The goal of any incident response is to minimize the impact of a negative event on an organization’s objectives. This involves responding to an incident as quickly and efficiently as possible, making good decisions to limit further damage and repair any damage that has been done. In order to accomplish this, an organization should have a corporate response plan (CRP) in place that is ready to go at a moment’s notice. A CRP typically includes an oversight committee that will design the CRP and oversee the work of the corporate response teams.

Smart Business spoke with James Martin, managing director at Cendrowski Corporate Advisors LLC, about the finer points of a CRP.

What sort of events should be addressed with a CRP?

A CRP is a natural extension of an organization’s risk management process and can be designed to address risks that are particular to an organization and its industry. Such a plan could help manage risks that have a high likelihood of occurrence and a high impact if they were to occur. An organization might have several CRPs, each designed to address specific events, for instance cybercrime, fraud, business interruption and other public relations disasters.

Why does an organization need a CRP?

Risk management attempts to identify and mitigate risks; however, it is impossible to completely prevent risk occurrence or even to identify all risks facing an organization. This is why an organization needs to be ready with a plan. The future really is unknowable; the goal of the CRP is to make sure the organization has a mindset of preparedness and the basic tools to manage a risk occurrence when it happens.

What are the basics for setting up a CRP?

Setting up a CRP is an extension of the risk management process. It involves deep planning around what tools will be needed for specific threat types and proactively ensuring they will be available. When a risk actually occurs there will be no time for planning and coordination, so it needs to be done upfront. Consider who should be involved, both from a company perspective and any outside experts who would be required. Identify the information that’s essential to evaluate the extent of the threat and analyze an appropriate course of information. Also, consider procedures to ensure that data and information are adequately preserved and available for the CRP.

Who should be involved?

A corporate response committee should tailor the CRP for the company situation and determine who should be involved with the operation of a response team. The team is responsible for operating the CRP when an event occurs. Of course, for IT security events the committee should include members of the technology team. The members of the committee should be senior management so they can authorize the CRP and provide team members with the authority to examine transactions and events on behalf of the committee.

What are the keys to success?

Planning needs to be done to progress from threat identification to a desired outcome — the organization needs to determine the acceptable end resolution.
This will also vary by threat type, but should consider the overall goals of:

Minimizing business impact.
Resuming normal operations.
Repairing any damage done.

Consideration should always be given to the need for confidentiality. For certain threats, such as a report that fraud has occurred, the CRP should involve confidentiality during the process to ensure that the investigation can proceed appropriately and protect the rights of the parties involved. As with any other risk management activity, the CRP should also include an evaluation process to gauge the effectiveness of the response and identify areas to improve. Also, the risk occurrence and mitigation information should be used to check if prior risk evaluations for risk impact and likelihood ratings need to be updated.
 
James P. Martin, CMA, CIA, CFE, is Managing Director for Cendrowski Corporate Advisors LLC. Reach him at (866) 717-1607 or jpm@cendsel.com
 
Insights Accounting is brought to you by Cendrowski Corporate Advisors LLC
Published in Chicago

Challenging times present opportunities for organizations to perform detailed assessments of their operations. Performing operational assessments can help organizations identify, mitigate and take advantage of the risks that they face. These assessments focus on process design and execution risks.

“When properly performed, operational assessments identify areas where process design and execution risks are not aligned with an organization’s risk tolerance,” says James P. Martin, a managing director at Cendrowski Corporate Advisors LLC.

Smart Business spoke with Martin to learn more about operational assessments.

How can operational assessments help?

Organizations must achieve a diverse set of strategic objectives. This is accomplished by translating strategic objectives into what are often interdependent yet disparate operational objectives.

Operational objectives include revenue growth, operational efficiency, compliance with laws and regulations, public perception, corporate responsibility and market leadership, as well as customer and employee satisfaction. Attainment of each requires the assumption of inherent risks.

Operational assessments focus on mitigating inherent process design and execution risks through the use of controls. Controls are employed to reduce an organization’s residual risk, or risk after control implementation, to a tolerable level.

What’s included in operational assessments?

Operational assessments examine whether an organization’s processes enable the achievement of strategic objectives. The first step is breaking down process design and execution elements into tasks performed by employees. This is often accomplished through employee interviews, as well as through observation in the workplace.

Once tasks have been identified, risks associated with the accomplishment of tasks are enumerated, as well as controls centered on mitigating risks. Risks are quantified by likelihood and impact. High-likelihood and/or high-impact risks are prioritized for mitigation in operational assessments, as they pose the greatest threat.

How can organizations decrease high-likelihood and/or high-impact risks?

High-likelihood risks can be decreased through preventive controls, while high-impact risks can be decreased by detective controls. For example, organizational training regarding fire hazards decreases the likelihood that a fire will occur. This is a form of preventive control. Proper placement of fire detectors throughout an organization’s premises decreases the potential impact should a fire occur. This is a form of detective control.

For risks that remain at a level too high for the organization to tolerate, new controls must be developed to bring residual risks in line with the organization’s risk tolerance. Otherwise, the organization should consider outsourcing the risk — for example, utilizing hedging strategies and insurance contracts that transfer risk to a third party.

What can be missed when performing operational assessments?

A key element that is sometimes missed by those performing operational assessments is the assignment of clear roles and responsibilities to team members who will oversee the creation and redesign of process controls. Without accountability, proper incentives are not present, and the operational assessment may struggle to achieve its intended results.

How do these assessments differ?

Risk assessments primarily assist organizations in preserving shareholder value, while operational assessments also help organizations grow shareholder value. More specifically, a risk assessment is really a deep dive into one component of an operational assessment. It involves the identification and analysis of potential risks that may impede an organization from achieving its strategic objectives.

By performing risk assessments across the organization, organizational managers can develop plans to mitigate the risks an organization may face, helping preserve its objectives from potential threats and, hence, its shareholder value.

Actively identifying internal risks also can help organizational managers remove the opportunity for fraudulent activity.

James P. Martin, CMA, CIA, CFE, is a managing director at Cendrowski Corporate Advisors LLC. Reach him at (866) 717-1607 or jpm@cendsel.com.
