Within the field of Risk Management, there are various ways of identifying risks. Depending on the way in which you wish to identify and classify these risks, there are certain risk classification systems to choose from. One of these is the FIRM scorecard, which at some points serves the same purpose as the Business Impact Model. Both of these aim at identifying risks, whereas FIRM also takes notice of risks outside of the organization. Additionally, the FIRM scorecard puts more focus on the causality between the organization's planning/business model, its stakeholders and the organization's position in the market.
Let us dive into the core of the model and see how it helps us assess certain risks. For a better understanding of the model, this figure will be a good starting point for illustrating the many factors that come into play:
To better comprehend the figure, let us look at it starting from the top. So first of all, we have the mission objective. The Mission Objective of an organization is its designated mission, a mission that is influenced by a line of factors, such as:
- Significant risks: Which risks have meaning for us and are relevant?
- Key dependencies: Functions within and outside of the organization that can cause a disruption to our operations. This is where the organization's robustness (capacity) and resilience (restoring activities) come into play.
- Core processes: The primary activities which help the organization realize its goals.
- Planning: Planning which is conducted on a strategic level, and choice of business model.
To understand what is meant by planning on a ‘strategic’ level, we need to differentiate between the strategical, tactical and operational level.
On the strategical level we have the board of the company, those who decide the company’s policies and decide the long-term strategy for the organization. On this level, planning is usually based on what will happen for the next 12-18 months. This is just a ballpark figure, as some projects may take years before they become operative.
Next, we have the tactical level, which consists of middle-upper management. Management on this level will usually be the mediator between the strategic personnel and the operatives. This is also why they are the ‘first line of defense’, since they are the ones on-site with enough authority and day-to-day presence. Planning on the tactical level will usually be based on a time period between 6-12 months.
The operational level is where all of the practical activities take place. This is where we have our customer care, cleaning personnel, security, and so forth. They are the ones making sure that our operations run as they should, and the planning for this level usually revolves around 1-2 weeks.
Lastly, we have the compliance level, and this one is a little outside the hierarchy. An organization's compliance revolves around all of the legal criteria for an organization. This includes everything from the organization's responsibility for the staff's safety, environmental laws, anti-corruption, etc. It will usually be lawyers who make it clear to the board what activities are or aren't legal, and later have HR implement relevant activities that ensure that there is compliance across the organization. Complying with the law is an absolute must, for if caught, the organization will lose its 'license to operate' and therefore cease operations.
By using the terms above, we can get better insight into how these affect the FIRM scorecard. The letters of the acronym cover the following:
Financial: Risks that can impact the way in which money is managed and whether profitability is achieved. In order to reduce risks within this department, a risk manager can perform certain actions to reduce fraud, such as: reducing the motive for fraud, minimizing the opportunity to steal, improving detection of fraud and record keeping, and increasing the level of supervision.
Infrastructure: Risks within the infrastructure are elements that can affect and/or cause disruption within our core processes and efficiency. For this department of the organization, a BIA analysis would be an optimal tool. Depending on the nature of the organization, the hazardous risks can vary but will usually include things such as: Electrical & fire safety, dangerous machinery, radiation and so forth.
Reputation: How do the public, stakeholders and competition view us? Depending on which sector the organization finds itself in, its reputation may be more critical than that of others. Public organizations, for example, are reliant on their reputation, since their operations are funded by the taxpayer, and therefore have a responsibility to uphold a standard of professionalism, integrity and transparency.
Even for private organizations, a bad reputation can lead to boycotts and ultimately a decline in profits. It is therefore important for an organization to protect their brands, and make sure to have appropriate franchisee behavior, whilst avoiding counterfeiting and fake goods.
Market: The market is a force that cannot be tamed. The outside world can influence the organization's business potential, both quantity and opportunity wise. The constant evolution of digitization changes the terms on which business is conducted, and how products are shaped, delivered and reviewed. Organizations are always challenged by different forces from the external environment, such as buyers, suppliers, competitors and even the replacement of their product by an identical, yet better one.
Lastly we have the 4 Ps. These are factors that can bring potential disruption and harm to our operations. They are defined as:
People: Lack of skills, unexpected absence of key personnel, ill health, accident or injury to people.
Premises: Theft or loss of physical assets, property damage and contamination on premises.
Processes: IT-failures, inadequate management of information, disruption by hackers/viruses.
Products: Poor product/service quality, delivery of defective goods or components, disruption caused by failure of supplier, failure of outsourced services and facilities.