In risk management for business planning, you can disregard potential events that have no bearing on the unit outcomes for the period. You can therefore disregard all of the following types of risk.
Routine and low-level events from which you can recover.
By definition, recoverable events generally have little effect on period outcomes. Too many routine events during the period may actually add up to a real effect on the final outcome, so you might recognise ‘too many’ as a relevant variety of outcome that should be kept unlikely. Isolated random product defects and transaction errors are not risks, from a business plan point of view. They are expected.
Most disruptive events, even those experienced as ‘crises’.
Disruptions are usually short-term set-backs and distractions with no specific effect on period or long-term outcomes. Some of them lead to long-term benefits. What matters for the period outcomes is the potential for events from which you don’t recover.
Loss of key people and facilities does threaten long term outcomes if you don’t have recovery options. You need a business continuity plan as well as a business plan.
The potential for events that are clearly harmful, though to someone else’s outcomes rather than those of your unit.
For example, if your unit processes payrolls, you may be aware of risks around the size of general pay rises and the potential effect on corporate profitability, but unexpectedly high pay rises would have no effect on your unit’s processing of payrolls over the year. Such risks may be important, but should be referred to the ‘someone else’, and need not appear in your own unit’s risk management.
Risks subject to separate management.
Common cases are health and safety, business continuity, security, and fraud risks. In risks like that, there may be a standing risk management process that has nothing to do with your unit’s business plan. If your unit is the manager of (say) corporate security, it will be maintaining a corporate security risk assessment and security management plan already. There is no need to integrate the risk part of unit business planning with the corporate security risk assessment. Keeping them separate is much easier.
Similarly, having separate risk management processes for each project, procurement, client, ‘case’, and so on means that you can leave those project- or case-specific risks out of business planning risk.
But first be sure of the objectives
Before disregarding large categories of risk, it is essential to be sure that the unit objectives are really understood well enough. Only with that confidence will you have all the calmness you need with look the boss in the eye over your business plan. We identify risks after reviewing the objectives affected by uncertainty.
The good news is that by reviewing the objectives fairly thoroughly now, a lot of time will be saved in the risk identification stage. For example, the work in the objectives will replace the whole idea of ‘risk categories’.