An organizations “operational risk” is not something that can be avoided. It arises simply because the organization is in operation (i.e. doing business). Despite the fact that the risk cannot be removed, there are ways in which it can be minimized or mitigated (Alexander & Sheedy, 2005). These ways generally come from establishing controls that work well with the organization and its operations. The key is to avoid being too restrictive while still ensuring that the most important areas of the organization are protected and cared for properly (Alexander & Sheedy, 2005). One of the best ways to mitigate risk is through a good plan for business continuity. There are so many different types of operations risks that a business continuity plan must be very comprehensive. It should consider fraud, legal risks, environmental risks, and physical risks (Gorrod, 2004). By addressing all of them, the plan will be more likely to actually protect the company from harm if there is a breach of security or if the organization encounters a problem which could otherwise bring down its entire business or structure and harm its long-term prospects.
Because operational risk can come about from external events but also from failed internal processes, systems, and people, the way it is managed is different from the way other risks are handled (Alexander & Sheedy, 2005; Gorrod, 2004). Many risks can be addressed on only one level or in only one area of the organization. Operational risks, however, are all-encompassing in that they require more insight into the overall workings of the organization instead of only a specific area (Gorrod, 2004). The goal then becomes to determine how much operational risk a company is taking and whether that risk will require a specific type of continuity plan that is tailored toward mitigation of a particular kind of risk. Overall, business continuity plans should be prepared to handle almost anything. However, there are many types of plans that can help a business continue when a crisis has occurred. Some plans naturally lend themselves more toward specific types of operational incidents, and those should be.