Risk Acceptance

In addition to risk avoidance and risk transfer, the organization may decide to accept the risk. Accepting risks is not necessarily a risk reduction strategy however, it is a valid option when considering risk management. In accepting the risk, the organization is rolling the dice, gambling that an event or incident will not occur, and therefore the organization will not suffer a disruption in operations. The decision on which risks are acceptable will depend upon a thorough risk analysis to examine the probabilities of a specific incident occurring.

There are multiple reasons why an organization will choose the risk acceptance option. These include:

• The risk acceptance option has little to no costs (at least on the front end) 
• The costs associated with the occurrence of an incident is less than the costs associated with other risk management strategies
• The organization wants to save money up front with the understanding that it may incur significant costs in the future

Many organizations do not consider business continuity or disaster recovery in their strategic planning. By default, these organizations have selected risk acceptance as their risk management strategy. These organizations are “All-In” gambling that nothing will happen to cause a disruption in their operations and incurring the huge costs associated with this disruption. Every day of operation is a roll of the dice. They are trusting the dice to show snake eyes every time. Be careful, sooner or later the odds will go against you.

If I were to come to you on September 10, 2001 and ask, “what would we do if hijackers took over commercial airliners and used them as missiles to destroy our economic infrastructure?” you probably would have suggested I undergo mental counseling or at the very least a drug screen. If there is one thing 9/11 should have taught us, it is the phrase “that will never happen” is invalid. If risk acceptance is the chosen strategy, it should not be by default. It should be a well thought out decision following careful and detailed analysis of risks faced by the organization.

An organization also has the option to hedge its bets, to not gamble everything on each roll of the dice. An organization has the option to invest in as much risk reduction that it can afford. For example, let us consider a family owned and operated business. The business has existed for years and was passed down through multiple generations of the family. The building is old and may be in a flood prone area. The costs to transfer the risks of fire and/or flooding is excessive and beyond the budget of the organization. In this scenario, the business may not be able to purchase an insurance policy valued at the replacement costs of the business. Therefore, the organization purchases a policy valued less than the replacement costs. This strategy is also a gamble. However, the organization is betting that if there is an incident, it will not be catastrophic, and the damage will be covered by the insurance policy.

Although risk acceptance has little cost to initiate, it can be very expensive in the event an incident occurs. Costs associated with risk acceptance if an incident occurs include:

• Loss of production, if the organization is unable to produce products and services, it will be unable to generate revenue
• Loss of skilled employees, few things can bring the hopes, dreams, and plans of a person to a screeching halt like sudden and unexpected unemployment. The organization’s most valued resource will seek employment with its competition
• Loss of market share, while the organization is out of operation, its customers will seek products and services from its competitors. Some, if not all may not return

Not properly planning for business continuity and disaster recovery exposes the organization. Failure to make to invest the time and effort into planning is inexcusable. Fortunately, R. L. Sligh Limited is here to assist. Contact us, let us guide you through the business continuity and disaster recovery process.