Updated October 12, 2023
Nowadays, a business interruption is a matter of when, not if. Over the last decade, the topline risk of disaster-related closings of business facilities has only increased, while business interruptions themselves have become more expensive for companies to recover from [i]. More concerning still, interruption isn’t the only serious business risk requiring sustained senior management oversight. From public and operational security to occupational health and safety, the ranks of significant risk continue to grow, as the wider macroeconomic environment just gets more difficult for business.
Risk scholars Howard Kunreuther and Michael Useem offer a few reasons why. They highlight a number of important, cross-industry trends that are exacerbating business risk across the globe. Those trends include growing interdependency, shorter-term (management) thinking, increased regulation, greater geographical clustering, higher probability of systemic shock, and new calls for transparency, spurred on by advances in information and communications technology [ii].
Indeed, Kunreuther’s and Useem’s broad sweep of factors lines up nicely with more targeted analyses of major business risks. For instance, global insurer Allianz puts out an annual list of the top ten global business risks. In 2018, the top risks include the following:
Predictably, in advanced economies, we see a high correlation in risk profile(s), including a high incidence of relatively new risks. In the U.S., for instance, the top three risks now include cyber incidents, business interruptions, and natural catastrophes; the latter appears after the record-breaking 2017 storm season, which is linked to climate change and the increasing volatility of weather [iv]. Major risk in the U.K. is similar, except changes in legislation and regulation replace natural catastrophes in the top three. After all, the country is negotiating its exit from the European Union. Meanwhile, Australia’s top three risks are the same as the U.K.’s.
So how do companies succeed in this volatile business environment? They develop proactive, forward-looking risk strategies, processes, and systems to cope with and anticipate profound shifts in business risk.
Too often, though, firms are asleep at the switch, the last to react to changes in their very own risk profile. Case in point: attention to disruption and interest in risk usually increase only after major crisis events, e.g. the September 11 terror attacks and the 2008 global financial meltdown, and then peter out. Harvard Business Review puts it best: “Discussions of risk usually come to the forefront in times of crisis but then recede as normalcy returns” [v].
Then, what’s to be done to prevent backsliding into risk complacency? Having a firm grasp on the fundamentals of risk and risk management certainly helps. For starters, any risk (risk being defined as an expression of possible loss due to a hazard) has three basic components:
What’s more, risk itself can be divided into a few categories. There’s not just the risk you identify using your analytical tools, but also the risk you have yet to find. The sum of identified and unidentified risk makes up your total risk profile.
Meanwhile, there are varying degrees of risk within the category of identified risk: acceptable and unacceptable risk. Acceptable risk, as the name implies, is the risk you tolerate once you’ve applied controls to manage your risk profile. Controls are the actual strategies and tools you’ll use to manage risk, either to mitigate risk or eliminate it altogether. An effective control will reduce or eliminate at least one risk component. Unacceptable risk, on the other hand, is the portion of identified risk that you simply can’t accept; unacceptable risk must be eliminated or, at least, actively controlled [vii]. Residual risk, which can comprise acceptable risk and unidentified risk, is the amount of total risk that remains after your risk management efforts have been brought to bear [viii].
Hazard: Any real or potential condition that can cause degradation, injury, illness, death, or damage to or loss of equipment or property.
Risk: An expression of possible loss due to a hazard in terms of severity (usually qualitatively categorized) and probability (also qualitatively categorized).
Identified risk: Subset of risk that has been determined to exist using analytical tools. The time and cost of analysis, the quality of the risk management program, and the state of the technology involved affect the amount of risk that can be identified.
Unidentified risk: Subset of risk that has not yet been identified. Some risk is not identifiable or measurable.
Total risk: The sum of identified and unidentified risk.
Acceptable risk: The part of identified risk that is allowed to persist after controls are applied. Risk can be determined acceptable when further efforts to reduce it would cause degradation of the probability of success of the operation, or when a point of diminishing returns has been reached.
Unacceptable risk: The portion of identified risk that cannot be tolerated but must be either eliminated or controlled.
Residual risk: The portion of total risk that remains after management efforts have been employed. Residual risk comprises acceptable risk and unidentified risk.
Source: Federal Aviation Administration
Examining the idea of acceptable and unacceptable risk brings up a central question of risk management: how much risk is too much risk? Risk management, of course, is all about identifying, evaluating, and determining the risks your company is exposed to and coming up with policies, processes, and procedures to manage those identified threats [ix]. But you simply can’t run a business without introducing some degree of risk. Even if you could identify every single risk, it would require a significant outlay of resources to control all of them. And as you can imagine, allocating that number of resources to risk management would have opportunity costs for running the business as a whole [x].
Risk management goal
Limited resources for controlling identified risks aren’t the only stumbling blocks to effective risk management. In many respects, businesses are working at a major deficit, especially with the emergence of new risk types, like cyber data risk, greater focus on reputational risk, and regulatory changes in occupational health and safety. The sheer pace and volume of change are overwhelming risk teams, quickly rendering their existing processes and frameworks (many of which are disjointed, disconnected, and overly manual) redundant, outmoded, or just plain incapable of preventing risks (systemic or otherwise) from turning into major incidents.
We see this lack of a comprehensive, integrated operational risk management approach play out particularly with teams who lack the internal (communications) tools to properly integrate their knowledge base of risk into their systems for managing risk. In turn, managers don’t get visibility into companywide risk, which limits them to a fragmented view of (section-specific) risk. And despite the high probability of contagion between business lines, team-specific processes to identify, assess, manage, monitor, and report on risk tend to proliferate, with the following downstream consequences:
Risk management being difficult in the best of times, even teams who deploy best practice processes can easily find themselves at a risk preparedness deficit. The surfeit of emerging risks, including new public safety threats to the enterprise, can point up major skills and capabilities gaps within companies.
Nor is the cost of ineffective risk management trivial. Get risk management wrong and your business might suffer from workplace injuries and accidents, productivity loss, damaged assets and products, even significant financial penalty. Just the cost of an on-the-job accident can add up quickly. Companies will have to shell out to train replacements, repair equipment, and pay higher insurance premiums, while also losing time and prestige and sacrificing employee morale [xi].
So what can be done, especially if you can’t adequately control all of your company’s identified risks? Well, as one business scholar puts it, a good rule of thumb for effective risk management is “pursuing sensible and informed risk profiling and decision making toward increased returns” [xii]. In other words, risk is inevitable; tradeoffs in risk management are inescapable. To make better-informed tradeoffs, stakeholders need to operate with a strategic, business perspective in mind, anchoring their risk management practices within a larger, organizational context [xiii].
Turning these guidelines into practices starts at the top, though. Only business leaders can align a company’s risk appetite with its risk management aims. But doing so effectively requires executives to promote greater risk awareness and transparency. Executives also have to empower staff to contribute their own ideas in order to improve risk processes and controls.
What’s more, a supportive risk culture begins with a robust reporting culture. To get better reporting outcomes, executives have to invest in the appropriate tools that will enable their teams to fully assess and document risks, including detailed information on why certain identified risks were accepted (and others not). Additional best practices include:
Another important takeaway is striving for a closed loop of continuous improvement in managing your operational risks, the risks of running your business, or, as international policymakers at the Basel Committee on Banking Supervision define the term: “the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events” [xiv]. A central theme of operational risk management is that risks are more easily assessed and managed in the planning stages of any given operation, rather than during implementation and execution, when changes become more expensive and time consuming.
Undertaken successfully, operational risk management cuts down on your operational surprises. But getting it right takes work. That’s because operational risk management is an actual process (or cycle) of risk assessment, decision making, and implementation (of controls) that needs to be pursued in toto. Here, then, are the stages of the operational risk management life cycle:
Indeed, not all hazards lend themselves to this kind of in-depth operational risk management, which is the level of operational risk management you’d undertake without major time constraints. Conversely, time-critical risk management makes use of an abbreviated life cycle, in which teams skip straight to assessing the situation, before balancing resources, communicating risks and intentions, implementing controls, and (finally) debriefing.
So, what level of operational risk management makes the most sense for your business? The frustrating answer is it depends. It depends on any number of factors, none more important than available time and resources. What we can say, though, is the best operational risk management frameworks balance prevention and response. They also put a high price on continuously improving the efficiency of control systems so as to support larger business objectives [xv]. Getting there in the short term takes eliminating redundant and overlapping controls, as well as issuing specific guidelines on how to perform best-in-class root cause analyses.
In the medium-term, though, sophisticated tools will be absolutely integral to developing a strong operational risk management culture at your business. And here, flexible, integrated all-hazards management technology can help. Specifically, bundling operational risk tracking and incident management functionality into the same solution renders incident response more efficient. Cross-linking hazards with incidents (within the same solution) gives teams the requisite history and intelligence they need to trigger necessary changes in their risk management plans and processes, as well as helps them identify where controls might have failed to achieve desired outcomes.
It, therefore, makes sense to find a risk management solution capable of handling all types of business-as-usual incidents, as well as planning activities for risk and business continuity management, as well as incidents and the entire emergency management lifecycle. Ensure your system provides tight integration with assets, contacts, documents, events, tasks, workflows, scheduled reviews, reporting, communications, resource allocations, key risk and reporting indications, etc. Your solution should also be able to perform the following functions:
Finally, a firm commitment to consistently upgrading your risk management systems and processes is the best way to build a solid risk and reporting culture. And if your company is like many others, you already have strong risk management practices from which to spring off, just not the right solution set.
Indeed, business leaders, including C-suite executives and their boards, now take an active interest in the management of risk. But they don’t always have the best understanding of emerging or unidentified risk (their teams, for any number of reasons, aren’t always transmitting a complete picture of operational risk), so they can’t fully turn risk management into a driver of value creation and profitability [xvi].
Now they can. Operationalize the best practices we’ve discussed in this paper with advanced, comprehensive, integrated risk management software to recoup the business benefits of effective risk management: increased C-suite visibility, more informed risk taking and decision making, lower compliance costs, and increased mission effectiveness.
i. Allianz Global Corporate & Specialty: Global Claims Review 2015: Business Interruption in Focus: Global trends and developments in business interruption claims. Available at https://www.agcs.allianz.com/assets/PDFs/Reports/AGCS-Global Claims-Review-2015.pdf.
ii. Howard Kunreuther and Michael Useem, Oxford University Press: Mastering Catastrophic Shock: How Companies Are Coping with Disruption.
iii. Christina Hubman, Heidi Polke-Markmann, and Patrik Vanheyden, Allianz Global Corporate & Specialty: Allianz Risk Barometer: Top Business Risks for 2018. Available at https://www.agcs.allianz.com/insights/white-papers-and-case studies/allianz-risk-barometer-2018/.
iv. Wayne Drash, CNN: Yes, climate change made Harvey and Irma worse. Available at https://www.cnn.com/2017/09/15/us/climate-change-hurricanesharvey-and-irma/index.html.
v. Kevin Buehler, Andrew Freeman, and Ron Hulme, Harvard Business Review: The New Arsenal of Risk Management. Available at https://hbr.org/2008/09/the-new-arsenal-of-risk-management.
vi. Federal Aviation Administration: FAA System Safety Handbook. Available at https://www.faa.gov/regulations_policies/handbooks_manuals/aviation/risk_management/ss_handbook/media/Chap15_1200.pdf.
vii. Ibid.
viii. Ibid.
ix. Edward Cho, Georgia State University: Exploring Barriers to Effective Risk Management Through a Proposed Risk Governance Framework. Available at https://scholarworks.gsu.edu/cgi/viewcontent.cgi?article=1062&context=bus_admin_diss.
x. Ibid.
xi. Mike Shannahan, Occupational Health & Safety Magazine: Risk Management in the Workplace: What You Should Know. Available at https://ohsonline.com/blogs/the-ohs-wire/2013/11/risk-management-in-the-workplace.aspx.
xii. Edward Cho, Georgia State University: Exploring Barriers to Effective Risk Management Through a Proposed Risk Governance Framework. Available at https://scholarworks.gsu.edu/cgi/viewcontent.cgi?article=1062&context=bus_admin_diss.
xiii. Federal Aviation Administration: FAA System Safety Handbook. Available at https://www.faa.gov/regulations_policies/handbooks_manuals/aviation/risk_management/ss_handbook/media/Chap15_1200.pdf.
xiv. Basel Committee on Banking Supervision: Principles for the Sound Management of Operational Risk. Available at https://www.bis.org/publ/bcbs195.pdf.
xv. Tom Ivell and Vikram Jain, Oliver Wyman: Managing Operational Risk: What Financial Services Can Learn from Other Industries. Available at https://www.oliverwyman.com/content/dam/oliverwyman/global/en/2014/dec/Rethinking_Managing%20Op%20Risk.pdf.
xvi. Howard Kunreuther and Michael Useem, Oxford University Press: Mastering Catastrophic Shock: How Companies Are Coping with Disruption.