Reducing risk is at the heart of everything we do as business continuity professionals. This week’s blog post will spell out the key concepts relating to this all-important goal; call it “The Ultimate Guide to Residual Risk.”
Inherent Risk vs. Residual Risk
There are two main kinds of risk when it comes to organizational activities and business continuity: inherent risk and residual risk. Inherent risk is the danger intrinsic to any business activity or operation. Residual risk is the amount of risk that remains in an activity after mitigation controls are applied.
Putting it in mathematical terms:
(Inherent risk) – (the risk eliminated by your mitigation controls) = residual risk.
Mitigation controls are any steps taken or resources created to reduce organizational risk and make an operation safer. Examples include business impact analyses, recovery plans, and recovery exercises.
Here’s an illustration of inherent and residual risk from everyday life:
There’s inherent risk in crossing a busy street (primarily, of being hit by a car). To reduce that risk, a person can implement mitigation controls such as crossing at a stoplight, wearing a high-viz vest, and carrying an orange flag. These controls reduce the risk but there is always some danger left over (e.g., a driver might run a red light and hit you despite the precautions you’ve taken). This leftover risk is the residual risk.
Generally, in business continuity, we spend more time worrying about residual risk than inherent risk. Inherent risk is what it is, but residual risk can be managed and reduced. In many cases it also has to be lived with.
Residual risk is one of the foundational concepts of business continuity management.
Identifying and reducing residual risk is the most cost-effective way of making an organization more resilient.
Understanding Risk Tolerance
In managing risk, the goal for organizations is not to get their risk down to zero. It is to bring it down within the level management has decided is acceptable, that is, its risk tolerance level.
In deciding its risk tolerance level, management should analyze the cost to the organization of having its operations offline.
An organization that can undergo an outage of five days at no great cost is justified in having a high risk tolerance. An organization that would suffer a large impact as the result of an outage of two hours should be willing to tolerate very little risk.
Where risk tolerance is high, controls can be relaxed. Where it is low, controls must be tight. (An organization’s risk tolerance also tends to reflect the personality of the senior managers; some like to gamble, others are risk averse.)
Finally, even within a given organization, risk tolerance can and should vary across different parts of the operation depending on their criticality.
The Four Risk Mitigation Strategies
As mentioned above, mitigation controls are steps organizations can take to bring down the risk inherent in their activities and operations. A related but higher level concept is that of risk mitigation strategies.
There are four main risk mitigation strategies:
- Risk acceptance. A strategy involving a conscious decision to remain vulnerable to a potential harm, usually based on a cost-benefit analysis.
- Risk avoidance. A strategy centered on altering organizational behavior to eliminate a given risk.
- Risk limitation. A strategy in which measures are taken to reduce risk, short of completely eliminating it. Incorporates a combination of the strategies of risk avoidance and risk acceptance.
- Risk transfer. A strategy in which a risk is passed on to another organization, such as by hiring a third-party vendor to perform the associated function.
Most organizations use some combination of all of these strategies to manage their risks.
All the activities you perform as a BC professional should map to one of the risk mitigation controls or strategies.
The Big Three of Residual Risk
At most organizations, residual risk typically lurks in one or more of three areas: recovery strategies, recovery exercises, and basic infrastructure. Let’s look at them one by one.
- Recovery strategies. Most companies have sound recovery strategies but many fall short in implementing them. This is equivalent to a hotel figuring out the most efficient fire-escape route for every room but not installing signs in the rooms telling guests what they are. One of the best ways for organizations to bring their residual risk below management’s risk tolerance level is to fully implement their recovery strategies.
- Recovery exercises. Many organizations conduct recovery exercises, but too often these are insufficiently rigorous and realistic. Tabletop exercises might be adequate for less critical functions; they are not adequate for processes that are time-sensitive and mission-critical. Critical processes need to be fully tested to ensure that they are recoverable within the needed time frame. Setting up and fully implementing a solid testing program is another excellent way to reduce residual risk.
- Basic infrastructure. Many organizations have a great deal of residual risk hidden away in various parts of their infrastructure. Often their infrastructure is fragile and not well understood. The most vulnerable areas tend to be electrical power, data backups, and network connectivity. Many organizations lack sufficient backup power supplies to keep even their most critical equipment functioning in the event of a power outage. A lot of organizations do not make sure their data backups are functioning properly, which can lead to unexpected data loss. Many are dependent on unstable computer networks that lack redundancy, a situation that can easily result in operations coming to a halt. Strengthening these elements of basic infrastructure is an efficient way of reducing risk and improving resiliency.
How to Manage Residual Risk
Managing residual risk is not a project; it is an ongoing, cyclical process. The organization and environment are always changing, and the company’s risk management efforts must be adjusted as needed to keep up.
In most cases, residual risk should be looked at once a year, and at a minimum once every two years.
Managing residual risk is a matter of looking back at your program after you implement your risk mitigation strategies and seeing how much risk is left. Then ask yourself: are we as a company OK with this amount of risk? In other words, does the remaining risk fall within your organization’s risk tolerance? If it doesn’t, you’ll need to implement more risk mitigation controls.
Managing residual risk is similar to deciding how much of a deductible you are willing to accept in buying auto insurance. A cheaper policy is great, but that high deductible can be costly if you’re involved in an accident. (And in some cases, just as with car insurance, companies might be paying more for risk mitigation than they really need, if they have a relatively high risk tolerance.)
The key point is that the organization should be aware of its residual risk and make conscious decisions about it. What must be avoided is blindly carrying on with no idea of how much risk the company is running.
Working with Senior Management
As stated above, it is up to management to decide how much risk the organization can tolerate. The job of the BCM professional is to inform management of the risk situation and press them to make a decision on how much risk they are willing to live with.
If you find that there’s a significant amount of residual risk in your system, your job is to share the information honestly with management. Do not water down the message.
It’s the executives’ job to come up with the resources for more mitigation (or not).
As a BCM pro, the most you can do is to educate the leadership and the rest of the organization about the risk management cycle in general and residual risk in particular.
Here are a few suggestions on how to talk with senior management about residual risk:
- Don’t try to read the room.
- Don’t tell people what they want to hear.
- Be objective and forthright.
- Don’t underreport the risk.
- Don’t say the sky is falling (unless it is).
- Don’t take management’s response personally.
The best approach in talking to management about residual risk is to be assertive about making yourself heard, but leave it to them to decide what should be done.
The role of BCM staff is to find out the level of residual risk, report it up the chain, and educate senior management (and the entire organization) about the risk management cycle in general and residual risk in particular.
Only senior management can decide what the company’s risk tolerance is and fund more mitigation.
Calculating Residual Risk
In recent years, MHA has developed a methodology to systemize the calculation of residual risk.
It involves the following steps:
- Determine the recovery time objectives (RTOs) for critical business processes.
- Give each process a business impact score.
- Identify the major threats facing the organization.
- Assign each threat a probability level.
- Calculate the inherent risk factor.
- Determine the organization’s risk tolerance score.
- Score the risk mitigation controls.
- Weigh these controls against your chosen business continuity standard.
- Determine the weight score of the mitigation controls.
- Find the overall score for your mitigation control state.
- Compare this score to your risk factor–tolerance number.
If the overall mitigation control state score is equal to or higher than the risk factor–tolerance number, you are well within the tolerance range and your business recovery plan is on the mark. If it is lower, your plan is insufficient and you should take further action to strengthen it.
For a more detailed explanation of how to calculate residual risk, see this post by MHA CEO Michael Herrera. (Alternatively, contact us directly for advice and assistance.)
Risk reduction lies at the heart of business continuity. Residual risk is the risk that remains in an organization’s operations after mitigation controls are implemented. The four risk mitigation strategies are risk acceptance, risk avoidance, risk limitation, and risk transfer. The three areas where residual risk typically lurks in organizations are recovery strategies, recovery exercises, and basic infrastructure.
Managing residual risk is an ongoing process that requires continuous adjustment to keep up with changes to the organization and its environment. Bringing down residual risk is the most cost-effective way to boost an organization’s resilience.