RISK MANAGEMENT final 26June12 - Neville Clarke


The common component in the risk analogy across quality, environment, health and safety, information security and business continuity is the presence and reality of unwanted risk, including the realization that threats prevail and that we have to be cautious about their consequences. As we attempt to be proactive in managing processes and in identifying risks with their corresponding threats and consequences, a weakness in risk management persists: it depends on our insight into the risks, on how well we understand our vulnerabilities, and on the effectiveness of our controls. Get the baseline wrong and you end up managing the wrong problem, and the wrong cause leads to wasted effort. Barrier Analysis, the technique underlying the Bow-tie method of risk assessment, is worth exploring to address this weakness in current risk management approaches. The barrier perspective provides structure in thinking about underlying causes and about proactive and reactive barriers. It helps you dig deeper into organisational knowledge that is implicit and make it explicit. Barrier analysis makes you look beyond the surface of threat and event assessment. It helps you be more definite about the preventive and recovery controls and about the identification of escalation factors, so that the effectiveness of the controls can be maintained.

Effective management of risk requires focus. While risk management encompasses varied applications, there is also a risk that we get hung up in its applications and detail. Get the baseline wrong and you end up managing the wrong risk, and the wrong cause leads to wasted effort. There is also a risk that risk management becomes a paper exercise that does not reach the reality of the risk deeply enough to deliver the value expected of it.

While there is an attempt to provide a holistic process for managing risks, it still has to be customized for its various applications. In the field of quality, risk centres on potential causes and effects across various failure modes; environment, health and safety focuses on the environmental aspects and hazards that bring about threats and consequences. Information security likewise focuses on threats that bring about breaches of the confidentiality, integrity and availability of information assets, and business continuity focuses on the potential disruptive incidents we intend to prevent: business disruption, disaster and, at worst, a crisis.
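The barrier analysis described above can be made concrete as a small bow-tie model. The following is an added example, not code from the Neville Clarke article: threats sit on the left, preventive barriers stand between each threat and the top event, recovery barriers stand between the top event and each consequence, and each barrier may carry escalation factors that degrade it unless an escalation-factor control addresses them. The account-takeover scenario, the barrier and control names, and the rule that a barrier with an uncontrolled escalation factor counts as degraded are assumptions made for this example.

```python
"""Bow-tie / barrier analysis evaluator (added example, not from the article).

Structure as the article describes it: threat -> preventive barriers -> top event
-> recovery barriers -> consequence, with escalation factors per barrier.
Scenario, names and the 'uncontrolled escalation factor degrades the barrier'
rule are assumptions of this example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class EscalationFactor:
    name: str
    control: Optional[str] = None  # escalation-factor control; None means uncontrolled


@dataclass
class Barrier:
    name: str
    escalation_factors: list[EscalationFactor] = field(default_factory=list)

    def uncontrolled_factors(self) -> list[str]:
        return [f.name for f in self.escalation_factors if f.control is None]

    def is_intact(self) -> bool:
        # Assumed rule: any uncontrolled escalation factor degrades the barrier.
        return not self.uncontrolled_factors()


@dataclass
class BowTie:
    top_event: str
    threats: dict[str, list[Barrier]]       # threat -> preventive barriers
    consequences: dict[str, list[Barrier]]  # consequence -> recovery barriers

    def degraded_barriers(self) -> dict[str, list[str]]:
        """Barrier name -> escalation factors that have no control."""
        degraded: dict[str, list[str]] = {}
        for barriers in list(self.threats.values()) + list(self.consequences.values()):
            for b in barriers:
                if not b.is_intact():
                    degraded[b.name] = b.uncontrolled_factors()
        return degraded

    def unprotected_threats(self) -> list[str]:
        """Threats that reach the top event with no intact preventive barrier."""
        return [t for t, bs in self.threats.items() if not any(b.is_intact() for b in bs)]

    def unmitigated_consequences(self) -> list[str]:
        """Consequences with no intact recovery barrier after the top event."""
        return [c for c, bs in self.consequences.items() if not any(b.is_intact() for b in bs)]

    def open_paths(self) -> list[tuple[str, str]]:
        """Threat -> consequence pairs with no intact barrier anywhere on the path."""
        return [(t, c) for t in self.unprotected_threats() for c in self.unmitigated_consequences()]


def example_bowtie() -> BowTie:
    """Constructed information-security scenario (assumed, not from the article)."""
    mfa = Barrier("Phishing-resistant MFA on interactive logins", [
        # No control listed, so this factor degrades the barrier.
        EscalationFactor("Legacy IMAP/SMTP basic authentication still enabled, bypassing MFA"),
    ])
    awareness = Barrier("Phishing awareness training and report-phish button", [
        EscalationFactor("New joiners untrained in their first weeks",
                         control="Training completed before account activation"),
    ])
    rate_limit = Barrier("Per-IP login rate limiting", [
        EscalationFactor("Attack spread across residential proxies defeats per-IP limits"),
    ])
    anomaly = Barrier("Impossible-travel / new-device login alerting", [
        EscalationFactor("VPN egress not logged",
                         control="Forward VPN authentication logs to the SIEM"),
    ])
    revoke = Barrier("Session and token revocation runbook")
    dual = Barrier("Dual approval for outbound payments", [
        EscalationFactor("A delegated administrator can approve their own request"),
    ])
    return BowTie(
        top_event="Attacker authenticates as a legitimate user (account takeover)",
        threats={
            "Phishing e-mail harvests the user's password": [mfa, awareness],
            "Credential stuffing with passwords reused from a third-party breach": [mfa, rate_limit],
        },
        consequences={
            "Mailbox contents exfiltrated": [anomaly, revoke],
            "Fraudulent payment instruction executed": [dual],
        },
    )


def report(bt: BowTie) -> list[str]:
    """Findings in the order a practitioner would act on them."""
    lines = [f"Top event: {bt.top_event}"]
    for name, factors in bt.degraded_barriers().items():
        lines.append(f"DEGRADED barrier '{name}': uncontrolled escalation factor(s): {'; '.join(factors)}")
    for t in bt.unprotected_threats():
        lines.append(f"UNPROTECTED threat '{t}': no intact preventive barrier")
    for c in bt.unmitigated_consequences():
        lines.append(f"UNMITIGATED consequence '{c}': no intact recovery barrier")
    for t, c in bt.open_paths():
        lines.append(f"OPEN PATH: {t} -> {bt.top_event} -> {c}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(example_bowtie())))
```

Running the block shows the point the paragraph makes: three barriers look fine on a register but are degraded by escalation factors nobody controls, one threat path reaches the top event with no intact preventive barrier, one consequence has no intact recovery barrier, and the two together form a fully open path that the escalation-factor controls, not new barriers, would close.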

Every organization is on its toes in its effort to achieve its business goals. In these uncertain times it is important to integrate Risk Management into the way we manage our businesses. We must realize that risk is the effect of uncertainty on our objectives, and that we need a structure for managing such risks if we are to sustain the achievement of our goals.

Risk Management refers to the architecture for managing risks, and Managing Risks refers to applying that architecture to particular risks. To manage such an architecture we have to be aware of the principles for managing risks, the framework for risk management, and the risk management process itself. ISO 31000 was developed to give direction for the risk management process and its application; it was published in 2009 along with the guidelines on risk assessment techniques in IEC/ISO 31010.

It is therefore timely to explore the framework and related risk assessment techniques of ISO 31000 to guide the company in structuring its risk assessment, mitigation and treatment. It will also be more effective if we support this with best practice and techniques to properly identify risk and understand the balance between reactive and preventive controls, through a risk assessment technique tested over time by organizations involved in high-risk operations. ISO 31000 and its suggested risk assessment techniques do not intend to put risk assessment in a box, but to provide options for structured thinking about risk assessment and to facilitate a risk assessment that is more visual, effective and value-adding.

In business, risks abound from all angles at any given time: the risk of customer dissatisfaction; the risks of penalties and closure arising from non-compliance with prevailing rules and regulations; the risks of attrition, cyber-attacks, fraud and repudiation; the reputational risk from any smear campaign against the company's image and its personalities. That is to name but a few. When a detailed assessment is performed, it makes all process owners realize that managing a process is not just a matter of understanding its inputs and outputs; the perspective has to expand to cover dependencies, not only for process compliance and effectiveness but for the general protection of the process from risks to business continuity. The challenge to companies is to understand the environment in which they operate, to understand the prevailing threats to their priority processes, to determine the impact on the business, and to prepare business contingency plans and recovery strategies to mitigate such risks.

As systems evolved, managing processes became more than just documenting procedures: we began to look beyond effectiveness at resources and their conservation, towards efficiency. Managing processes became more than making a plan out of what we would normally do per customer and regulatory requirement; we began to look more closely at process dependencies and to evaluate the risk of failure in any of them.

As the market widens, technology keeps improving and convenience becomes a top concern in managing processes, risk increases across every transaction. Managing risk used to be a specialist function; nowadays we see every process owner becoming aware of business risks and initiating and instituting controls in their processes beyond the basic requirements. At this juncture, companies are bracing themselves for bigger risks. The climate has been marked by disasters brought about by climate change, and the need to conserve natural resources and reduce our carbon footprint has become a priority concern for companies as a contribution to business continuity. Technological convenience and the risks it brings intensify image or reputational risk, because information is disseminated fast across the many media and channels available.

Risk Management – The Role It Plays In Business Management

Risk Management and Integrated Management Systems

Risk Management and Business Continuity Management Systems


A new standard, released in May 2012, is ISO 22301:2012, which sets out the societal security management system requirements for emergency preparedness and business continuity. Within a defined scope, the standard covers the possible threats, events and disruptive incidents.

The standard incorporates the universal and cyclical PDCA approach seen in the typical management system, extending the conventional business continuity planning process to take greater account of business continuity and to prepare the organization's critical business functions against unforeseeable events that could change the risk environment and impact business continuity. It will incorporate 'failure scenario assessment methods' such as Threat Profiling and Assessment and FMEA (Failure Modes and Effects Analysis), with a focus on identifying 'triggering events' that could precipitate serious incidents. It will streamline resources among business continuity, disaster recovery, emergency response, and ICT security incident response and management activities.

The coverage of ISO 22301 is similar to that of BS 25999-2: business continuity policy, business impact analysis, risk assessment, business continuity strategy, business continuity plans, exercising and testing, and so on, all intended to raise the company's level of resilience and credibility. The importance of this standard is fast increasing, along with the business intent to address the action requirements for managing the risks that abound. As the old mantra goes, an ounce of prevention is worth a pound of cure. While the regular process owner still struggles with the difference between Correction and Corrective Action in addressing prevailing business concerns, managing business continuity requires us to facilitate a change of emphasis from Corrective Action to Preventive Action. Preventive action should be a primary focus of business today, along with performing a good business impact analysis and running programs to manage the risks.

The Game of Innovation

As the marketplace expands with the growing push for industrial globalisation, CEOs face pressure to drive further operational and product innovation to meet customer demand. In a fast-paced environment, meeting customer demand without sacrificing quality is necessary; as such, the concept of innovation seeks to bridge this gap through proper identification of the critical business areas that deliver customer needs. While the ultimate goal is to identify opportunities for improvement, such objectives may not be realised if the accompanying risks are not managed diligently. As failure becomes not an option, CEOs turn to two management approaches to resolve their questions about innovation uncertainty: Lean Six Sigma and Design for Six Sigma.

Calculated Risk with Design for Six Sigma

Product development is a crucial part of playing the game of innovation. At the onset of product planning, one missed potential failure could ultimately spell disaster. Realising that a lot can go wrong from planning to execution, project management efforts are now centred on placing control points in critical areas of the product life cycle. Such an approach to product development dwells heavily on what is known as Design for Six Sigma (DFSS). DFSS addresses risk through its Define, Measure, Analyse, Design and Verify (DMADV) method of product planning. At the start of the product lifecycle, product definition requires the proper identification of the potential value of the innovation. It is at this value-defining stage that most companies fail to realise the potential risk of the innovation and its accompanying impact. As a result, corporations experience an accelerated rate of innovation just to cope with market demand, and that accelerated rate can ultimately lead to product and market saturation as consumers become unresponsive to the product.

Because of the realisation of such risk, project management now treats the early stages of innovation as a means to mitigate risk by properly classifying potential threats and their possible impact. DFSS as a tool for product development has a proven track record of providing useful control points in the product lifecycle. These control points can help address potential market saturation by establishing the value and priority of the innovation through product simulation and quality function deployment.

Risk management through Lean Six Sigma

While innovation is commonly misconceived as being limited to products, the concept may also be applied to business processes. Since business processes are likewise output oriented, their vulnerability to the failure of people and systems is very evident; such risks can affect one's operations directly or indirectly, as manifested in the output. With Basel II drawing the line on what operational risk is (the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events), there has been a growing consciousness of how such risk can be properly managed in order to improve, or at least maintain, one's service level.

The stringent and structured methodology of Lean Six Sigma offers a proactive approach to addressing operational risk through the proper identification and evaluation of defective processes and recommendations on how they may be eliminated. The Lean Six Sigma philosophy sprang from two of the most effective problem-solving approaches pioneered by leading organisations, Lean and Six Sigma: the first aims to streamline processes and remove non-value-adding activities, the latter focuses on providing consistent output through variation reduction.

The systematic approach of Lean Six Sigma proves a very useful method for addressing risk management within an organisation's business processes. Its focus on process flow efficiency and service level variation reduction is an important facet if one is to calibrate one's operations. Moreover, the Lean Six Sigma problem-solving philosophy also aims to assess such processes in order to identify potential gaps in operations that could lead to service delays and inconsistency.

Taking the stage

Realising the greater need to address such risk in order to propel towards operational innovation, Neville Clarke has long promoted Lean Six Sigma as a tool for achieving that goal. Dedicated to being a preferred business solutions provider, Neville Clarke has been assisting organisations to realise these objectives through consultancy and training centred on the idea of speed and quality. The corporations assisted by Neville Clarke are well on their way to becoming more competitive and operationally innovative through the use of Lean Six Sigma.