Complete Application Form: Sample CM BoK 2 RAR #1

When you provide evidence of your experience, you must demonstrate that the requirement, as spelt out in the respective BoK, was executed during the specific period. This is a sample submission for your application form for BoK 2 Risk Analysis and Review.

It is essential to demonstrate that you have conducted the processes within the BoK yourself over the specific period mentioned. Your two referees are willing to confirm the experience when the certification team needs verification.

Note that at least one of your referees should be your superior or supervisor.

Do note that some examples are for Specialist Level certification applications.  There is an expectation for more experience and involvement if you are applying for the Expert level certification.

Steve Sobak

BCMBoK 2: Risk Analysis & Review | CM_#RAR Sample 1 | Risk Analysis and Review

Example BoK RAR #1

1. What was performed?

The risk assessment process for crisis management is to identify the various threats and risks or crisis scenarios to the organization and their impact on the business.

As the Head of Business Continuity and secretariat to the Crisis Management Team, I have been conducting Threat & Risk Assessments (TRA) for the Group of Companies. TRA is performed following the methodology described in ISO 31000 Risk Management (i.e. Establish context / Risk identification / Risk Analysis / Risk Treatment).

TRA aims to identify and evaluate potential risks, threats or vulnerabilities to the Bank's facilities and infrastructure that might negatively affect the continuity of business operations. In addition, it covers threats that may affect the reputation (and are usually dealt with as crisis management issues).

2. When was it done?

From December 202x and annually as required by the CM policy

3. How was it carried out?

I have explained my involvement in the crisis and risk assessment stage through the following:

  • Facilities (property & security related issues):
    • Security measures,
    • Networks, power supply, telecommunications and HVAC (Heating, Ventilation, and Air Conditioning) systems adequacy,
    • Exposure of critical facilities to damage caused by uncertain events (e.g. fire, earthquake), malicious actions, or environmental threats (natural disasters, extreme weather conditions, etc.),
    • IT systems operation and critical points of failure regarding systems,
    • Information Security,
    • Processes applied for the safe backup and management of critical data,
    • Measures taken for monitoring and controlling critical service providers/vendors,
  • Personnel training regarding emergency procedures
  • Insurance coverage against risks

During Threat & Risk Assessments (TRA), the existing risk control tools are evaluated, as well as those tools that are planned to be applied by the responsible Business Units, in order to examine how effective they are in risk mitigation.

Actions to mitigate risk (or vulnerability) are applied in cases where the existing risk control tools are characterized as “Inadequate” or “Weak” (Risk Treatment plan).

Risk identification
  • I conducted three rounds of discussions with respective process/ project leads, business unit heads, and representatives of other departments to identify the threats and risks to the organization which may disrupt our operation or business.
  • I have classified those risks into different types and identified the likelihood of occurrences and their impact on people and operations.
  • Some of the threats identified are classified as "crisis scenarios" and are further discussed with the senior management and crisis management team. These crisis scenarios include events or threats that affect the organization as they do not "deny physical access" to the organization.
Report Preparation
  • I documented the results of the risk assessment in a report. I took inputs from IT, Admin and other teams and evaluated the existing control measures and additional requirements. The crisis scenario is further submitted separately for discussion with the crisis management committee.
Management approval
  • I had completed the prioritization of risks with the team and documented and submitted the list of threats and risks to management. As a result, it had been accepted by the management, and an acceptable level of risks had been decided.
  • With the help of BU project leaders, I prepared the budget and got approval from senior management (CEO and head of division/director).
Improvement and risk reassessment
  • Over time, I have suggested many improvements to the risk assessment process. I supervise the risk reassessment activity that happens at yearly intervals. Several versions of the crisis and risk assessment reports have been released.
  • I am a member of the BCP Committee and Management Review Committee and am actively involved in management review meetings regarding risk-related activity and mitigation plans.
  • I am actively involved in internal audits, client audits and external audits regarding our risk assessment methodology and results.
  • For the last 30 days, we have been involved with one of our major client's crisis management and business continuity teams in reassessing risks by clients for the existing critical processes.

Note to Applicant: This feature is meant to assist the applicant. Direct duplication of its content will be regarded by the institute as plagiarism, as this is intended to be a sample to assist and not to be copied and modified directly.

BCM Institute reserves the right to reject your application if this action continues, as it does not reflect your true experience or does not truly demonstrate that you have the necessary experience.

 
