
Understanding Inherent Vs. Residual Risk In Business Continuity

Written by Michael Herrera | Apr 4, 2017 10:32:30 AM

NASA takes risk management seriously. In its own words, “Effective risk management is critical to mission success.” NASA’s ideas and practices related to risk management got us to the moon and beyond, which is why I advocate for applying similarly high standards to the practice of business continuity management. Your organization may not be preparing to search for signs of past microbial life on Mars, but your company’s mission is critical in its own way—especially for the people you employ and the customers you serve.

One of those ideas involves inherent vs. residual risk. NASA was one of the first to apply these concepts as a way of evaluating risk; other organizations and industries have employed them as well. I think they can be equally effective in evaluating risk for businesses. Let’s examine the differences between the two concepts and how they can be used in business continuity.

Inherent Vs. Residual Risk In Business Continuity

The purpose of your business continuity activities is to ensure that your organization is prepared to continue certain critical operations at a predetermined acceptable level in the event of a disruptive incident. I think we can all agree that’s a given.

Here’s the part that may be up in the air: Do you really want to know if the plans you’ve put into place will work or not?

If you do—and you want to significantly increase the likelihood that your recovery plans will succeed—you’ll use the concepts of inherent and residual risk to assess their effectiveness and make the required adjustments to improve.

Inherent Risk

Inherent risk is the risk of the entity you’re trying to measure, without mitigating controls.

In the case of business continuity, we’re talking about the risks associated with a particular recovery plan for a particular business unit—for instance, the accounts payable department, the call center, or the SAP system. Inherent risk is what it is. It’s formed by the realities that exist before you’ve made any attempt to address them, and will influence the development of your recovery plan.

The inherent risk associated with a recovery plan is made up of two factors related to the business unit the plan covers:

  1. The recovery time objective of the recovery plan. This refers to the amount of time after a disruption (one day, three days, a week, etc.) in which a system, an application, or a process must be functional again. It’s essentially a measure of the criticality of a particular business process.
  2. The threat landscape of the business unit. This refers to the various threats a particular recovery plan has associated with it. Threats may range from location (downtown New York City poses a higher threat level than other locations, for instance) to technology (if the business unit relies on numerous complex computer systems, for example).

Inherent risk is used in calculating residual risk.

Residual Risk

The residual risk is the amount of risk that remains after all efforts have been made to identify and eliminate risk (i.e., your mitigating controls).

The efforts you’ve made to identify and eliminate risk must include:

  • Management’s risk tolerance. What amount of risk is management willing to tolerate? Based on the criticality of the recovery plan (and therefore the level of inherent risk), management may have high, moderate, or low risk tolerance in the event of a disruption. Consider the business impact of a disruption to a call center vs. a marketing department. Based on their levels of criticality, management’s risk tolerance is likely to be lower for one department than it would be for the other. For business units with high inherent risk, tolerance will be very low. For units that have moderate inherent risk, the level of tolerance may be moderate as well. For units with low inherent risk, there will likely be high risk tolerance.
  • The state of the mitigating controls. You must consider the quality and status of each of the following: the business impact analysis, your recovery strategy, your recovery exercises, the recovery plan and its team, training and awareness, and third-party supplier risk.

In the end, your calculations for residual risk will tell you definitively if the business continuity program you’ve spent time, money, and resources on can be executed effectively—or where your organization may be exceeding the recovery needs of the business, allowing you to make adjustments and conserve resources.
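To make the relationship between the pieces concrete, here is a small scoring model written for this post as an added illustration; it is not the author's method and not the formula behind the BCMMetrics R2 tool. It takes the inputs named above (a plan's recovery time objective, its threat landscape, the state of the six mitigating controls, and a tolerance level derived from the inherent risk band) and produces a residual risk figure to compare against tolerance. Every scale, weight and threshold in it is an assumption chosen for the example, and the two sample business units are constructed data.

```python
"""Constructed scoring model for the inherent/residual risk process described above.

The scales, weights, thresholds and the tolerance mapping are assumptions made for
this example only; they are not the formula of the BCMMetrics R2 tool.
"""

# --- Inherent risk: RTO criticality x threat landscape (assumed 1-5 scales) ---

def rto_score(rto_hours: float) -> int:
    """Shorter recovery time objective -> higher criticality (assumed thresholds)."""
    if rto_hours <= 4:
        return 5
    if rto_hours <= 24:
        return 4
    if rto_hours <= 72:
        return 3
    if rto_hours <= 168:
        return 2
    return 1

THREAT_RATING = {"low": 1, "moderate": 3, "high": 5}

def inherent_risk(rto_hours: float, threats: dict) -> float:
    """RTO criticality x mean threat rating, normalised to 0-100 (assumed formula)."""
    if not threats:
        raise ValueError("threat landscape must list at least one threat")
    mean_threat = sum(THREAT_RATING[level] for level in threats.values()) / len(threats)
    return rto_score(rto_hours) * mean_threat / 25 * 100

def risk_level(score: float) -> str:
    """Band a 0-100 score into the high/moderate/low levels used in the text."""
    if score >= 60:
        return "high"
    if score >= 30:
        return "moderate"
    return "low"

# --- Tolerance: the text's mapping (high inherent -> low tolerance); numbers are assumed ---
MAX_ACCEPTABLE_RESIDUAL = {"high": 20, "moderate": 40, "low": 60}

# --- The mitigating controls named in the text, each rated 0.0 (absent) .. 1.0 (fully effective) ---
CONTROLS = (
    "business_impact_analysis",
    "recovery_strategy",
    "recovery_exercises",
    "recovery_plan_and_team",
    "training_and_awareness",
    "third_party_supplier_risk",
)

def control_effectiveness(controls: dict) -> float:
    """Mean rating across all named controls; an unrated control counts as absent (0.0)."""
    for name, rating in controls.items():
        if name not in CONTROLS or not 0.0 <= rating <= 1.0:
            raise ValueError(f"bad control rating: {name}={rating}")
    return sum(controls.get(c, 0.0) for c in CONTROLS) / len(CONTROLS)

def residual_risk(inherent: float, controls: dict) -> float:
    """Residual = inherent x (1 - control effectiveness) (assumed formula)."""
    return inherent * (1.0 - control_effectiveness(controls))

def assess(unit: str, rto_hours: float, threats: dict, controls: dict) -> dict:
    """Run one recovery plan through the model and compare residual risk with tolerance."""
    inherent = inherent_risk(rto_hours, threats)
    level = risk_level(inherent)
    residual = residual_risk(inherent, controls)
    tolerance = MAX_ACCEPTABLE_RESIDUAL[level]
    effectiveness = control_effectiveness(controls)
    # Flag possible over-investment: low inherent risk, strong controls, residual far under tolerance
    over_invested = level == "low" and effectiveness >= 0.75 and residual <= tolerance / 4
    return {
        "unit": unit,
        "inherent": round(inherent, 1),
        "inherent_level": level,
        "control_effectiveness": round(effectiveness, 2),
        "residual": round(residual, 1),
        "tolerance": tolerance,
        "within_tolerance": residual <= tolerance,
        "exceeds_recovery_need": over_invested,
    }

# Constructed sample plans (not real data): a critical call center and a low-criticality marketing unit
CALL_CENTER = dict(
    unit="call center", rto_hours=4,
    threats={"location": "high", "technology": "high"},
    controls={"business_impact_analysis": 0.9, "recovery_strategy": 0.8,
              "recovery_exercises": 0.5, "recovery_plan_and_team": 0.7,
              "training_and_awareness": 0.6, "third_party_supplier_risk": 0.4},
)
MARKETING = dict(
    unit="marketing", rto_hours=336,
    threats={"location": "low", "technology": "low"},
    controls={c: 0.8 for c in CONTROLS},
)

if __name__ == "__main__":
    for plan in (CALL_CENTER, MARKETING):
        print(assess(**plan))
```

With these assumed scales, the call center scores the maximum inherent risk, so its tolerance is the lowest band; even with reasonably mature controls its residual risk stays above that line, which is exactly the kind of gap the calculation is meant to surface. The marketing unit lands in the low band with residual risk far below its tolerance, which the model flags as a candidate for reclaiming resources. The thresholds are the first thing to revisit when adapting a model like this, since they encode management's risk tolerance rather than any fixed truth.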

See Your Business Continuity Program More Clearly

“Inherent vs. residual risk” is more accurately phrased “inherent and residual risk,” as the two concepts go hand in hand. Despite their value, however, very few organizations do the legwork required to evaluate the inherent and residual risk in their business and/or information technology recovery plans. While the process may uncover areas in need of improvement, it also helps organizations to optimize valuable resources and effectively minimize risk.

Evaluating your residual risk doesn’t have to be hard. Our Residual Risk (R2) tool, part of the BCMMetrics™ business continuity software suite, was designed specifically to provide organizations like yours with a quantitative method to evaluate risk. Cloud-based and secure, the tool walks you through the process of evaluating your mitigating controls, calculating inherent and residual risk, and assessing risk tolerance levels. You’ll get the results in detailed reports and simple charts that can be easily shared with the appropriate stakeholders.

If you’d like to ensure that your business has truly manageable levels of residual risk—and a business continuity program that actually works—take the first step and schedule a demo to see the R2 tool in action.