My personal career transition from the revenue assurance function (focused on telecoms) to enterprise risk management and eGRC software applications has opened a completely new world of learning and things to think about. The basics of risk management and assessment include determining the likelihood and impact of risks and the effectiveness of the controls; but then the following question started pestering me. Thus this tiny post is for me to understand your opinions and thoughts.
You have your risk registers; you evaluate the risks; you add more risks and associated controls; you assess the IMPACTS and LIKELIHOODS of these risks; you test the controls for their effectiveness; you report and follow up and reassess; BUT… if disaster strikes, ARE YOU PREPARED? The question is one of preparedness rather than control effectiveness. Essentially, how aware are you of the velocity of the strike, and should a disaster strike, are you ready to take it head on? This is my first question!
While this was on my mind and I started researching it, I came across this interesting article here. I found that this article answered the question I had in mind, but preaching and practicing are different, and thus the second part of my question is:
Are you really practicing this integrated approach to determine your preparedness?
If yes, how easy and effective have you found it?
If no, what are the challenges you are facing?
Let me know your thoughts.