
Construction Insights

Think Beyond Safety To Manage Your Risks


To many, the term risk management refers to the company’s safety policies and procedures. To others, risk management means the company’s insurance programs and coverages. Still others view risk management as company-wide compliance (laws, regulations, taxes, etc.). But the truth is that risk management includes all this and much, much more.

What is risk management?

Per the American Institute of CPAs’ “Enterprise Risk Management: Guidance for Practical Implementation and Assessment,” risk management is “coordinated activities to direct and control an organization with regard to risk” and enterprise risk management “is a process, effected by an entity’s board of directors, management, and other personnel, applied in strategy-setting and across the enterprise designed to identify potential events that affect the entity, manage risk to be within its risk appetite, and to provide reasonable assurance regarding the achievement of entity objectives.” In plain English, risk management encompasses identifying and managing or mitigating risks to help keep them from disrupting your business.

This is a good working definition because it sufficiently broadens risk management beyond the traditional focus on financial aspects to include operational, managerial and executive activities. It is a very broad topic – but one that businesses of all sizes must pay attention to and dedicate resources to – not just the “big boys.” Risk management breaches (i.e. financial, data, other) occur daily. One of the fastest growing risks is that of data breaches. And again, every company’s data is at risk, even a construction company that may think it’s not large enough or doesn’t have sensitive information anyone would be interested in stealing. Data is valuable not just to the company that owns it, but on the open market. In addition, your data is vulnerable to other cyber-risks, such as being encrypted and locked from your access unless you pay a fee – a practice known as ransomware. This could be just as costly.

For those entities which don’t want to or don’t have significant resources (money, personnel and time) to invest in an enterprise risk management program, there are still significant and powerful ways to help protect your data and its vulnerabilities. Although they are more limited in scope, they can be cost-effective and efficient for many organizations.

Ways to get started quickly

One such tool companies can leverage for their benefit is an information security risk assessment process known as OCTAVE® Allegro. OCTAVE® stands for Operationally Critical Threat, Asset, and Vulnerability Evaluation℠. Allegro means “brisk” or “with pace.” OCTAVE® Allegro is a suite of tools, techniques, and methods for risk-based information security strategic assessment and planning to quickly identify and evaluate information security risks. This eight-step process allows an initial assessment to be completed as quickly as one day. Your AGH risk management team can either facilitate this process for the company or train your personnel to administer the program internally. Either way, this is a cost-effective and efficient process that can help small to mid-sized entities begin to address risk management concerns, especially those related to data and information.

For example, assume your construction company has highly sensitive information and data (building drawings, proprietary modeling and project costing) on your company server that is accessed and downloaded to multiple desktop and laptop computers as well as personal devices (smartphones or iPads). What risks are involved with this scenario? Is any of that information protected by federal or other regulations? What happens if a device is stolen, the data is corrupted or, worse, the data is ransomed? There are many, many risks that should be evaluated, prioritized, then appropriately addressed. This is what OCTAVE® Allegro does in “bite-size, digestible” phases, and can be applied to very small through very large, complex companies based on the entity’s desired scope.

Risk management is an investment no company – big or small – can afford to ignore. Specifically, companies must ensure their data is secure and protected. The costs associated with a breach will far outweigh the costs associated with preventative measures which could save your company from interruptions ranging from irritating to disastrous. Risk management may not sound like an “exciting” use of resources. But dealing with a data breach or business interruption is more “excitement” than any business leader needs.

Take Action

For more information about risk management, contact AGH vice president of assurance Aron Dunn. Aron is one of few Certified Construction Industry Financial Professionals (CCIFPs) who do not work directly for a construction company or contractor. He serves on AGH’s construction industry team. To reach Aron, use the information below.

Aron Dunn, CCIFP

Senior Vice President,
Assurance Services
Aron Dunn works extensively with construction contractors, and is one of few CPAs not employed by a contractor who has earned the Certified Construction Industry Financial Professional (CCIFP) credential. In addition to his focus on construction assurance, Aron’s experience also includes special-project background in mergers and acquisitions and refinancing. He is a board member of both the national Construction Financial Management Association (CFMA) and the Greater Wichita chapter of CFMA.

Aron is a certified public accountant and a member of both the American Institute of Certified Public Accountants and the Kansas Society of Certified Public Accountants (KSCPA). At one point, he served as one of the youngest-ever KSCPA chairs. He is a longtime former chair of the KSCPA’s Auditing and Accounting task force and the Peer Review Process Improvement Task Force, and is a past president of the Wichita Chapter of the KSCPA. He is a former member of AICPA's national Accounting & Review Services Committee among other AICPA committees and task forces.