the company to meet statutory or other (internally or externally) imposed requirements.
- STRATEGIC: vital to the implementation of long-term business strategy.
- TACTICAL: essential to short- to medium-term performance of the business.
Information is gathered from participants to identify their perception of the criticality of their business and technical processes. This step also identifies dependencies between business functions and business processes.
The results are consolidated to provide a corporate view of these perceptions, which is then reviewed by the participants.
Optionally, a workshop can be used to conclude the process, in which the documented perceptions are reviewed.
At the heart of any process for assessing risk must be a set of risk types that those conducting the assessment can easily understand. Within each type there will be a wide variety of manifestations, which will most likely differ for each part of the business.
The types of risk that may be identified include:
- Failure of, or disruption to, a process or activity – this includes risks ranging in effect from the catastrophic failure of the entire process to minor disruption to a single step in the process;
- Failure of, or disruption to, a dependency – this includes risks ranging in effect from the collapse of a critical supplier of goods or services to the temporary failure of an information flow from another business process;
- Failure of, or disruption to, plant or equipment;
- Failure of, or disruption to, information technology or systems;
- Compromise of Information Security (confidentiality, integrity, availability);
- Project Risks, which include risks associated with NOT delivering the specified solution, risks associated with the solution itself, and risks associated with its delivery.
In assessing the types of risk to which a physical or organisational component of the business may be subject, it is important to ensure that the assessment is well informed and based on verifiable evidence. Where possible and appropriate, the views of acknowledged experts should be called upon to ensure that the assessment of the nature and likelihood of a particular risk is as realistic as possible.
All Risks identified during this activity are described in the Risk Management Plan. At this stage it is only necessary to record summary details for each risk. These details should include a name, which should convey something of the nature of the risk, and a one or two sentence description of the nature of the risk.
Assess Likelihood of Occurrence and Business Impact
The probability of a risk occurring, its likelihood, is determined as being Low, Moderate, High or Very High.
In performing a risk assessment it is necessary to identify not only the immediate effects of the risk occurring but also the impact on the business of those effects. For example, the effect of a hard disk problem may be the corruption of some data stored on that disk, whilst the business impact of corrupt data relating to customer accounts could be significant cash flow problems and could also adversely affect the company’s reputation for excellence. In general, the assessment of each risk should consider the impact on (in alphabetical order, implying no relative importance):
- Financial performance of the company;
- Health and safety of employees and the public;
- Morale of employees;
- Productivity and process efficiency;
- Product Quality;
- Regulatory or Legislative Compliance;
- Reputation of the company with its customers, investors, staff and suppliers.
When assessing the impact of a risk it is important to ensure that the assessment is well informed and based upon verifiable evidence. Hence, expert opinion should be called upon where possible and appropriate to do so.
The impact of a risk occurring is described as being Low, Moderate, High or Very High.
From its likelihood and impact ratings, each risk is assigned to a category, which indicates the level of severity the risk should be considered to have for the organisation.
For each Risk identified as falling into Categories One and Two, a Risk Description should be developed (see Deliverables below).
This information provides the basis for a cost-benefit analysis, which will support decision-making on how each risk should be addressed.
Assess Likelihood of Detection
The likelihood of a risk being detected (or more accurately, the likelihood of detecting the symptoms the risk is expected to display) is determined as being Low, Moderate, High or Very High.
Determine Appropriate Response
There is only value in implementing a risk response if the tangible and intangible benefits of doing so outweigh the tangible and intangible costs. In addition, the tangible and intangible costs of preparing the response, and ultimately of deploying it, must not outweigh the costs of taking no action. Since success in business involves a degree of risk-taking, there will be risks that the business is happy to accept in the expectation that doing so will result in improved profitability, market share or other tangible benefits.
Deliverables
Scope & Business Criticality Assessment
- A summary of the business criticality of each business function and process within the scope of the assessment.
Risk Assessment
- A summary of each risk and the events likely to trigger it;
- The probability of the risk occurring, including details of any circumstances where the likelihood of the risk may change;
- Details of the potential impact of the risk on the business, including estimates of the cost to the business of taking no action to prevent or mitigate its impact;
- Details of the symptoms likely to be displayed in the event that the risk occurs, and the ways in which these symptoms could be detected;
- An assessment of the likelihood of detecting the risk and measures that could be taken to increase that probability;
- Details of existing counter-measures designed to monitor the risk, prevent it from occurring or mitigate its impact, including estimates of the costs of implementing and maintaining these counter-measures.
Risk Response Plan
- Proposals for additional counter-measures, or changes to those in place, to prevent the risk from occurring and to mitigate its impact, including details of the facilities, equipment and personnel required, and estimates of the time, effort and cost required to implement and maintain these new counter-measures;
- Estimated savings accruing from implementing the proposed counter-measures in the event that the risk occurs;
- Estimated consequential savings likely to accrue from implementing the proposed counter-measures in the event that the risk does not occur.
Prices (excluding VAT and reasonable expenses)
Business Risk Assessment – £2,500
Risk Response Plan – £5,000
Timescale – 2 weeks
Support for Self-Certification against Cyber Essentials and/or IASME – Call to discuss
Assessment of Compliance against ISO27001 – £2,500
Part-time support for ongoing Risk Management Programme – Call to discuss