There are those who are “insurance people” and those who are “not insurance people”. As a first-born, type-A, former Girl Scout, lawyer, and a financial services compliance officer (for most of my career), I am the epitome of insurance people. All of the things that are legally required to be insured are, of course, insured. I have the required policies for house and car, as well as the Cadillac of policies available to me for life, health, death, disability, etc. However, I extend this insurance bent to my dog, my two cats, my phone, my toaster oven…you get the picture. I haven’t met an extended warranty that I haven’t been sorely tempted by.
What I have come to realize, however, is that while insurance is certainly an important part of a mitigation plan should the worst happen, it cannot be the entirety of the plan. In addition to the puppy’s health insurance plan, I make sure that I feed her the healthiest food, take her on long walks, as well as keep up to date with flea and tick medicine, and schedule preventative vet appointments. A holistic, multi-faceted approach to pet ownership is key as is a holistic multi-faceted approach to disaster planning. It is a crucial mindset to mitigating your risks overall and to eventually getting you back on the right track. The very first step on your business continuity planning journey is more of a pre-step, this is a thorough self-assessment. Before you can plan to mitigate your risks, you need to know what they are.
Begin at the Beginning: Knowing Your Risks and the COSO Framework
The Committee of Sponsoring Organizations of the Treadway Commission (COSO), the organization that brought us the often-cited “Lines of Defense” theory of risk management, published a research paper several years ago entitled “Risk Management in Practice”.
The research sets out a risk management workflow. The first step sounds deceptively simple, it is, “identify risks”. COSO suggests that risk identification process should precede the actual risk assessment. The goal is to develop a comprehensive universe of all potential risks. COSO suggests that the net is cast wide at this point in the exercise; risk evaluation, prioritization and mitigation all come later. It should also be pointed out that the COSO framework pre-supposes an enterprise-wide approach to risk identification and management. Your risk assessment can certainly be scaled down to your specific and individual team, department, business unit, division, or affiliate. A complete assessment of the risks of your organization at large includes all of these areas on an enterprise-wide basis. This sounds (and actually is) rather daunting.
see Above Step One: What are your Risks?
Getting your metaphorical arms around your organization’s risks is indeed a big undertaking. However, there are resources to be had from a variety of sources both inside and outside of your organization. If you are embarking upon a brand-new exercise in risk identification, you can consider consulting your industry’s best practice. Who are your peers? Are there industry groups that you can join? If you are in a highly regulated industry, what information does your regulator provide?
Additionally, vendors (software solutions, advisory firms, and law firms) may provide an out-of-the-box list of potential risks. While you wouldn’t want to rely too heavily on some other organization’s assessment of their risks, they can provide a great start. Available templates, checklists, and best practices can provide a springboard for your own evaluation.
In addition to consulting with those outside of the organization, do not forget to focus on those inside the organization. Perhaps more illustrative of your particular risks is the consulting that you will do inside of your organization with stakeholders who are actually doing the day-to-day work and have a finely tuned sense of where the organization’s risk lives.
The Benefits of Self-Assessment
The financial services industry (all verticals included) has in many ways been the canary in the coal mine for risk and compliance best practices. They have been very highly regulated by myriad regulatory agencies for a very long time. In the absence of a specific regulatory authority or a best practices template, an organization might look to financial services for guidance.
A strategy used in banking is the Risk and Control Self-Assessment (RCSA). Risk and Control Self Assessment | American Bankers Association (aba.com) The American Bankers Association even offers training on the RCSA. RCSAs were developed to establish business environment and internal control factors under the Basel Accord for operational risk modeling. RCSA suggests that a firm start with defining the hierarchy, make a list of the top-level risks for the organization.
Knowledge (of your risk) Is Power
Checklists, templates, and best practices from peers are a starting but not an ending point. Only through thorough self-assessment of your unique organization can you have a good sense of your universe of risks, allowing you to make more strategic and well-grounded choices for managing and mitigating those risks. This is true in your personal life as well as your corporate life. Perhaps the extended warranty for the $50 toaster oven doesn’t make economic sense, but your higher-cost investments (in my case the furry ones) might make sense to insure. Knowing your risk is the only way to manage it.