Don’t Just Hope: Choosing Strategies to Mitigate Risk

Richard Long

Once you’ve identified the risks facing your organization, you need to consciously select a risk mitigation strategy for each one. In today’s post, we’ll explain the four possible strategies and share some tips to help you choose between them.

WHAT NOT TO DO

So you’ve completed a threat and risk assessment (TRA). Excellent. You now have a good idea of the main threats your organization faces, the likelihood that each will occur, and an estimate of the consequences to the organization if each did occur. (For more on TRAs, see this recent post.)

What do you do next?

Well, one thing you could do—in my experience it might be the most common choice—is assume or hope that nothing will happen and ignore all the risks you just uncovered through your TRA.

However, this is a terrible idea. Remember, hope is not a strategy.

What you really should do is, for each major risk you’ve identified in your TRA, consciously choose one of the four possible risk mitigation strategies to guide your response to that risk.

THE FOUR RISK MITIGATION STRATEGIES

For each of the major risks you face, you should choose one of the following four risk mitigation strategies to guide your approach in managing it:

RISK ACCEPTANCE

Sometimes it really is best to do nothing. Risk acceptance is the strategy of taking no action against a risk while acknowledging that it exists and may one day materialize. It is a sound choice when the cost of treating the risk outweighs the potential damage, or when the risk has a very low likelihood of occurring. A company that does not want to spend heavily on avoiding low-probability risks will use the acceptance strategy. Even when a risk is tolerated, it should be recorded with a named owner and a review date, and it should be monitored, because changes in the business, the threat landscape or the regulatory environment can alter the equation regarding its acceptability. Risk acceptance is a conscious decision based on facts. It is realistic and mature, and it is very different from ignoring the risk and hoping it does not happen.

RISK TRANSFERENCE

Risk transference is the strategy of handing a particular risk off to a willing third party. The most frequently used and easiest method of risk transference is insurance, but companies might also choose to transfer the performance of a particular function to a third party. For example, many companies outsource support operations such as customer service, payroll services, and security, and in doing so they also transfer much of the risk associated with those operations. Typically, the operations outsourced in this manner are outside the core competency of the company. Note that transference shifts the cost of a risk, not the accountability for it: insurance pays out after a loss but does not prevent it, and regulators and customers will still hold the company responsible for a breach that occurs at an outsourced provider. Outsourcing therefore needs to be backed by contractual requirements and ongoing monitoring of the third party.

RISK LIMITATION

Risk limitation is the most common risk management strategy used by businesses. It limits a company's exposure by taking some action that reduces either the likelihood of the risk or the impact if it occurs, combining a bit of risk acceptance with a bit of risk avoidance. An example would be a company accepting that a disk drive may fail and limiting the damage such a failure would cause by making frequent backups of the drive. What must fall within the organization's tolerance is the residual risk after the control is applied, so the control has to actually work: a backup that is never test-restored limits nothing.

RISK AVOIDANCE OR REMOVAL

Risk avoidance is the opposite of risk acceptance. This strategy seeks to eliminate all exposure to the risk. When avoidance is achieved through technology or process changes it is often the most expensive of the four options. It can also mean simply not performing a process, especially one that is not critical to the core or supporting business functions, in which case it may be the cheapest. For example, if an organization sells a product that significantly increases its risk of liability, but which is not that important to the company's mission or bottom line, it might simply stop selling it as part of a strategy of risk avoidance.

DECIDING ON A STRATEGY FOR EACH RISK

So those are the four strategies. For each of the main risks you face, how do you decide which strategy to use? Try this:

  1. Obtain or perform a Threat and Risk Assessment for your organization.
  2. Get your upper management to decide on the organization's risk appetite (how much risk it is willing to take on in pursuit of its objectives) and risk tolerance (the maximum level of residual risk it will accept for any given risk).
  3. For each major risk identified in your TRA, identify which of the four strategies would leave a residual risk within your management's risk tolerance.
  4. Of the adequate strategies, choose the one that is the most practical, cost-effective, and in accord with your company's mission.

As you can probably guess, the hardest part of the process might be getting management to decide on how much risk it can live with.

Sometimes a business continuity consultant can help in nudging the senior executives toward making these decisions.

THE MOST IMPORTANT THING

In choosing risk management strategies to deal with the threats your organization faces, the most important thing is just that: choosing a strategy.

For each risk, consciously choose one of the four possible strategies, basing your choice on your organization’s risk appetite and tolerance, as determined by your senior management.

FURTHER READING

For more on this and other hot topics in business continuity management, check out these recent posts from MHA Consulting and BCMMETRICS:
