Few organizations think about risk in a rational manner, which commonly leads to unnecessary expenditures and dangerous gaps in their business continuity planning. In today’s post, we’re going to look at a better way to analyze and address risk, namely the approach known as risk-based thinking.
What is Risk-Based Thinking?
Risk-based thinking means considering risk at the beginning of developing a business continuity program rather than at the end. It uses risk as the starting point, letting it guide the organization’s BCM investments and priorities.
Risk is the most reasonable, rational thing to take into consideration in shaping the outlines of your organization’s BC program.
By taking a risk-first approach, you can identify the most significant areas of risk at the organization. These are the areas that require the most attention, planning, development, and testing in your BC program.
The risks vary for each industry, organization, and facility, so there is no one-size-fits-all solution to assessing risk in business continuity.
Unfortunately, few companies today use risk-based thinking in guiding their business continuity programs. By not doing so, those companies are flying blind.
When you don’t use a rational, analytical method to identify your most significant risks, then how do you know what is most vulnerable? You don’t. How do you know what needs protecting? You don’t. In both cases, you’re just guessing.
Companies that do not used risk-based thinking tend to go with one of two approaches in their business continuity planning. One is what we call the boil-the-ocean approach. The boil-the-ocean approach is when you try to protect everything. For most companies this is about as feasible as boiling the ocean. In other words, it’s not feasible. Result: everything gets a little protection, but nothing is truly protected.
The other approach we see a lot is the shotgun approach. With the shotgun approach, the planners shoot from the hip, guessing at what is worth protecting. They protect that and leave the safety of everything else to fate. Result: they are playing Russian roulette with the security of the company.
Worth the Effort
I understand why companies don’t use risk-based thinking. It’s hard, or at least it’s unfamiliar. If yours is such a company, I encourage you to overcome your resistance. Risk-based thinking is worth the effort.
By not using risk-based thinking, you’re building in inefficiencies and areas of weakness. When systems that have inefficiencies and areas of weakness come under stress, they fail. This is not what you want to have happen as a responsible professional, if you care about your organization and its stakeholders.
The Benefits of Risk-Based Thinking
Here are the benefits of risk-based thinking in brief:
- It allows you to identify and protect against the most significant risks facing your organization.
- It prevents you from wasting resources on protecting against risks that are not that important.
- It saves time.
- It lets you be more scientific and rational in your approach.
- It allows you to take your head out of the sand.
- It gives you well-founded peace of mind.
The Impact of the Four Key Areas
Risk-based thinking affects all areas of business continuity management. However, its biggest impact is on the following four areas:
- Compliance. Risk-based thinking is an integral part of using business continuity standards. By choosing and coming into compliance with one of the leading business continuity standards, you are preparing your program for success and your company for resilience.
- BIAs. Business impact analyses (BIAs) are all about identifying what processes are truly important to the organization.Risk-based thinking goes one step farther. It helps you understand where the risks lie in those critical processes, such as the single points of failure (SPOFs). By identifying these vulnerabilities, you can take steps to shore them up, providing better protection for your most critical processes.
- Threat and risk assessment. Companies that don’t conduct TRAs are doing themselves no favors. The TRA and risk-based thinking go hand-in hand. It provides a systematic way of assessing the threats and risks an organization or facility faces. The TRA looks not just at the facility itself but at the wider environment, including human, natural, and technological threats. This information is the foundation of a risk-based approach to business continuity.
- Residual risk. Residual risk is the risk that remains in the organization after the total risk has been reduced by the use of the various risk mitigation controls (such as the use of BIAs and TRAs). Risk-based thinking is realistic thinking. It recognizes that removing all the risk from the organization is cost-prohibitive and also unnecessary. What’s important is to bring the residual risk within the limits that management has deemed acceptable. (Getting management to decide on how much risk it will accept is another challenge entirely, one I looked at in this post.)
The Wave of the Future
I feel so strongly about the value of risk-based thinking that I made it the core of the BCMMETRICS suite of business continuity tools: BIA On-Demand, BCM One, Compliance Confidence, and Residual Risk.
Risk-based thinking is the wave of the future in business continuity management. It allows you to identify the most significant risks facing the organization and protect against them. It also enables you to identify which risks are less significant, so that you don’t spend a disproportionate amount of time and resources dealing with them.
Risk-based thinking puts your BC program and investments on a rational footing. It allows you to take your head out of the sand while providing you with well-founded peace of mind.
For more on risk in business continuity and other hot topics in business continuity and IT/disaster recovery, check out these recent posts from BCMMETRICS and MHA Consulting:
- Weighing the Danger: The Continuing Value of the Threat and Risk Assessment
- Standard Time: The Best Time to Choose a Business Continuity Standard Is Right Now
- Never Break the Chain: Assessing and Managing Supply Chain Risk
- 6 Tips to Help You Vet Your Third-party Vendors
- The Top 7 Risk Mitigation Controls, in Order
- Risky Business: 9 Ways That Not Measuring Residual Risk Can Harm Your Organization
- The 5 Most Important Risk Mitigation Controls