Everyone in business continuity knows about risk mitigation controls, but do you know which ones are most important, according to the experts? That’s the topic of today’s blog.
TRIAL BY FIRE
Before we get started, I’d like to give a pop quiz. Do you know which of the following pieces of home fire-safety equipment is the most important, according to firefighters?
- Fire escape plan
- Fire escape ladder
- Class A fire extinguisher (for trash, wood, and paper)
- Class B fire extinguisher (for liquids and grease)
- Class C fire extinguisher (for electrical equipment)
- Combination fire extinguisher
- Bucket
- Flashlight
- Smoke detector
Which is the second most important? Which third? Which least? Don’t you agree it would be good to know?
Most of us can only budget a limited amount of time and resources toward home fire safety. We make calculations balancing the risk, potential impact, and the other demands on our time and resources. After implementing a few safety measures, we then get on with the rest of our lives.
That being the case, shouldn’t we make sure the measures we take are the most effective of the available options?
In terms of which fire-safety equipment is most important, I’m going to defer to the professionals. (Here are some tips from Ready.gov.) But as you’ll see, the same problem comes up in an area I do know something about: risk mitigation controls.
RISK MITIGATION CONTROLS EXPLAINED
In the beginning of today’s post, I said that everyone in business continuity knows about risk mitigation controls. But here’s a reminder, in case you’re rusty or from another field: Risk mitigation controls are the measures we take to reduce the risk of our activities.
In business continuity, it’s common to talk about the total risk of an enterprise, which is the inherent risk, or the risk that exists before any mitigating controls are put into place. After assessing that, we look at the measures we’ve taken to reduce risk, which are the risk mitigation controls. (In terms of our fire-safety example, smoke detectors and fire extinguishers would both be considered risk mitigation controls.)
Finally, we subtract the mitigated risk from the inherent risk to arrive at residual risk, which is how much risk remains to the enterprise after our risk mitigation controls are taken into account. (One of the key goals of business continuity is to reduce residual risk, bringing it in line with management’s risk tolerance.)
MITIGATION CONTROLS IN BCM
In business continuity, there are anywhere from 5 to 10 measures that are commonly regarded as the key mitigation controls. Here are what I would consider to be the seven main controls, in alphabetical order (for more information on each one, see the Further Reading section at the end of the post):
- Business Impact Analysis
- Recovery Exercise
- Recovery Plan
- Recovery Strategy
- Recovery Team
- Third Party Supplier Risk
- Training & Awareness
These seven things are the measures we take to reduce the risk at our organizations. They are the ways we increase our resilience and make us better prepared to deal with disruptions.
Does your organization have the ability to implement all of them, right away, to the highest standard? If so, great. You should do it. It would provide incredible protection to your organization and everyone who depends on it.
More likely, you can’t take this approach. It’s more probable that you have to prioritize and skip some things, at least for now. OK, fine, no problem. We can handle that. We’re realists. But in that case, which controls should you focus on right now, to get the most bang for your buck (in other words, the most protection for the least money)?
THE TOP 7 RISK MITIGATION CONTROLS IN ORDER OF IMPORTANCE
I’ve been a business continuity consultant for almost twenty years. As the head of BCMMETRICS and MHA Consulting, I have the good fortune to get to work with some of the best consultants in the business. Through our clients, I’m also in touch daily with BC professionals from a wide range of industries from all across the country.
One of the things I frequently talk about with my colleagues is the subject of risk mitigation controls, and specifically which ones really deliver in terms of increasing resilience and recoverability. Based on all that, I would say the following represents our consensus view of the key BCM mitigation controls in order of importance:
- Recovery Exercise
- Recovery Strategy
- Recovery Team
- Recovery Plan
- Business Impact Analysis
- Third Party Supplier Risk
- Training & Awareness
If I were writing this tomorrow, I might arrange the list a little differently. But basically this is my take, based on my experience and that of my colleagues, of the main risk mitigation controls in order of importance.
THE BOTTOM LINE
What’s the bottom line? If you only have limited resources to devote to business continuity – and don’t we all? – then in my opinion, you will get the biggest benefits by focusing first on conducting Recovery Exercises, developing your Recovery Strategy, and refining your Recovery Team and Plans. Once those are in good shape, you could turn to the other items on the list.
FURTHER READING
For more information on risk mitigation controls and other hot topics in business continuity management, check out these recent posts from BCMMETRICS and MHA Consulting:
- The 5 Most Important Risk Mitigation Controls
- Risk Mitigation: 8 Controls That Can Reduce Risk
- Risky Business: 9 Ways That Not Measuring Residual Risk Can Harm Your Organization
- Go Like a Rocket: 3 Tools to Help You Manage Enterprise Risk
- Compliance and Residual Risk – It’s Not Just For Big Companies
