When your organization isn’t risk literate, the result can often resemble a horror movie; when it is, you can save the day.
In some ways, being a business continuity management consultant is a lot like watching a horror movie. How?
Well, do you know how in horror movies people are always doing things that you know are liable to get them killed, but that they do anyway—despite your yelling at the screen for them to run the other way—because they are lacking critical information that you’ve been given by the director?
It’s the same for a BC consultant. I repeatedly see organizations doing things that I know are harmful to their long-term best interests, based on things I’m aware of that they are not, despite my yelling at the screen (figuratively speaking, of course) and urging them to turn aside from their intended course of action.
Fortunately, these businesses rarely suffer the fate of the typical horror movie character. However, they do experience such negative impacts as unnecessary stress, confusion, expense, inefficiency, and risk exposure—as well as the needless surrendering of a measure of control over their own companies.
I hasten to say, I don’t sit on my hands while the company is sleepwalking into trouble. I do everything I can to share what I know and get them to avoid the danger, but business continuity is one competing priority among many, and too often the ears that matter are not ready to hear what I have to say.
There is one area where the experience I described above happens especially frequently: when the BCM team goes in front of the senior leadership to talk about how much money they would like and what the BC program’s priorities should be.
These conversations are usually a painful muddle for all concerned— a muddle that almost always leads to random, irrational choices being made, to the detriment of the company’s long-term interests and stability.
I am not saying that all of these companies’ problems would be solved if they would only spend more money on business continuity consultants such as myself.
I am saying, there is a straightforward, rational way for companies to determine how much they should spend on business continuity and which specific initiatives they should put it toward, and I think it would do them a world of good if they were to adopt this process.
Let’s get into the details a little more.
First, I’ll tell you what usually happens when the BCM team goes in front of the senior leadership to defend a budget request and get their marching orders.
Then I’ll tell you about how things could go—if this were a hero movie, and everyone was risk literate, and everybody approached the subject of risk management in a rational, responsible, and well-informed manner.
What Usually Happens
What usually happens is some combination of the following:
- The BC team doesn’t talk to the senior leadership about residual risk because they lack confidence in their own ability to measure and talk about it. Remember, residual risk is the amount of risk that remains after all efforts have been made to identify and eliminate risk (i.e., your mitigating controls).
Easily evaluate your organization’s level of residual risk with our cloud-based Residual Risk (R2) tool, and get a score for each of your business unit and/or information technology recovery plans. Schedule a demo to see the tool in action.
- As a result of the first bullet point, residual risk is not actually used at the organization, even though the concept of residual risk should be the cornerstone of the modern, rational approach to business continuity practice.
- The BC team does not educate management about the role of risk appetite and risk tolerance in business continuity.
- Management is not obliged to express how much risk it is willing to accept for the company across its various operations.
- Management decides how much to spend on business continuity based not on rational, data-driven factors but on emotional and anecdotal ones (e.g., “Our competitor just had that problem, we better spend whatever it takes to make sure that doesn’t happen to us” or “We’ve been in business 150 years and we’ve never had a problem, so we’re not that worried about it”).
- Management comes up with creative and heroic ways that the company could get around any problem raised as a potential risk by the business continuity team.
- Management rolls their eyes at the presentation of the business continuity team. (This actually happened to me.)
As you can see, the usual picture today is anything but rational. The result is, everyone involved is operating in a fog of confusion, which is stressful for all. Most aspects of the business are either underprotected or overprotected. In some areas, the company is unknowingly exposing itself to potentially ruinous risk. In other areas, it is likely paying for more protection than it needs.
And the real shame of it all is, there is a very rational, reasonable method for measuring and mitigating risk, if only companies would avail themselves of it.
What Could Happen if You’re Risk Literate
What could happen, if all of the parties were risk literate, is something like the following:
- The BC team would have a strong grasp of the topic of assessing residual risk and they would educate management about it.
- The BC team would be able to educate management on the topics of risk appetite and risk tolerance.
- At the request of the BC team, management would think about, determine, and express its risk tolerance for different areas across the organization.
- The BC team would be able to look at residual risk across the key operations of the organization, then determine if the risk exposure is within or outside management’s tolerance for risk.
- The BC team would present its findings to management.
- In response, management would direct the BC team to cut back on initiatives that are creating more protection than necessary, and it would provide the funds necessary for the BC team to bring residual risk down in the areas where it currently exceeds management’s stated risk tolerance.
This vision is something of a pipe dream at the moment. But it’s something we in business continuity can work for and which we hope one day we will achieve. Remember that such universally accepted concepts as health insurance and automobile insurance were once only gleams in someone’s eye. Over time I am confident that the business community overall will become more risk literate, and that a more rational approach to risk management will take hold.
Until that day, being a business continuity consultant will always be a little bit like watching a horror movie, where management—even though they’re paying for you to be there—will often not hear you when you tell them, For Pete’s sake, don’t open that door! Be the hero in your own business continuity story and save the day.
See Your Business Continuity Program More Clearly
“Inherent vs. residual risk” is more accurately phrased “inherent and residual risk,” as the two concepts go hand in hand. Despite their value, however, very few organizations do the legwork required to evaluate the inherent and residual risk in their business and/or information technology recovery plans. While the process may uncover areas in need of improvement, it also helps organizations to optimize valuable resources and effectively minimize risk.
Evaluating your residual risk doesn’t have to be hard. Our Residual Risk (R2) tool, part of the BCMMetrics™ business continuity software suite, was designed specifically to provide organizations like yours with a quantitative method to evaluate risk. Cloud-based and secure, the tool walks you through the process of evaluating your mitigating controls, calculating inherent and residual risk, and assessing risk tolerance levels. You’ll get the results in detailed reports and simple charts that can be easily shared with the appropriate stakeholders.
If you’d like to ensure that your business has truly manageable levels of residual risk—and a business continuity program that actually works—take the first step and schedule a demo to see the R2 tool in action.