Airmic discusses integrating business continuity and enterprise risk management

Business continuity and enterprise risk management are becoming more closely aligned, and organizations will benefit from a more efficient and more effective investment by adopting an integrated approach, the recent Airmic conference heard.

An enterprise risk management approach typically identifies potential risks and evaluates their likelihood and impact, and ensures that organizations have the proper controls and mechanisms to manage these, according to workshop leaders Eddie McLaughlin and Stephen Roberts of Marsh. Business continuity management is viewed as one such control, applicable to a class of risks causing business interruption.

A business continuity management-led approach prioritises key products, processes and services delivered by a business, identifies dependencies, and assesses the impacts of disruption. Business continuity plans ensure the business is able to recover from such disruptions. Specific risks are a secondary issue. ERM can be seen as only applying to business strategy, not to processes or value chains.

Typically the two disciplines are undertaken by different teams, often in different parts of the organization. Airmic’s view is that ERM and BCM are ‘two sides of the same coin’. Both consider threats, impacts, and controls. They just do this in a different sequence using different language.

The historic separation of these two disciplines has potential adverse consequences:
• High impact low probability risks are often filtered out and not dealt with adequately (eg the Credit Crunch);
• The quantification of impact is imprecise, often done by simple voting;
• Risks identified lower down in the organisation are aggregated and the specific nature of many risks is lost;
• The nature of risks can vary greatly across a value chain, and this can be missed;
• Some processes can become ‘bogged down’ at the operational level missing the ‘big picture’;
• Both types of programme can be expensive and demand time and resources from the business.

The speakers from Marsh recommended an integrated approach that eliminates these gaps and overlaps whilst still recognising the desire for the two disciplines to have separate identities but with a common goal – ‘to achieve the optimal balance between organisational performance and risk governance’, thereby allowing a more efficient allocation of capital and risk-adjusted decision making.

Reader comment

I think there are two key points:

1. According to COSO, ERM addresses ‘strategic, operations, reporting and compliance’, therefore the reference to ERM only addressing strategic issues is not correct.

2. Does BCM increase revenue, drive down costs, or reduce cycle times … no, therefore the only reason for BCM is to mitigate risk.

A robust approach to ERM should embody BCM as part of the risk treatment approach. I recognize that this may not be the reality on the ground in many organizations, but we are all still travelers on a journey.

Roger Southgate

• Date: 18th June 2010 • Region: UK/World • Type: Article • Topic: BC general
UPDATED 14TH JULY 2010

Copyright 2010 Portal Publishing Ltd