Modern Risk Management - Coursework Example

Running Head: MODERN RISK MANAGEMENT Modern Risk Management Name Institution Date Modern Risk Management This essay portrays the components modern risk management and delves into details about how these requirements can be implemented in an organisation in preparation to combat risk and safeguarding the operations of an organisation should an incident that can potentially cause a disruption in the normal activities of an organisation occur. Risk management in the modern world has taken equal if not more importance in the running of organisations that finance and resources management have enjoyed for many many years. The essay briefly describes what a risk management programme is and in depth explains how security risk management, crisis management and contingency planning can be developed and implemented in a modern risk management programme. The essay also examines who in an organisation is vital in the formulation of a risk management team and outlines what their roles in the team are and why it is important to include them. Risk management can be defined as an attempt to identify and then manage the threats that could have severe impact or potentially bring down an organization. In general terms risk management generally involves reviewing the operations of an organization, identifying of the potential threats to an organization and assessing the likelihood of those threat occurring, and lastly taking appropriate action to address threats which are the most likely to occur (Bateman, 2006) . The world has quickly moved from the old times when risk management was merely thought of as a matter of securing the most appropriate or right insurance. Traditionally, insurance coverage normally came in quite standard packages, so people had a tendency to not give risk management the serious attention it needed. As the world has developed over time, that kind of impression about risk management has undergone a dramatic change. Recent times have seen a major increase in rules and regulations in organizations, lawsuits from employees and more reliance on key resources, hence risk management is rapidly becoming a management practice which has the same kind of importance given to areas such as financial and resources management (Myers, 2002). Organizations have seen the need to ensure that they are adequately prepared to handle the more unusual, extreme and infrequent occurrences which pose a threat to an organization’s staff and operations. Some of these risks include but are not limited to : explosions, fires, terrorist activities such as bomb scares and suspect packages, product contamination, flooding, robbery and kidnapping. When an organization puts in place effective plans, it as a result minimizes injuries to its staff and down-time, helps to maintain morale of its staff, protects and also enhances the reputation of the organization (Silva, 1995). Developing a good risk management programme takes a process that should be effectively supervised professionally by competent and well informed professionals who understand the different dimensions of risk in the developing challenging world of doing business. Risk management is no longer a matter of getting a good insurance cover as there are a lot of unpredictable situations that could cripple a business in an instant and those new risks need to be assessed by professionals who are capable of thinking outside the box and identifying threats the other people would ordinarily brush aside (Myers, 2002). In the process of developing a good risk management programme, there is a need of making of a risk analysis. The analysis consists of assessing all the possible threats to an organisation including all its various levels of operations, the different sites and countries as is appropriate. The need to make a comprehensive analysis is based on the fact that for a multinational doing businesses in different countries, even when the risk policy is meant to encompass the organisation as a whole, there are risks that are prevalent in one country but are not as common in another (Bateman, 2006). And even if it is just a company that does business in just one country, the levels and types of risks would differ maybe from a department to the next. Take for example a company that manufactures paint. There are risks that could only affect those working in the factory itself but not those in other departments for example sales. For a multi national, even though there are no places that can be certified to be terrorism free, the risk in of bombing affecting the operations of a company operating in Basra is not the same as that of the operations of that same company in Birmingham( Myers, 2002) . There is a need for organisations to conduct regular, comprehensive and focused assessments of what could consist of potential risks to the organisations. This is known as risk management assessment. A focused risk management assessment should be undertaken at regular intervals preferably two or more times every year. A risk management assessment should be undertaken by a team of members of an organization’s staff and this team should be comprised of representatives from each of the major functional areas of the organization. The risk management assessment needs to be carefully planned, methodically carried out and well documented (Figlewski & Levich,2002). The human capital of an organisation and proper management of the same is an aspect of risk management which is much too often overlooked. Each of the key roles in an organization need to have some kind of resource to back up the performance of that particular role. To give an example, some other person in an organization should have the general understanding of another employee's role in the organisation so that in case that other employee for any reason is not unable to perform his role, the normal operations of the organisation will not be adversely affected by (Silva, 1995). To better understand how other employees carry out their roles in an organisation, the others can make proper use of up to date job descriptions, to-do lists and reading of regular status reports so as to familiarise themselves and better understand how others employees carry out their roles (Figlewski & Levich, 2002). The management can have one staff member backing up another member who is on a vacation for example. During the staff meetings, as a manager you can have a staff member make a presentation about their role in the organisation and explain how they carry out their role. The management needs to ensure that each distinctive and critical role has one backup person in the least who can effectively step in to conduct the role of another key member of the staff who for some reason may not be there to perform his duty. Management needs to allocate the necessary resources to ensure that employees who could act as a backups to the other employees who play a major role in an organisation are well prepared and adequately trained to fill in case of any eventuality (Bateman, 2006) . I would justify allocating funds for the purpose of training an employee from within the organisation because in the long run it is cheaper than the loss that could occur due to a sudden loss of vital staff or the process of recruiting a similarly skilled person. The organisation must ensure that it enforces physical security and in this regard theft is rightfully the major physical threat that is a concern to any organisation. The simplest and basically what most people would consider a solution to this problem is the simple act of keeping doors locked but this simple solution is not always feasible. When it comes to the security of the computers in an organisation, keeping the computers locked to a table or a wall could be a good deterrent measure against a casual theft, the shoplifting style kind of theft but this will not deter a professional. A combination of alarms and locks is a better way of preventing computer theft and as a manger, it would be important to allocate resources towards implementation of a proper alarm system and better and more sophisticated locks as a measure of dealing with the risk of theft (Kendrick, 2009). Sprinkler systems and smoke detectors are a good investment when an organisation is aiming at allaying the threat of fire. These measures can help protect equipment of an organisation including the hardware parts of the organisations computers. However, computers have some uniqueness in that the loss of the hardware part of the computer is not in any way comparable to the loss of data. Loosing of the data stored in the computers is most costly damage and this damage cannot be prevented by smoke detectors and sprinklers (Silva, 1995). Loss of data can be prevented by ensuring that back up tapes are stored in remote locations. As a manager, i would ensure that the organisation is protected from the risk of fire by putting in place smoke detectors and sprinkler systems an investment i believe would pale in comparison to the loss that would occur from fire if these were not put in place (Kendrick, 2009). To save data which is even more sensitive and a more expensive loss than the loss of physical equipment, i would ensure that there is a data backup plan in place. This data backup plan would involve storing backups of the organisations data in remote places so that even if a tragedy occurs and data in the computers of the organisation gets lost, there would be a backup of that data to enable the organisation to get back into operation. Organisations have been known to get irreversibly damaged and to get completely crippled due to loss of important data. It is simpler to invest in sprinklers than to wait for a fire to damage an organisation’s property because the cost of buying new equipment would be higher. Another low cost investment i would make as a manager is putting in place uninterruptable power supplies and surge protectors which can save an organisation some very costly equipment damage. In regions that are prone to intense thunder storms or even power outages, these are very important especially when the equipment or computers must be used continuously. Some surge protectors are also capable of protecting phone lines going to a modem (Kendrick, 2009). Most of the risks facing organisations have to do with computers since data is the most important asset in every organisation. Generally, putting measures to have data backed up in remote areas is a very important and major step that helps in the prevention of loss of data. When information for some reason gets lost, the cost to an organisation in reproducing the same information is very costly in terms of resources, sometimes more costly than the original cost. Data integrity however is a greater concern as there are dangers to data even when it has been stored in remote locations or within the organisation. Viruses are a major problem and there is not system that can be claimed to be totally safe from this problem (Kendrick, 2009). Virus protection is necessary for any Macintosh or PC. Investing in a proper virus protection is a necessity for every organisation that is concerned with the integrity of its data. A major step in an organisation’s preparedness in combating any crisis is the establishing of what exactly consists of a crisis and outlining when the formulated plans of dealing with the crisis have to be activated. Preparation is always the best way to give oneself a better chance of being able to combat a problem when it finally comes (Silva, 1995). When an organisation is anticipating a problem, it is easier for that organisation to deal with the problem than an organisation that gets caught unaware by a major crisis. The management of an organisation needs to professionally assess all the areas that are prone to risk and classify them with appropriate levels of response. Giving an example of New York city as an organisation, there is a risk of terrorism facing the city practically everyday. But what should the levels of response be? The magnitude of the 9/11 attacks was indeed massive and comparing that attack with the recent botched car bomb attempt, the two incidents can both be classified as terrorists attacks but the question is, would the response from the authorities of New York city be the same? I would think not. Similarly, the challenges that face other organisations vary in the degree of magnitude. After an organisation has assessed and formulated the policy about what constitutes a crisis and what doesn’t, the point of planning based on all the facts gathered comes in (Kendrick, 2009). The management of the organisation has to develop the appropriate responses for the particular levels and types of incidences according to the outline in their policy. Their response needs to be a[appropriate in relation to the specific states of alerts and the responses should involve the establishment of the decision making structures and establishment of effective communication with the affected parties. The level of to which a problem can potentially escalate is dependent on how the management effectively implements its responses policy (Doherty, 2000). The effectiveness of any response is very much dependent on how well the plans that have been formulated after all the work that goes into assessment are been implemented. Proper and effective implementation of the organisation’s response strategies can only be better achieved when a crisis management team has been put in place (Borodzicz, 2004). There needs to be clear organisation with each member of the team being assigned his responsibilities. Since the crisis management team will be drawn from the staff of the organisation, there will be need for every individual to be clearly briefed about what his roles within the team are and for there to be a clear guideline about who is answerable to whom. The members of the crisis management team are likely to be assigned roles that are outside of the scope of what they normally do for the organisation or out of their job description and hence the leadership structure of the team will not be the normal hierarchy in the day to day running of the organisation (Laye, 2006). The other area in the crisis management response is the preparation of important documents. There needs to be a preparation of implementation plans and specific guidelines that state what specific actions are to be taken for a range of various emergencies. The key documents should also consist of an update directory for external and internal contacts that must be informed of incidents and should be involved in the resulting actions (Laye, 2006). No organisation is immune and at times, an organisation can experience a very serious incident which can totally disrupt its operations and prevent it from carrying on business as usually. These incidents can be anything ranging from fires to floods to serious computer malfunctions and information security incidents to earth quakes or terrorist attacks. The modern risk manager knows that the risks come from so many sources and any one of the sources can cause an organisation to come to its knees or in the least disrupt the normal operations. When these incidents occur, the organisations managements have the responsibility to recover from those incidents within the least amount of time possible, minimum disruption and at the minimum cost. All of these of course demand for adequate preparation and meticulous planning and every organisations needs to allocate funding to take care of the preparations and planning that go into ensuring that all of that happens (Figlewski & Levich, 2002). The importance for an organisation to take very seriously the development, maintenance and implementation of disaster recovery and business continuity can not be overemphasised. The vital task of developing and maintaining of the recovery plan is not a task that can be kept pending waiting for people to clear their schedules so that they can finally make time to deal with the issue (Doherty, 2000). Serious incidents can occur at any given moment and organisations need to be adequately prepared and at levels of alert all the time such that when those incidents happen, the plans of dealing with them can be swiftly set into motion. An organisation that does nit have properly laid out strategies of how to respond to those eventualities face a greater enemy from within, an enemy a lot greater than all their competitors put together. The area of risk management for this reason needs to be given the importance it deserves (HSE, 2006). A contingency plan in as far as an organisation is concerned is management process which identifies potential impacts which threaten the organisation. The contingency plan presents a framework to building the potential of an organisation to effectively respond and possibly recover from a disruptive incident (Focardi & Fabozzi, 1998). This process needs to be integrated fully and embedded as a management process in an organisation. The aim of a contingency plan is to build or improve the resilience of an organisation by identifying way in advance the impacts of various disruptions that may suddenly occur in an organisation and hinder it from succeeding. The contingency plan must prioritise efforts of various specialists in an organisation targeting the achievement of resilience in areas such as facilities, Information Technology and security (Kendrick, 2009). Contingency planning is mainly concerned with the development of an organisation-wide resilience that can allow an organisation to stand even when it has lost a part or all of its operating capability. It also entails making it through despite the loss of resources such as equipment or staff. The resilience must be developed all through the organisation because the ability of an organisation to survive depends on the operational management and staff and also technology (Focardi & Fabozzi, 1998). The contingency plan of an organisation must be developed by a team that is well constituted and properly represents all the functional areas of an organisation. If we are talking about an organisation that is quite huge in terms of size, there needs to an establishment of a formal project which should have support and approval from the highest level of management (Doherty, 2000). For such a contingency plan, the lower level management can not do it by themselves and need the support and approval of top management, otherwise putting such an enormous plan is not possible without the participation of top decision makers (Laye, 2006). The first undertaking in the process of preparing a contingency plan is the preparation of a comprehensive list of all the potentially disastrous incidents that would in a way adversely affect the organisation’s normal operations (Silva, 1995). The list must include all the possible incidents that could occur no matter how trivial they may appear and no matter how remote their likelihood of occurring may seem. As a leader involved with preparation of the contingency plan, i would first note probability rating for each one of the items listed as potential risks. Also, there would be rating of every individual incident in terms of how severely its occurrence would impact on the organisation. This would enable the team to make a plan that is based on the needs of the organisation (Borodzicz, 2004). After completing the assessment stage the team would now be able to establish a structured plan (HSE, 2006). This plan would contain a set range of milestones to steer the organisation from the state it would be after the disruption due to the occurrence of the incidence and the milestones would detail how the organisation would be propelled back to normalcy in terms of its operations. Naturally, the first of these milestones would be the process of how the organisation would deal with the immediate aftermath of the occurrence of an incident. This would involve emergency services or the other specialists trained on how to handle extreme situations (Laye, 2006). The next course of action would be to determine the critical functions of the business that are vital to the organisation and need to be urgently resumed and also the order in which the operations would be resumed. As a matter of necessity, the plan would be detailed and would identify the key individuals who would be aware and well versed of what would be expected of them under the comprehensive contingency plan. The contingency plan once developed for the organisation, it would be subjected to rigorous tests meant to rectify any flows that might appear (Silva, 1995). The testing would be properly planned and the conditions under which it would be carried out would be made suitable so that the conditions reproduced would be authentic. Those people who would be expected to carry out certain activities if an incidence was to occur in reality would be the same people to test the plan. For the purpose of perfection, there would be methodical recording and documentation of the results as this would guarantee the obtaining of feedback to be used in fine tuning of the plan. As a manager, i would also sanction the auditing of the plan and the contingency to back up the arrangements supporting it (HSE, 2006). Due to the fact that the top executive in an organisation is the main decision maker, even in times of crisis, it should not be any different. The top executive is the main person i would include in a crisis management team due to his or her position of authority (Pritchard, 2005). In any case, the top executives should not be seen to take the back row in times of crisis and that is not just because it is bad for morale but also because they need to be seen to be leading their troops in response to a crisis. The main responsibility of the executive would be to make recommendations and to support the crisis management team in carrying out its responsibilities and to be supportive of its mandated roles (Crouhy & Galai, 2006). In the crisis response team, i would also include a media relations person whose roles would include liaising with and disbursing information to the families of those injured or killed in the event that brought the crisis, inspiring and giving moral support to employees, deflecting attention from or shielding the crisis management team from undue attention so that they can effectively carry out their duties. It would also be the duty of the media relations person to interface between the shareholders and the board of directors, deal with the regulatory bodies that might be involved as the crisis unfolds (Jeynes, 2002). The other members of this time would include representatives from IT, human resources, business continuity, medical services, facilities management, safety and corporate security (Pritchard, 2005). The IT representative would of course be responsible to ensure that the information technology department is back up as soon as possible so that communication can resume within the shortest time possible. The human resources representative would be responsible for ensuring that employees know what is going on and are updated regarding their roles because in the absence of this, it would be counterproductive as people might panic wondering what becomes of them at the end of the crisis (Crouhy & Galai, 2006). The business continuity representative in the crisis management team would be responsible for advising the crisis management team in its effort to ensure that business does not come to a standstill. Just because there is a crisis doesn’t mean that the operations of the corporation should also stop. The representative from the medical services part of the corporation would be responsible for the medical aspects of the team’s response to the crisis (Jeynes, 2002). The facilities management representative would assist the team in identifying those areas of the corporations facility that are able to be used and those that should not be in use due to the dangers that might occur depending on the nature of the crisis. The safety member would be responsible for advising the team on the safety procedures to be taken in order to avoid further danger (Lam, 2003). The corporate security representative in the team would be responsible for advising the team and overseeing the implementation of all the security measures necessary to minimise the chances of an escalation of insecurity brought about by the event leading to the crises (Frenkel, Hommel, Dufey & Markus, 2005). In conclusion, modern risk management is far more complicated than risk management was viewed in the past (Focardi & Fabozzi, 1998). It entails putting in place measures that can ensure the survival of an organisation even in times of calamities which may disrupt the organisation’s operations. No organisation in the modern world of doing business can afford to exist without a risk management programme as failing to put such a programme in place is tantamount to suicide in the business sense of the word. The risk management programme of every institution should fully encompass Security Risk Management, Crisis Management procedure and Comprehensive Contingency Planning. References Bateman M. T. (2006) Practical Risk Assessment Handbook. Montreal: McGill Queen's University Press. Borodzicz, E. (2004) Risk, crisis and security management. NY: Harper Collins. Crouhy, M. & Galai, D. (2006). The essentials of risk management‎. London: OUL Doherty, A. (2000). Integrated risk management: techniques and strategies for managing. London: Penguin. Figlewski, S. & Levich, M. (2002). Risk management state of the art‎. NY: Sage. Focardi, S. & Fabozzi, J. (1998). Risk management: practice, ‎framework, and methods. London: OUL. Frenkel, M., Hommel, U., Dufey, G. & Markus G. (2005). Risk management: challenge & opportunity‎. London: Penguin. HSE, (2006). Five steps to risk assessment.London: HSE Jeynes, J. (2002). Risk management: Ten principles‎. NY: Sage. Kendrick, T. (2009). Identifying & Managing the Project Risks: The Essential Tool for Failure. NY: Sage. Lam, J. (2003). Enterprise risk management: from incentives to controls‎. NY: McGraw-Hill. Laye, J. (2006). Avoiding disaster. NY: McGraw-Hill. Myers, K. (2002). Business continuity strategies. NY: McGraw-Hill. Pritchard, L. (2005). Risk Management: Concepts & Guidance‎. London: Penguin. Silva, M. (1995). overdrive: managing in crisis filled times. NY: Harper Collins. Read More