What is the “residual risk” of your critical recovery plans?
The first thing to understand is, what is a residual risk? Residual risk is the risk that remains after an organization has determined its risk tolerance and the effect of its mitigating controls. In a perfect Business Continuity program, you want to have the lowest possible residual risk for your most critical recovery plans (e.g., those with a Recovery Time Objective of 72 hours or less) to minimize the potential for significant impact to your organization in the event of a disruption. The higher the residual risk, the greater the opportunity for a higher impact in the event of a disruption. So, let’s look at a simple way of assessing residual risk in your critical recovery plans.
Assign Impact Factor
The impact factor represents the impact of the loss of the Business Unit or IT System/Application on the business. You must determine the impact factor of each recovery plan using its Recovery Time Objective (RTO). To make it simple, let’s assign an impact factor of “5” to recovery plans with RTOs levels that are deemed as having critical impact if disrupted, a “3” to those RTO categories that will have a moderate impact if disrupted, and a “1” to those RTO categories that will have little to no impact if they suffer a disruption.
Evaluate Mitigating Controls
Mitigating controls are measures that are put in place to reduce the risk of failure of a critical Business Unit or IT System/Application. Once you have assigned an impact factor to each recovery plan, you must then consider the mitigating controls that can reduce the riskiness of each of your critical recovery plans. These include:
- Business Impact Analysis – Is the BIA up to date, complete, and aligned with IT?
- Recovery Strategy – Does the recovery strategy meet the recovery needs of the recovery plan?
- Recovery Team & Plan – Are the recovery team and plan consistent with industry standards?
- Recovery Exercises – Are you conducting recovery exercises at the highest level required by the plan?
- Training & Awareness – Have you trained your recovery team members to maximize recovery potential?
- Third Party Risk – Have you mitigated the risk with your critical 3rd party vendors?
Assign a weight to each mitigating control based on its importance, with a total weighting of 100% for all controls (e.g., recovery strategy weight is 25%, a recovery plan is 10%).
To assess how solid each recovery plan is, consider the extent to which each mitigating control has been implemented for each plan. You must have a solid understanding of what makes a mitigating control fully implemented and what does not. For example:
- A BIA completed in the last year yields greater risk control than one completed three years ago (or never).
- The use of a geographically diverse recovery strategy greatly reduces residual risk, while having a backup site only a mile away is not as good.
You can assess the strength of each mitigating control using common sense measurements (e.g., 5 = Fully Implemented, 3 = Moderately Implemented, 1 = No Control).
Next, add up the weighted scores for each mitigating control by multiplying the weight of each mitigating control by its strength to get your total mitigating control score for the recovery plan.
Example for Recovery Strategy
Mitigating control score = 3 (moderately implemented) x 25% (weighting for the control)
Our business continuity management software has all the tools you need to assess and manage risk in your program. Within the BCMMetrics™ suite is BIA On-Demand (BIAOD), a secure cloud-based tool you can use to conduct a complete and thorough Business Impact Analysis. You’ll be able to easily determine the criticality of your business units and the processes associated with them without outside help, and even generate insightful reports that can be shared with stakeholders.
Additionally, the Residual Risk (R2) tool gives you a quantitative method to evaluate risk in your business recovery plans. It also helps you clearly see areas where you have successfully managed risk, as well as opportunities for improvement, and generates easy-to-read management reports. Along with these tools you’ll receive eight hours of consulting with a business continuity expert, as needed, to provide help anywhere along the way.
If you’d like to see the BCMMetrics™ suite of online tools in action, schedule a free demo today.