NASA takes risk management seriously. In its own words, “Effective risk management is critical to mission success.” NASA’s ideas and practices related to risk management got us to the moon and beyond, which is why I advocate for applying similarly high standards to the practice of business continuity management. Your organization may not be preparing to search for signs of past microbial life on Mars, but your company’s mission is critical in its own way—especially for the people you employ and the customers you serve.
One of those ideas involves inherent vs. residual risk. NASA was one of the first to apply these concepts as a way of evaluating risk; other organizations and industries have employed them as well. I think they can be equally effective in evaluating risk for businesses. Let’s examine the differences between the two concepts and how they can be used in business continuity.
The purpose of your business continuity activities is to ensure that your organization is prepared to continue certain critical operations at a predetermined acceptable level in the event of a disruptive incident. I think we can all agree that’s a given.
Here’s the part that may be up in the air: Do you really want to know if the plans you’ve put into place will work or not?
If you do—and you want to significantly increase the likelihood that your recovery plans will succeed—you’ll use the concepts of inherent and residual risk to assess their effectiveness and make the required adjustments to improve.
Inherent risk is the risk of the entity you’re trying to measure before any mitigating controls are applied.
In the case of business continuity, we’re talking about the risks associated with a particular recovery plan for a particular business unit—for instance, the accounts payable department, the call center, or the SAP system. Inherent risk is what it is. It’s formed by the realities that exist before you’ve made any attempt to address them, and will influence the development of your recovery plan.
The inherent risk associated with a recovery plan is made up of two factors related to the business unit the plan covers:
Inherent risk is used in calculating residual risk.
Residual risk is the amount of risk that remains after all efforts have been made to identify and eliminate risk (i.e., after your mitigating controls have been applied).
The efforts you’ve made to identify and eliminate risk must include:
In the end, your calculations for residual risk will tell you definitively if the business continuity program you’ve spent time, money, and resources on can be executed effectively—or where your organization may be exceeding the recovery needs of the business, allowing you to make adjustments and conserve resources.
“Inherent vs. residual risk” is more accurately phrased “inherent and residual risk,” as the two concepts go hand in hand. Despite their value, however, very few organizations do the legwork required to evaluate the inherent and residual risk in their business and/or information technology recovery plans. While the process may uncover areas in need of improvement, it also helps organizations to optimize valuable resources and effectively minimize risk.
Evaluating your residual risk doesn’t have to be hard. Our Residual Risk (R2) tool, part of the BCMMetrics™ business continuity software suite, was designed specifically to provide organizations like yours with a quantitative method to evaluate risk. Cloud-based and secure, the tool walks you through the process of evaluating your mitigating controls, calculating inherent and residual risk, and assessing risk tolerance levels. You’ll get the results in detailed reports and simple charts that can be easily shared with the appropriate stakeholders.
If you’d like to ensure that your business has truly manageable levels of residual risk—and a business continuity program that actually works—take the first step and schedule a demo to see the R2 tool in action.