One of the most important roles business continuity professionals have is that of risk mitigator: a person who understands, manages, and educates others at the organization about risk. In today’s post, we’ll share five things you need to know and do if you want to get good at the craft of mitigating risk.
Risk mitigation is the process of understanding the hazards facing an organization and taking steps to bring them to within a level determined to be acceptable in light of the organization’s mission.
It’s not about eliminating all risk completely, but thinking about and managing it in a rational, informed way.
Risk mitigation is by nature a process that is never done. Because your organization and environment inevitably change over time, managing risk is an ongoing activity.
Here are five tips to help you master the craft of mitigating risk:
Understand the risk management process
The process has six steps, and in managing risk, you should perform all of them in order on a continuous loop. The steps are:
- Assess your risks
- Prioritize your risks
- Figure out your organization’s risk profile
- Choose your risk strategies
- Execute your risk strategies
- Measure residual risk.
For a good overview, see our post Rinse and Repeat: Using the Risk Management Process to Manage Uncertainty from earlier this year.
Learn about the risk framework
The risk framework refers to the activities that make up the job of risk mitigator and managing risk at an organization. There are eight components:
- Internal control environment
- Setting of objectives
- Event identification
- Risk assessments
- Risk response
- Control activities
- Communication of relevant information
I discussed the risk framework in detail in the post Everything You Always Wanted to Know About Managing Risk but Were Afraid to Ask.
Analyze the likely impact on your organization of each of the eight risk areas
The risk areas are:
- Human error
- Supply chains
- Data security
- Facility security
- Business processes/management
For more details, see the two posts mentioned above.
Understand your organization’s risk tolerance and risk appetite
These terms refer to how much risk management is prepared to accept in pursuit of its objectives. Risk appetite is a broader statement of the level of risk that management deems acceptable. Risk tolerance refers to the specific level of risk the company will accept as it pursues a specific objective.
Learn the four risk mitigation strategies
The four risk mitigation strategies are:
- Avoid the risk by exiting activities that bring it on or implementing protections to eliminate the exposure.
- Reduce the risk by taking steps to reduce the likelihood of a negative event occurring, though not removing it completely.
- Transfer the risk such as by taking out insurance to help cover it or hiring a third party that will take the risk associated with the action or process.
- Accept the risk, acknowledging that if the danger is realized, the organization will have to bear the consequences.
Once you as a risk mitigator have mastered the content described above, it all comes down to executing on what you know and educating your organization across all levels in order to make risk mitigation part of your organization’s culture. The most prepared organizations are those in which risk is addressed in daily activities and not just during a formal risk assessment.
Being a Risk Mitigator
Being a risk mitigator is about understanding the hazards that face your organization and managing them in an informed, rational way. By mastering the concepts set forth above, you will be well on your way to helping your organization stay within a reasonable level of risk while still performing its mission and pursuing attractive opportunities.
For more information on risk management and other hot topics in business continuity and IT/disaster recovery, check out the following recent posts from MHA Consulting and BCMMETRICS:
- Rinse and Repeat: Using the Risk Management Process to Manage Uncertainty
- Everything You Always Wanted to Know About Managing Risk but Were Afraid to Ask
- Rethinking Risk: A Better Way to Think About Risk in Business Continuity Management
- Never Break the Chain: Assessing and Managing Supply Chain Risk
- Telephone Train Wreck: Crisis Call Chaos in the Time of COVID-19
- Working Remotely over the Long Haul: Living with COVID-19 as a Business