
Risk management and business continuity management: understanding the difference

Ian Charters responds to Continuity Central’s recent article ‘Risk and continuity: convergence is in the air...’

I don't want to spoil the party or question the application of common sense by any individuals, but philosophically the approaches of risk management and business continuity management are as far apart as the perennial argument of whether a glass is half full or half empty.

It is no use trying to push the two together until you have found a way of resolving the fundamental differences in their views of the world; or we go back to 'trust me, I am expert/consultant'.

The basic assumption of risk management is that you can reactively make judgements on the probability of events based on the past (what other evidence is there to go on?) and therefore only need to mitigate those judged 'likely'. In contrast, business continuity management proactively prepares an organization for any future eventuality by understanding the organization and developing an appropriate response structure.

In the case of the glass, risk management will see it as probably half full of beer, but business continuity management will worry about the impact if the glass falls off the table or that it contains something toxic and how long it will take to clear up.

Perhaps the latter is overcautious and appears over-concerned with things that will 'never happen', but after days of disruption this year due to severe weather and now volcanic ash grounding flights for an unknown period, who can argue that this pessimism is inappropriate when an organization's survival is at stake?

Peter is right that most boards place risk management above business continuity management but that doesn't mean it is correct and he will be disappointed that ‘risk analysis’ has been renamed 'threat assessment' in the Business Continuity Institute’s GPG2010 in recognition that probability analysis of future operational threats has no scientific basis.

Perhaps the future opportunities that we seek are more likely to come from business continuity management's deep operational understanding of the business - in both business as usual improvements and in the boost that a well-managed incident appears to give to any business. Perhaps if we just changed the name from business continuity management (with the scope currently described in GPG 2010) to ‘resilience management’ then everyone would recognise it as what they are looking for...

Author: Ian Charters, FBCI
Continuity Systems Limited
www.continuity.co.uk


Reader comment

Ian has clearly given much thought to his very interesting response to my article, Risk and continuity: convergence is in the air..., one that reflects his long experience as a highly regarded BC practitioner and member of the BCI Membership Council and former BCI board member.  From such a position I can see why he says it is no use trying to push risk management and BCM together. However, an alternate view is that the gravitational pull of actually doing this (as suggested in my article) is already occurring so that organizations are now being pulled by the benefits rather than pushed without clear reason. 

This is reflected in some of the comments from various readers now added beneath the above article. For example:  “The issues like BCM vs ERM etc is just a throw-back to the days of BC vs DR”,  “Even a basic analysis of risk and BC activity will reveal parallel activity, which in these days of ruthlessly pared down costs and business efficiency would suggest (this) is the right path”, “Businesses must innovate, change and grow to survive and thrive”, “Unfortunately common-sense is rarely common practice”.

The article I wrote deliberately refers to the problems of entrenchment that can only be overcome by rising way above historical battle lines to see a fundamentally different picture where the leaders of tomorrow’s most successful companies will not so much be risk takers.  They will be risk shapers.  It follows that just renaming risk analysis ‘threat assessment’ or swapping the name BC for ‘resilience management’ might for some provide a short term solution, but will I fear, only perpetuate a long term problem.

 Peter Power FBCI FIRM Visor Consultants Ltd


Ian Charters’ observations on risk management and business continuity as being poles apart may be true in theory, but practically I do not experience it this way.

Business continuity may look to identify timelines for tolerable outages, and then reduced timelines to recover. However, any client I have ever worked with will have been taken through the process of prioritising continuity strategies and contingencies based on:

* Timelines for critical activities
* Alternative continuity & contingency for critical activities
* Potential threats – i.e. risk assessments – to critical activities

The client then selects the continuity strategies, contingencies and new controls based on what risk appetite and tolerance they have. They may desire, in an ideal world, continuity against any disruption but they will prioritise what they can afford to do and what they are willing to implement based on a classical risk management approach: appetite, tolerance, threats and prioritising against the main vulnerabilities. This is particularly the case in manufacturing environments.

I would agree that risk management is seen as being ‘higher up the food chain’ than business continuity. Risk management must at least be presented at board level and have some level of active control by senior management. Business continuity is regularly seen as risk mitigation, within risk management.

Niall Duffy, Risk Management International Ltd


I see no reason why risk management need be characterized as “reactive” and business continuity as “proactive.” Risk management is the roll up umbrella at the board level for reporting from business continuity, global response, corporate and information security, infrastructure and business practices such as outsourcing and off-shoring, vendor assurance, succession planning and business line specific risks.

Surely the last several years have taught us that risk management must necessarily be asking “how can I get ahead of this risk?” rather than relying upon siloed reports on market, credit or operational risk that go red/green/yellow.

Annie Searle

•Date: 20th April 2010 • Region: UK/World •Type: Article •Topic: BC general
UPDATED 29th APRIL




