4 April 2019

How to create a risk management framework to deal with Brexit

After more than two years of Brexit negotiations, the terms of the UK’s impending EU departure still remain very much up in the air - and for businesses trying to plan for life outside the European Union, uncertainty reigns supreme.

Understandably, it’s a source of immense concern for organisations on both sides of the Channel, yet it could easily be argued that managing Brexit is actually no different to managing any other form of business risk.

Indeed, while Brexit remains an emotive topic for many, the best preparation lies in the same objective risk management principles and procedures you would implement for any other kind of business threat.

In this blog post, we’ll assess the ‘business as usual’ steps you should be taking to identify and mitigate the risks of Brexit - whatever the ultimate outcome of the negotiations.


STEP 1: Carry out a risk audit

HMRC estimates there are around 240,000 UK businesses currently trading exclusively with the EU.

While these businesses are the most likely to feel the full force of Brexit (more so than businesses already familiar with rest-of-the-world trade procedures), even organisations who don’t trade with Europe will still be affected by the new-look post-Brexit market.

For instance, your business may have EU nationals among the workforce, or contracts with fellow UK businesses more dependent than you on European trade.

It is therefore imperative that every business carries out a risk audit, to evaluate the possible impacts of Brexit in the context of your own unique circumstances.

a.     Document the potential impacts
The particular business model and the specific services that are operated will determine the impacts of Brexit, of whatever type; these will potentially be extensive and widespread.  It is inadvisable – even if it was possible – for one person to be responsible for documenting these. Deeper insight can be obtained through survey-style communication with key people and teams within the organisation to ensure that the top impacts for different services, products and aspects of the business are raised.

b.     Identify the drivers
If only the overarching source of the risk (No-Deal Brexit for example) is required, this is relatively easy.  It’s more difficult if a breakdown of the more specific causes or facets, such as access to EU labour, increased tariffs, additional costs of licences, blockades / disruption at ports etc, is needed. Knowing the drivers of risk should provide context and insight into the cause of the risk itself and as such can lead to actions designed to reduce the probability / possibility of the incident occurring.

c.     Assess the worst-case scenario
Think about the worst possible outcomes for each of the impacts identified. Be brave; this is challenging – but critical to truly understand the inherent risk scores (and therefore be able to prepare for them).  At this stage, it is important to avoid tempering each scenario with the belief that ‘it won’t happen to us’ as this moves away from impact evaluation and encroaches onto probability and risk analysis, which is dealt with in the following step.

d.     Grade the probability of each impact happening
As noted above, this should be logically separate from the worst-case scenario assessment to avoid influencing the identification with judgement that reduces (or raises) the probability of potential impacts.  However, at this point the discussion around whether or not something is likely to happen is relevant. Taking a realistic estimate of the likelihood of an impact occurring and multiplying it by the impact score should it occur, it should be possible to determine an overall risk factor for each.

Naturally, these potential risks will vary greatly from business to business, but the following areas are among those most likely to require consideration:


Movement of goods
If you import or export goods to/from the EU, you must be prepared to comply with post-Brexit customs formalities in the event of no deal. You will also be impacted by significant changes to VAT rules and procedures, and potentially by difficulties at the border.

As part of your risk audit, aim to identify what impact these factors could have. What could the potential cost of border delays be for your business - both in terms of time and working capital? Look too at the size, number and regularity of your shipping consignments. How heavily could your organisation be hit by a rise in administrative customs costs?


Access to EU labour
Does your business rely heavily on EU workers? Depending on the future relationship with Europe, access to EU labour may become more restricted - making retention of your existing workforce a high priority.

Your current EU national workers may need to apply for settled status. Meanwhile, you might need to consider how you will track employee nationality status in order to ensure immigration compliance.


Product compliance
Are the products you produce or sell currently tested or certified against EU standards? While it seems certain that the UK will adopt these same standards and regulations post Brexit, it’s plausible that UK standards will not be recognised in the EU in the event of no deal.


Compliance with future trade tariffs
If you deal with suppliers from inside the EU, or from countries who have a trade agreement with the EU, your supply chain logistics could become increasingly complex (and costly) post Brexit. Supply chain mapping may therefore play a key part in your risk audit.

Similarly, those who export goods to the EU will need to consider the potential trade tariffs that could apply in the event of a no-deal departure. Without a trade deal, all exports and imports to the EU would be subjected to the same tariffs levied by the World Trade Organisation (WTO). How much would that cost your business?


STEP 2: Assess consequence and probability
Once you’ve identified the principal risks across these and other applicable categories, you should grade the consequence and probability of each.

Firstly, give each risk a score (perhaps between one and five), depending on the severity of its potential impact: one if it would have minimal impact on your bottom line (less than 1% of your turnover), five if it could result in the closure of your business.

The advice here is to consider the worst case scenario, making sure to avoid the “it won’t happen to me” mentality. The key is to objectively assess the severity of the risk if it does happen - however unlikely it may seem.

The probability part comes next. Each risk should again be graded (for example 1-5), this time based on an assessment of probability.

A mark of one would suggest a risk that’s highly improbable, while a grade of five suggests a near certainty.

Of course, this element of the assessment is particularly difficult due to the ever-changing nature of Brexit negotiations. However, this shouldn’t be used as an excuse not to do any planning at all.

Rather, organisations should make a judgement on what is most likely to happen, seeking professional advice if necessary to establish the most probable path.

Once you have scored your risks for probability and consequence, simply multiply the two scores to calculate an overall score (out of 25) for each of the impacts identified.

STEP 3: Consider your response
With your Brexit-related risks identified and graded, you can begin designing your response to each - starting with the highest-scoring (and therefore most pressing) risk.

Identify the steps you could take to mitigate each risk in full or in part - whether it’s stockpiling key raw materials, setting up divisions in the EU, or hiring extra labour.

For each potential measure you consider, aim to establish how much it will contribute to the management of the risk. Will it reduce the likelihood by 10%, 50% or completely negate the impact?

This assessment will provide a target risk level that illustrates how much of the risk can be managed if all the right controls are put in place and carried out effectively.

Going forward into the post-Brexit landscape, the controls you put in place to mitigate your risks should be reviewed on a regular basis, in order to ascertain whether or not they’re having the desired effect.

Has the ‘worst case scenario’ considered at stage one been avoided? Have the measures you put in place lessened the impact - and by how much?

Based on your findings, adjustments can then be made to your controls to further mitigate the risk.


STEP 4: Make informed decisions based on quality data
At every stage in the above process, it’s essential that your projections, assessments and decisions are based on the best available data.

Where possible, organisations should seek system-based statistics to inform the implementation and review of risk controls, though qualitative data can also be useful in certain circumstances.

Regardless though, the almost daily changing of the Brexit picture makes it nigh on impossible to confidently predict every potential business risk. In many ways, the potential risks are infinite - and will remain so until all the pieces start to fall into place.

So, while organisations should prepare as much as possible by adopting a traditional risk management approach, you should also expect the unexpected - and be prepared to react with agility and speed to the impacts you could never have seen coming.

