Showing posts with label Enterprise Risk Management. Show all posts

Thursday 5 May 2016

A methodology for developing a business continuity strategy

From Continuity Central.com -

"Once an organization has developed its business impact analysis (BIA) and its risk assessment, it has, according to ISO 22301:2012, to determine an appropriate business continuity strategy (BCS) to be able to resume and recover prioritized activities, at a specified minimum acceptable level. This has to be done taking into consideration the time within which the impacts of not resuming the activities would become unacceptable. The development of a BCS is probably one of the most complicated steps in building a business continuity management system (BCMS). An appropriate BCS demands the usage of a methodological approach and creative thinking. In this article the author presents a methodology for developing an effective BCS and the managerial aspects which need to be considered to stimulate a creative thinking environment."


Monday 8 February 2016

What every Risk Manager should be asking himself

By Stanley Epstein

The whole aspect of Risk Management has taken on a much higher profile over the past few years, driven by many new factors. In the financial industry, the crisis that so unpleasantly arrived on our doorstep in 2008 has been a major catalyst, while other recent events such as 9/11, the Japanese tsunami linked to the Fukushima atomic incident, Hurricane Katrina and Hurricane Sandy have each, in their own way, added to the knowledge of risk and to the pressure to be more aware of it and to take positive steps to manage it better.

One of the most important aspects of risk management lies in the creation of the correct culture within the organization. In this short article I pose ten questions aimed specifically at Risk Managers. If you can answer “yes” to all of these, you have created the appropriate risk management culture. The more “no’s” you have on your list, the more work you need to do.


1. Have you identified the potential business risks to the organization?

The starting point of any risk management program is to obtain a clear understanding of all the potential risks that face the firm. The emphasis is on ALL the risks. Remember operational risks become business risks as well. 

2. Have you assessed the likelihood and consequence of the significant risk being realized?


There are risks and there are risks. Once you have established what risks face your organisation, the next step is to determine the chances of such risks being realised, as well as the effect such an occurrence will have on the business or operation.

3. Have you assessed those risks that could:
  • Damage your organization’s reputation?
  • Affect your organization’s market position?
  • Result in prosecution?

We often tend to focus on the financial risks only. However, risks are always much wider than just the loss of income or the added expense of replacing a server. You need to give serious thought to the risks that could affect your organisation in the wider scheme of things: reputation, market position and the threat of prosecution, to name but three. A current example is the “horse-meat” scandal that is sweeping across Europe.

4. Have you established controls to manage significant business risks?

Of course it is impossible to eliminate all risks that the firm faces. Yet there is a very significant range of risks that your business is exposed to regularly. The starting point in managing these risks is to make certain that the right controls are in place to do just this.

5. Have you established a positive culture for controlling the risks?

Although risk represents a danger to the firm and a potential loss, risk should be seen in a positive light as an issue that you need to be aware of and that needs to be managed. A positive culture in managing risks is based on ensuring knowledge and understanding of what risk is, its implications and how it is managed or mitigated. This culture is further enhanced by ensuring that ALL the organisation’s staff receive the appropriate training.

6. Have you established a contingency plan to mitigate disaster?

What would you do if, tomorrow morning, you were faced with a situation in which you were unable to open your business? The reason why is largely irrelevant. The real disruption would be that you would be unable to open for business. Contingency planning is exactly how you would overcome this unfortunate situation and be able to continue operations/serving your customers. Do you have a Business Continuity Management plan that covers everything? Has it really been tested? Will it work?

7. Have you established continuity management control arrangements?

Business continuity management control addresses an organization’s ability to offset interruptions to normal operations. Key elements of this include:
  • Business continuity planning – a business continuity strategy based on a business impact analysis.
  • Business continuity testing – testing and documentation of business continuity strategy.
  • Business continuity maintenance – identifies ownership of business continuity strategy as well as ongoing reassessment and maintenance.

8. Do you regularly audit compliance with control arrangements?

It is one thing to have a comprehensive set of control arrangements to help mitigate the various risks. But this does not mean that you have managed your risks effectively. Are control arrangements being complied with? Compliance auditing will help keep this in check.

9. Do you regularly review these arrangements with respect to their adequacy and effectiveness?

Nothing remains static over time. What is true today need not necessarily be so tomorrow. The same applies to control arrangements. New processes, new operations and new clients all subtly change the risks you face. And with this change comes the need to ensure that the controls that you have put in place always remain adequate and effective.

10. Do you report annually on your risk and control measures?

Is there a higher body that keeps a watching brief over the business’s risks, the risks that you manage and your control measures? Do you report regularly to someone on these issues? You should be … and you should be doing this at the very least annually.

At the start of this article I wrote that a positive answer to each of the ten questions posed above would indicate that you, as a Risk Manager, have created an appropriate risk management culture. But culture is not enough. That culture has to lead to effective risk management. You do this in the doing, in showing positive results, in bringing down risks faced by the business, in reflecting a positive financial outcome.

Of course, this is just the beginning of creating an effective risk management program. Acquiring the knowledge and the expertise is the next step on the Risk Management ladder.

Remember – risk management is a journey, not a destination!

The fun stuff is yet to come!

Monday 4 January 2016

The Evolving Role of the Front Line in Risk Governance


From GARP –

“The risk responsibilities of front-line units at financial institutions have increased significantly. The front line must now cover the risks associated with their activities, and should therefore be held accountable by the CEO and the board for effectively assessing and mitigating those risks, according to the Office of the Comptroller of the Currency (OCC).

Until recently, it was largely the second line of defense (the independent risk management team) that led the risk management exercise, while the front line focused more on sales and revenue targets. The latter’s risk responsibilities were largely limited to not breaching risk thresholds.”


Enterprise Risk Management (ERM) Training Program



Online, Distance Learning Blended Sessions for this course are being held between the following dates - 1/28 February, 2016 – 1/30 April, 2016 – 1/31 July, 2016 – 1/31 October, 2016

Public 2-Day Sessions

13/14 March, 2016 - Dubai, United Arab Emirates

12/13 May, 2016 - Jakarta, Indonesia

10/11 August, 2016 - Bangkok, Thailand

28/29 September, 2016 - Jakarta, Indonesia

10/11 November, 2016 - Singapore

14/15 November, 2016 - Kuala Lumpur, Malaysia

7/8 December, 2016 - Hong Kong

The Enterprise Risk Management (ERM) training course is a practical, hands-on training designed for managers, professionals, consultants, and internal and external auditors who deal with the complexities of the enterprise-wide risk management function on a daily basis.

Here is how you benefit from this course:
  • How to apply the COSO-ERM framework so you can implement an effective ERM system
  • Benchmark your ERM practices against the COSO-ERM framework so you can measure how your present practices stand up to industry standards
  • Comply with the requirements for corporate governance (such as the various international standards like the Cadbury Report)
  • Get the big picture of ERM Framework
  • Learn how to align risk appetite and strategy
  • Enhance risk response decisions
  • Reduce operational surprises and losses
  • Identify and manage multiple and cross-organizational risks
  • Provide integrated responses to multiple risks
  • Gain more confidence in doing ERM in your company/job
  • Improve the deployment of capital
  • Discover how to design and implement an appropriate Enterprise Risk Management system i.e. policies, procedures, practices, and accountability required to establish the right levels of Risk Management in compliance with current standards and other requirements for your organization

Sunday 30 August 2015

How to Design and Implement an Effective Enterprise Risk Management System



Enterprise Risk Management (ERM) Training Course

2/3 November 2015 - Singapore
15/16 December 2015 - Hong Kong


This Enterprise Risk Management (ERM) training course is a practical, hands-on training program designed for managers, professionals, consultants, and internal and external auditors who deal with the complexities of the enterprise-wide risk management function on a daily basis.
