Risk Management &

Risk Communications


Services are performed for organizations who want to anticipate risk
events and exploit business opportunities. Large companies with specific risk
needs including information/cyber security; warranty and recall; fraud and insider-threats will frequently employ are services. Smaller companies that need to select
or employ a Risk Framework to better track their risks and develop risk
governance. These frameworks may be required of our clients by their customers
or suppliers to do business with them. All risk plans include a detailed separate
communication plan which cover coordinating, crisis and compliance


A typical engagement includes a series of workshops with management
regarding the specific risk program desired. An overview of risk management and
the framework to be employed, risk governance issues and recognition of positive
risk and negative risk. A detailed plan to manage the identified risk (illustrated
below) and a communications plan to support those activities. The communication
plans include identification of response teams, escalation matrixes, risk deterrence, detection, response and recovery methodologies and drafting of message maps.


Risk management begins with a framework. Frameworks are specific to
the type of risk management employed. COSO, ISO, COBIT, NIST, FINRA and
HITRUST are examples of frameworks. A risk management program includes
Governance (risk capacity, appetite, tolerance), Identification: assets, threat
communities., threat actors, vulnerabilities, risk scenarios. Assessment and
Analysis: primary and secondary loss; loss frequency; benefits (positive risk),
velocity (high v. low velocity events) and risk ranking. Risk response: Avoid,
transfer, ignore, mitigate, and cost v. benefit of response. Risk monitoring and
reporting: Development of Key Risk Indicators (KRI’s), control procedures,
monitoring of controls and reporting of the risks (development of risk register).
Communication Plans include: coordinating (internal), crisis (internal and
external) and compliance (regulatory) protocols, governance and message maps.


Clients who are proficient at managing risk have reduced costs both
primary (loss event impact) and secondary (insurance, audit fees, interest rates)
and are better positioned to recognize and manage positive risk. Exploiting
positive risks can be the difference between a high performing company and a
take-over target.