Online risk can lead to direct or indirect loss to your business resulting from inadequate or failed processes, people and systems, or from external events. But risk is part of everyday life, so we should understand it and learn from it. Some risks are anticipated before they happen; many are not.
Managing online risk (for example, employee use of email and the Internet, legal and regulatory compliance, and contractual compliance) requires you to have a firm strategy in place, best done using a recognised risk mitigation model. The PDCA (Plan, Do, Check, Act) cycle is one such model you can use; it is also found in the practical application of global standards such as ISO 27001 on security and risk management.
Risk around governance and compliance is usually caused by a defective transaction, a claim or counterclaim, failing to protect company-owned assets, a change in the law, or regulatory intervention.
Failure to commit
Failure to mitigate online risk can be catastrophic. Consequences for organisations can include bad publicity, loss of shareholder and customer confidence and, at worst, business closure. They can also face civil or criminal actions, fines and compensation claims, and imprisonment for directors and other culpable parties.
The 5 principles of cyber governance
The following principles set out what you and the organisation need to look at when complying with laws and regulations to do with the use of online systems and networks.
- Legal - compliance with laws and regulations
- Decent - adoption of business standards
- Honest - proper risk assessment
- Moral - use of control mechanisms
- True - stakeholder education and awareness
Risks are usually controlled by adopting appropriate Standards across the organisation. Standards are not a substitute for the law.
PDCA risk cycle
One recognised business model to mitigate legal risk is the Plan, Do, Check, Act (PDCA) cycle (see diagram below).
1. Plan - what to do and how to do it
Document the organisation’s strategy and business objectives to meet ‘bottom line’ requirements. Map out operational and management processes, including information flows. Identify all legal risks to be mitigated by actions and controls embedded in processes. The 5 risk actions are:
- (1) Prevention;
- (2) Reduction;
- (3) Transference;
- (4) Contingency; and
- (5) Acceptance
2. Do - carry out what was planned
Implement operational and management processes, including information flows in order to mitigate the legal risks.
3. Check - did the plan go as intended?
Monitor and measure operational and management processes, as well as information flows against strategy, policies, objectives, targets, and legal and fiscal requirements. Document and report the results.
4. Act - fix any mistakes and improve for next time
Take action to improve performance of operational and management processes, and information flows. Deal with emergent legal risks and provide feedback to corporate planning.