In today’s post, we’re going to answer questions about risk management that we’ve been asked recently by readers of our blogs and by MHA Consulting clients.
What’s so important about risk and risk management that it get its own Readers’ Mailbag?
Read on for the answer to that and several other interesting questions on the topics of measuring, monitoring, and managing risk.
You’ve written a lot about risk lately. Why do you care about risk so much?
Are you familiar with the answer bank robber Willie Sutton gave when asked why he robbed banks? He said, “Because that’s where the money is.”
The reason we in business continuity management (BCM) worry about risk so much is because that is where the danger to our organizations lies. It’s also where the opportunities to make them more resilient can be found.
Everything we in business continuity and disaster recovery does revolve around risk mitigation. Without understanding risks and the impacts those risk pose, the planning and implementation around BC and IT/Disaster Recovery (IT/DR) will not provide appropriate value or functional capability. We do risk assessments to reach resiliency.
What common problems are you seeing with risk management as you work with different organizations around the country?
Here are a handful:
- Many organizations have an incomplete understanding of the likely and impactful risks; often the focus is on what has already been addressed.
- Many people in BCM are afraid to assess their organization’s compliance with BCM standards and best practices because they are worried about what they might find out. They’d rather be in the dark than learn the full extent of their vulnerabilities.
- People don’t understand how helpful BCM benchmarking can be in helping them manage risk within their program. There’s a strong need for education on this topic.
- Few companies use up-to-date software to help them measure compliance. These companies are flying blind.
- Most organizations do not have a clear picture of where they stand and where their BCM strengths and weaknesses lie.
- At many organizations, the limited time and resources available to improve resiliency are often spent on trivial activities, such as counting up how many recovery plans have been completed.
What are the benefits of BCM benchmarking software?
One benefit of having this type of software is, you will be able to come up with an answer when management asks you a question such as, “How compliant is our Business Continuity program and how does it compare to others in our industry?”
A good BCM self-assessment or GRC (Governance, Risk, and Compliance) tool makes it easy for you to assess your compliance with industry standards and best practices. This is a critical first step toward raising your compliance and hence your resiliency.
A quality BCM self-assessment tool will let you quickly and easily assess the compliance of your program. For example, BCMMETRICSTM Compliance Confidence allows you to assess your program across seven dimensions: Program Administration, Crisis Management, Business Recovery, Disaster Recovery, Supply Chain Risk Management, Third Party Management, and Fire & Life Safety.
Some tools also let you attach supporting documentation, so you have everything that relates to that assessment in one place. And some BCM tools allow you to add tasks and assign responsible parties for a resolution to keep the program moving down the compliance trail. Some also allow you to run management scorecards and reports on each dimension outlining the state of the program.
This kind of data gives a big-picture analysis of what the compliance landscape looks like. It gives you a clear picture of where you are doing well and where your program is weak, providing a way to focus your future efforts for maximum return and impact.
There are several good BCM self-assessment tools on the market, including those produced by our sister company, BCMMETRICS. You can find out more about the entire suite of BCM benchmarking tools here.
I’m still a little confused about what risk management involves, in the context of BCM. Can you enlighten me?
Gladly. Your question is about the activities that make up the job of managing risk at an organization. We usually think of this as consisting of eight components. (It’s called the Enterprise Risk Management framework, or ERM.) The components are:
- Internal control environment. This concerns the tone of an organization. It sets the basis for how risk is viewed and addressed. It addresses the organization’s risk management philosophy, risk appetite, ethical values, and operating environment.
- Objective setting. Clear objectives must be set before management can identify potential events that might have an effect on their plans. ERM ensures that management has a process in place to set objectives that support and align with the company’s mission and are consistent with its risk appetite.
- Event identification. Events affecting the achievement of the organization’s objectives must be identified. This includes internal and external events. Remember that it’s always important to distinguish between risks and opportunities. Opportunities are channeled back to management’s strategy or objective-setting processes.
- Risk assessments. Consider the likelihood and impact of an event as a basis for determining how risks should be managed. Risks should be assessed on an inherent and a residual basis.
- Risk response. Management should develop a set of actions (avoiding, accepting, sharing, or reducing) to align risks with the company’s risk tolerance and risk appetite.
- Control activities. Establishing and implementing policies and procedures to help ensure the risk responses are effectively carried out.
- Communication of relevant information. Important information should be identified, captured, and communicated in a format and timeframe that enables people to carry out their responsibilities.
- Monitoring. The ERM should be observed and, if necessary, modified. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.
What are the main kinds of risks that organizations face?
We usually break organizational risk down into six types:
- Human error. No process or checks will stop all mistakes. This is the beauty and curse of humanity.
- Intentional. Knowingly taking shortcuts or not following known procedures.
- Unintentional. Physical errors or mental or cognitive errors; where someone does the wrong thing believing it to be right (i.e., making the wrong decision).
- Data breach/ransomware. This happens every day.
- Brand image/reputational damage. Your organization’s brand is an asset which needs to be protected, just like your physical plant and computer networks. (For more information, see 7 Tips to Help You Protect Your Brand in a Crisis.)
- Technology outages. Cases recently in the news have involved airlines and cloud-based services, among others. (Resiliency Theater – You May Not Really Be Prepared for an Outage.)
What is a risk mitigation strategy?
A risk mitigation strategy is a way of reducing the potential adverse effects to the organization that could be caused by a crisis or business disruption.
There are four types of risk mitigation strategies:
- Risk Acceptance: Risk acceptance does not reduce any effects. However, it is still considered a strategy. This strategy is a common option when the cost of other risk management choices such as avoidance or limitation may outweigh the cost of the risk itself. A company that doesn’t want to spend a lot of money on avoiding risks that do not have a high possibility of occurring will use the risk acceptance strategy.
- Risk Avoidance: Risk avoidance is the opposite of risk acceptance. It is the action that avoids any exposure to the risk whatsoever. Risk avoidance is usually the most expensive of all risk mitigation options.
- Risk Limitation: Risk limitation is the most common risk management strategy used by businesses. This strategy limits a company’s exposure by taking some action. It is a strategy employing a bit of risk acceptance along with a bit of risk avoidance or any combination of the two. An example of risk limitation would be a company accepting that a disk drive may fail and avoiding a long period of failure by having backups.
- Risk Transference: Risk transference involves handing risk off to a willing third party. The most frequently used and easiest method of risk transference is insurance. Insurance is the financial transfer of risk. Another example is the transference of operational risks that can easily be performed by third parties, such as customer service, payroll services, etc. This can be particularly beneficial for a company when a transferred risk is not one of their core competencies, as it allows them to focus more on their core activities.
Should I monitor changes to risk?
Absolutely. Monitoring risk—including tracking identified risks and evaluating the performance of risk mitigation actions—is critical to the risk mitigation process. Systematically monitoring risk feeds information back into other risk management activities, such as identification, analysis, mitigation planning, and mitigation plan implementation.
The process for risk monitoring includes setting up a structure for how often you review your risk, what to monitor, how to report changes, and how to redefine your risk strategies.
How often should I measure risk?
Monitoring the ongoing risk mitigation and state of identified risks should be a continuous activity. We monitor and react to risk constantly in our daily lives; a conscious, ongoing monitoring of our organization’s risk mitigation position should occur as well.
It’s a good idea to schedule periodic risk reviews ahead of time. Take the time each month to review the highest probable and largest impact risk, along with the mitigation strategy that will allow for continuous improvement.
Should I review the risk mitigation plan on an ongoing basis?
Yes, ongoing review of the risk mitigation plan is required to ensure that it is meeting the needs of the organization.
Review all mitigation strategies, including the status and effectiveness of the actions you have taken. Surveying those strategies not implemented also ensures that your plan is moving forward.
Ensuring that all requirements of your risk management plan are being implemented is critical—otherwise, the mitigation strategy can become an unconscious acceptance of the risk, and may be identified as an additional risk itself.
Is it important to identify new risks?
Yes, it is. The modus operandi of your business is always evolving, and even if it’s doing so slowly, new risks may pop up. Your risk mitigation strategy will be ineffective if you’re not tracking new risks based on personnel, vendor, and software changes. Updating your list of risks is a critical part of maintaining an effective risk management plan.
Should I validate my previous risk assessments?
Definitely. When reviewing the risks you’ve previously identified and taken action on, remember to validate your previous risk assessments based on your risk’s likelihood and impact. Changes to your risk may result in changes to either or both of these. Therefore, it is essential to adjust the risk’s priority accordingly. It’s also a good idea to validate previous assumptions and state any new assumptions as this will help you monitor your risk over time.
How do I report on risk changes?
The best way is to leverage the reporting already in use as part of the risk analysis. There is no need to have multiple reporting mediums. A quick monthly dashboard with changes and status of risks and mitigation strategies (which are monitored) and/or changes to the profile can be enough to provide constant visibility to the state of risk and potential impact.
Keeping this up-to-date should not take much time if the monitoring is performed as described above. Remember, without good information, you cannot make appropriate decisions. Having consistent reporting will help you convey any changes to your risk strategy to management and interested parties.
When should I redefine my risk strategy?
It may make sense to adjust the mitigation strategy or the regular risk assessment schedule when there is a change to the risk impact or its probability. Use of current implemented strategies would be ideal, making changes as warranted. A complete change in the strategy may not be necessary, but adjustment to the implementation may be an option.
Will I ever be done worrying about risk management?
Sorry, but no—not as long as you’re working as a business continuity professional.
Risk management is not a task to complete and check off of your to-do list. It’s an ongoing activity that should become part of your overall business continuity culture. It should be a consideration in everything we do. An underlying thought should always be, what are the risks, likelihood of occurrence, and impact?
As with most activities, continual attention provides better and more efficient execution, less effort overall, and better results.
Monitoring risk mitigation strategies is actually one of the most important activities you can undertake. You never know when the event being mitigated may occur.
For more information on this and other hot topics in business continuity management, check out these recent posts from MHA Consulting and BCMMETRICS:
- The Ultimate Checklist for Creating a Risk Mitigation Plan
- Everything You Always Wanted to Know About Managing Risk but Were Afraid to Ask
- Compliance and Residual Risk – It’s Not Just For Big Companies
- Monitoring Risk: Tracking Your Risk Mitigation Strategies
- The Top 7 Risk Mitigation Controls, in Order
- Go Like a Rocket: 3 Tools to Help You Manage Enterprise Risk