Compliance and Residual Risk – It’s Not Just For Big Companies

Richard Long

In case you missed it, MHA Consulting CEO Michael Herrera last month conducted a webinar called “Your New BFFs – Compliance and Residual Risk.” (BFFs means Best Friends Forever, for those who haven’t been keeping up with their modern slang.)

The webinar is now available as a half-hour video which you can watch for free here.

The video is an excellent introduction to two concepts which are at the heart of contemporary business continuity management:

  • The importance of adopting and complying with a business continuity standard, and
  • The benefits of using the concept of residual risk to truly understand the capabilities of your business continuity program and develop a roadmap for its improvement.

We invite you to look at the video and check out the associated slide deck, since there is no substitute for letting Michael walk you through these concepts, if they are new to you.

However, because the content of the webinar is so fundamental, we thought it might be helpful in today’s post to give a thumbnail sketch of the concepts.

Introduction

As organizations mature in their BC programs, so should their ability to measure needs and ensure their program is providing all the necessary risk remediation. The dual concepts of compliance and residual risk can be useful tools to this end.

Standards and metrics have often been part of large companies, especially those under regulatory or standards-based processes, but nowadays smaller and mid-size companies are also getting pressure from their clients to have a business continuity and disaster recovery program and to be able to demonstrate its effectiveness.

One of the ways that businesses are improving their programs is by leveraging the concepts of compliance and residual risk. These concepts have been around forever, but unfortunately not many companies we work with use them.

This is regrettable because these two factors are so important when it comes to the recoverability of your company. Focusing on compliance and residual risk can give you the best value as you move forward with your business continuity program.

In many places MHA goes, when we ask if they have adopted a business continuity standard, the answer is often “Why?” or “We already use best practices.”

We think that adopting a standard is an important step in maturing the organization’s business continuity position. However, it should not be a replacement for actually doing something. Having a BC plan for all departments, and an IT recovery strategy and technical recovery plan – even if they are not perfect – are the most critical items. Using a standard helps identify what needs to be done.

Auditors are also becoming more sophisticated when it comes to business continuity standards. If you don’t choose a standard, they may choose one for you. Auditors are increasingly requiring BC programs to be able to verify that they can do what they say they can.

We are also seeing that when it comes to business continuity, management is being held to higher levels of accountability. But often they aren’t comfortable or prepared for this. When you ask them to attest to the capability of their programs, you tend to see responsibility being shifted around the room. So how can Compliance and Residual Risk help?

The Role of Compliance

We define compliance as “the state of being in accordance with established standards, guidelines, and directives.” If you have a high level of compliance with a business continuity standard, you probably have a high-performing BCM program.

Choose a standard

Typically only 10 percent of our average audience indicate that their organization has adopted a BC standard. Most have no idea about standards or residual risk.

Depending on your organization, a specific standard may not be required. There are different standards relevant to business continuity, such as those found in regulatory requirements or more detailed standards such as IS0 22301, FFIEC Appendix J, and NFPA 1600.

The standards have a lot of the same content and there are a lot of good standards to use. “All I ask is that you adopt a standard. Pick one. If you’re not regulated, pick one that works for you. Put it in your policy,” said Herrera.

Evaluate Your Program

After you pick a standard that’s right for you, study it, score your company against it, see what your level of compliance with it is. You can do this on your own using spreadsheets or with the aid of tools such as those offered by BCMMETRICS.

You need to come up with a simple way to score your program on each one. This lets you see where your program stands right now. People don’t like to do this because it takes time, but the benefits are worth it.

It’s also important to continually evaluate your program. New programs should evaluate their compliance approximately every three months. Mature programs can do it every six months to a year.

Generate a Roadmap

Based on how you score in terms of the current state of compliance with your chosen standard, you can generate a roadmap for improvement.

To do this you need to identify:

  • Areas that are in good shape
  • Areas with high-priority needs
  • Areas with less critical needs

This analysis will produce a roadmap that will guide your future efforts. Too often we see people go as far as generating the roadmap, but then they don’t follow through on it.

It’s important to be realistic in the timetable you set in your roadmap. Many people set unrealistic goals. Slow and steady improvement is better than being too ambitious in the beginning, then not following through.

Communicate Your Successes and Opportunities

In terms of your metrics, it’s important to learn to see the forest through the trees. Too many people focus on measuring things such as the number of recovery plans written and business impact analyses (BIAs) completed. This just shows how much effort you’ve put in, not what results you’ve achieved. Focus instead on metrics that truly speak to readiness. This is what we mean by the “forest.” You need to know how good you are from a performance and compliance perspective. (Some people refer to this as functional metrics.)

If you start reporting on the “forest” instead of the “trees,” you’ll be able to tell management where your program truly stands in the key areas of Program Administration, Crisis Management, Business Recovery, IT Disaster Recovery, Supply Chain Risk Management, Third Party Management, and Fire & Life Safety.

This kind of reporting also lets you clearly identify your successes and opportunities. It tells you where you can most profitably invest more time and resources.

The Role of Residual Risk

This is a concept that may be more suited for use by organizations with mature business continuity programs. If you do not have the basics in place, residual risk does not provide the same value. But after you have implemented the important basic items of BC, the assessment of residual risk can be an indispensable tool.

  • Residual risk is the risk that remains in a system or environment after all efforts have been made to identify and eliminate the risks (i.e., the risk that remains after your mitigating controls do their job of bringing down the total risk).
  • Inherent risk is the risk associated with a particular BC plan or business unit before any mitigating controls have been put in place.
  • Risk Tolerance is the amount of risk management is willing to tolerate.
  • Mitigating controls are the measures put in place to minimize risk. Examples in business continuity include BIAs, recovery strategies, and recovery exercises.

Risk Tolerance and Residual Risk

Management must decide what its risk tolerance is in the different areas. Oftentimes, managers overestimate their risk tolerance. They say they are willing to tolerate high risk, but when presented with the possible consequences, they tend to become more conservative.

Once management’s risk tolerance has been identified, it’s time to do an analysis to see how the residual risk that is actually present in those areas compares with management’s risk tolerance.

Three things can happen when we perform this analysis:

  • We find we have a lot more risk than management is comfortable with (in which case, we need to do something to bring the risk to within an acceptable level).
  • We discover that we are just about at the right level of risk (we can carry on as before).
  • We discover we have much less risk than management is willing to put up with (meaning we’re spending more than we need to in this area; we can probably take some resources from this area and apply them elsewhere).

Mitigating Controls

By assessing residual risk in your plans, you identify how bulletproof each one is. We find that it’s best to measure residual risk at the recovery plan level.

To do this, you must consider the state of your mitigating controls. These include the business impact analysis, recovery strategy, recovery exercises, recovery plan and team, training and awareness, and third-party supplier risk.

In terms of residual risk, many BC programs are doing well in terms of BIAs, recovery plans, maintenance, and their recovery teams. Many are falling short when it comes to recovery strategies and recovery exercises. We also see a lot of weakness in third-party supplier risk.

Integrating Compliance and Residual Risk into Your Program

If you want to implement the concept of residual risk in your program, you first have to make sure you understand it yourself, then shift to educating others. Often when you tell your managers that using residual risk can help the organization save time and money, they start to go along.

The lower your management’s tolerance for risk, the tighter the controls that will be needed, and the more time and money that will be required to implement them (and vice versa, if your management has a high tolerance for risk).

Benefitting from an understanding of residual risk does not require a huge budget. It does require a careful methodology.

So how do we leverage residual risk (and compliance) to improve our programs?

  • Create a roadmap and action plan. This is the best way to leverage the concepts of residual risk and compliance.
  • Track the changes in your compliance scores and residual risk in your program over time so you can show management that you are providing high return on investment.
  • In developing a roadmap and action plan, you should settle on a time frame between 12 and 24 months out. Then come up with deliverables and tasks to be completed within that time frame.

Often the best way to show compliance and residual risk is visually, through dials and graphs. These can communicate the situation at a glance. The webinar and associated slide deck include illustrations on how to do this.

However you choose to leverage residual risk (and compliance) to improve your programs, the bottom line is, you need to be ready and able to execute your recovery plan. This is the true value of BCM.

Make sure all the people working for your BCM office are working toward the goals of making your program have higher compliance and lower residual risk. This is what truly matters.

BCM softwarethird-party vendors