Mitigating Controls and Your Business Recovery Plans.

Understanding what residual risk remains after we have implemented all of the mitigating controls available to us is essential for a strong BCM program.

In the world of Business Continuity Management (BCM), senior management is placing greater emphasis on understanding what Residual Risk remains after we have implemented all of the mitigating activities available to us. For management to feel comfortable, the remaining Residual Risk must be within their Risk Tolerance/Appetite. If it’s outside their Risk Tolerance/Appetite, they will request that additional work be done on the weak areas to minimize the Residual Risk. In a perfect world, the Residual Risk will be zero or negative, indicating that the controls in place are sufficient.

So, how many of you have thought about the mitigating activities in your Business Recovery Plans? Do you know what they would be and how important each of them might be to recovery? Here is what we see as the mitigating activities for a Business Recovery Plan:

  1. Business Impact Analysis
  2. Recovery Strategy
  3. Recovery Team
  4. Recovery Plan
  5. Recovery Exercise
  6. Third Party Supplier Risk
  7. Training & Awareness

Now, how important is each of these mitigating controls to the success of your recovery plan? Is each mitigating activity equally important, or are some of them more important before a disruption occurs? I believe that each mitigating activity has a different level of importance based on what it ultimately means to the plan and its level of recovery confidence.

In discussion with colleagues and subscribers of our BCMMETRICS™ tool, we have agreed that a sample priority for mitigating activities, based on their value in minimizing risk, is as follows:

  1. Recovery Exercise
  2. Recovery Strategy
  3. Recovery Team
  4. Recovery Plan
  5. BIA
  6. Third Party Supplier Risk
  7. Training & Awareness

What do you see as a priority for the mitigating activities? Begin looking at the mitigating activities for each of your recovery plans and see if a small or significant risk remains. Shore up the mitigating activities that need help and you will reduce your overall residual risk for the business unit and your organization.


Michael Herrera is the Chief Executive Officer (CEO) of MHA. In his role, Michael provides global leadership to the entire set of industry practices and horizontal capabilities within MHA. Under his leadership, MHA has become a leading provider of Business Continuity and Disaster Recovery services to organizations on a global level. He is also the founder of BCMMETRICS, a leading cloud based tool designed to assess business continuity compliance and residual risk. Michael is a well-known and sought after speaker on Business Continuity issues at local and national contingency planner chapter meetings and conferences. Prior to founding MHA, he was a Regional VP for Bank of America, where he was responsible for Business Continuity across the southwest region.

