Risk Management is a collection of processes through which an organisation identifies, assesses and ranks the various threats and opportunities it might face. There are a number of methods available to an organisation seeking to manage risk.
Risks originate from a number of business aspects, whether external, such as financial market or economic risk, or internal, through data loss, theft or mismanagement. Risk Management is an integral part of Business Continuity and the needs and objectives of an organisation will determine the best options.
All businesses should consider risk. Starting a business is a risk and running organisations is risky. A large aspect of business governance is about identifying, assessing, measuring, and making decisions about risk.
There are several steps in Risk Management: the internationally recognised standard is ISO31000.
Here are the steps a company should take when devising and implementing and Risk Management plan:
Identifying the context
This is about defining the business environment being measured, and the framework within which the risk is managed.
Identifying the risk
Some industries such as financial services have a regulatory framework within which to identify, assess and manage risk; others such as electronics and manufacturing have specific sector risks. Different geographies have other risks, and some organisations consider scenario planning as a means of identifying risk.
The organisation also needs to agree its own risk appetite, which will inform its reaction to risk and its consequences.
Assessing the risk
Assessing the risk and its potential severity can be difficult. Ideally, risks would be quantitatively measured in terms of loss, although that can be difficult as by definition risk is an unknown quantity.
For example, it is possible to calculate the costs of losing a piece of equipment, but impossible to measure the likelihood or extent of events which might cause damage.
The commonly accepted methodology is to combine the likelihood of an event (the probability) with the cost of the event (the impact).
Mitigating the risk
There are four ways of dealing with risk:
1. Avoid the risk – stop doing whatever it is that causes the risk, if possible
2. Reduce the risk – accept the risk, and mitigate the likelihood or impact
3. Transfer the risk – outsource the operational risk, or insure it
4. Accept it – budget for the consequences, depending on risk appetite
The choice will depend on a number of factors, including the impact of the decision on products or services, sales, budgets, capabilities, or even consequences.
Implement and review the risk management plan
This involves selecting appropriate controls or countermeasures to manage the risk according to appetite – and critically, monitor it to avoid inaction, and thus increased risk.
ibd provides access to specialist and professionally qualified advisers with specific Business Continuity expertise, and live experience of invoking plans following disaster or disruption.