Risk management is systematically executed based on the principles and processes outlined in the Risk Management Framework. To have a robust framework, three questions from the Three-Stage Risk Management Framework which we constantly use to ask ourselves:
What could the problems be?
What should I do about the problems?
What happens if the plans go wrong?
As much as a hassle it may seem, these questions decrease the likelihood of firms developing a weak Risk Management Framework which can prove futile when responding to threats. Firms do not want to be caught in a situation where manageable risks or threats are underestimated, resulting in detrimental consequences.
As much as the Three-Stage Risk Management Framework (as the name suggests) is used for risk management, it can also be used in the risk mitigation planning process to identify gaps and threats that may have been overlooked.
Question 1: What could be the problems?
Some common problems include wrongful assessment of risks and overlooking secondary risks related to the primary source of risks or threats. For example, a typhoon would be a primary risk whereas other events or calamities that happen as a result of which, such as flooding, landslide, land and air transportation disruption, power outages, internet & telecommunication outages, damages infrastructures, human safety, food safety, health issues, and business disruptions, are all secondary risks. As one can see, these secondary risks are not new and can be avoidable or mitigable if only the stakeholders had taken them seriously and not waved them off as insignificant.
Question 2: What should I do about the problems?
Failure to understand the nature and severity of threats would result in a faulty Comparative Risk Value model and the lack of resources to tackle the problems. Rather than turning a blind eye to the new threats or risks which are now uncovered, it is crucial to ensure that the model takes into account all of them and resources (such as manpower, equipment and budget) are rejigged to mitigate these risks. Regardless of how robust a response or solution may be, failure to understand each threat’s scale and scope can lead to failures in the response.
Drills and exercises should always be in place to test the effectiveness of the different security plans in place. Sometimes, it is only through actual testing that we know if something works or breaks. These drills and exercises also increase the response team’s awareness and responsiveness towards executing these plans.
Question 3: What happens if the plans go wrong?
Inevitably, some threats do get overlooked or mismanaged but they must not be forgotten – these experiences serve as a reminder and an opportunity to make remedies. One can do so by firstly, reviewing the Contingency Plans and patching up the gaps that led to a near-miss or actual crisis. Finally, these lessons should be analysed and used as a case study for the risk management team to rethink possibilities and ways to better mitigate or avoid such crises. One approach to do so would be for the managers to brainstorm for complex situations or even supposedly ‘unlikely’ circumstances and come up with several solutions/response plans for one risk agent and decide on the best one based on past experiences or tested effectiveness. Never say never – what is ‘unlikely’ may not be that unlikely after all.
However robust our Risk Assessment Framework may seem, firms should conduct regular reviews to ensure the Framework is still relevant and effective to mitigate new threats and risks.