Last week we talked about the importance of finding out management’s risk tolerance and creating a business continuity program which will keep risk for the organization within those limits. Today, I thought I’d get more specific about how you go about doing that by discussing the five most important risk mitigation controls within your business continuity plan.
The way to limit the risk in your program is by implementing measures to limit the adverse effects of potential events: risk mitigation controls.
Here’s an example of how mitigation controls play a role in your everyday life: When you tell an ATM how much cash you want and receive that exact amount—with the withdrawal being accurately noted on your statement—this comes about because of a whole series of mitigation controls that have been put in place by the bank. These controls are meant to accurately manage and track cash disbursements.
In risk management, mitigation controls provide a parallel type of control over risk.
There are many risk mitigation controls, but some are more important than others, particularly in the field of business continuity management. Which ones are the most worthwhile for organizations to focus on in managing their level of risk? I asked myself this question when I was designing the BCMMETRICS™ suite of tools, particularly Residual Risk (R2). I wanted the tool to concentrate on the areas that matter most for managing risk, in order to maximize its value for future users.
I had my own ideas on the subject, but I wanted to test and refine my thoughts against the knowledge of my colleagues in the field. I set about asking the people in my network which mitigation controls they believed to be the most important for business continuity management plans. The discussions that followed led me to identify five of them as being especially critical and effective.
The 5 Most Important Risk Mitigation Controls
These five controls ended up at the heart of the Residual Risk tool, and they are the ones that I think would be most beneficial for you to concentrate on as you manage the business continuity plan risk in your organization. Here they are:
- Business Impact Analysis. The BIA is one of the most important controls. In order to help the organization manage and control its risk, you should conduct regular BIAs, and they should be current, comprehensive, and properly assess the level of criticality in the continuity plan.
- Recovery Strategy. Once you have the results from a good BIA you can use them as the foundation for your second control, the Recovery Strategy. The strategy should reflect how quickly you need to recover the business unit, and should be fully implemented and validated.
- Recovery Plan. The task here is to write a plan that comprehensively outlines the steps and actions you need to take in order to utilize the recovery strategy to recover the business unit and its critical processes.
- Recovery Exercises. Have you tested your strategy and plan to make sure you can actually recover based on them? This is about not just stress testing, but practice as well, and most organizations don’t do nearly enough of it.
- Third-party Suppliers. With some business units this might not be an issue; with others it's critical. If you have a significant dependency on a third-party supplier, your operation is only as resilient as theirs is. You can have a great strategy and plan, but a chain is only as strong as its weakest link. Are your third-party suppliers the weak link in your unit's recoverability? This issue is becoming more important as more companies shift vital operations to cloud-based services run by third-party vendors.
So those are the five risk mitigation controls you should focus on to help you make sure your organization’s business continuity plan risk levels stay within the tolerance levels set by your senior management.
Of the five, which two are the most important? I would say, Recovery Strategy and Recovery Exercises. These two controls are the ones that truly drive the success of the plan. They are the engine. When I see people get into trouble, it’s usually because they didn’t create a recovery strategy that truly meets the needs identified in the BIA. It can also be because they haven’t conducted recovery exercises that were sufficiently stringent to establish that their plans can actually recover the business.
With regard to exercises, this area in particular is one where I see a lot of organizations short-changing themselves. Most companies, if they test their systems at all, limit themselves to walkthrough, tabletop-type exercises. Very few companies, maybe ten to fifteen percent, actually go to the recovery site and make sure they can truly achieve recovery of the business units, processes, and associated information technology.
I think of those companies that don’t conduct realistic exercises as being like underprepared distance runners.
Suppose you decided it would be cool to run a marathon. (It is rewarding, as I can attest from experience.) And suppose in the days before the race you decided it would be smart to make sure you had sufficient stamina to run the entire 26.2-mile distance, before you actually got out there in public on the big day and tried to do it. And suppose you then jogged a distance of one mile and told yourself that you were fully prepared for the complete race. Not only that, but you also bet everything you owned that you were prepared. Obviously, if this were the full extent of your testing, you would really know nothing about your ability to run 26.2 miles. In fact, you would be highly unlikely to make it even a significant fraction of that distance. This is the approach most companies take to their recovery exercises.
So now you know the five key risk mitigation controls and which two are the most important of all. You also know that it’s critical to conduct realistic exercises to ensure that you really can recover your business processes and systems, if and when you face the need to do so. With this knowledge, you are in a good position to make sure that your company’s program keeps business continuity plan risks within the level the senior managers have indicated they are willing to tolerate.
Improve Your Ability To Mitigate Risk
The Residual Risk (R2) assessment tool by BCMMetrics™ offers a simple, reliable way to understand and manage risk. It helps identify where pockets of residual risk exist in your organization; it also helps determine the magnitude of the risk and evaluates the mitigating controls to show how you can improve.
The tool also enables speedy sharing of risk analysis results. You’ll get detailed reports of your residual risk, graphs visualizing areas outside and within risk tolerance, and action item reports. All of this is in an easy-to-use, cloud-based tool that enables you to get the job done yourself—and have confidence that it’s done right.