The best disaster is the one that never occurs, and it’s nothing short of a fundamental responsibility of management to ensure that all reasonable steps have been taken to identify potential risks and to put in place appropriate preventive and mitigating controls. A comprehensive Risk Assessment report is the starting point for doing just that: identifying risks and the control measures that the organization will pursue either to prevent the risk from occurring in the first place or to mitigate the impacts of the risk if it should occur.
What You Should Know
In the world of risk management, it is commonly accepted that there are four fundamental responses available to management when presented with a risk: accept, avoid, mitigate, or transfer. Each of these four “risk treatments” is valid under certain circumstances, and often we find organizations using a combination of the four. For example, a company located in a hurricane zone may “mitigate” the risk potential of a hurricane by creating a robust business continuity plan, but will also “transfer” some of that risk by obtaining appropriate property and casualty insurance.
That example helps illustrate the proper context of a Business Continuity Management System: it is part of what will typically be a larger “risk mitigation” program. In fact, it is often a fair characterization of a BCMS to view it as the “plan of last resort.” In other words, it is the plan that we use when all other prevention and mitigation efforts have failed, and the “risk” – that is, the disaster – actually occurs and causes a business interruption.
The starting point for an intelligent management decision regarding which treatments to apply to a given risk is to first identify all risks and prioritize them by factors that include likelihood, damage potential, and availability and effectiveness of preventive and mitigating controls.