This post is part of BCM Basics, a series of occasional, entry-level blogs on some of the key concepts in business continuity management.
In business continuity, risk is at the heart of everything we do. Every BC professional should be familiar with the enterprise risk management framework, the five types of risk, the four main risk mitigation strategies, and the concept of risk appetite and risk tolerance.
Related on MHA Consulting: Checking It Twice: The Corporate Risk Mitigation Checklist
Managing Operational Risk
At its core, BC is about minimizing risks and ensuring that the planning and actions that will allow the organization to continue functioning during an event are in place.
More specifically, BC is about reducing operational risk—as opposed to, say, insurance risk or strategic risk, which are managed at the executive level. In BC, our focus is on identifying and mitigating those risks that have the power to impact operations and delay their recovery.
Central to the task of managing operational risk are four foundational concepts: the enterprise risk management framework, the five types of risk, the four main risk mitigation strategies, and the concept of risk appetite and tolerance.
Read on for a description of each.
The Risk Management Framework
The enterprise risk management (ERM) framework includes all the activities that make up the job of managing risk at an organization. As described here (the eight components of the COSO ERM framework), it has eight components:
- Internal control environment. The tone of an organization. This sets the basis for how risk is viewed and addressed at the company. The internal environment addresses the organization’s risk management philosophy, risk appetite, ethical values, and operating environment.
- Objective setting. Before anyone can identify events that might impede the organization’s ability to carry out its objectives, management must identify what those objectives are. The chosen objectives should support and align with the company’s mission and be consistent with its risk appetite.
- Event identification. After the organization’s objectives are established, the next step is to identify events, internal and external, that have the potential to interfere with achieving them. In this context, it is important to distinguish between risks and opportunities, with opportunities being channeled back to management’s strategy or objective-setting processes.
- Risk assessments. To help in determining how different risks should be managed, it’s essential to consider the likelihood of each risk’s occurring and the impact it would have on the organization if it did occur. Risks should be assessed on an inherent and a residual basis.
- Risk response. Next the organization should develop a set of actions to help it mitigate the risks, such as avoiding, accepting, sharing, or reducing them, to bring them into alignment with the company’s risk tolerance and risk appetite. (See below for more information on risk mitigation strategies and risk tolerance and appetite.)
- Control activities. It isn’t enough to merely identify potential risk mitigation actions. Control activities such as policies and procedures need to be implemented to ensure the risk responses are carried out.
- Communication of relevant information. Important information should be identified, captured, and communicated in a format and timeframe that enables people to carry out their responsibilities.
- Monitoring. The risk management effort should be continuously monitored and modified as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.
By integrating these eight components, an organization can create a robust risk management framework that aligns with its mission and objectives. Continuous monitoring and effective communication ensure that the framework remains adaptive and responsive to emerging risks.
The Five Types of Risks
In business continuity, we usually categorize the risks that organizations face into five distinct types:
- Human Error. These are risks caused by the actions of people, whether intentional or unintentional. Intentional errors include an employee deliberately skipping a required procedure out of carelessness, and actions taken purposefully to cause harm, whether out of resentment or ideology or for financial gain. Unintentional errors can result from physical mistakes or cognitive lapses, where someone believes they are making the right decision but instead chooses incorrectly.
- Natural or External Events. These are events beyond our control, such as extreme weather, seismic activities, political demonstrations, or conditions related to specific locations. These risks require preemptive strategies to mitigate their impact.
- Brand Image/Reputational Damage. The impact of an event on your organization’s reputation can be long-lasting and far-reaching. Protecting your brand during a crisis is critical, as public perception can shift rapidly and have lasting effects.
- Technology Outages. Recent events have shown that outages in technology, whether in cloud services, telecommunications, or airline systems, can cause significant disruptions to operations, including at organizations that do not run the failed system themselves. A well-prepared business knows which of its functions depend on which internal and third-party services and has contingency plans for the loss of each.
- Cyber Events. Cyber threats, including data breaches and ransomware attacks, occur daily and represent one of the most pervasive risks in today’s digital landscape. Implementing robust cybersecurity measures is essential to defend against these persistent threats. Unlike a hardware failure, a cyber event can also compromise the backups, credentials, and systems the recovery plan depends on, so recovery plans for this category should assume that and rely on backups that are isolated from production.
Together, these five categories cover the spectrum of risks that can challenge an organization’s ability to maintain continuity. Understanding and addressing each type is crucial to building a resilient and responsive business.
The Four Risk Mitigation Strategies
Risk is an inevitable aspect of operating a business, and no organization can completely eliminate it. However, strategies exist that can be employed by companies to manage and mitigate the impact of various risks. Below are the four main risk mitigation strategies that organizations typically consider:
- Risk Acceptance. This strategy involves acknowledging the existence of a risk without taking steps to prevent it. While it doesn’t reduce the effects of the risk, it’s often chosen when the cost of other mitigation strategies exceeds the potential impact of the risk itself. Companies might opt for risk acceptance when the likelihood of the risk occurring is low or when the potential loss is minimal relative to the cost of avoidance. Acceptance should be a documented decision by someone with the authority to make it, not the default that results from never assessing the risk.
- Risk Avoidance. As the name suggests, risk avoidance aims to eliminate exposure to the risk, usually by not undertaking (or discontinuing) the activity, system, or location that creates it. This is the most conservative approach, and it often has significant cost because the organization gives up whatever benefit the activity provided. Organizations typically use this strategy when the risk is deemed unacceptable or when the potential consequences are too severe to ignore.
- Risk Limitation. The most commonly employed strategy, risk limitation seeks to reduce the likelihood or the impact of a risk by taking proactive steps, while accepting whatever risk remains. For example, a company might accept that a disk drive could fail but limit the impact of a failure by implementing regular, tested backups. By doing so, it reduces the impact of the failure without entirely avoiding the risk.
- Risk Transference. This strategy involves shifting the risk to another party, usually through outsourcing or insurance. For example, a company might transfer the risk of data loss by hiring a third-party cloud service provider. This approach is particularly beneficial when the risk is not directly related to the company’s core operations, allowing the organization to focus on its strengths while managing potential threats through external partnerships. Note that transference shifts the cost of a loss, not the accountability for it: insurance pays for a disruption but does not shorten it, and a cloud provider is responsible only for the parts of the service the contract assigns to it, so the residual risk still needs to be understood and, where necessary, limited.
By understanding and applying these four strategies, companies can make informed decisions that align with their risk tolerance and business objectives. The right combination of these approaches can help an organization navigate the complex landscape of risks while maintaining resilience and stability.
Risk Appetite and Risk Tolerance
Organizations must carefully evaluate their unique profiles to determine their approach to risk. Each company has its own values, industry contexts, cultures, and missions, all of which influence its risk profile.
Some organizations are willing to embrace a significant amount of risk, while others prioritize minimizing their exposure to potential threats. To determine the risk profile of your organization, it’s essential to consider how much risk your management team is willing to accept. In the Enterprise Risk Management (ERM) framework this is established in the internal environment component, where the risk management philosophy and risk appetite are set, and carried into Objective Setting, where objectives are chosen to be consistent with that appetite; both are foundational to strategic decision-making.
The amount of risk an organization can tolerate shapes its overall objectives. Once this tolerance is established, other activities within the ERM framework are carried out with the goal of adhering to that level of risk. Defining your risk tolerance at the outset is critical—it informs all subsequent actions and decisions.
Understanding your organization’s risk appetite and tolerance is key to ensuring that the IT department and the people managing the business functions can determine appropriate risk remediation measures.
Risk appetite and risk tolerance, though related, serve different purposes in risk management. Risk appetite represents a broad, overarching statement of the level of risk that management is willing to accept in pursuit of the organization’s goals. For instance, a company with a high risk appetite might opt for a high insurance deductible or even forego insurance entirely, particularly if it has substantial financial reserves to cushion potential losses.
In contrast, risk tolerance is more specific, defining the acceptable level of variation around particular objectives. It sets precise boundaries for the amount of risk the organization is willing to take on in specific areas.
Once an organization has conducted a thorough risk assessment and understands its overall risk appetite, it can then determine the appropriate tolerance for each identified risk. This, in turn, allows the organization to select suitable mitigation strategies and incorporate them into its business continuity plans and technology safeguards.
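The risk assessment step of the ERM framework (scoring likelihood and impact on an inherent and a residual basis) and the tolerance check described above are easiest to see in a small risk register. The following is an added example written for this post, not MHA’s own method or tool: the 1 to 5 scales, the score-reduction model for controls, the per-category tolerances, and the rule that maps a scored risk to one of the four mitigation strategies are all assumptions chosen to illustrate the concepts, and the sample risks are constructed. The disk-drive and cloud-provider entries mirror the examples given for risk limitation and risk transference above.

```python
"""Risk register: inherent vs. residual scores checked against per-category tolerance.

Added illustration for the BCM Basics post; scales, control model and thresholds are
assumptions, not a standard. Sample risks below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Ordinal 1-5 scales (assumption; many qualitative assessments use something similar).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Control:
    """A control lowers likelihood and/or impact by a number of steps on the scale."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    name: str
    category: str                  # one of the five BC risk types
    likelihood: str                # key of LIKELIHOOD
    impact: str                    # key of IMPACT
    controls: List[Control] = field(default_factory=list)
    transferable: bool = False     # can realistically be insured or outsourced
    core_operation: bool = True    # tied to the organization's core operations

    def inherent(self) -> int:
        """Score before any control is applied."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual(self) -> int:
        """Score after the listed controls; neither factor can drop below 1."""
        lk = LIKELIHOOD[self.likelihood] - sum(c.likelihood_reduction for c in self.controls)
        im = IMPACT[self.impact] - sum(c.impact_reduction for c in self.controls)
        return max(1, lk) * max(1, im)


def recommend_strategy(risk: Risk, tolerance: int) -> str:
    """Map a scored risk to one of the four strategies (assumed decision rule).

    accept   - inherent score already within tolerance, nothing to do
    limit    - controls bring the residual score within tolerance
    transfer - still over tolerance, but insurable/outsourceable and not core
    avoid    - over tolerance with no acceptable way to limit or transfer it
    """
    if risk.inherent() <= tolerance:
        return "accept"
    if risk.residual() <= tolerance:
        return "limit"
    if risk.transferable and not risk.core_operation:
        return "transfer"
    return "avoid"


def build_register(risks: List[Risk], tolerances: Dict[str, int]) -> List[dict]:
    """One row per risk with both scores, the tolerance that applies and the strategy."""
    rows = []
    for r in risks:
        tol = tolerances[r.category]
        rows.append({"risk": r.name, "category": r.category,
                     "inherent": r.inherent(), "residual": r.residual(),
                     "tolerance": tol, "within_tolerance": r.residual() <= tol,
                     "strategy": recommend_strategy(r, tol)})
    return rows


# Constructed tolerances: the maximum residual score management accepts per category.
TOLERANCE = {"human error": 6, "natural/external": 8, "reputational": 4,
             "technology outage": 6, "cyber": 4}

# Constructed sample risks.
SAMPLE_RISKS = [
    Risk("report typos", "human error", "likely", "negligible"),
    Risk("disk failure", "technology outage", "likely", "major",
         controls=[Control("mirrored disks", likelihood_reduction=2),
                   Control("nightly backups, restore tested", impact_reduction=2)]),
    Risk("archive data loss", "technology outage", "possible", "major",
         transferable=True, core_operation=False),
    Risk("ransomware on ERP", "cyber", "likely", "severe",
         controls=[Control("MFA, patching, endpoint detection", likelihood_reduction=2),
                   Control("offline, tested backups", impact_reduction=3)]),
    Risk("launch of unsupported legacy payment app", "reputational", "possible", "severe"),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS, TOLERANCE):
        print(f"{row['risk']:<45} inherent={row['inherent']:>2} residual={row['residual']:>2} "
              f"tol={row['tolerance']} -> {row['strategy']}")
```

Two things the register makes visible that the prose does not: a risk can be far outside tolerance on an inherent basis and still be a limitation case once controls are scored (the ransomware entry), and a risk with no controls at all is either accepted, transferred or avoided, never limited. Changing a tolerance value and re-running shows directly which strategies flip, which is the practical effect of a risk appetite decision.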
The Cornerstone of Effective BCM
Understanding and managing risks is the cornerstone of effective business continuity management. By mastering the concepts and strategies discussed above, organizations can better prepare for potential disruptions and safeguard their operations.
The right balance of risk appetite, tolerance, and mitigation strategies will ensure resilience and continuity. With a solid risk management framework in place, your organization will be well-equipped to face whatever challenges come your way.
Richard Long
Richard Long is one of MHA’s practice team leaders for Technology and Disaster Recovery related engagements. He has been responsible for the successful execution of MHA business continuity and disaster recovery engagements in industries such as Energy & Utilities, Government Services, Healthcare, Insurance, Risk Management, Travel & Entertainment, Consumer Products, and Education. Prior to joining MHA, Richard held Senior IT Director positions at PetSmart (NASDAQ: PETM) and Avnet, Inc. (NYSE: AVT) and has been a senior leader across all disciplines of IT. He has successfully led international and domestic disaster recovery, technology assessment, crisis management and risk mitigation engagements.