If you’re new to Business Continuity, you have a lot to learn. A thorough understanding of Risk – and how to assess Risk – need not be on your To Do list.
As a BCM professional, you already know how much time you spend on Risk Assessments. Have you ever considered how little value a BCM-centric Risk Assessment provides?
Most large organizations have a Risk Management department. It catalogues, monitors and manages risks. If that’s already their full-time job, why are you conducting Risk Assessments? Even in a smaller company, is a BCM practitioner really most qualified to be conducting Risk Assessments?
Risk Management is more a science than a project. Risk Managers spend their time focusing on risks. Most small businesses without dedicated Risk Management departments understand their organization’s risks – even if they don’t act on them. Those who set a business’ strategic direction consider risk in those plans (regardless of whether they do so consciously).
So why should we expect Business Continuity managers to be Risk experts? They devote their time and energy to assessing risks specifically for BCM – when an understanding of organizational risks already exists elsewhere in their organization.
Asking line managers to help evaluate risks to their business processes is equally wasteful. Most are too close to day-to-day operations to perceive all but the most obvious risks, and generally have no prior experience thinking about risks. So BC Managers often fall back on a predetermined list of potential risks that includes only the most widely impactful ones and has limited, if any, value.
A Business Continuity Management program can function without conducting Risk Assessments. Conversations with the right people (Risk Managers or strategic managers) can collect sufficient information to accommodate the needs of BCM.
Stop reinventing the wheel; leverage existing institutional knowledge. Then cross Risk Assessments off your Things-to-Do list.
About the Author
Jim Mitchell is a frequent speaker at Business Continuity conferences. Many of his blogs can be found elsewhere on eBRP’s website, and he has published articles in DRJ, Continuity Insights and Continuity Central. Jim has more than 20 years of experience in Business Continuity; if you don’t agree with his opinions – he won’t be surprised.