Over the past 18 months, most organizations have made changes to their business continuity plans to increase their resiliency. Unfortunately, few have taken the critical next step of measuring and managing the risk that remains, which is known as residual risk.
What is Residual Risk
The COVID-19 pandemic prompted most companies to make changes to their business continuity management (BCM) plans and strategies to make themselves more resilient.
This is praiseworthy.
It’s also only a beginning, especially for larger organizations and those with mature BCM programs.
For those BCM and risk management professionals who work at smaller organizations or those with young BC programs, this blog information is related to work and assessments after you perform an initial risk assessment and implement mitigations to bring your risk down.
Residual risk is another way of saying leftover risk: it’s the gaps that are left in your protection after you take measures to reduce your initial exposure.
Unfortunately, many BCM teams, even those working at mature programs, tend to skimp on measuring residual risk.
Avoiding the Fate of Smaug the Dragon
If you don’t think this matters, consider the case of Smaug, the dragon from The Hobbit.
Smaug was protected by armor over his entire body except in one place on his chest, and this was where he was targeted by Bard the Bowman and killed by an arrow.
How does a company avoid suffering a fate like Smaug’s? It manages residual risk.
How to Manage Residual Risk
In an earlier blog, I talked about how managing risk is an ongoing cycle.
Managing residual risk is part of that cycle—namely, the part after you implement measures to reduce your risk.
In most cases, residual risk should be looked at once year—and at a minimum, once every two years.
(For a breakdown of the main risk reduction measures, see this post by MHA Consulting CEO Michael Herrera on the BCMMETRICS blog.)
To manage residual risk, you need to look back at your program after you implement your risk mitigation strategies and see how much risk is left.
Then you ask yourself: are we as a company OK with this amount of risk? Or is this more risk than we are comfortable living with?
In other words, does the remaining risk fall within your organization’s risk tolerance?
If it doesn’t, you’ll need to implement more risk mitigation controls.
Managing residual risk is a lot like deciding how much of a deductible you are willing to accept in buying auto insurance. A cheaper policy is great, but that high deductible can come back and bite you if you’re involved in an accident. (And in some cases, just as with car insurance, companies might be paying more for risk mitigation than they really need, if they have a relatively high risk tolerance.)
The key point is, the organization should be aware of what’s going on with residual risk and make conscious decisions about it.
The thing to avoid is what all too many companies do: whistle through the graveyard while having no idea of how much risk they are running.
Reporting Up to Senior Management
I said above that you as a BCM pro should ask whether the company is OK with putting up with a certain amount of risk.
In reality, the answer to this question is determined by senior management. They’re the ones who decide how much risk is too much.
Your job is to understand the situation and make sure they know about it.
Senior management being senior management, this is not necessarily a straightforward matter.
If you find that there’s a significant amount of residual risk in your system, your job is to continue to share the information with management; do not water down the message. I like the analogy of jumping on the table and saying, “You are not hearing me” until leadership says, “We heard you, we don’t want to hear about this anymore.” That’s all you can do as a BCM person.
It’s the executives’ job to come up with the resources for more mitigation—or not; you want to ensure they are making decisions based on the best information possible.
As a BCM pro, the most you can do is to educate the leadership (and the rest of the organization) about the risk management cycle in general and residual risk in particular.
A few suggestions in talking with senior management about residual risk:
- Don’t try to read the room.
- Don’t tell people what they seem to want to hear.
- Be courageous.
- Be objective.
- Don’t underreport the risk. (This is a common mistake.)
- Don’t say the sky is falling (unless it is), because it will ruin your credibility.
- Don’t take management’s response personally.
The best approach in talking to management about residual risk is to be assertive about making yourself heard, but leave it to them to decide what should be done.
BCM Staff’s Essential Role
Since the pandemic started, many companies have beefed up their BC programs. Very few have performed the vital next step of measuring how much risk remains in their systems and making a conscious decision on what to do about it. The two options are: living with the risk and implementing further mitigations in order to reduce it.
Only senior management can decide what the company’s risk tolerance is and fund more mitigation. But the BCM staff perform the essential role of finding out the level of residual risk, reporting it up the chain, and educating senior management (and the entire organization) about the risk management cycle in general and residual risk in particular.
Further Reading on Managing Residual Risk
For more information on managing residual risk and other hot topics in BC and IT/disaster recovery, check out these recent posts from MHA Consulting and BCMMETRICS:
- You’re Doing It Wrong: Residual Risk
- Risky Business: 9 Ways That Not Measuring Residual Risk Can Harm Your Organization
- Everything You Always Wanted to Know About Managing Risk but Were Afraid to Ask
- The Risk Management Process: Manage Uncertainty, Then Repeat
- Types of Risk: Don’t Forget to Keep Tabs on Your Long-Term Risks