Risk management is an essential skill for any business professional. Whether it is keeping a second screwdriver on the job in case one is lost or broken, or carrying Errors and Omissions or liability insurance, we are constantly evaluating risks and the costs associated with managing those risks.
In this paper we are going to focus on understanding risk management. If you better understand that you have options when it comes to risks, you may be more comfortable with the risk brainstorming cycle.
1. Risk management
Risks are often complex. In an effort to disassemble or distill them, we’ll break each risk apart into two underlying components. Each component of a risk is normally managed separately. In this case, we’ll be working with the likeliness of a risk actually happening, and the impact of that risk on our organization. Risks can then be more easily visualized on a basic X-Y graph, with likeliness on one axis and impact on the other.
a. Likeliness or probability
Controlling the risk is actually two exercises in one. The first is to control the likeliness of a risk, that is, reduce the likeliness that the risk will occur. For example, say our software shop has been hired to create a feature-rich point of sale system. We may mitigate the risk of not meeting the customer’s feature list by extending the schedule or by adding engineers to the staff. Another option to reduce the likeliness of not meeting the customer’s expectations is to use a spiral, agile, or incremental release schedule in lieu of a waterfall development lifecycle, so the customer is able to see early on what they will be receiving in the end.
b. Impact or severity
The second is to control the impact of the risk, that is, reduce the negative impact to your business. Say you are concerned about fire: you can install fire suppression equipment to reduce the impact of a fire. Or consider lightning strikes: you can install lightning rods to reduce the impact on the building and its contents from the damaging effects of a strike. You can install redundant or high availability computer equipment to reduce the impact of a technology failure that would otherwise negatively affect your business (systems remain operational through a failure).
2. Risk treatment
Risks in themselves are not “bad”. In fact, risks can create opportunities – some businesses actually cater to helping people manage their risks, like portable air conditioning services, which help people in crisis when their primary air conditioning system has failed.
But risks can be bad, especially if they are not managed correctly. How can we reduce the likelihood or the impact of a risk? There are basically four ways to manage risk, and a few more we’ll discuss. Makes this pretty simple, no? We’ll look at each of these options in the order that you should be considering them.
The United States Department of Defense’s Defense Acquisition University enumerates the risk treatment options as ACAT, a mnemonic for Avoid, Control, Accept, or Transfer.
A: Avoid, eliminate, or withdraw from the source of the risk
First, you can avoid the risk altogether, that is, eliminate it completely. Now that sounds great, right? Avoidance is extreme mitigation! But risk avoidance is likely not practical in most situations. Let’s look at a few situations.
Let’s say you are a software shop. You’d like to add a new function to your software that includes automatic electronic data transfer to a bank. You realize this is a risky function, since it will have regulatory impact. In this case, you can avoid the risk by not implementing the feature. There is a drawback, though, and that is that you may lose sales because the feature is not present. Is this reasonable? Maybe.
Take another example: say you own a hair salon. You realize there is a risk that someone may get cut with a pair of scissors, and in fact the insurance company has identified the hazard and offered a significant discount if you do not use scissors in your practice. Great, to avoid that risk, get rid of all the scissors! But is this reasonable? By avoiding the risk, you are also avoiding any haircut engagements that require scissors. Sure, you can still do clipper cuts and razor shaves, but you cannot layer hair without scissors. Does this sound reasonable? It may be fine if you are on a military base and only cut men’s hair in a strict military style. It may not be so fine if you also cut hair for the wives of the servicemen.
C: Control, reduce, optimize, or mitigate
Second, you can reduce or “control” the risk. Risks are composed of two dimensions. In the case of controlling the risk, you’ll be working to optimize either the likeliness or the impact of the risk.
A part of mitigation is monitoring. Say for example you are a roofing contractor and have a firm fixed price (FFP) contract to replace a roof. Since this is FFP, you are responsible if material costs increase – but there is also an opportunity to make more money if you purchase the goods at a better price. You may decide to monitor the selling price until the kickoff. If the price goes up to some pain threshold and you believe further price increases are coming, you may purchase the goods early. If on the other hand, prices continue to erode, you may wish to continue to monitor until you absolutely need the material.
A: Accept, or retain
If all other options are too costly, too disruptive, or otherwise unacceptable, you can retain, or “accept” the risk. This is kind of like “self-insurance”. Accepting a risk is completely viable where the other mitigation options are too costly. Take for example insurance policies, which normally do not cover acts of war. If your business is destroyed by an act of war, you are by default self-insured, and you have accepted the risk.
Say you are part of a Business Warehouse Cooperative. You realize there is a risk that a hurricane could hit. It is impossible to avoid this risk, since you happen to live on the Gulf Coast. You can mitigate the risk by installing hurricane windows and shutters, and you have off-site backups and online cloud computing resources to protect your data. But there is still residual risk: you could lose your building, and you could lose your customers. You look into hurricane insurance and Business Interruption Insurance, and you believe the expected cost of the risk (its likeliness of occurrence times its impact) is less than the cost of insurance. In this case, you self-insure, and after all the mitigation, you retain the residual risks associated with a hurricane strike.
T: Transfer to another party
Third, you can share, or “transfer” the risk. Transfer of risk is actually quite common. Most of us have car insurance. Car insurance is transferring the financial risk of an accident to a third party.
There are also other forms of insurance. Say you are hiring a small computer and Information Technology shop to do a highly important deployment. You may wish to purchase “key man” insurance to transfer some of the risks associated with hiring this shop, just in case the key man dies during the deployment. Another common form of insurance to transfer or share risks is E&O or Errors and Omissions insurance. This form of professional indemnity insurance or professional liability insurance helps to protect you in defending against negligence claims.
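A worked decision for the hurricane scenario above, as an added example that is not part of the paper: each ACAT plan is scored as its fixed annual cost plus the residual expected loss (likeliness times impact) it leaves behind, and the cheapest plan wins. All probabilities and dollar figures are constructed, and the "avoid" plan is modelled as the lost business from relocating off the coast.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """A risk split into the paper's two components: likeliness and impact."""
    name: str
    likelihood: float  # chance the event occurs in one year (0..1)
    impact: float      # loss, in dollars, if it does occur

    def expected_loss(self) -> float:
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Treatment:
    """One treatment plan: its fixed yearly cost and the residual risk left behind."""
    option: str        # e.g. "avoid", "control + accept", "control + transfer"
    fixed_cost: float  # premiums, shutters, lost sales, ... per year
    likelihood: float  # residual likeliness after the plan is applied
    impact: float      # residual impact after the plan is applied

    def annual_cost(self) -> float:
        # what the plan costs you plus the residual expected loss you retain
        return self.fixed_cost + self.likelihood * self.impact


def rank_treatments(treatments):
    """Cheapest plan first; equal costs keep their input order."""
    return sorted(treatments, key=lambda t: t.annual_cost())


def cheapest(treatments):
    return rank_treatments(treatments)[0]


# Constructed numbers for the Gulf Coast warehouse cooperative scenario.
HURRICANE = Risk("hurricane strike", likelihood=0.05, impact=2_000_000.0)
HURRICANE_PLANS = [
    # Avoid: relocate inland; the paper calls this impractical, here it is priced as lost business
    Treatment("avoid", fixed_cost=500_000.0, likelihood=0.0, impact=0.0),
    # Accept as-is: no controls, retain the whole expected loss
    Treatment("accept", fixed_cost=0.0, likelihood=0.05, impact=2_000_000.0),
    # Control then accept: shutters, windows and off-site backups cut the impact, not the likeliness
    Treatment("control + accept", fixed_cost=20_000.0, likelihood=0.05, impact=800_000.0),
    # Control then transfer: same controls plus hurricane/business-interruption cover with a deductible
    Treatment("control + transfer", fixed_cost=20_000.0 + 60_000.0, likelihood=0.05, impact=50_000.0),
]
```

With these figures the ranking reproduces the paper's outcome: mitigate, then self-insure the residual, because the premium costs more than the residual expected loss it would remove.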
E: Another option: Exploit!
Exploiting a risk is an interesting idea. If you are a Home Health Agency, and you see a significant risk with HIPAA, you may create a new business focused on helping Home Health Agencies with HIPAA compliance.
Risks are a part of everyday life. Every day, we are faced with risks and with managing those risks. Risk management is an essential skill required to effectively run a business.
In this short paper we’ve looked at concrete methods to manage risks. Risk management playbooks are important, and prior planning prevents all sorts of problems. However, remember that risks are ever evolving, and managing risks requires some amount of flexibility in the practitioner.