Use the Risk Management Process to Manage Uncertainty, Then Repeat

Richard Long

In today’s post we’ll talk about the risk management process—the steps every organization should go through regularly to protect themselves against the hazards of doing business.

Every organization needs to do some type of risk management. If your business is caught without a process for risk management, you are leaving yourself vulnerable.

Risk management can be defined as forecasting and evaluating risks to the organization, determining impact (financial, brand, people, etc.) and identifying steps to avoid or reduce their impact.

Risk mitigation is the prudent response to the reality that life is uncertain and sometimes bad things happen to good organizations. The alternative to risk management is going through life with your fingers crossed, hoping that bad luck only ever happens to other people.

Risk management introduces rationality into the irrational world of bad luck. It’s a way of evaluating potential negative events and their likely impacts, then taking steps to protect ourselves against those events that would cause the severest damage if they occurred, or that are more likely to occur.

Risk management can help us understand where we should invest to protect ourselves, and also where we don’t need to do so (if the risk is too small).

The Risk Management Process

The risk management process is the set of steps you should be taking routinely, habitually, to assess and mitigate the hazards present in your organization and lines of business.

This should become part of your organization’s culture. It should become as habitual for your company as it is for a person to look both ways before they cross the street.

It needs to be a cycle because it can take several iterations to get where you need to be and also because things change over time. Risk management and mitigation is not a project, but an ongoing aspect of resiliency.

Most organizations should assess their risks at least once a year, depending on the rate of change in their organization, field, and environment.

The 6 Steps of the Risk Management Process

The risk cycle has six steps:

  1. Assessing your risks.
  2. Prioritizing your risks.
  3. Figuring out your risk profile.
  4. Choosing your risk strategies.
  5. Executing your risk strategies.
  6. Measuring residual risk.

We could add a seventh step: go back and do it all over again—since things are always changing, in business, life, and the larger environment, and you need to continually review to stay current and protected.

We’ll talk more about each step below.

Step 1: Assessing your risks

Everything in risk management starts with risk assessment: examining the factors at your organization and in your environment that are potentially dangerous.

You want to think about everything that has the potential to take your organization down.

Natural disasters are part of the picture but there’s a lot more to it than that.

Think also about technological risks and risks involving single points of failure (SPOFs), whether they reside in equipment or people (individuals who are the only ones who know how to do certain essential tasks).

Also think about risks that might arise from your location. Are you in an industrial area where there’s a risk of gas leaks? Near government buildings downtown where you might be affected by demonstrations?

Step 2: Evaluating your risks

Once you have made a list of the risks facing your company, you need to evaluate them.

Specifically, you should evaluate them in terms of how severe the impact would be and the likelihood of their occurring. Then you prioritize them in this order:

  • High impact and highly likely to occur.
  • High impact and less likely to occur.
  • Low impact and highly likely to occur.
  • Low impact and less likely to occur.

This process can be enlightening. It’s not unusual at this stage for a company to realize it’s protecting itself against the wrong things (e.g., by spending a lot of money on something that’s unlikely to occur and would have a modest impact, and neglecting to protect itself against something that is highly likely and would have a severe impact).

Here you can see right away how using the risk mitigation process can bring significant benefits to the organization.

Step 3: Figuring out your risk profile

You also have to figure out your risk profile, or rather your senior management’s risk profile. This is all down to them. It’s about how much risk they are prepared to live with.

Some organizations are comfortable running a lot of risk. Some will do all they can to get their risk exposure as close to zero as possible.

Risk appetite and risk tolerance both refer to how much risk an organization is prepared to accept in pursuit of its objectives.

Risk appetite is a broader statement of the level of loss exposure that management deems acceptable, given its objectives and resources. An organization with a high risk appetite might accept a high insurance deductible or even go without insurance. An organization with substantial financial reserves might have a high appetite for risk.

Risk tolerance is the narrower view: for a specific objective, it is the acceptable level of variation from the risk appetite, the amount of deviation the company is willing to tolerate.

Step 4: Choosing your risk strategies

Once you know how much risk senior management is prepared to accept, you can start choosing a risk mitigation strategy for each significant risk. There are four of them:

  • Avoid the risk. Exit activities that bring on the risk.
  • Reduce the risk. Take steps to reduce the likelihood of a negative event occurring.
  • Share the risk. Take out insurance to help cover the risk.
  • Accept the risk. Simply live with the risk, acknowledging that if the threat occurs the organization will have to bear the consequences.

Step 5: Executing your risk strategies

Implement the strategies you decided on in Step 4.

Step 6: Measuring residual risk

Residual risk refers to how much risk is left over after you have adopted your risk mitigation strategies. It’s the amount of risk left in your system after you have followed steps 1 through 5.

This is not an abstract concept. It tells you whether your risk mitigation strategies were successful.

If your residual risk remains outside your management’s tolerance, you need to go back and beef up your mitigation strategies.

If your residual risk is significantly less than the amount of risk management will accept, you might be spending too much money on your risk mitigation process. Perhaps you can ease up on some of your strategies.
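As an added illustration (not the post’s or MHA’s own tooling), the Python below walks a constructed four-item register through Steps 2 to 6: it buckets risks in the priority order given in Step 2, applies the four strategies from Step 4, and compares each residual score with management’s tolerance, flagging where mitigation must be strengthened and where it may be eased. The 1–5 scoring scale, the tolerance of 6 and the “well below tolerance” threshold are assumptions.

```python
from dataclasses import dataclass

HIGH = 3  # on the constructed 1-5 scale, a score >= HIGH counts as "high"

@dataclass
class Risk:
    name: str
    impact: int      # 1 = negligible .. 5 = could take the organisation down
    likelihood: int  # 1 = rare .. 5 = expected
    strategy: str = "accept"  # avoid | reduce | share | accept (Step 4)
    residual: tuple = ()      # (impact, likelihood) left after Step 5; () = untreated

    def residual_score(self) -> int:
        impact, likelihood = self.residual or (self.impact, self.likelihood)
        return impact * likelihood

def bucket(risk: Risk) -> int:
    # Step 2: the post's four priority buckets, 0 = deal with first.
    key = (risk.impact >= HIGH, risk.likelihood >= HIGH)
    return {(True, True): 0, (True, False): 1, (False, True): 2}.get(key, 3)

def prioritize(register: list) -> list:
    # Bucket first, then the larger inherent score (impact x likelihood) within a bucket.
    return sorted(register, key=lambda r: (bucket(r), -r.impact * r.likelihood))

def execute(risk: Risk, strategy: str, impact: int = 0, likelihood: int = 0) -> Risk:
    """Steps 4-5: record the chosen strategy and the residual exposure it leaves."""
    risk.strategy = strategy
    if strategy == "avoid":       # exit the activity: no exposure remains
        risk.residual = (0, 0)
    elif strategy == "reduce":    # controls lower how often the event occurs
        risk.residual = (risk.impact, likelihood)
    elif strategy == "share":     # insurance or outsourcing lowers what it costs you
        risk.residual = (impact, risk.likelihood)
    elif strategy != "accept":    # accept: residual stays equal to inherent
        raise ValueError(f"unknown strategy {strategy!r}")
    return risk

def residual_review(register: list, tolerance: int, slack: float = 0.5) -> dict:
    """Step 6: 'strengthen' = still above tolerance (back to Step 4); 'ease' = money
    was spent (not 'accept') yet residual sits well below tolerance; 'ok' = within it."""
    verdicts = {}
    for r in register:
        residual = r.residual_score()
        verdicts[r.name] = ("strengthen" if residual > tolerance
                            else "ease" if r.strategy != "accept" and residual < tolerance * slack
                            else "ok")
    return verdicts

# Constructed register using hazards the post itself names in Step 1.
REGISTER = [
    Risk("ransomware", impact=5, likelihood=4),
    Risk("gas leak in industrial area", impact=4, likelihood=1),
    Risk("key admin is a single point of failure", impact=3, likelihood=3),
    Risk("demonstration blocks office access", impact=2, likelihood=4),
]

def run(tolerance: int = 6) -> dict:
    ordered = prioritize(REGISTER)
    execute(ordered[0], "reduce", likelihood=1)  # ransomware: backups, patching, MFA
    execute(ordered[1], "reduce", likelihood=1)  # SPOF: cross-train a second admin
    execute(ordered[2], "share", impact=1)       # gas leak: insured, though already tolerable
    execute(ordered[3], "accept")                # demonstration: 2*4 = 8 still exceeds 6
    return residual_review(ordered, tolerance)
```

Calling `run()` returns one verdict per risk: the accepted demonstration risk comes back as “strengthen” because its inherent score already exceeds tolerance, while the insured gas leak comes back as “ease” because money was spent on a risk that was within tolerance before any treatment.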

Rinse and Repeat

After this, it’s all about repeating the cycle—whether you are repeating particular steps as part of an ongoing effort to hit the bull’s-eye of your management’s risk tolerance, or you’re repeating the entire process as part of an annual or biannual review.

Large organizations usually have a risk management department. Small and mid-size ones can often benefit from obtaining an outside consultant such as MHA to help in implementing the risk mitigation cycle.

Why do you care about risk so much?

Are you familiar with the answer bank robber Willie Sutton gave when asked why he robbed banks? He said, “Because that’s where the money is.”

The reason we in business continuity management (BCM) worry about risk so much is because that is where the danger to our organizations lies. It’s also where the opportunities to make them more resilient can be found.

Everything we in business continuity and disaster recovery do revolves around risk mitigation. Without understanding the risks and the impacts those risks pose, the planning and implementation around BC and IT/Disaster Recovery (IT/DR) will not provide appropriate value or functional capability. We do risk assessments to reach resiliency.

What common problems are you seeing with risk management as you work with different organizations around the country?

Here are a handful:

  • Many organizations have an incomplete understanding of the likely and impactful risks; often the focus is on what has already been addressed.
  • Many people in BCM are afraid to assess their organization’s compliance with BCM standards and best practices because they are worried about what they might find out. They’d rather be in the dark than learn the full extent of their vulnerabilities.
  • People don’t understand how helpful BCM benchmarking can be in helping them manage risk within their program. There’s a strong need for education on this topic.
  • Few companies use up-to-date software to help them measure compliance. These companies are flying blind.
  • Most organizations do not have a clear picture of where they stand and where their BCM strengths and weaknesses lie.
  • At many organizations, the limited time and resources available to improve resiliency are often spent on trivial activities, such as counting up how many recovery plans have been completed.

What are the benefits of BCM benchmarking software?

One benefit of having this type of software is that you will be able to come up with an answer when management asks you a question such as, “How compliant is our Business Continuity program and how does it compare to others in our industry?”

A good BCM self-assessment or GRC (Governance, Risk, and Compliance) tool makes it easy for you to assess your compliance with industry standards and best practices. This is a critical first step toward raising your compliance and hence your resiliency.

A quality BCM self-assessment tool will let you quickly and easily assess the compliance of your program. For example, BCMMETRICS™ Compliance Confidence allows you to assess your program across seven dimensions: Program Administration, Crisis Management, Business Recovery, Disaster Recovery, Supply Chain Risk Management, Third Party Management, and Fire & Life Safety.

Some tools also let you attach supporting documentation, so you have everything that relates to that assessment in one place. And some BCM tools allow you to add tasks and assign responsible parties for a resolution to keep the program moving down the compliance trail. Some also allow you to run management scorecards and reports on each dimension outlining the state of the program.

This kind of data gives a big-picture analysis of what the compliance landscape looks like. It gives you a clear picture of where you are doing well and where your program is weak, providing a way to focus your future efforts for maximum return and impact.

There are several good BCM self-assessment tools on the market, including those produced by our sister company, BCMMETRICS. You can find out more about the entire suite of BCM benchmarking tools here.

I’m still a little confused about what risk management involves, in the context of BCM. Can you enlighten me?

Gladly. Your question is about the activities that make up the job of managing risk at an organization. We usually think of this as consisting of eight components. (It’s called the Enterprise Risk Management framework, or ERM.) The components are:

  1. Internal control environment. This concerns the tone of an organization. It sets the basis for how risk is viewed and addressed. It addresses the organization’s risk management philosophy, risk appetite, ethical values, and operating environment.
  2. Objective setting. Clear objectives must be set before management can identify potential events that might have an effect on their plans. ERM ensures that management has a process in place to set objectives that support and align with the company’s mission and are consistent with its risk appetite.
  3. Event identification. Events affecting the achievement of the organization’s objectives must be identified. This includes internal and external events. Remember that it’s always important to distinguish between risks and opportunities. Opportunities are channeled back to management’s strategy or objective-setting processes.
  4. Risk assessments. Consider the likelihood and impact of an event as a basis for determining how risks should be managed. Risks should be assessed on an inherent and a residual basis.
  5. Risk response. Management should develop a set of actions (avoiding, accepting, sharing, or reducing) to align risks with the company’s risk tolerance and risk appetite.
  6. Control activities. Establishing and implementing policies and procedures to help ensure the risk responses are effectively carried out.
  7. Communication of relevant information. Important information should be identified, captured, and communicated in a format and timeframe that enables people to carry out their responsibilities.
  8. Monitoring. The ERM should be observed and, if necessary, modified. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.

What are the main kinds of risks that organizations face?

We usually break organizational risk down into six types:

  1. Human error. No process or checks will stop all mistakes. This is the beauty and curse of humanity.
  2. Intentional. Knowingly taking shortcuts or not following known procedures.
  3. Unintentional. Physical errors or mental or cognitive errors, where someone does the wrong thing believing it to be right (i.e., making the wrong decision).
  4. Data breach/ransomware. This happens every day.
  5. Brand image/reputational damage. Your organization’s brand is an asset which needs to be protected, just like your physical plant and computer networks. (For more information, see 7 Tips to Help You Protect Your Brand in a Crisis.)
  6. Technology outages. Cases recently in the news have involved airlines and cloud-based services, among others. (Resiliency Theater – You May Not Really Be Prepared for an Outage.)

What is a risk mitigation strategy?

A risk mitigation strategy is a way of reducing the potential adverse effects to the organization that could be caused by a crisis or business disruption.

There are four types of risk mitigation strategies:

  • Risk Acceptance: Risk acceptance does not reduce any effects. However, it is still considered a strategy. This strategy is a common option when the cost of other risk management choices such as avoidance or limitation may outweigh the cost of the risk itself. A company that doesn’t want to spend a lot of money on avoiding risks that do not have a high possibility of occurring will use the risk acceptance strategy.
  • Risk Avoidance: Risk avoidance is the opposite of risk acceptance. It is the action that avoids any exposure to the risk whatsoever. Risk avoidance is usually the most expensive of all risk mitigation options.
  • Risk Limitation: Risk limitation is the most common risk management strategy used by businesses. This strategy limits a company’s exposure by taking some action. It is a strategy employing a bit of risk acceptance along with a bit of risk avoidance or any combination of the two. An example of risk limitation would be a company accepting that a disk drive may fail and avoiding a long period of failure by having backups.
  • Risk Transference: Risk transference involves handing risk off to a willing third party. The most frequently used and easiest method of risk transference is insurance. Insurance is the financial transfer of risk. Another example is the transference of operational risks that can easily be performed by third parties, such as customer service, payroll services, etc. This can be particularly beneficial for a company when a transferred risk is not one of their core competencies, as it allows them to focus more on their core activities.

Should I monitor changes to risk?

Absolutely. Monitoring risk—including tracking identified risks and evaluating the performance of risk mitigation actions—is critical to the risk mitigation process. Systematically monitoring risk feeds information back into other risk management activities, such as identification, analysis, mitigation planning, and mitigation plan implementation.

The process for risk monitoring includes setting up a structure for how often you review your risk, what to monitor, how to report changes, and how to redefine your risk strategies.

How often should I measure risk?

Monitoring the ongoing risk mitigation and state of identified risks should be a continuous activity. We monitor and react to risk constantly in our daily lives; a conscious, ongoing monitoring of our organization’s risk mitigation position should occur as well.

It’s a good idea to schedule periodic risk reviews ahead of time. Take the time each month to review the most probable and highest-impact risks, along with their mitigation strategies; this is what allows for continuous improvement.

Should I review the risk mitigation plan on an ongoing basis?

Yes, ongoing review of the risk mitigation plan is required to ensure that it is meeting the needs of the organization.

Review all mitigation strategies, including the status and effectiveness of the actions you have taken. Surveying those strategies not implemented also ensures that your plan is moving forward.

Ensuring that all requirements of your risk management plan are being implemented is critical—otherwise, the mitigation strategy can become an unconscious acceptance of the risk, and may be identified as an additional risk itself.

Is it important to identify new risks?

Yes, it is. The modus operandi of your business is always evolving, and even if it’s doing so slowly, new risks may pop up. Your risk mitigation strategy will be ineffective if you’re not tracking new risks based on personnel, vendor, and software changes. Updating your list of risks is a critical part of maintaining an effective risk management plan.

Should I validate my previous risk assessments?

Definitely. When reviewing the risks you’ve previously identified and taken action on, remember to validate your previous risk assessments based on your risk’s likelihood and impact. Changes to your risk may result in changes to either or both of these. Therefore, it is essential to adjust the risk’s priority accordingly. It’s also a good idea to validate previous assumptions and state any new assumptions as this will help you monitor your risk over time.

How do I report on risk changes?

The best way is to leverage the reporting already in use as part of the risk analysis. There is no need to have multiple reporting mediums. A quick monthly dashboard with changes and status of risks and mitigation strategies (which are monitored) and/or changes to the profile can be enough to provide constant visibility to the state of risk and potential impact.

Keeping this up-to-date should not take much time if the monitoring is performed as described above. Remember, without good information, you cannot make appropriate decisions. Having consistent reporting will help you convey any changes to your risk strategy to management and interested parties.

When should I redefine my risk management strategy?

It may make sense to adjust the mitigation strategy or the regular risk assessment schedule when there is a change to the risk impact or its probability. Ideally you keep the currently implemented strategies and change them only as warranted. A complete change in the strategy may not be necessary; adjusting the implementation may be enough.

Will I ever be done worrying about risk management?

Sorry, but no—not as long as you’re working as a business continuity professional.

Risk management is not a task to complete and check off of your to-do list. It’s an ongoing activity that should become part of your overall business continuity culture. It should be a consideration in everything we do. An underlying thought should always be, what are the risks, likelihood of occurrence, and impact?

As with most activities, continual attention provides better and more efficient execution, less effort overall, and better results.

Monitoring risk mitigation strategies is actually one of the most important activities you can undertake. You never know when the event being mitigated may occur.

Further Reading

For more information on the risk management process and other hot topics in BC and IT/disaster recovery, check out these recent posts from MHA Consulting and BCMMETRICS:

About
Richard Long is one of MHA’s practice team leaders for Technology and Disaster Recovery related engagements. He has been responsible for the successful execution of MHA business continuity and disaster recovery engagements in industries such as Energy & Utilities, Government Services, Healthcare, Insurance, Risk Management, Travel & Entertainment, Consumer Products, and Education. Prior to joining MHA, Richard held Senior IT Director positions at PetSmart (NASDAQ: PETM) and Avnet, Inc. (NYSE: AVT) and has been a senior leader across all disciplines of IT. He has successfully led international and domestic disaster recovery, technology assessment, crisis management and risk mitigation engagements.