The path to a risk register that reflects a credible and up-to-date state of risks is a long and demanding one. It usually begins either with an awareness that risks exist and can affect profit or loss, or with an unpleasant event that left significant consequences for the business, as happened in the case of the COVID-19 pandemic.

How long is the risk register useful?

The risk register contains useful information that is the result of the previously described efforts and represents an important milestone on this route. For many organizations, a properly and transparently arranged risk register is also the ultimate goal, as it gives them a strong sense of security. Think about it: you have a complete list of risks, the risks are assessed and categorized so that everyone can immediately see which ones are the most dangerous if they materialize. You also have risk assessments marked with nicely chosen colours. The management is seemingly pleased, as you have prepared a forty-two-page report for them, and none of them have had any comments. Great, isn’t it?

Whether and for how long the risk register is actually useful, of course, is another question. If you leave it as it is, it is probably only reliable for a short period of time, and only if the business has not changed much.

At a time when rapid change has become the only constant, however, a one-year-old risk register is probably worth very little. For that reason, good risk management practice and virtually all standards uphold the principle that both regular and extraordinary reviews of our risks must be carried out.

When and how often should the risk register be revised?

As a rule, we determine the frequency of regular reviews ourselves according to the specifics of our business. In doing so, we take into account the industry we are in, our business and social environment, and all other factors that could affect how quickly our information on identified risks becomes ‘obsolete’.

In practice, many organizations choose to review risks once a year. For some, this is probably the right decision, while for others a one-year review period can be far too long.

What is more interesting is the requirement for an extraordinary review of the risk register. In which cases should you carry out an extraordinary review? Good practice says something like this: we need to review risks in the event of a major change in the scope or form of the business, the business environment or regulations, after major adverse events (risks that have materialized or nearly did), and in other situations that could change our perception of risks.

List of reasons for an extraordinary review of the risk register

Let me list a few typical cases where risks need to be scrutinized.

Changes in the scope of the organization
The business world has been quite dynamic for some time; companies merge and break apart. When we expand, for example by merging with another company, the scope of our risks may also increase. With new people, locations, processes and products, new and often unknown risks usually come along. Therefore, a review of the risk register is one of the most important steps, in many cases already at the time of planning a change in scope.

Changes in performance
When introducing new products or services, introducing new processes, launching new projects, entering new markets or facing emerging competition, we need to ask ourselves at the right time what new risks will come with these changes.

Legislative changes
We cannot directly influence legislation. Major changes in the law are usually announced in time, but some can happen ‘overnight’. Experience tells us that even long-announced changes in the law can come as a ‘surprise’ when they come into force, because people tend to postpone obligations until the deadline is close enough.

Examples of changes in legislation that have significantly affected the risk register of a large number of companies are:

• Change in value-added tax, where there were some unknowns in the field of financial risks due to the magnitude and complexity of impacts
• Enforcement of the EU General Data Protection Regulation (GDPR), where a number of new risks related to the processing of personal data have emerged
• Adoption of laws and regulations in the field of critical infrastructure, which impose new responsibilities on some organizations and thus introduce new risks, which we already wrote about.

The emergence of a pandemic
The recent outbreak of the pandemic has affected business in almost every corner of the world and still has extremely strong consequences for most organizations today. New risks, which we may not have been able to imagine previously, may have materialized.

This extraordinary situation certainly dictates an extraordinary review of the risk register. New and almost unimaginable risks need to be considered, such as the unavailability of staff due to mandatory quarantine, staff shortages due to suspended public transport, and worst-case scenarios such as the loss of staff due to death.

New risks also require completely new measures, with which we often have no experience, such as the purchase of protective equipment, the reorganization of business premises, the introduction of teleworking and the like.

Purpose of the risk register review

The main objectives of the risk review are:

• Identify which existing risks remain unchanged.
• Identify which existing risks have changed and need to be re-evaluated.
• Identify new risks, i.e. those that are not yet in the register but are relevant given the new circumstances. These risks must also be taken through the whole process of evaluation and classification so that they get their proper place in the register.
• Eliminate risks that are no longer relevant.
• Reduce any new or changed risks that are unacceptable to an acceptable level, or take other action.
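To make these objectives concrete, here is an added Python example (not code from the original post or from the SBR platform) that compares the register as it stood at the last review with the register after the current review and sorts each risk into one of the outcomes above; the 1-to-5 likelihood and impact scales, the acceptable-score threshold and the sample risks are constructed assumptions.

```python
"""Risk register review: classify risks between two register snapshots.

Assumptions (not from the original post): each risk is scored as
likelihood x impact on 1..5 scales, and any score above ACCEPTABLE_SCORE
is outside the organization's risk appetite and needs treatment.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    risk_id: str
    title: str
    likelihood: int  # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int      # assumed scale: 1 (negligible) .. 5 (severe)
    owner: str

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


ACCEPTABLE_SCORE = 9  # assumed risk appetite: anything above this needs treatment


def review_register(previous, current, acceptable=ACCEPTABLE_SCORE):
    """Sort risks into the review outcomes and flag those needing treatment.

    unchanged    - same assessment as at the last review
    re_evaluate  - existing risk whose likelihood or impact changed
    new          - not in the previous register; needs full evaluation
    retired      - no longer in the current register
    treat        - new or changed risk whose current score is unacceptable
    """
    prev = {r.risk_id: r for r in previous}
    curr = {r.risk_id: r for r in current}
    result = {"unchanged": [], "re_evaluate": [], "new": [], "retired": [], "treat": []}

    for rid, risk in curr.items():
        if rid not in prev:
            status = "new"
        elif (risk.likelihood, risk.impact) != (prev[rid].likelihood, prev[rid].impact):
            status = "re_evaluate"
        else:
            status = "unchanged"
        result[status].append(rid)
        # Only new or changed risks are candidates for fresh treatment decisions;
        # unchanged risks already carry whatever measures the last review set.
        if status != "unchanged" and risk.score > acceptable:
            result["treat"].append(rid)

    result["retired"] = sorted(rid for rid in prev if rid not in curr)
    return result


def sample_review():
    """Constructed sample: register before and after an extraordinary review."""
    previous = [
        Risk("R-01", "Fire in main office", 2, 4, "facilities"),
        Risk("R-02", "Ransomware on core systems", 2, 5, "it-security"),
        Risk("R-03", "Key supplier failure", 3, 3, "procurement"),
        Risk("R-04", "Legacy fax line outage", 1, 2, "it-ops"),
    ]
    current = [
        Risk("R-01", "Fire in main office", 2, 4, "facilities"),
        Risk("R-02", "Ransomware on core systems", 4, 5, "it-security"),   # likelihood up
        Risk("R-03", "Key supplier failure", 3, 3, "procurement"),
        Risk("R-05", "Staff unavailable due to quarantine", 4, 4, "hr"),   # new
        Risk("R-06", "Remote-work endpoint compromise", 3, 3, "it-security"),  # new, acceptable
    ]
    return review_register(previous, current)


if __name__ == "__main__":
    for outcome, ids in sample_review().items():
        print(f"{outcome:12s} {', '.join(ids) or '-'}")
```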

Real-time risk monitoring

The risk register is most useful when it contains current and up-to-date information on risks and when you monitor all risks at all times, meaning all expected changes are reflected in the risk register in a very short time. Risk information is alive, and we can say that we monitor risks in real-time.

This reduces the need for periodic reviews, as almost all changes are captured on an ongoing basis. Any extraordinary reviews are also much more effective, because the risk register does not carry ballast in the form of outdated and invalid information.

Monitoring risks in this way is, of course, harder to achieve. Certainly, the preconditions are a highly developed risk management culture and a high degree of integration of risk management into the business processes themselves. But a lot also depends on using the right tools to support risk management.

The SBR platform focuses on meeting the key requirement of monitoring risks at all times. It achieves this by making it easy to involve a wide range of people who know the specific risks and have the authority to deal with them. For risks in the register, it enables optional management of risk parameters such as their inherent assessment, current assessment, target assessment, management efficiency, institutions, tasks and important deadlines. For each risk, an unlimited number of indicators (key risk indicators) can be monitored; these graphically show trends and warn of possible unexpected or undesirable situations. In this way, the need for an extraordinary review of the risk register is significantly reduced, and when an extraordinary review does take place, it is extremely effective.

The old Slovenian proverb goes: The fed crow does not believe the hungry crow. I often think of it when we talk about business continuity management or, more specifically, the likelihood of serious business interruptions. The possibility of events such as a large-scale earthquake, a prolonged power outage, an epidemic or pandemic across the country, a terrorist attack and the like seems very distant in normal circumstances, which is why the common reaction is that this simply cannot happen to us.

Whether such a reaction is the result of strong optimism, or perhaps just a sign that people in general wish to avoid thinking about the complex problems the future may bring, is a question for another blog. This, however, is not the case with business continuity experts, who spend most of their time thinking about how to respond if any of the likely scenarios really do happen. Even more, on the basis of business analysis we also outline an economically sound strategy, prepare concrete plans, regularly test them and educate the stakeholders involved.

Unfortunately, we are precisely in the midst of a time when one of the very unlikely scenarios has come true. The epidemic has plagued much of the world in a relatively short period of time. It has affected people both personally and professionally, as well as the business world. For businesses, the response to the unexpected situation was, and probably still is, dependent on preparations made in the past. Organizations that prepared well in ‘quiet times’ are likely to find it easier to switch to crisis mode. In other words, those organizations that had a good business continuity plan in place, which they also regularly updated and tested, are now probably relatively stable. Of course, things are not so simple, since the impact of the epidemic also depends on other factors such as the type of industry, the degree of computerization, dependence on procurement or logistics, etc.

Nevertheless, we are now all in this very specific and unique situation that requires us to respond accordingly. With this blog, we want to give you some useful tips that could help you keep your business, stay on the market, meet your commitments, maintain an acceptable social level for your employees, and maintain a good image of your organization.

1) DETERMINING THE SCOPE OF THE BUSINESS

When we are struggling to re-establish our business after an outage, we usually have to decide on a reduced scale of operations. The reasons for this vary and include everything from a reduced market, a limited supply of raw materials and the need to limit costs, to the reduced capacity of the reserve location, the unavailability of staff or resources, limits on customer contact, etc.

We advise you to evaluate your processes and activities against criteria that are relevant to your business. Take into account the effects of the inactivity of individual processes on the loss of market share, legal and other obligations, revenue structure, the reputation of the organization and the like. Sort the processes from highest to lowest priority by rating. Identify the lower-priority processes without which you can continue your business. When prioritizing, keep in mind that a seemingly less important process may be essential to the operation of some high-priority process. For high-priority processes, evaluate which resources are essential for their operation. Ensure your decisions are made with the latest available data.

If you are managing the critical infrastructure of the Republic of Slovenia or European critical infrastructure in the territory of the Republic of Slovenia, you should also consider your obligations under the legislation and regulations in this field when assessing the level of priority of processes.

2) MANUAL PROCEDURES

In case of partial or total unavailability of information technology assets, establish manual emergency procedures. Keep in mind that it may be necessary to provide additional resources such as calculators, paper, notepads, forms, pens, printers, local workstations, local software versions, even an additional workforce and more. Make arrangements with suppliers and be prepared to pay in cash. Provide additional logistics and temporary staff. Ensure safe storage of paper records and plan for electronic data entry as soon as possible.

3) CRISIS MANAGEMENT

Establish crisis management. It differs from normal management in that crisis management contains several elements of operational management, decision-making and implementation in the field, and accurate execution of the crisis management plan (if it exists), and it requires multi-level communication and demanding coordination of simultaneous activities. Crisis management may be carried out by the existing management, but in practice it appears appropriate for crisis management to have a designated team of a different composition, which is given powers only when a crisis is declared.

The qualities of a good crisis leader include, among other things, quick and responsible decision-making, the ability to act judiciously and with a sense of risk, the ability to communicate clearly and decisively at all levels and in emergency situations, a sense for involving experts in various fields, a high level of confidence and, last but not least, charisma. In crisis management, we are closer to command (within the scope of our powers, of course) than to executing normal business decisions.

If the police, firefighters or civil protection are involved in a given situation, follow their guidance and comply with any lawful request.

4) COMMUNICATION

In emergencies, new and unusual decisions are made, so circumstances can change quickly. Decisions and the accompanying information must be clear and concise and must reach those who carry them out as soon as possible and without distortion. Provide communication channels that enable this. If conventional channels of communication, such as telephony, e-mail or messaging applications, do not work, establish alternative routes such as couriers, radios and the like.

Make a list of all the target audiences you need to address in times of crisis. These can be employees, their family members, neighbours, partners, executives, supervisors, customers, shareholders, regulators, the media, nearby residents, local communities, public authorities and the like. Determine the method and specifics of communication according to the target audience and empower a narrow circle of staff who can communicate. Post as much information as possible on your online media that can be directed to interested audiences.
Pay particular attention to communicating with the media. Identify a person or a narrow circle of people who can communicate with the media and do not allow others to freely do so. Have pre-drafted press release templates. Coordinate important statements with management, legal service or crisis management. Request authorization for all posts if possible.

If the event requires involvement with police, firefighters or civil protection, clearly provide any information they require and are authorized to access.

For larger-scale events, monitor the operation and decisions of crisis management and authorities at the municipality or state level. Make someone in charge to monitor this type of information, and determine how they report to management or crisis management.
Keep an eye out for any fake news that comes up in connection with the important events and/or the industry you are in, or possibly in relation to your organization. Speak out about it and counter the negative news with facts and arguments.

5) WORK PERFORMANCE

Performing work at primary location
If work can continue at the primary location, check, depending on the situation, what additional steps you need to take to ensure a safe and unobstructed flow of activity. In the event of pandemic contact restrictions, make sure there is adequate work space, protective masks, disinfectants, protective panels, a limit on the number of people per room, measures to prevent physical contact or close approach, rest breaks to compensate for additional loads, and the like.

Performing work at another location
When the primary location is not suitable for continuing the business, organize work at another location. This is a challenging task and is practically feasible only if the backup location was planned and established during normal conditions and a business shift plan is in place.

Work from home
Work from home is an alternative for those business processes where most activities take place at computerized workplaces using a PC. In doing so, staff need to be provided with laptops, or they must agree to use their own personal computers at home. Appropriate infrastructure for work from home should be provided. This is primarily about secure internet connectivity, either via an existing home connection or through an organization-provided mobile connection. The connection must be protected by appropriate secure technology such as a VPN or HTTPS. The home IT environment in which the work takes place must also offer a sufficiently high level of information security. Because the organization has little influence over this, it is necessary to educate employees in the safe use of these technologies.

When working from home, agree on the method and form of compensation for using the employee’s resources for the purpose of doing business.

In circumstances where people cannot be in physical contact (an epidemic, for example), it is of the utmost importance to establish alternative channels of communication and collaboration. There are many software tools that make it possible to work together. If you have not used these tools before the emergency, identify the right person to evaluate the current offer and suggest a choice. Make sure you have clear requirements as to what functionality you need and what licensing model is right for you. If necessary, organize quick training so staff can use and adapt to the new way of working.

6) ASSESSMENT AND SYSTEMATIC RECORDING OF DAMAGES

Keep up-to-date documentation of any damage caused. Specify the data set that is required to maintain the damage event documentation. Evaluate the financial and non-financial impacts of each damage event, try to introduce a meaningful classification that will allow detailed analysis, note the timing of events, state the actions taken, and update the data over time. The data will be very useful in assessing future risks, in enforcing insurance benefits, in potentially exercising rights under other contracts, in claiming state aid, in analyzing existing risks and measures, and in planning and improving business continuity.

If legal action is possible, identify and secure the evidence as much as possible.

7) HUMAN RESOURCES MANAGEMENT

If an emergency dictates a reduced volume of business, compile a list of full-time, part-time, shift, on-call and off-duty staff. Consider the additional responsibilities, priorities and powers of staff who have roles in the business continuity plans.

It is very important to know and take into account the personal circumstances of the employees when planning. Regardless of the level of motivation and affiliation with the organization, it is expected that employees will put their loved ones, their own safety and their assets first. Work with your staff when planning your business and be aware of their personal needs and potential distress.

Be aware of labour law regarding pay for increased or reduced work and for non-working staff. Personnel reduction should be a last resort, carried out in accordance with the regulations and in cooperation with those affected.

8) SECURITY

If necessary, provide adequate additional security for the place where the business is conducted and for the protection of the stationary location. Take care of both physical and information security.

9) RETURN TO NORMAL BUSINESS

Plan for a return to normal business already during the emergency. Review the primary location and the resources for conducting the business, and evaluate the potential scope of work and the costs of returning to a functional state. Prepare an activity plan for readying your primary location and procedures so that all activities can resume in the usual way. Include primarily non-working staff in crisis plans and procedures.

After the end of the emergency is announced, declare the termination of crisis management and execute the return plan and procedures.

Prepare and initiate claims for insurance reimbursement and any other reimbursements to which you are entitled.

Conduct an analysis of events, responses, harms, consequences, good practices and mistakes. Take corrective action based on this information.

Review the risk management process to determine whether you had previously identified the events that caused the interruption as risks. If so, check that you evaluated them satisfactorily and took the appropriate action. In any case, update the risk register, since you now have a lot of new and concrete information.

If you have a business continuity system, review the performance of each individual component. Find and implement any enhancements. Highlight good performance.

Provide an assessment of the emergency response and performance to all employees. Praise those who have done their duties well. In the case of deficiencies, do not blame individuals, but identify ways to improve the system.

CONCLUSION

To conclude, emergency response is much easier and more effective when we are prepared for it. A business continuity system designed, set up and tested under normal circumstances will certainly make it much easier to deal with a brutal business disruption such as the current epidemic.

The Silver Bullet Risk team has extensive experience in business continuity planning in accordance with the guidelines and requirements of ISO 22301.

Do you have questions about financial and/or operational risk management, loss management or business continuity and you can’t find the right answer on your own? Sign up for an online meeting and find out how we can help you.



Ask yourself: Can you effectively continue your business after a fire, flood, earthquake or loss of your most important customers or suppliers?

In light of the current world-wide spread of the coronavirus, it is possible that in many cases business continuity plans will have to be activated. As we know from media reports, many factories and other organizations close to the source of the outbreak were ordered to close for a significant period of time. We can only hope that those affected had some risk management and business continuity in place, had identified and evaluated some pandemic risks, and had tested plans ready to be activated. We believe the risk of a pandemic will definitely find its way into the risk registers of many organizations.

An accident doesn’t rest, so unforeseen things can happen in business to anyone, anytime, including you. Organizations that have not developed a business continuity plan are at high risk, which is why responding quickly and effectively is the key to survival.

By some statistics, as many as 90% of the businesses that experience such an incident cease operations within the next 2 years due to their inability to recover. This is why having some type of business continuity plan in place is important for every organization, regardless of revenue, size or industry. Such a plan should include a basic organizational structure for your team, as well as the necessary guidance and checklists for your business units.

What is business continuity?
Business continuity is the advance planning and preparation undertaken to ensure that an organization will have the capability to operate its critical business functions during emergency events that would significantly interrupt your business. These events can include natural disasters, malicious code (remember Lekarna Ljubljana?), pandemic, workplace violence, riots, large scale power cuts (caused by sleet) or any event that results in a disruption of your business operation. It is important to remember that you should plan and prepare not only for events that will stop functions completely but for those that also have the potential to adversely impact services or functions.

Why is business continuity important?
Establishing a business continuity system enables you to continue business operations while also providing a sense of security for your clients and customers who depend on the business. Namely, business interruptions due to system failure, natural disasters, etc. can have a significant impact on an organization’s operations, market share as well as undesirable financial and reputational consequences for the organization. Critical business systems account for more than 50% of systems and applications within organizations, making it very important to have a realistic and strong business continuity management system in place.

What does Business Continuity Include?
Business continuity covers the planning and also preparation needed to ensure your organization will be able to perform its critical business functions during emergency events. In times of crisis, your business needs to be able to provide answers to the following questions:

– How and when will you communicate with all stakeholders and keep them informed?
– How will you provide your customers with services or access to the product despite the complications?
– How will you take care of and support your employees?
– What technology is required to support the business functions, and what workaround process will you use if the technology is not available?
– Where and how will you relocate people and processes if this is required?
– Which people, teams or even organizations are needed to carry out the plans and manage emergency events?
– In what scope and in what order will you recover your business processes?
– How are you going to recover the data?
– What are the business process dependencies (what, or who, does each business process rely upon in order to do its work)?
– Which regular exercises validate that plans and actions meet requirements and will work in an actual event?
– How will you ensure staffing levels are adequate during an event for both external and internal needs?
– Where are the steps and actions to take during an event documented, so that the items above can be accomplished?


Benefit from International Standard for Business Continuity: ISO 22301:2019
A great tool to help you understand and prioritize the threats to your business is the international standard ISO 22301:2019. It covers generic requirements to implement, maintain and improve a management system to protect against, reduce the likelihood of the occurrence of, respond to and recover from disruptions when they arise.

Need help with ISO 22301? Send us an email.

The requirements of the standard are generic and applicable to organizations of all sizes and types, or to parts of them. The standard therefore leaves you room to develop an individual approach and methodology, depending on the business and complexity of your organization. For these reasons, ISO 22301 may be used within an organization to measure itself against good practice, and by auditors wishing to report to management.

Important steps in establishing and maintaining an efficient business continuity management system are:

  • Business continuity policy that documents the organization’s intent to systematically ensure the continuity of its operations, providing resources, assigning roles and expressing management support
  • Risk identification and assessment that identifies and evaluates risks that could interrupt business, providing direction for further planning
  • Risk treatment that explores options for mitigating those risks
  • Business impact analysis (BIA) that determines the order and timeframes for business process recovery, and defines critical data and recovery point objectives
  • Business continuity strategy that defines strategic approaches to resuming operations in the event of a disruption at an acceptable level and within acceptable timeframes, based on the findings of risk identification/treatment and the BIA
  • Business continuity plans that define accurate steps, roles and resources for carrying out activities to resume operations in the event of a disruption (process recovery plans, crisis management plans, communication plans, disaster recovery plans, plans for returning to normal operations…)
  • Training and testing to ensure plans are up to date, feasible, reflect strategy requirements, are familiar to personnel with business continuity roles, etc.

The purpose of risk management in the context of business continuity is to:

- Identify and evaluate possible risks that could disrupt business
- Treat risks, where treatment is justified economically or by other criteria, to minimize their probability or impact

Risk identification, assessment, and treatment are an integral part of a systematic risk management process and go hand in hand with business continuity efforts. During regular risk management activities, the risk that could interrupt business should be controlled appropriately.

In some cases, the likelihood of risks materializing and interrupting business can be reduced significantly. A good example is malware risk. There are well-known examples of ransomware causing an unacceptably long interruption. This risk can often be well contained with appropriate measures that prevent malware from entering critical systems, thus eliminating the actual interruption.

And then there are risks that cannot be avoided. A typical example is an earthquake. It is practically impossible to implement measures that would prevent an earthquake. In this case, the only real preparation is a systematic response to the event: having business continuity plans prepared, tested and rehearsed so they can be activated and operations continued within the defined time objectives.

In both cases, effective risk management, supported by appropriate tools such as SBR, is of critical importance.

SBR supports workflows and methodologies that greatly help you to identify, evaluate, assess and rank risks in various risk areas and categories, including business continuity. Evaluation and assessment can be done in many ways, either financially or using other custom criteria defined by you. Measures, which might include business continuity planning, can also be evaluated for efficiency and cost-effectiveness. Risks can be monitored through custom-defined key risk indicators and acted upon if required.

P.S.: To refresh your knowledge about systematic risk management, check a few previous articles:

How to manage risks systematically?

How to identify risks?

How to define “a risk”?

Risk assessment [Part 1]: Setting up the risk measurement framework

Risk assessment [Part 2]: How to assess risks in practice?

***

Contact our team if you need help with risk assessment.

For more information about risk management follow our LinkedIn & Twitter account. You can join the debate in Linkedin group ERM – ENTERPRISE RISK MANAGEMENT.

When we talk about risk management, we are talking about those business processes that support you in making decisions and help you protect your company’s assets reasonably and prudently. In doing so, you are dealing with uncertainty, or in other words, evaluating the effectiveness of your strategies by considering the various factors that may act as inhibitors.

In modern society, where both economic and non-economic activities are based mainly on the flow and processing of information, the provision of information security is consequently becoming one of the critical areas of risk management. Organizations are well aware of its importance, as it is comprehensive and requires that we take into account the impact of the technology itself as well as the social aspect of management.

Think about it! In modern organizations, almost all employees deal with technology most of their time, which is why the threats of unauthorized interventions, intrusions, data theft or loss of intellectual property are practically innumerable and always present. All of them can lead to significant business damage and loss of reputation.

As we have repeatedly pointed out in our blogs, business risks, including information risks, can never be avoided entirely. Indeed, in an increasingly relentless competition, any company must identify and evaluate the risks within its organization, and design effective processes to help manage them.

How to deal with the identification and management of information risks?

The first step, of course, is to answer the question of what risk is. I point out two criteria:

– Existence of uncertainty: Risk exists when an event or the development of a particular situation is uncertain or unexpected.
– Potential adverse effect: Risk exists if the unpredictable event causes damage or an outcome worse than expected.

There are several ways to identify risks, which we have already written about in more detail. The easiest is to ask ourselves what risks might arise in our business area and, using the brainstorming technique, try to compile a list of those that are most important to us.
Another possibility is to scrutinize business processes, identify the resources necessary for the processes to operate and, taking into account the probability of certain threats, determine the effects on the expected added value, and then combine this information to get a list of risks.

To help us identify risks in the field of information security management, we can also use established international standards. Among them are ISO/IEC 27001 for information security management systems and ISO/IEC 27005, which provides guidelines for risk management in the context of an information security management system.

Process approach: eat a large watermelon in small pieces

Risk management is most effective when it becomes part of everyday tasks, that is, when you incorporate it into business processes. The complexity of the process itself usually increases with the size of the organization. Therefore, it makes sense to start with smaller, manageable steps which, through continuous improvement in the Deming circle1, expand our scope over time, go into more and more detail and improve the information already obtained.

The process approach is highly suitable for identifying information risks, as it helps to identify potential risks that threaten processes through the identification of the resources used for information processing, the importance of those resources in operations and activities, and a set of appropriate threats. In the process approach, it is also essential that process owners are involved in the identification of risks, as they usually have the highest-quality information.

INFORMATION
We start by collecting information to determine risks in business processes. As an essential guide, ask yourself how the threats affect the added value which the process should create. In most cases, we can measure added value by financial impact, but this is not necessarily the case. The formal existence and documentation of processes also vary from organization to organization. Thus, we can also use a less precise and less detailed list of methods in risk identification, especially if we are in the initial steps of risk management. For easier control, we can also break processes down into smaller units, i.e. individual activities.

RESOURCES
Processes and their activities need resources to a greater or lesser extent. It follows that any deviation from the expected operation of a resource potentially reduces the efficiency of the process. For this reason, when determining risks, we focus on resources and their impact on the processes.
We can make the identification of resources in an individual process more manageable by asking ourselves about the existence of resources within known categories or groups, for example: do we have resources that represent hardware, software, data, people, infrastructure, and the like? It is also essential to know that the same resource can appear in several processes at the same time, and its impact on the operation of an individual process can vary greatly.

THREATS
In the process of identifying risks, we focus on resources, or more precisely on deviations from the expected operation of resources. The factors that cause these deviations are called threats. Threats are, therefore, individual elements or properties of the environment which can have a detrimental effect on resources and thus on the functioning of the process.
A resource can be affected by one or more threats. The likelihood of a particular risk materializing also depends on how vulnerable the resource in question is. Vulnerability is the set of properties of the resource itself and of the protections already in place for it.

Risk identification

The identification of risks according to the approach described so far can follow the following steps:

1. We determine the processes for which we want to identify risks.
2. We divide the processes into smaller units: activities.
3. We determine all the resources necessary for the activities to operate.
4. For each resource in an individual activity, we identify the threats that make sense in terms of the environment, the area and the impact on the operation of the activity.

From the obtained data, we compile a list of risks, which we will evaluate and classify in the next phases of the risk management process, select unacceptable ones from them and also address the latter. The goal is to bring unacceptable risks to an acceptable level in some way.
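As an added worked example (not code from the original article or from the Silver Bullet Risk platform), here are the four steps above carried out in Python: processes are broken into activities, each activity lists the resources it depends on, and each resource is paired with the threats that make sense for its category. The likelihood rule, the 1 to 5 scales, the acceptance threshold and all sample processes, resources and threats are constructed assumptions for illustration; the output is the raw risk list that the later phases evaluate and classify.

```python
# Added example (not from the original article): building a risk list with the
# process approach. Processes, activities, resources, threats and the scoring
# rule below are all constructed for illustration.
from dataclasses import dataclass
from collections import defaultdict


@dataclass(frozen=True)
class Resource:
    name: str
    category: str       # hardware, software, data, people, infrastructure
    vulnerability: int  # 1 = well protected .. 5 = exposed (assumed scale)


@dataclass(frozen=True)
class Threat:
    name: str
    applies_to: frozenset  # resource categories for which the threat makes sense
    likelihood: int        # 1..5 base likelihood of the threat (assumed scale)


@dataclass
class Activity:
    name: str
    added_value: float  # expected added value of the activity (constructed amount)
    resources: list


@dataclass
class Process:
    name: str
    activities: list


@dataclass(frozen=True)
class Risk:
    process: str
    activity: str
    resource: str
    threat: str
    likelihood: int  # 1..5
    impact: float    # added value at stake if the threat materialises

    @property
    def score(self):
        return self.likelihood * self.impact


def identify_risks(processes, threats):
    """Steps 1-4: for every process > activity > resource, pair the resource
    with each threat that makes sense for its category."""
    risks = []
    for proc in processes:
        for act in proc.activities:
            for res in act.resources:
                for thr in threats:
                    if res.category not in thr.applies_to:
                        continue  # threat makes no sense for this resource type
                    # Assumed rule: likelihood of the risk materialising grows with
                    # the threat's base likelihood and the resource's vulnerability
                    # (rounded-up average, kept on the 1..5 scale).
                    likelihood = (thr.likelihood + res.vulnerability + 1) // 2
                    risks.append(Risk(proc.name, act.name, res.name, thr.name,
                                      likelihood, act.added_value))
    return risks


def rank_risks(risks):
    """Most dangerous first: likelihood times added value at stake."""
    return sorted(risks, key=lambda r: r.score, reverse=True)


def unacceptable(risks, threshold):
    """Risks whose score is at or above the (assumed) acceptance threshold."""
    return [r for r in risks if r.score >= threshold]


def shared_resources(processes):
    """Resources that appear in more than one process, so a single threat
    to them affects several processes at once."""
    seen = defaultdict(set)
    for proc in processes:
        for act in proc.activities:
            for res in act.resources:
                seen[res.name].add(proc.name)
    return {name for name, procs in seen.items() if len(procs) > 1}


# Constructed sample data: one shared data resource, two processes.
CUSTOMER_DB = Resource("Customer DB", "data", vulnerability=2)
THREATS = [
    Threat("Malware infection", frozenset({"software", "hardware"}), likelihood=3),
    Threat("Unauthorised access", frozenset({"data", "software"}), likelihood=3),
    Threat("Power outage", frozenset({"hardware", "infrastructure"}), likelihood=2),
    Threat("Key staff absence", frozenset({"people"}), likelihood=4),
]
PROCESSES = [
    Process("Order fulfilment", [
        Activity("Receive order", 10000, [Resource("Web shop", "software", 3), CUSTOMER_DB]),
        Activity("Ship goods", 8000, [Resource("Warehouse staff", "people", 3), CUSTOMER_DB]),
    ]),
    Process("Invoicing", [
        Activity("Issue invoice", 5000, [Resource("ERP system", "software", 2), CUSTOMER_DB]),
    ]),
]

if __name__ == "__main__":
    for r in rank_risks(identify_risks(PROCESSES, THREATS)):
        print(f"{r.score:>8.0f}  {r.process} / {r.activity} / {r.resource}: {r.threat}")
    print("shared resources:", shared_resources(PROCESSES))
```

Running the file prints the ranked list. shared_resources shows which resources appear in several processes (the article's point that one resource can affect more than one process), and unacceptable is the selection step that feeds the treatment phase; the "Power outage" threat produces no risk because no sampled resource is hardware or infrastructure, which is exactly the category filter of step 4.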

Key findings

We can summarize the following:

1. Risk identification can be approached in several ways, one of which is to ask ourselves the question: what risks can we identify based on our experience and knowledge?
2. Risk identification can also be undertaken by systematically analyzing our business processes and, on the basis of known threats, identifying risks on the basic building blocks of the business.
3. The process of risk identification, and risk management as a whole, is carried out to the extent we can manage; by repeating it, we expand the scope and improve the results.
4. We should make use of good practices and existing knowledge, which is largely available in the field of information risk management; it also pays to rely on established international standards.

________

1 Deming's circle is an iterative method of continuous improvement in four steps: 1. Plan, 2. Execute, 3. Check, 4. Take action; with each repetition, we improve the results and come closer to the set goal.

***


Twenty years ago not much was being said or thought about privacy, besides by a few who really understood the potential of the new medium called the internet. We were eager to give our email address and all other info, just to get access to new insights, or to join online spaces where we found similar minds. We never thought we would become the product of a massive data-gathering industry that sells it to the highest bidder.

Today, the world talks a lot about privacy. In fact, it is one of the most talked-about issues. And with all the industry and social issues that follow from the lack and abuse of privacy, we started to dig deeper into what it meant to give our personal information away. Legislators moved, too. GDPR came into the light.


On 25 May 2018, the EU General Data Protection Regulation (GDPR) came into effect. To comply with the new regulation, companies had to review their handling of customer and user data.

Managing your employees' data is also a part of the GDPR requirements. And to comply with the new, stricter rules, there are some things to consider. Those who best understand compliance with the new regulation are the risk managers: the ones who are risk-aware and can analyze your company's risk potential, threats and also opportunities.
Risk management is responsible for recognizing the processes that can present threats to the company and for addressing them; otherwise there can be financial, operational or other consequences.

Through GDPR requirements, we identified a sample of personal data risks you should take into consideration.

1. When it comes to personal data in your organization, it is not only the names and emails of your employees. There is a full plate of information about your employees, from birthdays to social security numbers, from addresses to financial information and more. Risk management is responsible for identifying and recognizing all personal data in the organization. With the increasingly higher volume of personal data and more delicate information, this responsibility to recognize and protect sensitive personal data only increases.

2. Access to personal data is not something that can be available to every employee. Recognizing who can access it must be a high priority in protecting your employees' privacy. Moreover, to process personal data, one does not need access to users' private information, but only to a limited set of data, without disclosing the identity of the data owner. Risk management recognizes the need to organize this kind of access to personal data.

3. Imagine having heaps of data and information in your company, and all this data is in one file: unsorted, scattered even, hard to make sense of. Again, it is up to risk management to identify the threat of non-consolidated data and to put forward its best effort to keep internal records in order.

4. Having access to data does not mean you are able to handle it, work with it, make sense of it or give the process an added value. That is why risk management recognizes that educating those who access data on the right ways of working with it is one of the threats that can be mitigated. Sufficient and correct training of personnel with data processing tasks is again the responsibility of risk management, which must steer this process in the right direction and avoid mishandling of data.
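To make items 1 and 2 concrete, here is an added example in Python (not code from the original post or from the Silver Bullet Risk platform): a small inventory that classifies the fields of an employee record as personal data, and a role-based view that hands a processing role only the fields it needs, keyed by a stable pseudonym instead of the employee's identity. The field categories, the role permissions, the secret and the sample record are constructed assumptions.

```python
# Added example (not from the original post): a personal-data inventory and a
# minimised, pseudonymous view for processing roles. Field categories, role
# permissions, the secret and the sample record are constructed.
import hmac
import hashlib

# Which fields of an employee record are personal data, and how sensitive.
# Assumed categories; a real inventory is drawn up from the organisation's
# own records (item 1 above).
PERSONAL_DATA_FIELDS = {
    "employee_id": "identifying",
    "name": "identifying",
    "email": "identifying",
    "birthday": "personal",
    "address": "personal",
    "ssn": "sensitive",
    "bank_account": "sensitive",
}

# Fields each processing role may see (item 2: a limited set, no identity).
# Only an administrative role sees identifying fields at all.
ROLE_FIELDS = {
    "payroll": {"bank_account", "salary_grade"},
    "benefits": {"birthday", "salary_grade"},
    "hr_admin": {"name", "email", "birthday", "address", "ssn",
                 "bank_account", "salary_grade"},
}


def inventory(record):
    """Classify every field of a record: personal data of which kind, or not."""
    return {f: PERSONAL_DATA_FIELDS.get(f, "not personal") for f in record}


def pseudonym(employee_id, secret):
    """Stable pseudonym: the same employee always maps to the same token, so
    records can still be joined, but the token cannot be turned back into
    the id without the secret (HMAC-SHA256, truncated for readability)."""
    return hmac.new(secret, str(employee_id).encode(), hashlib.sha256).hexdigest()[:16]


def view_for_role(record, role, secret):
    """Return only the fields the role is allowed to see, keyed by pseudonym
    instead of the employee's identity. Unknown roles get no fields."""
    allowed = ROLE_FIELDS.get(role, set())
    out = {"subject": pseudonym(record["employee_id"], secret)}
    out.update({f: v for f, v in record.items() if f in allowed})
    return out


def identifying_fields_exposed(view):
    """Control check: list any identifying fields present in a view."""
    return [f for f in view if PERSONAL_DATA_FIELDS.get(f) == "identifying"]


SECRET = b"constructed-example-key"  # in practice this comes from a secrets store
EMPLOYEES = [  # constructed sample record
    {"employee_id": 1001, "name": "A. Novak", "email": "a.novak@example.com",
     "birthday": "1985-04-12", "address": "Example St 1", "ssn": "000-00-0001",
     "bank_account": "SI56 0000 0000 0000 001", "salary_grade": "G3"},
]

if __name__ == "__main__":
    print("inventory:", inventory(EMPLOYEES[0]))
    for role in ("payroll", "benefits", "hr_admin", "intern"):
        view = view_for_role(EMPLOYEES[0], role, SECRET)
        print(role, view, "exposes:", identifying_fields_exposed(view))
```

The payroll and benefits views carry no name, email or employee id, only a pseudonym and the two fields each role needs, so a leak or misuse of such a view does not by itself reveal whose data it is; identifying_fields_exposed is the kind of check a risk manager can run over every role definition to confirm that only roles that must know the identity actually receive it.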


***


Silver Bullet Risk team had the opportunity to be an exhibitor at CEBIT and with our partners anykey we presented our Silver Bullet Risk platform to many interested clients and companies who were looking for an optimal approach to risk management in their organization.

The Silver Bullet Risk platform also received a significant upgrade in recent months, updating some development processes and starting a blockchain implementation. As risk management experts and consultants we strive to bring the best technological advancements to the business environment, and as such, blockchain is the next logical step in the evolution of the Silver Bullet Risk platform.

We are pleased by the fact that the industry is going in the direction we are already on. We are glad there is a lot of interest in the area we are developing in: risk management and, of course, blockchain.

What’s next for us?

We are well on our way to developing new options in the Silver Bullet Risk platform based on blockchain technology, and to covering the latest trends such as GDPR.

Looks like next year’s CEBIT will be even more interesting, heading in the direction of smart everything: smart transport, smart cars, drones, helicopters, smart delivery and much more.


Whether you are just visiting or you are a part of the CEBIT story, a week spent at a festival like that is a great opportunity for meeting new people and getting a first glimpse of the latest tech breakthroughs. The CEBIT festival is truly a front-row seat for looking into the future of tech and business.

See you next year!


***
