Four Types of Risk Mitigation and BCM Governance, Risk and Compliance

In this post, we’ll define risk mitigation, explain your options for risk mitigation, explain how to get started, and explain who is responsible for managing your risk mitigation strategy.

What do you do when you find a vulnerability in your company? Risk mitigation is the action you take to reduce threats and ensure resiliency. 

What is Risk Mitigation?

Risk mitigation can be defined as taking steps to reduce adverse effects.

When mitigating risk, it’s important to develop a strategy that closely relates to and matches your company’s profile. A proper risk mitigation strategy will define how you manage each risk.


The Four Types of Risk Mitigation

There are four types of risk mitigation strategies that apply to Business Continuity and Disaster Recovery: risk acceptance, risk avoidance, risk limitation, and risk transference.


Risk Acceptance

Risk acceptance does not reduce any effects; however, it is still considered a strategy. This strategy is a common option when the cost of other risk management options, such as avoidance or limitation, may outweigh the cost of the risk itself. A company that doesn’t want to spend a lot of money on avoiding risks that do not have a high possibility of occurring will use the risk acceptance strategy.

Read more about making an educated move to mitigate risk with acceptance.

Risk Avoidance

Risk avoidance is the opposite of risk acceptance. It is the action that avoids any exposure to the risk whatsoever. It’s important to note that risk avoidance is usually the most expensive of all risk mitigation options.

Risk Limitation

Risk limitation is the most common risk management strategy used by businesses. This strategy limits a company’s exposure by taking some action. It is a strategy employing a bit of risk acceptance along with a bit of risk avoidance or an average of both. An example of risk limitation would be a company accepting that a disk drive may fail and avoiding a long period of failure by having backups.

Risk Transference

Risk transference means handing risk off to a willing third party. For example, numerous companies outsource certain operations such as customer service, payroll services, etc. This can be beneficial for a company if a transferred risk is not a core competency of that company. It can also be used so a company can focus more on its core competencies.

Read more about offloading your risk by transferring it.

So how can I be a leader in Business Continuity Management (BCM) Governance, Risk and Compliance (GRC) and balance my risks and opportunities? All of these four risk mitigation strategies require monitoring. Vigilance is needed so that you can recognize and interpret changes to the impact of that risk.

How Do You Start with Risk Mitigation?

It’s simple: with a plan. There are a few essential items to include in a risk management plan:

  • a list of individual risks
  • a rating of each risk based on likelihood and impact
  • an assessment of current processes and controls
  • a plan of action

Starting from the top and working your way to a plan of action for each individual risk will constitute your risk management plan.

Who Defines and Mitigates Risk?

You know the risk mitigation techniques available, but whose job is it to facilitate your risk mitigation process? Managing risk is a project that must be clearly assigned to a specific person. This risk mitigator must keep up with standards, create and then sustain participation, deal with conflict and otherwise manage the energy levels in different groups, and be able to guide groups to outcomes, all the while dealing with uncertainty throughout their work. This suits MHA Consulting, but it’s not for everyone. Make sure your team is qualified, prepared with the correct details, and supported by management.

What the Trends Tell Us About Mitigated Risk

BCM compliance across companies we have worked with has yielded interesting information:

  • Many are afraid to assess their compliance – better to keep their head in the sand than know the truth
  • Management education is needed to show how BCM benchmarking can be effectively used to manage their program
  • The use of self-assessment tools to measure BCM compliance is non-existent, or the tool is rudimentary with limited functionality
  • The majority of organizations do not have a clear picture of where they stand and where their weaknesses or strengths lie
  • Resource time is often being spent on program dimensions that have little to no effect on compliance and resiliency
  • Management is continually asking for compliance benchmarking and reporting, but it doesn’t exist

If you’re a BCM Practitioner practicing risk mitigation, you’ve probably been asked this question by your senior management: “How compliant is our Business Continuity program, and how does it compare to others in our industry?” Are you still trying to figure out which industry standards fit your program, or are you using manual, inefficient tools that are holding you back? A BCM GRC software tool is something you should consider today.

The Corporate Risk Mitigation Checklist

  1. Gain management support. This gets overlooked a lot, but it’s very important. You have to communicate with management about the importance of assessing (and reassessing) risk and get their buy-in. Otherwise everything else you do will likely be for nothing.
  2. Identify team members. Who’s going to help you conduct the risk assessment? Needed are a leader, subject matter experts, and technical writers. The SMEs are key; you need to get to the operational leadership to be able to obtain a clear, informed view of the risks facing the company.
  3. Identify risks. What are the areas externally and internally that pose threats to the organization? Think about natural disasters, technological risks, risks involving single points of failure (whether they reside in equipment or people), and risks arising from your location. For more on identifying risks, see this post on conducting threat and risk assessments.
  4. Assess and prioritize the risks. Evaluate risks in terms of how severe the impact would be if they occurred and also the likelihood of their occurring. Prioritize in this order:
    • High impact and highly likely to occur
    • High impact and less likely to occur
    • Low impact and highly likely to occur
    • Low impact and less likely to occur
  5. Determine mitigation options. The main risk mitigation options are:
    • Avoid the risk (exit activities that bring it on or turn over to a third party)
    • Reduce the risk (take steps to reduce the likelihood of a negative event occurring)
    • Accept the risk (live with the risk, acknowledging that if the threat occurs the organization will have to bear the consequences)
  6. Develop the mitigation plan. Work out what approach the company will take to deal with each of its high priority risks.
  7. Test the plan. Where appropriate, test the mitigation solutions or steps to ensure they are working as intended.
  8. Implement the plan. Execute on the mitigation plan as developed and tested.
  9. Monitor the plan. Keep tabs on the progress of your implementation as well as on the business environment, which is subject to change.
  10. Review and update the plan. Repeat steps 3-8 on a continuous basis in recognition of the fact that risk mitigation is not a project but an on-going process.
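The prioritization in step 4 and the "every high-priority risk needs an approach" rule of step 6 are easy to lose in a spreadsheet, so here is a small risk register that applies them. This is an added example, not MHA's or BCMMETRICS' code; the 1–5 rating scale, the threshold of 3 for "high", the `bucket`/`gaps` functions and the sample register entries are all assumptions constructed for illustration.

```python
"""Risk register prioritizer following the checklist above (constructed example)."""
from dataclasses import dataclass
from typing import List, Optional

THRESHOLD = 3  # ratings run 1..5; 3 or above counts as "high" (assumed scale)


@dataclass
class Risk:
    name: str
    impact: int                    # 1 (negligible) .. 5 (catastrophic)
    likelihood: int                # 1 (rare) .. 5 (almost certain)
    strategy: Optional[str] = None  # accept | avoid | limit | transfer
    action: str = ""               # the plan of action for this risk (step 6)

    def bucket(self) -> int:
        """Step 4 order: 0 = high impact/highly likely ... 3 = low impact/less likely."""
        high_impact = self.impact >= THRESHOLD
        high_likelihood = self.likelihood >= THRESHOLD
        order = {(True, True): 0, (True, False): 1, (False, True): 2, (False, False): 3}
        return order[(high_impact, high_likelihood)]

    def score(self) -> int:
        """Tie-breaker inside a bucket: impact x likelihood."""
        return self.impact * self.likelihood


def prioritize(register: List[Risk]) -> List[Risk]:
    """Return the register ordered by the checklist's four buckets, then by score."""
    return sorted(register, key=lambda r: (r.bucket(), -r.score()))


def gaps(register: List[Risk]) -> List[str]:
    """High-priority risks (buckets 0 and 1) that still lack a strategy or an action."""
    return [r.name for r in register
            if r.bucket() <= 1 and (r.strategy is None or not r.action)]


# Constructed sample register; the entries are illustrative, not real assessments.
REGISTER = [
    Risk("Disk drive failure", 3, 4, "limit", "nightly backups with tested restores"),
    Risk("Regional power outage", 5, 2, "transfer", "colocation with generator SLA"),
    Risk("Key engineer leaves (single point of failure)", 4, 4),
    Risk("Office printer outage", 1, 5, "accept", "documented acceptance by management"),
    Risk("Meteor strike on data center", 5, 1, "accept", "documented acceptance by management"),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"bucket {r.bucket()} score {r.score():2d}  {r.name}  [{r.strategy or 'NO STRATEGY'}]")
    print("open gaps:", gaps(REGISTER))
```

Running it lists the single-point-of-failure risk first and flags it as the one high-priority risk with no approach decided, which is exactly what the monitoring in step 9 should keep surfacing until it is closed.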

An additional item that could be added is measuring residual risk, which was discussed in detail in this post from a couple of weeks ago.

Help is Available

Does the prospect of trying to reassess and manage your company’s risks using only inside personnel seem daunting? Help is available in the form of assistance from MHA Consulting and similar firms that are staffed with experts possessing deep experience in helping organizations gauge and mitigate their risks, internal and external. Most consulting companies are happy to work with clients to provide just as much help as is desired, whether it is high-level guidance or hands-on implementation of the entire risk mitigation process.

How a BCM GRC Tool Helps You Mitigate Risk

In a nutshell, a BCM GRC tool helps you better manage your risk mitigation program by balancing the risks and opportunities for improvement. If you’ve devised your own system of assessing your compliance, such as a manual process, it gets a little trickier to assess and report on compliance on a regular basis. And if you’ve ever let something accidentally slip through the cracks, you can appreciate a better way to manage this process.

While not every BCM GRC platform features questions modeled after industry standards and weighted by importance, permits task assignments, and provides comprehensive management reporting, you’ll benefit from choosing one that does. Unless, that is, you have your own personal assistant who keeps you up to date about everything regarding BCM compliance…and these days, who does?

What is Your Risk Mitigation Action Plan? Compliance and Resiliency

If your goal as a BCM Practitioner — and let’s face it, every one of us has this as a goal — is to raise your compliance and resiliency, you need a reliable system for assessing compliance.

A BCM GRC tool can play a major role in making all these business processes much easier. Let’s say you’ve been asked to assess your BCM compliance. In your BCM GRC tool, you can quickly and easily assess the compliance of the seven dimensions of your program (Program Administration, Crisis Management, Business Recovery, Disaster Recovery, Supply Chain Risk Management, Third Party Management, and Fire & Life Safety). You can attach supporting documentation, so you have everything that relates to that assessment in one handy place. Our expert advice is to give fellow planners access to specific programs, or auditors access to view reports on your compliance. You can add tasks and assign responsible parties for a resolution to keep the program moving down the compliance trail. Finally, you can run management scorecards and reports on each dimension outlining the state of the program.

This kind of highly valuable data gives a big-picture analysis of what the compliance landscape looks like. For example, perhaps the tool identifies that your BIA process is critically weak and does not comply with industry standards. This is worth considering. Perhaps it might be time to revise your BIA questionnaire or look to outside agencies to implement a best practice approach.

BC Management Software Designed for Mitigating Risk

If you’re serious about succeeding as a BCM Practitioner, make sure you’re using the right tools, like BCMMETRICS. It’s designed to help BCM Practitioners like you be more effective at successfully managing your BCM program through intelligent assessment and measurement. The multitude of BCM industry standards is overwhelming even for experienced practitioners. But BCMMETRICS makes the process extremely easy to use and administer. Our own BCMMETRICS platform is designed to be simple enough to figure out within minutes.

Further Reading on Risk

Accept, avoid, limit, or transfer. These are the options laid before you when it comes to risk. A risk mitigation plan is an opportunity for you to reduce and eliminate risk. While organizing your risk strategy may seem uncomplicated, the key in risk mitigation is action – not just writing reports or making lists of action items.


About
Michael Herrera
Michael Herrera is the Chief Executive Officer (CEO) of MHA. In his role, Michael provides global leadership to the entire set of industry practices and horizontal capabilities within MHA. Under his leadership, MHA has become a leading provider of Business Continuity and Disaster Recovery services to organizations on a global level. He is also the founder of BCMMETRICS, a leading cloud based tool designed to assess business continuity compliance and residual risk. Michael is a well-known and sought after speaker on Business Continuity issues at local and national contingency planner chapter meetings and conferences. Prior to founding MHA, he was a Regional VP for Bank of America, where he was responsible for Business Continuity across the southwest region.
  • jason

    Does risk transference negate the company’s exposure and liability should an event occur that causes damage, injury or even death? The BP Mexican Gulf oil platform disaster springs to mind.

    • Melissa

      That’s a very good question. Risk transference may not always negate exposure if your supplier is negligent in the production of goods or operation of a service that you as the company are providing to your customers.

      • Austin

        Hello Melissa, risk transference should mitigate your risks if you have a properly crafted service level agreement which can be enforced by law. This way, you will be able to trust that the third party will not deviate from the minimum requirements.
