Risk Management is an evolving business practice and is now reaching a level of maturity where ERM (Enterprise Risk Management) is becoming more defined.
CorProfit brings thought leadership and field experience to establishing your corporate Risk Framework document, so that a range of Risk Management Programs are integrated according to the processes and methodologies each employs. This is taken a step further by integrating them under one software platform, KnowRisk®.
Incident Management is a major part of ERM; if you take it as sitting “shoulder to shoulder” with Risk Management, lessons learnt from evaluating incidents become the test bed for risks in the risk management system and the means to improve controls that might have broken down.
An incident is, by definition, a risk that has occurred, thus setting the residual likelihood at 100%. In many cases your company has obligations to register incidents that occur in relation to injuries, environmental spills, or a breach of privacy during work-related activities.
Naturally you distinguish an incident under OHS or SHE from Corporate Breaches under Financial Services, Health, Aged Care, Disability Services and so on.
CorProfit has expertise across several business disciplines in relation to managing incidents and setting them under the appropriate categories.
There is nothing new about the need to register incidents and to work through the ramifications that may need to be addressed.
Where CorProfit sets itself apart is in how to learn lessons from incidents, beyond just those that are mandated to be reported, so as to provide useful feedback to the risk management side and reduce similar incidents from reoccurring in the future; even to the point of having no incidents that result in serious consequences in the first place.
The CorProfit Incident Management Module is an ideal starting point for you to compare your current approach and determine enhancements to what you do. Our Incident Management process includes:
The incident is registered (what occurred)
The incident is categorised using pre-defined categories / sub-categories
The impacts of the incident are documented (i.e. the effects)
Date / time if known is entered (when)
The location details are entered (where)
Details of persons affected are also entered (who)
Some background / cause is investigated (how it happened)
How the situation could have been dealt with (could it have been dealt with in a better way, even avoided in the first place?).
CorProfit makes clear the relationship between a risk and incident as mentioned above, which this diagram depicts.
When an incident occurs, it is dealt with using one or more corrective controls, which in some cases may be in a crisis mode; then, after the situation has been stabilised, the causality is investigated and the actual losses are determined.
The cause of that incident may lead to a Root Cause being discovered. This can be correlated with the Profile Risk Cause or Knowledge Base Risk Cause fields used under the Risk Management Process.
The Incident has a correlation with the Risk Description in the risk management process.
The actual Impacts of an Incident can be measured and correlated with the planned / forecasted Consequences object in the risk management process. The actual impact cost allows comparison with the Inherent Cost or Residual Cost, having regard to whether the existing Controls failed in part or whole.
You would know the actual Controls that were necessary to use at the time of the Incident, i.e. you have the ability to compare the actual corrective controls against the planned corrective controls. Further, the incident may bring out why a Preventive Control that was expected to work broke down.
CorProfit also provides you with a Maturity Model which brings in the actual Cost of Controls for minimising the impact of the Incident. This in turn may give a valuable feedback loop into the Risk Management System, helping to set in place more reliable objective costs rather than relying merely on subjective words.