What is the “residual risk” of your critical Business Units and their continuity capabilities? But first of all, what is residual risk? Residual risk is the risk that remains after an organization has implemented appropriate controls to comply with industry standards, regulatory requirements, best practices, etc.
In a perfect world, you want the lowest possible residual risk for your most critical business units and Information Technology, to minimize the potential for significant impact to your organization in the event of a disruption. The higher the residual risk, the greater the potential impact in the event of a disruption. So, let's look at a simple way of assessing residual risk.
First, you must assign an impact factor to the Business Unit or IT entity. To keep it simple, we assigned an impact of 5 to each Business Unit or Information Technology system/application whose RTO category would suffer a critical impact if disrupted, 3 to the RTO categories that would suffer a moderate impact, and 1 to the RTO categories that would suffer little to no impact from a disruption.
Second, now that you have assigned the potential impact to the organization from the Business Unit or Information Technology entity, you must then consider the controls that are key to reducing the risk of a critical business unit or IT system/application. These may include:
- Business Impact Analysis
- Recovery Strategy
- Recovery Team
- Recovery Plan
- Recovery Exercises
- Training & Awareness
Within each of these controls, you must consider the extent to which each control has been implemented for each business unit to assess how solid it is. A BIA completed in the last year yields greater risk control than one completed three years ago or never. The use of a geographically diverse recovery strategy greatly reduces residual risk, while having a backup site a mile away is not as good. So, you need to assess the strength of each control using common sense (5 = Fully Implemented, 3 = Moderately Implemented, 1 = No Control). More importantly, you must have a solid understanding of what makes a control fully implemented and what does not. Weight each control based on its importance to recovery success, with all control weightings adding up to 100 (e.g., recovery strategy weight is 25%, recovery plan is 10%, etc.). Add up the weighted scores to get your control score.
Third, to get the residual risk, subtract the total weighted control score from the impact score. For example, the impact score for an RTO 0 – < 12 hours business unit is 5. The weighted control score for this business unit is 4.3, leaving a residual risk of 0.7, which is outside our established tolerance level of 0.5 for business units with a high impact score. If your control score happens to be greater than the established impact score for the business unit, then use the absolute zero rule so you don't have a negative residual risk score; this also means your controls are in good enough shape for that business unit. Using this approach, you can also quickly identify which controls need to be augmented to reduce residual risk.
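The three steps above carried through in Python, as an added worked example that is not the post's own code and not part of the BCMMETRICS tool. The 1/3/5 scales, the 25% and 10% weights and the 0.5 tolerance for impact-5 units come from the text; the other four control weights and the tolerances for impact 3 and 1 are assumptions made for illustration.

```python
# Control weights in percent; they must sum to 100. Strategy 25 and plan 10 come
# from the text; the other four weights are ASSUMED for illustration.
DEFAULT_WEIGHTS = {
    "Business Impact Analysis": 15, "Recovery Strategy": 25, "Recovery Team": 15,
    "Recovery Plan": 10, "Recovery Exercises": 20, "Training & Awareness": 15,
}
# Tolerance per impact score: 0.5 for impact 5 is from the text; 3 and 1 are ASSUMED.
TOLERANCE = {5: 0.5, 3: 1.0, 1: 1.5}
VALID_SCORES = {1, 3, 5}  # same 1/3/5 scale for impact and for control strength

def weighted_control_score(scores, weights=DEFAULT_WEIGHTS):
    """Sum of (weight / 100) x control strength; the maximum is 5.0."""
    if sum(weights.values()) != 100:
        raise ValueError("control weights must add up to 100")
    if set(weights) - set(scores):
        raise ValueError(f"unscored controls: {sorted(set(weights) - set(scores))}")
    if any(scores[c] not in VALID_SCORES for c in weights):
        raise ValueError("control strength must be 1, 3 or 5")
    return round(sum(weights[c] / 100 * scores[c] for c in weights), 2)

def residual_risk(impact, scores, weights=DEFAULT_WEIGHTS):
    """Impact minus weighted control score, floored at zero (the 'absolute zero rule')."""
    if impact not in VALID_SCORES:
        raise ValueError("impact must be 1, 3 or 5")
    return round(max(0.0, impact - weighted_control_score(scores, weights)), 2)

def within_tolerance(impact, scores, weights=DEFAULT_WEIGHTS):
    return residual_risk(impact, scores, weights) <= TOLERANCE[impact]

def control_gaps(scores, weights=DEFAULT_WEIGHTS):
    """Controls ranked by weighted score forgone, (weight / 100) x (5 - strength);
    the top entries are the ones to augment first to bring residual risk down."""
    gaps = ((c, round(weights[c] / 100 * (5 - scores[c]), 2)) for c in weights)
    return sorted((cg for cg in gaps if cg[1] > 0), key=lambda cg: -cg[1])

# Constructed sample: an RTO 0 - <12 hour unit (impact 5) reproducing the text's
# weighted control score of 4.3 and residual risk of 0.7.
SAMPLE_SCORES = {
    "Business Impact Analysis": 5, "Recovery Strategy": 5, "Recovery Team": 5,
    "Recovery Plan": 5, "Recovery Exercises": 3, "Training & Awareness": 3,
}

if __name__ == "__main__":
    print("weighted control score:", weighted_control_score(SAMPLE_SCORES))
    print("residual risk:", residual_risk(5, SAMPLE_SCORES),
          "(within tolerance)" if within_tolerance(5, SAMPLE_SCORES) else "(OUTSIDE tolerance)")
    for control, gap in control_gaps(SAMPLE_SCORES):
        print(f"  augment {control}: +{gap} weighted score available")
```

Running it on the sample shows the 0.7 residual risk outside the 0.5 tolerance and lists Recovery Exercises, then Training & Awareness, as the controls to augment first.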
Lastly, your ultimate goal is to have implemented your plans and associated controls in such a manner that little to no residual risk exists for the most critical areas of your organization. We are implementing residual risk analysis in Q3 of 2015 as part of our BCM compliance self-assessment tool, BCMMETRICS™. To review the tool, go to www.bcmmetrics.com for a comprehensive overview of the tool and its assessment and reporting capabilities.