BCM Basics: Inherent Risk vs. Residual Risk

This post is part of BCM Basics, a series of occasional, entry-level blogs on some of the key concepts in business continuity management.

If you spend any time at all in the business continuity world, you are likely to encounter the terms inherent risk and residual risk. In today’s blog we’ll explain what these terms mean and why the concepts behind them are so important in helping organizations manage down risk and protect their stakeholders.

Related on MHA Consulting: Know Your Gaps: Manage Residual Risk to Keep Your Company Safe

Defining Inherent Risk and Residual Risk

MHA recently published a free guide to key business continuity terms called Strong Language: The MHA Glossary of Essential Business Continuity Terminology. This glossary is an excellent resource for anyone just getting started in business continuity (and might even be of interest to seasoned professionals).

In Strong Language, we define inherent risk as “The danger that resides in an activity before the application of mitigation controls.” Residual risk is defined as “The risk that remains in an organization or process after the implementation of mitigation controls.”

For someone new to business continuity management (BCM), these definitions will probably prompt the response, “OK, great; what are mitigation controls?”

The glossary covers that, too. Mitigation controls are “Steps taken and resources created to reduce organizational risk, e.g., business impact analyses, recovery plans, recovery exercises.”

In other words, inherent risk is the danger that is inherent in a business activity or operation. Mitigation controls are the steps you take to reduce that risk and make the operation safer. Residual risk is the risk that remains in the activity after the mitigation controls have been applied.

To put it in mathematical terms:

(Inherent risk) – (the risk eliminated by your mitigation controls) = residual risk

We can also explain the two kinds of risk with an example from everyday life. Think about crossing a busy city street. This activity comes with a certain amount of inherent risk (primarily, of being hit by a car). To reduce that risk, we can implement mitigation controls, such as crossing at a stoplight, wearing a high-visibility vest, carrying an orange flag, carefully checking both ways before stepping off the curb, and so on. These controls reduce the risk, but there is almost always some danger left over; this is the residual risk.

In crossing a street, your residual risk lies in such factors as the possibility that an impaired driver might come careening through, violating the traffic laws. In business continuity, we often find it in the persistence of various kinds of human error or noncompliance.

Generally, in business continuity, we spend more time worrying about residual risk than inherent risk. This is because inherent risk is what it is, but residual risk can be managed and reduced. In many cases it also has to be lived with, to some extent.

For BC professionals, risk reduction is the ballgame. This is the reason behind all the other BC activities we perform.

The Four Risk Mitigation Strategies

The concept of risk reduction leads straight to two other key BCM concepts: mitigation controls and mitigation strategies.

As we’ve seen, mitigation controls are steps organizations can take to bring down the risk that is built into their activities and operations. Mitigation strategies are a higher-level concept.

There are four risk mitigation strategies, and most organizations use some combination of all of them to manage their risks. The four strategies are:

  • Risk acceptance. A strategy involving a conscious decision to remain vulnerable to a potential harm, usually based on a cost-benefit analysis.
  • Risk avoidance. A strategy centered on altering organizational behavior to eliminate a given risk.
  • Risk limitation. A strategy in which measures are taken to reduce risk, short of completely eliminating it. It incorporates a combination of the strategies of risk avoidance and risk acceptance.
  • Risk transfer. A strategy in which a risk is passed on to another organization, such as by hiring a third-party vendor to perform the associated function.

All the activities you perform as a BC professional should map to one of the risk mitigation controls or strategies.

An organization’s ultimate goal should be to bring the risk level down until it falls within management’s stated risk appetite (“The theoretical amount of risk management is willing to accept as the organization carries out its activities”) and risk tolerance (“The amount of deviation from the organization’s risk appetite that management is willing to incur in a real-world situation”).

Because the environment and the organization are always changing, this is a cyclical, ongoing process.

Risk appetite and risk tolerance are a whole other topic and a whole other can of worms. (For one thing, getting management to decide on its risk appetite and risk tolerance, and to tell you what they are, can be like pulling teeth. But that’s a subject for another post.)

Now you can see why inherent risk and residual risk are such important concepts within BCM. They are the end of the string that leads straight to the essence of risk management, and pulling on it can help you untangle the whole knot of the business continuity challenge.

An Ongoing and Cyclical Process

Inherent risk is the totality of the danger residing in an organizational activity. Residual risk is how much risk remains in the activity after the safety measures known as mitigation controls are implemented.

In business continuity, risk management is an ongoing, cyclical process that involves using mitigation strategies and controls to bring the risk of the organization’s activities down to a level that is within management’s stated risk appetite and tolerance.

Further Reading

For more information on risk management and other hot topics in BC and IT/disaster recovery, check out these recent posts from MHA Consulting and BCMMETRICS:

About
Richard Long
Richard Long is one of MHA’s practice team leaders for Technology and Disaster Recovery-related engagements. He has been responsible for the successful execution of MHA business continuity and disaster recovery engagements in industries such as Energy & Utilities, Government Services, Healthcare, Insurance, Risk Management, Travel & Entertainment, Consumer Products, and Education. Prior to joining MHA, Richard held Senior IT Director positions at PetSmart (NASDAQ: PETM) and Avnet, Inc. (NYSE: AVT) and has been a senior leader across all disciplines of IT. He has successfully led international and domestic disaster recovery, technology assessment, crisis management, and risk mitigation engagements.