You have recognised the risk, recorded it and planned what to do about it. What comes next?
There is plenty of guidance around for identifying and recording risks, and lots of good ideas for monitoring and review, but surely what ultimately counts is how aware we are of the risks we face as a business as a whole, and how effective our mitigation strategies and response capabilities are.
Let’s take a look at cyber: with almost daily news coverage it seems to be this year’s “must have” item for the risk department and the chief information officer. Every board member will have read about it, and there is sufficient information around to conclude that it is a real threat with real impacts.
So before the board asks us, let’s dig into it a little more, starting with a detailed analysis of the organisation in order to narrow down the areas at risk. With help from the IT department, who will fight for a budget to reduce the exposure and to improve protection and monitoring, we are off to a good start, and soon all sorts of techniques to reduce vulnerability will be suggested: be alert to problems, detect events as they occur, consider encryption and improve the firewalls – and that’s before we make a start on the architecture. A series of actions is eventually agreed and money starts to be spent!
Yet a significant risk will remain: reduced, perhaps, but by how much is difficult to assess, so that no matter how good you are, the complexity and scale of the problem mean you cannot guarantee to eliminate it. Let’s not forget the technical brains at work behind the cyber threat, who keep things evolving just because they can.
How effective are the precautions?
One of the key frustrations for risk managers is the issue of likelihood; within reason, the impacts and consequences of events can be assessed either through past experience or through hazard analysis techniques.
But life is not simple when probability arrives, and that’s why Murphy and his law of unintended consequences occasionally invite a few friends around to make a mockery of risk assessment! High-consequence, very-low-frequency events are amongst the hardest of all to deal with, and who wants to spend money on problems that may never occur?
Fit for Risk
From the Corpress experience, “risk” starts a conversation and helps prioritise actions, but what it does not do is remove the need for effective mitigation and response. By this we mean the establishment of an alert organisation, able to determine what its exposure to internal and external threats is, with confidence in its capability to respond to events.
This places a great deal of emphasis on the capability of staff, teams and leaders, as opposed to a focus mainly on procedural systems and risk registers; all of these are still required, but they are seen as a foundation stone rather than the answer.
Why exercise the risks?
No amount of reading plans or listening to slide presentations will prepare individuals and teams for the pressure, complexity and uncertainty of dealing with difficult events. Competence and capability come from practice and experience!
Working through:
- different scenarios,
- the range of possible outcomes and escalation paths,
- the influencers on impacts and probabilities
will allow people to engage with, understand and challenge the organisation’s risks.
By adopting this approach the culture of the organisation improves, and through the engagement of people from boardroom to shop floor the awareness and confidence of teams grows. Well-presented, risk-based exercise programmes improve leadership, decision-making and communications, and often identify significant cost reductions in risk mitigation.
Returning to cyber, this means engaging key staff across the organisation in a variety of different styles of exercise based around the central theme of cyber risk: from the technical experts protecting your systems, to the communications team handling the fallout, to the operational and sales teams managing customer and other key interfaces. Not, of course, forgetting the executive team!
Shared understanding and the experience of how to handle problems build relationships and capability; it’s people who make organisations work, and the more capable they are of controlling, managing and responding to difficult circumstances, the less the organisation is exposed.
If you’d like to share your thoughts with us, please get in touch at firstname.lastname@example.org or tweet us @corpress