For most people, this will be a busy time of the year: end of year performance reviews, last-minute budget planning, holiday parties or a final push to achieve their annual goals. All of this adds up to a very busy time when all you want to do it take a break. However, there’s one other thing I’m going to suggest you squeeze in before you start next year’s ERM program. ...

Meet the expert – Crisis Communications with Price Floyd We are kicking off our ‘meet the expert’ series with an interview with Price Floyd, the founder of the Engaging America Projectand an expert in risk and crisis communications. Price has over 25 years of experience in government and the private sector and here he shares over a dozen key lessons he has learned including: The difference between communications in government and the private sector How digital media has improved crisis communications Why it’s too late to call the communications team when things start going wrong The number one skill for communicators Why it’s important to tend the garden (and what this means) Watch the video to hear these and many more key lessons that you can put into action today. ...

I’m trying to improve my videos so apologize for the quality but here’s a quick video with 10 quick thoughts on risk management. [Video: https://video.wordpress.com/embed/zX8wUAWO?hd=0&autoPlay=0&permalink=1&loop=0&preloadContent=metadata&muted=0&playsinline=0&controls=1&cover=1] Let me know what you think!

Enterprise security risk management (ESRM) has been a topic of increasing interest for security managers over the past few years. ASIS International has identified it as a strategic focus. However, after a review of the literature, beginning with the 2010 CSO roundtable paper on ESRM, two issues are raised that could make ESRM implementation difficult. The initial papers on ESRM appeared to encourage security to fill the gap left by traditional enterprise risk management (ERM) systems, which often focused on financial and market risk exclusively. Although an effective ERM system should incorporate all risks, having security fill these gaps via the ESRM system would quickly overwhelm the chief security officer (CSO). ...

Completion of the assessment and development of risk mitigation strategies help the organization understand their risks and what it can do to bring these risks within the levels of its risk tolerance and appetite. The elements that ensure that these risks stay within the permissible levels are risk governance and system controls. *Controls are what help keep the system in equilibrium or prompt a reaction where things begin to deviate from ‘normal’. Governance provides oversight to ensure that the risk management system is operating properly and that risks are being identified, elevated and managed at the appropriate levels. * ...

Effective risk management requires a series of behaviors and attitudes to exist within an organization that make risk considerations prominent in day-to-day operations. This mindset alone will go a long way to making an organization more risk-led but a functioning risk management system is also required to develop, support and guide that mindset. The specific system adopted by an organization will be influenced by a number of factors: the industry may have a series of regulatory requirements; the country in which it is headquartered will have applicable laws to follow; there will be cultural aspects which will differ from organization to organization; and individual sectors and industries have preferred approaches to risk management. That makes it difficult to prescribe what a risk management system will look like and even a review of the existing standards and common references can still leave the reader without a clear template to follow. ...

*Integrating a risk management system into your department or organization will be a major endeavor and while there are significant benefits to making this change, the degree of effort required should not be underestimated. Moreover, the overall workload of the organization and other major initiatives that might also be underway are major considerations when planning ERM implementation. This article will refer to ERM systems but the same principles will apply if the implementation is for a less expansive risk management system. Importantly, as a supporting function and not an operational activity, risk management must be shaped to fit the organization. It should not try to shape the organization to fit it. Implementing a risk management system requires thorough planning, a careful combination of change and project management and a high degree of cultural sensitivity. * ...

Once an organization’s risks are understood, it is important that appropriate action is taken to address these risks to ensure that the organization’s objectives are protected or enhanced. Some risks are severe enough to require immediate action. Others can be dealt with in the short term whereas some risks require longer-term attention over months or even years. This essay explores the key ideas and terms associated with addressing risks and outlines the steps to take to ensure that the appropriate action is taken once a risk is identified concentrating on five main options: avoid, tolerate, treat, transfer and terminate. ...

Complicated, subtle factors affect how we perceive risk and these can be exacerbated by the way we receive risk information. We refer to the ways we think about and react to risks as risk perception, and the processes for discussing risk as risk communication. Even when people are in the same or very similar situations, they may perceive the risks very differently. Similarly, different people listening to the same risk information will react to it differently depending on several factors that affect their perspective. The overall result of this is “the general frustration experienced by both risk managers and affected parties in conveying and understanding risk information”.[i] ...

When we are conducting a risk assessment, we need a way to assess, grade and order risks to allow us to use this information for decision-making and to prioritize our actions. This article outlines some basic techniques that can be used for risk assessment grading and matrics. These basic examples lay the foundation for more complex sets of metrics that can be adapted for your organization and the specifics of the assessment. An example of the metrics used in the r = tvi construct and the risk calculation tool are included along with links to online tools that you can copy and use in your own assessments. ...