As Business Continuity Management (BCM) programs continue to evolve and mature, Enterprise Risk Management (ERM) processes are just beginning to take hold. The promise of competitive advantage through effective risk management has captured the attention of executive managers worldwide. And with crises capturing headlines every day, more and more executive managers are developing or maturing their business continuity programs. Can BCM jumpstart ERM? Why have both? This article will explore the drivers for both BCM and ERM, as well as how the two intersect and complement one another.
Business Continuity and Enterprise Risk Management have numerous definitions and meanings. For the purposes of this article, BCM and ERM are defined in the following table.
| Business Continuity Management | Enterprise Risk Management |
| --- | --- |
| BCM addresses the development of strategies, plans and actions which provide risk reduction opportunities, response frameworks and alternative modes of operation for critical business processes and technologies. BCM programs include crisis management, crisis communications, business resumption and IT disaster recovery elements. | ERM is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. (COSO ERM – Integrated Framework – 2004) |
ERM is an umbrella process, whereas BCM represents a key element of the response framework.
According to a 2005 study sponsored by Continuity Insights and KPMG, 25% of organizations have a fully functional and stable BCM program, whereas 50% are in the process of developing a viable program. Most experts would agree that relatively few organizations have attempted to implement ERM processes and none have fully implemented an entity-wide ERM solution. But with the advent of COSO's ERM – Integrated Framework, more and more organizations are beginning to take a look at the value proposition. So what's driving the investment in both BCM and ERM? The following table identifies some of the key drivers affecting BCM and/or ERM, and whether each driver applies to BCM, to ERM, or to both.
| Driver | BCM | ERM |
| --- | --- | --- |
| Stakeholder and Customer Demands | Yes | Yes |
| Environmental and Man-made Threats | Yes | Yes |
| Manage Risk Likelihood | No | Yes |
| Manage Event Impact | Yes | Yes |
Overall, ERM is a broad process designed to address the entire risk landscape. BCM is a key element of an effective ERM program and is limited to managing the impact associated with availability and reputational risks.
How Are BCM and ERM Similar (or Different)?
Using the COSO ERM – Integrated Framework, the following tables identify where BCM achieves a similar objective when compared to key attributes and core fundamental concepts.
Managing the Risk Landscape with BCM and ERM Processes
Business Continuity Management grew out of the business leader’s need to manage the risk that, at some point in the future, operations may be impacted by an unforeseen event and as a result, may be limited or inoperable. These events may be categorized as ‘availability related risks’, because they ultimately affect the availability of the business.
There are two ways to reduce availability risk: reduce the likelihood of a disruptive event, or limit its impact. Traditional BCM methodologies focus on limiting impact (often through recovery planning, testing and training), but frequently ignore the opportunity to reduce the likelihood of disaster. The risk assessment is a common component of most business continuity methodologies. However, the business continuity professional's involvement is normally limited to estimating the likelihood of occurrence, as opposed to evaluating how the controls actually operate and recommending changes that would reduce that likelihood. These tasks are often reserved for the business, but risk management and business continuity personnel can add significant value in this area if afforded the opportunity.
As a result, the business continuity industry must evolve and move closer toward Enterprise Risk Management by not only estimating the likelihood of risk occurrence, but also identifying opportunities to affect the likelihood of occurrence. This type of analysis and decision-making is at the core of the Enterprise Risk Assessment (ERA) and the broader ERM process. BCM is just one of the response elements of ERM, but together the two disciplines can add value to one another throughout the risk assessment/ERA process. For the business continuity professional, ERM/ERA offers an opportunity for a “risk assessment done right.”
For a myriad of reasons, effective risk management is becoming a core business competency. As a result, there is a huge need for management team members who are experienced in speaking a risk-based language to help champion the eventual deployment of ERM.
Although very few organizations have begun the ERM journey, the opposite is true of business continuity program development and maturation. BCM program development lessons learned are well known and documented, and can be applied to future ERM initiatives.
BCM and ERM complement one another, and both are necessary in today’s high risk business environment. Business continuity professionals should understand the principles found in the ERA process in order to deliver higher levels of value with the objective of managing risk likelihood and impact. Additionally, BCM professionals should recognize that they are key team members focused on managing availability and reputational risk.