Risk management plan
Table of Contents
Activity 1: Risk management strategy
Risk factors for financial investment and insurance products
Risk exposure management strategy
Communication to relevant personnel
Strategy for portfolio managers and target businesses in inclusion
Organisational policy, procedures, guidelines and authorities
Actuarial and financial principles and processes
Evaluation of the risks and hazards
Risk acceptance and rejection criteria
Terms and conditions for risk acceptance
High and low hazard financial and legislative risk areas
Outline of the risk acceptance strategy
Activity 2: Implementation plan
Management of the implementation strategy
Activity 1: Risk management strategy
1. Risk management strategy
Risk factors for financial investment and insurance products
The organisation is exposed to several risk factors across its products and services: credit, governance, development, strategic, liquidity and operational risk. Credit risk is the financial loss incurred when customers fail to meet their financial obligations. Liquidity risk arises when the organisation cannot fund its assets or meet its financial obligations as they fall due [1]. Regulations, policies, procedures and standards create governance risks that indirectly affect the management and operational structure of the business. Business activities and their outcomes, especially promotion and marketing, can create development risks.
Operational risks result from the failure or disruption of internal business operations and procedures. Strategic risks, when they materialise, can cause significant financial and reputational loss to the business. Technological risks such as cyber security cut across all the identified risks, because the business relies heavily on technology and the internet to work with its various stakeholders [2]. There is therefore a critical need for a risk management strategy that helps the organisation identify and assess risks and adopt a viable approach to mitigating them.
Risk exposure management strategy
The organisation has four main risk exposures: compliance failures, brand damage, liability issues and security breaches. Of these, security breaches, especially those caused by cyber security failures, are the most significant. The risk exposure management approach has several components. First, information risk management ensures that stakeholders have access to accurate information throughout business operations. Information risk management sets up the policies, procedures and technologies that reduce cyber security threats [2]. It includes identifying and managing weak or vulnerable data security, and identifying and managing risks that arise from third-party vendors. Information risks are handled through a four-stage model: plan, assess, handle, and monitor and report [3].
The second major component of the strategy is access management. It ensures that unauthorised persons cannot access systems or data storage, with a focus on security, authentication, authorisation and monitoring. Each individual's access to data, services and assets is monitored and managed under the organisational policies, procedures and technological setup [4]. Third, there is a focus on monitoring and detection of cyber risks. This includes tools and software that automate monitoring and detection, together with cyber security specialists who investigate abnormal activity in the organisational computer network. Fourth, the strategy includes user education and awareness programs and procedures. For instance, new employees go through a comprehensive training program, after which their understanding is assessed. The program covers their roles, responsibilities and accountability for business operations and outcomes.
Further, the strategy ensures that protective security processes and procedures are in place when employees and external users access the services and products. Protective security processes help prevent accidental exposure of critical data and ensure that only the intended and permitted process is executed for the user [3]. In addition, when a risk materialises, the risk and its impacts must be reported to the responsible person in the business.
Communication to relevant personnel
The communication strategy has two main considerations: the objective of the communication and the person being addressed. For instance, notice boards ensure that every staff member sees a notice in time and can support its mitigation. Social media is used whenever customers are facing issues; it makes them aware of the issues and of the business's strategic approach to the risks [5]. Email is significant when a particular strategy needs to be shared with specific people in the business, and when strict adherence to procedures and approaches is required to maintain quality and service availability. Further, internal meetings, briefings and online conferences are the main ways to share information verbally with relevant staff members.
Personally manage
Accountability must be defined along with the roles and responsibilities of staff so that they can contribute to improved cyber security. For instance, the organisational systems should be designed to prevent common mistakes an employee can make during routine operations, using technical controls and services that assist employees in their practice. Each individual is accountable for the legitimate use of the systems and services, and employees should recognise and avoid phishing emails. Management can provide up-to-date information on applicable technological vulnerabilities, together with training, so that employees stay current and manage risk better.
Strategy for portfolio managers and target businesses in inclusion
The strategy is intended for portfolio managers, whose role is to manage the business products and services in light of internal and external market conditions and trends. It is prepared for a financial services business but is widely applicable to other businesses in the same and other industries where the internet is the backbone of the business. Cyber security is the core risk under discussion, and it is assumed that almost every industry depends on internet services and faces a comparable level of cyber security risk, so organisations across industries can adopt the same mitigation approach.
Components of the strategy
Compliance requirements
The strategy integrates several compliance requirements to ensure organisational continuity against the major risks and challenges. For instance, the Corporations Act 2001 regulates business activities in the country. Similarly, the Insurance Act 1873 sets minimum solvency and capital requirements for business operations. Together with the Insurance Contracts Act, these acts ensure good faith towards customers and other stakeholders [6] and help manage financial viability for the strategic implementations. Through these regulations, the organisation can ensure fair, transparent and ethical services to customers. Considering the cyber security risk, the strategy integrates the Privacy Act and therefore the major privacy principles it sets out. For instance, the strategy requires appropriate storage and protection of personal and sensitive information, and that the organisation implements appropriate measures to uphold privacy [7]. The Consumer Protection Act is integrated into the strategy to ensure that customers receive the right information and advice regarding data management and risk mitigation; it also helps the organisation make customer-centric decisions in risk management. The strategy implements ASIC regulations to uphold consumer protection.
The cyber security risk management practices are designed to be legally sound. The Financial Transaction Act is considered to ensure that transactions with other parties are secure and reliable over the public network. The Anti-Money Laundering and Counter-Terrorism Act also sets guidelines and standards for employees and customers so that they have a safer environment when using the services and products [2]. Financial sector-specific acts and regulations such as the Credit Act and Cheque Act are also integrated to ensure that the business process is free from vulnerabilities and that data is managed efficiently throughout the process.
Organisational policy, procedures, guidelines and authorities
Performance targets are considered in assessing and accepting risk. For instance, the organisation complies with legislation and regulations, and its risk assessment is applied consistently. Individuals at the workplace comply with organisational policy and procedures. Judged by its previous handling of similar risks, the organisation has a good risk mitigation record [8]. It has undertaken risks up to the fifth level. However, only 60% of the risk is undertaken, and for that it has adopted strategic risk management practices with adequate risk management skills and resources.
Relevant risks
Australian risk management standards are used to identify and classify the risks. For instance, ISO 31000 provides comprehensive guidelines and principles that help the organisation with risk analysis and assessment. Integrating this standard improves operational efficiency and builds the confidence of stakeholders and governance bodies [9]. Low-risk and high-risk areas are identified from risk exposure, compliance, current market conditions, breaches and losses. The organisation has minimal risk exposure for staff members and external stakeholders while operations meet the regulatory requirements. Operations are consistent with market trends and conditions, and risks such as credit, liquidity and operational risk are within the accepted level of exposure.
However, there are also some high-risk areas. For instance, cyber security failures can cause compliance breaches if consumer data is not managed with sufficient security, resulting in financial loss and loss of market segment. There is a high risk of damage to business reputation and public relations, and cyber security risks can affect access to business assets and services.
Actuarial and financial principles and processes
Actuarial analysis is used to estimate the likelihood of the risks through statistical and mathematical analysis. Cyber security risk is identified as likely to occur, so a strategic approach is needed to mitigate its impact [10].
Relevant industry hazards
The organisation has five main industry hazards: business continuity, internal, external, marketplace and financial hazards. Cyber security and similar risks can cause financial and market loss and have an indirect impact on business operations in both the internal and external business environment.
Evaluation of the risks and hazards
The organisation is exposed to state-sponsored attacks, which can lead to regulatory action. Cyber security attacks can result in credential theft and identity theft; employees and customers might lose access to their accounts and business continuity might be interrupted. Errors by employees during operations can allow a third party to access data and critical business services. Without strong security mechanisms on communication channels, an attacker can steal or modify data in transit [11]. Phishing attacks are also common: an attacker impersonates a trusted source to obtain credentials and other sensitive information from users [6]. Ransomware is a further risk: it renders system data inaccessible or lost until a ransom is paid.
Risk mitigation strategies
The organisation is recommended to use risk acceptance and risk transfer strategies. First, risk acceptance helps the organisation reduce potential risks through real-time decision-making: it allows the risk and its impacts to be controlled before the risk becomes a major challenge to business sustainability, using internal capabilities to meet the requirements. Second, risk transfer is useful when the organisation works with third-party vendors and businesses [11]. In such cases, transferring risks to a third party can improve security and risk mitigation, and it saves business resources and capabilities such as time and cost.
Risk assessment criteria
Risk impact | Insignificant | Minor | Medium | Major | Catastrophic |
--- | --- | --- | --- | --- | --- |
Financial (loss) | Loss <5% | Loss 5-15% | Loss 16-40% | Loss 41-75% | Loss >75% |
Financial (cost overrun) | Cost exceeds <5% | Cost exceeds 5-20% | Cost exceeds 21-40% | Cost exceeds 41-60% | Cost exceeds >60% |
Financial (revenue) | Revenue <10% | Revenue 10-20% | Revenue 21-30% | Revenue 31-50% | Revenue >51% |
Marketplace | Customer disappointment with services | Disappointment is expressed to the business | Disappointment leads to lost repeat business | Declining customer visits and trust | Negative opinion spreading widely |
Operations | Services are recoverable internally but not working | Services are recoverable externally but not working | Disruption in the services | Disruption is expanding to other services | Business functions are failing due to disruptions |
Reputation | Bad reputation within the business | Bad reputation within the business and among local people | Bad reputation among specific suppliers and people | Bad reputation in the market but limited to a few people | Publicly bad reputation |
Risk acceptance and rejection criteria
Risk level | Acceptance criteria | Recommended action |
--- | --- | --- |
Catastrophic | Unacceptable | Must implement risk reduction measures |
Major | Unacceptable | Must implement risk reduction measures |
Medium | Medium | Should implement risk reduction measures |
Minor | Acceptable | Risk reduction measures may be implemented |
Insignificant | Acceptable | Risk reduction measures may be implemented |
Terms and conditions for risk acceptance
The organisation must accept certain terms and conditions when accepting high risks. It should follow a strict risk assessment procedure to identify the risk factors and ensure mitigation within time and cost. The procedure needs to be supported by legal advice, and the variables and parameters for risk acceptance or rejection should be considered. Top management is responsible for approving or denying a risk acceptance proposal, which covers the information collection process, validation against compliance and mapping of the legal requirements [11]. On approval, contingency plans must be designed; these plans need approval and must be communicated to others. Each individual is accountable for the roles and responsibilities assigned to them. The technical team needs to identify the variants and proportions of the risk while ensuring timely diversification of the risk to mitigate its impact on the business and its critical components.
High and low hazard financial and legislative risk areas
The high hazard financial risk area relates to customer financial information and the security system used for authentication. The low hazard risk area covers the operations, management and marketing functions. Legislative risks are high in the implementation of security systems and information technology, whereas they are low for the operational structure and approaches of the business.
Risk mitigation strategy
Following are major components of the risk mitigation strategy for the organisation:
Policy and procedure change: The organisation should update the policies and procedures used for data access and for the use of information technology systems and services. Policy should be changed to improve monitoring, control and real-time handling of errors and impacts. The procedure for risk identification and reporting should be standardised to ensure faster and better decisions.
Change management strategies: Each change to data storage or an information technology service needs in-depth assessment and approval by the relevant personnel. Change management should be supported by embedding the change in operations to avoid post-change impacts and risks.
Contingency plans: Employees should learn about the contingency plans and how to carry them out in the relevant scenarios. Contingency plans must be communicated and distributed to all relevant people through the training and development programs [12].
Altering actions: If a risk has occurred, the organisation should carry out a detailed assessment of it. Once the risk, its likelihood of spreading and its consequences are identified, suitable changes can be made to the approach to mitigate the outcome.
Outline of the risk acceptance strategy
The core purpose of the risk acceptance strategy is to ensure minimum loss and faster recovery from the likely risks. It aims to mitigate the financial and legislative impacts on the business.
The strategy requires that risks be accepted only against the identified and defined criteria. It focuses on the relevant policies, actions and procedures and supports a reporting and recording structure. The strategy also emphasises learning and development opportunities drawn from previous and current risk management approaches.
The core purpose of the risk acceptance criteria is to guide which risks are manageable within the business and which require the involvement of external parties. The criteria support the decisions behind risk classification and acceptance. Risk criteria are defined and applied through the management structure and framework: for instance, an individual reports the risk to the senior manager or leader, and that manager communicates the problem to the technical department [13]. During the process, the risk must be identified, classified and documented properly.
Policies and procedures define the role of the individual in risk communication. An individual should document the risk, and it must be communicated to top management with the relevant evidence and any decisions already made so that a more robust and faster decision can be reached.
For cyber security risks, the core action plan is to report the incident to the higher authorities while individuals try to limit the exposure. A risk can be accepted if it has not yet become a major problem for the business. Otherwise, it should be transferred for a comprehensive solution by parties with expertise in the domain.
Activity 2: Implementation plan
Management of the implementation strategy
Work breakdown structure
Figure 1: WBS
Identified resources
Financial: Implementation of the strategy requires cash and other financial resources. There is a need for cash around $40,000 for implementation including the cost for the resources and physical equipment.
Human resource: The business owner needs to give at least 250 hours for the implementation of the strategy. It requires human resources who are experts in technology projects and have sufficient knowledge and experience to manage cyber threats. Technically sound and capable human resources are required to lead the project. There is a need for around 6 experts from installation to implementation of the various services and techniques under the risk management plan.
Technological: There is a need for installation of the security software and anti-theft systems. The software and services are required to achieve real-time monitoring against the cyber-threats. The organisation should install in-house systems for real-time network monitoring and identification of abnormal activities.
Physical: A dedicated technology department is required with two functions: researching market trends and potential techniques for security improvement, and keeping the security and systems up to the mark. Office space is needed for this department.
Reputation: The organisation needs to maintain a positive attitude toward the implementation. A sufficient budget needs to be allocated to maintain its reputation in the market through ongoing improvements.
Procedures
Financial plan: There is an expected need of $40,000 and 20% of the total amount is required before the actual management of the risk strategy in the context. The remaining amount must be divided among the requirements such as physical equipment and human resource cost and it should be allocated within 15 days.
Promotional strategies: The risk management strategy should be promoted to the target audience using direct emails, publications and integration into the business documents during communication. It includes clear news on social media and other major portals where stakeholders of the business such as customers can reach easily [11].
Resources requirements: It needs resources for project management and procurement, installation and implementation of the equipment. It needs human resources, financial resources and technical equipment to accomplish the project.
Risk management issues and strategies: There are two main issues in risk management. First, the organisation lacks a dedicated technical department to support the investigation and implementation of the services. Second, there is a high dependency on external parties, which makes timely response and management hard to achieve. It is therefore recommended to hire technical resources for the project and to procure the required approvals and assets before they are needed [13].
Specific actions, initiatives and tasks: Clear role delegation, pre-identification of the major risks and optimisation of resources and capabilities are the main tasks that need special attention to avoid internal problems in the implementation.
Staffing requirements and arrangements: During implementation, a project manager has critical responsibility to manage the resources and ensure optimum execution of the plan. Staff members are required according to the demand of the skills and competence whereas their arrangement needs to be made to achieve optimised performance. For that, parallelisation of the activities is important to consider.
Timelines: The strategy can be implemented within three months including the time required for team building, procurement of the resources and validation of the implementation against the defined quality measures. It has an additional one-week time to manage uncertain challenges and changes in the implementation [2].
Communication strategy: There is one kick-off meeting to start the implementation as a project. Later, there are weekly and monthly meetings aside from on-demand communication. Weekly meetings are used to monitor progress and communicate the plan for the next week's activities. Similarly, the monthly meeting reviews project progress and identifies techniques to improve performance or mitigate challenges. On-demand communication includes emails and face-to-face conversations for specific reporting on tasks.
Monitoring and evaluation
The plan is monitored to ensure that the intended implementation goals are achieved. A work breakdown structure is used in which the major components of the risk management strategy are identified and assessed for their requirements in terms of resources, time and cost. The project is also assessed for the activities and capacities needed to meet the goals. For instance, each project activity has a defined number of resources and a defined cost so that the project manager can monitor performance and outcomes. Weekly and monthly meetings and reviews ensure that each individual is working appropriately towards the common goals [14]. Changes in the activities, and the triggers behind those changes, are also identified and recorded. Plan progress is monitored regularly against the predefined project schedule to identify whether the project is ahead of or behind schedule. New risks and plans are identified and incorporated into the implementation plan.
The evaluation is based on three main factors: stakeholders are satisfied, current demands are integrated, and business capabilities and constraints are used properly. It is therefore ensured that project stakeholders such as customers and investors are satisfied with the risk management strategy while the trends and demands in information security and data management are met [12]. The project is also assessed against its constraints, outcomes and performance. For evaluation, a feedback form is developed and incorporated into the meeting and review schedules.
Meetings:
Daily stand-up meeting: 15 min
Weekly meeting: project manager and others
Monthly meeting: project team and sponsors
Reviews:
Project charter review
Plan and strategy review
Outcome review
References
- Rampini, A.A., Viswanathan, S. and Vuillemey, G., 2019. Risk management in financial institutions. NBER Working Paper, (w25698).
- Bouveret, A., 2018. Cyber risk for the financial sector: A framework for quantitative assessment. International Monetary Fund.
- Aldasoro, I., Gambacorta, L., Giudici, P. and Leach, T., 2020. Operational and cyber risks in the financial sector.
- Camillo, M., 2017. Cybersecurity: Risks and management of risks for global banks and financial institutions. Journal of Risk Management in Financial Institutions, 10(2), pp.196-200.
- Johnson, A.L., 2016. Cybersecurity for financial institutions: The integral role of information sharing in cyber attack mitigation. NC Banking Inst., 20, p.277.
- Pacella, J.M., 2016. The cybersecurity threat: Compliance and the role of whistleblowers. Brook. J. Corp. Fin. & Com. L., 11, p.39.
- Talesh, S.A., 2018. Data breach, privacy, and cyber insurance: How insurance companies act as “compliance managers” for businesses. Law & Social Inquiry, 43(2), pp.417-440.
- Chung, J.J., 2017. Critical Infrastructure, Cybersecurity, and Market Failure. Or. L. Rev., 96, p.441.
- Tranchard, S., 2018. Risk management: The new ISO 31000 keeps risk management simple. Governance Directions, 70(4), pp.180-182.
- Boudreault, M. and Renaud, J.F., 2019. Actuarial Finance: Derivatives, Quantitative Models and Risk Management. John Wiley & Sons.
- Hopkin, P., 2018. Fundamentals of risk management: understanding, evaluating and implementing effective risk management. Kogan Page Publishers.
- Sadgrove, K., 2016. The complete guide to business risk management. Routledge.
- Hubbard, D.W., 2020. The failure of risk management: Why it’s broken and how to fix it. John Wiley & Sons.
- Kaplan, R.S. and Mikes, A., 2016. Risk management—The revealing hand. Journal of Applied Corporate Finance, 28(1), pp.8-18.