Four Types of Risk Mitigation and BCM Governance, Risk and Compliance

In this post, we’ll define risk mitigation, explain your options for mitigating risk, describe how to get started, and say who is responsible for managing your risk mitigation strategy.

What do you do when you find a vulnerability in your company? Risk mitigation is the action you take to reduce threats and ensure resiliency. 

What is Risk Mitigation?

Risk mitigation can be defined as taking steps to reduce the adverse effects of a risk. There are four types of risk mitigation strategy that apply to Business Continuity and Disaster Recovery. When mitigating risk, it’s important to develop a strategy that closely matches your company’s risk profile.


Risk Acceptance

Risk acceptance does not reduce any effects; however, it is still considered a strategy. This strategy is a common option when the cost of other risk management options, such as avoidance or limitation, would outweigh the cost of the risk itself. A company that doesn’t want to spend a lot of money avoiding risks that have a low probability of occurring will use the risk acceptance strategy. An accepted risk should still be recorded, together with the reasoning and the person who accepted it, and revisited whenever its likelihood or impact changes.

Read more about making an educated move to mitigate risk with acceptance.

Risk Avoidance

Risk avoidance is the opposite of risk acceptance. It is the action of avoiding any exposure to the risk whatsoever, for example by not undertaking the activity that carries the risk. It’s important to note that risk avoidance is usually the most expensive of all risk mitigation options.

Risk Limitation

Risk limitation is the most common risk management strategy used by businesses. This strategy limits a company’s exposure by taking some action. It combines a bit of risk acceptance with a bit of risk avoidance: the risk is not eliminated, but its likelihood or its impact is reduced. An example of risk limitation would be a company accepting that a disk drive may fail and avoiding a long period of failure by having backups.

Risk Transference

Risk transference involves handing risk off to a willing third party. For example, numerous companies outsource certain operations such as customer service or payroll, and insurance is another common form of transference. This can be beneficial for a company if the transferred risk is not one of its core competencies, and it lets the company focus more on what it does best. Note that transferring an operation does not transfer your accountability to your customers and regulators: the contract or service level agreement should spell out the third party’s obligations and the remedies if they are not met, and the relationship still needs to be monitored.

Read more about offloading your risk by transferring it.

So how can I be a leader in Business Continuity Management (BCM) Governance, Risk and Compliance (GRC) and balance my risks and opportunities?

Follow our 10-point, step-by-step guide for creating an efficient and effective risk mitigation plan. Download our risk mitigation checklist.

All four of these risk mitigation strategies require monitoring. Vigilance is needed so that you can recognize and interpret changes to the likelihood or impact of each risk and adjust your strategy accordingly.

How Do You Start with Risk Mitigation?

It’s simple: with a plan. There are a few essential items to include in a risk management plan:

  • a list of individual risks
  • a rating of each risk based on likelihood and impact
  • an assessment of current processes and controls
  • a plan of action

Starting from the top and working your way down to a plan of action for each individual risk will give you your risk management plan.

Who Defines and Mitigates Risk?

You know the risk mitigation techniques available, but whose job is it to facilitate your risk mitigation process? Managing risk is a project that must be clearly assigned to a specific person. This risk mitigator must keep up with standards, create and then sustain participation, deal with conflict and otherwise manage the energy levels in different groups, and be able to guide groups to outcomes, all the while dealing with uncertainty throughout their work. This suits MHA Consulting, but it’s not for everyone. Make sure your team is qualified, prepared with the correct details, and supported by management.

What the Trends Tell Us About Mitigated Risk

BCM compliance across companies we have worked with has yielded interesting information:

  • Many are afraid to assess their compliance; better to keep their head in the sand than know the truth
  • Management education is needed to show how BCM benchmarking can be used effectively to manage their program
  • The use of self-assessment tools to measure BCM compliance is non-existent, or the tool is rudimentary with limited functionality
  • The majority of organizations do not have a clear picture of where they stand or where their weaknesses and strengths lie
  • Resource time is often spent on program dimensions that have little to no effect on compliance and resiliency
  • Management continually asks for compliance benchmarking and reporting, but it doesn’t exist

If you’re a BCM Practitioner practicing risk mitigation, you’ve probably been asked this question by your senior management: “How compliant is our Business Continuity program and how does it compare to others in our industry?” Are you still trying to figure out which industry standards fit your program, or are you using manual, inefficient tools that are holding you back? A BCM GRC software tool is something you should consider today.

How a BCM GRC Tool Helps You Mitigate Risk

In a nutshell, a BCM GRC tool helps you better manage your risk mitigation program by balancing the risks and the opportunities for improvement. If you’ve devised your own system for assessing your compliance, such as a manual process, it gets a little trickier to assess and report on compliance on a regular basis. And if you’ve ever let something accidentally slip through the cracks, you can appreciate a better way to manage this process.

Not every BCM GRC platform offers questions modeled after industry standards and weighted by importance, task assignment, and comprehensive management reporting, but you’ll benefit from choosing one that does. Unless, that is, you have your own personal assistant who keeps you up to date about everything regarding BCM compliance…and these days, who does?

What is Your Risk Mitigation Action Plan? Compliance and Resiliency

If your goal as a BCM Practitioner — and let’s face it, every one of us has this as a goal — is to raise your compliance and resiliency, you need a reliable system for assessing compliance.

A BCM GRC tool can play a major role in making all these business processes much easier. Let’s say you’ve been asked to assess your BCM compliance. In your BCM GRC tool, you can quickly and easily assess the compliance of the seven dimensions of your program (Program Administration, Crisis Management, Business Recovery, Disaster Recovery, Supply Chain Risk Management, Third Party Management, and Fire & Life Safety). You can attach supporting documentation, so you have everything that relates to that assessment in one handy place. Our expert advice is to give fellow planners access to specific programs and to let auditors view reports on your compliance. You can add tasks and assign responsible parties for their resolution to keep the program moving down the compliance trail. Finally, you can run management scorecards and reports on each dimension outlining the state of the program.

This kind of highly valuable data gives a big-picture analysis of what the compliance landscape looks like. For example, perhaps the tool identifies that your BIA (Business Impact Analysis) process is critically weak and does not comply with industry standards. This is worth considering: it might be time to revise your BIA questionnaire or to look to outside agencies to implement a best-practice approach.

BC Management Software Designed for Mitigating Risk

If you’re serious about succeeding as a BCM Practitioner, make sure you’re using the right tools, like BCMMETRICS. It’s designed to help BCM Practitioners like you be more effective at managing your BCM program through intelligent assessment and measurement. The multitude of BCM industry standards is overwhelming even for experienced practitioners, but BCMMETRICS makes the process easy to use and administer. Our own BCMMETRICS platform is designed to be simple enough to figure out within minutes.

Further Reading on Risk

Accept, avoid, limit, or transfer. These are the options laid before you when it comes to risk. A risk mitigation plan is an opportunity for you to reduce or eliminate risk. While organizing your risk strategy may seem uncomplicated, the key in risk mitigation is action, not just writing reports or making lists of action items.


Michael Herrera
Michael Herrera is the Chief Executive Officer (CEO) of MHA. In his role, Michael provides global leadership to the entire set of industry practices and horizontal capabilities within MHA. Under his leadership, MHA has become a leading provider of Business Continuity and Disaster Recovery services to organizations on a global level. He is also the founder of BCMMETRICS, a leading cloud based tool designed to assess business continuity compliance and residual risk. Michael is a well-known and sought after speaker on Business Continuity issues at local and national contingency planner chapter meetings and conferences. Prior to founding MHA, he was a Regional VP for Bank of America, where he was responsible for Business Continuity across the southwest region.
  • jason

    Does risk transference negate the company’s exposure and liability should an event occur that causes damage, injury or even death? The BP Mexican Gulf oil platform disaster springs to mind.

    • Melissa

      That’s a very good question. Risk transference may not always negate exposure if your supplier is negligent in the production of goods or the operation of a service that you, as the company, are providing to your customers.

      • Austin

        Hello Melissa, risk transference should mitigate your risks if you have a properly crafted service level agreement which can be enforced by law. This way, you will be able to trust that the third party will not deviate from the minimum requirements.
