By Michael Herrera, CEO, MHA Consulting
A new year is upon us and it’s time for BCM practitioners to strategize to maximize “Compliance” and minimize “Residual Risk” across their BCM program and organization as a whole. But are they ready? If they can answer “yes” to all of the questions below, they are well on the way to a good year in 2016:
- Has the level of Compliance across the program and its components (Program Administration, Business Recovery, Disaster Recovery, etc.) been identified and quantified based on accepted industry standards?
- Have the areas and levels of Residual Risk in critical recovery plans and capabilities been identified and quantified?
- Has a strategic roadmap for 2016 been documented, outlining how the program will maximize its level of Compliance, as well as minimize the Residual Risk across the BCM program and organization?
- Has management approved the strategic roadmap, with deliverables and tasks, to maximize BCM Compliance and minimize Residual Risk?
Based on our experience, very few BCM Offices can definitively answer “yes” to all four questions.
The BCM industry has been primarily focused on assessing a continuity program’s compliance with industry standards as a key indicator of whether a solid program infrastructure has been implemented. However, assessing the level of compliance to accepted industry standards is only one piece of the metrics puzzle.
The next evolution of BCM metrics is quantitatively identifying where pockets of Residual Risk exist, determining the magnitude of the remaining residual risk after all mitigating activities have been taken into account, and evaluating if the residual risk needs to be mitigated, transferred, or accepted, based on management’s “risk tolerance/appetite.”
If you looked at each of your recovery plans today, could you specifically identify the quantitative level of Residual Risk remaining in each of your recovery plans based on the state of each of its mitigating activities (BIA, Recovery Strategy, Recovery Plan, Recovery Exercises, etc.)? And based on that calculated level of risk, would you know if it is within or outside management’s tolerance for risk?
Residual Risk analysis provides management with a quantitative evaluation to best determine where they need to target efforts to minimize major risk – or where they may be exceeding the recovery needs of the business unit and wasting valuable time, money and resources. Today’s business environment requires BCM practitioners to optimize money, time and resources while minimizing risk and providing the highest level of recoverability.
MHA’s newest addition to its cloud-based BCMMETRICS™ suite of self-assessment applications is Residual Risk (R2). The R2 application is designed to provide BCM Practitioners and Risk Managers with the ability to assess the Risk Factor (RF) of each business unit or system/application recovery plan; weight the importance of recovery plan mitigating activities; establish management risk tolerance levels; assess the state of mitigating activities for each plan; calculate the Residual Risk for each plan based on the Risk Factor minus the weighted score of the mitigating activities; and lastly, determine if it meets or exceeds management’s risk tolerance levels.
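As an added illustration of the calculation just described (not MHA’s code and not the actual R2 scoring model, which the article does not detail), the following assumes a 0–100 Risk Factor scale, hypothetical weights for the four mitigating activities named above, and a per-activity state between 0 (absent) and 1 (complete and current):

```python
from dataclasses import dataclass, field

# Hypothetical weights for the mitigating activities named in the article;
# the real R2 weighting scheme is not described there, so these are assumptions.
ACTIVITY_WEIGHTS = {
    "BIA": 0.20,
    "Recovery Strategy": 0.25,
    "Recovery Plan": 0.30,
    "Recovery Exercises": 0.25,
}

@dataclass
class RecoveryPlan:
    name: str
    risk_factor: float  # assumed 0-100 scale: inherent risk with no mitigation in place
    # state of each mitigating activity, 0.0 (absent) to 1.0 (complete and current)
    activity_state: dict = field(default_factory=dict)

def residual_risk(plan, weights=ACTIVITY_WEIGHTS):
    """Residual Risk = Risk Factor minus the weighted score of the mitigating activities.

    Each activity can offset at most weight * risk_factor, so a plan with every
    activity complete reaches 0 and a plan with nothing in place keeps its full RF.
    """
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("activity weights must sum to 1.0")
    mitigated = 0.0
    for activity, weight in weights.items():
        state = plan.activity_state.get(activity, 0.0)  # missing activity counts as not done
        if not 0.0 <= state <= 1.0:
            raise ValueError(f"{activity} state must be between 0 and 1")
        mitigated += weight * state * plan.risk_factor
    return round(plan.risk_factor - mitigated, 2)

def within_tolerance(plan, tolerance, weights=ACTIVITY_WEIGHTS):
    """True when the plan's residual risk does not exceed management's stated tolerance."""
    return residual_risk(plan, weights) <= tolerance

def plans_outside_tolerance(plans, tolerance):
    """Names of the plans whose residual risk still needs to be mitigated, transferred or accepted."""
    return [p.name for p in plans if not within_tolerance(p, tolerance)]

# Constructed sample plans: a high-RF plan with partial mitigation, and a low-RF plan fully mitigated
PLANS = [
    RecoveryPlan("Payroll", 80, {"BIA": 1.0, "Recovery Strategy": 1.0,
                                 "Recovery Plan": 0.5, "Recovery Exercises": 0.0}),
    RecoveryPlan("Cafeteria POS", 20, {"BIA": 1.0, "Recovery Strategy": 1.0,
                                       "Recovery Plan": 1.0, "Recovery Exercises": 1.0}),
]
```

With a tolerance of 25, Payroll (residual 32) is flagged while Cafeteria POS (residual 0) is not; since the latter's Risk Factor of 20 was already within tolerance before any mitigation, it is also the kind of plan the article describes as possibly exceeding the recovery needs of the business unit.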
The new R2 application, coupled with the existing BCMMETRICS Compliance Confidence (C2) tool, provides a comprehensive approach to evaluating and reporting on Compliance and Residual Risk in one secure, cloud-based portal.