The FIRM Scorecard

Risk Management

Within the field of Risk Management, there are various ways of identifying risks. Depending on the way in which you wish to realize these risks, there are certain risk classification systems to choose from. One of these is the FIRM scorecard, which at some points serves the same purpose as the Business Impact Model. Both of these aim at identifying risks, whereas FIRM also takes notice of risks outside of the organization. Additionally, the FIRM scorecard also puts more focus on the causality between the organizations planning/business model, its stakeholders and the organizations position in the market.

Let us dive into the core of the model and see how it help us asses certain risks. For a better understanding of the model, this figure will be a good starting point for illustrating the many factors that come into play:

To better comprehend the figure, let us look at it starting from the top. So first of all, we have the mission objective. The Mission Objective of an organization is its designated mission, a mission that is influenced by a line of factors, such as:                                  

  1. Significant risks: Which risks have meaning for us and are relevant?
  2. Key dependencies: Functions within and outside of the organization that can cause a disruption for our operations. This is where the organizations robustness (capacity) and resilience (restoring activities) come into play.
  3. Core processes: The primary activities which helps the organization realize its goals.
  4. Planning: Planning which is conducted on a strategic level, and choice of business model.

To understand what is meant by planning on a ‘strategic’ level, we need to differentiate between the strategical, tactical and operational level.

On the strategical level we have the board of the company, those who decide the company’s policies and decide the long-term strategy for the organization. On this level, planning is usually based on what will happen for the next 12-18 months. This is just a ballpark figure, as some projects may take years before they become operative.

Next, we have the tactical level, which consists of middle-upper management. Management on this level will usually be the mediator between the strategic personnel and the operatives. This is also why they are the ‘first line of defense’, since they are the ones on-site with enough authority and day-to-day presence. Planning on the tactical level will usually be based on a time period between 6-12 months.

On the operational level is where all of the practical activities take place. This is where we have our costumer care, cleaning personnel, security, and so forth. They are the ones making sure that our operations run as they should, and the planning for this level is usually revolved around 1-2 weeks.

Lastly, we have the compliance level, and this one is a little outside the hierarchy. An organization’s compliance revolves around all of the legal criteria for an organization. This includes everything from the organization’s responsibility for the staff’s safety, environmental laws, anti-corruption, etc. It will usually be lawyers whom makes it clear for the board what activities are or aren’t legal, and later have HR implement relevant activities that ensures that there is compliance across the organization. Complying with the law is an absolute must, for if caught, the organization will lose their ‘license to operate’ and therefore cease operations.

By using the terms above, we can get better insight into how these affect the FIRM scorecard The acronyms cover the following:

Financial: Risks that can impact the way in which money is managed and whether profitability is achieved. In order to reduce risks within this department a risk manager can perform certain to reduce fraud, actions such as: reducing the motive for fraud, minimize the opportunity to steal, improve detection of fraud and record keeping and increase level of supervision.

Infrastructure: Risks within the infrastructure are elements that can affect and/or cause disruption within our core processes and efficiency. For this department of the organization, a BIA analysis would be an optimal tool. Depending on the nature of the organization, the hazardous risks can vary but will usually include things such as: Electrical & fire safety, dangerous machinery, radiation and so forth.

Reputation: How does the public, stakeholders and competition view us? Depending on which sector the organization finds itself it, the reputation may be more critical than others. Public organization are for example reliant on their reputation, since their operations are funded by the taxpayer, and therefore has a responsibility to withhold a standard of professionalism, integrity and transparency.

Even for private organizations, a bad reputation can lead to boycotts and ultimately a decline in profits. It is therefore important for an organization to protect their brands, and make sure to have appropriate franchisee behavior, whilst avoiding counterfeiting and fake goods.

Market: The market is a force that cannot be tamed. The outside world can influence the organization’s business potential, both quantity and opportunity wise. The constant evolution of digitization changes the terms on which business is conducted, and how products are shaped, delivered and reviewed. Organizations are always challenged by different forces from the external environment, such as the buyers, suppliers, competitors and even the replacement of an identical, yet better product.

Lastly we have the 4P’s. These are factors that can bring potential disruption and harm to our operations. They are defined as:

People: Lack of skills, unexpected absence of key personnel, ill-health accident or injury to people.

Premises: Theft or loss of physical assets, property damage and contamination on premises.

Processes: IT-failures, inadequate management of information, disruption by hackers/viruses.

Products: Poor product/service quality, delivery of defective goods or components, disruption caused by failure of supplier, failure of outsourced services and facilities.

Risk Strategy. Safety Risk Management

Risk Management

This article describes how safety risk management is a key component of any safety management system and involves identifying safety hazards to your operations and assessing the risks of mitigation. To successfully identify hazards you should think laterally and be unencumbered by past ideas and experience   

Introduction

The term “safe”

Those involved in disaster  management are often faced with defining what level of safety from hazard exposure is considered sufficient. There is not necessarily a correct answer to the question “how safe is safe enough?” ( Derby and Keeney, 1981). Most people assume that referring to something as “safe” implies that all risk has been eliminated. However, because such an absolute level of safety is virtually unattainable in the real world, risk managers must establish thresholds of risk that define a frequency of occurrence below which society need not worry about the hazard. Derby and Keeney (1981) contend that a risk becomes safe or acceptable if it is “ associated with the best of the available”

This definition can cause great disagreement between the public and disaster risk management officials. The public may expect a level af safety determined to be zero risk for some hazards, such as terrorism in the United States. Officials may need to recalibrate the public’s perception of these hazards continually to let the public know that although the risks are in fact stille possible, they have been mitigated to the best of the country` s social, economic, and technological abilities. Although the chances of a terrorist attack will always exist, governments strive to attain levels of security dictating that the risks are so low that people need not worry.

To determine what level of safety is most acceptable, Derby and Keeney ( 1981 ) contend that “the best combination of advantages and disadvantages” must be chosen from among several alternatives. For instance, although the risk for car accidents is one of the greatest we face on a daily basis, eliminating the risk by prohibiting the use of cars is impractical. However, we can make cars more resistant to impact, add seat belts and airbags, and enact laws and regulations that limit the ways in which cars are operated. The result is a level of safety upon which society agrees is acceptable in relation to the benefits ( mobility ) retained.

Paul Barnes of the Australian Department of Primary Industries explains the importance of establishing an agreement on what constitutes safety in the community. He writes:

Is our goal Community safety or Safer Communities? As a societal outcome, Community Safety can be sought via efficient  and effective regulation at an institutional level. Associated with this regulation must be similarly high standards of risk management applied at the community level. The establishment of safer communities , however , is a different matter. Before this can be sought as a goal, determinations must be made about what safety means to the communities themselves. To do this, institutional regulators must ensure that use of their expertise does not promote inflexibility in understanding the world – views of the public. 

 Feel free to comment, or contact us for more information!

        source:

          Coppola, D. (2021): “Introduction to International Disaster Management”   

Does your company have a Contingency Plan?

Good strategies always involve a Business Contingency Plan (CP), in case the original plan backfires, and does not work as expected. In this case you need a CP to achieve the same goal as planned. A CP will work as your ‘plan B’ in such case.

Let us see why you need a business contingency plan and how to create one in a few simple steps!

What is a BCP?

But first, let’s define what a contingency plan is.

A contingency plan is a proactive strategy that describes the course of actions the management and staff of an organization need to take in response to an event that could possibly happen in the future. A CP is, in other words, related to likelihood and possibility which we can not predict with certainty.  

What is the purpose of a BCP?

A CP helps you stay prepared for unforeseen events and minimize their impact. The purpose of a business contingency plan is to help your business resume normal business operations after a disruptive event. A CP can also help organizations recover from accidents, manage risk, avoid negative publicity, and handle employee injuries.
In times where your primary plan doesn’t work, you need to execute the plan B. By this your business can react faster to unexpected events.

How to make a CP?

An effective CP is based on good research and brainstorming. The four steps below show you how to develop a business contingency plan to help you prepare for the unexpected.

1) Identify the risks

Before you can prepare for an event, you need to know what you are preparing for. Because of this you need to identify the major events that can have a negative impact on the course of your business and on the key resources, such as your employees, IT systems, machines etc.. Think of all the possible risks in your organization. As you are brainstorming, you could with advantage involve employee from other teams, to ensure that you are preparing for risks in the entire organization, and not only in your team.

Tip: use a min map to organize and categorize the risks you gather from the brainstorming session!

2) Prioritize the risks

 Once the list is created, you need to start prioritizing them, based on the threat they pose. Make sure you spend your time preparing for events that have a high chance of occurring. You would not want to spend all your time preparing for events you’re not experiencing.

Tip: To determine which risks are more likely yo occur, use a risk impact scale!

3) Develop contingency plans                     

Once you have created a prioritized list, it’s time to put a plan together to mitigate those risks. As you write a contingency plan, it should include visuals or a step-by-step guide that outlines what to do once the event has happened and how to keep your business running. Include a list of everyone, both inside and outside of the organization, who needs to be contacted should the event occur, along with up-to-date contact information.

Tip: we recommend you begin with the threats you consider high priority!

4) Maintain the plan

Even after you’ve developed a CP, the process doesn’t stop here. Once you have completed the contingency plans, make sure that:

  • The CP is quickly accessible to all employees and stakeholders
  • You communicate the plan to everyone who could potentially be affected
  • Review your plan frequently (Personnel, operational, and technological changes can make the plan inefficient, which means you may need to make some changes)

Benefits of a CP

Without a backup plan, you’re opening yourself to unnecessary risks. Here we have listed some om the most important benefits of a CP, that you cannot ignore:

  • Helps your business react quickly to negative events
  • A CP lists the actions that needs to be taken, and by this everyone knows what to do, without wasting time panicking
  • Allows to minimize damage and loss of production

What is the CP planning process in your organization? Let us know in the comment section below!

Sources:

The danish template for CP

For inspiration take a look at CP templates:

Risk strategy; risk transfer, sharing and spreading

This post focuses on the last risk management strategy, which we have introduced throughout the last weeks. Take a look at the lasts posts to get the full overview!

The final and most debated goal of risk management strategies is according to Senior Disaster Management Specialist, Damon P. Coppola, risk transfer, sharing or spreading. The concept of the goal is not actually to reduce the risk, but to dilute its consequence or likelihood across a large group of people such that each suffers an average consequence. Risk transfer involves moving the risk to another third party or entity, even though this may include giving up some control. By outsourcing, moving to an insurance agency, or leasing property, your organization is not responsible all alone when something goes wrong.
The most common form of risk transfer is insurance, which includes reinsurance. Insurance reduces the financial consequence of a hazard’s risk by eliminating the monetary loss associated with property damage. Insurers charge a calculated payment that is priced according to the hazard’s expected frequency and consequence. Payment of the premium guarantees the repayment of losses to impacted participants if the insured hazard occurs. In this way the cost of the secondary hazards is thereby shared by, or spread across, all participants through the payment of premiums. The risk transfer safeguards the project team against unpredictable risks such as weather, political unrests, or COVID-19, which are outside of the project team’s control.    
OBS: Risk management may seem superfluous at the beginning of the project. When a project manager is beginning a new project, it is indeed difficult to consider what could go wrong, especially if the project team is overconfidence biased (as described in our earlier post). Therefore, risk management must be considered an absolute priority from the beginning of the project!

Risk transfer do not always result in lower costs. Instead, a risk transfer is the best strategy when you can reduce future damage. In this way insurance can cost money, but it may end up being more cost-effective, than having the risk occur and being solely responsible for reparations.

Risk sharing includes sharing the risk impacts or liability among suppliers, partners, contractors, or companies by a contract. This sharing enables them to reduce risks around capacity and to reduce the risk of price fluctuations. For instance, if a power supply fails in an expensive server causing the loss of revenue for a customer, you could ask and receive a replacement power supply.

Summary of risk management strategies

Avoid, accept, transfer, consequence, or likelihood reduction. For each risk you encounter, you and your organization will have to deal with it. A pre assessment or risk analysis enable more options than just a major construction recall.  

Within your organization’s risk management framework, you should be aware of the different strategies along with understanding the guidelines for their implementation. Engineers and managers make decisions concerning risks every day, throughout the organization. Providing a set of clear strategies along with guidance allows the entire organization to appropriately mitigate risks daily.  

Feel free to comment, or contact us for more information!

Source:

Coppola, D. (2015): “Introduction to international disaster management”

Risk strategies: Risk likelihood Reduction and Consequence Reduction

This post focuses on the two second risk management strategies, which we introduced last week. Look at the lasts posts to get the full overview!

Risk Likelihood Reduction

For many kinds of hazard risk, it is possible to reduce the chances that they will manifest into even bigger risks. In such case, risk is addressed through a reduction in likelihood. Obviously, this is not practical or feasible for certain types of hazards such as bad weather. Other secondary risks, such as water in the fundament of the construction have several mitigation options available to manage, including controlled release or cover.

In international projects as an example, companies sign contract to lower the likelihood for disagreements before the actual work begins. 

Another way to reduce the risk likelihood would be enhanced training or applying a security patch. You can also reduce the likelihood by implementing controls. Controls that detect the root causing unwanted failures, that the team can avoid. This kind of control seeks to be found in the management or decision-making process. By improving the ability to find design flaws or to improve the accuracy of field failure rate prediction, you can improve the ability to make appropriate decisions concerning the risks in your project.  

To assign high-risk management activities to highly qualified project personnel. In this way the experts, who are used to run a high-risk business, can anticipate problems, and find better solutions. Companies also use diversification of knowledge by sharing skills and know-how across the supply chains to spread and reduce risks. This can, by advantage, be done through a RoC Drill which gather a group of diverse people. This should be done to have an independent, unbiased outside experts review the project’s risk plan before final approval.

Risk Consequence Reduction

The second and similar risk reduction goal, is to reduce the impact of hazard risk on humans, structures, the economy, the environment, or any combination of these. Measures that address consequences typically assume that the hazard is going to result in an even bigger risk, that will have an associated intensity. Such strategy is taken to ensure that the structure, collaboration, system, or other subjects protected by the mitigation strategy, is able to withstand an event without any, or with reduced, negative consequences. The risk levels of most hazard risk can be reducing through at least one, and likely more consequence reduction options, which is not always the case with likelihood reduction. For most technological hazards, consequence reduction revolves around the development of primary and redundant safety and containment. This strategy employs a bit of risk acceptance with a bit of risk avoidance, or an average of both. An example would be a company accepting a bit of delay in the project, by having a buffer time.

Another method to reduce the consequence is to be proactive. Unwanted event or high field failure rates will occur. Therefore, you need to:

1)Think how you will detect the onset of the event, and
2) how to respond.

Maybe you need to stop construction when a part of the plan has a major consequence. Therefore: have plan in place. By acting quick and appropriate you may reduce the exposure to more failures/consequences.

Tip: This can be done by gathering the team around a RoC Drill when you need to reschedule the project process!

Source:

Coppola, D. (2015): “Introduction to international disaster management”

Risk strategies: Avoidance and Acceptance

This post focuses on the two first risk management strategies, which we introduced last week. They are opposite each other and seeks by this totally different views and strategies. Take a look at the lasts posts to get the full overview!

Risk Avoidance

Some hazard risks pose such a great threat that even a partial reduction in either risk likelihood or consequences is unacceptable, given the possible outcome of a realized event. For these risks, only total risk avoidance is acceptable, which is why action it is deemed necessary to reduce either the likelihood or the consequence factor to absolute zero.  

By stepping away from the business activities involved or designing out the causes of the risk, you can avoid the occurrence of the undesired events. Some opportunities to avoid risk are to exit the business, cancel the project, close the construction, etc.. This strategy has its consequences: In some cases, we even create additional risks by trying to avoid a particular risk. For instance, we may be tempted to choose a supplier with a proven track record instead of a new supplier, that offers significant price incentives. On one hand we choose not to take any chances, but at the other hand we could also miss out on the benefits we could have received by choosing a new supplier. Even though this has other consequences, it is an option.

Eliminating a risk is the best technique you can apply. If the project manager can avoid the risk, surely it is the best way to avoid negative impacts derived from it on the project.   Managing risk in this way is most like how people address personal risks. While some are more risk-loving and some more risk-averse, everyone sure has a tipping point, where things become just too risky and not worth attempting.

Risk Acceptance

Some associated risks for certain hazards are considered to be acceptable “as is”. It may be determined that any further reduction in risk is either too expensive or unnecessary. Several reasons might lead to this decision.
First, every project team has a whole range of hazards with which it must contend, and there assuredly is limited funding to treat those ranges of hazards. Some risks, as determined through cost-benefit analyses, are better left untreated, with the purpose of treating other hazards for which risk reduction will have greater value. All projects will have risks that are so small in terms of consequence or likelihood of occurrence that they are accepted without discussion. This could be going ahead with an event despite the risk of rain, or deciding to take part in a risky activity, which is well managed and supervised, but still risky.
Second, some risk reduction measures can result in one or more undesirable consequences. These secondary hazards may be expected to arise as a direct result of the mitigation measure. In which cases can be considered more damaging or undesirable that the consequences of the hazard risk. Furthermore, the secondary hazards are not discovered until after mitigation has been conducted – in this case you need to decide whether or not to dismantle the new protection mechanisms.
In most cases, risk acceptance is entertained or applied not when risk reduction or avoidance measures are unavailable, but when they are unaffordable.

Source:

Coppola, D. (2015): “Introduction to international disaster management”

What is risk management strategies?

Every project we face will address different risks in the day-to-day operations or at long term. Even the most carefully planned project can encounter problems and unexpected risks. Some will be good and some bad. Some minor some bigger. But this does not mean we should give up, when we are facing unexpected problems!
Once your organization has identified the existing hazards and their associated risks, further evaluation for risk treatment options become possible.

Your ability to mitigate risk allows you to proactively acknowledge and accommodate risks. Getting rid of risk altogether is not a feasible solution, but by measuring risk, your organization can decide how to deal with each kind of risk the best way.

Risk management is the process of determining an acceptable level of risk, calculating the current level of risk, and then either accepting the risk, avoid the risk or taking steps to reduce to acceptable level of risk.

In this post, we will introduce the five different strategies to mitigate risk, which we will dike deeper intro in the following posts.

Mitigation

Mitigation refers to any action or sustained effort undertaken to reduce a hazard risk through the reduction of the likelihood and/or the consequence component of that hazard’s risk. In other words, mitigation seeks to either reduce the likelihood of occurring or reduce the impact of the consequences if it occurs.

Mitigations goals

Mitigation goals refer to the different methods of dealing with risk. When considering the mitigation options suitable for treating a risk, several general goals classify the outcome that your strategy may seek:

1) Risk likelihood reduction

2) Risk consequence reduction

3) Risk avoidance

4) Risk acceptance

5) Risk transfer, sharing or spreading

OBS: Most strategies are most of the time not a clean risk consequence reduction or likelihood reduction but a combination between the goals!

Keep in touch to learn more about the 5 different goals in the upcoming posts, where we will zoom in at the specific goal.

Sources:

Coppola, D. P. (2015): “Introduction to international disaster management”

Vulnerability Assessment

Understand your vulnerabilities is just as vital as risk assessment because vulnerabilities can lead to risks. If there is a universal imperative when it comes to mitigating vulnerabilities, it’s to analyze them first before you try to fix them. The more compound they are, the more critically important this assessment steps becomes. 

What is a vulnerability assessment? 

A vulnerability assessment refers to the process of defining, identifying, classifying, and then prioritizing all the vulnerabilities that exist in various infrastructures, applications within the company. 

With an effective vulnerability assessment, your organization has the tool needed to understand your security weaknesses, how to assess the risks associated with those weaknesses, and last how to put protections in place which reduce the likelihood of occurring.

How to perform a vulnerability assessment

There are three general steps that your company can follow:

  1. Identify and rang the vulnerability
  2. Document the vulnerabilities
  3. Create guidance

Step 1: Identify and rang the vulnerabilities

In this step you should define the risk and critical value for each action. You can construct a matrix with columns for each vulnerability, a possible scenario, the probability of an event and the impact of such an event.

Tip: Focus on what matters most!

Step 2: Document the vulnerabilities

The purpose of the step is to document the vulnerabilities, so you easily can identify and reproduce the findings in the future.  

Step 3: Create guidance

Use the profile to provide a clear graphical outline of which actions are associated with the greatest vulnerabilities, and likewise which to consider new or additional measure against.  

Tip: Your vulnerability assessment should be reviewed and updated on a regular basis or when changes have been made!

Note: The vulnerability profile cannot stand alone. It should be done along with a risk assessment. (Re)read the post about risk assessment.  

The pros and the cons of vulnerability assessment:

Sources

Snedaker, S. & Rima, C. (2014) ”Risk assessment, Vulnerability Assessment”, in (red.) Business Continuity and Disaster Recovery Planning for IT Professionals, 2.nd. edition

Balbix: “Brief overview of vulnerability assessment”, available online: https://www.balbix.com/insights/vulnerability-assessments-drive-enhanced-security-and-cyber-resilience/ 

Risk Assessment, step 3

This risk tool post is about the third step in a risk assessment, so if you haven’t read the first two post, we recommend you read the first post to find out why it is so important to do a risk assessment in your organization and how to get started! 

Step 3: Develop strategies to reduce risk and vulnerability   


Once the threats have been identified and evaluated, and the risks rated, the next step is to consider what can be done to reduce risks to an acceptable level. Developing security strategies is a critical step in ensuring that before committing staff, resources and the firm’s reputation, the firm has taken all reasonable steps to minimize the risk.   
In general, there are two possible courses of reducing exposure to risk:

Mitigation measures to reduce risk should focus on both prevention (reduce the probability) and reaction (reduce the impact). By doing this, you can reduce the level of residual risk from the level originally assigned to each threat identified, and thereby improve your ability to deliver your program.   

For example, we could reduce the exposure the to the risk of spreading with COVID-19 by:

Sources:   
Damon P. Coppola (2015) “Introduction to international disaster management”  

European interagency security forum (2020) “Security to go: A risk management toolkit for humanitarian aid agencies 

Humanitarian Practice Network (2010) “Good practice review – Operational security management in violent environment” 

Risk assessment, step 2

This risk tool post is about the second step in a risk assessment, so if you haven’t read the first post, we recommend you to read the first post to find out why it is so important to do a risk assessment in your organization and how to get started!   

Step 2: Evaluate the hazards and rate the risk  

Once you have identified the types of hazards in step 1, you may face in the project, you will need to evaluate each of them and rate the level of risk to the staff, the firm and its project. This step helps clarify how severe (or not) the risk is, and how much priority it must be given.  

Note: The risk rating is derived from a combination of the probability that an incident will occur and the level of impact it will cause

There exist different risk rating systems, depending on the project, geographically, nationality, staff or regionality. Below are two tables you can use to determine the risk rating for each hazard that has been identified. However, in a new situation where firms and organizations have not recently been undertaken, it may be necessary to use data from similar projects combined with current information from sources.

Tip: The definitions for each level should be agreed across the firm to make it possible to compare different contexts!

First, this assessment helps identify areas that are priorities for your project or the firm, specifically those risks that are more likely to happen and whose impact if they happen would be moderate to critical.
Second it helps in determining when a risk has become too high for projects to continue.

The tables could end up depicts the following conclusions from a discussion in the team:

Sources:  

Damon P. Coppola (2015) “Introduction to international disaster management” 

European interagency security forum (2020) “Security to go: A risk management toolkit for humanitarian aid agencies” 

Humanitarian Practice Network (2010) “Good practice review – Operational security management in violent environment”