BCM Planning Methodology

Assessing Your Risk: Treating Your Risk

Written by Goh Hua Wei | Apr 5, 2019 4:17:57 PM

This is the second part of "Assessing Your Risk" in "The New Manager" series for BCM and CM, and it focuses on:

  • Understanding the ISO 31000 Risk Management Model
  • Implementing and selecting the appropriate "Risk Treatment" for the identified risk.

Note to Course Participants: Proceed to the last section of this blog to better understand the types of "Risk Treatment" when completing your assignment.

Note to Reader: In the BCM Institute planning methodology, this phase is called "Risk Analysis and Review" when applied to Business Continuity (BC) planning and "IT Risk Analysis and Review" when applied to IT Disaster Recovery (IT DR) planning. When it is applied to the Crisis Management (CM) and Crisis Communication (CC) planning process, it is called "Crisis Risk Assessment." These are the names you will meet when going in-depth into the various disciplines of BCM, CM, CC and ITDR.

ISO 31000 Risk Management Process

Collectively, ISO 31000 calls the three steps of threat identification, risk analysis and risk evaluation "risk assessment".

ISO 31000 Risk Management Model

It often makes sense to group risk rating values to give risk levels so that threats falling within the same risk level grouping can be assigned the same level of importance and priority for treatment. The higher the risk level, the more priority would be given to treat the threat.

Risk Treatment Options

ISO 31000 lists four generic risk treatment options that would address the majority of risks. These are:


Risk Treatment and Description

  • Avoidance: Risk Avoidance is to make an informed decision not to become involved in, or to withdraw from, a risk situation.
  • Reduction: Risk Reduction is to take appropriate actions to lessen the probability, the negative consequences, or both, associated with a risk.
  • Transference: Risk Transference refers to shifting the burden of loss for a risk to another party through legislation, contract, insurance or other means.
  • Acceptance: Risk Acceptance is to make an informed decision to accept the likelihood and impact of a particular risk, or to pursue an opportunity. Risk Acceptance depends on the risk criteria and risk appetite of Top Management.

Mapping of Risk Treatment

Controls

Controls are instruments or practices used to manage risk. Every control falls within one of the four treatment options above. We will discuss each of these risk treatment options in another blog.

Existing Controls

These are the controls currently implemented for the organization to mitigate the risk posed by the threat.

Additional Controls

These are controls that have been identified but are not yet implemented. Existing controls, where effectively implemented, are taken into consideration when prescribing the risk treatment.
