Risk Mitigation

How is risk mitigation incorporated into a Business Continuity Plan?

In ISO 22301 there is a protection and mitigation section where three points are made:

1. Reduce the likelihood
2. shorten the period of disruption
3. limit the impact of disruption on the organization’s key products and services

White Island Eruption

I have been following the news of the White Island eruption this week. There has been a lot of talk about acceptable levels of risk, and it raises a lot of questions:

• Is the risk of being involved in an active volcano eruption worth visiting such an impressive natural site? I would say “no” – however, I have walked around a volcano in the Greek Islands and visited Yellowstone National Park and Rotorua. All volatile natural areas where you don’t expect anything to go wrong – but there is always a risk.
• Should it have been the tour operators decision to continue tours, despite the raised volcanic activity? They have a vested interest in continuing tours, however it was also reported that this was a sudden eruption with no warning.
• What happens to the tour business now? Will it reopen in the future? Will there be tighter controls around when tour groups are allowed onto the island. Will this ruin their business, or will it make people more interested in visiting White Island?

Risk Mitigation in Business Continuity Plans

Feedback from BCP Builder Community on LinkedIn:

• This image depicts a series of detective, preventative controls as risk mitigation and corrective, responsive controls using the Business Continuity Plan (image credit – Continuity 22301 Ltd).

• There should be close collaboration between the business continuity and the risk functions in an organization. This includes mutual participation in business impact analyses, table-top exercises. Ongoing, regular dialogue will ensure there is a shared vision of what risks exist, and agreement on risk mitigation strategies.
• Traditionally, the Business Impact Analysis is performed first, followed by the Risk Assessment.  However, there have been differing views on the sequence of those two activities over the years. Both are essential components of a Business Continuity, Disaster Recovery or Resilience plan.
• Prioritized resource (determined from a Business Impact Analysis) based risk assessments are a good mechanism for developing business continuity plans. This is where you look at your most in-demand resources based on your Business Impact Analysis and do a risk assessment against losing any of these resources. 
• Leveraging modern technologies such as Microsoft Teams in your communication plans extends the opportunity to collaborate across sites and departments and quickly respond to any incident. It’s all about that path to business as usual.

If you want to increase your Organizational Resilience, start with preparing a Business Continuity Plan and check out BCP Builder’s Business Continuity Planning Templates.