Inherent Vs. Residual Risk & Cascade Effects In BCP

In the uncertain and often fierce world of business and commerce, a single mistake can result in bankruptcy or set a company back years. The business world is fraught with risks, and companies that do not learn how to properly manage it will struggle to survive over the long haul. Statistically, 50% of businesses go bankrupt in their first 10 years, therefore, you need every protection possible to allow you to maintain a competitive edge. Understanding what risk is, is a vital part of this equation.

Planning for sudden shifts in demand, anticipating disruptions in value chains, and securing alternative supply chains are all vital tasks for many businesses. All these tasks are done by understanding risk and implementing a proper mitigation plan to ensure business continuity. It is far from the easy and straightforward task and to give the topic justice, we would probably need to fill an entire book. That is why we are focusing on one single, yet crucial aspect of risk management in this article: inherent & residual risk. What are they? How are they useful? And how can understanding these two concepts help you manage risk more effectively? Let us dive straight in.

Inherent and Residual Risk: Basic definitions

There are two main ways in which you can think about risk within a business: inherent and residual. Here is a very quick one-sentence to help you understand the difference:

• Inherent Risk is the amount of risk your business faces naturally
• Residual Risk is the remaining risk to your business after you accounted for your inherent risk

INHERENT RISK

One view of Inherent risk focuses on the danger your business faces without any containment or risk management techniques. However, more often than not, there are controls (things we do that reduce the impact or likelihood) that reduce either the likelihood and or impact of an event exposing the risk. Some risk managers advocate that you should ignore the existing controls when measuring the risk i.e. raw inherent risk. Others argue that it is counter-intuitive to ignore the current controls as that is the real world of the risk i.e. if I ignore the current controls then, of course, it is more likely that the risk will be high. They would rather work from the perspective of how I improve my current controls to reduce the likelihood and/or impact.

When trying to calculate the inherent risk of a bad event, you should try to decouple the risk from all the internal business processes and look at it in a vacuum. Imagine the risk of a supply chain from China breaking down and forcing you to buy some materials at twice the normal price. Normally, in your day-to-day business operations, you might have already taken some steps to reduce the chances of this happening (current controls). You may have increased your spare stockpile of this material. You may even have bought shipment insurance to protect yourself. These are all facts related to your business and when you’re calculating inherent risk you need to either discard them all (if you are proppant of raw inherent risk) or alternatively include them as currency controls. Either way, you will be right, it's a philosophy, not an ideology.

RESIDUAL RISK

Residual risk is the risk to your business that remains after you take all relevant precautions and design detailed mitigation and recovery plans. Even though these precautions and plans will significantly reduce the risks involved, there will always be some lingering risk that you’ll have to take into calculation: this is called residual risk. To continue our example, most businesses have some plan in place to deal with supply chain disruptions: stockpiling, having alternatives on hand, shipment insurance, etc. If you want to calculate the residual risk of supply chain disruptions harming business continuity management and eating into your profit margins, you need to consider the mitigation plan. This means residual risk is always equal to or smaller than the inherent risk.

How Can These Concepts Help You Manage Risk Better?

Learning about the differences between residual and inherent risk, calculating them for various situations, and coming up with different scenarios will improve your business continuity management, allow you to manage risk more effectively, and gives you a more long-term view of your operations.

IT ALLOWS FOR MORE EFFECTIVE RISK MANAGEMENT

Getting into the habit of analyzing the level of risk of an event, considering all the eventualities, and then figuring out the residual risk after your mitigation plan is considered allows you to easily calculate the effectiveness of your management plan in ensuring business continuity.

Although the calculations are far from straightforward, getting into the mindset of thinking about risks in terms of inherent and residual alone will allow you to focus on management better, and force yourself to think about the amount of risk you can mitigate. All of this results in a much more effective management approach.

IT HELPS YOU COMPARE DIFFERENT APPROACHES

How do you choose between different risk management approaches? This is one of the core questions that you need to constantly ask yourself. By thinking about the inherent risk and then running through all the different approaches and their residual risk, you’ll be able to compare and contrast different management approaches easily. This gives you a relatively straightforward way of turning risk management questions into mathematical and logical questions you can answer easier. I personally like to consider the Value at Risk (VAR). In simple terms; most executives find it difficult to comprehend the abstract of probability and therefore, some tend to have a higher level of risk acceptance than is appropriate to their organization. What all executives understand is CASH. Utilizing the VAR approach focuses the attention in respect of spending to reduce risk i.e. if I spend cash to reduce a risk how much will that reduce my residual cash at risk. Calculating the frequency is helpful e.g. if you can state that the risk will materialise in a one in five, ten, or fifteen-year event. Then you will have a solid basis for the cost to mitigate the risk. The cream on top of all of this is, "upside risk" e.g. if I can attribute an upside benefit to my risk mitigation (win more business, gain a reputational advantage, etc.) then it's a win-win.

IT HELPS YOU AVOID RISK MANAGEMENT PLANS THAT ARE TOO COSTLY

Paradoxically you don’t always want to minimize risk. This is something that you must understand for you to be able to design effective mitigation and recovery plans. There are always trade-offs. Imagine there’s a minuscule chance of supply chain disruption for one of your main products that might halt the operation of your business and impact its continuity. Having an alternative supply chain will reduce the risks, and it won’t cost much. You could also further reduce the risks by having a large stock of said item to create a buffer against any supply shocks. However, how much would the storage and maintenance of these items cost? Likely a hefty amount. You might make more of a profit in the long run while having a larger chance of being exposed to supply shocks than reducing the risk further.

Thinking in terms of inherent and residual risk helps you understand the fact there is always some risk that you need to deal with, and it helps you make better decisions and design a better business continuity program.

What’s Business Continuity Planning and Management and Why Is It Vital for Your Company

The corporate world is fraught with risks, uncertainty, and unexpected events that might cause serious damage to your business if they go unmitigated. In the face of all this risk and unpredictability, the business community has to come up with contingency plans. This is how a business continuity plan is developed. A business continuity plan refers to the steps companies take to make sure they reduce risk to their business and ensure the continuity of the operations of the company. It’s called a “business continuity plan” because it allows them to carry on doing business. This could mean having alternative plans ready, hiring advisors, or planning in accordance with risks specific to a company’s industry and sector when faced with a specific setback or disaster. It has to include processes for every part of the business, including assets, business partners, employees, data, products, or properties. The risks that you plan against might be hurricanes, earthquakes, fires or floods - anything that may significantly and suddenly impact your operations. The business continuity plan has to include recovery planning, recovery, and training.

In this article, we’re not going to give a complete overview of business continuity planning, risk management, or the different schools of thought that accompany it. It is an immensely complicated topic that could take an entire book to explain. Instead, we’re going to look at one key area that is one of the primary reasons business continuity planning and business impact analysis are so difficult: cascade effects.

What are Cascade Effects

No part of your company exists in a vacuum, it is all interconnected and each part has a complex relationship with other parts of your company. The sales department will be in jeopardy if the production department doesn’t create a product that’s up to market standards. The financial department will be affected if the sales department makes a mistake. Any risk that disrupts the continuity of the company will cascade, and this is how we get cascade effects.

By definition, cascade effects are the chain reaction an initial failure/risk/unexpected event kicks off that results in more risk to the continuity of your business. It is quite rare that an initial failure won’t result in exposing fault lines in other parts of your business model, which is what makes cascade effects so common and so crucial to learn about.

How Should You be Thinking About Cascade Effects in Business Systems

Although cascade effects might sound complicated to manage at first, there are some common patterns of thinking business managers fall into when dealing with cascade effects that are quite destructive to crisis management. If you know more about these traps, it will be easier to avoid them:

DOMINO EFFECT

Many businessmen think cascade effects work like dominoes - one falling piece resulting in the fall of others sequentially in an orderly fashion. This couldn’t be further from the truth. In the real world, cascade effects are extremely hectic and one event might set off ten others. They work in parallel and escalate quickly to put a large strain on your business progressively, and this is one of the main reasons why they’re so extremely dangerous.

THEY OCCUR ON ALL LEVELS OF BUSINESS OPERATIONS

There’s a common misconception that cascading effects could only occur within the same level of operations, i.e. only on the tactical, operational, managerial level, etc., and that there aren’t a lot of cascade effects between the different levels of business operations. This is patently false, as we can see from the experience of many companies. The cascade effect can be easily felt at all levels of a company.

CASCADE EFFECTS ARE USUALLY SMALL AND INCONSEQUENTIAL

Because, oftentimes, the thing that kicks off the cascade effect is small and inconsequential by itself, some businessmen get into the habit of considering the cascade effects small and inconsequential too. This couldn’t be further from the truth. As the butterfly effect shows us, even a small initial effect could cascade into something much, much larger than would put strains on the business continuity. This is why it is important to not be dismissive.

How to Create an Effective Business Continuity Plan with Cascade Effects in Mind

Due to the nonlinearity of the cascade effects, a lot of business managers find it hard to conceptualize cascade effects and how to create effective business continuity management plans and accurate business impact analyses with them in mind. It takes time, experience, and knowledge. In this section, we’ll go over a few methods you can use to better handle cascade effects:

TRY TO VISUALIZE CASCADE EFFECTS USING CHARTS AND SHAPES

One of the best ways of understanding events that occur in a parallel manner is by using visualization techniques — a flow chart will aid immensely in learning how a failure somewhere will ripple through various parts of your company. This is an exercise commonly done when business managers think about cascade effects, and you’ll certainly benefit from it if you also adopt it as a business practice in your company when planning an emergency response, a resilience scheme, or disaster avoidance. The data for this visualization should be gleaned from your business impact analysis. It is important to realize the dependencies at a macro and micro level. Ensure that during your BIA journey, you map these dependencies, even when the dependency sits outside of your operational sphere and indeed outside of your organization.

UNDERSTAND THAT YOU’LL NEVER KNOW ALL THE VARIABLES INVOLVED NOR ALL THE CASCADE EFFECTS

As with many complex systems, it is simply impossible to know all the variables involved nor how the cascade effects will play out perfectly. There are just too many variables out there and the corporate world is hectic by nature. It doesn’t lend itself easily to predictions. If there were a way to perfectly know all the variables involved and every failure’s cascade effects, almost no company would go bankrupt anymore. This is why you need to have realistic goals for your business continuity management plan and learn how to prioritize certain risks over others.

THINGS WILL MOVE QUICKLY ONCE A FAILURE OCCURS

You have to remember that you have a very limited window to respond to most risks successfully, and if you miss it, you’re likely inviting even more failures and risking a potential disruption to business continuity. For example, if one of the base materials you use for construction has its supply chain disrupted, this might cascade into running out of inventory and a complete halt of operations in mere days.

Courtesy: management consultancy in Australia