Traditionally, risk management mainly encompassed recovery-oriented strategies, meaning that companies sought the best methods to recuperate from disruptive events. Recently, however, there has been a change in perspective in the risk management field. This new approach is oriented toward resiliency, or the organization’s ability to cope with risks without discontinuing its operations (Engemann & Henderson, 2012). By adopting such a proactive approach, the company can improve its business operations by identifying and eliminating any weak spots.
In the present case, it appears that the company is equally vulnerable to both internal and external threats. Internal threats primarily concern either staffing and personnel issues, or IT-related security problems. External threats, on the other hand, involve weather, technology, and people-related issues, including floods, snow, terrorism, and utility failures. Typically, companies have far less control over external threats, so resiliency plans are particularly relevant in addressing them: if an organization cannot mitigate risk, it can, nevertheless, ensure that it is prepared to face it.
Thus, the company can adopt resiliency controls to address the threats it faces. In the present case, these controls are typically related to the creation of backup files and materials. For instance, having backup equipment, or its parts, as well as having an alternative site for sample processing can help the company face the risk of equipment damage and sample loss. Duplicating some information can also help the organization deal with the loss of information or security attacks. A similar strategy can be adapted to deal with staffing or budgeting issues, whereby the company hires more employees and maintains an excess budget so that the related risks do not affect it. However, such measures also tend to be quite expensive, even if they help the enterprise to continue functioning in case the threat event does take place.
The resiliency approach can also be taken even if the organization’s planning assumes the smoking hole scenario. Essentially, it is a hypothetical worst-case scenario whereby virtually all of the company’s resources are destroyed as a result of some event (Fischbacher-Smith, 2010). Importantly, these scenarios are highly hypothetical – meaning that they are very unlikely to occur. If all of the company’s resources are destroyed, it cannot resume its operations as normal. However, this is not to say that planning for the smoking hole scenario is irreconcilable with the resiliency posture: rather, it means that worst-case scenario planning prompts organizations to consider comprehensive and complex situations involving several of the company’s key assets. The organization is thus able to identify several weak spots that need to be improved.
Since the company does not always have the resources and the expertise necessary to address the threats it faces, it often needs to rely on outsourcing to external vendors. Thus, if a regional threat takes place, several organizations will be competing for the same resources, such as maintenance and support services from the external vendors. This creates a new contention risk whereby the organization does not get a timely and quality response from its outsourcing partners.
However, these risks can also be mitigated. First of all, risk management experts emphasize cooperation and collaboration between different companies – meaning that these resources can be shared rather than competed for (Veysey & Souter, 2015). Even more importantly, the company may outsource the initial development to third-party vendors, and train its employees to maintain these products, so they are not dependent on external actors in the event of a threat.
Similarly, if a regional threat event occurs, organizations may find themselves competing for such a seemingly basic resource as cell phone reception if the network becomes overwhelmed. Organizations must try to forecast such peaks in demand for certain services and resources so that they can develop appropriate response plans. For instance, in the present scenario, depending on the goals of communication, several risk treatment strategies can be utilized. If it is important to gather employees in one place, the company may assign a meeting place where everyone needs to report if a certain threat occurs. The company can also instruct its employees to use text messages rather than calls, as they are easier for the network to transmit.
Several of the Quality Management Principles are especially relevant to the development and maintenance of risk assessment plans: customer focus, process and system approaches, fact-based decision-making, and continual improvement (International Standards Association, 2012).
Customer-oriented companies mitigate risks in such a way that any disturbance goes virtually unnoticed by the customer. Adopting the process approach allows organizations to see the links between different resources and activities. The system approach allows organizations to create a comprehensive picture of risks and opportunities and, consequently, harmonize and integrate different processes. The factual approach is necessary so that companies make predictions based on up-to-date and accurate data. Finally, since risks are constantly developing, especially in the IT sphere, companies need to make sure that they continuously gather feedback on their operations to improve their risk management strategy.
Engemann, K., & Henderson, D. (2012). Business continuity and risk management: Essential elements of organizational resilience. Brookfield, CT: Rothstein Publishing. Web.
Fischbacher-Smith, D. (2010). Beyond the worst case scenario: ‘Managing’ the risks of extreme events. Risk Management, 12(1), 1–8. Web.
International Standards Association. (2012). Quality management principles. Web.
Veysey, S., & Souter, G. (2015). Spotlight falls on risk managers in changing world. Business Insurance, 49(21), 6. Web.