In recent blogs we have discussed various aspects of risk mitigation, including risk acceptance, risk avoidance, risk limitation, and risk transference. This week’s blog will focus primarily on the area of risk limitation, the most common risk management strategy used by businesses.
Risk acceptance (a conscious decision to take no action to limit the risk) is the opposite of risk avoidance (the decision to take action that is intended to avoid any exposure to the risk). Risk avoidance is usually the most expensive of all risk mitigation options, while risk acceptance is typically chosen because the cost of other risk management options may outweigh the cost of the risk itself. Risk transference acknowledges the risk, but involves handing off that risk to a willing third party.
So what is risk limitation? Risk limitation is a strategy designed to limit a company’s exposure by taking some action or series of actions. It is meant to lessen any negative consequence or impact of specific, known risks, and is most often used when risks are unavoidable. It may involve implementing controls that will reduce the probability that a risk will occur, or minimize adverse impacts when the risk does occur.
Here are several examples from actual organizations:
- Not having redundant hardware at an alternate location, but having backups to restore the environments on procured hardware at time of event. This limits long-term risk while reducing costs associated with less critical applications.
- Limiting risk of a long-term outage by contracting with a provider for warm site services for IT processing.
- Identifying alternate locations (hotels, libraries, partner company office space) for meeting or workspace if the primary worksite is unavailable. This limits the risk of a building being unavailable, but does not eliminate the risk entirely because the alternate space may not be available or optimal.
- Posting security personnel at entrances will limit the presence of unauthorized individuals in the building, but may not prevent it from occurring.
- To reduce the risk of failure of the single network connection for credit/debit transactions, a defined, documented and tested workaround strategy exists involving using telephone authorization and manual transactions for credit/debit payments.
- Rather than purchasing computing resources in advance, purchase laptops or desktop computers for relocation and work-from-home activities only when the primary worksite becomes inaccessible.
- To reduce impact of employees being away due to illness or injury, and to reduce insurance costs, an organization provides a wellness program and subsidizes gym memberships.
Risk limitation does not mean that measures are in place to avoid any potential issues. It does mean that proper evaluation has occurred and steps have been taken to reduce the likelihood of occurrence or to minimize the impact of an occurrence. Build your risk limitation strategy incrementally, making improvements based on your own real world experience.