Andy Osborne is Acumen's
Consultancy Director and author of :

Business Continuity Tips

Andy is committed to passing on his expertise and extensive hands on experience in the field of Business Continuity Management.

So... here's the full text to compliment his link...


It depends...

Traditional risk management techniques usually revolve around creating a list of all the bad things that might happen, ranking them in some way according to likelihood and impact and adding a corresponding list of mitigation measures, many of which never actually get implemented. Whilst this approach often provides the required tick in the box for an auditor, as often as not all that we’re left with is a risk register and a feeling that we’re missing the point slightly.

The trouble is that for all but the most obvious ones, anticipating specific threats is a bit hit and miss and largely a matter of guesswork. And the process of assessing likelihood and impact is usually no more scientific than holding a wet finger in the air. In any case, we can almost guarantee that the problem that ultimately hits us won’t be one of the risks we previously identified. And it’ll probably be something that’s outside of our control anyway.

So is there a better way?

One way might be to stop worrying so much about the specifics of what might go wrong, particularly if it’s something that we have no control over; to focus instead on what we need to go right and identify what we depend upon for that to happen. By looking closely at the dependencies within a process, activity, system, business, environment, project, piece of machinery or whatever, we can determine where failure could prevent our success and identify appropriate contingencies.

Mapping our dependencies can help us to identify vulnerabilities that need to be addressed and secure ourselves against unknown threats, whatever they are and no matter how difficult they are to predict. And if our boat’s still floated by the traditional risk assessment process, dependency modelling can help us to be far more targeted than the typical “scatter-gun” approach.

If nothing else, focussing on the positives, rather than the negatives, might make risk management slightly less depressing for those involved!