Corporate responsibility: risk is a board game

Developing a risk management strategy

Information security and system integrity are fundamental elements of company operations; the risks associated with information assurance should be central to the risk management strategy.

Various technical solutions are available to reduce the impact of particular risks. Used in conjunction with a robust and dynamic risk management strategy, with involvement at board level, they put a company in a good position to face the array of incidents and disasters that can occur.

Not only will a good strategy help avert the worst, it can also be used as a positive marketing message, attracting investors and customers who will have greater confidence in an organisation that can demonstrate that it takes the issue seriously.

In developing a risk management strategy, the main steps that the board can take are as follows:

  • Identify the risks - this will require input from across the organisation and involve staff at all levels.
  • Evaluate the risks - what will be the consequences to the business if the risks you have identified occur? Which are more likely to occur?
  • Prioritise the coping strategy - determine which risks should be dealt with first and which will require the greatest investment.
  • Consider the options available for minimising risks - technical solutions and human involvement will both be part of the equation. Balance cost against possible damage.
  • Educate - ensure everyone in the company is aware of the risks and the procedures for dealing with them. Develop policies covering the management of risks.
  • Lead by example - if the board are seen as taking the lead in good practice, other staff will follow.
  • Monitor - check that policies are being followed, possibly by using appropriate software to monitor the condition of the network, and that all breaches and attempted breaches are reported.
  • Review the strategy - regularly review the risk management strategy to ensure it is working. Take account of new risks or changed company priorities and, if necessary, amend the strategy.

Underpinning each of these steps will be a number of considerations that depend on a wide range of factors, from the nature of your business and its ethos to available resources and industry pressures.

Whatever the circumstances, the basic principles of good corporate governance will still apply. Risk is a board game and risk management will always be an important element of the role of directors; if they choose to ignore it, then they will be gambling the company's future, as well as their own, on the throw of the dice.