But is that how the executives in your organization think? Are they willing to fund your risk mitigation requests every time you submit one simply because it’s the “right” thing to do? Is our perspective the very reason many of us have difficulty generating solid senior management support for our efforts?
This article will take you on a journey that may challenge everything you have been taught about risk. By the end, I hope to have you thinking about “risk” in a whole
Traditional Definitions of Risk
The DRJ Glossary defines risk as, “The potential for exposure to loss which can be determined by using either qualitative or quantitative measures” and risk management as, “The culture, processes, and structures that are put in place to effectively manage potential negative events.”
The DRII Professional Practices for Business Continuity Planners defines the practice of risk evaluation and control as, “Determine the events and external surroundings that can adversely affect the organization and its facilities with disruption as well as disaster, the damage such events can cause, and the controls needed to prevent or minimize the effects of potential loss.”
Similarly, NFPA 1600’s Explanatory Material Annex states, “A comprehensive risk assessment identifies the range of possible hazards, threats, or perils that have or might impact the entity, surrounding area, or critical infrastructure supporting the entity.”
Wow, that sure sounds like a lot of doom and gloom. It’s no wonder that many in senior management hate to see us coming down the hall (assuming they even know who we are).
As seen in Figure 1, practitioners using the traditional view of risk management frequently generate a matrix to plot the likelihood and impact of threats to the organization. Whether you utilize three, four, or five categories on each axis really doesn’t matter. The idea is to focus attention on the highest probability and highest impact areas so that prioritized mitigation efforts can be developed.
Once identified and prioritized, management needs to decide what to do in response to these threats. Their choices include:
- Avoid – Eliminate the risk through careful design or planning, or discontinue the process entirely.
- Substitute – Find a less risky alternative to perform the same function.
- Transfer – Remove liability for the risk by making someone else accountable for it, e.g., through insurance.
- Reduce – Find a way to reduce the likelihood and/or impact of the threat.
- Accept – Understand what the risk is and decide that no further action is desired or possible.
While there is certainly tremendous value in reducing our organization’s exposure to negative consequences, at best we’re focusing on only half the story. I believe this one-dimensional view is what keeps many in our profession out of the boardroom-level discussions within our respective organizations. In order to increase our level of influence, we need to be seen as adding business value rather than as just a scaremongering cost center.
There’s Another Side to Risk
ISO/IEC Guide 73 defines risk as, “The combination of the probability of an event and its consequences.” Simply put, risk is all about uncertainty and it’s not always a bad thing. What distinguishes this from the traditional approach used by many BC/DR planners is that the outcome of an event can either be positive or negative in relation to the achievement of business objectives. Along with the “threats” that can lead to a negative business impact or loss, there are also “opportunities” which, if exploited successfully, lead to an improved outcome or business benefit.
To help illustrate this concept, Figure 2 represents an integrated matrix that shows both the traditional threat-based view of risk on the left side, along with opportunities represented on the right. By placing the two matrices next to each other in a mirror view, management’s attention can be focused not only on the highest likelihood/highest impact threats, but also on those opportunities where there is a high likelihood of delivering significant business benefits.
Just as management needs to decide what to do about threats, they similarly need to make decisions about what to do with opportunities. These choices may include:
- Pursue – High likelihood/high impact opportunities that must be exploited to deliver shareholder value.
- Partner – When a particular expertise is not in-house, work with an external third party to increase the impact or likelihood of an opportunity.
- Develop – Work with internal resources to increase the impact or likelihood of an opportunity.
- Disregard – Take no action, the likelihood and/or benefit is too low to make it worthwhile.
So, how do you go about identifying and evaluating both threats and opportunities to populate this integrated risk matrix? There are numerous thought-provoking business strategy tools out there that can guide you toward looking at risk in a more balanced, strategic, executive-level way. One of the simplest ways to get started understanding the big picture is a method known as a “strengths, weaknesses, opportunities and threats” (SWOT) analysis. The SWOT analysis takes into consideration many different internal and external factors, and is designed to help you identify elements that minimize the impact of weaknesses and threats (evaluated on the left side of the integrated risk matrix) while maximizing the potential of strengths and opportunities (evaluated on the right).
SWOT analysis is merely one of the structured methodologies used to better understand your business and many times the basic SWOT analysis is followed up with more sophisticated methodologies and tools. How you choose to go about brainstorming ideas and evaluating probability vs. impact is up to you, but there’s a good reason why you should consider adopting this expanded view of risk.
What Goes on in the Boardroom?
Dealing with both sides of the risk equation is what your executives do every day in running the company. Their job is to determine the acceptable amount of strategic risk to take in order for the company to make a profit. No matter what your industry, there is risk (uncertainty) associated with every product or service that your company provides.
Think about it ... somebody had to be willing to accept some uncertainty and develop new products; otherwise, we wouldn’t have progressed beyond the Stone Age. A mortgage company uses credit scores but still takes a chance by loaning out money assuming they are going to get their principal back plus interest. Insurance companies use complex actuarial tables to manage their risk exposures while still making opportunity profits off the premiums collected from their customers. Automakers face uncertainty every time they introduce a new model, hoping it will become a top seller. Hollywood movies. New television shows. Electronic devices. Anything offered on the Home Shopping Network. Everything your company sells can be traced back to a balanced decision made about the opportunities found within strategic risk.
Sometimes the decision to pursue a new business opportunity works out well (e.g., the invention of radio, the cell phone, computers), and sometimes it doesn’t (new Coke, the Edsel), but what all these items have in common is a company embracing the opportunity side of risk and believing that marketing their new product or service will generate increased revenue and shareholder value. So, if these are the kinds of business case analyses our executives are using to make decisions every day, why aren’t more of us speaking to them in a language they understand?
Building a Better Business Case
When conducting a business impact or risk assessment, have you ever identified business processes that were inefficient or just simply didn’t make sense? Did you ever come up with ideas on how to make things better? What did you do with that information? If you’re like many in this profession, you considered that out of scope for your department and either simply moved on or let somebody else handle it. There is a better way.
Let’s explore a hypothetical situation. During your pandemic planning efforts, you identified that one possible mitigation for the likely threat of workforce disruption was to provide your employees with as many network connectivity choices as possible, including wireless. Sounds good, but suppose your extremely security-conscious or not-so-technologically-advanced company doesn’t yet have or allow wireless broadband capabilities on the laptop computers in use by your company’s distributed workforce. If you just stopped there and submitted a business case whose sole justification is mitigation for a threat that may occur at some undetermined time in the future, do you think your proposal would effectively compete against other corporate initiatives and receive funding? Maybe, but not likely.
Suppose you performed a very different kind of analysis that focused on delivering positive business benefits as the primary objective. What if your business case instead focused first on enabling your workforce to connect to your company network via wireless “hot spots” while they were sitting at an airport waiting for a plane or staying in a hotel? You can calculate a direct Return on Investment (ROI) in the business case, and your proposal now becomes one focused primarily on reducing downtime and increasing worker productivity on a daily basis.
Now, as part of this new business case, you throw in the added benefit of also providing your company’s staff with additional connectivity options in the event of a pandemic. With this combined approach, there is a much higher probability of getting the business case approved. Suddenly, you’re seen as someone adding business value, not just the constant harbinger of bad news. In the end, the business benefits and you get the mitigation that you wanted in the first place.
Risk. What comes to mind when you hear that word? We’ve reached the end of our little journey, and my hope is that now “risk” has a whole new meaning for you. Take the steps necessary to start thinking, speaking, and acting like an executive by focusing on the big picture. Look at both sides of the risk matrix. When you find ways to tie mitigation efforts into business cases where the primary focus is on delivering daily business value, you’ll be recognized as a valued strategic thinker and professional success will soon follow.
James G. Callahan, CBCP, has more than 17 years’ experience in security, safeguards, BC/DR and risk management. He is currently a senior process manager for business continuity and risk management at AstraZeneca Pharmaceuticals LP.
Appeared in DRJ’s Spring 2008 Issue.