BCI Benchmark
Hungry for risk
John Robinson explores the value of understanding your organisation’s continuity risk appetite and its role in facilitating the decision-making process

When you propose treatment for a continuity risk, what tells you whether or not it fills the gap adequately? As professionals, we can judge if it fulfils best practice, but what if we’ve misinterpreted the business requirement and under-protected or over-spent in the eyes of senior management? This implies there can be no universal ‘right decision’. If this is the case, who then defines adequacy and how do we recognise it, since clearly not all organisations need the same level of protection?

BS25999 makes it clear that we should offer risk treatment choices and it categorises these broadly as business continuity (mitigation), acceptance, transfer and termination. However, in doing this it alludes to another critical but intangible variable – appetite. Risk appetite arises because we are obliged to decide on the extent to which we remediate as well as the blend of treatments we decide to use. It is often expressed (sometimes unknowingly) in the form of a budget and suggests that a residual or accepted risk component always remains, since no-one is willing or able to spend an infinite amount on treating the most extreme risks. Our risk appetite is therefore an indicator of the residue we are prepared to accept.

Risk appetite parameters

Risk appetite sounds woolly and hard to pin down. However, it is a real and arguably essential concept. Perhaps the best illustration is a familiar one, where a business area demands the ability to restore an application within four hours, whereas IT’s current capability is two days. Both are typically estimates based on a mix of experience and perception. The key determinants are:
• The rate at which business impact increases for each additional hour by which application recovery is delayed. This may never happen and is often an estimate
• The capital and revenue cost for each hour by which application recovery time is reduced. This has to be done now and may incur both capital and revenue costs

The aim is to find a mid-point where estimated risk and real cost are both accurately reflected and acceptable to stakeholders.

In a perfect world, a negotiation takes place where one or both positions soften in the light of improved understanding, resulting in ‘final offers’ which may or may not coincide. To resolve any deadlock, the possibility remains that a senior decision-maker may be engaged. They may of course choose a third potentially extreme position due to knowledge or opinion not possessed by the two original parties, or because of a different perception of the risk. This final position and the reasons for its adoption provide an abstract expression of the organisation’s risk appetite for this situation, and may be usefully applied to inform other similar situations.

Understanding your organisation’s continuity risk appetite has value. It has the potential to accelerate negotiations, such as those in our example above, and means that risk treatment proposals are more likely to satisfy senior decision-makers, saving time and reducing the chance of error – it provides protection. Proposals that ignore risk appetite stand a greater chance of rejection or if accepted, may expose the organisation to over-spend or under-protection in the eyes of stakeholders. Stakeholders can reasonably expect risk to be managed consistently across an organisation, generating a similar return on investment without significant gaps or overlaps. For large organisations, this implies that locations with diverse continuity risk profiles, separate budget constraints and relative management independence should somehow achieve the same balanced levels of continuity risk management through consistent decision-making.

A special case

To compound matters, continuity risk is a special case. Information, experience and certainty each affect risk appetite and they act as a kind of amplifier. A natural risk-taker may find it easy to make a decision faced with incomplete information, whereas a strongly risk-averse individual may err on what they believe is the side of caution, given the same information. This means that small amounts of additional information can be influential.

November/December 2009  Continuity  