Business Awareness: Understanding the Business
Any serious and consistent risk analysis starts with a correct understanding of the business in question. This phase consists of gaining a correct understanding of the organization’s mission, its value proposition, its vision of the future, its strategic objectives and its critical success factors.
A thorough understanding of the company’s strategic planning also makes Risk Management efforts more effective. This is because the main responsibility of the risk manager is to provide solutions that allow the company to fulfill its mission, its strategic objectives and its value proposition while assuming acceptable risks.
These risks should also be balanced against the risk appetite of the investors and the level of resilience (tolerance) of the organization.
Identification of Critical Risks
The initial phase of risk identification is a screening that separates the secondary risks from the critical risks of an organization: those that can significantly compromise anything from its strategic objectives to the future of the business.
This screening is of fundamental importance to any company, because every manager has a limited ability to monitor, control and mitigate risk.
The identification begins with a survey that produces a general list of risks, gathered from discussions or interviews involving the risk management team and representatives from different areas, at the most varied hierarchical levels.
In this process, it is of great value to analyze the company’s core business, its macro processes in general, accident statistics, risk reports from specialized consultancies, and an “anamnesis” (a history-taking interview) with top management.
This initial list, drawn up empirically, is based on the participants’ perception of the risks that affect their activities and impact the organization’s critical success factors.
Through critical analysis, the methodology makes it possible to reach a robust risk assessment even without historical databases. Although not as precise as a purely quantitative model, it allows the risk manager to collect the representatives’ perceptions, develop a “Risk Management Culture”, and begin engaging the areas involved in implementing the risk management plan. In addition, it allows qualitative and quantitative information to be used and treated in a single risk management model, so that databases containing the history of risks that have occurred in the company, in companies in the same segment, or in the industry in general can also be analyzed.
On the basis of this information, it is assessed whether any risk on the initial list has the potential to impact a critical success factor, a strategic objective, the company’s mission, or the achievement of its value proposition. If so, that risk is added to the Critical Risk List.
Risk, threat and vulnerability
It is important to define the differences between risk, threat and vulnerability to avoid conceptual errors in the preparation phase of the Corporate Risk Management Master Plan.
A vulnerability is a deficiency in the processes, systems or human resources employed that allows the realization of the risks to which the organization is exposed.
Risk and threat, on the other hand, are closely linked factors, and the distinction between them is not always clear. While the threat is tied to the agent (vector) driving it, the risk is tied to its realization. For example, in the phrase “hackers threaten to invade systems”, we have:
– Threats: hackers
– Risks: system invasion, system disruption, phishing, sniffing, etc.
Origin and risk factors
When we define the Critical Risks for the preparation of the Corporate Risk Management Master Plan, it is important to know their origin and the risk factors.
Risk factors are usually deficiencies in our protection systems that allow a given risk to materialize; that is, they are linked to vulnerabilities and to external causes.
For the example of the hacker threat quoted above, one of the risk factors would be the lack of an information security policy.
By making the origin of the risk and the risk factors visible, we can identify the main points on which the risk and safety management process should be focused. From there it becomes possible to adapt the various means of protection, whether human, technical or organizational.
However, the philosophical and academic discussion about the nature of risks (human, technical or organizational) is innocuous and usually adds little practical value.
What matters, once the source and the risk factors have been defined, is to establish feasible actions to prevent the risks from materializing.
The critical risks are then tracked and closely monitored by the risk manager, while the secondary risks are referred to other areas for treatment.
Risks and Scenarios
For each Critical Risk, a Risk and Scenario Survey Table should be prepared.
This table describes the worst-case scenarios for those risks and their impacts on the media, the community, the business, the internal public, and others.
The Risk and Scenario Survey is a tool that aims to provide an overview of the risks and their impacts should they materialize.
It also provides an overview of the possible impacts on the various components of the company.
The table also makes visible the need to prepare Contingency Plans and Crisis Plans for specific situations, and helps to assign responsibilities within the company.
It also serves as a basis for defining the magnitude of the risk’s impact on the various variables that will be evaluated, including the company’s finances and its image.
The tool helps to create the necessary basis for the next step in the process: risk measurement. This is because a clear definition of a possible risk scenario allows the risk measurement to be obtained in a much more precise way.
A precise definition of the consequences of the risk makes classifying the risk in the qualitative tables for each variable much easier and more accurate. A clear scenario helps to resolve doubts in the risk measurement phase.
It is recommended that, for each critical scenario, a Contingency Plan be prepared in addition to the Plan of Action for the mitigation and control of the risk. Ideally, the Chief Risk Officer (CRO) or the Corporate Risk Manager should coordinate this work.
The plan should be developed by interdisciplinary teams made up of representatives of the various segments of the company, such as IT, Security, Marketing, Finance and Social Responsibility. However, such integration between areas still seems far from the Brazilian reality.
If such a procedure is not possible, it is suggested that the Chief Risk Officer or the Corporate Risk Manager coordinate a “brainstorming” session with representatives of the aforementioned areas to prepare the Risk and Scenario Survey Table.
With this information, the manager can begin preparing the Action Plans and Contingency Plans, which must be presented to and validated by the different areas of the company.
The Risk and Scenario Survey Table makes it easier for shareholders, directors and senior management to gain a clear picture of the direct and indirect consequences of the key critical risks materializing.