However, recent chatter from the consulting community suggests that more than one consultancy that started out with an aggressive push on ERM-related services has migrated over time toward a greater, albeit not exclusive, emphasis on disaster recovery, crisis management or other areas often identified with business continuation.
It appears that this trend is being driven by the demands of clients that reflect this focus as the bigger priority and/or the underlying perceptions of senior management of what ERM should be or deliver. This is revelatory about the path many have taken with ERM and the real interests of those with the purse-strings.
Until recently, I probably wasn't all that qualified to address this issue but since I'm now teaching Business Continuity for the Risk and Insurance Management Society, a light has come on about the much more significant connection between these two historically distinct disciplines.
It's not that I haven't realized this before, but it was to a more limited degree. In fact, in the past I've practiced ERM with a pretty close alignment with BC at a firm that arguably viewed BC with higher potential impact and priority than ERM.
As I look more closely at the fundamentals of business continuation, I see more clearly that the key components significantly overlap with those of a typical ERM framework. This overlap is seen in most of the "standards" in the BC world -- such as those from NFPA, ISO, BS and ASIS -- most notably in having the framework/strategy and planning components so critical to getting it right.
I believe the success of BC is dependent on the risk identification, assessment and prioritization of key risks. In actual practice it goes beyond these activities to questions of having, understanding and most importantly, managing to, a risk-appetite framework and strategy.
Without such linkage, BC leaders would have no targets on which to focus.
However, a key to effective BC is not planning around specific events or incidents but using those scenarios as a basis for that planning in order to be ready for the possibilities that are the exposures of any particular entity.
My experience with BC strategies suggests that these two critical functions are both distinct and yet heavily co-dependent. Well-defined risk and BC strategies are also never developed in a vacuum but in alignment with each other.
That overlap is most evident where risks and their primarily negative consequences intersect. This also demonstrates that management and governance are less interested in knowing what their risks are than in being assured that, when losses occur, the potential disruption to mission and strategy is contained.
This potential for collaboration is the key to success in both realms, for just as risks identified but not managed are an increased legal exposure, consequences not effectively planned for are the bane of a BC leader's existence. This possibility represents the threat to success that should be the center-point focus of both disciplines.
CHRIS MANDEL is the president, Excellence in Risk Management LLC, and executive vice president, rPM3 Solutions LLC, a long-term risk management leader and former president of RIMS. He can be reached at riskletters@lrp.com.
September 15, 2012
Copyright 2012© LRP Publications