PLANNING
HELLO!
Balneg, Nelson
Delena, Reymark
Cheng, Li
WHAT ARE THE TOPICS TO EXPECT?
• What Is Business Risk
• Risk Management
• Identifying Business Risk
• The PPRR Risk Model
• Business Continuity Planning
• Preparing a Risk Management Plan and Business Impact Analysis
• Preparing an Incident Response
• Developing a Recovery Plan
• Cybersecurity for your business
• Information Technology Risk Management
• Protecting IT and Data Systems
• Managing Risk in Supply Chains
• Keeping Your Workplace Safe
• Avoiding Business Scams
https://www.business.qld.gov.au/running-business/protecting-business/risk-management/identifying-risk
“There's no harm in hoping for the best as long as you're prepared for the worst.”
― Stephen King, Different Seasons
1. WHAT IS BUSINESS RISK?
BUSINESS RISK CONT.
Risks can be internal and external to your business. They can also
directly or indirectly affect your business's ability to operate.
Risks can be hazard-based (e.g. chemical spills), uncertainty-based
(e.g. natural disasters) or associated with opportunities (e.g. taking
them up or ignoring them).
The Australian standard defines risk as 'the chance of something happening
that will have an impact on objectives'.
https://ag.purdue.edu/commercialag/farmrisk/understanding-risk-types/
BUSINESS RISK
The probability of loss inherent in an organization's operations and
environment (such as competition and adverse economic conditions) that
may impair its ability to provide returns on investment.
Business risk plus the financial risk arising from use of debt (borrowed
capital and/or trade credit) equal total corporate risk.
BUSINESS RISK CONT.
Business risk, which can also be categorized as short-term or
operational risk, impacts the return on assets and includes price,
costs and productivity.
Business risks are relatively easy to manage in that there are clear
approaches to managing them and they have low-impact outcomes or
a low probability of occurring.
https://ag.purdue.edu/commercialag/farmrisk/understanding-risk-types/
Direct risks to business…
Indirect risks to business…
People often make the mistake of overlooking things that
don't directly impact their business and are
therefore unprepared to deal with change.
Consider how these scenarios could affect your business:
BUSINESS RISK MODEL AND OPPORTUNITY
[Figure: Business risk model. Environmental Risk; Process Risk (Operations Risk, Empowerment Risk, Information Processing/Technology Risk, Integrity Risk, Financial Risk); Information for Decision Making Risk (Operational Risk, Financial Risk, Strategic Risk).]
BUSINESS RISK MODEL AND OPPORTUNITY cont.
Environmental Risk
• Competitor
• Sensitivity
• Corporate Governance
• Capital Availability
• Catastrophic Loss
• Political
• Legal
• Regulatory
• Industry
• Key Stakeholders
BUSINESS RISK MODEL AND OPPORTUNITY cont.
Process Risk
Operations Risk
• Public Safety
• Customer Satisfaction
• Organization Development
• Product Development
• Efficiency
• Performance Gap
• Compliance/Legislative
• Business Interruption
• Product/Service Failure
• Environmental
• Health and Safety
• Asset Management
Integrity Risk
• Management Fraud
• Employee Fraud
• Illegal Acts
• Unauthorized Use
Empowerment Risk
• Leadership
• Performance Incentives
• Authority/Limit
• Change Readiness
• Outsourcing
• Communication
Information Processing/Technology Risk
• Relevance
• Integrity
• Access
• Availability
• Infrastructure
Also listed on the slide, under a category heading that did not survive extraction:
• Concentration
BUSINESS RISK MODEL AND OPPORTUNITY cont.
Information for Decision Making Risk
Operational Risk
• Pricing
• Contract Commitment
• Performance Measurement
• Alignment
• Regulatory Reporting
Strategic Risk
• Environmental Scan
• Business Portfolio
• Performance Measurement
• Organization Structure
• Resource Allocation
• Planning
Managing risk in business…
The process of identifying risks, assessing risks and developing
strategies to manage risks is known as risk management.
2. PPRR RISK MANAGEMENT MODEL
The prevention, preparedness, response and recovery (PPRR)
model is a comprehensive approach to risk management.
Definition
Business continuity planning (BCP) is the creation of a strategy, through
the recognition of threats and risks facing a company, that aims to ensure
that personnel and assets are protected and able to function in the event
of a disaster.
Four Steps to Developing a Business Continuity Plan
BCP Life Cycle
1. Risk Assessment
This phase includes:
Evaluating physical on-site security and conducting walkthroughs
Reviewing physical and network single points of failure
Evaluating the impact of various business disruption scenarios
Defining the probability of a risk occurring based on a rating system
Prioritizing findings
Developing a roadmap
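The rating system and prioritisation that this phase calls for, worked through in code. This is an added example, not part of the original deck: the 1 to 5 likelihood and impact scales, the level thresholds, the single-point-of-failure tie-break and the sample register are all constructed for illustration.

```python
"""Risk-assessment rating and prioritisation (added example, not from the deck).
Likelihood and impact are each rated 1 to 5; their product is the risk rating.
The scale names, level thresholds and sample risks are constructed assumptions."""
from __future__ import annotations
from dataclasses import dataclass

LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}
LEVELS = ("low", "medium", "high", "extreme")  # ascending severity


@dataclass
class Risk:
    name: str
    likelihood: str
    impact: str
    # Flagged during the single-points-of-failure review; used as a tie-breaker
    # because a single point of failure takes the whole service down at once.
    single_point_of_failure: bool = False

    def rating(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def level(self) -> str:
        score = self.rating()
        if score >= 15:
            return "extreme"
        if score >= 8:
            return "high"
        if score >= 4:
            return "medium"
        return "low"


def prioritise(risks: list[Risk]) -> list[Risk]:
    """Highest rating first; among equal ratings, single points of failure first.
    sorted() is stable, so otherwise-equal risks keep their register order."""
    return sorted(risks, key=lambda r: (r.rating(), r.single_point_of_failure), reverse=True)


def roadmap(risks: list[Risk], treat_at: str = "high") -> list[str]:
    """Names of the findings that need a treatment, in the order to tackle them.
    Risks below `treat_at` are accepted and only monitored."""
    floor = LEVELS.index(treat_at)
    return [r.name for r in prioritise(risks) if LEVELS.index(r.level()) >= floor]


# Constructed register for a small order-fulfilment business.
SAMPLE_RISKS = [
    Risk("Single internet uplink to the order-entry system", "likely", "major",
         single_point_of_failure=True),
    Risk("Ransomware on the file server", "possible", "catastrophic"),
    Risk("Power outage under one hour", "likely", "minor"),
    Risk("Server room flooding", "unlikely", "major", single_point_of_failure=True),
    Risk("Visitor tailgating into the office", "possible", "minor"),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_RISKS):
        print(f"{r.rating():>2} {r.level():<8} {r.name}")
    print("treat:", roadmap(SAMPLE_RISKS))
```

The thresholds are the part to argue about with the business, not the arithmetic: a rating of 8 is "high" here whether it comes from a likely minor event or an unlikely major one, and the single-point-of-failure flag is what separates those two in the roadmap.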
2. Business Continuity Impact Analysis
https://www.fema.gov/media-library/assets/documents/89526
The BIA will identify critical business functions and describe what
would be necessary to recover these functions, in the event of a
disaster or disruption in service.
Gathering this information will help your agency develop a BCP
and will allow for the prioritization of available equipment and
resources, should an event occur.
Business Continuity Impact Analysis cont’d.
The objectives of the BIA are as follows:
Business Continuity Impact Analysis cont’d.
The completed BIA will provide each section with the following information:
Ranking of critical and non-critical business processes.
Assignment of RTOs (recovery time objectives) and RPOs (recovery point objectives) for each business process.
Document listings of key vendors, systems, and vital records.
Estimates of the qualitative and quantitative impacts of an event, based upon
the duration of the unplanned disruption (e.g. 24 hours, 48 hours, 5 days, etc.).
An overview of what would be necessary to recover the functions of the
section or program.
For instance,
Telephones are ringing, and customer service staff is busy talking with
customers and keying orders into the computer system. The electronic
order entry system checks available inventory, processes payments and
routes orders to the distribution center for fulfillment. Suddenly the order
entry system goes down. What should the customer service staff do now?
If the staff is equipped with paper order forms, order processing can
continue until the electronic system comes back up and no phone orders
will be lost.
The order forms and procedures for using them are examples of “manual
workarounds.” These workarounds are recovery strategies for use when
information technology resources are not available.
3. Strategy and Plan Development
https://www.fema.gov/media-library/assets/documents/89526
4. Implementation
https://www.fema.gov/media-library/assets/documents/89526
This phase centers on:
• Distributing the plan to all key stakeholders
• Conducting training sessions to help ensure employees are
comfortable with the steps outlined in the plan
5. Rehearse, Maintain and Review
https://www.fema.gov/media-library/assets/documents/89526
Developing a recovery plan
A recovery plan will help you respond effectively if an incident or crisis
affects your business. Your recovery plan contains information relating to
planning for recovery as well as the resumption of critical business
activities after a crisis has occurred.
In developing a recovery plan:
A | Review your time frame for recovery
B | Develop recovery strategies
C | Monitor the recovery process using a checklist
A | Review your time frame for recovery
• A recovery time frame covers the time from when an incident or crisis happens to the time
your business can resume usual operations.
• Critical activities are those that your business couldn't operate without. Think about how
long your business could cope, without serious financial losses, if your key services,
resources and staff were affected by a crisis and you were unable to conduct these
activities. Then think about how you would get them back on track if something did
happen, and how long it would take.
• You should assign a recovery time objective to each of your critical business activities.
• This will help you prioritize your business activities so you can work out what will need
attention first if a crisis does happen.
• Your recovery plan is part of your business continuity plan, which outlines practical strategies
to help you manage and recover from a crisis. A business continuity plan also includes
your risk management plan, business impact analysis and incident response plan.
B | Develop recovery strategies
• You can develop and implement strategies that will help your business recover from an
incident or crisis. Your recovery strategies should demonstrate a clear understanding of
your business's recovery objectives and reflect what the business needs to continue
operating. Prioritize critical business functions and record a recovery time for each. This
process will highlight the actions you should list in your recovery plan.
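The BIA deliverables listed earlier (criticality ranking, RTO and RPO per process, vendor and system listings, impact estimates at 24 hours, 48 hours and 5 days, and what each process needs to recover) and the recovery time objectives this section asks you to record, carried through as one worksheet in code. This is an added example, not from the deck or its FEMA source; the processes, hourly revenue figures, RTO/RPO values and the 24-hour criticality threshold are constructed.

```python
"""Business impact analysis worksheet (added example, not from the deck).
All processes and figures are constructed; the 24-hour criticality threshold
is an assumption, not a figure the deck gives."""
from __future__ import annotations
from dataclasses import dataclass

# Outage durations used in the deck's impact estimates: 24 hours, 48 hours, 5 days.
DURATIONS_HOURS = (24, 48, 120)
MAX_TOLERABLE_OUTAGE_HOURS = 24   # assumption: anything that must be back sooner is critical


@dataclass
class BusinessProcess:
    name: str
    rto_hours: float                 # recovery time objective: longest tolerable outage
    rpo_hours: float                 # recovery point objective: longest tolerable data loss
    revenue_per_hour: float          # drives the quantitative impact estimate
    qualitative_impact: str          # reputational, legal or staff consequences
    systems: tuple[str, ...] = ()    # IT systems the process depends on
    key_vendors: tuple[str, ...] = ()
    manual_workaround: str | None = None   # paper process that keeps work going


def financial_impact(process: BusinessProcess, outage_hours: float) -> float:
    """Quantitative impact of an unplanned disruption lasting outage_hours."""
    return process.revenue_per_hour * outage_hours


def impact_by_duration(process: BusinessProcess) -> dict[int, float]:
    return {h: financial_impact(process, h) for h in DURATIONS_HOURS}


def criticality(process: BusinessProcess) -> str:
    return "critical" if process.rto_hours <= MAX_TOLERABLE_OUTAGE_HOURS else "non-critical"


def ranked(processes: list[BusinessProcess]) -> list[BusinessProcess]:
    """Recovery order: shortest RTO first, highest hourly loss breaking ties."""
    return sorted(processes, key=lambda p: (p.rto_hours, -p.revenue_per_hour))


def recovery_requirements(process: BusinessProcess) -> list[str]:
    """What the section needs in order to bring the process back."""
    reqs = [
        f"restore {system} within {process.rto_hours:g} h "
        f"from a backup no older than {process.rpo_hours:g} h"
        for system in process.systems
    ]
    reqs += [f"confirm vendor contact and their own continuity plan: {v}"
             for v in process.key_vendors]
    if process.manual_workaround:
        reqs.append(f"activate manual workaround immediately: {process.manual_workaround}")
    return reqs


def bia_report(processes: list[BusinessProcess]) -> list[dict]:
    """The completed BIA, one row per process, in recovery order."""
    return [
        {
            "process": p.name,
            "criticality": criticality(p),
            "rto_hours": p.rto_hours,
            "rpo_hours": p.rpo_hours,
            "financial_impact": impact_by_duration(p),
            "qualitative_impact": p.qualitative_impact,
            "requirements": recovery_requirements(p),
        }
        for p in ranked(processes)
    ]


# Constructed sample for the order-fulfilment business in the deck's example.
SAMPLE_PROCESSES = [
    BusinessProcess("Payroll", 72, 24, 0.0, "staff paid late",
                    systems=("payroll SaaS",), key_vendors=("payroll provider",)),
    BusinessProcess("Order entry", 4, 1, 2000.0, "phone orders lost to competitors",
                    systems=("order-entry database",), manual_workaround="paper order forms"),
    BusinessProcess("Warehouse dispatch", 8, 4, 1500.0, "contract delivery penalties",
                    systems=("warehouse management system",), key_vendors=("courier",)),
    BusinessProcess("Marketing website", 48, 24, 100.0, "reputation; web orders diverted to phone",
                    systems=("web server",)),
]

if __name__ == "__main__":
    for row in bia_report(SAMPLE_PROCESSES):
        print(row["process"], row["criticality"], row["financial_impact"])
        for req in row["requirements"]:
            print("   -", req)
```

The RPO is what ties the BIA to the backup schedule: a process with a one-hour RPO cannot be served by a nightly backup, and the report makes that mismatch visible before the outage does.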
B | Develop recovery strategies
The following are some strategies to consider when developing a
recovery plan for your business.
• Nominate staff to be part of a recovery team, assign backups and ensure that all are aware of their
roles and functions in the recovery process. Your recovery team could be similar to your incident
response team.
• Ensure that more than 1 person knows how to do a certain task and you don't risk losing essential
skills or knowledge if something happens to one of your staff members.
• Make sure your team can use manual processes in case your equipment or machinery is damaged.
• If you deal with hazardous materials or special equipment, or work in risky environments, you may need to
provide training for your staff so they can do their jobs safely and respond after an incident. This will
help you reduce the impact a crisis may have on your business and help you recover more quickly.
B | Develop recovery strategies
Review your emergency kit and contact lists
• As part of your incident response plan you should have developed an emergency
kit that includes key documents that will be essential for recovery. Make sure the
emergency kit is stored safely off site in case your premises are unreachable in a crisis.
• Put together contact lists of all people who may be affected by a crisis, including staff,
key customers and suppliers and your insurance company. You may need to let your
customers and suppliers know of alternative methods of contacting you or placing
orders and what to expect from your business in the event of a lengthy outage.
• Record contact details of people who can fix your equipment, machinery and systems
if they are damaged.
B | Develop recovery strategies
Maintain external communications
• Keep the lines of communication open with your customers, suppliers and other
stakeholders such as business partners. Make sure that you have contact lists of all people
who may be affected by the incident. Effective and timely communication will create and
build the perception that your business is under control, that you know and understand
what is happening, and that the situation will be resolved.
B | Develop recovery strategies
Identify alternative suppliers, facilities and equipment
• Develop relationships with more than 1 supplier, so that if one is affected by an incident your
business can continue as usual.
• Establish a disaster recovery location where you and your staff can work off site, if necessary, and
will be able to access critical backup systems, records and supplies. This may be a room or space at
another business location or at a hotel or home.
• Determine which assets (including documents) are essential for recovery and therefore require
protection.
• Be prepared for the possibility of broken or damaged equipment, machinery and systems. Know
who can fix them and have their contact details at hand. Consider renting or borrowing equipment
if possible. Find out who you can rent or borrow equipment from if yours is damaged or
unreachable.
• Factor in disruptions to electricity, gas, water, sewerage and telecommunications systems. Work
out what backup systems or alternatives are available.
B | Develop recovery strategies
Keep your business operating
• Be prepared for cash flow emergencies. Keep enough cash on hand to handle
immediate needs and consider setting up internet banking services.
• Assess your processes to work out if you can reduce your operating costs.
• Assess the impact of the crisis on your business and consider a range of business
strategies to keep your business operating.
• Consider doing business online as this may allow you to operate even if your premises
are damaged.
C | Monitor the recovery process using a checklist
• Once a crisis has passed and it is safe to return to your premises, there are a number of
steps that you need to take. As part of your recovery plan you should develop a checklist to
use as you assess the extent of the damage after a crisis and monitor the recovery process.
Cybersecurity for your business
Protecting your business from cybercrime
• Read recommendations from the Queensland Police
Service about preventing cybercrime.
• Register for the Australian Government's Stay Smart
Online alert service to stay updated on cybersecurity
threats.
• Read the Australian Taxation Office's top
cybersecurity tips for business and complete
the online security self-assessment.
Reporting cybercrime
• You can report suspected cybersecurity threats to
your business
Information technology (IT) risk management
• IT risks include hardware and software failure, human error, spam, viruses and
malicious attacks, as well as natural disasters such as fires, cyclones or floods.
• Managing IT risk involves these steps:
• identify risks
• assess risks
• mitigate risks
• develop response plans
• review risk management procedures
Legal requirements
• As a first step in managing IT risks, you should be aware of the legal and
legislative requirements for business owners (Privacy Laws, RA 10173 –
Data Privacy Act of 2012 – DICT)
IT risk assessment
• Having identified risks and likely business impacts, the development of a business continuity
plan can help your business survive and recover from an IT crisis. A business continuity plan
identifies critical business activities, risks, response plans and recovery procedures.
• IT policies and procedures explain to staff, contractors and customers the importance of
managing IT risks and may form part of your risk management and business continuity plans.
• Security policies and procedures can assist your staff training on issues such as:
• safe email use
• setting out processes for common tasks
• managing changes to IT systems
• responses to IT incidents.
• A code of conduct can provide staff and customers with clear direction and define acceptable
behaviors in relation to key IT issues, such as protection of privacy and ethical conduct.
• How you respond to information technology (IT) incidents determines how well your
business recovers, and also influences customers' ideas about your reliability.
Your IT risk management plan and business continuity plan should include:
• IT incident response plans
• emergency response plans
• recovery plans.
Responding to an information technology incident
Protecting IT and Data System
Online security is vital to protect your company's virtual assets (electronic data) and IT
systems.
Data protection and a secure online presence will build your customers' trust and help
you meet legal obligations, such as privacy laws.
IT data and systems are at risk of hacking, malware, viruses, spam and online scams
that may corrupt your hardware or allow criminals to steal private data.
1. Security threats to IT data and systems
2. Securing computers, servers and wireless networks
Steps to guard against internal threats to IT systems:
Allow only authorized staff to access IT data and systems.
Put IT policies and procedures in place.
Be careful about employees connecting portable devices to work systems.
Be alert for spam claiming to be from 'trusted' email senders. Check that the sender's address, not just
the display name, belongs to the organisation it claims; banks, for example, do not ask for credentials or
payments by email.
Think before opening attachments or sharing information to ensure data protection.
Store data carefully: choose who has access to it and decide what devices you allow staff to
connect to your network.
Password protect your website's administrative and customer areas so that only authenticated users can access them.
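A check for the "spam claiming to be from trusted senders" item above, as an added example that is not from the deck. It parses a constructed message and reports the signs a practitioner looks for first: a display name that names a trusted sender while the address domain is something else, a Reply-To that goes elsewhere, and links to hosts outside the sender's domain. The TRUSTED_SENDERS mapping and both sample messages are assumptions made for the example.

```python
"""Signs that an email only claims to come from a trusted sender
(added example, not from the deck). The trusted-sender table and the two
sample messages are constructed."""
from __future__ import annotations
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Keyword expected in the display name -> domain the real sender uses (assumed).
TRUSTED_SENDERS = {"example bank": "bank.example"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def _domain(address: str) -> str:
    return address.rpartition("@")[2].lower()


def _same_org(host: str, domain: str) -> bool:
    """host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def link_hosts(body: str) -> set[str]:
    hosts = set()
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def suspicious_signs(raw_message: str, trusted: dict[str, str] = TRUSTED_SENDERS) -> list[str]:
    """Return human-readable reasons to distrust the message; empty means none found.
    This is a triage aid for staff, not proof either way."""
    msg = message_from_string(raw_message)
    name, address = parseaddr(msg.get("From", ""))
    from_domain = _domain(address)
    body = msg.get_payload() if not msg.is_multipart() else ""
    signs = []
    # 1. The display name claims a trusted organisation but the address does not.
    for keyword, real_domain in trusted.items():
        if keyword in name.lower() and not _same_org(from_domain, real_domain):
            signs.append(f"display name mentions '{keyword}' but the address domain is {from_domain}")
    # 2. Replies would go somewhere other than the apparent sender.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and _domain(reply_to) != from_domain:
        signs.append(f"Reply-To goes to {_domain(reply_to)}, not {from_domain}")
    # 3. Links lead away from the sender's own domain.
    for host in sorted(link_hosts(body)):
        if not _same_org(host, from_domain):
            signs.append(f"link points to {host}, not the sender's domain")
    return signs


# Constructed samples; the domains are reserved test names, not real senders.
PHISHING_EMAIL = (
    'From: "Example Bank Security" <alerts@bank-example-login.test>\n'
    "Reply-To: recover@mail.test\n"
    "To: owner@shop.test\n"
    "Subject: Verify your account\n"
    "\n"
    "Your account is locked. Confirm at http://verify-now.test/login now.\n"
)
LEGIT_EMAIL = (
    'From: "Example Bank" <alerts@bank.example>\n'
    "To: owner@shop.test\n"
    "Subject: Statement available\n"
    "\n"
    "Your statement is ready at https://secure.bank.example/statements\n"
)

if __name__ == "__main__":
    for label, raw in (("phishing", PHISHING_EMAIL), ("legitimate", LEGIT_EMAIL)):
        print(label, suspicious_signs(raw) or ["no signs found"])
```

The checks deliberately look only at what the recipient can see in the headers and body; a From address can be forged outright, so in production this sits alongside SPF, DKIM and DMARC results from the mail gateway rather than replacing them.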
Securing computers, servers and wireless networks
Steps to guard against external threats to IT systems:
Install anti-virus and anti-spyware software, including spam filters, and ensure they are
turned on and updated regularly.
Enable wireless or wi-fi network security and change the default password immediately,
because most default passwords are well known to attackers.
Install a software firewall, normally included in IT security bundles or operating systems.
Choose strong passwords: long passphrases that are unique to each account, and enable
multi-factor authentication wherever it is offered. Change a password when there is reason to
believe it has been exposed rather than on a fixed schedule; current guidance (NIST SP 800-63B)
dropped forced periodic changes because they push users toward predictable patterns.
Back up data regularly, store copies of backups off site, and test restoring from them; a backup
that has never been restored is an assumption, not a control.
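The "back up regularly and store copies off site" item above only pays off if the restore can be trusted and the backup is recent enough. The following added example (not from the deck) records a SHA-256 manifest when the backup is taken, checks a restored copy against it, and tests the backup's age against a recovery point objective (RPO). The file contents, timestamps and 24-hour RPO are constructed.

```python
"""Backup manifest, restore verification and RPO check (added example, not
from the deck). The sample files, timestamps and RPO are constructed."""
from __future__ import annotations
import hashlib
import json
from datetime import datetime, timedelta, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict[str, bytes], taken_at: datetime) -> dict:
    """Digest every file at backup time. Keep the manifest with the off-site
    copy but on separate media from the backup, so a corrupted or tampered
    restore cannot also rewrite the digests it is checked against."""
    return {
        "taken_at": taken_at.isoformat(),
        "files": {name: sha256_hex(data) for name, data in sorted(files.items())},
    }


def manifest_fingerprint(manifest: dict) -> str:
    """One digest for the whole manifest, to record in a log or ticket at
    backup time and compare at restore time."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(canonical)


def verify_restore(manifest: dict, restored: dict[str, bytes]) -> list[str]:
    """Compare a restored copy against the manifest. An empty list means every
    file came back with the expected content and nothing extra appeared."""
    problems = []
    for name, expected in manifest["files"].items():
        if name not in restored:
            problems.append(f"missing: {name}")
        elif sha256_hex(restored[name]) != expected:
            problems.append(f"corrupted: {name}")
    for name in restored:
        if name not in manifest["files"]:
            problems.append(f"unexpected: {name}")
    return problems


def within_rpo(manifest: dict, now: datetime, rpo: timedelta) -> bool:
    """True if restoring this backup loses no more data than the RPO allows."""
    taken_at = datetime.fromisoformat(manifest["taken_at"])
    return now - taken_at <= rpo


# Constructed sample: two files backed up at 02:00 UTC on 1 March 2024.
BACKUP_TIME = datetime(2024, 3, 1, 2, 0, tzinfo=timezone.utc)
SOURCE_FILES = {
    "orders.db": b"id,customer,total\n1,acme,120.00\n",
    "customers.csv": b"acme,ops@acme.test\n",
}
MANIFEST = build_manifest(SOURCE_FILES, BACKUP_TIME)
GOOD_RESTORE = dict(SOURCE_FILES)
TAMPERED_RESTORE = {
    "orders.db": SOURCE_FILES["orders.db"],
    "customers.csv": b"acme,ops@attacker.test\n",   # one byte sequence changed
}
RPO = timedelta(hours=24)
CHECK_TIME_SAME_DAY = BACKUP_TIME + timedelta(hours=18)
CHECK_TIME_TWO_DAYS = BACKUP_TIME + timedelta(days=2)

if __name__ == "__main__":
    print("manifest fingerprint:", manifest_fingerprint(MANIFEST))
    print("good restore:", verify_restore(MANIFEST, GOOD_RESTORE) or "OK")
    print("tampered restore:", verify_restore(MANIFEST, TAMPERED_RESTORE))
    print("within RPO same day:", within_rpo(MANIFEST, CHECK_TIME_SAME_DAY, RPO))
    print("within RPO two days later:", within_rpo(MANIFEST, CHECK_TIME_TWO_DAYS, RPO))
```

A plain hash manifest detects corruption and accidental change; against an attacker who can reach the off-site copy it only helps if the manifest (or its fingerprint) is kept somewhere that copy cannot overwrite, which is why the fingerprint is meant to be written into a log or ticket rather than stored next to the data.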
3. Policies and procedures for protecting IT data and systems
Business owners have legal obligations to secure data and
protect the privacy of their customers' information. To
safeguard your online customers, you need policies that
comply with the laws on privacy, spam and electronic transfers.
Policies can cover:
privacy of customer data
code of conduct
business procedures.
Electronic transaction laws
Legally there is no difference between electronic financial transactions and cash transactions,
and your online security must comply with national and state laws.
Procedures for using IT systems
You must have defined procedures about using and accessing IT data and systems, backing up
data and data protection. Such procedures define how employees and contractors behave. For
example, IT procedures could instruct staff to always delete spam without opening
attachments, which can contain viruses.
IT risk management and business continuity planning
You need to identify risks to your IT data and systems and put in place measures, such as TLS (SSL)
certificates, firewalls, strong authentication and anti-virus software, to protect you and your customers. A
risk management plan can help you identify and manage risks to IT data and systems.
5. Managing Risk in Supply Chains
A supply chain consists of the different activities that transform natural resources, raw
materials and components into a finished product that is delivered to the end customer.
When one business within the supply chain fails to deliver their product or service to the
next business in the chain, the entire supply chain can be disrupted.
A business with a resilient and responsive supply chain will have a significant
competitive advantage over other businesses.
1. Identifying supply chain risks
You can limit the impact of supply chain disruptions on your
business by identifying the risks within your supply chain and
developing ways to mitigate them. You should document this
process in a risk management plan, which is part of your
overall business continuity plan.
External supply chain risks
External risks can be driven by events either upstream or
downstream in the supply chain. There are 5 main types of
external risks:
• demand risks - caused by unpredictable or misunderstood customer or end-customer demand
• supply risks - caused by any interruptions to the flow of product, whether raw material or
parts, within your supply chain
• environmental risks - from outside the supply chain; usually related to economic, social,
governmental, and climate factors, including the threat of terrorism
• business risks - caused by factors such as a supplier's financial or management stability, or
purchase and sale of supplier companies
• physical plant risks - caused by the condition of a supplier's physical facility and regulatory
compliance.
Internal supply chain risks
Internal risks provide better opportunities for mitigation
because they are within your business's control:
• manufacturing risks - caused by disruptions of internal operations or processes
• business risks - caused by changes in key personnel, management, reporting structures or
business processes, such as the way purchasers communicate to suppliers and customers
• planning and control risks - caused by inadequate assessment and planning, which amount to
ineffective management
• mitigation and contingency risks - caused by not putting contingencies (or alternative
solutions) in place in case something goes wrong
• cultural risks - caused by a business's cultural tendency to hide or delay negative information.
Such businesses are generally slower to react when impacted by unexpected events.
2. Preparing for supply chain disruptions
• The best way to manage a supply chain disruption is to prepare for it. You should
undertake a business impact analysis to prepare your business to address the
impacts of supply chain disruption.
• A business impact analysis identifies your key business processes, and the
activities and resources you need to operate your business. It assesses how these
key elements will be affected by supply chain interruptions highlighted in
your risk management plan.
• The degree of impact on your business will depend on the severity and length of
the disruption, but most disruptions will have a financial effect.
• Disruptions can be internal, such as a breakdown of vital machinery, or external,
such as interruptions to the flow of raw materials or parts to your business. The
business impact analysis allows you to measure how supply chain disruptions
may affect business activities, including financial management.
Preparing for supply chain disruptions
For example, if vital machinery breaks down and disrupts production, the
impacts on various business activities could include:
• inventory management of raw materials and finished goods
• supplier relations
• ordering and purchasing
• staffing
• sales and revenue
• marketing aspects including customer relations and business reputation
• financial management.
By identifying the key business activities affected by disruptions to your
supply chain, you can prioritise your efforts to focus on those activities that
would have the most impact on your bottom line.
3. Responding to supply chain disruptions
Although prevention and being prepared go a long way toward ensuring supply chain
continuity, disruptions can still occur. Creating an incident response plan will allow you to
effectively manage your business's immediate response if your supply chain is disrupted.
It's critical to have a plan in place to deal with supply chain interruptions if and when they
occur. In general, the longer it takes to restore supply, the greater the costs to your business.
These costs can include:
• interrupted stream of revenue
• lost revenue from customers switching to competitors
• overall customer dissatisfaction
• damaged business reputation
• penalty payments for contractual non-performance clauses.
Responding to supply chain disruptions
As well as reducing the potential costs to your business, an incident response plan also has
several other benefits:
• It gives you a better understanding of your supply chain processes.
• It provides a course of action when a supply interruption occurs.
• It allows any knowledgeable person in your business to take immediate action to restore
supply if key staff are unavailable.
Your incident response plan should:
• identify actions for shortening the duration of a disruption, thereby minimising its impact
on your business
• identify resources - human, financial and material - that will be required to carry out these
activities
• indicate what triggers will implement the plan (e.g. once stock decreases to a certain level
you will implement the plan).
6. Keeping Your Workplace Safe
As an employer, you are legally obligated to provide a safe workplace for yourself, your
workers, customers, and other people such as members of the public and visitors. This
is a requirement under the Work Health & Safety Act 2011
(https://www.worksafe.qld.gov.au/laws-and-compliance/workplace-health-and-safety-laws/laws-and-legislation/work-health-and-safety-act-2011).
Work health and safety obligations apply to everyone involved in a business. Ensure you
meet your obligations by familiarising yourself with the laws and following them.
1. Workplace incidents
Preparing for workplace incidents
Preparing for emergency situations
Reporting and recording workplace incidents
Investigating workplace incidents
Resolving and recovering from workplace incidents
2. Work health and safety risk management
All businesses, regardless of their structure or size, must have work health and safety risk
assessment that is current and meets legal obligations.
A strong risk management plan, as part of a larger business continuity plan, will improve
your business resilience and help you recover from incidents.
Work health and safety risk management
Risks and hazards
A hazard is something with the potential to cause harm. A risk is the likelihood that the harm will occur from
exposure to the hazard.
Workplace hazards involving the risks of illness or injury may include:
chemicals and substances hazards - such as hazardous substances and dangerous goods, asbestos, lead and waste management
biological hazards and infectious diseases - such as legionella and hendra virus
physical hazards - such as equipment, confined spaces, electrical hazards and working at heights
manual tasks hazards - such as the use of the human body to perform any kind of manual task
environmental hazards - such as noise, lighting, surrounding environment (including uneven floor surfaces, etc.), cold, dust and heat stress
psychosocial hazards - such as fatigue, work-related stress, workplace harassment and occupational violence.
Work health and safety risk management
Risk management legislation
Under the How to manage work health and safety risks code of practice 2011, to properly manage
exposure to risks you must:
1.look for the hazards
2.determine who might be harmed and how
3.decide on control measures
4.put controls in place
5.review the controls.
Work health and safety risk management
Risk management legislation (cont)
Control measures should be implemented in the following order:
1.Get rid of the harm or prevent the risk.
3. Managing work health and safety in your business
Build business resilience
▷ Improve how you will deal with workplace incidents by developing a business continuity plan and conducting
a comprehensive analysis of how your business could be affected by various possible incidents.
▷ If your business does suffer from a major incident, having a business continuity plan could help you
continue to operate and avoid having to close.
▷ A business continuity plan includes a risk management plan, a business impact analysis, an incident
response plan and a recovery plan.
▷ Use our business continuity plan template.
Managing work health and safety in your business
Improve your safety performance through safety leadership
The Safety Leadership at Work Program is designed to improve safety culture and contribute to reducing work
related injuries and fatalities in Queensland workplaces. Join the program for free and learn how to influence
and build a positive safety culture through:
webinars, forums and safety leadership events (receive special membership rates)
films, benchmarking tools and case studies
updates on leading industry practices
direct access to business leaders to apply their learnings directly to your own business
networking opportunities to explore solutions to common issues and influence your industry's safety culture.
MANAGING WORK HEALTH AND SAFETY IN YOUR BUSINESS
Access Workplace Health and Safety Queensland's resources
You may be eligible for a Workplace Health and Safety Queensland (WHSQ) small business advisor to visit your
workplace and assess your situation. They can give you advice on your safety management system and provide
information on solutions available to fix health and safety issues. Find out if you're eligible and arrange
a workplace consultation for your business.
7. Avoiding Business Scams
If your business is scammed or defrauded, you could lose money and suffer other consequences, such as
damage to your reputation.
To protect your business, it is important that you can recognise common scams and know how to report them.
1. Scams and fraud
Consumers
Common scams:
• online shopping scams
• classifieds scams
• mobile phone plans
• identity theft scams
• reclaim scams.
Personalised scams:
• door-to-door scams
• dating and romance scams
• charity scams.
Scams that pose as opportunities:
• unexpected prize and lottery scams
• pyramid schemes scams
• travel prize scams
• inheritance scams
• investment scams
• Nigerian scams
• health and medical scams
• betting and sports investment schemes.
Businesses
• false billing
• malware and ransomware
• overpayment scams
• phishing scams
• remote access scams.
2. Protect yourself against scams
• To protect your bank account:
• never give money, credit card details or online account details to anyone you don’t know and trust
• keep your receipts
• check your bank account and credit card statements
• report any unexplained transactions to your bank.
• keep your bank cards safe
• make sure nobody else knows your PIN.
• To protect yourself online:
• To protect yourself while shopping:
• don’t pay any invoice unless the goods or services were both ordered and delivered
• if someone comes to your door
• you should check their identification
• you do not have to let them in
• they must leave if you ask them
• read and understand all of the terms and conditions before signing anything
• for major purchases, take the contract away with you overnight
• make sure you know how to stop any subscription service you sign up to
• always get independent advice if an offer requires a lot of your money or time.