Defining Risk Avoidance for a Modern Business Structure

Richard Long

Risk avoidance is the elimination of hazards, activities, and exposures that can negatively affect an organization’s assets. 

Whereas risk management aims to control the damages and financial consequences of threatening events, risk avoidance seeks to avoid compromising events entirely.

When determining your risk mitigation strategies, don’t confuse the strategies of risk avoidance or risk acceptance with risk ignorance. Risk ignorance is a situation where the knowledge about the risk (and any underlying phenomena and processes) is poor. Just because there are no remediation strategies currently in place does not mean that a conscious decision has been made to accept the risk.

We perform assessments regarding risk and risk impact on a daily basis. We then use those assessments to determine our choice of action. A good example is wearing a seat belt. We might observe that experienced drivers are more likely to understand the risks inherent in car travel, and thus choose to wear seat belts, whereas the less experienced driver (think teenagers) may have to be reminded constantly of those risks – at least in my house. These are contrasting examples of risk avoidance (seat belt use) and risk ignorance (no seat belt use). Neither should be confused with risk acceptance (car travel is dangerous, but I don’t want to wrinkle my clothes, so I’m not going to wear my seat belt).

Take a moment and think about the type of organization you work with – are your colleagues seat belt wearers or seat belt rejecters? How do we become a risk avoidance based organization, and is that a desirable state?

  • Understand the risk and impacts. An assessment of how the risk will impact only one area does not allow for good organizational decisions.
  • Ensure the risks and impacts are in business terms, not just technical or BC terms. If there are no real business impacts, what is the actual risk?
  • Update the risks and impacts. You should revisit your risk profile on a regular basis, at least annually.
  • Identify the risks that have remediation in place. Assess the effectiveness of that remediation (is it appropriate to the risk impact? Will it work?).
  • Identify the risks that have no remediation in place. Document those risks and the reason why there is no remediation in place. This is where you must distinguish between choosing to accept a risk or to ignore it.
    • Conscious management decision based on impact, probability, cost, etc. (management accepts the risk).
    • No reason; the risk is identified, but no conscious decision has been made about how to handle it (management ignores the risk).
  • Assess the criticality of the task. Consider why performing the task is important or why a risk remediation solution is appropriate.
  • Calculate the financial benefits of the task. Directors must decide when the cost of the risk is greater than the cost of risk management and manage their plans accordingly.
  • Assess the availability of resources. If resources (budget, time, etc.) are not available to fully remediate the risk, identify a solution that may reduce risk, even if it does not reduce it to the appropriate level. Something is better than nothing.
    • Incremental change helps modify culture and understanding.

A corollary to the above: even if remediation plans are not approved or priorities are reduced, you must keep the information flowing and continue to communicate potential impacts. Bad news does not get better with age.

Risk avoidance does not mean remediation is in place to prevent any potential issue. It does mean that proper evaluation has occurred and decisions have been made with the best information possible. A risk cannot be ignored with the hope that it will not occur. Risk avoidance is a desirable goal, even if remediation is implemented incrementally.
