Risk matters

15 February 2017

In its first column for FSM, the International Institute of Risk and Safety Management (IIRSM) explains how systematic risk management safeguards business resilience

WE ALL live with uncertain futures and we can’t freeze in time, stay still and do nothing – we all have things we want to achieve, opportunities we want to exploit and changes we want to make. 

Public bodies want to provide services, businesses want to serve their customers and owners, charities want to deliver change for their stakeholders and as individuals we have aspirations for ourselves and those close to us. 

But we can never be completely sure how things will turn out. Risks in the real world and risks arising from our own actions may stop us achieving our goals. Sometimes these risks will lead to direct monetary loss, but they can also lead to illness and injury, damage to the environment and property, business failure, loss of employment or waste of human potential. 

Managing risk 

Today, there exists a body of knowledge about risk and a variety of skills, tools and techniques that can be applied to improve outcomes, regardless of the industry or sector, in a similar way to other professional disciplines such as accounting or human resource management.

It provides a means for organisations to handle uncertainty, including new problems arising from changing circumstances. While it acknowledges that nothing in life is certain, the practice of systematic risk management should improve business resilience, increase predictability and contribute to improved returns and outcomes. Risk management is therefore about both helping an organisation achieve its objectives and protecting its reputation and core business activities.

IIRSM believes that practical educational approaches to managing risk for all, and not purely for risk professionals and specialists, ensure that more people have the knowledge and competence to help their organisations avoid harm and maximise opportunities.

Business continuity 

Business continuity management (BCM) provides the tools for organisations to recover from major disruption from fires, flu pandemics, extreme weather, terrorism, cyber attacks or other risks. 

It is a holistic management process that identifies potential risks to a business and the impacts they may have in the event of major disruption to normal operation of the organisation. While risk management is concerned with risks facing the organisation, BCM is concerned with continuity of operations across the organisation. BCM takes account of future plans and strategies, whereas risk management is concerned with threats to those plans and strategies.

Similarly, while continuity of core processes and resources is a key component of BCM, risk management is concerned with identifying, and if necessary mitigating, risks associated with those processes.

Resilience partnership

There are three main risk areas where business continuity planning can help with overall risk mitigation strategy. Firstly, some risks faced by an organisation may be unexpected, where the impact and/or probability cannot be easily predicted.

Secondly, there are those areas where significant or frequent disruption can be expected, should the risk materialise. Lastly, there is the arena where high levels of system complexity exist so risk outcomes are difficult to predict. Allied to this, inter-related or interdependent risks, sometimes in themselves quite simple, taken together can create potentially disastrous effects.

In all these areas, BCM provides the necessary resilience for the organisation to both survive and recover from incidents caused by the risks involved.

Both BCM and risk management require an element of centralisation, in terms of frameworks and policies, and embedded devolution, to deal with the practical implications.

Risk identification and assessment should be carried out alongside business impact analysis (BIA) in developing a BCM plan. Identification of mission-critical activities and the required recovery time in the event of disruption is a key part of BIA, but is equally important in understanding the risks facing an organisation in order to develop the broader risk treatment strategy.

Increasingly, organisations are learning that risk management and business continuity planning are complementary – they are two sides of the same coin. Close cooperation, or indeed complete integration, between the two is vital.

For more information on IIRSM, visit