This report, published by Deloitte, explains that risk intelligence is a risk management philosophy focusing on the use of both risk avoidance and risk-taking to create value.  While this article deals with risk intelligence, it focuses on the risk avoidance aspects as it discusses prudently preparing for the occurrence of negative events. 

Businesses are constantly threatened with risks and preparedness is important to prevent the occurrence of these risks from causing the business to suffer more than is necessary and to allow the business to emerge from the disruption in the best shape possible.  Risk intelligent organizations can use the threat of these risks to broaden thinking about risk beyond company walls and traditional business continuity planning.  These actions can lead to greater resilience, faster recovery, and a competitive advantage in the marketplace in the wake of risk events.

In planning for risk events, organizations should move beyond statistical modeling and scenario planning to implement a business impact analysis.  A business impact analysis often fills a critical knowledge gap by looking at ways the organization could be impacted regardless of the cause because while disruption is likely to occur, its causes are often uncertain.  This analysis also helps narrow the focus from analyzing potential events that could cause a disruption to the impacts and their business consequences that are likely to occur due to a disruption. 

Organizations should seek to be prudently and practically prepared, and this level of preparedness will differ for each organization.  Organizations should make conscious, informed decisions about what level of risk to accept and do what is needed to reasonably prevent, detect, and respond to business disruptions.  Preventing business disruption is often the most effective means available, but if prevention is not viable then detection, response, and recovery plans are important tools.  The importance of adequate preparedness is especially evident with risks that occur quickly, without advance warning.  For these risks, a business disruption plan may represent the difference between a fast and slow recovery as ample planning allows response to the event to proceed quickly. 

There are several steps companies can take to plan and prepare for business disruption events:

  • Build a business case for risk management, ensuring risk assessments are followed up on.  Good risk management can provide a competitive advantage through improved shock resilience.
  • Assess risk exposure through various methods such as scenario planning, business impact analysis, and statistical modeling.
  • Consider the impact of events on people so work can continue remotely or onsite if needed. 
  • Think expansively as some threats may impact multiple locations.
  • Look external to the organization to upstream and downstream entities to ensure their business continuity and disaster recovery plans are strong.
  • Evaluate outsourcing arrangements to understand the extent to which they are providing critical services.

There are numerous risks that a business may face, but rather than be overwhelmed by this and do nothing, companies should take steps to mitigate risk exposure.  Activities companies can integrate into existing risk management structures involve three stages: anticipation and preparation activities in advance of a disruption, first response activities to contain the problem, and recovery activities to resume business activities both immediately after the event and in a more long-term reevaluation and adjustment of activities.

Subscribe to ERM Insights

The latest research, insights and opportunities from the NC State ERM Initiative to help
you and your organization lead with confidence.

ERM Enterprise Risk Management Initiative 2009-06-01