Residual Risk: if you’re not familiar with the term, you should learn how it applies to your Business Continuity Management program.
In pulmonary science (the study of lungs) there’s something called ‘residual volume’. That’s the amount of air that remains in your lungs after you forcefully exhale. No matter how hard you try, there will always be residual volume.
In Business Continuity Management there’s something called ‘residual risk’. It’s not much different: once you’ve mitigated identified risks, what’s left is residual risk. No matter what you do, there will always be residual risks. Business Continuity Plans are the primary tactic to deal with those residual risks.
There are chiefly four ways you can deal with risks:
- Avoidance
- Transfer
- Acceptance
- Reduction
Avoidance is what you do when you move your facility from an earthquake zone to Phoenix (where there is a very low earthquake potential). Or you divide your IT operations among two or more data centers (and use each to back up another) to assure availability. Or simply eliminate a risky process, or stop producing a hazardous product.
Risk is transferred when you buy insurance, or outsource your IT to a major 3rd party. (If you outsource it to “Bob’s IT”, that may not be a transfer – it may be multiplication of the original risk!). Or your company might sell a division or product to shift the risk to the new owner.
Acceptance is inherent in an organization’s decision to do nothing about a risk – which signals its willingness to accept both its existence and its potential impact. Why accept a risk? A cost/benefit analysis may show the impact cost is less than the mitigation cost (perhaps it is too expensive to move that facility out of the earthquake zone), maybe the probability is so low that investing in a long-term mitigation strategy isn’t necessary. Or perhaps Management may simply be willing to take the risk – hoping they’ve made the right call.
Reducing risks has many forms, including (but not limited to):
- Split Production. Using the example cited earlier, you could open a second facility in Phoenix and divide processing between it and your San Andreas, California location.
- Supplier Diversity. Managing enterprise-wide supply chains to reduce over-reliance on specific suppliers.
- Geographic Diversity. Contracting with multiple suppliers to reduce reliance on a geographic area or transportation mode.
- Physical Mitigation. Installing K-braces in your building to reduce the potential impact of an earthquake. Or installing a standby electrical generator. Or a fire suppression system.
- Alternative Access. Equipping critical employees with the means to work remotely if needed.
When all potential risks have been identified, and mitigation efforts are put in place, what remains is residual risk: those that – for one reason or another are still a threat, and are worth worrying about. That where the role of Business Continuity planning gets its importance.
Because your organization cannot (or has chosen not to) transfer, reduce or avoid certain risks, the Business Continuity Management program is the last line of defense against those threats. By narrowing the program’s focus to mitigating residual risks, the scope of the program is clear. Now it’s just a matter of getting to work!
