Risk Management Audit
Maersk Group is a Danish company that provides transportation and logistics services in over 130 countries. The company has its head office in Copenhagen, Denmark, and subsidiaries across the world, with over 88,000 employees. It has a fleet of over 650 container ships, through which it transports over 15 million containers around the world. This is a report on the risk management practices used by the company for managing its risk portfolio. The report investigates the risk management strategies used by the company with the aim of assessing their effectiveness. It analyses the current risks faced by the company and maps them. It also explores how practices like disaster recovery, risk contingency planning and business continuity planning can be used by the company. The organizational structure used for risk management, along with the control processes, is also analysed in this risk audit report.
Risk Management
The company uses the standard steps for managing risks in an organization: risk identification, assessment, ranking and response planning.
Risk Identification: Micro and macro aspects of multiple organizational and industrial perspectives can be explored to identify the risks faced by the organization. These include social, political, temporal, environmental, financial, legal, geographical, technical, managerial and outreach perspectives. These perspectives act as key risk topics; when each is explored in more depth, risk sub-topics emerge that help in identifying the specific risks that the logistics and transportation services organization faces or may face.
Risk Topic | Risk Sub-topic | Risk | Risk Description
Social | Cultural change | Employee resistance | The company is going through a cultural change that its employees may not accept easily, since they may fear that the change is negative. This creates resistance to change among employees (JOC Staff, 2014)
Social | Competition | High competition reducing market share | If competition is high, the market share of the company is affected. One of the major competitors of Maersk is Hanjin of Korea, which is fighting with Maersk for the first position in the high-end shipping segment (Andersen, 2013)
Technical | Systems | Cyber attack | If the IT systems used by the company are hit by a cyber attack, its operations can be disrupted. The company's systems suffered a major cyber attack that affected most of its applications, so that the systems had to be shut down; Maersk took about a week to restore 1500 of its applications after the attack was identified (Reuters Staff, 2017)
Political | Security | In-transit loss of goods | If cargo is damaged or lost in transit, the customer suffers a loss and Maersk suffers a loss of reputation (Colina, 2011)
Financial | Revenue loss | Increase in cost leading to revenue loss | If freight rates and oil prices rise, the operational profits of the company are affected and revenue is lost because the cost of operations increases
Infrastructure | Transportation delays | Poor infrastructure causing delays in delivery | If the infrastructure used for transporting goods, such as port infrastructure, is not up to the mark or not sufficiently developed, it can delay deliveries to Maersk's customers
Environmental | Air pollution | Air pollution from ship emissions | The ships used for transporting goods by sea produce emissions that pollute the environment; shipping contributes 4% of global CO2 emissions (The Guardian, 2011)
Outreach | Marketing | Incorrect customer segmentation | The company has tried to develop a segmentation model for categorizing its customers but has not come up with an effective model, which makes it difficult for the company to market itself efficiently (Jerković & Adeltoft, 2012)
Risk Assessment: The strategic objectives of the company can be explored to understand how the identified risks can affect the strategic positioning or operations of Maersk Group. An organization's strategic objectives fall under four common categories: provision of the highest quality of products or services, creation of a global environment, provision of efficient solutions, and cooperation with the social and business environment.
The strategic objectives of the company under each of these categories are as follows:
- Highest quality of products and services: Deliver best-in-class logistics and transportation services to customers by leveraging digitization and customization
- Global environment: Develop structured business solutions for customer organizations across the globe
- Cooperation with the environment: Build a strong capital structure and bring the financial ratios in line with investment-grade ratings
- Efficient solutions: Reorganize business structures to create synergies between departments and in new product development processes
Risk assessment is done against these objectives, which form the basis for the ranking given to the identified risks.
Table A: Risk Impacts
Impact Level | Descriptor | Description
0 | Negligible | No financial loss
1 | Minor | Some financial and reputation loss
2 | Moderate | Moderate financial and reputation loss
3 | Serious | Serious loss that can interrupt business operations
4 | Severe | Major financial loss or business interruption
5 | Catastrophic | Failure of the company (Avdoshin & Pesotskaya, 2011)
Table B: Risk Probabilities
Probability Level | Descriptor | Description
0 | Impossible | May never happen
1 | Rare | Can appear occasionally
2 | Unlikely | Can appear at times
3 | Moderate | Will occur at some time
4 | Likely | Can appear in most situations
5 | Almost certain | Event will happen (Bayne, 2002)
Risk Ranking: Based on impact level and probability of occurrence, each risk is given a score (impact level x probability level) that places it in one of the categories acceptable, moderate, significant, severe and high risk.
Risk Ranking Matrix
Impact Level \ Risk Probability | 0 | 1 | 2 | 3 | 4 | 5
0 | 0 | 0 | 0 | 0 | 0 | 0
1 | 0 | 1 | 2 | 3 | 4 | 5
2 | 0 | 2 | 4 | 6 | 8 | 10
3 | 0 | 3 | 6 | 9 | 12 | 15
4 | 0 | 4 | 8 | 12 | 16 | 20
5 | 0 | 5 | 10 | 15 | 20 | 25
Risk Category: 0: No Risk; 1-3: Acceptable; 4-7: Moderate; 8-13: Significant; 14-19: Severe; 20-25: High Risk (Bodicha, 2005)
Risk Matrix: A risk matrix is used to list each identified risk with the ranking given to it, based on the probability of its occurrence and its impact on the company. Each risk is scored on likelihood and impact to form the risk matrix shown below:
Risk | Explanation | Impact | Probability | Ranking
Employee resistance to change | It would majorly affect the strategic goals of creating a global environment, efficient solutions and a cooperative environment | 5 | 4 | 20
High competition reducing market share | High competition already exists and affects the market position of the company | 4 | 5 | 20
Cyber attack causing disruptions | It would majorly affect the functioning of logistics and transportation operations, which depend heavily on IT systems | 5 | 3 | 15
In-transit loss of customer goods | This is less likely to occur and the impact would be limited, with only a few customers affected | 3 | 2 | 6
Increase in cost leading to revenue losses | An increase in oil and freight prices is quite likely, but the damage would not be major as adjustments can be made | 3 | 4 | 12
Poor infrastructure causing delays in delivery | Poor port infrastructure can be encountered in developing countries, but it would only cause limited strategic damage through delays | 3 | 4 | 12
Air pollution from ship emissions causing environmental impacts | Air pollution is a common problem in shipping operations and it would affect the creation of a cooperative environment | 3 | 5 | 15
Incorrect customer segmentation causing marketing challenges | Incorrect segmentation leads to wrong targeting of customers, which would affect the creation of a global and cooperative environment supportive of the company's business goals | 5 | 2 | 10
Risk Response: Risk responses can be acceptance, avoidance, transfer or mitigation of the risk. The choice of response is based on the severity level of the risk. For instance, risks that are high or severe are usually avoided and, where they cannot be, transferred to a third party. Risks that are moderate or significant are avoided or transferred, or mitigated if neither is possible (Curtis & Carey, 2012).
Risk | Ranking | Descriptor | Response
Employee resistance to change | 20 | High Risk | Mitigate by creating awareness of the benefits of the change and training employees to get their buy-in
High competition reducing market share | 20 | High Risk | Mitigate by aggressive marketing and customer targeting, and by providing innovative solutions to stay ahead
Cyber attack causing disruptions | 15 | Severe | Mitigate the impact with a tested disaster recovery plan; a recovery plan does not lower the probability of an attack, so it has to be paired with preventive controls on the systems themselves (see the layer-by-layer controls later in this report)
In-transit loss of customer goods | 6 | Moderate | Transfer the risk of loss to the freight forwarder or the insurance company (Solomon Islands Government, 2009)
Increase in cost leading to revenue losses | 12 | Significant | Mitigate by restructuring and cutting costs
Poor infrastructure causing delays in delivery | 12 | Significant | Mitigate by proper planning so as to minimize delays
Air pollution from ship emissions causing environmental impacts | 15 | Severe | Mitigate by using ships with lower CO2 emissions
Incorrect customer segmentation causing marketing challenges | 10 | Significant | Mitigate by improving the segmentation strategy so that it identifies customer segments for marketing effectively (Engine Yard, Inc., 2014)
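The scoring model behind the ranking matrix and the response table above (score = impact x probability, category from the score thresholds, default response from the rule of thumb in the Risk Response paragraph) can be written down as a small program so that the register is computed rather than transcribed by hand. The following is an added example and not part of the original report; the impact and probability values are the ones the report's risk matrix gives, while the function names, the REGISTER list and the wording of the DEFAULT_RESPONSE entries are this example's own.

```python
"""Risk register scoring: score = impact x probability, category from thresholds.

Added example, not part of the report. Impact/probability values are those in
the report's risk matrix; thresholds follow its Risk Category table.
"""
from __future__ import annotations

from dataclasses import dataclass

# Score ranges from the Risk Category table: (low, high, label)
CATEGORIES = [
    (0, 0, "No Risk"),
    (1, 3, "Acceptable"),
    (4, 7, "Moderate"),
    (8, 13, "Significant"),
    (14, 19, "Severe"),
    (20, 25, "High Risk"),
]

# Default response per category, following the report's rule of thumb
# (wording of the entries is this example's own assumption).
DEFAULT_RESPONSE = {
    "No Risk": "accept",
    "Acceptable": "accept",
    "Moderate": "avoid, transfer or mitigate",
    "Significant": "avoid, transfer or mitigate",
    "Severe": "avoid, else transfer",
    "High Risk": "avoid, else transfer",
}


@dataclass(frozen=True)
class Risk:
    name: str
    impact: int        # Table A: 0 (negligible) .. 5 (catastrophic)
    probability: int   # Table B: 0 (impossible) .. 5 (almost certain)

    def score(self) -> int:
        for value in (self.impact, self.probability):
            if not 0 <= value <= 5:
                raise ValueError(f"{self.name}: levels must be 0..5, got {value}")
        return self.impact * self.probability


def categorize(score: int) -> str:
    """Map a 0..25 score to its category label; rejects values off the matrix."""
    for low, high, label in CATEGORIES:
        if low <= score <= high:
            return label
    raise ValueError(f"score {score} is outside the 0..25 matrix")


def build_matrix() -> list[list[int]]:
    """The 6x6 scoring grid: rows are impact levels, columns probability levels."""
    return [[impact * prob for prob in range(6)] for impact in range(6)]


# The eight risks from the report's risk matrix: (impact, probability)
REGISTER = [
    Risk("Employee resistance to change", 5, 4),
    Risk("High competition reducing market share", 4, 5),
    Risk("Cyber attack causing disruptions", 5, 3),
    Risk("In-transit loss of customer goods", 3, 2),
    Risk("Increase in cost leading to revenue losses", 3, 4),
    Risk("Poor infrastructure causing delays in delivery", 3, 4),
    Risk("Air pollution from ship emissions", 3, 5),
    Risk("Incorrect customer segmentation", 5, 2),
]


def rank_register(risks: list[Risk]) -> list[tuple[str, int, str, str]]:
    """Rows of (name, score, category, default response), highest score first."""
    rows = []
    for r in risks:
        s = r.score()
        cat = categorize(s)
        rows.append((r.name, s, cat, DEFAULT_RESPONSE[cat]))
    return sorted(rows, key=lambda row: row[1], reverse=True)


def find_mislabelled(risks: list[Risk], claimed: dict[str, str]) -> dict[str, tuple[str, str]]:
    """Compare hand-written category labels with computed ones.

    Returns {name: (claimed, computed)} for each row where they differ; a score
    of 12 labelled "Severe" instead of "Significant" is the kind of slip caught.
    """
    mismatches = {}
    for r in risks:
        computed = categorize(r.score())
        if claimed.get(r.name) != computed:
            mismatches[r.name] = (claimed.get(r.name), computed)
    return mismatches


if __name__ == "__main__":
    for name, score, cat, response in rank_register(REGISTER):
        print(f"{score:>2} {cat:<12} {response:<28} {name}")
```

Running the module prints the register sorted by score; find_mislabelled is the check to run whenever the descriptor column of a response table is filled in by hand rather than derived from the score.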
Disaster recovery is the process used to restore systems and data after a critical incident hits an organization's infrastructure. Maersk suffered a major cyber attack in June 2017 from NotPetya, malware that presented itself as ransomware and demanded a hefty payment for data recovery; in practice it was destructive, and paying would not have returned the data, so recovery depended entirely on backups. Because a disaster recovery strategy was in place, the company was able to recover its data and bring its 1500 applications back into use across the organization within a week of detecting the intrusion (Reuters Staff, 2017).
Besides cyber attacks, disasters in an organization can have several other causes, such as other human-induced damage and natural calamities. The disaster recovery plan can have different steps for different situations (JIRA Security and Privacy Committee (SPC), 2007).
For example, the following recovery steps would be used if the Maersk headquarters in Copenhagen were destroyed by a natural calamity such as an earthquake or a fire:
- Set up a temporary headquarters at a new location in Copenhagen
- Allocate some of the staff to ensure that operations are uninterrupted
- Transfer the backed-up data to the systems at the new location
- Move the management team to the new facility
- Repair the old headquarters
- Announce the change of address of the headquarters to the public (Delhi Government, 2014)
The following recovery steps were used by Maersk when it faced the cyber attack:
- All running IT systems were shut down as soon as the attack was reported
- A communication was sent to all customers about the shutdown
- Public announcements of the attack and the recovery initiative were made, with an assurance of fast recovery
- Systems were checked to identify those affected and those that were safe
- Systems unaffected by the attack were started again and business was resumed at selected ports, including Algeciras, Buenos Aires, Callao Lima, Itajai, India and Tangier
- Bookings were restarted with a limited set of applications running, including INTTRA and EDI
- In locations where the applications could not be run, manual bookings were started
- Data was recovered from the backup systems
- Normal operations were resumed (Arden Group, 2017)
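The step "data was recovered from the backup systems" hides the decision that makes or breaks recovery from destructive malware: which copy to restore. A copy taken after the intrusion began, or one that was reachable from the infected network, may itself be encrypted or tampered with, and an archive whose digest no longer matches the catalogue must not be trusted. The following is an added example, not the report's material or anything Maersk published: it assumes a backup catalogue that records, per copy, when it was taken, a SHA-256 of the archive and whether the copy was kept offline, and it picks the newest copy that predates the earliest suspected compromise by a safety margin and still verifies. All system names, dates and archive contents are constructed for the example.

```python
"""Choosing and verifying a restore point after a destructive cyber attack.

Added example, not from the report or from Maersk. Catalogue, dates and
archive contents below are constructed; function and field names are this
example's own assumptions.
"""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Backup:
    system: str
    copy_id: str
    taken_at: datetime
    sha256: str
    offline: bool   # True if stored where the attack could not reach it


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_archive(backup: Backup, archive: bytes) -> bool:
    """Constant-time comparison of the archive's digest with the catalogue entry."""
    return hmac.compare_digest(sha256_hex(archive), backup.sha256)


def restore_plan(catalogue, archives, system, compromise_start, margin=timedelta(days=1)):
    """Pick the newest trustworthy copy of `system`.

    Returns (chosen_backup_or_None, {copy_id: reason}); the dict records why
    every other copy of the system was not used, for the recovery log.
    """
    cutoff = compromise_start - margin
    rejected = {}
    candidates = []
    for b in catalogue:
        if b.system != system:
            continue
        if not b.offline:
            rejected[b.copy_id] = "online copy: could have been reached by the attack"
        elif b.taken_at > cutoff:
            rejected[b.copy_id] = "taken inside the suspected compromise window"
        else:
            candidates.append(b)
    # Newest first, so the least data is lost if the copy checks out
    for b in sorted(candidates, key=lambda c: c.taken_at, reverse=True):
        archive = archives.get(b.copy_id)
        if archive is None:
            rejected[b.copy_id] = "archive missing from storage"
        elif not verify_archive(b, archive):
            rejected[b.copy_id] = "hash mismatch: archive altered or corrupted"
        else:
            return b, rejected
    return None, rejected


# Constructed stand-ins for backup archives (real ones would be files or objects)
ARCHIVES = {
    "booking-0620": b"booking db snapshot 2017-06-20",
    "booking-0624": b"booking db snapshot 2017-06-24 -- modified after cataloguing",
    "booking-0626": b"booking db snapshot 2017-06-26",
    "booking-0627": b"booking db snapshot 2017-06-27",
}

# Constructed catalogue; the 06-24 digest was recorded before that archive changed
CATALOGUE = [
    Backup("booking", "booking-0620", datetime(2017, 6, 20, 2), sha256_hex(ARCHIVES["booking-0620"]), offline=True),
    Backup("booking", "booking-0624", datetime(2017, 6, 24, 2), sha256_hex(b"booking db snapshot 2017-06-24"), offline=True),
    Backup("booking", "booking-0626", datetime(2017, 6, 26, 2), sha256_hex(ARCHIVES["booking-0626"]), offline=False),
    Backup("booking", "booking-0627", datetime(2017, 6, 27, 2), sha256_hex(ARCHIVES["booking-0627"]), offline=True),
]

# Illustrative earliest-compromise estimate; the margin covers dwell time before detection
COMPROMISE_START = datetime(2017, 6, 27, 10)

if __name__ == "__main__":
    chosen, rejected = restore_plan(CATALOGUE, ARCHIVES, "booking", COMPROMISE_START)
    print("restore from:", chosen.copy_id if chosen else "no trustworthy copy")
    for copy_id, reason in rejected.items():
        print(f"  skip {copy_id}: {reason}")
```

With the constructed catalogue the 06-27 copy is rejected as taken inside the compromise window, the 06-26 copy because it was online, and the 06-24 copy because its archive no longer matches its digest, so the 06-20 copy is restored. The margin is deliberately a parameter: the earliest-compromise estimate is usually revised as the investigation proceeds, and the plan has to be recomputed rather than fixed at first detection.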
Business continuity planning includes identifying the systems that are critical to an organization, analysing the risks that could disrupt these systems, determining the likelihood of each risk occurring, and developing a plan for recovering and resuming disrupted services (Ting, et al., 2009).
The following steps can be used for business continuity:
Step 1: Initiation of the business continuity plan
Step 2: Risk identification and assessment of probability and impact
Step 3: Development of recovery strategies to deal with risks when they occur
Step 4: Disaster recovery
Step 5: Testing of the recovery strategy
Step 6: Training of staff on the recovery strategies
Step 7: Updating of the business continuity plan (OECD, 2014)
Different BCP steps may be needed for different disaster situations, as the examples below show:
Step | Situation: dissatisfied employees going on strike | Situation: competitors gaining an advantage through faster adoption of new technologies | Situation: cyber attack
Step 1 | Inform top management about the strike | Assess the technology | Shut down all systems
Step 2 | Form a team to manage the emergency | Negotiate the purchase with the technology vendor | Communicate the disruption to customers
Step 3 | Negotiate with the labour representatives and arrive at acceptable terms | Test the technology in a pilot | Start the systems that are unaffected by the attack
Step 4 | Resume operations with the available staff | Use the technology for limited services, so that if it fails not all of the company's operations are disrupted | Start operations in limited locations
Step 5 | Inform the public about the resolution and the terms agreed | Announce the new technology adoption to customers and the public | Start the applications that are unaffected
Step 6 | Resume business activities as normal | Start the activities again | Start using the applications in limited locations
Step 7 | If negotiation fails, hire new people for the work | Employ more people if needed for the new technology adoption (Ting, et al., 2009) | Purchase new systems and restore the data backups onto them
To control the security-specific risks from affecting the company, assess the vulnerability of systems at each layer of the OSI model and apply appropriate controls. The mapping is a checklist aid: a control at one layer does not cover weaknesses at the others, so each layer needs its own.
Layer | OSI Layer | Risk Control
1 | Physical | Use standard Ethernet cabling, restrict physical access to cabling and network equipment, and install UPS to deal with power outages
2 | Data link | Protect address resolution and switching: ARP has no authentication, so use switch port security and dynamic ARP inspection (or static ARP entries where practical) to stop spoofed MAC-to-IP mappings
3 | Network | Make routing decisions based on secured routing protocols, segment the network, and give users restricted access to network segments through firewall rules (SLAC, 2009)
4 | Transport | TCP (Transmission Control Protocol) detects transmission errors and retransmits lost segments; UDP gives no such reliability, so UDP services need their own integrity checks and rate limiting, and unused TCP/UDP ports should be closed
5 | Session | Authenticate users before granting sessions (passwords combined with multi-factor authentication) and expire idle sessions
6 | Presentation | Use standard data formats and encrypt data in transit (TLS) so that content cannot be read or altered on the way
7 | Application | Install anti-virus and anti-malware software on systems and keep applications patched (Armour, 2017)
Conclusions
The report discussed how risk management, disaster recovery and business continuity planning can be used to manage mild to catastrophic risks in an organization. The case of a transportation and logistics service provider, Maersk, was taken, and its risk management system, DR planning and BCP processes were explored for different disaster situations. It was found that the risk management process involves identifying risks and ranking them by their probability of occurrence and their impact on the strategic goals of the company; the ranking is then used to choose an appropriate response strategy. It was also found that the steps involved in disaster recovery and business continuity planning differ for different types of risk situation.
References
Andersen, O., 2013. Competitors go after Maersk where it hurts. [Online]
Retrieved from: https://shippingwatch.com/articles/article5196893.ece
[Accessed 10 October 2017].
Anderson, R. C., 2010. Risk Management and Corporate Governance, s.l.: OECD.
APM Group Ltd, 2017. DEFINING RISK: THE RISK MANAGEMENT CYCLE. [Online]
Retrieved from: https://ppp-certification.com/ppp-certification-guide/52-defining-risk-risk-management-cycle36
[Accessed 14 September 2017].
Arden Group, 2017. What lessons can you learn from the Maersk cyber-attack?. [Online]
Retrieved from: https://arden-group.co.uk/2017/07/03/what-lessons-can-you-learn-from-the-maersk-cyber-attack/
[Accessed 10 October 2017].
Armour, D., 2017. Understanding Security Using the OSI Model, s.l.: SANS Institute.
Avdoshin, S. M. & Pesotskaya, E. Y., 2011. Software Risk Management: Using the Automated Tools, s.l.: Russian Federation.
Bayne, J., 2002. An Overview of Threat and Risk Assessment, s.l.: SANS Institute.
Bodicha, H. H., 2005. How to Measure the Effect of Project Risk Management Process on the Success of Construction Projects: A Critical Literature Review. The International Journal Of Business & Management, 3(12), pp. 99-112.
Colina, E. V. d., 2011. Who bears the burden of proving the cause of cargo damage?. [Online]
Retrieved from: https://www.incelaw.com/tw/knowledge-bank/who-bears-the-burden-of-proving-the-cause-of-cargo-damage
[Accessed 10 October 2017].
Cooper, R., 2004. Risk Analysis and Preventing Information Systems Project Failures, s.l.: School of Computing and Mathematical Sciences.
Curtis, P. & Carey, M., 2012. Risk Assessment in Practice, s.l.: COSO.
Delhi Government, 2014. HAZARD, RISK AND VULNERABILITY ANALYSIS, New Delhi: Delhi Government.
Engine Yard, Inc., 2014. Security, Risk, and Compliance, s.l.: Engine Yard.
Health and Safety Authority, 2006. Guidelines on Risk Assessments and Safety Statements , Dublin: Health and Safety Authority.
Jerković, I. & Adeltoft, J., 2012. Maersk Line Case, s.l.: Maersk Line.
JIRA Security and Privacy Committee (SPC), 2007. Information Security Risk Management for Healthcare Systems, s.l.: MITA (Medical Imaging & Technology Alliance).
JOC Staff, 2014. New Book Probes Changing Maersk Culture. [Online]
Retrieved from: https://www.joc.com/maritime-news/container-lines/maersk-line/new-book-probes-changing-maersk-culture_20140528.html
[Accessed 10 October 2017].
OECD, 2014. Risk Management and Corporate Governance, s.l.: OECD.
Reuters Staff, 2017. Maersk brings major IT systems back online after cyber attack. [Online]
Retrieved from: https://www.reuters.com/article/us-cyber-attack-maersk/maersk-brings-major-it-systems-back-online-after-cyber-attack-idUSKBN19O0X8
[Accessed 10 October 2017].
SLAC, 2009. Research Support Building and Infrastructure Modernization: Risk Management Plan, s.l.: SLAC.
Solomon Islands Government, 2009. National Disaster Risk Management Plan, s.l.: Solomon Islands Government.
The Guardian, 2011. Maersk claims new ‘mega containers’ could cut shipping emissions. [Online]
Retrieved from: https://www.theguardian.com/environment/2011/feb/21/maersk-containers-shipping-emissions
[Accessed 10 October 2017].
Ting, J. S.-L., Kwok, S.-K. & Tsang, A. H.-C., 2009. Hybrid Risk Management Methodology: A Case Study. International Journal of Engineering Business Management, 1(1), pp. 25-32.