Is your organization prepared for a crisis?

Risk management can impact project budget, schedule, and/or quality. Business Blackout, a report from Lloyd’s of London and the University of Cambridge’s Centre for Risk Studies, recently stated that an attack on the U.S. power grid can result in approximately $70 billion in insurance claims and economic losses of as much as a trillion dollars. Further, there are many different types of risk companies are trying to address, including strategic, operational, compliance, financial, market, credit, and supply chain, to name a few. Strategic risk accounts for approximately 60% of the risk universe, whereas operational and financial risk account for approximately 30% and 10%, respectively.

Even though many companies have been conducting risk assessment studies for many years, most find it challenging to create a complete set of enterprise risk assessment steps and realize their full value. The chart below describes a basic process for risk assessment.

Risk Assessment

The study behind the article Enterprise Risk Management Beyond Theory conducted interviews with five companies. Most of the companies suggested the following basic steps as necessary for a robust risk assessment approach:

  1. Buy-in from the top: All the companies in the article agree that the leadership must believe in the risk assessment approach in order for everyone to cooperate.
  2. Keep it fresh: If the risk factors are not refreshed often, a breakdown may occur without any key indicator flagging the event. Cyber attacks, which were considered unlikely a few years ago, are now considered an imminent threat to most large companies.
  3. Condense the information: A complicated checklist will confuse people and may even cause them to overlook the basic risks. There are various ways to report information, including showing the likelihood of an event (likely, unlikely, and certain), ranking the likelihood of an event (1-5), or using a ‘heat map’.
  4. Learn from others: It is important to create processes that fit the organization’s needs, but in order to gain a competitive advantage, companies should also review other companies’ risk assessments.

My last employer used some of these approaches. The company performed a complete risk assessment every two to three years, and the risks were categorized by business area or function. A formal “Risk Assessment Committee” reported directly to the President, which partly contributed to the attention it received. All aspects of the business were reviewed and the risks were categorized 1-5 (5 being a likely scenario). Anything over 3 was discussed each year and addressed over the following two years. The checklist was kept transparent to all parties involved, and certain parts of the checklist were made available to the whole organization.

Certain risks, such as business closure risks, were discussed more frequently. A “Risk Assessment Checklist” was completed during and reviewed after each event (including weather-related events) that resulted in a closure of the business.

What are your company or your competitors doing to assess risk? How do the factors mentioned above impact your organization?

 

Illustration of “Heat Map”

Heat Map

 

Source:

http://www.pwc.com/us/en/risk-management/assets/beyond-theory.pdf

http://www.pwc.com/en_us/us/issues/enterprise-risk-management/assets/risk_assessment_guide.pdf

https://www2.deloitte.com/content/dam/Deloitte/global/Documents/Governance-Risk-Compliance/dttl-grc-riskassessmentinpractice.pdf

http://www.insurancejournal.com/news/national/2015/07/08/374402.htm

3 thoughts on “Is your organization prepared for a crisis?”

  1. In my industry one of the biggest risks facing employees is fraud. Sophisticated hackers are sending e-mails inside companies to send wires to their accounts. The e-mails look like they are coming straight from an employee’s e-mail account. Therefore, my company is educating clients on the risk of fraud activity and how a company can build out steps to respond to this risk. Many times we educate clients on specific activities that other companies have faced and ultimately done to combat fraud, hence they are learning from each other.
    We also get asked many questions about what happens in the event that our systems go down. We have a set procedure of steps that we go through if one of our systems goes down. We have documents that we provide our clients to educate them about our procedures.

  2. My company has a dedicated Crisis Management team that seeks to be prepared for any and all situations. We have a Crisis Management room where leaders of the business will meet during a crisis to collaborate and resolve the issues. Not only are they prepared for crises to come up but also they are prepared to mitigate risk and prevent crisis situations from occurring. They do this through cross-functional teams that draw in expertise from all over the business to create SOPs and business practices that can mitigate risks before they even occur. Also, there is constant monitoring to ensure that we are aware of risks that are out there (weather, political, social, economic, etc.).

  3. Very interesting post, thank you. I work for a larger corporation, and although I am aware that we have a Crisis Response and Disaster Recovery Team (picture a large conference room with lots of monitors and headsets like space shuttle mission control rooms), my department has not been made privy to any of their plans or risk assessments. While I think we would not necessarily need to be very involved in the planning, as I am guessing a lot of our identifications revolve around cyber and physical risks to our stores and customer data, I do feel our department has a number of risks that probably do not have appropriate responses in place should they occur. Something that I may suggest to that division is, in the future, to have each department or functional area at least involved in putting together their own Risk Assessment Checklist, and possibly share the overall purpose of the corporate Crisis Response Team. I feel like there are some areas that could benefit from having some documented risks identified and responses mapped out, even if they are not on the massive corporate scale our Crisis Response Team deals with. Thanks again for the post.
