The Intersection of BCM and ERM

As Business Continuity Management (BCM) programs continue to evolve and mature, Enterprise Risk Management (ERM) processes are just beginning to take hold.  The promise of competitive advantage through effective risk management has captured the attention of executive managers worldwide.  And with crises capturing headlines every day, more and more executive managers are developing or maturing their business continuity programs.  Can BCM jumpstart ERM?  Why have both?  This article will explore the drivers for both BCM and ERM, as well as how the two intersect and complement one another.

Definitions

Business Continuity Management and Enterprise Risk Management have numerous definitions and meanings. For the purposes of this article, BCM and ERM are defined as follows.

Business Continuity Management (BCM): BCM addresses the development of strategies, plans and actions which provide risk reduction opportunities, response frameworks and alternative modes of operation for critical business processes and technologies. BCM programs include crisis management, crisis communications, business resumption and IT disaster recovery elements.

Enterprise Risk Management (ERM): ERM is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. (COSO ERM – Integrated Framework, 2004)

ERM is an umbrella process, whereas BCM represents a key element of the response framework.

Drivers

According to a 2005 study sponsored by Continuity Insights and KPMG, 25% of organizations have a fully functional and stable BCM program, whereas 50% are in the process of developing a viable program. Most experts would agree that relatively few organizations have attempted to implement ERM processes and none have fully implemented an entity-wide ERM solution. But with the advent of COSO's ERM – Integrated Framework, more and more organizations are beginning to take a look at the value proposition. So what is driving the investment in both BCM and ERM? The following table identifies some of the key drivers affecting BCM and/or ERM.

Driver | BCM | ERM
Regulatory Compliance | Yes | Yes
Reputation Protection | Yes | Yes
Stakeholder and Customer Demands | Yes | Yes
Environmental and Man-made Threats | Yes | Yes
Governance Expectations | Yes | Yes
Business-IT Alignment | No | Yes
Program/Process Efficiencies | No | Yes
Capital Optimization | No | Yes
Avoid Surprises | Yes | Yes
Manage Risk Likelihood | No | Yes
Manage Event Impact | Yes | Yes

Overall, ERM is a broad process designed to address the entire risk landscape.  BCM is a key element of an effective ERM program and is limited to managing the impact associated with availability and reputational risks.

How Are BCM and ERM Similar (or Different)?

Using the COSO ERM – Integrated Framework, the following tables show, for each of the Framework's key attributes and fundamental concepts, whether BCM achieves a similar objective.

COSO ERM – Integrated Framework Attribute | BCM | ERM
Aligning risk appetite and strategy – Management considers the entity's risk appetite in evaluating strategic alternatives, setting related objectives, and developing mechanisms to manage related risks. | Yes | Yes
Enhancing risk response decisions – Enterprise risk management provides the rigor to identify and select among alternative risk responses: risk avoidance, reduction, sharing and acceptance. | Yes | Yes
Reducing operational surprises and losses – Entities gain enhanced capability to identify potential events and establish responses, reducing surprises and associated costs or losses. | Yes | Yes
Identifying and managing multiple and cross-enterprise risks – Every enterprise faces a myriad of risks affecting different parts of the organization, and enterprise risk management facilitates effective response to the interrelated impacts, and integrated responses to multiple risks. | Availability and reputational risks only | Yes
Seizing opportunities – By considering a full range of potential events, management is positioned to identify and proactively realize opportunities. | No | Yes
Improving deployment of capital – Obtaining robust risk information allows management to effectively assess overall capital needs and enhance capital allocation. | No | Yes


COSO ERM – Integrated Framework Fundamental Concept | BCM | ERM
A process, ongoing and flowing through an entity | Yes | Yes
Effected by people at every level of an organization | Yes | Yes
Applied in strategy setting | Potentially, but also at the process level | Yes
Applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk | Focused on core business and IT elements | Yes
Designed to identify potential events that, if they occur, will affect the entity and to manage risk within its risk appetite | Availability and reputational risk only | Yes
Able to provide reasonable assurance to an entity's management and board of directors | Availability and reputational risk only | Yes
Geared to achievement of objectives in one or more separate but overlapping categories | No | Yes

Managing the Risk Landscape with BCM and ERM Processes

Business Continuity Management grew out of the business leader's need to manage the risk that, at some point in the future, operations may be impacted by an unforeseen event and, as a result, may be limited or inoperable. These events may be categorized as availability-related risks, because they ultimately affect the availability of the business.

There are two ways to reduce availability risks: reduce likelihood and limit impact. Traditional BCM methodologies focus on limiting impact (often through recovery planning, testing and training), but frequently ignore the opportunity to reduce the likelihood of disaster. The risk assessment is a common component of most business continuity methodologies. However, the business continuity professional's involvement is normally limited to estimating the likelihood of occurrence, as opposed to evaluating how well existing controls operate and recommending changes that actually reduce likelihood. These tasks are often reserved for the business, but risk management and business continuity personnel can add significant value in this area if afforded the opportunity.

As a result, the business continuity industry must evolve and move closer toward Enterprise Risk Management by not only estimating the likelihood of risk occurrence, but also identifying opportunities to reduce that likelihood. This type of analysis and decision-making is at the core of the Enterprise Risk Assessment (ERA) and the broader ERM process. BCM is just one of the response elements of ERM, but together the two disciplines can add value to one another throughout the risk assessment/ERA process. For the business continuity professional, ERM/ERA offers an opportunity for a "risk assessment done right."

Going Forward

For a myriad of reasons, effective risk management is becoming a core business competency. As a result, there is a strong need for management team members who are experienced in speaking a risk-based language and can champion the eventual deployment of ERM.

Although very few organizations have begun the ERM journey, the opposite is true of business continuity program development and maturation.  BCM program development lessons learned are well known and documented, and can be applied to future ERM initiatives.

BCM and ERM complement one another, and both are necessary in today's high-risk business environment. Business continuity professionals should understand the principles found in the ERA process in order to deliver higher levels of value, with the objective of managing both risk likelihood and impact. Additionally, BCM professionals should recognize that they are key team members focused on managing availability and reputational risk.