Is your audit and risk committee concerned?
There’s no doubt that the board audit and risk committee has a substantial responsibility, tasked with advising the board on issues of risk, control, governance and associated insurance. Usually responsible for external reporting, internal controls and risk management, and internal and external audit, the committee keeps the board informed of the implementation of strategic risk and continuity management programs that protect the business’s shareholders, operations, brand and reputation.
Perhaps you have been asked to investigate the status of your business continuity management program, to undertake a specific risk-review (such as financial or IT risks), or even to implement a BCM program from scratch.
The fundamental question you must ask at the outset is: ‘What are the risk factors relevant to our organisation, what is their likelihood, and therefore what is their possible impact/materiality?’
By starting with a risk-based approach, you will ensure that your Crisis Management, Business Continuity, Emergency Management and IT Disaster Recovery Plans are based on fact, not fiction, allowing practical and cost-effective solutions to be put in place.
Far too often we see organisations developing risk mitigation and continuity plans based on a perceived need or expectation, generally leading to expensive, over-engineered solutions that are out of line with shareholder requirements and the business’s operational risks.
Adopting a risk management standard such as AS4360 is a good way to ensure that a consistent approach is taken to the assessment and presentation of risks and corresponding mitigation strategies and plans.