Risk determination with risk typology

Author: Manu Steens

Determining the risks is one of the important steps in risk management; its intermediate result is a risk register with accompanying action plans.

In this respect, according to the principle of subsidiarity, the lowest-ranking person who can sensibly determine the risks is the right person to list them. This applies to risks at all levels of the organization.

The first step therefore consists of determining the target group of the brainstorming session for the risks. For operational risks these can be process or project managers, but also newcomers who do not yet have much vision on risks: they constantly come into contact with unforeseen issues, and cooperating in the risk analysis raises their awareness and alertness. For tactical and strategic risks these can be board members. The target group for reporting the risks must also be determined. For normal risks these can be the managers; large risks and strategic risks must be reported to the top management / management board.

Once the target groups for determining and reporting the risks have been determined, the risks themselves must be assessed. This can be done with a risk typology, of which there are several possibilities. These always depend on the organization itself, which must therefore be well known by those who choose or design the appropriate risk typology. Below we present a number of examples of risk typologies (not exhaustive).

A first possible division is as follows:

  • Financial risks
  • Legal requirements
  • Legal compliance
  • Reputation
  • Specific to the industry
  • Data integrity and reliability
  • Confidentiality of the data
  • Security of your own data
  • Disaster recovery and continuity planning
  • Operational risks

A second possible division is as follows:

  • External risks
    • Nature
    • Politics / law and regulations
    • Social / societal
    • Economy / market, fairs, …
  • Internal risks
    • Strategy
    • Legal / financial consequences of the legal form
    • Continuity
    • Quality
    • Fraud / Compliance …
    • Material risks (loss or damage)
    • Safety of people / resources
    • Financial risks
    • Critical knowledge
    • Capacity …

A third possible division is as follows:

  • Operational risks:
    (Willem De Ridder, ‘Risicobeheersing met toegevoegde waarde’): “The risk of loss as a result of inadequate or failing processes, people and systems, or as a result of external events.”
  • Strategic risks:
    (Lizanne Vroom, ‘Risicomanagement vanuit het Dynamisch Business Model’): “The danger of (capital) loss and / or the survival of the organization as a result of changes in the organization’s environment, the lack of response or an incorrect response. Changes in the environment of the organization, adverse business decisions or incorrect implementation of the chosen strategy.”

A useful way to work with this risk typology is to brainstorm with a SWOT method. Note that making this SWOT does distinguish between internal matters (strengths and weaknesses) and external issues (opportunities and threats), but is not yet a risk analysis in itself. It can be used to formulate the risk statements on the basis of each item in the risk typology, in relation to the operational projects, processes, objectives or strategic objectives. In fact, this is the risk identification. The risk typology used can also depend on this. In addition, the SWOT method with its confrontation matrix is suitable for formulating measures.

A brainstorming session is best with a group of about 4 people and a coach. The latter must always challenge the group to formulate the risk statements properly, and also, according to the principle of a Bow-Tie, to formulate the causes and consequences, causes of causes and consequences of consequences, etc. The 5x ‘why’ and 5x ‘what then’ question method applies here. In this way the participants in the brainstorm eventually formulate the risk statements in the form ‘The organization / the process / project … has problem / opportunity … with cause(s) … and effect(s) …’.

One can choose to split the causes and consequences with the problem over several risk statements, or to group the causes and group the consequences. These are then challenged with preventive and reactive measures respectively. The Bow-Tie method is then very suitable to indicate whether all the stated causes and consequences are being addressed with measures.

Self-assessment BCM – tools

If you want to know how far you stand with the implementation of your BCM operation, you must carry out a (self-) assessment.

There are specialists for hire to do an audit and write an expensive report. But often you do not have the money in times of crisis. Then you have to do it yourself. You need a tool for that. Here you will find a Dutch simple Excel tool (and an English translation) that you can still adapt to your own needs.


The 4 commandments of risk management, the values of an organization and Information Security

Author: Manu Steens and Joris Bouve with thanks to Hilde Van Nijen

The main purpose of information security is the risk awareness of the employees. After all, man is the weakest link. Risk awareness goes both ways. On the one hand this concerns awareness of the business with regard to information security: where does it hurt, what can be done technically and what do you have to do yourself? On the other hand, it is also about the awareness of ICT people: what do they need to know about what the business finds important and what it does not. Doing more is often irresponsible and gives rise to spending money inappropriately.

What & why?

The purpose of information security is to ensure the reliability of information systems. This reliability is viewed from the following three perspectives:

  • Confidentiality: ensuring that information is only accessible to those who are authorized to do so.
  • Integrity: ensuring the correctness and completeness of the information.
  • Availability: ensuring that authorized users have access to the information / information systems at the right time.

This is of course only possible by taking, maintaining and monitoring a coherent package of measures. It generally concerns information that is stored in information systems, but can also be written on paper.

The information security policy of the organization is aimed at ensuring, on the basis of risk management, that the information of the organization is correct and complete and accessible in time for the authorized persons.

How?

To ensure information security adequately, measures must be developed to ensure confidentiality (C), integrity (I) and availability (A).
It is not easy to lay down generally applicable criteria for this, because these can differ from department to department within an organization, even between teams within a department the needs can be different.

These measures must also respond to the following areas:

  • People and Resources
  • Collaboration (at process level and overarching)
  • Systems
  • Content

As an aid instrument we have worked out the matrix below. In this matrix, the four domains are approached from the three perspectives. We have prepared a number of guidelines for each combination. For these questions we have drawn inspiration from the “four commandments of risk management” (see below). Every employee can get to work with these questions. But these questions are also extremely suitable for gaining a clearer view of information security (both from the point of view of the “business” and from the point of view of IT).

The matrix, by perspective and domain:

Confidentiality (C):

  • People and resources: What do you share with whom? Which access do you need? Does anyone know the security manager? What is the intention of the management with its information security policy?
  • Collaboration (at process level and overarching): Does the confidential information remain within confidential circles? Are these circles known to everyone?
  • Systems: What is required to be admitted to the systems? Is a background check necessary for this? Who coordinates this?
  • Content: Which security-related laws must your organization meet (privacy, ISO standards, BCM, …)?

Integrity (I):

  • People and resources: Does everyone have good intentions? Is a background investigation necessary for this?
  • Collaboration (at process level and overarching): Are the processes drawn up and checked for bugs and errors? Was the flow of the process tested?
  • Systems: Are the systems regularly maintained and tested? Is that needed?
  • Content: How important is the correctness of the content? Do you use deliberate error introduction for the sake of confidentiality?

Availability (A):

  • People and resources: What people and things do you need to be able to do your work safely? What about a system failure? People? Buildings? Facilities? Suppliers?
  • Collaboration (at process level and overarching): Has a risk analysis been made for information security?
  • Systems: Who has physical access to which systems? Who has logical access to which systems? When? Is there an SLA with the supplier?
  • Content: When do you need the information? Does this depend on the time of year?

Answers to these questions are some of the criteria that information security must meet within the organization.

The four commandments of risk management and four values: openness, decisiveness, trust and agility

Risk-aware behavior can be reduced to the following four commandments:

  • Do not harm yourself unless you get better;
  • Do not harm anyone unless he / she gets better;
  • Do not break anything unless you can make something better with the parts;
  • Grab your chances, unless this is contrary to rules 1, 2 or 3.

These four commandments are

  • simple
  • easy to remember
  • clearly applicable

Moreover, these commands are relatively easy to link to the values of an organization. By way of illustration, we give here how they fit within the values of openness, decisiveness, trust and agility.

Openness:

Rule 2, do not harm anyone, applies here. For example, openness of management is only valid as long as someone is involved. The privacy legislation also supports this principle: a person can appeal against the processing of his data. In addition, according to the privacy legislation, one is mainly allowed to publish statistics, not to expose the heart and soul of an individual against his/her will. So there may be transparency, but to the right extent: the extent to which you do not hurt anyone.

Decisiveness:

Rule 3, do not break anything, and rule 4, grab your chances. Decisiveness within the organization is meant to be creative. In order to serve clients better, however, it may be necessary to be decisive, break down existing structures and build better ones. For this, one must know one's way around the organization in order to act effectively. And if you know the goals and the way to them, it is important to seize the opportunities.

Trust:

Rule 2, do not harm anyone, and rule 1, do not harm yourself. For an organization, it is of utmost importance that everyone trusts it. This applies to both the clients and the employees. You must have sufficient self-confidence that you are heading in the right direction with what you do for the market. If people hurt each other senselessly, this trust will soon be violated.

Agility:

This means that exceptions can always be part of rules 1 through 4.

But it also means rule 4: grab your chances. Drifting away from the chosen road can yield a number of benefits that you would otherwise have missed. Looking carefully at opportunities and tackling them is also the message!

A Risk identification method

Author: Manu Steens

This method is in line with the COSO-ERM approach when it comes to setting the objectives of the company and identifying both static and dynamic risks throughout the entity.

The structure is a matrix shaped by, on the one hand, the objectives (strategic and operational objectives) and, on the other hand, the possible internal and external factors (the quick scan).

This matrix approach promotes the completeness of the risk identification and provides a structure for the organization of the risks.

More specifically, this ‘risk matrix’ looks like the one shown below. Its columns are:

  • nr
  • Aspects
  • Quick Scan findings
  • Risks: mention the incidents, their probability, cause and consequence, with one column per objective: the strategic goals (SG1, SG2) and the operational goals under each of them (OG1-1, OG1-2, OG2-1, OG2-2)

Its rows are the aspects:

  1. Process management
  2. Stakeholder management
  3. Monitoring
  4. Organization structure
  5. Human Resources Management
  6. Organization culture
  7. Information and communication
  8. Financial management
  9. Facility management
  10. Information and communication technology
  11. External factors

By filling in this matrix, the CRO answers three essential questions:

  1. Which objectives of the entity are subject to research?
  2. Which parts / aspects of the organization are the subject of research?
  3. In which risks is further insight required?

In a first step, the potential risks to which the entity is exposed are examined on the basis of a quick scan.

As a second step, the CRO will have to systematically check with the business which of the risk problem fields identified in the quick scan occur in the company and which require further investigation. For this he must question the internal and external experts and the management team in question.

The development of a quick scan can usually be done by conducting a survey among the experts about what they generally view as realistic risks in relation to the aspects of the guideline. This can be supplemented with desk research using annual reports, audit reports, risk inventories of occupational safety, fire prevention plans, continuity plans, incident registrations and damage history, including the registration of near misses.

Afterwards the matrix is “weighted” with regard to the quick scan in step 2, whereby it must be clearly chosen which risks bear on which strategic and operational objectives. In periodic interviews with the management team, the company then asks which risks they see, how these risks affect the organization and what is done to control them. An inventory of existing control measures can already be included in the quick scan.

BCM – How to determine the criticality of a process in a BIA?

Authors: Joris Bouve and Manu Steens

In BCM there is a lot of talk about time-critical processes (TCP), essential processes (EP) and necessary processes (NP).

Typically one uses as definition:

  • TCP: those processes that have to be restarted within two working days;
  • EP: those processes that do not have to restart within two days, but within two weeks;
  • NP: those processes that do not have to restart within two weeks, but within two months.

How critical a process is can also be approached in a different way: if the impact of a too long outage (e.g. > 2 days) of the process becomes too much to handle, then you have to restart the process quickly (e.g. in < 2 days).

The question here is: how do you determine the criticality of a process?

Proceed as follows (see table below):

  • List the processes in the [process] column;
  • Determine the impact on your service if the process threatens to fail, in the following columns:
  1. If the impact is of such a nature that the service is seriously compromised in the event of an outage that would last more than 2 days, or if there is a legal provision that requires a restart within a period of 2 days, you describe that impact in the column [impact when outage > 2 days]. You can also state here what measures you will take to minimize the effect, or how you can still guarantee the intended service. It is then a time-critical process. In the [process criticality] column, enter TCP.
  2. If the impact is of such a nature that the service is seriously compromised in the event of an outage that would last more than 2 weeks, or if there is a legal provision that requires a restart within a period of 2 weeks, you describe that impact in the column [impact when outage > 2 weeks]. It is then an essential process. In the [process criticality] column, enter EP.
  3. If the impact is such that the service is seriously compromised in the event of an outage that would last more than 2 months, or if there is a legal provision that requires a restart within a period of 2 weeks, you describe that impact in the column [impact when outage > 2 months]. It is then a necessary process. In the [process criticality] column, enter NP.

In the column [dependencies] you enter which expertise, logistic means, IT resources, … you need.
As described under the second bullet, you enter in the column [process criticality] to which category the process belongs: time-critical, essential, or necessary.

Process | Impact when outage > 2 days | Impact when outage > 2 weeks | Impact when outage > 2 months | Dependencies | Process criticality
[name process] | [Description] | [Description] | [Description] | [Dependencies] | TCP/EP/NP


Two examples:

  • The crisis management process. If this starts only after an hour, serious reputational damage can already be caused by, for example, incorrect communication in the media. It must therefore certainly be started within two days. The 2 columns next to it need not be filled in anymore. Under dependencies you put, for example, the required expertise, the meeting room, laptops, smartphones, communication tools, etc. In the last column you place the decision on the chosen type of process, in this case TCP.
  • Process X must be able to start up within 5 days in August, because otherwise a rule from the legislation can be violated, with corresponding fines and reputational damage. You describe this in the column [impact when outage > 2 weeks] and you choose the type of process EP. Under dependencies you can, for example, write communication with the bank, the name of an administrative employee and the right software program.


This choice of type of process (TCP, EP or NP) can then be adopted one by one in the Business Impact Analysis. The dependencies can also be taken over.
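As an added illustration (example code, not from the original article or its authors), the script below derives the TCP/EP/NP classification from a filled-in row of the table above and applies the completeness checks of the procedure to the two example rows. The conversion of two weeks and two months to 14 and 60 days, and the sample dependencies, are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Outage thresholds of the BIA table, in days. The article gives 2 days, 2 weeks
# and 2 months; converting these to 14 and 60 days is an assumption of this example.
THRESHOLDS = [(2, "TCP"), (14, "EP"), (60, "NP")]


@dataclass
class ProcessRow:
    """One row of the BIA table: one impact column per outage threshold."""
    name: str
    impacts: List[str] = field(default_factory=lambda: ["", "", ""])
    legal_restart_days: Optional[int] = None  # legal provision, if any
    dependencies: List[str] = field(default_factory=list)


def criticality(row: ProcessRow) -> Optional[str]:
    """TCP, EP or NP: the first threshold whose impact column is filled in,
    or within which a legal restart deadline falls; None if neither applies."""
    for (limit, category), impact in zip(THRESHOLDS, row.impacts):
        legal_hit = row.legal_restart_days is not None and row.legal_restart_days <= limit
        if impact.strip() or legal_hit:
            return category
    return None


def check_row(row: ProcessRow) -> List[str]:
    """Completeness checks a BIA coach would apply to a filled-in row."""
    warnings = []
    filled = [i for i, text in enumerate(row.impacts) if text.strip()]
    if len(filled) > 1:  # columns after the first filled one need not be filled in
        warnings.append(f"{row.name}: only the {THRESHOLDS[filled[0]][1]} column is needed")
    if criticality(row) and not row.dependencies:
        warnings.append(f"{row.name}: dependencies column is empty")
    return warnings


def bia_table(rows: List[ProcessRow]) -> List[dict]:
    """Rows ready to be taken over into the Business Impact Analysis."""
    return [{"process": r.name, "criticality": criticality(r),
             "dependencies": list(r.dependencies)} for r in rows]


# Constructed sample rows, following the two examples in the article.
CRISIS = ProcessRow("Crisis management",
                    impacts=["serious reputational damage through incorrect media communication", "", ""],
                    dependencies=["crisis expertise", "meeting room", "laptops", "smartphones"])
PROCESS_X = ProcessRow("Process X", legal_restart_days=5,
                       impacts=["", "fines and reputational damage (August deadline)", ""],
                       dependencies=["communication with the bank", "administrative employee", "software"])

if __name__ == "__main__":
    print(bia_table([CRISIS, PROCESS_X]))
    print(check_row(ProcessRow("Payroll", impacts=["x", "y", ""])))
```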