The term ‘residual risk’ is mandatory in the risk management process according to ISO 27001, but it is unfortunately very often used without appreciating the real meaning of the concept.
Residual risk is the risk remaining after risk treatment. After you identify the risks and mitigate the ones you find unacceptable (i.e. treat them), you will not have eliminated all of them, because that is simply not possible; some risks therefore remain at a certain level, and these are the residual risks. The point is that the organization needs to know exactly whether the planned treatment is enough or not.

Residual risks are usually assessed in the same way as the initial risk assessment: you use the same methodology, the same assessment scales, etc. What is different is that you take into account the influence of controls (and other mitigation methods), so the likelihood of an incident is usually lower and sometimes the impact is smaller as well. For more information about the risk management process, read ISO 27001 risk assessment & treatment – 6 basic steps.

How is it related to acceptable level of risk?

I mentioned that the purpose of residual risks is to find out whether the planned treatment is sufficient, but how would you know what is sufficient? This is where the concept of acceptable level of risk comes into play: it is nothing other than deciding how much ‘risk appetite’ an organization has, or, in other words, whether management thinks it is fine for the company to operate in a high-risk environment where it is much more likely that something will happen, or wants a higher level of security involving a lower level of risk. Both approaches are allowed in ISO 27001; each organization has to decide what is appropriate for its circumstances (and for its budget). The former approach is probably better for high-growth startup companies, while the latter is usually pursued by financial organizations.

Residual risk management

Once you find out what the residual risks are, what do you do with them? Basically, you have these three options:
Such a systematic approach ensures that management is involved in reaching the most important decisions and that nothing is overlooked. So the point is that top management needs to know which risks the company will face even after the various mitigation methods have been applied. After all, top management is responsible not only for the bottom line of the company but also for its viability.

To see how to use the ISO 27001 risk register with catalogs of assets, threats, and vulnerabilities, and get automated suggestions on how they are related, sign up for a 14-day free trial of Conformio, the leading ISO 27001 compliance software.

In a recent post, we asked: Do you really want to know if the business recovery plans you’ve put into place will work or not? If the answer is yes, you should be using the concept of residual risk as part of your business continuity management strategy. Closely interwoven with inherent risk, residual risk can serve as justification for the time and resources required to support your recovery needs. By definition, it is the risk that remains after all efforts have been made to identify and eliminate risk. In other words: are you doing enough to support your business recovery plan? A residual risk calculation will tell you definitively.

Despite the fact that many businesses are devoting time and resources to creating business recovery strategies, few are concerned with measuring the effectiveness of their efforts; only three people in my most recent seminar of 50 were measuring risk at all. In fact, no recovery strategy is complete until you’ve taken this important step. Wondering how to calculate residual risk? Take a look below to see how we do it.

How To Calculate Residual Risk

Step 1: Identify the inherent risk factor.

A. First, determine the recovery time objective (RTO) for the business unit.
Though there may be two, three, four, or more processes associated with a particular unit, the residual risk formula considers only the RTO of the most critical process. So if Process A needs to be recovered in 24 hours and Process B in 48 hours, evaluate the business recovery plan for the unit using only the RTO for Process A. The RTOs of each business unit and their business processes should have been uncovered as part of the BIA process.

B. Next, determine the business impact score. Each RTO category has a level of potential business impact associated with it. A critical business unit with a very short recovery timeframe indicates a high level of criticality and would therefore have a significant impact on the business should a disruption occur, compared with a business unit with a much longer recovery timeframe. Each RTO would have a corresponding impact score associated with it, such as:
Putting It Into Practice

C. Identify the threat landscape and assign a threat probability level. Evaluate the natural, human-made, and technological threats facing the business unit. Is it in a high-risk area geographically (for any reason)? Are its processes especially vulnerable to attack? Assign a threat-level score to the unit, with 5 being high, 3 being moderate, and 1 being low.

D. Calculate the inherent risk factor. Multiply the business impact score by the threat landscape score; then divide by 5. The resulting number is the plan’s inherent risk level.

What Does The Score Mean?

Step 2: Identify management’s level of risk tolerance.

A. First, educate management. Management will be unfamiliar with the concept of residual risk calculation and its significance. It’s up to you to explain to the management team how it works and why it’s important.

B. Next, advise management on an acceptable level of risk tolerance. Based on the level of inherent risk, assign a percentage to indicate how much risk your management team should be willing to accept, for example:
The lower the percentage, the tighter your controls should be. The more effort you put into it, the better your chance of recovery will be.

C. Finally, calculate management’s level of risk tolerance. Multiply the percentage of risk tolerance by the inherent risk factor. The resulting score is your risk tolerance.

Putting It Into Practice

Step 3: Assess and score your mitigating controls.

A. First, assign weights to your mitigating controls based on their importance. The controls that we think protect a recovery plan are:
Want more information about how to weigh and evaluate your mitigating controls? The Residual Risk (R2) online tool can help.

Controls should be weighted based on how important each one is to the success of the plan. In our view, the two most important controls (and the ones that should be most heavily weighted) are the recovery strategy (the plan you actually have in place to recover a particular business unit) and recovery exercises (the practice you’ve had testing the plan and its ability to help you recover).

B. Next, evaluate each of your mitigating controls against the standards. Is your recovery plan in line with the recommendations outlined in the standards? Depending on how well each control stands up to the recommended qualifications, give it a 1 (poor), 3 (average), or 5 (best practice).

C. Finally, determine the weighted score of your mitigating controls. For each control, multiply the score by the weight. Then add up those results to come up with one overall score for your mitigating controls (your mitigating control state).

Putting It Into Practice

Step 4: Calculate your residual risk.

To complete the residual risk formula, compare the mitigating control state to the risk factor-tolerance number. Look at the resulting number. How close is it to the risk factor-tolerance number? If it is equal to or higher than the risk factor-tolerance number, you are well within the tolerance range, and the business recovery plan you’ve created is right on the mark. If the number is lower than your risk tolerance, the plan is insufficient. Depending on how far off the mark you are, you’ll have to take further action to improve the strength of your business recovery plan.

Need help calculating residual risk?

For further guidance on how to calculate residual risk, take a look at our Residual Risk (R2) application.
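The four steps above carried through in code, as an added example that is not BCMMetrics' R2 tool or its code; the RTO-to-impact table, the tolerance percentages, and every control name and weight other than the two controls the text names are assumed placeholders, because the page does not reproduce its tables.

```python
# Added worked example of the four-step residual risk calculation; not R2 code.
# ASSUMED placeholders: the RTO-to-impact table, the tolerance percentages, and
# the control names/weights (the page names only recovery strategy and exercises).
IMPACT_BY_RTO_HOURS = [(24, 5), (72, 3)]   # assumed: RTO <= 24h -> 5, <= 72h -> 3, else 1
TOLERANCE_PCT = [(3.0, 0.8), (0.0, 0.5)]  # assumed: inherent risk >= 3 -> 80%, else 50%
CONTROL_WEIGHTS = {                        # assumed weights summing to 1.0; the two
    "recovery_strategy": 0.35,             # controls the text names are weighted heaviest
    "recovery_exercises": 0.30,
    "bia_currency": 0.15,                  # hypothetical control name
    "plan_documentation": 0.10,            # hypothetical control name
    "staff_training": 0.10,                # hypothetical control name
}
VALID_SCORES = (1, 3, 5)                   # page's scale: 1 low/poor, 3 moderate, 5 high/best

def impact_score(rto_hours: float) -> int:
    """Step 1B: impact score from the RTO of the unit's most critical process."""
    for limit, score in IMPACT_BY_RTO_HOURS:
        if rto_hours <= limit:
            return score
    return 1

def inherent_risk(rto_hours: float, threat_level: int) -> float:
    """Step 1D: impact score times threat score, divided by 5."""
    if threat_level not in VALID_SCORES:
        raise ValueError("threat level must be 1 (low), 3 (moderate) or 5 (high)")
    return impact_score(rto_hours) * threat_level / 5

def risk_tolerance(inherent: float) -> float:
    """Step 2C: tolerance percentage (assumed table) times the inherent risk factor."""
    pct = next(p for floor, p in TOLERANCE_PCT if inherent >= floor)
    return pct * inherent

def control_state(scores: dict) -> float:
    """Step 3C: weighted sum of the 1/3/5 score given to each mitigating control."""
    if set(scores) != set(CONTROL_WEIGHTS):
        raise ValueError("every weighted control needs exactly one score")
    if any(s not in VALID_SCORES for s in scores.values()):
        raise ValueError("control scores must be 1, 3 or 5")
    return sum(CONTROL_WEIGHTS[c] * s for c, s in scores.items())

def residual_risk(rto_hours: float, threat_level: int, scores: dict) -> dict:
    """Step 4: the page's rule, within tolerance when control state >= tolerance."""
    tol = risk_tolerance(inherent_risk(rto_hours, threat_level))
    state = control_state(scores)
    return {"tolerance": round(tol, 2), "control_state": round(state, 2),
            "gap": round(state - tol, 2), "within_tolerance": state >= tol}
```

The gap field is the "resulting number" of Step 4; a negative gap means the plan is below tolerance and needs further action.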
Part of the BCMMetrics™ suite of business continuity software, the R2 application is designed to provide BCM practitioners and risk managers with a simple, quantitative method to evaluate risk. You can easily assess the risk factor of each business unit or system/application recovery plan, weight the importance of mitigating controls and evaluate them, establish risk tolerance levels, and perform a residual risk calculation for each plan. BCMMetrics also comes with the Compliance Confidence (C2) tool, which gives you a “FICO-like” score for your business continuity planning. With the BCMMetrics suite of self-assessment applications, you’ll have everything you need to ensure that your business continuity program complies with current standards and minimizes residual risk. Want to see the tool in action? Schedule a demo.

What Is Residual Risk (& How Do You Calculate It)? (BCMMETRICS, 2017-04-11)

About Michael Herrera

Michael Herrera is the Chief Executive Officer (CEO) of BCMMETRICS and its sister company, MHA Consulting. In his role, Michael provides global leadership to the entire set of industry practices and horizontal capabilities within MHA. Under his leadership, MHA has become a leading provider of Business Continuity and Disaster Recovery services to organizations on a global level. He is also the founder of BCMMETRICS, a leading cloud-based tool designed to assess business continuity compliance and residual risk. Michael is a well-known and sought-after speaker on Business Continuity issues at local and national contingency planner chapter meetings and conferences. Prior to founding MHA, he was a Regional VP for Bank of America, where he was responsible for Business Continuity across the southwest region.