PRESENTATION - Enterprise Risk Management
Risk
Definition
 The uncertainty concerning a potential loss, or the chance of something happening that will impact objectives.
Elements in the concept of risk
 The perception that something could happen,
 how likely it is to happen, and
 the consequences if it does.
Types
 Physical,
 Operational,
 Financial and economic,
 Technological,
 Legal/regulatory, and
 Political.
Risk Management
 The provision of a way to realize available business opportunities without exposing an organization to unnecessary risks.
 It is an iterative process.
Risk Management (RM) Requirements
Risk Management policy
 Defining and documenting the organization's policy for managing risks is a duty of senior management.
 The policy should be simple, so that it is easily understood by everyone within the organization.
Implementation Program:
 Several steps are required to implement an effective RM system.
 Combining or omitting certain steps depends on the organization's RM structure and culture.
Management Review:
 Top management should ensure that the organization's RM system is reviewed at regular intervals, and these reviews must be recorded.
THE NEW ISO 31000:2018 RISK MANAGEMENT (RM) PRINCIPLES
a. Integrated: RM forms a part of all organizational activities.
b. Structured and comprehensive: these contribute to consistent and comparable results.
c. Customized: the RM framework is tailored to each organization's context and mission.
d. Inclusive: all stakeholders should be involved in the RM system in a timely manner.
e. Dynamic: RM anticipates, acknowledges and responds to changes in the organization's context.
f. Best available information: RM inputs draw on historical as well as current information.
g. Human and cultural factors: human behaviour and culture are taken into account.
h. Continual improvement: RM is continually improved through experience of threats and the lessons learnt from the risks encountered.
Enterprise Risk Management (ERM)
 ERM comprises the strategies a firm uses to identify and prepare for adverse events that could affect its finances, operations and mission.
 It enables managers to shape the company's risk position.
 ERM is a high-level "umbrella" that unifies all forms of risk management. The risk areas it covers include:
 Projects,
 Insurance,
 Information technology,
 Security,
 Finance, and
 Strategic risks.
 An effective ERM program creates value by linking risk and strategy as part of decision making.
Enterprise Risk-Management Process
Involves applying policies, practices and procedures in a systematic way to the activities of communicating and consulting, establishing the scope, context and criteria, assessing and treating risks, monitoring and reviewing, and recording and reporting risk.
a. Communication and Consultation
Purpose
 Assisting stakeholders to understand risk, which forms the basis of decision making.
 Communication helps them become aware of and understand the threats; consultation provides the feedback that informs decision making.
Aims:
 Bringing together different areas of expertise for each step of the RM process;
 Ensuring that divergent views and opinions are considered when defining risk criteria and when evaluating risks;
 Providing sufficient information to support the oversight of risks;
 Building a sense of inclusiveness and ownership among those affected by the risk.
b. Establishing the Scope, Context and Criteria
 Involves customizing the risk management process to the organization's needs and objectives and to its own unique culture.
 It enables effective assessment and treatment of disruptive risk events.
Defining the Scope
 The scope under consideration should be clarified, since risk management may be applied at several different levels within the organizational management structure.
 The relevant objectives are also taken into consideration.
Factors considered in scope definition
a. Objectives and the decisions that need to be made,
b. Expected outcomes of the steps to be taken,
c. Geographic situation, and what should specifically be included and/or excluded,
d. Resource requirements.
b. Establishing the Scope, Context and Criteria (cont.)
External context
 The environment, e.g., natural, political and cultural.
 Interviewing the communities.
 PESTLE analysis.
Internal context
 Internal review, security risk assessment, etc.
Context of the RM process
 Enterprise risk management policies.
 Risk management frameworks.
 Industry requirements.
Defining risk criteria
 Risk appetite.
 Risk tolerance.
 Risk capacity.
c. Risk Assessment
 Combines identifying, analyzing and evaluating risks, and is carried out in a systematic and iterative way.
Risk Identification
Purpose:
 Finding, recognizing and describing risks that could prevent or hinder the achievement of the set objectives.
Considerations include:
 Visible and hidden sources of risk;
 Sources and effects;
 Threats and opportunities;
 Indicators of emerging risks;
 Time-related factors.
Sources for risk identification
 Forward-looking: what could possibly happen?
 Historic: what has already happened?
d. Risk Analysis
 Refers to the process of comprehending the nature of a risk and determining its level.
Factors considered while analyzing risks include:
 The likelihood of events occurring and their likely consequences;
 The magnitude of the consequences;
 The complexity of the threat;
 How time influences the occurrences (time-related factors and volatility);
 The effectiveness of existing controls.
 Analyzing risks provides the input for evaluating them and subsequently deciding whether, and how, a risk needs treatment.
 These outcomes inform decision making.
e. Risk Evaluation
Purpose:
 Determining whether a risk is to be accepted or otherwise.
 Deciding on the areas requiring the most attention.
 Identifying the important controls and assigning the cumulative set of controls a rating.
Reasons why risks might be accepted:
 The risk is at such a low level that treating it would strain the available resources.
 No treatment is affordable or otherwise available for the risk.
 The cost of treating it is excessive relative to the benefits.
 The risk presents opportunities that outweigh the risk itself, to a point where acceptance is justifiable.
f. Risk Treatment
Purpose:
This is the stage at which the whole management process is put into effect, and it is therefore where the process delivers value to the firm.
The outcome of the assessment, including the planned treatment activities and controls, is documented in a risk register.
Options for treatment include:
 Removing the risk source;
 Sharing the risk;
 Altering the likelihood;
 Altering the consequences;
 Retaining the risk by informed decision.
Preparation and implementation of risk treatment plans
Purpose
 Specifying how the chosen treatment options are to be implemented.
 Information contained in these plans includes: proposed actions, resources required, constraints, the rationale for selecting the treatment options, and the required reporting and monitoring.
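The assessment steps above (analysis, evaluation against the risk criteria, and the treatment decision) can be exercised in code. The following is an added example and is not part of the original slides: a small risk register in Python that scores each risk on assumed 5-point likelihood and impact scales, discounts the score by a rating of the cumulative control set, evaluates the residual score against an assumed appetite and tolerance using the acceptance reasons listed under Risk Evaluation, and records the treatment decision. The `Risk` and `Criteria` structures, the scales, the thresholds and the sample entries are all assumptions made for the example.

```python
"""Added example, not from the slides: a minimal risk register that carries a
risk through analysis (likelihood, impact, control effectiveness), evaluation
against risk criteria (appetite and tolerance) and the treatment decision.
Scales, thresholds, the acceptance tests and the sample entries are assumptions."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Risk:
    risk_id: str
    description: str
    likelihood: int                   # 1 (rare) .. 5 (almost certain); assumed 5-point scale
    impact: int                       # 1 (negligible) .. 5 (catastrophic)
    control_effectiveness: float      # 0.0 (no controls) .. 1.0 (fully effective): rating of the cumulative control set
    expected_loss: float              # annualised loss if the risk materialises untreated (assumed currency units)
    treatment_cost: float = 0.0       # cost of the candidate treatment
    treatment_reduction: float = 0.0  # fraction of expected_loss the treatment removes; 0 means no treatment available
    opportunity_value: float = 0.0    # upside of carrying on with the risky activity

    def inherent_score(self) -> float:
        """Likelihood x impact before any controls."""
        return float(self.likelihood * self.impact)

    def residual_score(self) -> float:
        """Inherent score scaled down by how effective the existing controls are."""
        return self.inherent_score() * (1.0 - self.control_effectiveness)

    def treatment_benefit(self) -> float:
        return self.expected_loss * self.treatment_reduction


@dataclass
class Criteria:
    appetite: float    # residual score the organisation is content to carry
    tolerance: float   # residual score above which the risk must be escalated


def evaluate(risk: Risk, criteria: Criteria) -> Tuple[str, str]:
    """Risk evaluation: returns (decision, reason). Decisions: accept, treat, escalate."""
    residual = risk.residual_score()
    if residual > criteria.tolerance:
        return "escalate", f"residual {residual:.1f} exceeds tolerance {criteria.tolerance}"
    if residual <= criteria.appetite:
        return "accept", "low level: within appetite"
    # Above appetite: apply the remaining acceptance reasons from the slides.
    if risk.treatment_reduction == 0.0:
        return "accept", "no treatment available"
    if risk.treatment_cost > risk.treatment_benefit():
        return "accept", "treatment cost exceeds its benefit"
    if risk.opportunity_value > risk.expected_loss:
        return "accept", "opportunity outweighs the risk"
    return "treat", f"residual {residual:.1f} above appetite {criteria.appetite} and treatment is worthwhile"


def treatment_option(risk: Risk) -> str:
    """Pick one of the treatment options listed above. Assumed heuristic:
    address the larger of the two score components first."""
    if risk.likelihood >= risk.impact:
        return "alter the likelihood (preventive controls)"
    return "alter the consequences (contingency and recovery controls)"


def build_register(risks: List[Risk], criteria: Criteria) -> List[dict]:
    """Risk register rows ordered so the areas needing most attention come first."""
    rows = []
    for r in risks:
        decision, reason = evaluate(r, criteria)
        rows.append({
            "id": r.risk_id,
            "inherent": r.inherent_score(),
            "residual": round(r.residual_score(), 1),
            "decision": decision,
            "reason": reason,
            "treatment": treatment_option(r) if decision != "accept" else "retain by informed decision",
        })
    return sorted(rows, key=lambda row: row["residual"], reverse=True)


# Constructed sample entries (assumptions, not from the slides).
SAMPLE_RISKS = [
    Risk("R1", "Ransomware on file servers", likelihood=4, impact=5, control_effectiveness=0.3,
         expected_loss=800_000, treatment_cost=120_000, treatment_reduction=0.6),
    Risk("R2", "Single supplier for a key component", likelihood=3, impact=4, control_effectiveness=0.0,
         expected_loss=300_000, treatment_cost=400_000, treatment_reduction=0.5),
    Risk("R3", "Minor office flooding", likelihood=2, impact=1, control_effectiveness=0.5,
         expected_loss=5_000),
    Risk("R4", "Earthquake at head office", likelihood=1, impact=5, control_effectiveness=0.0,
         expected_loss=2_000_000),   # no treatment modelled, so treatment_reduction stays 0
]
CRITERIA = Criteria(appetite=4.0, tolerance=15.0)

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS, CRITERIA):
        print(row)
```

Run it to print the register ordered by residual score, highest-attention items first. The `treatment_option` rule is deliberately simple; a real register would also carry the chosen option's actions, cost, owner and the reporting and monitoring requirements listed under the treatment plan bullets above.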
g. Monitoring and Reviewing
 Monitoring and review is a vital step in good risk management because risks change, e.g., because of environmental change or because of the activities used to treat them.
 This step assures the effectiveness of the process design, its implementation and its outcomes.
Recording and Reporting
 The management procedures are fully recorded, and a report based on them is relayed to the relevant authorities within and outside the organization.
Aims:
 To help management decide.
 To improve risk management activities.
 To communicate the risk management process and its outcomes throughout the company or business organization.
Recommendations on RM
 Need for proper risk frameworks.
 Need for relevant tools with which to manage risks.
 Monitor regularly.
 Continuously consult with the surrounding community members, authorities and other stakeholders.
 Need for a standard escalation method applied across the whole organization.
Benefits of an effective ERM program
 Increases visibility of key performance drivers.
 Aligns risk taking with profit and growth targets.
 Generates higher future returns through disciplined allocation of capital.
 Stabilizes performance by protecting against downside scenarios.
 Promotes risk awareness within key decision making processes.
Lessons Learnt in Building a Successful and Sustainable Enterprise Risk Management Framework
1. Avoid jargon and use language people can easily understand.
2. Get senior buy-in and sponsorship, and engage with the business regularly.
3. Align to business continuity and resilience strategies.
4. Do not become overly dependent on data and numbers at the expense of good judgement.
5. Get the balance right.
6. Theory is very different from practice.
7. A risk-aware culture will not happen overnight; it takes patience.
8. Risk management standards: avoid adopting a single standard, and benchmark against peers.
9. Stress test risk scenarios; risk events are a certainty.
10. Ensure risk reports are meaningful and appropriate for the intended audience.
Crisis Risk Management (CRM)
 Businesses face an ever-present range of events and hazards which threaten them, such as:
 Supply chain failure;
 Terrorist actions;
 Pandemics, from SARS to Covid-19;
 IT failure;
 Civil disturbance;
 Extreme weather.
 There is, therefore, a need to manage such crises.
 Crisis Risk Management (CRM) refers to frameworks which guide a firm and its top management in being ready to manage, and recover from, events that would affect the organization's systems, property, value, reputation, growth, success and even its survival.
Crisis Management Integrating with CRM and ERM
Crisis management and issue management should integrate well with Enterprise Risk Management and CRM so as to achieve integrated risk management.
Incident Reporting & Crisis Management Communication Mechanism
Fundamental Concepts:
 Emergency management: the organized analysis, planning and decision making for emergencies.
 Security management.
 Crisis management.
 Business continuity: ensuring the continuation of the organization's critical operations.
Common Crises:
 Violence;
 Natural hazards;
 Bomb threats;
 Utility loss;
 Pandemics.
Phases of Emergency Management:
 Mitigation: reducing the probability of occurrence or the severity of the consequences.
 Preparedness.
 Response: collective action taken to protect people.
 Recovery: restoring damaged systems and buildings.
Incident Reporting & Crisis Management Communication Mechanism (cont.)
The Four C's:
1. Command: leadership; someone must be in charge.
2. Control of resources, people, systems and equipment.
3. Coordination.
4. Containment: keep the incident from spreading and impacting a wider area.
Necessary teams:
 Site Emergency Response Team: responsible for the company's first response and management of the incident, e.g., by evacuation.
 Incident Support Team: provides advice and guidance to the site emergency response team.
 Crisis Management Team: chooses the appropriate strategy to manage the response.
Universal Protective Actions:
 Evacuation;
o Horizontal.
o Vertical.
 Shelter-in-place.
 Lockdown.
Top 3 Priorities
 Life safety;
 Incident stabilization;
 Property conservation.
Formula for Success
 20% planning;
 30% training;
 50% exercise.
Incident Reporting & Crisis Management Communication Mechanism (cont.)
Tactical communications: the 3 core elements of a company's preparedness:
 Emergency response
o Warning and notification;
o Evacuation;
o Shelter-in-place;
o Incident command.
 Crisis management
o Strategic communications;
o Issues management;
o Protection of reputation.
 Business continuity
o Information technology;
o Facilities management;
o Public relations;
o Research.
Crisis Management & Public Media
Pre-Crisis Phase
Prevention seeks to reduce known risks.
Preparedness is equally vital; it involves creating a Crisis Management Plan (CMP) and deciding who will make up the Crisis Management Team(s).
Crisis Management Plan
 A CMP is a reference tool that lists crucial contact information and reminds the team of what is to be done in a crisis.
 A CMP saves time because some tasks are pre-assigned in it, on the presumption that there is a designated crisis team.
 The important elements of a CMP include:
 Crisis management definitions.
 Team activation criteria.
 Team structure and membership.
 Team roles and responsibilities.
 Concept of operations.
 Reporting and screening of potential crises.
 Post-incident review process.
 Plan and capability maintenance.
Crisis Management & Public Media (cont.)
Crisis Management Team
 Comprises members from PR, legal, security, finance and HR.
 Its composition, however, varies with the nature of the crisis.
 The team must be trained and tested before a crisis occurs.
Spokesperson
 Talks to the news media during a crisis, having had prior media training.
 Best practices are:
 Avoiding the phrase "no comment", which can suggest that the organization is guilty.
 Appearing pleasant and composed on camera.
Crisis Communication Channels
 Best practices include:
 Use a dedicated website to address crisis concerns.
 Use a mass notification system to reach stakeholders.
 Use the intranet as a channel to reach employees and other internal stakeholders.
Crisis Management & Public Media (cont.)
Initial Response
It's best to:
 Be consistent and keep the spokesperson updated;
 Prioritize public safety;
 Express sincere concern for victims;
 Include employees in the initial response team.
Post-Crisis Phase
Best practices in this phase include:
 Delivering all information promised to stakeholders as soon as possible.
 Keeping stakeholders informed of the progress of recovery efforts.
 Analyzing the crisis management effort.
Crisis Types by Attribution of Crisis Responsibility
Victim crises: minimal responsibility
Include natural disasters, workplace violence, and product tampering.
Accidental crises: low responsibility
Include challenges (stakeholders claiming that the firm is operating inappropriately) and technical-error accidents.
Preventable crises: strong responsibility
Include accidents that result from human error.
Business Continuity Management (BCM)
Definitions
 BCM is a way to anticipate occurrences that might impact important operations in an organization and to ensure that response plans are in place as early as possible.
 A Business Continuity Plan (BCP) is a documented set of processes which guides a firm in responding to, resuming after, and restoring itself from disruption by a crisis.
BCP overview
 IT security may be compromised.
 Requires commitment from the top.
 Requires clear policies and strategies.
 Crisis management and PR are very important.
 Should be inherent in all changes: strategy, projects, culture and policies.
Key benefits of BCM
 Instills confidence in stakeholders.
 Creates a designed road map to manage crises.
 Guides decision making.
 Helps management to identify risks.
Business Continuity Management (cont.)
Challenges in being prepared for a crisis
 Rising expectations: stakeholders demand a faster response.
 Growing cyber exposure.
 Increased complexity of crisis events.
 Increased automation.
Main Roles and Responsibilities
 BCM Owner: offers leadership, enforces and embeds policies.
 Steering Committee: assists, reviews and supervises the BCM process.
 Manager: operational manager of the BCM program; coordinates, manages and reports to the owner of the program.
The Teams' Roles (team: responsibility)
 Crisis Management: assists the owner to manage disasters and crises.
 Security: handles security aspects in normal and disaster conditions.
 Communication: handles internal and external communication relating to BCM.
 IT DR: manages the IT disaster recovery program and recovers IT systems and equipment.
 HR/People Assistance: manages human-related issues for affected people.
Business Interruption Crisis Management
Introduction to Business Interruption (BI)
Business Interruption = Value × Outage
Value = revenue, production, or another "rate-based" measurement that is meaningful to the company.
Outage = the period of time during which the company's ability to generate that value is interrupted.
Definitions
 Direct Business Interruption (BI): loss of revenue or production capability at a specific location due to an adverse event at that location.
 Business Interruption Interdependency (BII): loss of production capability or revenue at a specific corporate location due to an adverse event at another corporate location that supplies it.
 Contingent Business Interruption (CBI): loss of revenue or sales at a corporate facility due to an adverse event at a non-corporate (third-party) facility.
 Increased Cost of Working (ICOW): additional expenses incurred in reducing the impact of a business interruption loss.
Business Interruption & Natural Disasters
 A natural hazard is an unexpected and uncontrollable natural environmental phenomenon which can cause severe property destruction, injury and/or death, and must be considered in the same way as other risks.
 The natural-hazard risk to a business depends on:
 Hazard: the frequency and severity of events.
 Vulnerability: the extent of damage at a given event intensity.
 Exposure: the exact location and value of the property.
 Risk financing: the insurance and other risk financing mechanisms in place.
 In seeking to protect their businesses from natural hazard risks, companies should:
 Identify hazards and their potential intensity and frequency relative to the location of the risk;
 Quantify the potential financial exposure, to help arrive at optimal insurance and risk financing solutions;
 Manage the risk through enhanced risk mitigation strategies.
Maximum Foreseeable Loss (MFL) & Assessing Business Interruption Downtime
 Management should always prepare for the worst and establish a Maximum Foreseeable Loss (MFL) scenario.
Definition
 MFL is the maximum loss sustainable under adverse threats, including catastrophic events like earthquake, terrorism and tidal waves.
 If the facility is located in a high-risk area for hazards such as earthquakes, typhoons and storms, those hazards are considered in the MFL.
Losses are distinguished by:
1. Direct Business Interruption (DBI)
 Reinstatement;
 Ramp-up;
 Access restriction.
2. Increased Cost of Working (ICOW)
 Relocation.
3. Contingent Business Interruption (CBI)
 Non-supply of raw materials;
 Off-site assets.
Delay in Start Up (DSU)
Provides an indemnity against the financial loss incurred should the completion of an insured construction project be delayed beyond the scheduled completion date as a result of the insured perils.
Methodology
 The insured must substantiate the claim that the project would have generated enough income to pay both fixed and variable costs, had there been no delay.
Time Excess (TE)
 The initial part of the indemnity period (the period during which benefits are payable under an insurance policy) for which no indemnity is paid; in effect, a deductible expressed in time.
Case Study (Tunnel Project)
Typical Client Expectations
 A detailed explanation of the principles and scope of cover.
 Insurance program design, assessment of the insured's needs and of the sum insured (DSU Analysis: Quantification & Modelling).
 Identification of potential loss scenarios with indemnity examples (DSU Analysis: Risk Assessment).
 Establishing a statement of intent from insurers on advancing the trigger date/extending the period of insurance.
 Periodic reviews of the project schedule (DSU Analysis: BOT/BOOT Monitoring).
Risk Assessment
Special Hazards
 Material damage to the construction works, construction machinery and facilities.
 Material damage and bodily injury to third parties.
Possible Losses
 Collapse of the trench wall because of failure to adapt safety measures adequately to the geological conditions.
 Damage to third-party property, e.g., telecommunication lines, electricity cables and water pipes, caused directly by construction machinery and equipment.
Case Study - Tunnel Project (cont.)
Monitoring by banks and insurers
Items monitored by both parties:
 Site organization
 Permitting plan
 Purchasing plan (orders, contracts, etc.)
 Quality of works
 Sub-contractors' resources and structure
 Recovery plan, if any
 Commissioning and testing procedures
Items monitored by one party only:
 Certification of works progress
 Performance obtained after mechanical completion
 O&M performance during the operational period
 Capability to guarantee the payback
Intradependencies and Business Continuity
Interdependency vs Intradependency
 Interdependency refers to how two or more companies depend on each other to operate; it scales with the volume of business between them. It may give rise to risks such as contingent business interruption, some of which can be transferred through insurance and derivatives.
 Intradependency is how departments or business units within a company rely on each other for the functioning and operations of the company.
Business Continuity Plan (BCP) vs Business Continuity Management (BCM)
A BCP is a plan used to counter the risk of losing crucial operating capacity as a result of adverse events, whereas BCM is the way of anticipating occurrences that might impact important operations and ensuring that response plans are in place as early as possible.
Reasons for the Plan are to:
 Effectively respond to adverse events;
 Protect customers, operations and property;
 Sustain operational capacity;
 Protect business outcomes.
Basic steps to business survival
1. Inform employees about the threat environment;
2. Enforce a policy that allows critical workers to work remotely;
3. Use a VPN for secure remote access;
4. Encourage employees to use remotely accessible equipment;
5. Increase bandwidth to allow all critical people access;
6. Use electronic formats for critical records and web-enable them; consider cloud platforms for remote access;
7. Include telework capability in the BCP and implement it appropriately.
The Plan-Do-Check-Act cycle
 An internationally recognized standard cycle that monitors, and continuously improves, how effective an organization's BCM is.
 The diagram on the slide illustrates this cycle.
Business Continuity Planning Steps
1. Executive sponsorship: BCP efforts should be driven from the top.
2. Understanding a threat and its location: analyze the threat and examine the information available from the WHO and relevant security agencies. Also examine the implications for business operations.
3. Performing a Business Impact Analysis (BIA): involves defining the planning assumptions and identifying the business's key operational processes. Look out for personnel and infrastructure requirements.
4. Development of business continuity strategies: includes forming emergency management and response teams, escalation procedures, command and control protocols, training and testing requirements, and a maintenance plan.
5. Validation of the available emergency plans: check the response plans and ensure the crisis recovery plans are up to date.
Business Continuity Planning Steps (cont.)
6. Developing relevant strategies: determine ready alternatives, coordinate with interdependent entities and support functions such as administration, and identify emergency operations personnel.
7. Train personnel: through briefings and exercises, tests and classroom-based training.
8. Testing plans: conduct periodic tests of the plans using tabletop tests, drills, simulations and functional exercises.
9. Proper maintenance strategy: define roles, update data periodically, and update strategies and personnel contact information.
10. Build employee awareness with the help of email notices, plan testing and organization-wide briefings.
Business Impact Analysis (BIA)
 Is carried out before a BCP to identify time-sensitive processes, recovery time objectives, and the necessary recovery resources.
 BIA assists in evaluating critical issues, and in answering questions such as:
 What specific resources are required?
 What are the supporting implications?
 What is the potential for financial and operational impacts?
 What are the priorities for the resumption of operations?
BIA Outcomes
 Endorsement of the organization's BC program;
 Analysis of the firm's results over a period of time;
 Establishment of the relationships between products and resources;
 Activities and resources;
 Interested parties;
 Determining how frequently the information should be updated.
Business Impact Analysis – BIA (cont.)
Basic BIA Requirements
 Identifying customers and other interested parties and anticipating their reaction to an incident;
 Engaging all relevant interested parties with an appropriate mandate;
 Developing appropriate skills and competencies within the organization to conduct the analysis;
 Gathering generally complete and accurate information (some information may be unavailable, which identifies areas for further work);
 Ensuring that management representatives have sufficient authority to approve the BIA results; and
 Ensuring that those contributing to BIA information gathering are knowledgeable enough to speak on behalf of the organization, process or activity.
Initial (first-time) BIA considerations
 Identify products and services;
 Create awareness and ensure education;
 Determine the impact categories and criteria;
 Identify the organization's structure to an appropriate level of detail;
 Document the workflow to process and activity level; and
 Complete information gathering through document review and interviews.
Business Impact Analysis – BIA (cont.)
Fundamental considerations in BIA
Critical business processes: the BIA allows the company to prioritize its critical processes.
Upstream dependencies: internal (inputs from within the company) and external (inputs from third-party vendors).
Downstream dependencies: internal (outputs to other departments within the firm) and external (outputs to third parties such as customers).
Software requirements: the applications each process needs in order to recover; commodity software such as MS Office and Windows can be excluded.
Human capital and workspace requirements: the number of staff in a specific department (the minimum number required to operate the department 1, 2-3, 5 and 10 days after a disaster).
Vital records: key issues here include confidentiality, integrity, availability and currency. Information strategies should cover both hard-copy and electronic formats.
Process recovery: best achieved through proper documentation, use of third-party help, proper management and use of technological strategies.
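As an added example, not from the slides, the upstream/downstream dependency, recovery-priority and headcount considerations above can be checked mechanically. The Python below, with constructed sample processes, RTOs and staffing figures, propagates each process's recovery time objective (RTO) to everything upstream of it, flags any upstream process or external supplier whose own RTO is longer than what its downstream processes need (a recovery gap), derives a recovery order that never schedules a process before something it depends on, and sums the minimum headcount at the 1, 3, 5 and 10 day checkpoints. It goes beyond the slide in one respect: the RTO rule is applied transitively through chains of dependencies, not only to direct ones. The `Process` structure, the function names and all figures are assumptions.

```python
"""Added example, not from the slides: BIA dependency and recovery-order check.
Process names, RTOs, dependencies and headcounts are constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Process:
    name: str
    rto_hours: float                                         # recovery time objective
    upstream: List[str] = field(default_factory=list)       # processes or suppliers this one needs (inputs)
    external: bool = False                                   # True for a third-party vendor
    min_staff: Dict[int, int] = field(default_factory=dict)  # day after disaster -> minimum headcount


def required_rto(processes: Dict[str, Process]) -> Dict[str, float]:
    """Tightest RTO each node must actually meet: its own RTO, or the tightest
    required RTO of anything downstream of it, propagated through chains."""
    missing = {up for p in processes.values() for up in p.upstream} - processes.keys()
    if missing:
        raise ValueError(f"upstream dependencies not in the BIA: {sorted(missing)}")
    req = {name: p.rto_hours for name, p in processes.items()}
    changed = True
    while changed:                      # simple fixpoint; values only ever decrease
        changed = False
        for p in processes.values():
            for up in p.upstream:
                if req[p.name] < req[up]:
                    req[up] = req[p.name]
                    changed = True
    return req


def recovery_gaps(processes: Dict[str, Process]) -> List[Tuple[str, float, float]]:
    """(name, own RTO, required RTO) for every node whose own RTO is looser
    than what its downstream processes need."""
    req = required_rto(processes)
    return [(n, p.rto_hours, req[n]) for n, p in processes.items() if p.rto_hours > req[n]]


def recovery_order(processes: Dict[str, Process]) -> List[str]:
    """Order of resumption: upstream before downstream (topological), and
    among the ready candidates the tightest required RTO first."""
    req = required_rto(processes)
    indegree = {n: 0 for n in processes}
    downstream = defaultdict(list)
    for p in processes.values():
        for up in p.upstream:
            downstream[up].append(p.name)
            indegree[p.name] += 1
    ready = [n for n, d in indegree.items() if d == 0]
    order: List[str] = []
    while ready:
        ready.sort(key=lambda n: (req[n], n))
        current = ready.pop(0)
        order.append(current)
        for d in downstream[current]:
            indegree[d] -= 1
            if indegree[d] == 0:
                ready.append(d)
    if len(order) != len(processes):
        raise ValueError("circular dependency in BIA data")
    return order


def headcount_needed(processes: Dict[str, Process], day: int) -> int:
    """Minimum staff across all processes on the given day, using each
    process's latest checkpoint at or before that day."""
    total = 0
    for p in processes.values():
        checkpoints = [d for d in p.min_staff if d <= day]
        if checkpoints:
            total += p.min_staff[max(checkpoints)]
    return total


# Constructed sample data (assumptions, not from the slides).
SAMPLE: Dict[str, Process] = {
    "order_entry": Process("order_entry", 8, upstream=["erp", "payment_gateway"],
                           min_staff={1: 2, 3: 5, 5: 8, 10: 12}),
    "erp": Process("erp", 24, upstream=["datacenter_network"], min_staff={1: 1, 5: 3}),
    "datacenter_network": Process("datacenter_network", 4, min_staff={1: 2}),
    "payment_gateway": Process("payment_gateway", 48, external=True),   # third-party vendor
    "payroll": Process("payroll", 72, upstream=["erp"], min_staff={10: 4}),
}

if __name__ == "__main__":
    for name, own, needed in recovery_gaps(SAMPLE):
        kind = "external supplier" if SAMPLE[name].external else "internal process"
        print(f"gap: {kind} {name} has RTO {own}h but downstream needs {needed}h")
    print("recovery order:", recovery_order(SAMPLE))
    for day in (1, 3, 5, 10):
        print(f"day {day}: minimum headcount {headcount_needed(SAMPLE, day)}")
```

In the sample data the ERP system and the external payment gateway both have RTOs longer than the 8 hours that order entry needs, which is exactly the kind of mismatch a BIA is meant to surface: either the downstream RTO is relaxed, or the upstream recovery capability (or the supplier contract) is tightened.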
ERM Summary of Crucial Elements
Organs/Participants:
 Organization's leadership/management: this is the client, otherwise referred to as the risk owner.
 Members of the board: they hold the organization's management accountable for risk management policy.
Committee:
 The Risk Committee: oversees the risk management process and ensures its success. It also acts on behalf of management.
Procedures:
 Assessing the risks.
 Reporting the assessed risks.
 Escalating the risk where required.
Question
1. What name is given to a risk management program that encompasses an organization's strategic, operational, speculative and pure risks?
a) Comprehensive risk management system.
b) Financial risk management plan.
c) Enterprise risk management plan.
d) Insurable risks plan.
e) Traditional risk management plan.
Question
2. Which of the reasons below is NOT a reason for an organization to adopt an enterprise risk management plan?
a) To raise earnings volatility.
b) To treat the risks experienced in a more holistic way.
c) To raise net income.
d) To stabilize performance.
e) To see the key performance drivers.
Question
3. Which one of these processes is not part of risk assessment in the enterprise risk management steps?
a) Risk quantification.
b) Defining risk criteria.
c) Analyzing the risk.
d) Risk identification.
e) Risk evaluation.
Question
4. Advise Mr. Ned, a newly hired risk manager at a Texas hospital, on the appropriate sequence of steps he needs to pick out of the ones listed below. He is tasked with Enterprise Risk Management on his first day at the job and needs guidance on the correct order of three steps while going through the ERM process.
a) Determine the severity of the risk; identify the risk; treat the risk.
b) Quantify the risk; define the risk criteria; evaluate the risk.
c) Identify the risk and quantify it; treat the risk; carry out monitoring.
d) Evaluate the risk; treat the risk; determine the probability of the risk occurring.
e) Treat the risk; carry out monitoring; evaluate the risk.
Question
5. Which one of the following shouldn't you do as an enterprise risk manager in order to build a successful and sustainable ERM framework?
a) Stress test risk event scenarios.
b) Adopt one risk management standard so that you can always use it for risk management in your enterprise.
c) Get the balance right.
d) Align to business continuity.
e) Get sponsorship for your risk management processes.
Question
6. Identify the odd one out among the fundamental concepts of incident reporting and crisis management below.
a) Insurance.
b) Business continuity.
c) Security management.
d) Management of crisis.
e) Emergency management.
Question
7. A Crisis Management Plan (CMP) contains all of the following information EXCEPT:
a) Operation concepts.
b) Duties and responsibilities of the team members.
c) The insurer's contact information.
d) Concept of operations.
e) Membership of the crisis management team.
Question
8. A business enterprise, RST, has decided to develop a Business Continuity Plan (BCP), and the manager tasked with carrying out the risk management wants to decide on the correct order of three of the BCP development steps. Which one of the orders below is the appropriate BCP development sequence for the manager?
a) Assess the risk; develop relevant recovery strategies; obtain the support of management.
b) Develop relevant recovery strategies; perform a Business Impact Analysis; implement and test the BCP.
c) Obtain the support of management; assess the risk; test the plan.
d) Perform a Business Impact Analysis; develop relevant recovery strategies; obtain the support of management.
e) Test the plan; assess the risk; develop relevant recovery strategies.
Question
9. Identify which Business Continuity Management team has its responsibility mismatched.
a) Security team: protecting victims of the crisis and the staff.
b) Other recovery teams: recover computers and provide the intranet to staff.
c) HR team: assist affected victims.
d) Crisis management team: manage the threats alongside the BCM owner.
e) Communications team: handle external communications.
Question
10. Which of these questions would be left unanswered after doing a Business Impact Analysis (BIA)?
a) Which operations of the business are to be resumed first?
b) What financial resources are needed?
c) What will the compensation from the insurer be?
d) What are the supporting implications?
e) What are the operational implications?
END
-THANK YOU-