>Security Risk Management – More Than Just Risk Assessment

>

Thursday, December 22, 2011

In an article in the December edition of the ACC Docket, entitled “Disciplined and Practical Risk Management”, Jim Jackson, General Counsel of Medair, discussed risk management in the non-profit arena, focusing on his experiences on this issue during his tenure at Medair.

Medair is an entity which “brings life-saving relief and rehabilitation in disasters, conflict arenas and other crisis by working alongside the most vulnerable in Africa, Asia and other areas with extraordinary need.”

This relief and rehabilitation includes the areas of “health, nutrition, water, sanitation, hygiene and shelter.” After becoming involved with the non-profit in 2010, he instituted a risk management system which included a risk assessment program and linking of this risk assessment “into what we do and to manage that effectively.”
His approach is one that can be used for any risk portfolio which a company may carry, including an anti-corruption risk based upon the Foreign Corrupt Practices Act (FCPA).

Risk Assessment

Jackson believes that many risks are similar across different organizations, both for-profit and non-governmental organizations (NGOs), like Medair. Therefore, by reviewing other risk assessment programs, it was possible for him to create a measurement of risk for his client.

The risks for Medair include “revenue stream, portfolio fulfillment, staff security, attracting and retaining staff, fraud and business continuity.” To determine the specific risks for each, Jackson led a series of interviews. He cautioned that it must be the “right people in the room.”

That is, the ones with the experience who can answer the questions related to risks the entity faces. After feedback from the interviewees, Jackson pared the initial list into a “more specific set of causes of risk and the precise areas to monitor and track.”

From this exercise, Jackson developed “probability and impact definitions and then labeled and described the specific risk.” They are as follows:

PROBABILITY


Probability Rating        Assessment
Greater than 10%           Very Likely
Less than 10%               Possible
Less than 5%                 Unlikely
Less than 1%                 Rare

IMPACT


Priority Rating           Impact Rating

1                                    Critical
2                                    Significant
3                                    Moderate
4                                    Insignificant



Risk Management

However, the risk assessment and ranking is only the first step. Jackson said that “ongoing communication is key to the effectiveness of risk mitigation.” For Medair, this communication begins when it charts its risk assessments using the above metrics at the quarterly meeting of the Executive Leadership Team (ELT), where risk “mitigation strategies are also analyzed for effectiveness.”

These strategies include “making sure that resources are allocated to mitigation actions”, and the all parts of the organization are in communication with each other regarding these actions. All of this is then reviewed at the next quarterly ELT meeting.

However, for Jackson the primary key is that risk management must be linked to the organization’s purpose and goals. Your company must to be disciplined; it cannot simply develop a risk assessment and then not use it to look at risk generally. As important as systems are, they must be “practical and linked” to what your company does.

< /div>

The Medair risk management system provides an excellent example of the tools available to the compliance practitioner. The Department of Justice identifies a risk assessments and its use in a minimum best practices program.

Further your risk assessment should inform your compliance program and not vice-versa. The Medair method of assessing risk and then managing from that assessment provide an example of an ongoing process for an overall risk management process for a company under the requirements of the FCPA.

Cross-posted from Tom Fox Law
Copyright 2009-2011 Respective Author at Infosec Island
About

For more information about me please checkout my Linkedin profile at http://uk.linkedin.com/in/padrury/

Posted in Miscellaneous Tagged with: