29 November 2021
Much has been spoken and written about coronavirus since the start of 2020, and as a result primary risk focus has been on crisis management and business continuity planning.
This article explores other contingency type risks that may sit outside of the traditional business continuity threat analysis and examine how you and your organisation can manage these types of risks more effectively.
The potential to overlook some of your risks
Crudely, if you split your risk scoring matrix into four quadrants you will have four types of risk, depending upon where it is positioned.
The high impact / high likelihood risks, the ‘primary risks’. These risks usually occupy the majority of a management team and Board’s risk agenda, as they require immediate action to address - and can sometimes require an element of ‘firefighting’ due to the risk’s proximity to the ‘here and now’.
This focus on primary risks mean that other high impact / lower likelihood risks can be overlooked.
How can these high impact / lower likelihood risks be better managed?
Over the years these types of risk have often fallen off the radar because they are seen as so unlikely to occur, or complacency sets in in terms of how effective the control environment is, that they don’t get the airtime that the primary risks do. We have all heard at some point, the phrases 'that will never happen to us' and 'we’ve got that under control'.
This leads organisations into making assumptions about how effective the controls are that are mitigating the risk and less effort is made in truly understanding the risk itself. Should this happen, and the risk then moves towards fruition, the likelihood increases, and the result is that the risk sits squarely in the primary box.
This could be for a number of reasons, either that controls have failed or something outside of the organisations’ control has occurred and impacted the risk, meaning that management and Board’s time again is focussed on responding to an additional primary risk.
Challenge 1: The tip of the iceberg, can you see what is under the water?
Having a broad and frequent Board risk reporting cycle is fundamental as it provides a wider and rounder picture of the organisation’s risk profile and provides insight into those risks that could be on the horizon or where the organisation might be required to react. Having these risks visible at Board level helps to inform decision making and the triangulation of information. Having key risk indicators in place for contingency risks will also have a role to play as that can help identify the trajectory of the risk and again, provide deeper insight.
It is common for risks that are high impact / low likelihood to sit within departmental / directorate risk registers, and therefore the Board may be unsighted on these risks should there not be a periodic deep dive into certain areas within the organisation. Bringing these risks to the fore and understanding how they impact upon other, perhaps more primary / red risks, will aid this discussion at Board level.
Challenge 2: What are you going to do if it does happen?
Not many organisations out there thought that a pandemic of coronavirus' scale was that high on the list of events that might occur in 2020, yet with a crisis management plan and a business continuity plan most organisations have been able to ‘muddle’ through the last year. Most business continuity plans would have be written to accommodate fire, flood, loss of IT etc, and been heavily reliant on remote working as a recovery strategy. Now it isn’t suggested that a full business continuity plan is drawn up for every high impact / low likelihood risk on the risk register, as this would make them too lengthy and unwieldly. However, being able to understand what action would need to happen and what the impacts would be is a strong starting point and will provide management with more confidence that the risk is understood and the organisation’s ability to respond effectively and appropriately is in place.
Challenge 3: When do you want to know about this risk?
Setting an organisational risk appetite can be a challenging process but once in place and understood it will enhance the organisation’s approach to risk management not just contingency risks. However, in the case of contingency risks if appetite levels are set and risks are appropriately prioritised it will assist in deciphering whether or not further action is required to mitigate the risk. A contingency plan is required or whether the organisation is willing to live with the risk in its current state. In turn this will help decision making at all levels of the organisation.
Challenge 4: These controls work, but who says?
As organisations have become more complex, and the landscape riskier or more opportunistic, depending upon your outlook, there is a requirement to ensure that resources are focussed effectively. Knowing where to deploy time and cash can be challenging in all organisations but sight must not be lost on the contingency risks, a robust assurance map providing insight into the effectiveness of the controls managing those risks is key. There are a multitude of assurance sources available within organisations, as well as external sources, identifying and capturing these may seem a lengthy task however the benefits will be seen and hopefully provide comfort to management teams and boards for many contingency risks.
Linking this assurance mapping to the organisation’s risk appetite will assist as it will help to provide direction on whether further actions are required to strengthen any underperforming controls or whether the Board are satisfied that enough has been done.
Challenge 5: Have you got one eye on the horizon, and the other on existing risk?
We will all be familiar with risk reviews and risk identification workshops, however tying the two aspects together can get overlooked as they are often done in isolation. Over time it is sometimes the case that risks are not ‘new’ but they are morphed versions of previously identified risks. Recognising this can save valuable time, particularly from a contingency risk perspective as the control environment will be similar but being specific on the causes and articulating the risk is a crucial part of telling the story. Those who aren’t the risk owner are expectedly not as close or familiar with the risk so therefore need a fuller understanding if they are to use it to make risk-based decisions.
When did your organisation last consider the way in which it manages contingency risks?
For more information about better management of risk, discover Insight4GRC - our cloud-based governance, risk management and compliance suite.
For more information, please contact Adam Lickorish.