Consultancy & Advisory Services – Risk Management

Risk Management & Compliance

  • CSI assist their clients in the identification, assessment, prioritization and mitigation of the impact that uncertainty can have on an organization.
  • Risk management is often used to help an organization determine its risk appetite – how much risk the organization is willing to assume in order to achieve its stated objectives – as well as to develop the methods for ensuring that the risk an organization assumes does not excessively threaten the organization’s operations or success.
  • This includes addressing both negative risks (preventing or dealing with adverse outcomes) and positive risks (better understanding opportunity costs).
  • To ensure that risk management is working effectively and is adhered to, a proper compliance system is set up.

Systemic Risk Review

There are two main approaches to achieving effective internal control. They are:

  • the ‘internal control intelligence’ approach: study the risks, and mitigate them before they can do harm;
  • the protective approach: create defenses round the things which need to be protected, to stop or limit the damage before things go wrong.

Good internal control requires both approaches: they are complementary. Both involve understanding the behaviour and techniques of those who present a threat. In our protective role, we have to take account of all kinds of threat, for example from terrorists, spies and proliferators. We study their methods in order to work out how to defeat them, and we work with our customers to help them apply the most effective measures.

We provide:

  • assessments of the risks, so that internal control can be directed first at those which would be most damaging;
  • alerts and warnings about imminent risks;
  • advice on overall policy and best practice in mitigating these risks; and
  • specialist advice to individual departments and other organizations as they apply that policy.

Threats and Risk Assessment

  • Too much security is expensive and disruptive, and too little means taking unacceptable risks. Achieving the right balance between the potential costs of internal control failures and the implementation of internal controls means knowing what the risks and vulnerabilities are, and what is at stake. Only the owner of an asset knows what the consequences of an internal control failure are, but we provide assessments of the threat from various sources that those responsible for the asset can use in making risk assessments.

Contingency Planning

  • All organizations make plans to help them respond and maintain business continuity should something go wrong, such as a major fire or the illness of a key employee. We advise on best practice for the particular threats in which we have the expertise, where existing plans may need to be adapted to deal with significant events like terrorism or electronic attack. This may include planning to control an incident and to have fall-back facilities (such as buildings) available for use if the primary ones are made unusable. Sometimes the only way to make sure a critical function will continue is to duplicate it.