This post outlines the risk management process —the steps every organization should go through regularly to protect itself against the hazards of doing business. Every organization needs to do some type of risk management. If your business is caught without a process for risk management, you are leaving yourself vulnerable.
Risk management can be defined as forecasting and evaluating risks to the organization, determining impact (financial, brand, people, etc.), and identifying steps to avoid or reduce their impact. Risk mitigation is the prudent response to the reality that life is uncertain and sometimes bad things happen to good organizations. The alternative to risk management is going through life with your fingers crossed, hoping that bad luck only ever happens to other people. Risk management introduces rationality into the irrational world of bad luck. It’s a way of evaluating potential negative events and their likely impacts, then taking steps to protect ourselves against those events that would cause the severest damage if they occurred, or that are more likely to occur. Risk mitigation and management can help us understand where we should invest to protect ourselves, and also where we don’t need to do so (if the risk is too small).
The risk management process is the set of steps you should be taking routinely, habitually, to assess and mitigate the hazards present in your organization and lines of business. This should become part of your organization’s culture. It should become as habitual for your company as it is for a person to look both ways before they cross the street. It needs to be a cycle because it can take several iterations to get where you need to be and also because things change over time. Risk management and mitigation is not a project, but an ongoing aspect of resiliency. Most organizations should assess their risks at least once a year, depending on the rate of change in their organization, field, and environment.
We could add a seventh step: go back and do it all over again—since things are always changing, in business, life, and the larger environment, and you need to continually review to stay current and protected. We’ll talk more about each step below.
Everything in risk management starts with risk assessment: examining the factors at your organization and in your environment that are potentially dangerous. You want to think about everything that has the potential to take your organization down. Natural disasters are part of the picture but there’s a lot more to it than that. Think also about technological risks and risks involving single points of failure (SPOFs), whether they reside in equipment or people (individuals who are the only ones who know how to do certain essential tasks). Also think about risks that might arise from your location. Are you in an industrial area where there’s a risk of gas leaks? Near government buildings downtown where you might be affected by demonstrations?
Once you have made a list of the risks facing your company, you need to evaluate them. Specifically, you should evaluate them in terms of how severe the impact would be and the likelihood of their occurring. Then you prioritize them in this order:
Here you can see right away how using the risk mitigation process can bring significant benefits to the organization.
You also have to figure out your risk profile, or rather your senior management’s risk profile. This is all down to them. It’s about how much risk they are prepared to live with. Some organizations are comfortable running a lot of risk. Some will do all they can to get their risk exposure as close to zero as possible. Risk appetite and risk tolerance both refer to how much risk an organization is prepared to accept in pursuit of its objectives. Risk appetite is a broader statement of the level of loss exposure that management deems acceptable, given its objectives and resources. An organization with a high risk appetite might accept a high insurance deductible or even go without insurance. An organization with substantial financial reserves might have a high appetite for risk. Risk tolerance is the narrower view: the acceptable degree of variation around specific objectives that the company is willing to tolerate, within its overall risk appetite.
Once it’s known how much risk management is prepared to accept, you can start choosing a risk mitigation strategy for each significant risk. There are four of them:
Implement the strategies you decided on in Step 4.
Residual risk refers to how much risk is left over after you have adopted your risk mitigation strategies. It’s the amount of risk left in your system after you have followed steps 1 through 5. This is not an abstract concept. It tells you whether your risk mitigation strategies were successful. If your residual risk remains outside your management’s tolerance, you need to go back and beef up your mitigation strategies. If your residual risk is significantly less than the amount of risk management will accept, you might be spending too much money on your risk mitigation process. Perhaps you can ease up on some of your strategies.
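The evaluation described above (rating each risk by likelihood and impact, prioritizing by the resulting score, and then checking residual risk against management’s tolerance) is easiest to see in a small risk register. The following is an added illustration, not MHA’s or BCMMETRICS’ tooling; the 1-to-5 rating scale, the product-of-ratings score, the tolerance and floor thresholds, and every entry in the sample register are assumptions constructed for the example.

```python
from dataclasses import dataclass

SCALE_MAX = 5  # ratings run 1 (lowest) to 5 (highest); score = likelihood * impact (assumed scale)


@dataclass
class Risk:
    name: str
    likelihood: int           # inherent likelihood before any mitigation, 1-5
    impact: int               # inherent impact, 1-5
    strategy: str             # chosen mitigation strategy (free text in this example)
    residual_likelihood: int  # likelihood expected after the strategy is in place, 1-5
    residual_impact: int      # impact expected after the strategy is in place, 1-5

    def __post_init__(self):
        # Reject ratings outside the scale so a typo cannot silently distort priorities.
        for value in (self.likelihood, self.impact,
                      self.residual_likelihood, self.residual_impact):
            if not 1 <= value <= SCALE_MAX:
                raise ValueError(f"{self.name}: ratings must be 1..{SCALE_MAX}")


def score(likelihood: int, impact: int) -> int:
    """Risk score as the product of likelihood and impact (the evaluation step)."""
    return likelihood * impact


def inherent_score(r: Risk) -> int:
    return score(r.likelihood, r.impact)


def residual_score(r: Risk) -> int:
    """Risk left over once the chosen mitigation strategy is applied."""
    return score(r.residual_likelihood, r.residual_impact)


def prioritize(risks):
    """Highest inherent score first; ties go to the risk with the larger impact."""
    return sorted(risks, key=lambda r: (inherent_score(r), r.impact), reverse=True)


def residual_status(r: Risk, tolerance: int, floor: int) -> str:
    """Compare residual risk with management's stated tolerance.

    tolerance: highest residual score management will accept.
    floor: a residual score below this suggests the mitigation may be
           costing more than the risk warrants (both thresholds are assumed).
    """
    s = residual_score(r)
    if s > tolerance:
        return "above_tolerance"   # go back and strengthen the strategy
    if s < floor:
        return "below_floor"       # possibly over-mitigated; review the spend
    return "within_tolerance"


def review(risks, tolerance: int, floor: int) -> dict:
    """Map each risk name to its residual status for a management dashboard."""
    return {r.name: residual_status(r, tolerance, floor) for r in risks}


# Constructed sample register: names, ratings and strategies are made up for the example.
SAMPLE_REGISTER = [
    Risk("Data centre power loss", 4, 5, "reduce: UPS plus generator", 1, 5),
    Risk("Key engineer single point of failure", 3, 4, "reduce: cross-training", 2, 3),
    Risk("Critical vendor outage", 3, 3, "transfer: contractual SLA and insurance", 2, 2),
    Risk("Gas leak at neighbouring industrial site", 1, 4, "accept", 1, 4),
    Risk("Minor office water leak", 2, 2, "reduce: leak sensors on every floor", 1, 2),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{inherent_score(r):>2}  {r.name}")
    for name, status in review(SAMPLE_REGISTER, tolerance=5, floor=4).items():
        print(f"{status:<17} {name}")
```

With a tolerance of 5, the cross-training for the key-engineer risk leaves a residual score of 6, so that entry is flagged for stronger mitigation, while the water-leak sensors push a low-scoring risk below the floor and are worth revisiting as possible overspend. The same table, re-run on each review cycle, is the feedback loop the post describes.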
After this, it’s all about repeating the cycle—whether you are repeating particular steps as part of an ongoing effort to hit the bull’s-eye of your management’s risk tolerance, or you’re repeating the entire process as part of an annual or biannual review. Large organizations usually have a risk management department. Small and mid-size ones can often benefit from obtaining an outside consultant such as MHA to help in implementing the risk mitigation cycle.
Are you familiar with the answer bank robber Willie Sutton gave when asked why he robbed banks? He said, “Because that’s where the money is.” The reason we in business continuity management (BCM) worry about risk so much is because that is where the danger to our organizations lies. It’s also where the opportunities to make them more resilient can be found. Everything we in business continuity and disaster recovery do revolves around risk mitigation. Without understanding risks and the impacts those risks pose, the planning and implementation around BC and IT/Disaster Recovery (IT/DR) will not provide appropriate value or functional capability. We do risk assessments to reach resiliency.
- Related on MHA Consulting: Everything You Always Wanted to Know About Managing Risk but Were Afraid to Ask
One benefit of having this type of software is that you will be able to come up with an answer when management asks you a question such as, “How compliant is our Business Continuity program and how does it compare to others in our industry?” A good BCM self-assessment or GRC (Governance, Risk, and Compliance) tool makes it easy for you to assess your compliance with industry standards and best practices. This is a critical first step toward raising your compliance and hence your resiliency.
Related: BCMMETRICS produces a suite of industry-leading BCM benchmarking tools.
A quality BCM self-assessment tool will let you quickly and easily assess the compliance of your program. For example, BCMMETRICS™ Compliance Confidence allows you to assess your program across seven dimensions: Program Administration, Crisis Management, Business Recovery, Disaster Recovery, Supply Chain Risk Management, Third Party Management, and Fire & Life Safety. Some tools also let you attach supporting documentation, so you have everything that relates to that assessment in one place. And some BCM tools allow you to add tasks and assign responsible parties for a resolution to keep the program moving down the compliance trail. Some also allow you to run management scorecards and reports on each dimension outlining the state of the program. This kind of data gives a big-picture analysis of what the compliance landscape looks like. It gives you a clear picture of where you are doing well and where your program is weak, providing a way to focus your future efforts for maximum return and impact. There are several good BCM self-assessment tools on the market, including those produced by our sister company, BCMMETRICS. You can find out more about the entire suite of BCM benchmarking tools here.
Gladly. Your question is about the activities that make up the job of managing risk at an organization. We usually think of this as consisting of eight components. (It’s called the Enterprise Risk Management framework, or ERM.) The components are:
- Internal control environment. This concerns the tone of an organization. It sets the basis for how risk is viewed and addressed. It addresses the organization’s risk management philosophy, risk appetite, ethical values, and operating environment.
- Objective setting. Clear objectives must be set before management can identify potential events that might have an effect on their plans. ERM ensures that management has a process in place to set objectives that support and align with the company’s mission and are consistent with its risk appetite.
- Event identification. Events affecting the achievement of the organization’s objectives must be identified. This includes internal and external events. Remember that it’s always important to distinguish between risks and opportunities. Opportunities are channeled back to management’s strategy or objective-setting processes.
- Risk assessments. Consider the likelihood and impact of an event as a basis for determining how risks should be managed. Risks should be assessed on an inherent and a residual basis.
- Risk response. Management should develop a set of actions (avoiding, accepting, sharing, or reducing) to align risks with the company’s risk tolerance and risk appetite.
- Control activities. Establishing and implementing policies and procedures to help ensure the risk responses are effectively carried out.
- Communication of relevant information. Important information should be identified, captured, and communicated in a format and timeframe that enables people to carry out their responsibilities.
- Monitoring. The ERM should be observed and, if necessary, modified. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.

A risk mitigation strategy is a way of reducing the potential adverse effects to the organization that could be caused by a crisis or business disruption. There are four types of risk mitigation strategies:
Absolutely. Monitoring risk—including tracking identified risks and evaluating the performance of risk mitigation actions—is critical to the risk mitigation process. Systematically monitoring risk feeds information back into other risk management activities, such as identification, analysis, mitigation planning, and mitigation plan implementation. The process for risk monitoring includes setting up a structure for how often you review your risk, what to monitor, how to report changes, and how to redefine your risk strategies.
Monitoring the ongoing risk mitigation and state of identified risks should be a continuous activity. We monitor and react to risk constantly in our daily lives; conscious, ongoing monitoring of our organization’s risk mitigation position should occur as well. It’s a good idea to schedule periodic risk reviews ahead of time. Take the time each month to review the highest-probability and largest-impact risks, along with their mitigation strategies; this is what allows for continuous improvement.
Yes, a periodic review of the risk mitigation plan is required to ensure that it is meeting the needs of the organization. Review all mitigation strategies, including the status and effectiveness of the actions you have taken. Surveying those strategies not implemented also ensures that your plan is moving forward. Ensuring that all requirements of your risk management plan are being implemented is critical—otherwise, the mitigation strategy can become an unconscious acceptance of the risk, and may be identified as an additional risk itself.
For more information, see The Ultimate Checklist for Creating a Risk Mitigation Plan
Yes, it is. The modus operandi of your business is always evolving, and even if it’s doing so slowly, new risks may pop up. Your risk mitigation strategy will be ineffective if you’re not tracking new risks based on personnel, vendor, and software changes. Updating your list of risks is a critical part of maintaining an effective risk management plan.
Definitely. When reviewing the risks you’ve previously identified and taken action on, remember to validate your previous risk assessments based on your risk’s likelihood and impact. Changes to your risk may result in changes to either or both of these. Therefore, it is essential to adjust the risk’s priority accordingly. It’s also a good idea to validate previous assumptions and state any new assumptions as this will help you monitor your risk over time.
The best way is to leverage the reporting already in use as part of the risk analysis. There is no need to have multiple reporting mediums. A quick monthly dashboard with changes and status of risks and mitigation strategies (which are monitored) and/or changes to the profile can be enough to provide constant visibility to the state of risk and potential impact. Keeping this up-to-date should not take much time if the monitoring is performed as described above. Remember, without good information, you cannot make appropriate decisions. Having consistent reporting will help you convey any changes to your risk strategy to management and interested parties.
It may make sense to adjust the mitigation strategy or the regular risk assessment schedule when there is a change to the risk impact or its probability. Ideally you keep using the strategies currently implemented, making changes as warranted. A complete change in the strategy may not be necessary, but adjustment to the implementation may be an option.
Sorry, but no—not as long as you’re working as a business continuity professional. Risk management is not a task to complete and check off your to-do list. It’s an ongoing activity that should become part of your overall business continuity culture. It should be a consideration in everything we do. An underlying thought should always be: what are the risks, the likelihood of occurrence, and the impact? As with most activities, continual attention provides better and more efficient execution, less effort overall, and better results. Monitoring risk mitigation strategies is actually one of the most important activities you can undertake. You never know when the event being mitigated may occur.
For more information on the risk management process and other hot topics in BC and IT/disaster recovery, check out these recent posts from MHA Consulting and BCMMETRICS: