Embracing risk management as a tool to build business continuity & resilience

Recent critical global events and their subsequent impact on organizations have been eye-opening for business enterprises aspiring to remain resilient in both the short and the long term.

The critical global events we are witnessing in current times undoubtedly prompt the conversation of building business continuity and resilience through the application of risk management principles to security management. No longer can businesses claim the defense of the "unforeseen." By following up-to-date intelligence-based reports, research and news from reliable global platforms and forums, businesses are in a better position to anticipate foreseeable security risks and to better prepare and equip themselves for the future.

Business continuity is a business's level of readiness to maintain critical functions after an emergency or disruption. These events can include security breaches, natural disasters and the like. Business resilience, by contrast, describes an organization's ability to respond and adapt quickly to disruptions or significant, unplanned changes that could threaten its operations, people, assets, brand or reputation.

With unfolding global events such as the post-COVID-19 pandemic period, the ongoing Ukraine–Russia war, the effects of climate change, natural disasters, the upsurge of conflict in Israel, terrorist threats and much more impacting organizations, the spotlight is being shone on risk management. These global events have driven many companies not only to re-examine their risk practices but also to explore new techniques, technologies and processes for managing risk. More organizations are adopting a risk maturity framework to evaluate their risk processes and better manage the interconnections of threats across the enterprise. In addition to using risk management to avoid bad situations, more companies are looking to formalize how to manage positive risks to add business value.

The World Economic Forum (WEF) Global Risks Report 2023 indicates that the short-term risks projected over the next two years for businesses are:

  • Cost of living crises
  • Natural disasters and extreme weather
  • Geo-economic confrontation
  • Widespread cyber crime and cyber insecurity
  • Large scale environmental damage incidents
  • Erosion of social cohesion and societal polarization
  • Failure to mitigate climate change
  • Natural resource crises
  • Debt crises
  • Failure of climate-change adaptation

The Security Executive Council 2021 report, meanwhile, anticipated the top security risks to business organizations to include:

  • Cyber crime
  • Business disruptions due to extreme weather such as fires
  • Workplace violence
  • Insider threat
  • Supply chain disruption and supplier risk
  • Regulations and compliance
  • Political and social instability
  • Security risk talent shortage
  • Failure to provide duty of care, such as travel security

Even with these research-based facts available to us, some businesses are yet to embrace a forward-thinking approach that entails effectively planning and preparing ahead.

Here is why some businesses are not adequately prepared for foreseeable crises:

  1. Denying it can happen to them - It is human nature to dissociate, or push negative thoughts and images out of one's mind. In the short term, it is easier and more comfortable to simply assume the "it can't happen here" attitude.
  2. Being reticent to make crisis preparedness a priority - Most senior executives and managers would agree that it is best to be adequately prepared for critical incidents. But of course, this is not what their organizations exist to do, and it inevitably siphons resources away from their real missions. Competing priorities can be allowed to ensure that the preparedness process never gets underway.
  3. Allowing yourself to remain unaware of risks inherent to your businesses - If you aren't looking for something, you generally won't find it. Unless a foreseeable-risk analysis is conducted throughout your operations, you probably won't be aware of the full range of risks you face, both inside your organization and within the context of external threats.
  4. Ignoring warning signs as they emerge - Past internal history is often not critically analyzed, thus near misses and obvious weaknesses are overlooked.
  5. Relying on weak, untested plans - Often, plans are thrown together shoddily, and a false sense of security is allowed to develop. Unless a crisis plan has been carefully constructed and thoroughly tested, through simulations and emergency exercises, it cannot effectively protect your organization in the moment of a crisis.
  6. Addressing crisis prevention and post-incident response - Crisis preparedness requires a management system that has an effective champion, sufficient managerial support and talent, adequate budgeting, quantifiable objectives, periodic testing and a monitoring system to assure that it is working.

The following are steps adapted from ISO 31000 risk management principles and guidelines that an organization can implement for effective security risk management.

1. Establishing the context of the risk management process

The objectives, strategies, scope and parameters of the activities of the organization, or those parts of the organization where the risk management process is being applied, should be well defined and established.

2. Defining risk criteria

The organization should define criteria to be used to evaluate the significance of risk. The criteria should reflect the organization's values, objectives and resources. Some criteria can be imposed by, or derived from, legal and regulatory requirements and other requirements to which the organization subscribes.

3. Risk assessment

Risk assessment is the overall process of risk identification, risk analysis and risk evaluation.

3.1 Risk identification

The organization should identify sources of risk, areas of impacts, events (including changes in circumstances) and their causes and their potential consequences.

3.2 Risk analysis

Risk analysis involves developing an understanding of the risk. It provides an input to risk evaluation and to decisions on whether risks need to be treated, and on the most appropriate risk treatment strategies and methods. Risk analysis can also provide an input into making decisions where choices must be made and the options involve different types and levels of risk.

3.3 Risk evaluation

The purpose of risk evaluation is to assist in making decisions, based on the outcomes of risk analysis, about which risks need treatment and the priority for treatment implementation. Risk evaluation involves comparing the level of risk found during the analysis process with risk criteria established when the context was considered. Based on this comparison, the need for treatment can be considered. Decisions should take account of the wider context of the risk and include consideration of the tolerance of the risks borne by parties other than the organization that benefits from the risk.

3.4 Risk treatment

Risk treatment involves selecting one or more options for modifying risks, and implementing those options. Once implemented, treatments provide or modify the controls.

Risk treatment involves a cyclical process of:

  • Assessing a risk treatment
  • Deciding whether residual risk levels are tolerable
  • If not tolerable, generating a new risk treatment
  • Assessing the effectiveness of that treatment

Risk treatment options are not necessarily mutually exclusive or appropriate in all circumstances. The options can include the following:

  • Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk
  • Taking or increasing the risk in order to pursue an opportunity
  • Removing the risk source
  • Changing the likelihood
  • Changing the consequences
  • Sharing the risk with another party or parties (including contracts and risk financing)
  • Retaining the risk by informed decision

3.5 Monitoring and review

Both monitoring and review should be a planned part of the risk management process and involve regular checking or surveillance. Responsibilities for monitoring and review should be clearly defined. The organization's monitoring and review processes should encompass all aspects of the risk management process.

3.6 Recording the risk management process

Risk management activities should be traceable. In the risk management process, records provide the foundation for improvement in methods and tools, as well as in the overall process.

Let's maintain a positive attitude while we plan and prepare for a resilient future.

Credits to:

World Economic Forum (WEF), Global Risks Report 2023

The Security Executive Council, 2021 Top Security Risks report

ISO 31000, Risk management — Guidelines

Basil Gouge

A Risk Management & Safety professional with 15 years experience of delivering complex project solutions across the APAC region.

1 year

This can be called many things to many people, but a common denominator that cuts across any unnecessary professional language that risks alienating those that matter, is to call it ‘Preparedness’. This term is universally understood by risk management professionals and those who have responsibilities for risk but have not received any formal training.

Ramsay McAuley MBA MSc CSC MSyI

Delivering Global Security Strategy and Operational Excellence Across Asia Pacific and Beyond | Supporting Companies in Achieving Greater Market Share and Sustainable Growth

1 year

This is called Organisational Resilience

Nicholas Threloff, MBA

Global Operations Director

1 year

Great article that recognizes two important organizational mindsets: it won’t happen to us and there are too many other things to do instead of crisis preparedness. If the first mindset changes, then the second likely will too.

Innocent Manyiwa

Risk and Loss Control Assistant @ Cairns Foods Limited | Risk Management | ACFE |

1 year

Insightful

Thank you Arshley Susan Wanjiku CSMP, M.ISMI for this reminder of the importance of #businesscontinuity and its nexus with risk and security. Blue Cadre Inc. hopes to see more articles like this in the future.
