Peter Power explains why he believes that enterprise risk management can bring the risk management and BCM professions closer together.
I would not be the first to point out that an organization that has good business continuity management might have a competitive edge compared to others simply because they should be able to recover more quickly from incidents and this might inadvertently create an occasional business opportunity. However, I want to look much further than that and probe how collectively we might better manage and shape future risks linked to business continuity and at the same time seek opportunities as a connected series of actions. Not by chance but by joined up planning.
So let’s start by looking at future risk management - and straight away we find ourselves caught in the defensive barbed wire that we’ve put up ourselves.
At the risk of being branded a heretic we need to look at risk management and business continuity in the future through the other end of the telescope. This means focusing much more on the concept of risk as I have suggested below, rather than as seen solely by the Institutes of RM or BC. Excellent though both organisations are (I have been a Fellow of each for many years) I suggest we undervalue the benefits of risk and so ensure real opportunities will forever elude us.
The word ‘risk’ itself has lots of interpretations. For example: “A chance of loss,” “A physical property that is insured”, or more accurately “A measure of the possibility of unexpected outcomes.” I can see some synergy with business continuity with that one, although too many risk and business continuity managers still look at risk, if at all, in its limited, negative sense with little or no sense of opportunity.
It therefore follows that we should:
* Avoid perpetuating the view that risk management exists under the umbrella of business continuity. Both risk management and business continuity only exist as a consequence of risk awareness. Every company I know, accurately or otherwise, has risk management nearer the board and above business continuity.
* Think again about asserting that business continuity has no interest at all in the probability of risks as illustrated in the table on page seven of the BUsiness Continuity Institute's 2008 Good Practice Guidelines. In 2010 can it be right to go on separating impact from probability, proactive from reactive just to define two disciplines that are actually both parts of a single concept: risk awareness?
* Stop using the language of silos that define rather than synergise. For example, page six of the 2008 Good Practice Guidelines states “the focus and methods of business continuity differ significantly from that of risk management”. One thing that defines the boundary between modern times and the past is our comparative mastery of risk so I am uncertain if statements intended to separate continuity from risk will ever help us gain corporate opportunities for the future.
* Change the role of risk managers who are all too often shackled only to insurance. Seeing risks as nothing to do with opportunity by seeking to avoid, transfer, reduce or mitigate them instead. I suggest exploit and share with more emphasis on enterprise risk management (ERM – see below). 10 years ago the highly influential Turnbull working party report (Institute of Chartered Accountants) proclaimed that we should “move away from risk management and control as an exercise purely for the sake of compliance … risks are significant to the fulfilment of business objectives”. In other words connect risks with objectives and opportunities.
* Think again about publishing text in well intentioned standards, guides and rule books that all too often result in stifling rather than encouraging initiative and enterprise. Compliance can so easily replace innovation no matter where you are.
A friend of mine who is a long standing member of the BCI and very well known in the business continuity world in Asia is Nat Forbes. He is also the Council President (Asia) of the International Association of Emergency Managers. A few weeks ago he published on this website very similar thoughts:
“Your average BCM professional isn't asked to contribute to strategic business decisions at the executive level or in the board room ... the notion of BCM as an organizational silo simply will not survive another decade at most Western multinational companies, in my opinion. The urge to merge responsibilities will become irresistible…”
“A guy asked me whether I thought business continuity management was part of risk management, or risk management a part of business continuity management. I said business continuity management was part of risk management. He said the correct answer was that risk management is a part of business continuity management. That's still the Business Continuity Institute’s official view, but business continuity management is considered subordinate to risk management in every board room I've ever been in.”
Our present dichotomised attitude to risk will seldom if ever produce real commercial opportunities. If we carry on fortifying progressively outdated positions rather than at least making the edges of business continuity and risk management far more open and flexible we will never realise greater business opportunities.
So what are the illusive business gains out there if we can, after all, move from silos to synergy, encourage innovation, shrink defensive bureaucracy and make resilience a reality? Perhaps we should pull rather than push risk management and business continuity together by making the advantages sufficiently irresistible by the creation of a sort of gravitational pull. The route might be through enterprise risk management to start with.
Enterprise risk management is often defined as the process used to manage risks and seize opportunities related to the achievement of objectives. It typically involves identifying particular events or circumstances relevant to objectives (risks and opportunities). The objective of ERM is to add value by aligning risk management with the business strategy and operations and also forming part of corporate social responsibility (CSR). By identifying and proactively addressing risks and opportunities, businesses can protect and create value for all their stakeholders to create a sense of entrepreneurial risk awareness. With this in mind consider these extracts from two reports published in recent years:
* KPMG 2007. ‘Living on the Front Line’: The Resilient Organisation. “Business continuity teams must embrace multi disciplined skills ... the emphasis is now clearly on delivering advanced business continuity solutions ... achieving greater diversity in business continuity arrangements is vital ... an organisation that is unable to respond to change will not survive”.
* Marsh 2008. ‘The upside of Business Continuity’. “A more mature and integrated BCM approach can yield significant advantages to organisations, not just through risk mitigation but also through improved strategic decision-making ... BCM is not just a risk mitigation and control tool – but can also add value and creates an upside to your business”.
More recently KPMG published a new research document in February 2010 entitled ‘The convergence challenge Global survey into the integration of governance, risk and compliance’. It also refers very much to resilience and a need to converge rather than diverge traditional disciplines and specifically states: “More and more, companies are looking at reducing risk, cutting costs and improving performance by adopting a more integrated approach to managing their governance, risk and compliance activities. In our survey, 64 percent of respondents consider this to be a priority for their organisation.”
I believe many crises can ultimately bring new opportunities and benefits to an organization - if they are handled successfully with a view to creating opportunities. Even if the organization is perceived to be at fault or blameworthy the demonstration of virtue, integrity and compassion can mitigate the damage to its reputation and commercial/ethical standing. After all misfortune is the mother of opportunity, perhaps even more so when it happens to someone else?
Leaving aside a random chance to show our own resilience purely by accident, what about simply waiting for something to go wrong with a rival organization? The Germans have a word for it: Schadenfreude. Put simply it’s making a profit or at least getting some malicious enjoyment as a direct result of the opportunity that comes when a competitor has messed up. The Romans 2000 years ago also referred to delectatio morosa, which is the habit of dwelling with enjoyment on evil thoughts, especially in relation to another’s misfortune.
One recent and obvious example is the catastrophic damage to reputation suffered by Toyota at the start of 2010 and the speed especially in the USA that Ford and General Motors have rushed in to entice disgruntled Toyota customers. A separate car manufacturer (Hyundai) even referred to them as ‘vultures’. There is however, a better way to create opportunities:
When joining together business continuity management and enterprise risk management, there are several options to take. The first and perhaps most obvious is to have a single and central management for both BCM and ERM most likely under the banner of resilience – as sometimes happens already. The second option would be to create a shared responsibility with BCM and integrate it functionally into the ERM program. A third and much less efficient way is to continue with BCM and ERM locked in their separate silos so that both work according to their own strategy. In which case it’s difficult to imagine what could be less efficient, effective or able to create any business opportunities.
I believe that over the next few years enterprising business leaders will progressively come to understand that risks can be not merely controlled but transformed into potential gains. Not just inadvertently creating an occasional business opportunity as I mentioned at the start of this article simply because post crisis recovery went to plan. I mean actually re-shaping our attitude to risks and integrating with business continuity management to create a sense of entrepreneurial risk awareness leading to greater business opportunities by:
* Recognising risk management and business continuity as both existing only as a consequence of risk awareness. Taking one step further to now form a single discipline that combines proactive and reactive capabilities, not as disconnected silos but as a positive selling feature. Innovation above compliance.
* Deliberately aligning business continuity management with corporate social responsibility and enterprise risk management to openly demonstrate to all potential customers a positive attitude to risk appetite with logical and tested contingency arrangements to continue all key business operations irrespective of any turbulence or crisis.
* Creating business continuity management upside along with enterprise risk management to become a coherent and transparent feature to support all corporate objectives, against competitors still operating silos, to show seamless competence all the way from identifying risk probability to sustaining key business operations whenever required.
* Making these forward looking changes that do not overlay, but are integral to operational activities and which does not need to create bureaucracy, added costs or delay. Indeed, there would be cost savings.
In an age of increased volatility, intensified competition, heightened risk and immediate/global communication one factor has become more important than ever in sorting the champions from the also-rans. That factor is foresight linked to flexibility, innovation and realism to shape a new opportunity focused discipline that dismantles silos and meshes enterprise risk management and business continuity management along with risk management under a single and central management.
After all the leaders of tomorrow’s most successful companies will not so much be risk takers. They will be risk shapers. But as long as business continuity remains disconnected from helping to shape those risks it will never take its part in tomorrow’s opportunities, so let’s start by pulling up the barbed wire now.
Author: Peter Power, FBCI, is MD of Visor Consultants (UK) Ltd email@example.com
Make a comment
This article is copyright Visor Consultants (UK) Limited and is an extended version of one published in the latest issue of the Business Continuity Institute’s Continuity magazine.
Many congratulations on an excellently presented article. Kindly allow me to respond as follows:
From my personal working experience, it has always been found that we had successful BC Managers who were essentially business managers who either double-hatted or went on to don the BCM hat, and in a similar vein, risk managers from the business side, rather than 'specialists' who had an excellent grasp (of either BCM or ERM ) but had no business side experience or exposure.
Whether business continuity is a sub-set of ERM or whether it is a stand-alone stream, never seemed to matter; irrespective of the 'pecking order', BCM was taken seriously and practiced as an important component of business side deliverables, if the BC manager was not just capable but also sensitive to business-side issues.
Thus to a person like me, the issues like BCM vs ERM etc is just a throw-back to the days of BC vs DR, whether BC is an IT issue or whether DR is an IT issue, etc. Like those issues, time will surely answer the present questions. The most important thing is to get both BCM and ERM right.
Personally, I am of the opinion that BCM and operational risk management will have to serve a higher level of operational resilience, along with ITSMS, supply chain management etc. Work on this seems to be going on in the academia like The University of Eindhoven, University College of Cork, etc. It would be very useful to follow the same to see how it can be practically applied to the satisfaction of stakeholders at the commercial entity levels.
Once again, thank you for such a thought-provoking article on this subject.
Sridhar Kalyanasundaram, MBCI
Peter has constructed a compelling argument.
I take no credit for having advocated a similar policy for years. Even a basic analysis of risk and business continuity activity will reveal parallel activity, which in these days of ruthlessly pared down costs and business efficiency would suggest Peter’s suggestion is the right path.
It would be worthwhile to pursue this vein of thought to include security (ISO 27001) as the next logical step.
Tony Drake, MBCI
Responding to Peter Power's excellent article:
One way to identify situations where risks can be turned into opportunities is to better understand the existing business processes within the organization. A well-organized and structured business impact analysis can shed light into ways that existing business processes can be improved. This is true not only internally but also externally.
In the process of understanding - and hopefully improving - existing business processes, it's quite possible that new opportunities can also be identified. A better understanding of the dynamics of business processes should also help reduce potential risks to launching new business initiatives simply because it should be easier to spot potential pitfalls before they make their presence known.
Collaboration and silo elimination are parallel activities - not necessarily popular in the US, to be sure - but ought to be key parts of an overall program to transform risks into opportunities. After all, where would we be today had our predecessors not taken any risks?
Paul Kirvan, CISA, CISSP, FBCI, CBCP
I'd be surprised if this is news to any serious and experienced practitioner within our field.
At Veterus we've been covering all risks and integrating risk, business continuity, emergency planning, security, corporate governance, strategic planning and operations for years. Unfortunately common-sense is rarely common practice.
Businesses must innovate, change and grow to survive and thrive. Internal and external uncertainties must be anticipated, planned and trained for and minimised or prevented to reduce the need for old-school crisis management and response.
Proactive, holistic, opportunity and risk management is a key part of resilience building in any organisation and all siloed working threatens continuity of operations, reputations and revenues. A common example of this is when organisations write strategies and plans in splendid isolation omitting interfaces with the emergency services. Peter's points refer in the main to the internal silos which make no commercial sense in these straitened times as Tony points out.
Bradley Wright, Veterus
I'm most grateful for the comments made so far that seem to support the views expressed, likewise the many other comments I have received outside of Continuity Central. A growing number of organisations are already well down this path and I merely wanted to add my opinion to something that is already starting to happen, albeit organically.
The motivation as Tony Lake has suggested is often financial to avoid (a) appointing so many managers doing broadly similar tasks, (b) ineffective discoordination of effort and (c) putting a positive rather than negative emphasis on the broad concept of risk. I actually do believe tomorrow's most successful companies will not so much be risk takers - they will be risk shapers. However, some membership organisations and so called centres of excellence might (understandably when seen from their view/remit) perceive such coalescence as a threat, but commercial imperatives such as the need to be competitive, reduce overheads and predicate business resilience on the basis of growing corporate uncertainty rather than maintaining a perceived status quo seems to suggest otherwise?"
Risk management and business continuity management: understanding the difference
Ian Charters responds to Continuity Central’s recent article ‘Risk and continuity: convergence is in the air...’
•Date: 30th Mar 2010 • Region: UK/World •Type: Article •Topic: BC general
Rate this article or make a comment - click here
UPDATED 20TH APRIL 2010