Risk-Based Thinking and Business Continuity Planning

Brian Zawada, FBCI Brian Zawada, FBCI | Apr 23, 2018

I use the term all the time. Avalution’s leadership team, and by extension, the firm’s product/service-related messaging often uses it. A quick Google search returns nearly 6.8 million results in under a second.

The term I’m referring to is “risk-based”.

Made up of two simple words, risk-based is an important concept that is worthy of exploring, mainly because (in my opinion) it contributes to two very important concepts that have a direct correlation to business continuity success:

  1. Focus
  2. Simplicity

There are also a few terms used in the risk management discipline (some specifically mentioned in ISO 22301 and ISO 31000) that relate to the topic of risk-based, namely:

  • Inherent Risk: The probability of loss arising out of the organization’s innate position or its environment, in the absence of any action to control or modify the circumstances.
  • Risk Profile: The organization’s willingness to take risks and expose themselves to associated threats.
  • Risk Appetite/Tolerance: The amount and type of risk that an organization deems acceptable to meet their strategic objectives.

In ISO 31000, specific to the term “context” (another word with a strong relationship to risk-based thinking and inherent risk), the authors noted the following as it relates to risk management: “It is important to evaluate and understand both the external and internal context of the organization, since these can significantly influence the design of the framework.”

So, why am I sharing this background with you?

I’m of the opinion that the business continuity discipline – and other risk management disciplines – tend to use the term “risk-based” rather loosely, without a clear definition of what it can (and should) mean or a clear understanding of how it can add value. I also think that when it comes to one of the synonyms for risk-based, that being inherent risk, we over think its use as well. So, let’s briefly explore both to add some clarity.

Avalution’s Definition of Risk-Based
Risk-based thinking essentially means considering the consequences of an action when making a decision. Factoring in probability of success or failure, as well as the impact associated with the decision, organizations and their leadership teams can make better-informed decisions to assist with meeting strategic objectives.

In the case of business continuity, risk-based thinking helps prioritize where to focus limited time and resources to introduce – or improve – resilience or recoverability, optimally looking at the organization from a top-down perspective. In doing so, the organization not only protects what’s most important, but it also ensures that business continuity capabilities address leadership and key third-party expectations.

Avalution’s View on Risk-Based Thinking (or said another way… Inherent Risk)
At a strategic level, the concept of inherent risk is exceptionally valuable. Considering the inherent risk in anything – business continuity and information security, as two examples – helps clarify the level of time and resource investment necessary to meet the organization’s objectives. If we apply the concept of inherent risk to the organization’s ability to meet its strategic objectives, or to its ability to continue delivery of Product X, it can be valuable to help make decisions on where to focus limited resources.

Where the concept fails to add value is when we seek to determine inherent risk at the tactical or activity/resource level. It’s at this level that we often see controls in place to manage risk, and it’s valuable to tie these activity or resource-level controls to higher level processes or products/services to assess inherent risk, rather than at the lower level (after all, why ignore what’s in place already?). At this level, residual risk is a far more important input into making appropriate risk treatment decisions.

The Value of Risk-Based Thinking
As briefly mentioned, risk-based thinking helps bring focus to the business continuity planning process. Instead of working to plan for all scenarios for all locations, IT applications, and “boxes on the organizational chart”, imagine a focused planning effort that prioritizes efforts based on the business activities and resources that directly contribute to the continual delivery of the organization’s most important products and services, or the most important obligations that, if missed, would result in a non-compliance situation. Engaging leadership in prioritizing critical products and services, and then comparing the failure to deliver products and services to the organization’s risk appetite, helps senior leadership make well-informed and consistent decisions for the benefit of all stakeholders.

Let me offer a case study to explain the value of risk-based thinking. I had a discussion recently with the director of Fortune 1000 business continuity program. He mentioned that he was struggling with the workload associated with driving the maintenance of approximately 1000 business continuity plans globally. We discussed how he was currently prioritizing the maintenance effort – or said a different way, where he was spending his and his team’s time – directly engaging with the business to drive maintenance and continual improvement. He indicated he didn’t have a prioritized approach and all plans were essentially viewed as equal. We then discussed how to engage leadership in obtaining the guidance necessary to prioritize, based on the importance of products/services and the business risk associated with failing to deliver these products. We also discussed risk-based thinking specific to customer and regulatory obligations, all of which contributed to prioritizing business activities and resources. Recently I heard back on the results of the prioritization discussion, and I was happy to learn he did better than the 80/20 rule. Based on leadership guidance, he was able to focus his team’s time on 15% of the 1000 plans, as they were the business areas that introduced the most risk to the organization when facing a potential disruptive event.

Offer
Avalution recently created two context assessments – one for business continuity and one for information security. These assessments are designed to help our clients answer two key questions:

  1. What level of business continuity or information security do we need based on the unique nature of our organization?
  2. What are the tangible actions we can take to improve our risk profile specific to business continuity or information security risk?

If you’re interested in taking one of these assessments to help bring focus to your business continuity and information security processes, please reach out to me at [email protected]. I’d be happy to send you the assessment survey and schedule a time to discuss the results.

_______________________

Brian Zawada, Avalution Consulting
Business Continuity Consulting | Information Security Consulting | Catalyst