Risky Business: 9 Ways That Not Measuring Residual Risk Can Harm Your Organization

Do you wear your seatbelt when driving or riding in a car?

If you are like over 85 percent of the people in the United States, then you do, according to the National Highway Traffic Safety Administration (via Wikipedia).

Does your organization’s business continuity program use the tool of residual risk to quantify the amount of exposure you have to natural, man-made and technological disasters?

If your program is like over 85 percent of programs in the U.S., then you don’t, according to informal surveys I take when I speak at business continuity functions around the country. In fact, I would say that over 95 percent of programs do not measure residual risk.

This is unfortunate, because just as using a seatbelt reduces the risk of being hurt while traveling in a car, measuring residual risk reduces the damage your organization is likely to suffer in the event of a disruption or disaster.

Those of us who have been around for a while know that in the old days many fewer people wore seatbelts than do now. According to the NHTSA (again via Wikipedia), in 1983 only 14% of drivers wore them. I hope that over time, business continuity programs come to embrace the use of the tool of residual risk in the same way that motorists have accepted the use of seatbelts.

In today’s post, I’m going to give a brief refresher on what residual risk is, then share my list of the nine main risks companies are exposing themselves to by not measuring and tracking it.

Residual Risk in a Nutshell

You’ve probably heard this before, but I’m going to give a brief refresher for those who are rusty on the topic.

Residual risk is the amount of risk left in your recovery plans after the protections provided by your risk mitigation controls is taken into account. Risk mitigation controls are measures such as business impact analyses (BIAs), recovery exercises, and other measures you implement to bring down your total risks.

As an analogy, in football, there is a certain amount of inherent risk in the game—and that risk is reduced by the use of shoulder pads, helmets, padding around the goalposts, detailed rules, referees to enforce the rules, and so on. Those measures are the mitigation controls, and the risk which remains is the residual risk. (Whether the residual risk is still too high is a topic for another day.)

9 Risks Organizations Run by Not Measuring Residual Risk

 So what risks do organizations run by not measuring residual risk and tracking how it changes over time?

1. Overlooking gaps in their program.
2. Paying for more protection than they need.
3. Getting stuck in the documentation stage and never moving on toward assessing recoverability.
4. Being unable to demonstrate the value of their program to management.
5. Never getting management to think about how much risk they are willing to tolerate and commit in policy to a specific level.
6. Never truly understanding the state of their program. Never seeing clearly what they are doing well and where their opportunities for improvement lie.
7. Being in the dark regarding how their program is changing over time.
8. Not knowing if they are doing the right level of testing, in terms of matching the intensity of the test (e.g., tabletop versus functional) to the criticality of the activity.
9. Never knowing if their recovery strategies are truly capable of recovering their processes or systems.

By measuring residual risk in your recovery plans, you gain a clear picture of what you are doing well and where you remain vulnerable. This information is immensely valuable. It helps you know where you need to take immediate action, guides you in intelligently spending your resources, and assists you in communicating your program’s needs and your team’s contribution to management. In short, it rationalizes a process that can otherwise be murky and random.

Wise motorists know that wearing seatbelts is a simple way to increase their safety as they travel they roads. Similarly, using the tool of residual risk can increase the safety of your organization as it goes about its business in our contemporary world of high manmade, natural, and technological risks.