Well-conceived and thoroughly researched business cases can play a pivotal role in improving the quality of organizational decision-making. The business case does not however, stand by itself as a risk management tool. It is simply part of a toolbox for analyzing and making decisions about proposed risk treatments.
Whatever risk treatment you’re considering, and whatever means you used to identify it, the business case is designed to determine and enunciate the value of that treatment. In Figure 1, we’ve used the ISO31000:2009 Risk Management Standard process to illustrate the role of the business case. Quite simply, it supports analysis, selection and implementation of risk treatments.
|Figure 1: The Role of Business Cases in the context of ISO31000 Risk Management Process|
Irrespective of how you phrase this risk, lets say that in our hypothetical example, you have identified two main treatments to address it. You’ll note from the examples in Table 1, that we’ve included a reference to which risk(s) each treatment addresses.
|Table 1: Example of Risk Treatment Plan|