The FIRM Scorecard

Risk Management

Within the field of Risk Management, there are various ways of identifying risks. Depending on how you wish to identify these risks, there are several risk classification systems to choose from. One of these is the FIRM scorecard, which in some respects serves the same purpose as the Business Impact Model. Both aim at identifying risks, but FIRM also takes notice of risks outside of the organization. Additionally, the FIRM scorecard puts more focus on the causality between the organization's planning/business model, its stakeholders and the organization's position in the market.

Let us dive into the core of the model and see how it helps us assess certain risks. For a better understanding of the model, this figure is a good starting point for illustrating the many factors that come into play:

To better comprehend the figure, let us look at it starting from the top. First of all, we have the mission objective. The mission objective of an organization is its designated mission, a mission that is influenced by a line of factors, such as:

  1. Significant risks: Which risks have meaning for us and are relevant?
  2. Key dependencies: Functions within and outside of the organization that can cause a disruption to our operations. This is where the organization's robustness (capacity to absorb) and resilience (restoring activities) come into play.
  3. Core processes: The primary activities that help the organization realize its goals.
  4. Planning: Planning conducted on a strategic level, and the choice of business model.

To understand what is meant by planning on a ‘strategic’ level, we need to differentiate between the strategic, tactical and operational levels.

On the strategic level we have the board of the company, those who decide the company’s policies and set the long-term strategy for the organization. On this level, planning is usually based on what will happen over the next 12-18 months. This is just a ballpark figure, as some projects may take years before they become operative.

Next, we have the tactical level, which consists of middle-upper management. Management on this level will usually be the mediator between the strategic personnel and the operatives. This is also why they are the ‘first line of defense’, since they are the ones on-site with enough authority and day-to-day presence. Planning on the tactical level will usually be based on a time period between 6-12 months.

The operational level is where all of the practical activities take place. This is where we have our customer care, cleaning personnel, security, and so forth. They are the ones making sure that our operations run as they should, and planning on this level usually revolves around a 1-2 week horizon.

Lastly, we have the compliance level, which sits a little outside the hierarchy. An organization’s compliance revolves around all of the legal criteria the organization must meet. This includes everything from the organization’s responsibility for the staff’s safety, environmental laws, anti-corruption, etc. It will usually be lawyers who make clear to the board which activities are or aren’t legal, and who later have HR implement relevant activities that ensure compliance across the organization. Complying with the law is an absolute must, for if caught, the organization will lose its ‘license to operate’ and therefore cease operations.

By using the terms above, we can get better insight into how these affect the FIRM scorecard. The letters of the acronym cover the following:

Financial: Risks that can impact the way in which money is managed and whether profitability is achieved. In order to reduce risks within this department, a risk manager can take certain actions to reduce fraud, such as: reducing the motive for fraud, minimizing the opportunity to steal, improving detection of fraud and record keeping, and increasing the level of supervision.

Infrastructure: Risks within the infrastructure are elements that can affect and/or cause disruption within our core processes and efficiency. For this department of the organization, a Business Impact Analysis (BIA) would be an optimal tool. Depending on the nature of the organization, the hazardous risks can vary but will usually include things such as: electrical and fire safety, dangerous machinery, radiation and so forth.

Reputation: How do the public, stakeholders and competitors view us? Depending on which sector the organization finds itself in, reputation may be more critical for some than for others. Public organizations, for example, are reliant on their reputation, since their operations are funded by the taxpayer, and therefore have a responsibility to uphold a standard of professionalism, integrity and transparency.

Even for private organizations, a bad reputation can lead to boycotts and ultimately a decline in profits. It is therefore important for an organization to protect their brands, and make sure to have appropriate franchisee behavior, whilst avoiding counterfeiting and fake goods.

Market: The market is a force that cannot be tamed. The outside world can influence the organization’s business potential, both in terms of volume and of opportunity. The constant evolution of digitization changes the terms on which business is conducted, and how products are shaped, delivered and reviewed. Organizations are always challenged by different forces from the external environment, such as buyers, suppliers, competitors and even substitution by a similar, yet better product.

Lastly, we have the 4Ps. These are factors that can bring potential disruption and harm to our operations. They are defined as:

People: Lack of skills, unexpected absence of key personnel, ill health, accident or injury to people.

Premises: Theft or loss of physical assets, property damage and contamination on premises.

Processes: IT-failures, inadequate management of information, disruption by hackers/viruses.

Products: Poor product/service quality, delivery of defective goods or components, disruption caused by failure of supplier, failure of outsourced services and facilities.

Relational coordination

Risk Management

When cooperating across sections, a line of potential problems may arise, mainly in regard to the communicative aspect. These problems arise as a result of clashes between different kinds of expertise, authority and cultural differences. In relation to this, a professor within the field of management by the name of Jody H. Gittell has come up with her theory of relational coordination. This theory is mainly focused on the public sector; it is, however, still applicable to international private organizations. Used as a tool, the theory can help analyse the interpersonal processes which could potentially be barriers to optimal efficiency. This theory has furthermore been the foundation for multiple Danish consultants, who have added their own contributions to it. Consultants such as Carsten Hornstrup claim that the definition of a good relationship is subjective, and a given relationship can therefore be seen in two completely opposite ways. A relevant factor in this is the individual's position of authority within the hierarchy of the organization, where leaders will often have a more positive outlook on the relationship.

Jody H. Gittell has set up a negative and a positive spiral with the purpose of illustrating what indicates a positive and a negative relationship. The reason it is illustrated as a spiral is that a relationship is built heavily on communication, and vice versa. There is therefore no real ‘starting point’, and one should try to improve one of the following aspects in order to break through to the next, until it comes full circle.

The theory of relational coordination is based on two different dimensions: relations and communication. The quality of these dimensions is defined by the following indicators:

Relations:

  1. Mutual goals: The same interpretation of the mission objective within an organization, where a task is solved based on a set of common, clarified goals. This is also synonymous with the organization’s vision, so it is crucial that everyone is on the same page regarding the overall goal.
  2. Mutual knowledge: To which degree are the different groups familiar with each others professional field and competences? This is not only about perfoming one another’s list of duties, but also knowing and understanding them.
  3. Mutual respect: Whether the different groups feel acknowledged for their contribution to solving the common task. This is where higher-placed personnel may show a lack of respect for other groups, which ultimately affects the common engagement in a negative way.

Communication:

  1. Frequent and timely: This indicator revolves around whether communication is timed correctly, happens often enough and is interpreted in a meaningful way. The overall coordination suffers if communication is too frequent, too rare or timed incorrectly.
  2. Precise and problem-solving: Is the communication constructive, practical and relevant? The task needs to be presented in a way the receiver can comprehend, and needs to address the actual issue at hand.

Business Impact Analysis

Risk Management

There will often be many active pieces within an organization. Some may be critical for the organization’s infrastructure, and others may not be as essential for the survival of the company. When conducting a Business Impact Analysis (BIA), one needs to consider what it is that brings actual value to the company. A company’s wealth and value are determined not only by its monetary value, but by its cultural and social values as well. First of all, we need to establish ‘what value are we creating’ and thereafter ‘who do we create value for’, in order to get an idea of the organization’s output and paint a picture of the overall process.

By going through the following steps, we can systematically review the relevant elements of our company’s value creation. The steps are as follows:

  1. Value creation: Who are we creating value for? To understand this business model, we need to identify potential hazards that can cause disruption to our operations. In this step, you can use models such as Porter's Value Chain and the Business Model Canvas.
  2. Identification of critical activities: In this step we pool a number of processes which together constitute an activity. For example, the production line creates value for us, so we need to recognize where potential disruptions within this production line would be critical for our operations.
  3. Mutual dependencies: Which activities rely on each other to function? In this part, it is also relevant to consider how dependent we are on our suppliers. Do we have alternative suppliers, in case our Tier 1 supplier is unable to perform its part?
  4. The robustness of critical activities: How do we test our robustness? In this step we test the minimal operative level. For example, if the power is out, can we still keep an overview of our logistics on paper rather than electronically? The system’s robustness is defined by its ability to absorb disruptive events whilst keeping our operative integrity. An analysis can be conducted by doing the following:
     1. Identifying vulnerabilities/minimum operational levels.
     2. Identifying where an increase in resources can strengthen our robustness.
     3. Different types of exercises can also help in this phase (e.g. contingency plans).
  5. Internal and external resources: The resources that the company is reliant on, such as:
     1. Infrastructure; roads, stand-alone systems.
     2. Physical resources; storage/inventory, equipment.
     3. Intellectual resources; skills, employees' educational background, capabilities.
  6. Maximum Tolerable Downtime (MTD): MTD describes the point at which an organization is unable to keep its operational integrity after a disruptive event (post-crisis). The costs of restoration are so high that it would not be worth it.
  7. Recovery Time Objective (RTO): RTO describes when management wishes for an activity to be back up and running. Meeting the RTO requires resources and therefore an allocation of economic funds. The RTO can be influenced by mitigating intervention, by having Risk Management as an integral part of the organization.

This figure can help illustrate what the MTD and RTO means during a disruptive event.
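To make the mutual-dependency, MTD and RTO steps concrete, here is an added example (my own code, not part of the original post or of any BIA tool) that follows the dependencies between activities, works out when each activity can realistically be back up, and flags where that exceeds the MTD or where an external dependency such as a Tier 1 supplier has no alternative. All activity names and hours are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class Activity:
    """A node in the BIA: an internal activity or an external supplier/resource."""
    name: str
    mtd_hours: float                     # Maximum Tolerable Downtime
    rto_hours: float                     # Recovery Time Objective set by management
    depends_on: list = field(default_factory=list)  # names this node relies on
    external: bool = False               # supplier or infrastructure outside our control
    alternatives: int = 0                # fallbacks available (second supplier, paper process)


def effective_rto(activities, name, visited=()):
    """Recovery time of `name` once its dependencies are taken into account.

    An activity cannot be back up before the slowest thing it depends on, so the
    effective RTO is the larger of its own RTO and its dependencies' effective RTOs.
    A circular dependency (A needs B, B needs A) is reported instead of looping.
    """
    if name in visited:
        raise ValueError("circular dependency: " + " -> ".join(visited + (name,)))
    act = activities[name]
    deps = [effective_rto(activities, d, visited + (name,)) for d in act.depends_on]
    return max([act.rto_hours, *deps])


def bia_findings(activities):
    """Return (activity, issue) pairs that the RTO/MTD comparison or the
    mutual-dependencies step would put on a risk manager's follow-up list."""
    findings = []
    for name, act in activities.items():
        eff = effective_rto(activities, name)
        if eff > act.mtd_hours:
            findings.append((name, f"effective RTO {eff}h exceeds MTD {act.mtd_hours}h"))
        for dep in act.depends_on:
            d = activities[dep]
            if d.external and d.alternatives == 0:
                findings.append((name, f"single external dependency on {dep} with no alternative"))
    return findings


# Constructed sample data, not taken from any real organization.
SAMPLE = {
    "tier1_supplier": Activity("tier1_supplier", mtd_hours=120, rto_hours=60, external=True),
    "power": Activity("power", mtd_hours=24, rto_hours=4, external=True, alternatives=1),
    "production_line": Activity("production_line", 48, 12, depends_on=["tier1_supplier", "power"]),
    "order_logistics": Activity("order_logistics", 24, 8, depends_on=["power"], alternatives=1),
}

if __name__ == "__main__":
    for activity, issue in bia_findings(SAMPLE):
        print(f"{activity}: {issue}")
```

Run as-is it reports that the production line's own 12-hour RTO is meaningless while it waits 60 hours on a single-sourced supplier, which is exactly the gap that step 3 and the RTO step are meant to surface.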