The Intersection of BCM and ERM

As Business Continuity Management (BCM) programs continue to evolve and mature, Enterprise Risk Management (ERM) processes are just beginning to take hold.  The promise of competitive advantage through effective risk management has captured the attention of executive managers worldwide.  And with crises capturing headlines every day, more and more executive managers are developing or maturing their business continuity programs.  Can BCM jumpstart ERM?  Why have both?  This article will explore the drivers for both BCM and ERM, as well as how the two intersect and complement one another.

Definitions

Business Continuity and Enterprise Risk Management have numerous definitions and meanings.  For the purposes of this article, BCM and ERM are defined in the following table.

Business Continuity Management: BCM addresses the development of strategies, plans and actions which provide risk reduction opportunities, response frameworks and alternative modes of operation for critical business processes and technologies.  BCM programs include crisis management, crisis communications, business resumption and IT disaster recovery elements.

Enterprise Risk Management: ERM is a process, affected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. (COSO ERM – Integrated Framework – 2004)

ERM is an umbrella process, whereas BCM represents a key element of the response framework.

Drivers

According to a 2005 study sponsored by Continuity Insights and KPMG, 25% of organizations have a fully functional and stable BCM program, whereas 50% are in the process of developing a viable program. Most experts would agree that relatively few organizations have attempted to implement ERM processes and none have fully implemented an entity-wide ERM solution. But with the advent of the COSO’s ERM – Integrated Framework, more and more organizations are beginning to take a look at the value proposition. So what’s driving the investment in both BCM and ERM? The following table identifies some of the key drivers affecting BCM and/or ERM.

Driver                              BCM   ERM
Regulatory Compliance               Yes   Yes
Reputation Protection               Yes   Yes
Stakeholder and Customer Demands    Yes   Yes
Environmental and Man-made Threats  Yes   Yes
Governance Expectations             Yes   Yes
Business-IT Alignment               No    Yes
Program/Process Efficiencies        No    Yes
Capital Optimization                No    Yes
Avoid Surprises                     Yes   Yes
Manage Risk Likelihood              No    Yes
Manage Event Impact                 Yes   Yes

Overall, ERM is a broad process designed to address the entire risk landscape.  BCM is a key element of an effective ERM program and is limited to managing the impact associated with availability and reputational risks.

How Are BCM and ERM Similar (or Different)?

Using the COSO ERM – Integrated Framework, the following tables identify where BCM achieves a similar objective when compared to key attributes and core fundamental concepts.

BCM | ERM | COSO ERM – Integrated Framework Attribute
Yes | Yes | Aligning risk appetite and strategy – Management considers the entity’s risk appetite in evaluating strategic alternatives, setting related objectives, and developing mechanisms to manage related risks.
Yes | Yes | Enhancing risk response decisions – Enterprise risk management provides the rigor to identify and select among alternative risk responses – risk avoidance, reduction, sharing and acceptance.
Yes | Yes | Reducing operational surprises and losses – Entities gain enhanced capability to identify potential events and establish responses, reducing surprises and associated costs or losses.
Availability and reputational risks only | Yes | Identifying and managing multiple and cross-enterprise risks – Every enterprise faces a myriad of risks affecting different parts of the organization, and enterprise risk management facilitates effective response to the interrelated impacts, and integrated responses to multiple risks.
No | Yes | Seizing opportunities – By considering a full range of potential events, management is positioned to identify and proactively realize opportunities.
No | Yes | Improving deployment of capital – Obtaining robust risk information allows management to effectively assess overall capital needs and enhance capital allocation.


BCM | ERM | COSO ERM – Integrated Framework Fundamental Concept
Yes | Yes | A process, ongoing and flowing through an entity
Yes | Yes | Effected by people at every level of an organization
Potentially, but also at the process level | Yes | Applied in strategy setting
Focused on core business and IT elements | Yes | Applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk
Availability and reputational risk only | Yes | Designed to identify potential events that, if they occur, will affect the entity and to manage risk within its risk appetite
Availability and reputational risk only | Yes | Able to provide reasonable assurance to an entity’s management and board of directors
No | Yes | Geared to achievement of objectives in one or more separate but overlapping categories

Managing the Risk Landscape with BCM and ERM Processes

Business Continuity Management grew out of the business leader’s need to manage the risk that, at some point in the future, operations may be impacted by an unforeseen event and as a result, may be limited or inoperable.   These events may be categorized as ‘availability related risks’, because they ultimately affect the availability of the business.

There are two ways to reduce availability risks:  reduce likelihood and limit impact.  Traditional BCM methodologies focus on limiting impact (often through recovery planning, testing and training), but frequently ignore the opportunity to reduce the likelihood of disaster.  The risk assessment is a common component of most business continuity methodologies.  However, the business continuity professional’s involvement is normally limited to assessing the likelihood of occurrence as opposed to evaluating control operation and identifying recommendations to actually reduce likelihood.  These tasks are often reserved for the business, but risk management and business continuity personnel can add significant value in this area if afforded the opportunity.

As a result, the business continuity industry must evolve and move closer toward Enterprise Risk Management by not only estimating the likelihood of risk occurrence, but also identifying opportunities to affect the likelihood of occurrence.  This type of analysis and decision-making is at the core of the Enterprise Risk Assessment (ERA) and the broader ERM process.  BCM is just one of the response elements of ERM, but together the two disciplines can add value to one another throughout the risk assessment/ERA process.  For the business continuity professional, ERM/ERA offers an opportunity for a “risk assessment done right.”

Going Forward

For a myriad of reasons, effective risk management is becoming a core business competency.  As a result, there is a huge need for management team members who are experienced in speaking a risk-based language to help champion the eventual deployment of ERM.

Although very few organizations have begun the ERM journey, the opposite is true of business continuity program development and maturation.  BCM program development lessons learned are well known and documented, and can be applied to future ERM initiatives.

BCM and ERM complement one another, and both are necessary in today’s high risk business environment.  Business continuity professionals should understand the principles found in the ERA process in order to deliver higher levels of value with the objective of managing risk likelihood and impact.  Additionally, BCM professionals should recognize that they are key team members focused on managing availability and reputational risk.