Andrew McCrackan explores the relative positioning of business continuity and risk management within organisations and explains why this is an important debate.
There has been great debate in recent years on the relative positioning of business continuity functions with respect to that of risk management. It’s a debate on which there are three points of view: those that say the functions are closely related and sit side by side; those that feel they are indelibly linked and that continuity is a component of the risk function; and those that agree to the link between the two but not the order of hierarchy. All in all it’s a pretty difficult issue to resolve, and one that tends to inspire some very strong argument between many business continuity and risk professionals.
Risk management has been an established function within businesses for a relatively long time, compared to business continuity, and is well ingrained and understood in many organisations. It is difficult to displace this function with modern business continuity management. This is not necessarily because of any conclusive reasoning but more to do with perception, understanding and general resistance to change. The point is that opinions are led here by experience, and if risk management is something that you know and feel comfortable with then you will probably take the view of business continuity being something that is downstream of risk. This downstream thinking leads to the perception that business continuity is a component of risk management. I believe this to be a misunderstanding of what business continuity is as a function and to some degree this is reinforced by misplaced extensions to the scope of risk management activities. It is essentially thinking of business continuity as a reinvention of legacy disaster recovery functions, which it is not. Those that have worked in risk management for some time would have seen the predecessors of modern business continuity, disaster recovery, emergency planning and so on, and will be familiar with the function being largely a treatment for particular types of risk. These are the foundations of this school of thought on the subject, and from this perspective it is not unreasonable to believe that business continuity is a component of risk management. The fundamental flaw with this argument is that business continuity is not just a new name given to legacy disaster recovery planning and the like. Business continuity management is the evolutionary result of developments in emergency planning, disaster recovery, security, health and safety, crisis management, and, dare I say it, risk management.
If we remove the pretence of history for a moment and look simply at the functions, as they are commonly defined, we can break them down into the management of continuity of business, and the management of risk to the business. The key question to ask is why do we manage risk? Somewhat rhetorically, the answer is to protect the continuity of the business. This is the key argument for positioning risk management as a function of business continuity, and it seems to make a degree of sense. After all, one of the initial steps in operating any business continuity programme is to assess risk. However, there is a fundamental problem with this argument also.
Risk management, in many businesses, can commonly be divided into two parts, or two categories of risk. I think of risk management as either a function of the business, or management of risks to the business. A lender conducting a credit check on a prospective borrower is a risk management function. The protection of the continuity of this business process also has a component of risk management to it, which is part of wider business continuity management. So risk management can either be part of end-to-end business processes or it can be an overriding function that addresses threats to the operation of the process itself.
Therefore the solution appears simple and is a matter of definition of role and responsibility. The lack of clear definition of functional scope is essentially the root cause of the ensuing argument on this subject. There are aspects of business process which address the risk of conducting business, and there are systems of control which address risks to the business continuing to function. The two are quite separate. Let’s take exchange rate hedging as an example. This is part of conducting business and has little to do with business continuity, but it is risk management. Business continuity is concerned with the ability of the business to continue to perform the function of exchange rate hedging, and there may be a number of risks associated with doing this. This is the risk management aspect of business continuity management. Fraud is an interesting example. Risk management may identify risks of fraud as a result of analysis of business process, and implement systems of control to treat any identified risks. However, potential failure of these systems of control rests with the function of business continuity management.
It follows that risks to property, people or any resource upon which the business relies for continued operation are firmly those associated with business continuity management and are subordinate to it. The risk management function within business continuity will identify, assess and treat these risks. This does not include capitalisation of the business, hedging and similar functions, though it should be noted that financial hedges can be employed in the treatment of risks to continuity of business process in a similar way to business interruption insurance.
Some will argue that it doesn’t matter where you position either of these functions, risk or continuity, as long as you are doing them. This is not true. Poor positioning in an organisation can have a dramatic influence on success. It’s all about communicating a sense of importance and reflecting the correct profile of the function in the organisation. You will never convince anyone you are running a comprehensive business continuity programme from within your property management department, for example.
My conclusions are as follows. Business continuity should not be considered subordinate to risk management. There is a risk management function that sits within business continuity. There may also be a separate risk management function outside of this function, but not above it, that deals with the day-to-day risk of conducting business, depending on your organisation. Anything more prescriptive than this, I believe, rests with individual organisations to figure out for themselves.
Andrew McCrackan is the author of A Practical Guide to Business Continuity Assurance, Artech House, Boston, 2004.
25th February 2005 • Region: World • Type: Article • Topic: BC general