Risk Mitigation: The Four Types

What is Risk Mitigation?

What do you do when you find a vulnerability in your company? Risk mitigation is the action you take to reduce threats and ensure resiliency. When you mitigate risk, you are taking steps to reduce adverse effects.

When mitigating risk, it’s crucial to develop a strategy that closely relates to and matches your company’s profile. A proper mitigation strategy will define how you manage each risk.

Safeguard your business success by learning how to approach risk mitigation.
In this post, we’ll explain your options for mitigating risk, how to get started, and who is responsible for your risk management strategy.

The Four Types of Risk Mitigation

There are four risk management strategies that are unique to Business Continuity and Disaster Recovery: risk acceptance, risk avoidance, risk limitation, and risk transference.


Risk Acceptance

Risk acceptance does not reduce any effects; however, it is still considered a strategy. It is a common option when the cost of other risk management options, such as avoidance or limitation, would outweigh the cost of the risk itself. A company that doesn’t want to spend a lot of money avoiding risks that have a low probability of occurring will use the risk acceptance strategy.

Risk Avoidance

Risk avoidance is the opposite of risk acceptance. It is the action that avoids any exposure to the risk whatsoever. It’s important to note that risk avoidance is usually the most expensive of all risk mitigation options.

Read more about making an educated move to mitigate risk with avoidance.

Risk Limitation

Risk limitation is the most common risk management strategy used by businesses. This strategy limits a company’s exposure by taking some action. It combines some risk acceptance with some risk avoidance, striking a balance between the two. An example of risk limitation would be a company accepting that a disk drive may fail while avoiding a long period of failure by keeping backups.

Risk Transference

Risk transference means handing the risk off to a willing third party. For example, numerous companies outsource certain operations such as customer service, payroll services, etc. This can be beneficial for a company if the activity carrying the transferred risk is not one of its core competencies. It can also be used so a company can focus more on its core competencies.

Read more about offloading your risk by transferring it.

So how can I be a leader in Business Continuity Management (BCM) Governance, Risk and Compliance (GRC) and balance my risks and opportunities? All of these four risk mitigation strategies require monitoring. Vigilance is needed so that you can recognize and interpret changes to the impact of that risk.

How Do You Start Mitigating Risk?

It’s simple: with a plan. There are a few essential items to include in a risk management plan:

  • a list of individual risks
  • a rating of each risk based on likelihood and impact
  • an assessment of current processes and controls
  • a plan of action

Starting from the top and working your way to a plan of action for each individual risk will constitute your risk management plan.

The Corporate Risk Mitigation Checklist

  1. Gain management support. This gets overlooked a lot, but it’s very important. You have to communicate with management about the importance of assessing (and reassessing) risk and get their buy-in. Otherwise everything else you do will likely be for nothing.
  2. Identify team members. Who’s going to help you conduct the risk assessment? You need a leader, subject matter experts, and technical writers. The SMEs are key; you need access to the operational leadership to obtain a clear, informed view of the risks facing the company.
  3. Identify risks. What are the areas externally and internally that pose threats to the organization? Think about natural disasters, technological risks, risks involving single points of failure (whether they reside in equipment or people), and risks arising from your location. For more on identifying risks, see this post on conducting threat and risk assessments.
  4. Assess and prioritize the risks. Evaluate risks in terms of how severe the impact would be if they occurred and also the likelihood of their occurring. Prioritize in this order:
    • High impact and highly likely to occur
    • High impact and less likely to occur
    • Low impact and highly likely to occur
    • Low impact and less likely to occur
  5. Determine mitigation options. The main risk mitigation options are:
    • Avoid the risk (exit activities that bring it on or turn over to a third party)
    • Reduce the risk (take steps to reduce the likelihood of a negative event occurring)
    • Accept the risk (live with the risk, acknowledging that if the threat occurs the organization will have to bear the consequences)
  6. Develop the mitigation plan. Work out what approach the company will take to deal with each of its high priority risks.
  7. Test the plan. Where appropriate, test the mitigation solutions or steps to ensure they are working as intended.
  8. Implement the plan. Execute the mitigation plan as developed and tested.
  9. Monitor the plan. Keep tabs on the progress of your implementation as well as on the business environment, which is subject to change.
  10. Review and update the plan. Repeat steps 3-8 on a continuous basis, recognizing that risk mitigation is not a project but an ongoing process.
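As an added example (not from the post or from MHA Consulting), a small Python risk register that covers plan items 1 to 4 and checklist steps 4 to 6: each risk is rated by impact and likelihood, ranked in the post’s priority order, and recorded with the mitigation option chosen. The `accepted_top_risks` check and the sample register entries are my own assumptions, not content from the post.

```python
from dataclasses import dataclass
from enum import Enum

class Strategy(Enum):
    """The four mitigation options described in the post."""
    ACCEPT = "accept"
    AVOID = "avoid"
    LIMIT = "limit"
    TRANSFER = "transfer"

@dataclass
class Risk:
    name: str
    high_impact: bool      # step 4: severity if the risk occurs
    highly_likely: bool    # step 4: likelihood of occurring
    strategy: Strategy     # step 5: chosen mitigation option
    controls: str = ""     # plan item 3: current processes and controls

# Checklist ordering: impact outranks likelihood, so a high-impact but
# unlikely risk ranks above a low-impact but likely one.
_PRIORITY_ORDER = [(True, True), (True, False), (False, True), (False, False)]

def priority(risk: Risk) -> int:
    """Return 1 (highest) to 4 (lowest) per step 4 of the checklist."""
    return _PRIORITY_ORDER.index((risk.high_impact, risk.highly_likely)) + 1

def plan_of_action(register: list[Risk]) -> list[tuple[int, str, str]]:
    """Step 6: each risk with its priority and strategy, highest first.
    sorted() is stable, so equal-priority risks keep register order."""
    return [(priority(r), r.name, r.strategy.value)
            for r in sorted(register, key=priority)]

def accepted_top_risks(register: list[Risk]) -> list[str]:
    """Hypothetical check (not from the post): priority-1 risks that are
    merely accepted. The post reserves acceptance for low-probability
    risks, so these deserve explicit management sign-off (step 1)."""
    return [r.name for r in register
            if priority(r) == 1 and r.strategy is Strategy.ACCEPT]

# Constructed sample register; names and ratings are illustrative only.
SAMPLE_REGISTER = [
    Risk("Regional earthquake", True, False, Strategy.TRANSFER, "insurance"),
    Risk("Payroll processing error", False, True, Strategy.TRANSFER, "outsourced payroll"),
    Risk("Internal wiki outage", False, False, Strategy.ACCEPT),
    Risk("Primary disk drive failure", True, True, Strategy.LIMIT, "nightly backups"),
]
```

Calling `plan_of_action(SAMPLE_REGISTER)` returns the register sorted so the disk-failure entry (high impact, highly likely) comes first and the wiki outage last.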

An additional item that could be added is measuring residual risk, which was discussed in detail in this post from a couple of weeks ago.

Who Defines and Mitigates Risk?

You know the risk mitigation techniques available, but whose job is it to facilitate your process? Managing risk is a project that must be clearly assigned to a specific person. This risk mitigator must keep up with standards, create and then sustain participation, deal with conflict and otherwise manage the energy levels in different groups, and be able to guide groups to outcomes, all while dealing with uncertainty throughout their work. This suits MHA Consulting, but it’s not for everyone. Make sure your team is qualified, prepared with the correct details, and supported by management.

BCM compliance across companies we have worked with has yielded interesting information:

  • Many are afraid to assess their compliance – better to keep their head in the sand than know the truth
  • Management education is needed to show how BCM benchmarking can be used effectively to manage their program
  • The use of self-assessment tools to measure BCM compliance is non-existent, or the tool is rudimentary with limited functionality
  • The majority of organizations do not have a clear picture of where they stand and where their weaknesses or strengths lie
  • Resource time is often spent on program dimensions that have little to no effect on compliance and resiliency
  • Management continually asks for compliance benchmarking and reporting, but it doesn’t exist

If you’re a BCM Practitioner practicing risk mitigation, you’ve probably been asked this question by your senior management: “How compliant is our Business Continuity program, and how does it compare to others in our industry?” Are you still trying to figure out which industry standards fit your program, or are you using manual, inefficient tools that are holding you back? A BCM GRC software tool is something you should consider today.

Help is Available

Does the prospect of trying to reassess and manage your company’s risks using only inside personnel seem daunting? Help is available in the form of assistance from MHA Consulting and similar firms that are staffed with experts possessing deep experience in helping organizations gauge and mitigate their risks, internal and external. Most consulting companies are happy to work with clients to provide just as much help as is desired, whether it is high-level guidance or hands-on implementation of the entire risk mitigation process.

What is Your Action Plan for Mitigating Risk? Compliance and Resiliency

If your goal as a BCM Practitioner — and let’s face it, every one of us has this as a goal — is to raise your compliance and resiliency, you need a reliable system for assessing compliance.

A BCM GRC tool can play a major role in making all these business processes much easier. Let’s say you’ve been asked to assess your BCM compliance. In your BCM GRC tool, you can quickly and easily assess the compliance of the seven dimensions of your program (Program Administration, Crisis Management, Business Recovery, Disaster Recovery, Supply Chain Risk Management, Third Party Management, and Fire & Life Safety). You can attach supporting documentation, so you have everything that relates to that assessment in one handy place. Our expert advice is to give fellow planners access to specific programs and to let auditors view reports on your compliance. You can add tasks and assign responsible parties for a resolution to keep the program moving down the compliance trail. Finally, you can run management scorecards and reports on each dimension outlining the state of the program.

This high-value data gives a big-picture analysis of what the compliance landscape looks like. For example, perhaps the tool identifies your BIA process is critically weak and does not comply with industry standards. This is worth considering. Perhaps it might be time to revise your BIA questionnaire or look to outside agencies to implement a best-practice approach.

Further Reading

Accept, avoid, limit, or transfer. These are the options laid before you when it comes to risk. A risk mitigation plan allows you to reduce and eliminate risk. While organizing your risk strategy may seem uncomplicated, the key in risk mitigation is action – not just writing reports or making lists of action items.


Michael Herrera is the Chief Executive Officer (CEO) of MHA. In his role, Michael provides global leadership to the entire set of industry practices and horizontal capabilities within MHA. Under his leadership, MHA has become a leading provider of Business Continuity and Disaster Recovery services to organizations on a global level. He is also the founder of BCMMETRICS, a leading cloud based tool designed to assess business continuity compliance and residual risk. Michael is a well-known and sought after speaker on Business Continuity issues at local and national contingency planner chapter meetings and conferences. Prior to founding MHA, he was a Regional VP for Bank of America, where he was responsible for Business Continuity across the southwest region.


6 thoughts on “Risk Mitigation: The Four Types”

  1. Does risk transference negate the company’s exposure and liability should an event occur that causes damage, injury or even death? The BP Mexican Gulf oil platform disaster springs to mind.

    1. That’s a very good question. Risk transference may not always negate exposure if your supplier is negligent in the production of goods or operation of a service that you as the company are providing to your customers.

      1. Hello Melissa, risk transference should mitigate your risks if you have a properly crafted service level agreement which can be enforced by law. This way, you will be able to trust that the third party will not deviate from the minimum requirements.

© 2023 · MHA Consulting. All Rights Reserved.