'Don't cut corners on risk assessment'

Cutting corners when it
comes to risk assessment is
not an option, says Graham
Croock, director of BDO
Risk Advisory Services.
“Too often companies are
not expecting anything bad
to happen. They don’t take
proper risk assessments –
and if they do they don’t
take the time to look
further than the obvious
risks,” he says.
Citing an example of an
agricultural company that
implemented a wireless
operation on its system
which was then hacked
with catastrophic results,
Croock says regardless of
one’s industry, spending
the time and effort on a
proper risk analysis of
one’s business is always
worthwhile.
“In the case of the
agriculture company,
no-one thought their
control systems were at
risk. What happened was
that the hackers not only
gained entry to the system,
but also managed to release
an entire tank of liquid
fertiliser onto the fields. It
did not just destroy the crop,
but their farming land for
the next 15 years.”
Croock says risk
management needs to be
an integral part of any
business. “If you
are under the
impression
that your
business has
very little
or no risk
then you
need to be
wondering why
you are getting the high
rewards.”
He says risk is firstly
managed in terms of the
industry one is operating in
and then from the business
perspective.
“One must not forget that
for every risk that exists
there is at least one or more
consequence. That also
means there are several
preventative controls at
your disposal – or corrective
measures – if you have not
been able to mitigate a risk.”
According to Croock, for
every 100 risks within a
business it is only possible
to manage about ten to
12 effectively at any given
time.
“Which is why a risk
assessment is so important.
There has to be a staged
approach to not only define
and identify the risks,
but also prioritise them
systematically.”