In business continuity, risk is at the center of everything we do. Therefore, we thought it might be helpful to make today’s blog a primer on risk.
Most of this stuff you probably already learned at one time or another, but there’s no harm in a quick refresher course.
Read on for a quick summary of:
- The 8 components of the Enterprise Risk Management framework
- The 6 types of risk your business continuity management (BCM) program should consider
- The 4 main risk mitigation strategies
As a bonus, we’ll discuss the issue of risk appetite vs. risk tolerance, and how organizations determine their risk profiles.
So keep reading to learn everything you always wanted to know about risk but were afraid to ask.
A RISKY FRAME OF MIND
The first thing you should know about risk is that the Enterprise Risk Management framework—that is, the activities that make up the job of managing risk at an organization—consists of eight (8) components. They are:
- Internal control environment. This concerns the tone of an organization. It sets the basis for how risk is viewed and addressed.
- It addresses the organization’s risk management philosophy, risk appetite, ethical values, and operating environment.
- Objective setting. This must occur before management can identify potential events affecting their achievement. ERM ensures that management has a process in place to set objectives. The chosen objectives should support and align with the company’s mission and be consistent with its risk appetite.
- Event identification. Events affecting the achievement of the organization’s objectives must be identified. Includes internal and external events. It’s important to distinguish between risks and opportunities. Opportunities are channeled back to management’s strategy or objective-setting processes.
- Risk assessments. Consider the likelihood and impact of an event as a basis for determining how risks should be managed. Risks should be assessed on an inherent and a residual basis.
- Risk response. Management should develop a set of actions (avoiding, accepting, sharing, or reducing) to align risks with the company’s risk tolerance and risk appetite.
- Control activities. Establishing and implementing policies and procedures to help ensure the risk responses are effectively carried out.
- Communication of relevant information. Important information should be identified, captured, and communicated in a format and timeframe that enables people to carry out their responsibilities.
- Monitoring. The ERM should be observed and, if necessary, modified.
- Monitoring is accomplished though ongoing management activities, separate evaluations, or both.
THE 6 KINDS OF RISKS
In business continuity, we usually break out the kinds of risks that organizations face into six (6) types. They are:
- Human error. No process or checks will stop mistakes. The beauty and curse of humanity.
- Intentional. Knowingly taking shortcuts or not following known procedures.
- Unintentional. Physical errors or mental or cognitive errors; where someone does the wrong thing believing it to be right (i.e., making the wrong decision).
- Data breach/ransomware. This happens every day.
- Brand image/reputational damage. For more information, see 7 Tips to Help You Protect Your Brand in a Crisis.
- Technology outages. Cases recently in the news have involved airlines and cloud-based services, among others.
HOW TO MITIGATE RISK
Risk is a fact of organizational life, but there are a number of strategies companies use to mitigate it. Here are the are four (4) main risk mitigation strategies:
- Risk acceptance. Risk acceptance does not reduce any effects; however, it is still considered a strategy. It is a common option when the cost of other risk management options outweighs the cost of the risk itself. A company that doesn’t want to spend a lot of money on avoiding risks that do not have a high possibility of occurring will use the risk acceptance strategy.
- Risk avoidance. Risk avoidance is the opposite of risk acceptance. It is the action that avoids any exposure to the risk whatsoever. Risk avoidance is usually the most expensive of all risk mitigation options.
- Risk limitation. Risk limitation is the most common risk management strategy. It limits a company’s exposure by taking some action. It is a strategy employing a bit of risk acceptance along with a bit of risk avoidance. An example of risk limitation would be a company accepting that a disk drive may fail and avoiding a long period of failure by having backups.
- Risk transference. Risk transference is the involvement of handing risk off to a willing third party. For example, numerous companies outsource certain operations such as customer service, payroll services, etc. This can be beneficial for a company if a transferred risk is not a core competency of that company.
WHAT COLOR IS YOUR RISK PARACHUTE?
The famous job-seeker’s guide What Color Is Your Parachute? says that everyone has different strengths and interests and that a person should let their unique profile be their guide as they plan their career. It’s similar for an organization when it comes to determining their risk profile.
Every company is different. Every organization needs to work this out for themselves, based on their unique values, industry, culture, and mission, and so on.
Some organizations are comfortable running a lot of risk. Some will do all they can to get their risk exposure as close to zero as possible.
How do you determine the risk profile of your organization? Think about how much risk your management is willing to accept. (This corresponds with Component No. 2, “Objective setting,” in the description of the Enterprise Risk Management framework given above.)
The amount of risk the organization will tolerate is its objective. The other activities of the framework are performed with the goal of meeting that objective. (This is why you need to determine how much risk you will accept at the beginning.)
Understanding the organization’s acceptance of risk allows both the IT department and the people managing the business functions to determine the appropriate risk remediation.
To determine their risk profiles, organizations must balance their risk appetite against their risk tolerance.
Risk appetite and risk tolerance both represent how much risk an organization is prepared to accept in pursuit of its objectives or mission. The risk appetite is a broader statement of the level of risk that management deems acceptable. An organization with a high-risk appetite might accept a high insurance deductible or even go without insurance. An organization with substantial financial reserves might have a high appetite for risk.
Risk tolerance is a narrower view of the specific level of risk the company will accept, setting an acceptable level of variation around specific objectives an organization seeks to achieve objectives.
Once organizations perform their risk assessments and understand their overall risk appetite, they can determine their tolerance for each risk and use an appropriate mitigation strategy.
UNDERSTANDING RISK MANAGEMENT
Risk is to business continuity as water is to sailing. It’s where it all happens. It’s the medium we work in to do what we do. By understanding risk—including the framework for managing it, the flavors it comes in, and the strategies for mitigating it—you are on your way toward gaining better control of it, and thus toward making your organization stronger and more resilient overall.
FURTHER READING
For more information on Enterprise Risk Management and other hot topics in business continuity management, check out these recent posts from MHA Consulting and BCMMETRICS: