The business continuity industry, driven by a growing body of regulations, standards and guidelines, is primarily focused on developing processes to limit the impact of a disaster to the business. This reactionary based approach is focused on developing plans to help employees and management react appropriately to disaster. Too often, this is viewed by executives and board members as simple ‘insurance’ and is rarely considered valuable unless it’s used in an actual disaster.
It’s time for a fresh perspective!
Business Continuity Management (BCM) grew out of the business leader’s need to manage the risk that, at some point in the future, operations may be impacted by an unforeseen event and as a result, may be limited or inoperable. We categorize all these events as ‘availability related risks’, because they ultimately affect the availability of the business.
There are two ways to reduce availability risks: reduce likelihood and limit impact. Traditional BCM methodologies focus on limiting impact (often through recovery planning, testing and training), but often ignore the opportunity to reduce the likelihood of disaster.
Although risk assessment is a common component of most business continuity methodologies, the business continuity professional’s involvement is normally limited to assessing the likelihood of occurrence as opposed to evaluating control operation and identifying recommendations to actually reduce likelihood. These tasks are often reserved for the business, but risk management and business continuity personnel can often add significant value in this area.
As a result, the business continuity industry must evolve and move closer toward enterprise-wide risk management concepts by not only estimating the likelihood of risk occurrence, but also identifying opportunities to affect the likelihood of occurrence.
Additionally, more and more organizations are recognizing the need and identifying opportunities to integrate various risk management disciplines, to include response-oriented processes. Integration opportunities exist between emergency response, IT incident response, crisis management, crisis communications, business resumption and IT disaster recovery (to name a few). In total, integration provides the organization with a cost-savings opportunity, but more importantly, an opportunity to respond to a wide variety of events in a more consistent and timely manner. Through the application of a group of subject matter experts using a common framework, enterprise risk management is advanced significantly.