If you’ve been following along on our blog, we’ve been deconstructing some of the most important concepts in business continuity—among them is residual risk. Companies that measure the residual risk of their recovery plans are practicing business continuity at its best. They implement risk mitigation plans to reduce risk, craft contingency plans to respond in times of need, and do everything they can to ensure the strength of those plans, making it possible to reach the intended recovery goal.
If you’ve calculated your company’s residual risk and discovered that some or all of your business recovery plans are outside your risk tolerance level, it’s time to consider your options.
What Is Risk Mitigation?
Risk mitigation is central to business continuity. It is the act of taking steps to reduce the extent of exposure to a risk and/or the likelihood of its occurrence.
The key to reducing your risk lies in the strength of one or more of the mitigating controls for your business continuity program. Each of these controls plays a role in the success of the program; if one or more are not up to par, the level of residual risk for the business unit, and for your organization as a whole, goes up.
If you looked at your recovery plans today, could you identify the level of residual risk in each one based on the state of its mitigating controls (BIA, Recovery Strategy, Recovery Plan, Recovery Exercises, etc.)? And based on that calculated level of risk, would you know if that recovery plan is within or outside management’s tolerance for risk?
8 Mitigating Controls To Review
Once you’ve considered the answers to the previous questions, it’s time to evaluate each of the controls individually as they apply to the recovery plan. One or more of the mitigating controls may need shoring up if you hope to control the level of residual risk.
1. Your business continuity management team.
Objectively consider whether there might be any deficiencies within the team itself that could be causing the risk.
- Do your team members have enough training?
- Does the team have enough people and other resources to do the job properly?
- Does it have sufficient management support?
- Do members have the deep knowledge required to perform the job capably?
2. Policies and standards.
Policies explain how you plan to implement business continuity activities; standards support the policies and their implementation. To evaluate this area, ask:
- Do we have policies and standards?
- Do we enforce them?
- Are they consistent with best practices?
- Are they easy to understand?
- Do they meet the needs of our company?
- Have we communicated the policies and standards to the relevant parties?
3. Your Business Impact Analysis (BIA).
The strength of a recovery plan relies in part on an accurate and on-target Business Impact Analysis. Ask:
- Have we conducted a BIA?
- Are we conducting BIAs regularly?
- Is the BIA giving us accurate information?
- Is the IT department well informed about the results of the BIA, including the computer systems/applications that need to be recovered and the time they need to be recovered by?
4. Training and awareness.
As in sports, you need to train your team hard enough that when the game comes, they're playing at the appropriate level. Ask:
- Do we have a training and awareness standard? (For instance, training once a year.)
- Is the standard rigorous enough?
5. Your recovery plan.
Often there are problems within the recovery plan itself. Hopefully you have a plan to begin with. (If you don’t, that’s a problem.) To evaluate it, ask:
- Do we have a standardized recovery plan template?
- Does it contain the right pieces of information to ensure we can recover?
- Is it consistent with best practices?
- Does it follow a logical progression of steps? It should progress naturally from when an event happens, to the activation of the plan, to steps for recovery, and back to business as usual.
6. Recovery strategies.
In our experience, the most significant risk lies here. Too many businesses do not have standardized recovery strategies outlining the minimum standards that must be met for recovery. For highly critical business processes (those that must be recovered in 24 hours or less), a work-at-home strategy would be less effective than having an alternate site that workers can be transferred to right away. Evaluate your recovery strategies by asking:
- Are they reasonable for the level of criticality of the business unit?
- Do we have the resources (people, time, and money) to implement the recovery strategies?
- Do we enforce the strategies through our policy and standards?
7. Recovery exercises.
After recovery strategies, this is the second-most-significant area of risk. Practicing your recovery strategy is absolutely necessary. Don’t simply talk about what you’ll do in the event of a disruption; practice it. Go to your alternate site for a period of time and run your systems from there. Does it really work? To evaluate your recovery exercises, ask:
- Are we conducting recovery exercises?
- Are our recovery exercise standards comprehensive and rigorous enough to ensure we can recover our business?
- Are we conducting the highest level of exercise possible for our most critical units?
8. Third-party supplier risk.
Many companies work with numerous third parties but have no idea how those parties would fare in the event of a disruption of their business. Their plans affect yours. Ask:
- Do you know all of the third-party suppliers for each business unit?
- How would those suppliers be ranked in terms of criticality to your business?
- Do you know if they’re protected by a business continuity plan?
Improve Your Ability To Mitigate Risk
The Residual Risk (R2) assessment tool by BCMMetrics™ offers a simple, reliable way to understand and manage risk. It helps identify where pockets of residual risk exist in your organization; it also helps determine the magnitude of the risk and evaluates the mitigating controls to show how you can improve.
The tool also enables speedy sharing of risk analysis results. You’ll get detailed reports of your residual risk, graphs visualizing areas outside and within risk tolerance, and action item reports. All of this is in an easy-to-use, cloud-based tool that enables you to get the job done yourself—and have confidence that it’s done right.