Georg Wilhelm

Regarding the R(isk) in GRC, you can find a lot of different classification schemes. In the COSO ERM framework, risk is classified according to the "objective categories" Strategic, Operations, Reporting, and Compliance. Not differing much, the Casualty Actuarial Society (CAS) uses Strategic risk, Operational risk, Financial risk and Hazard risk. In our GRC LoungeTalk series, we will focus more on the areas of risk that our customers have addressed.

We start with the following seven areas and will extend the list over time.

  • Operational Risk
  • IT Risk
  • Supply chain risk
  • Environmental Risk (ISO 14001)
  • Business Continuity Management (BS 25999 Business Continuity)
  • Security Management (ISO 27001 Information Security)
  • Health & Safety (OHSAS 18001 Occupational Health & Safety)

Operational risk management covers the risks that arise simply because companies are "doing their business". These risks can result from inadequate processes, from failures of people or IT systems, from fraud, or from legal requirements. Especially in the context of Basel II, which defines operational risk as the risk of loss from inadequate or failed internal processes, people and systems or from external events, operational risk management gained new momentum.

IT risks cover losses or non-compliance with regulations caused by the destruction or disclosure of data, or by errors in or disruption of systems. As processes become more and more automated and IT becomes more and more relevant, risks in this area also gain relevance for companies and institutions.

Supply chain risks are risks that arise during the execution of the different steps of a company's supply chain, e.g. in the manufacturing or production process. The focus is on the (financial) impact that a failure or malfunction in the supply chain has on the company. Supply chain risk management results in preparing alternative sourcing processes or optimizing stock levels with regard to the identified risks.

Environmental Risk (ISO 14001) covers the risk of not being compliant with the requirements of an environmental management system that e.g. follows the ISO 14000 series of standards. Especially in the context of "going green" and "green IT", a lot of companies are dealing with this topic.

Business Continuity Management (BS 25999 Business Continuity) covers measures to establish and validate emergency processes or mechanisms for the case of a disruption of critical business functions. Crisis management and disaster recovery management, in order to guarantee SLAs or to stay within a maximum tolerable period of disruption, are central aspects of handling risks in this context.

Security Management (ISO 27001 Information Security) aims to bring information security in a company under management control and to document compliance with the chosen standard. Using firewalls or anti-virus mechanisms is quite "state of the art" in companies, but bringing these topics under explicit management control, with defined responsibilities, documented risk assessments and a managed set of controls, goes one step further.

Health & Safety (OHSAS 18001 Occupational Health & Safety) risk management is based on the same management-system principles as ISO 9001 and covers aspects that include the responsibility of top management for introducing such a system, including its planning, definition of measures and control phases. Thus, requirements for controlling the risks of occupational health and safety are defined, and continuous improvement of the management system is intended.

As you can see, the topic "Risk Management" covers a wide range of different areas. Many aspects or activities required by these areas are similar and can be covered by a generic approach with smaller or bigger adaptations. Specific enhancements have to be added to cover the best practices existing for each area. Feel free to comment or add your input on these topics, your experience or your concerns.
