Author: Manu Steens
In this post I write my own opinion, not that of any organization.
ISO 31000 largely prescribes, in outline, what a risk management system can look like. It expects you to carry out a risk assessment, to define measures, and then to implement them. However, it does not prescribe how to assess a measure (see my earlier blog https://emannuel.eu/en/hoe-een-maatregel-van-business-continuity-management-en-risico-management-beoordelen/).
Nor does it describe how to know whether you are prepared for a risk. That is what I want to talk about now, because once a measure has been assessed positively, the real work has only just begun.
The first step is to actually carry out a risk assessment. There is no way around that. But defining a measure is only the start of the operational preparation for the risk. Besides implementing the measure, there are a few things you need to do or check.
- Do you have a budget?
Provide a budget that is large enough, and keep in mind that there are several types of budget you may need to provide.
The first is the budget you need to implement the chosen measure.
A second is the budget you may need for external insurance.
A third is the budget you may need to get through the dark times: a kind of bridging budget.
A possible fourth is a budget in the form of a captive, i.e. an insurance entity owned by the organization itself. This is only relevant for very large risks or for large risk portfolios.
These budgets must appear on the balance sheet, and no single budget should be counted against more than one purpose.
- Do you have people?
In many crises there is a shortage of hands for the operational work. It is best to think in advance about which people and which types of profile you will need. Discuss this beforehand with HR, so that they can include the activities required of them in their part of the business continuity plan (BCP). Do they know people with the appropriate profiles? Do they have the contacts needed to bring them in quickly? HR also needs to lend a hand.
- Do you have material resources?
People often cannot do anything without the necessary equipment. Do you have the back-up equipment this measure needs? Do you have the goods and information needed to continue the work or services? Are there goods or pieces of equipment that serve as back-up for several purposes, or for several measures at once, and can the organization afford that dependency?
- Has the necessary information been distributed?
This can be the call tree within your organization, the credentials for the notification system, and so on. Are your own employees aware of the measure where that is useful and necessary? Are the internal and external parties around you aware of the possible risk, if it is relevant to them? And the other stakeholders?
- Do you have an owner of the risk?
Who is responsible for addressing the risk when it materializes? Is that the process owner, or someone else? Is handling the crisis delegated to another person? You previously discussed the measure with him or her in an operational assessment (see the blog linked above). Who does what, and who reports to the Crisis Management Team (CMT)?
- Do you have a sponsor of the risk?
Typically this is a high-ranking manager who approves the budgets for the measure. You previously discussed the measure with him or her in a strategic assessment (see the blog linked above).
Finally, if no measure was possible, do you have a plan of action? Have you talked to risk managers from other organizations who may face similar risks and who have plans in place? Can you exchange experiences? Can you reach agreements with competitors on the joint deployment of people when a risk occurs?
Checking off this list does not guarantee that your measure will not fail. But it can reassure the interested parties that the organization has already taken the necessary steps to avert, prevent or mitigate the risk should it occur.