[This is the second post in our occasional series “You’re Doing It Wrong.” The first post was on BCM Metrics.]
I realize that the title of this post is probably incorrect. It’s probably not right to say that you are using residual risk incorrectly in your business continuity program.
Most likely you are not using it at all!
That is, if my experience with industries of all types across the country is representative of the general situation of leading American businesses and nonprofits, and I think it is. (I don’t know about you, but I have found that most BCM programs are mired in tactical problems—BIAs, recovery strategies, etc.—and never obtain a bird’s-eye view of their risk situation, such as you get by considering residual risk.)
In my opinion, you definitely should be making residual risk a cornerstone of your program. I truly think that residual risk is the shape of the future for business continuity management.
Organizations that do not incorporate residual risk in their business continuity planning are doing the equivalent of driving a car with the windshield obscured by mud. Organizations that do incorporate it have sparkling clean windshields that provide a clear view of the road ahead, allowing them to navigate safely and confidently toward their goals.
So what is residual risk, what are the benefits of basing your program on it, and how would you go about incorporating it?
I have previously discussed the topic in my ebook, 10 Keys to a Peak-Performing BCM Program, available for free download here, as well as in a number of blog posts identified below.
However, like a fire chief going to the schools each year to talk about fire safety, I think this information is important enough that it bears repeating.
Here, then, is a brief description of what residual risk is, how it can help your organization, and how you can begin leveraging the concept to strengthen your BCM program.
Residual risk is the term we use for the risk that remains in your organization after every risk mitigation control present in your program has been taken into account.
Residual risk cannot be quantified the way distance can, in a fixed unit (3 feet, say). Risk has no natural unit. Instead it is rated the way a doctor asks you to rate pain, on a scale of 1 to 10 or similar. Many organizations rate risk of all kinds, residual risk included, on a 1-to-5 scale, and I think that is a good way of doing it: it lets you make the essential distinctions without getting bogged down in fine shading. One caveat: such a scale is ordinal, so a 4 is worse than a 2 but not "twice as bad," and ratings on it should be compared, not added or averaged.
Now what, you might be asking, does he mean by risk mitigation controls?
Risk controls are the measures that you have implemented in your program and recovery plans to deal with the negative impacts of potential disasters. (See The 5 Most Important Risk Mitigation Controls for more information.) The main risk controls are:
- The business impact analysis (BIA).
- Your recovery strategy.
- Your recovery plan.
- Recovery teams.
- The level of recovery exercises your organization has performed.
- Management of third-party supplier risk.
Obviously, these are not direct controls in the manner of your car’s accelerator and brake, but they are ways of managing and reducing risk.
A simple equation sums it up:

Residual risk = total risk at your organization minus the risk eliminated (or mitigated) by your controls
Residual risk is basically leftover risk. It’s what is left over after the total risk in your organization has been reduced by whatever controls you have implemented.
Generally speaking, the more capable your controls, the lower your residual risk. Control quality varies widely: as you know, some BIAs are excellent, and others are not worth the paper they are printed on.
Got all that? Great.
Now, the ideal thing is for an organization to identify a critical set of recovery plans that matter most for its particular mission and then look at the residual risk in those areas.
And finally we come to risk tolerance: how much risk your senior leadership is prepared to live with in each area, based on the impact that area could have on the organization. The general rule is that the greater an area's potential impact on the core mission, the less risk management will accept there.
Now, granted, getting management to decide on and state explicitly how much risk, on a scale of 1 to 5, they are willing to accept across areas is not necessarily going to be easy. But this is a prerequisite to taking advantage of the concept of residual risk, which is a prerequisite to bringing rationality to a BCM program.
It starts with you, the BCM professional.
You and your team are the ones who will have to master the concepts surrounding residual risk, present them to your management, and get them to start discussing which impact areas your organization should focus on and how much risk they are willing to tolerate in each one.
Once you know your management’s risk tolerance in the organization’s chosen impact areas, and you have carefully assessed your residual risk in each one, you can start making adjustments to the various elements of your program in order to bring the reality of your program in line with management’s stated preferences.
Will the results show that the organization would need to spend money in order to bring the risk for a certain area within management’s tolerance level? Sometimes. And sometimes it might show that you have much more protection in a given area than you need, enabling you to reduce your expenses in that area, channeling the savings someplace where it really counts.
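To make the comparison concrete, here is a small gap analysis written for this post as an added illustration; it is not the author's tool or a product of the ebook. It assumes what the post describes: each critical impact area carries an assessed residual-risk rating and a management-stated tolerance rating, both on the 1-to-5 scale, and the program's job is to find where the two disagree. The area names, ratings, verdict labels and the ordering rule (largest overshoot first, then lowest tolerance) are my assumptions for the example, not figures from the post.

```python
"""Residual-risk gap analysis on a 1-to-5 scale.

Added illustration, not the blog author's code. Assumptions (mine, not the post's):
 - each impact area has an assessed residual-risk rating (1 = lowest, 5 = highest)
   and a management-stated tolerance rating on the same scale;
 - ratings are ordinal, so the code compares them but never adds or averages them.
"""
from dataclasses import dataclass

SCALE = range(1, 6)  # the post's 1-to-5 rating scale


@dataclass(frozen=True)
class ImpactArea:
    name: str
    residual_risk: int  # assessed after all controls are taken into account
    tolerance: int      # how much risk senior leadership will live with here

    def __post_init__(self):
        # Reject ratings that fall outside the scale before they reach the analysis.
        for label, value in (("residual_risk", self.residual_risk),
                             ("tolerance", self.tolerance)):
            if value not in SCALE:
                raise ValueError(f"{self.name}: {label}={value} is outside the 1-to-5 scale")


def classify(area):
    """Compare one area's residual risk against management's tolerance for it."""
    if area.residual_risk > area.tolerance:
        return "UNDER-PROTECTED"   # spend to bring risk within tolerance
    if area.residual_risk < area.tolerance:
        return "OVER-PROTECTED"    # candidate for reallocating spend elsewhere
    return "WITHIN TOLERANCE"


def gap_report(areas):
    """Return (name, residual, tolerance, verdict) rows, worst gaps first.

    Ordering rule (an assumption for this example): largest overshoot first, then
    lowest tolerance, since a low tolerance marks an area management considers
    closest to the core mission.
    """
    rows = [(a.name, a.residual_risk, a.tolerance, classify(a)) for a in areas]
    rows.sort(key=lambda r: (-(r[1] - r[2]), r[2]))
    return rows


def priorities(areas):
    """Names of under-protected areas in the order they should be addressed."""
    return [r[0] for r in gap_report(areas) if r[3] == "UNDER-PROTECTED"]


# Constructed sample input: hypothetical areas and ratings, not real data.
SAMPLE_AREAS = [
    ImpactArea("Customer payments", residual_risk=4, tolerance=1),
    ImpactArea("Core ledger", residual_risk=2, tolerance=2),
    ImpactArea("Internal wiki", residual_risk=2, tolerance=4),
    ImpactArea("Call centre", residual_risk=3, tolerance=2),
]

if __name__ == "__main__":
    for name, residual, tol, verdict in gap_report(SAMPLE_AREAS):
        print(f"{name:<20} residual={residual} tolerance={tol}  {verdict}")
```

Run stand-alone it lists the constructed areas worst gap first; "Customer payments" and "Call centre" come out as the places that need spending, while "Internal wiki" is flagged as carrying more protection than management asked for, which is exactly the kind of reallocation candidate the paragraph above describes.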
I can’t say it enough: utilizing the concept of residual risk is the way to introduce rationality into your business continuity planning and spending.
How do you get started? Get your head around the concepts, have a look at the posts and other resources linked in this post, and make plans to talk with your senior management about incorporating residual risk (and risk controls, risk tolerance, and impact categories) into your organization's BC program.
By basing your program on the concept of residual risk, you will be steering it into the future, as well as clearing the mud off the windshield so that you can see clearly where you are going.