How to manage risk and counter crises with a corporate response plan

The goal of any incident response is to minimize the impact of the negative event on the organization’s objectives.
This involves responding to the incident as quickly and efficiently as possible, making good decisions to limit further damage and repairing any damage that has been done. In order to accomplish this, an organization should have a corporate response plan (CRP) in place that is ready to go at a moment’s notice.
Smart Business spoke with James P. Martin, Managing Director at Cendrowski Corporate Advisors LLC, to discuss the finer points of a corporate response plan (CRP).
What sort of events should be addressed with a corporate response plan?
Different organizations will have different risks depending on their operations. A CRP is a natural extension of the organization’s risk management process. Where the organization identifies a risk that has a high likelihood of occurrence, and a high impact if it were to occur, the organization should consider if a CRP would be useful in managing the risk occurrence.
Some hot-button issues today are frequently described in the newspaper headlines, such as cybercrime, fraud, business interruption, and other public relations disasters. An organization might have several CRPs, each designed to address a specific event type.
Why does an organization need a corporate response plan?
Risk management attempts to identify and mitigate risks. However, it is impossible to completely prevent risk occurrence or even to identify all risks facing the organization; this is why the organization needs to be ready with a plan.
The goal of the CRP is to make sure the organization has a mindset of preparedness and the basic tools that are essential to manage a risk occurrence when it does occur.
What are the basics for setting up a CRP?
Plans need to be developed to address the details of the organization’s response. When a risk actually occurs there will be no time for planning and coordination; this needs to be done up front. Consider who should be involved, both from a company perspective, and any outside experts that would be required.
Identify the types of information that will be essential in order to evaluate the extent of the threat and analyze an appropriate course of information. Consider procedures to ensure that data and information are adequately preserved and available for the CRP. Setting up the CRP involves deep planning around what tools will be needed for the specific threat type and proactively ensuring they will be available.
Who should be involved?
The Corporate Response Committee will tailor the CRP for the company situation and determine who should be involved with the operation of a response team. The team is responsible to go out and operate the CRP when an event occurs.
Of course, for IT security events, the committee should include members of the technology team. The members of the committee should be senior management such that they can authorize the CRP and provide members of the team with the authority to examine transactions and events on behalf of the committee.
What are the keys to success?
Planning needs to be done to progress from threat identification to a desired outcome: the organization needs to determine the acceptable end resolution.
This will also vary by threat type but should consider the overall goals of: 1) minimizing business impact, 2) resuming normal operations and 3) restoring any damage done. Consideration should always be given to the need for confidentiality.
For certain threats, such as a report that fraud has occurred, the CRP should involve confidentiality during the process to ensure that the investigation can proceed appropriately and to protect the rights of those parties that might be involved.
As with any other risk management activity, the CRP should also include an evaluation process at the end to evaluate the effectiveness of the response and identify improvements that should be made for the future.
Also, the risk occurrence and mitigation information should be used to check if prior risk evaluations for risk impact and likelihood ratings need to be updated.
Insights Accounting is brought to you by Cendrowski Corporate Advisors LLC