Setting up a CRP is an extension of the risk management process. It involves deep planning around what tools will be needed for specific threat types and proactively ensuring they will be available. When a risk actually occurs there will be no time for planning and coordination, so it needs to be done upfront. Consider who should be involved, both from a company perspective and any outside experts who would be required. Identify the information that’s essential to evaluate the extent of the threat and analyze an appropriate course of information. Also, consider procedures to ensure that data and information are adequately preserved and available for the CRP.
The goal of any incident response is to minimize the impact of a negative event on an organization’s objectives. This involves responding to an incident as quickly and efficiently as possible, making good decisions to limit further damage and repair any damage that has been done. In order to accomplish this, an organization should have a corporate response plan (CRP) in place that is ready to go at a moment’s notice. A CRP typically includes an oversight committee that will design the CRP and oversee the work of the corporate response teams.
Smart Business spoke with James Martin, managing director at Cendrowski Corporate Advisors LLC, about the finer points of a CRP.
What sort of events should be addressed with a CRP?
A CRP is a natural extension of an organization’s risk management process and can be designed to address risks that are particular to an organization and its industry. Such a plan could help manage risks that have a high likelihood of occurrence and a high impact if they were to occur. An organization might have
several CRPs, each designed to address specific events, for instance cybercrime, fraud, business interruption and other public relations disasters.
Why does an organization need a CRP?
Risk management attempts to identify and mitigate risks, however, it is impossible to completely prevent risk occurrence or even to identify all risks facing an
organization. This is why an organization needs to be ready with a plan. The future really is unknowable; the goal of the CRP is to make sure the organization has a mindset of preparedness and the basic tools to manage a risk occurrence when it happens.
What are the basics for setting up a CRP?
Who should be involved?
A corporate response committee should tailor the CRP for the company situation and determine who should be involved with the operation of a response team. The team is responsible for operating the CRP when an event occurs. Of course, for IT security events the committee should include members of the technology team. The members of the committee should be senior management so they can authorize the CRP and provide team members with the authority to examine transactions and events on behalf of the committee.
What are the keys to success?
Planning needs to be done to progress from threat identification to a desired outcome — the organization needs to determine the acceptable end resolution.
This will also vary by threat type, but should consider the overall goals of:
■ Minimizing business impact.
■ Resuming normal operations.
■ Repairing any damage done.
Consideration should always be given to the need for confidentiality. For certain threats, such as a report that fraud has occurred, the CRP should involve confidentiality during the process to ensure that the investigation can proceed appropriately and protect the rights of the parties involved. As with any other risk management activity, the CRP should also include an evaluation process to gauge the effectiveness of the response and identify areas to improve. Also, the risk occurrence and mitigation information should be used to check if prior risk evaluations for risk impact and likelihood ratings need to be updated. ●
James P. Martin, CMA, CIA, CFE, is Managing Director for Cendrowski Corporate Advisors LLC. Reach him at (866) 717-1607 or [email protected]
Insights Accounting is brought to you by Cendrowski Corporate Advisors LLC