What does ASA do?

ASA’s two branches do distinct types of work.

In our consulting services, we work closely with you to scope out operational risk practice areas to assess, then combine due diligence (review of existing policies, standards and programs) with on-site interviews with managers and executives to give you a 360-degree picture of current practices and create a high-level roadmap to close program gaps. In addition to such risk assessments, our consulting services include single-day executive briefings, short-term strategic project assignments such as  benchmarking your company against similar organizations, and scenario design for testing and training employees. See examples of our consulting services in Are You A Potential ASA Client?.

The ASA Institute for Risk and Innovation drives risk research and publication while offering thought leadership around critical infrastructure protection, public-private partnerships and enterprise-wide risk management. Special 2010 research initiatives focus on cyber-security and regional contingency planning. Through the Institute, ASA participates in a wide range of conferences. Clients can also use one day workshops and risk retreats to map strategic initiatives to new or emerging threats. 

If I hire you, what is the typical work process?

We begin each engagement the same way. We need to understand the problem you want to solve and the internal resources you are willing to allocate to work with us. Any quotation for work that we prepare for you would be written after this initial meeting, and include any special requests or concerns we have. The quotation will include an estimate of our fees for the work.

If your request is for a gap analysis with recommendations, ASA will interview a range of managers and staff to obtain a well-rounded view of the company. We would then compare program or project maturity levels with other institutions of the same size. If you ask us to recommend a better program, we will want to know to what maturity level your company aspires -- common practice, best practice or world class. We will map our findings and recommendations accordingly.

If your request is for an executive briefing or research report involving a topic you select, then our initial process is the same. We meet with you and gain a clear understanding of the reason you are asking for a briefing, and then we prepare the report in writing. If desirable, Annie Searle can deliver the briefing in person to an executive or to a board of directors.

In all such situations described above, we will prepare regular status reports on our progress and, unless otherwise requested, the final product will be a report or reports that are confidential.

Read more about our approach and process.

How long does a typical engagement with ASA last?

Typically, two to six weeks, depending on what you are asking us to do.

What is “business resilience?”

“Resilience” is defined by IBM as “The ability of an organization’s business operations to rapidly adapt and respond to internal or external dynamic changes – opportunities, demands, disruptions or threats – and continue operations with limited impact to the business.”

If your company does not have plans yet on how to manage disasters and outages, starting from scratch can be perceived as a formidable problem. But creating and tweaking plans is an integral part of business risk management and can help drive both reputation and profitability. The end state or goal of such plans is resilience.

Once plans are created, the challenge is to ensure that they are flexible enough to handle emerging threats and potential disruptions not initially imagined. Recent examples include the cascading impacts of both the Gulf oil spill and the Iceland volcanic ash.

What’s the difference between “emergency management” and “crisis management”?

It’s a matter of magnitude. Our research indicates that 95 to 98 percent of all incidents can and should be handled at the local level by trained incident-support teams who are part of a general emergency-management program. Another 3 percent of events turn out to require some assistance from corporate headquarters. Only 1 to 2 percent of disruptions rise to a level requiring the full attention of executives who are part of a crisis-management team. Decisions at this level cut across financial, service, regulatory, legal, reputational and operational areas.

ASA talks about “hidden or unknown risks.” What does that mean?

Not all risks associated with a significant business disruption can be allocated to IT and telecommunications outages. Other operational disruptions can come from project losses, vendors, liability and internal fraud. All risks, known or unknown, can be risk rated against five impact areas:

  • Financial (money lost)
  • Service (impact to customers)
  • Regulatory and legal (industry regulations or contractual agreements)
  • Reputation (customers impacted, corporate image/brand)
  • Operational (workforce affected correlated against upstream and downstream impacts).

What are controls?

Controls are policies and procedures established by institutions in order to reduce exposure to risk. When deployed effectively, controls help ensure that an institution's risk exposure remains within the risk tolerances established by stakeholders.

Certain industries have standardized controls; for instance, COBIT (Control Objectives for Information and related Technology) is a popular standard for the field of information technology.

An ASA risk assessment looks at policies, procedures and other internal controls to see how effective they are, and where gaps may exist.

There are 18 critical infrastructure sectors. Why does ASA work in only six of them?

The expertise of Annie Searle and her associates is primarily in six sectors – global response, business practices, information technology, corporate security and information security – with a full understanding of regulatory or government oversight drivers as well as environmental, health and safety issues. Although we do move outside these six sectors as needed, this is where we spend most of our time.

What is the difference between the various levels of risk maturity?

Let's look at an example: In the field of business continuity, to be at the level of "common practice" means that your programs are compliant, that methods and techniques are widely used, and that they will generally serve to meet regulatory requirements and satisfy audit inquiry.

For a company to be at the level of "best practice" implies that not only can a company's methods and techniques be found compliant, but additionally that risk assessment, impact analysis and planning are fully integrated across the company in a programmatic manner.

For a company to be at the level of "world class," organizational continuity is fully integrated with appropriate enterprise strategies, tactics and practices. Innovation and active redesign are integral parts of a world-class program, so that the program is embedded in the accountability of every employee.