DTR007 Introduction to Risk, Resilience and BCM

This module will take you through Introduction to Risk, Resilience and Business Continuity Management.

  1. Introduction
  2. The Changing Nature of Modern Risk Management – Complexity
  3. The Three-Stage Risk Management Cycle
  4. Centralized Management
  5. Emergency Incident Management
  6. Business Continuity Management
  7. Business Continuity and Crisis Management
  8. Corporate Risk Management and Decision-Making
  9. Planning, Training and Exercising of Gold, Silver and Bronze Levels
  10. Risk Management System based on the ISO 31000 Standard
  11. Organisational Resilience Management

The information in this document is part of the Deltar ‘Level 4 Management Award in Advanced Risk and Crisis Management’.

Introduction

Modern risk management has changed significantly over the last twenty years, and it can be said that 21st-century risk management is so different from that of previous generations that it can be seen as a subject demanding its own specialist skills and study.

Many security and risk managers have ‘learned their trade’ by doing the job, and although there is now an increasing range of professional courses, qualifications and even advanced academic degrees in risk and crisis management, the simple truth is that many people who are tasked with increasingly complex roles in organisations, including risk management, business continuity management, resilience, and crisis management, have not been given the skills, training or experience to truly understand how such roles should be fulfilled.

The purpose of this course is to give participants an insight into all of the major functions of a modern risk and crisis manager, including planning, team development, capability development and response management. It will enable them to return to their organisations with the knowledge and skills that will allow them to take leadership in all aspects of risk and crisis management, and to have a clear understanding of what is required in order to plan for and respond to the widest range of potentially disruptive events.

The Changing Nature of Modern Risk Management – Complexity

If there is one factor that is central to the study of modern risk and crisis management, it is complexity. The world itself is more complex, the nature of the problems and challenges we are facing is more complex, and the nature of the solutions that we are required to deliver is more complex.

These are critical issues that the modern risk manager needs to be aware of, and it is the overarching objective of this course to provide participants with all of the tools, skills and capabilities they need in order that they can take leadership in their own organisation for all aspects of security and risk management, offering the same level of professionalism as would be expected from the senior managers in any other division.

The Three-Stage Risk Management Cycle

Classical risk management is based on a well-recognised three-stage management process, namely Risk Assessment, Risk Control and Contingency Planning.

Each of these sections has its own models and templates, but they are designed to deliver an integrated, rational risk management programme that will allow the risk managers, the organisation as a whole and the individual departments within it to identify potential problems, to initiate protocols and processes that will minimise the risk of those events happening, and then will give the organisation the widest range of response options that can be used in the event that such an event were to occur.

Centralized Management

The challenges and pressure associated with risk management mean that special thought must be given to the management structure itself. As an example, what level of authority is given to lower-level teams, or those that are working farther away, and what level of authority is maintained by the central management structure? It must then be asked whether these are appropriate to both normal operating activities and to emergency management, or whether there is a need to have the ability to adapt those management structures depending on differing circumstances.

Each event will require a unique response, and the ability to create a response management framework that is most appropriate to the scale, intensity, duration and impact of each event is one of the fundamental challenges for all emergency response managers.

Emergency Incident Management

Once an incident does occur, there is the need to have automatic response protocols in place that can be triggered to manage the response to the initial stage of the incident, whilst information can be gathered, decisions made, plans formulated and responses agreed.

The development of such plans is a critical function of security and risk management, and will be a significant issue in deciding how effective an organisation is in responding to such an incident if it were to occur, and in deciding how effective the organisation would be in safeguarding its own operations, functions and capabilities.

Old and New Versions of Incident Command Systems

The technology has changed, but the objective remains the same:

  • Gather information
  • Create a plan
  • Communicate with teams on the ground

Business Continuity Management

Business Continuity Management (BCM) covers both the development of BCM plans, also called Business Continuity Planning (BCP), and the management of the response once an unwanted event has occurred. The purpose of both BCP and BCM is to ensure that the organisation has the capability to respond to the widest range of possible events in the most robust and resilient manner, in order to maintain its functionality, and in the worst case, its continued existence.

Given the high level of dependency that any organisation has in the current world on outside factors, the ability to develop effective business continuity management plans is also critical in identifying potential critical failure points that can then be managed pro-actively before a potentially disastrous event occurs. From this perspective, BCP is part of the organisational strengthening cycle rather than just a set of plans that are used once an event has occurred.

One of the issues at the centre of all business continuity management is the issue of risk communication. Different people have different attitudes to risk: some are more risk averse, in that they prioritise the known and safe over possible new opportunities that are unknown and may be considered potentially risky, while others may see the same opportunities as being worthwhile in terms of the potential benefit, and believe that the risks themselves can be managed in an effective way.

The ability to discuss such matters in a way that allows everyone to understand the issues involved, and come to an agreed position, is at the basis of risk communication, and allows different risk management strategies to be considered that will then allow for the appropriate balance between managing the risk but not cutting off future opportunities that would otherwise be utilised by potential competitors.

Business Continuity and Crisis Management

Corporate risk management involves a wide range of different functions, including Risk Management, Incident Management, Emergency Management, Business Continuity and Crisis Management. In order to have an effective risk and business continuity management capability, all of those functions need to be integrated into a single framework that allows the knowledge and capabilities held by each individual unit to contribute to the greater safety and security of the organisation as a whole.

Corporate Risk Management and Decision-Making

However well-designed the corporate risk management programme might be, when an actual situation occurs, there is often an inability to make effective decisions given the stresses and pressures associated with an actual incident occurring in real time, with the potential negative consequences of any decision that might be taken. Just as an individual can freeze when put under pressure, so can an organisation. These are issues that must be considered as part of the risk management planning process, and the better that an organisation and its critical decision-makers understand these challenges, the better prepared they will be to take those decisions when required.

Planning, Training and Exercising of Gold, Silver and Bronze Levels

The basis of any skill development is structured practice, which can then be tested at increasingly challenging and complex levels. It is no different in risk and security management, and one of the critical parts of the business continuity management development process is structured training and exercising that will ensure that each individual unit understands their roles and responsibilities, and has the necessary skills and capabilities to deliver those functions, but which will ensure that they also have an understanding of how they integrate with other units around them.

Business continuity management is always an issue of multi-team response and integration, and the more effective the training programme, the more effective will be the actual service delivery once they are needed in the face of an actual situation.

The training itself can be developed from simple exercises designed to develop and then test skills, but which will then become more complex, so that eventually every level of the decision-making structure, including Gold (Strategic), Silver (Tactical) and Bronze (Operational), will understand all of the issues associated with complex operation management, and will have the skills and capabilities to work together effectively as a single unified response team.

Risk Management System based on the ISO 31000 Standard

ISO 31000 is accepted as the international standard for risk management and associated activities. Rather than being a detailed management programme in itself, ISO 31000 identifies critical areas that need to be addressed, and offers a checklist against which any organisation can measure its own current risk management practices, and can be used as a template for future risk management development programmes.

Organisational Resilience Management

However well developed an organisation’s risk management programmes are, the world is full of examples of situations where the risk management capabilities were simply not strong enough to survive the shock of an actual emergency incident. The final issue in risk management and business continuity management is ensuring that the organisation itself, and all aspects of its BCM programme, are robust enough to operate in the widest range of potential situations.