There is a fundamental difference between disaster recovery and recovery from disaster. The difference is time, and both depend on an effective risk management strategy and a tested risk management plan in order to be successful.

The ability to recover from disaster is not a state we reach easily and should not be seen as an end state by any means.

In fact, many companies see their risk management and disaster management plan as a mere step in the compliance process. If they were instead to see it as a means to company survival, they would pay more attention to its accuracy as well as its ability to guide their company through the prevention of, immediate treatment of, and eventual recovery from disaster.

Risk and disaster management planning, as mentioned before, should not be seen as an end state; rather, they should be seen as stepping stones to a far larger end state, fondly known as a comprehensive business continuity program.

The diagram shown below indicates how risk management and disaster recovery are only two of the three foundational steps needed in order to begin formulating a business continuity strategy. The third step is a comprehensive business impact analysis, which gets done in conjunction with the risk analysis.

In order to plan against disaster effectively, one needs to have an indication of the nature and severity of the inherent risks facing one's type of business. The only way to achieve this is to do a comprehensive risk assessment.

Unfortunately, no matter which nation you come from, we are living in a VUCA world (vulnerable, uncertain, complex and ambiguous). It is for this reason that companies cannot adopt a one-size-fits-all safety net, as what may be relevant and effective for company A may be totally off the ball in terms of company B.

It is a well-known fact that different enterprises face different forms of risk and these risks also vary in severity. It is for this reason that companies need to get clarity on the sources and nature of the risk that they are likely to face.

In industry today, we face three main overriding classifications of risk, namely Uncertainty-based risk, Opportunity-based risk and Hazard-based risk.

Uncertainty-based risk is the type of risk one cannot predict or prevent and generally always ends up in loss. Examples of Uncertainty-based risk include criminal or terrorist activity, natural disasters and negligent acts or omissions by third parties.

Opportunity-based risk involves the choice between taking or not taking a risk. Either choice could end up being an advantage or a loss to the company making that choice. Examples of Opportunity-based risk include deciding between two different products, when to introduce new products to the market, or even whether to branch out into a new business venture. Each could bring about financial success or eventual ruin.

Hazard-based risks involve the potential to harm human capital. These risks include physical hazards, psychological hazards, chemical hazards, biological hazards and even ergonomic hazards. Most hazard-based risks require exposure to the hazard. Examples of Hazard-based risk include physical injury due to negligence, chemical or biological material spills, or even poorly maintained office furniture.

Every business, no matter the nature of its activity, will always face all three categories, to either a lesser or greater degree. Thus, all three categories need to be taken into consideration when assessing the company’s risk.

When looking at uncertainty, we need to understand that there are three sources of Uncertainty-based risk, namely natural disasters; intentional acts, including maliciousness or fraud, to name but a few; and unintentional risks, including visitor or employee errors or omissions.

Many people ask: “But why do we need to do comprehensive risk assessments before we tackle disaster management?”

The answer is simple: if you do not know what risks your company faces, how these risks escalate into events, and finally what impact these events will have on your business, then how do you know what constitutes a disaster in terms of your own company?

The aim at the end of any disaster is not only to have the enterprise survive the disaster, but to get the enterprise back into an equal or even better-looking state than it was in before the disaster struck.

Thus, the fundamental survival kit needed for disaster recovery (which is the action taken in order to survive a disaster in the immediate period) and recovery from disaster (a long-term effort required to bring the company or service back to the state of functionality and output that it enjoyed before the disaster occurred) is the company’s resilience, resources and practiced disaster recovery processes, all gained by having a comprehensive business continuity management strategy.

So, what is the role of risk management in achieving this end state?

By following the risk management process, and doing an in-depth study on the sources of risk that affect the nature of one’s specific company, one finds oneself in a position to add preventative, detective and corrective controls to the processes in order to prevent or lessen the impact of any event that may cause downtime. The identification of these controls, as well as the testing of these controls in the working environment, would not be possible if the risks were not properly identified at the beginning of the process. It is for this reason that risk management needs to be done in a very structured way, without missing steps along the way.

