As the face of business continuity, security and compliance planning has changed with the new decade, so has the nature of the disruptive risks and vulnerabilities it strives to mitigate. For newer businesses or organizations undertaking security and continuity planning for the first time, this means having a strong understanding of prevailing continuity, security and compliance trends, but it also hinges on understanding the various definitions of “risk.”
With this notion in mind, one common mistake in planning is confusing inherent risk with residual risk. Businesses must be able to distinguish — and diligently prepare for — both types of risk if they hope to maintain a stable and secure corporate environment, thereby promoting a culture of stability and control.
Inherent risk is commonly defined as “the level of risk in place in order to achieve an entity’s objectives and before actions are taken to alter the risk’s impact or likelihood.” In other words, this risk is naturally part of the business’s environment, and, without intervention, it could damage infrastructure, stall progress toward business goals, and even put employees at risk. This is the type of risk that I fondly liken to my years of working for the District of Columbia government, when I found myself hearing “That’s how we’ve always done it here” when identifying an inefficient and potentially dangerous policy and/or procedure.
Therefore, inherent risks should be identified as soon as possible to expose crucial gaps in existing protocols. It is key to note that every workplace’s inherent risk will be a little different, so self-assessment and continuous evaluation are vital in laying an effective framework for improvement.
In contrast to my experience in D.C. (and New York before and Pennsylvania thereafter), Tennessee’s State Government points to a water filter metaphor to illustrate the difference between inherent and residual risk: the water flowing into the filter represents the former — the risks that occur naturally, without intervention — while residual risk is represented by the occasional small impurities that pass through the filter unchanged.
Thus, while inherent risk assessment will help organizations identify and dissect the broad risks jeopardizing key objectives, these efforts will almost always leave residual risks behind. In some cases, these residual pitfalls are overlooked or outright ignored in favor of lower-hanging-fruit objectives, leaving businesses exposed to being blindsided. However, residual risk can also “serve as justification for the time and resources required to support a business’s recovery needs.”
Regardless of the risk in question, it is imperative that businesses invest proper time and resources in comprehensive risk management, considering a variety of risk scenarios and best practices from other organizations/industries in their entirety.