Complete Application Form: Sample CM BoK 2 RAR #1

As the Head of Business Continuity and secretariat to the Crisis Management Team, I have been conducting Threat & Risk (TRA) Assessments for the Group of Companies. TRA is performed following the methodology described in ISO 31000-Risk Management (i.e. Establish context / Risk identification / Risk Analysis / Risk Treatment).

TRA aims to identify and evaluate potential risks, threats or vulnerabilities to the Bank's facilities and infrastructure that might negatively affect the continuity of business operations. In addition, threats that may affect the reputation and usually dealt with as crisis management issues).

2. When was it done?

From December 202x and annually as required by the CM policy

3. How was it carried out?

I have explained my involvement in the crisis and risk assessment stage through the following:

• Facilities (property & security related issues):
  • Security measures,
  • Networks, power supply, telecommunications and HVAC (Heating, Ventilation, and Air Conditioning) systems adequacy,
  • Exposure of critical facilities to damage caused by uncertain events (e.g. fire, earthquake)/ malicious actions/ environmental threats (natural disasters, extreme weather conditions, etc)
  • IT systems operation and critical points of failure regarding systems,
  • Information Security,
  • Processes applied for the safe backup and management of critical data,
  • Measures were taken for monitoring and controlling critical service providers/vendors,
• Personnel training regarding emergency procedures
• Insurance coverage against risks

During Threat & Risk (TRA) Assessments, the existing risk control tools are evaluated, as well as those tools that are planned to be applied by the responsible Business Units, in order to examine how effective, they are in risk mitigation.

Actions to mitigate risk (or vulnerability) are applied in cases where the existing risk control tools are characterized as “Inadequate” or “Weak” (Risk Treatment plan).

Risk identification

• I conducted three rounds of discussions with respective process/ project leads, business unit heads, and representatives of other departments to identify the threats and risks to the organization which may disrupt our operation or business.
• I have classified those risks into different types and identified the likelihood of occurrences and their impact on people and operations.
• Some of the threats identified are classified as "crisis scenarios" and are further discussed with the senior management and crisis management team.  These crisis scenarios include events or threats that affect the organization as it does not "deny physical access" to the organization.

Report Preparation

• I documented the results of the risk assessment in a report. Taken inputs from IT, Admin and other teams and evaluated the existing control measures and additional requirements.  The crisis scenario is further submitted separately for discussion with the crisis management committee.

Management approval

• I had completed the prioritization of risks with the team and documented and submitted the list of threats and risks to management. As a result, it had been accepted by the management, and an acceptable level of risks had been decided.
• With the help of BU project leaders, I prepared the budget and got approval from senior management (CEO and head of division/director).

Improvement and risk reassessment

• Over time I have suggested much improvement in the risk assessment process. I supervise the risk reassessment activity that happens at yearly intervals. Several versions of the crisis and risk assessment reports have been released.
• I am a member of the BCP Committee and Management Review Committee and am actively involved in management review meetings regarding risk-related activity and mitigation plans.
• I am actively involved in internal audits, client audits and external audits regarding our risk assessment methodology and results.
• We are currently involved with one of our major client’s crisis management and business continuity teams for the last 30 days in reassessing risks by clients for the existing critical processes.