Risk mitigation controls are the measures we take to reduce the risks our organizations face in carrying out their operations. This blog post lays out and explains the top eight controls in order of their importance.
Risk Mitigation Controls Explained
Business continuity is all about reducing risk. The total risk of any enterprise, before any mitigation controls are applied, is called the inherent risk. By applying risk mitigation controls, we can significantly reduce the risk remaining for the organization. The risk left after mitigation controls are taken into account is called residual risk. Residual risk is one of the key measures of business continuity; this is the type of risk that you want to bring below management’s declared risk tolerance level.
You can see why risk mitigation controls are important. They are the tool we apply to reduce the risk the organization is running, ideally to the point of bringing the organization’s residual risk below the level deemed acceptable by management.
In business continuity, there are around five to 10 measures that are commonly regarded as the key mitigation controls. These are the measures we can implement to reduce the risk at our organizations, increasing our resilience, and making us better prepared to deal with disruptions.
In today’s post we’ll look at what I believe are the top eight risk mitigation controls, listing them in rough order of importance.
This is a judgment call on my part, one informed by 25 years’ experience and countless conversations with my colleagues and clients.
It’s worth mentioning that exactly which controls a particular company should prioritize is influenced to an extent by the type of organization, the industry, the organization’s mission, and so on.
By “most important,” I mean the controls that an organization really needs to implement and get right in order to keep its exposure within safe and reasonable limits. These are also the controls that deliver the most bang for the buck in terms of increased resilience for dollars spent.
The Top 8 Risk Mitigation Controls in Order of Importance
- Recovery Strategy. This is the single most important risk mitigation control. The recovery strategy should reflect how quickly you need to recover the business unit. It should be fully implemented and validated. Too many businesses do not have standardized recovery strategies outlining the minimum standards that must be met for recovery. In evaluating your recovery strategies, good questions to ask include: Are they reasonable for the level of criticality of the business unit? Do we have the resources (people, time, and money) to implement the recovery strategies? Do we enforce the strategies through our policy and standards?
- Recovery Exercises. This is the second most significant area of risk. Practicing your recovery strategy is absolutely necessary. Don’t simply talk about what you’ll do in the event of a disruption; practice it. Use your alternate capabilities for a period of time and run your business processes and systems that way to see if they will work. To evaluate your recovery exercises ask: Are we conducting recovery exercises? Are our recovery exercise standards comprehensive and rigorous enough to ensure we can recover our business? Are we conducting the highest level of exercise possible for our most critical units? This is an area where I see a lot of organizations short-changing themselves. Most companies, if they test their systems at all, limit themselves to walkthrough, tabletop-type exercises. Very few companies, maybe 10 to 15 percent, actually use their recovery strategies and make sure they can truly achieve recovery of the business units, processes, and associated information technology. This is about not just stress testing, but practice as well, and most organizations don’t do nearly enough of it.
- Recovery Team. Your Recovery Team is a critical factor in reducing risk at your organization, provided the members are capable and well-trained. In assessing the ability of your Recovery Team, ask the following questions: Are there any deficiencies within the team that could be causing risk? Do your team members have enough training? Does the team have enough people and other resources to do the job properly? Does the team have sufficient management support? Do the members have the deep knowledge required to perform the job capably?
- Recovery Plan. The task here is to write a plan that comprehensively outlines the steps and actions you need to take in order to utilize the recovery strategy to recover the business unit and its critical processes. Often there are problems within the recovery plan itself. To evaluate a Recovery Plan ask: Do we have a standardized recovery plan template? Does it contain the right pieces of information to ensure we can recover? Is it consistent with best practices? Does it follow a logical progression of steps? The plan should progress naturally from when an event happens, to the activation of the plan, to steps for recovery, to going back to business as usual.
- Business Impact Analysis. The BIA is a very important control. In order to help the organization manage and control its risk, you should conduct regular BIAs, and they should be current, comprehensive, and properly assess the level of criticality in the continuity plan. The strength of a recovery plan relies in part on an accurate and on-target Business Impact Analysis. In evaluating your BIA situation, ask the following questions: Have we conducted a BIA? Are we conducting BIAs regularly? Is the BIA giving us accurate information? Is the IT department well informed about the results of the BIA, including the computer systems/applications that need to be recovered and the time they need to be recovered by? The results of the BIA feed into the mitigation controls described above.
- Third-Party Supplier Risk Mitigation. With some business units this might not be an issue; with others it’s critical. If you have a significant dependency on a third-party supplier, your operation is only as resilient as theirs is. You can have a great strategy and plan, but a chain is only as strong as its weakest link. Are your third-party suppliers the weak link in your unit’s recoverability? This issue is becoming more important as more companies shift vital operations to cloud-based services run by third-party vendors. Many companies work with numerous third parties but have no idea how those parties would fare in the event of a disruption to their business. Their plans affect yours. In assessing your third-party risk situation, ask the following questions: Do you know all of the third-party suppliers for each business unit? How would those suppliers be ranked in terms of criticality to your business? Do you know if they’re protected by a business continuity plan?
- Training and Awareness. A good training and awareness program reduces risk by ensuring that employees can respond effectively if and when a disruption strikes and recovery is necessary. In evaluating your training and awareness program, the questions to ask are: Do we have a training and awareness standard? Is that standard sufficiently rigorous?
- Policies and Standards. Policies explain how you plan to implement business continuity activities. Standards support the policies and their implementation. They set the tone. In assessing where your organization stands in this area, good questions to ask include: Do we have policies and standards? Do we enforce them? Are they consistent with best practices? Are they easy to understand? Do they meet the needs of our company? Have we communicated the policies and standards to the relevant parties?
Bringing Down Risk and Improving Resilience
Risk mitigation controls are a critical tool in helping organizations bring the amount of risk in their operations below the level deemed acceptable by management. The best choice of mitigation tools for each company depends to an extent on its industry, mission, and similar factors.
However, experience has shown that a core group of controls tends to work best for most organizations. Those controls, in rough order of importance, are: Recovery Strategy, Recovery Exercises, Recovery Team, Recovery Plan, BIA, Third-Party Supplier Risk Mitigation, Training and Awareness, and Policies and Standards. These are the measures organizations should focus on in order to bring down their risks and improve their overall resilience.
Are There Tools Available to Improve Your Ability To Mitigate Risk?
The Residual Risk (R2) assessment tool by BCMMetrics™ offers a simple, reliable way to understand and manage risk. It helps identify where pockets of residual risk exist in your organization; it also helps determine the magnitude of the risk and evaluates the mitigating controls to show how you can improve.
The tool also enables speedy sharing of risk analysis results. You’ll get detailed reports of your residual risk, graphs visualizing areas outside and within risk tolerance, and action item reports. All of this is in an easy-to-use, cloud-based tool that enables you to get the job done yourself—and have confidence that it’s done right.
What is an example illustrating the process of assigning mitigating controls to assets and threats?
Let’s illustrate the process of assigning mitigating controls to assets and threats with a practical example:
Identifying the Asset and Threat
Imagine a company considers its primary server to be a crucial asset. This server stores critical and confidential information. The primary threat identified for this server is cyber-attack, to which the server is vulnerable.
Assessing the Asset and the Threat
The next phase involves evaluating both the asset and the threat. For the asset, we evaluate aspects such as its overall value and how critical the confidentiality, integrity, and availability of the data it holds are. For the threat, we must consider the likely impact of a cyber-attack, the likelihood that it will occur, and how vulnerable the server is to this threat.
Assigning Mitigating Controls
Upon assessing the severity of the threat relative to the asset, it becomes clear that the risk of a cyber-attack is significant. To mitigate this risk, the company opts to implement specific controls. These might include installing a robust antivirus program and setting up a comprehensive firewall system. Additionally, regular software updates and patches are applied to shield the server from new vulnerabilities.
Outcome
These actions, effectively implemented, reduce not only the probability of an attack but also the potential impact any attack could have. Thus, the overall security risk to the server is considerably diminished, protecting the vital data it holds. This process illustrates how assigning appropriate mitigating controls helps safeguard essential business assets from identified threats.
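As an added illustration (not part of the original post), here is a small Python model of the process above using constructed numbers: inherent risk is likelihood times impact, each mitigating control scales one or both of those factors, and the residual risk must fall below management's declared tolerance. The register also includes an uncontrolled third-party supplier dependency to show a pocket of residual risk that stays outside tolerance.

```python
from dataclasses import dataclass, field

@dataclass
class Control:
    """A mitigating control: factors by which it scales likelihood and impact (1.0 = no effect)."""
    name: str
    likelihood_factor: float = 1.0
    impact_factor: float = 1.0

@dataclass
class Risk:
    """One asset/threat pair from the risk register; values are constructed estimates."""
    asset: str
    threat: str
    likelihood: float                  # probability the threat occurs in a year
    impact: float                      # impact if it occurs, on a 1-5 scale
    controls: list = field(default_factory=list)

def inherent_risk(r: Risk) -> float:
    """Risk before any controls are applied (likelihood x impact)."""
    return round(r.likelihood * r.impact, 4)

def residual_risk(r: Risk) -> float:
    """Risk left after controls. Assumes controls act independently so their
    factors multiply; a real assessment would calibrate these figures."""
    likelihood, impact = r.likelihood, r.impact
    for c in r.controls:
        likelihood *= c.likelihood_factor
        impact *= c.impact_factor
    return round(likelihood * impact, 4)

def pockets_outside_tolerance(register: list, tolerance: float) -> list:
    """(asset, threat, residual) for each entry still above management's tolerance."""
    return [(r.asset, r.threat, residual_risk(r))
            for r in register if residual_risk(r) > tolerance]

# Constructed register mirroring the post's example (server facing cyber-attack)
# plus an uncontrolled third-party dependency for contrast.
ANTIVIRUS = Control("antivirus", likelihood_factor=0.7)
FIREWALL = Control("firewall", likelihood_factor=0.5)
PATCHING = Control("regular patching", likelihood_factor=0.6, impact_factor=0.8)
REGISTER = [
    Risk("primary server", "cyber-attack", likelihood=0.8, impact=5,
         controls=[ANTIVIRUS, FIREWALL, PATCHING]),
    Risk("payroll process", "third-party supplier outage", likelihood=0.4, impact=4),
]
RISK_TOLERANCE = 1.0  # management's declared tolerance level (constructed)

if __name__ == "__main__":
    print(pockets_outside_tolerance(REGISTER, RISK_TOLERANCE))
```

With these figures the server's risk drops from 4.0 to 0.672 and falls inside tolerance, while the unmitigated supplier dependency remains at 1.6 and is flagged.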