In enterprise risk management (ERM), risk is commonly divided into eight distinct risk domains, some strategic and some operational. In today’s post, we’ll look at what these domains are, reveal which tend to get overlooked, and explain how knowing about the domains can help business continuity (BC) professionals reduce their organizations’ risks, bolster their resilience, and protect their stakeholders.
In Strong Language, MHA’s glossary of essential business continuity terms (free for download with registration), risk management is defined as “The process of assessing and mitigating the danger to which an organization is exposed as it carries out its activities.”
Before we discuss the eight risk domains, there are three general points about risk management that are worth keeping in mind:
1. In essence, risk management is about being mature, practical, and proactive in actively managing down risk to make the organization more prepared to limit impacts and ensure operational resiliency.
2. Following the risk assessment, the organization should address each identified risk with one of the four risk mitigation strategies: risk acceptance, risk avoidance, risk limitation, or risk transfer. (For more on these strategies, see MHA’s post “Don’t Just Hope: Choosing Strategies to Mitigate Risk.”) Identified risks should not just be ignored with the hope the impact will not occur. Hope is not a strategy.
3. Everyone involved in assessing and mitigating risk at an organization needs to make sure their work is tailored to the company’s industry and culture. Risk management is not one-size-fits-all.
The landscape of risk is commonly divided into eight risk domains. Here is a breakdown of the eight domains as well as an indication of how critical each is from the perspective of BC:
1. Operational: Risks related to the day-to-day business processes, systems, and resources (internal, external, technology, equipment, and people) that keep operations running and services delivered. Critical to BC.
2. Health and Safety: Risks associated with the well-being and security of employees, customers, and visitors. Important to know for BC, but remediation should be part of the safety and security organization. The BC practitioner’s role is to ensure that BC plans address these risks and that any workarounds outlined in recovery plans do not increase them (or interfere with measures taken to remediate them).
3. Strategic: Risks that might impact the achievement of long-term organizational objectives, guiding decision-making and strategic planning. Not critical to BC planning (however, should be considered if there are risks that could have potential operational impacts).
4. Financial: Risks related to financial stability, including market fluctuations, credit risks, and cash flow management. It’s important for BC to ensure that recovery plans address workarounds associated with these risks.
5. Human Resources: Risks linked to the workforce, such as availability, single points of knowledge or skill, talent acquisition, retention, training, and employee satisfaction. Critical to BC. Recovery plans must address potential single points of failure relating to individuals or small teams that could be impacted by loss of staff.
6. Legal and Regulatory: Risks pertaining to compliance with laws, regulations, and industry standards. Potential legal liabilities also fall in this domain, as do matters related to company ethical practices. Critical to BC. Recovery-plan workarounds must meet legal and regulatory requirements. Relevant areas include HIPAA (health information security), personally identifiable information (PII), payment card information (PCI), and critical reporting requirements.
7. Technological: Risks concerning technology infrastructure and applications, data security, cyber threats, information breaches, and other technological disruptions. IT is responsible for this area, but BC practitioners need to understand these risks and ensure workarounds can function for the length of time necessary.
8. Environmental and Infrastructure Hazards: Risks associated with natural disasters, physical infrastructure failures, and environmental impacts. These risks are handled by other teams, but BC practitioners need to ensure recovery plans address their potential impacts.
These are the eight areas BC consultants and risk management professionals are talking about when we discuss the need to assess and mitigate the risks to an organization.
Some of the risk domains named above tend to get short shrift when organizations roll their sleeves up and get to work identifying and assessing the risks they face.
The strategic domain and its close relations (legal and regulatory, financial) usually get a lot of attention because it is the higher-level people who usually take the lead on risk management, and those people tend to think strategically.
In contrast, the operational side and the other tactical-level concerns tend to be overlooked. This is unfortunate because the operational piece is key from a business continuity and viability perspective.
Anyone involved in risk assessment and mitigation should make a special push to gather information about operational and tactical risks from the people who know them best: front-line, lower-level workers.
MHA’s experience in this area suggests that superficial questions will yield superficial results. What’s needed are probing, informed questions by people who respect the experience of the front-line workers and are determined to get to a true picture of the vulnerabilities they alone can identify. (For good examples of this type of operational vulnerability, see “Single Points of Failure: Protecting Yourself from Hanging by a Thread.”)
BC professionals have a role in ensuring that the organization looks at all eight domains in assessing and mitigating risk. But they will be more active in some areas than others.
BC practitioners tend to have little to do with assessing strategic risks. However, they are well-positioned to play a role in engaging with front-line workers to elicit substantive information on critical operational risks, as well as risks to health and safety, technology, and other tactical areas. BC professionals should also devise recommendations to mitigate the risks they identify.
Finally, BC practitioners’ findings and recommendations should be rolled up into the all-inclusive risk assessment package (strategic and operational) given to the senior leadership to enable them to make informed decisions about what the organization should do to manage down its risks. (These decisions tend to require either procedural changes or operational outlays.)
This activity is not a one-and-done project but an ongoing process.
Enterprise risk management (ERM) revolves around eight distinct risk domains, combining both strategic and operational aspects. These domains play a pivotal role in assessing and mitigating risks, ensuring smooth operations, and safeguarding the organization’s well-being.
Business continuity professionals have an important role to play in actively engaging with front-line workers to gather critical information about operational risks, an area that is often overlooked. The vulnerabilities they identify, and the solutions they propose, can then be provided to senior leadership, enabling them to make informed decisions about mitigation strategies as the organization engages in the ongoing process that is contemporary risk management.