What is a risk?
For someone who is not a specialist, let's explain it in a simple and easy way:
A risk is something that may or may not happen. In business the word has a negative connotation: something that could jeopardize achieving the expected results. In business a risk is mitigated but never eliminated, and it is mitigated with a control.
Controls, like risks, come in several types, but let's keep it simple. There are 4 types: manual (performed by a person), electronic (performed by a system), preventive and detective.
Depending on the size of the company, its business lines, processes, resources, etc., controls should be designed to minimize risks. But how can you do that if the risks have not been identified? Here are the steps to deploy the BRA:
1. Analyze the company externally and internally. Start with an inventory of potential events that could affect it, such as external threats. These depend on where the company is established and/or operates. For example: is it a high-risk jurisdiction for corruption, money laundering or tax evasion? Which economic factors could affect us? How are the financial markets? What is the employment rate? Who are our competitors (direct and indirect)? Which regulations do we have to comply with? What is the political environment? Which natural catastrophes could affect us? How do our customers behave? Which emerging technologies affect us? Etc.
Afterwards, think about the inventory of events that could affect the company internally, such as: how is our relationship with shareholders? How are the processes designed? What is our staff capacity? How often are they trained? Do we depend on technology? How are we protecting our core business (confidential information such as formulas, plans, data, etc.)? Do we cover our operating costs? How often is the equipment maintained? How leveraged are we? What kinds of accidents could happen in our facilities? How is the surveillance? Which areas handle cash or important information? Which are our most important products or services? Do we have an alternative provider in case the main one fails? Have we established a mission, vision and values? Do our employees know them? Where does the company keep its money? Who has access to it? Do we handle a considerable amount of money? Etc.
2. Now that you have the list, evaluate each event with these two questions:
a) If this event happens, what will be its impact on our business?
b) What is its probability of occurrence?
Design a table in Excel with 3 columns: event, impact and probability of occurrence. Evaluate impact and likelihood on a scale of 0 to 10. The first time this is done, it is recommended that someone in charge (either Internal Audit or Compliance) draws up the list and then sends it to the other Area Directors so that each of them can evaluate it individually. Establish a deadline and a date for a meeting to share the results; the same person in charge of the list moderates between the Directors. The purpose of the meeting is for everybody to explain their point of view and to reach a consensus answer. It sounds easy, but it can be quite exhausting, especially the first time. The key is that everybody participates, so you obtain two things: an evaluation of the risks, and awareness among the people who run the company of what it could face.
3. After you have the evaluation, divide the scale into three. Classify both the importance and the probability of occurrence as high, medium or low. Start prioritizing the ones with the highest scores. Which risks could easily happen and would impact us most? Those are the high risks. Which have medium probability and impact? And low?
4. Use a graph to place the risks, such as the following (you can use the X or Y axis indistinctly for importance or likelihood):
This is a "risk map" or "heat map". It is a very useful tool to get an idea of how a company, process or area stands today; it is like a "photo" of its vulnerabilities. As you can see, events can lead to threats and therefore become risks. What was a low risk yesterday can be a high risk today or a medium one tomorrow. Risks change; they are dynamic. External factors change and are out of the company's hands (who would have imagined that we would have drones?). Internal factors, of course, depend more on the company.
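As an added example (not part of the original article), the script below implements steps 2 to 4 in Python: it consolidates the Directors' individual 0 to 10 scores for each event, bands each score by dividing the scale into thirds, derives an overall level for each risk, and prints a 3x3 heat map with importance on one axis and likelihood on the other. The events and votes are constructed sample data; using the median to consolidate votes and the 3x3 matrix that turns the two bands into one overall level are assumptions of this example, not something the article prescribes.

```python
from __future__ import annotations

from dataclasses import dataclass
from statistics import median

SCALE_MAX = 10            # impact and likelihood are scored 0..10, as in the article
LEVELS = ["low", "medium", "high"]


@dataclass
class Risk:
    event: str
    impact: float         # consolidated impact score, 0..10
    likelihood: float     # consolidated probability of occurrence, 0..10

    @property
    def exposure(self) -> float:
        # Only used to order the list ("start with the maximum number").
        return self.impact * self.likelihood


def band(score: float, scale_max: float = SCALE_MAX) -> str:
    """Step 3: divide the scale into three. 0..1/3 is low, 1/3..2/3 is medium, the rest is high."""
    if not 0 <= score <= scale_max:
        raise ValueError(f"score {score} is outside 0..{scale_max}")
    if score <= scale_max / 3:
        return "low"
    if score <= 2 * scale_max / 3:
        return "medium"
    return "high"


def overall(impact_band: str, likelihood_band: str) -> str:
    """Assumption (not from the article): combine the two bands with a 3x3 matrix.
    low/low, low/medium -> low; medium/medium, low/high -> medium; medium/high, high/high -> high."""
    rank = LEVELS.index(impact_band) + LEVELS.index(likelihood_band)   # 0..4
    return "low" if rank <= 1 else "medium" if rank == 2 else "high"


def consolidate(votes: dict[str, list[tuple[float, float]]]) -> list[Risk]:
    """Step 2: every Director scores each event individually as (impact, likelihood).
    The median of the votes is the starting point for the consensus meeting."""
    risks = []
    for event, scores in votes.items():
        impacts = [i for i, _ in scores]
        likelihoods = [p for _, p in scores]
        risks.append(Risk(event, median(impacts), median(likelihoods)))
    return risks


def prioritise(risks: list[Risk]) -> list[tuple[str, str, str, str]]:
    """Return (event, impact band, likelihood band, overall level), highest exposure first."""
    rows = []
    for r in sorted(risks, key=lambda r: r.exposure, reverse=True):
        ib, lb = band(r.impact), band(r.likelihood)
        rows.append((r.event, ib, lb, overall(ib, lb)))
    return rows


def heat_map(risks: list[Risk]) -> dict[tuple[str, str], list[str]]:
    """Step 4: place each event in a 3x3 grid keyed by (impact band, likelihood band)."""
    grid: dict[tuple[str, str], list[str]] = {(i, l): [] for i in LEVELS for l in LEVELS}
    for r in risks:
        grid[(band(r.impact), band(r.likelihood))].append(r.event)
    return grid


def render(grid: dict[tuple[str, str], list[str]]) -> str:
    """Text heat map: impact on the Y axis (high at the top), likelihood on the X axis."""
    lines = ["impact \\ likelihood | " + " | ".join(LEVELS)]
    for i in reversed(LEVELS):
        cells = [", ".join(grid[(i, l)]) or "-" for l in LEVELS]
        lines.append(f"{i:<19} | " + " | ".join(cells))
    return "\n".join(lines)


# Constructed sample: three Directors each scored four events as (impact, likelihood).
SAMPLE_VOTES = {
    "Ransomware on finance systems": [(9, 7), (8, 6), (9, 8)],
    "Key supplier fails": [(7, 4), (6, 5), (7, 5)],
    "Office flooding": [(6, 2), (5, 1), (6, 2)],
    "New competitor enters the market": [(4, 6), (5, 5), (4, 6)],
}

if __name__ == "__main__":
    consolidated = consolidate(SAMPLE_VOTES)
    for event, ib, lb, level in prioritise(consolidated):
        print(f"{level:<6} {event} (impact {ib}, likelihood {lb})")
    print()
    print(render(heat_map(consolidated)))
```

The median is deliberately used instead of the mean so that one Director's outlier score does not drag the consolidated value before the meeting; the meeting itself still decides the final number, and the banding is only as good as the scale the Directors agreed on.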
The importance of the BRA is to know the company in detail: to evaluate how vulnerable we are and whether we are prepared to minimize what could become a reality. Therefore it is recommended to update it at least once a year, or when:
- an event occurs,
- a new event appears,
- a new system is bought,
- a new service or product will be launched, etc.
In any of these cases it should be evaluated again.
Next step: if you have already diagrammed the company's processes, that information will be helpful. Where will the risks from the list be placed? (That depends on whether the flowchart was done by area or by process.) In the next article we'll continue…