Page 4: Calculating risk
Each Eurostar department is asked key questions so that a relevant set of risks can be established. Examples of the risks considered range from losing the main offices due to fire (long-term) or a bomb scare (short-term) to a train derailment, a major financial catastrophe or the loss of one or more of the vital computer systems.
The risk matrix that has been developed shows the gross risk. This could be described as a simple risk that has no mitigations against it (a mitigation being a company activity designed to prevent the occurrence of an unwanted event, e.g. a procedure or a fire alarm). An example could be the loss of Eurostar’s telephone Contact Centre in Ashford following a fire. The centre is the central hub of communications for Eurostar sales, ticket distribution and customer service. This would be a serious event since, were it to happen and no proactive action had been considered regarding how the organisation would deal with the problem, all of its core values would be compromised. It would lose much of its booking capability, with the resultant impact on both revenue and reputation.
The gross risk is arrived at by the addition of a likelihood score and an impact score in a simple matrix. Next, the mitigations are considered. These are the processes and responsibilities necessary to control the risk of an undesired event and limit its impact should it occur. In this example, even mechanisms such as fire alarms and trip switches on electrical circuits mitigate the risks. Backup locations that could easily be switched to in order to continue taking calls and bookings are one of the mitigations that Eurostar has arranged should its facility be affected.
By considering the mitigations the gross risk can be rescored to produce a net risk which should be lower than the gross. If that risk is still high then further plans will need to be considered to reduce the net risk even further. Even if the risk is seen to be ‘reasonable’ there is always the possibility that its effect can be further reduced. In this context further management action plans are always considered.
Assessment of this type can be easily wasted. Having gone to all of the effort (staff time and other associated company resources) of identifying how the business controls its continuity risks, it is critical to ensure that these controls are more than mere words. Checks must be made to ensure mitigating activity is actually in place and working as intended.
Therefore, at Eurostar the matrix is revisited every six months and regular audits are carried out on the mitigations and further plans to ensure they are being progressed as stated. Failure to do so may mean the company has retained risk without adequate knowledge of it, or while mistakenly thinking it is under control.