ERM and Business Continuity
Originally Published: March 11, 2005
Over the past few years, many have debated how business continuity functions relate to risk management. Three main viewpoints appear in this debate: those who say the two are closely related and work side by side, those who think business continuity is a sub-component of risk management, and those who agree there is a link but do not support that order of hierarchy.
Traditional risk management has been around for a long time and is an established function within most organizations, while business continuity is relatively new. Because risk management is well understood within businesses, it is difficult to replace it with business continuity management: people's existing views and understanding, and a general resistance to change, stand in the way. Ultimately, a person's experience determines which viewpoint on the relationship between risk management and business continuity management that person will take.
For instance, if someone is comfortable with and understands risk management, that person will presumably view business continuity as something downstream from risk management, and therefore as a component of it. Some adopt this view because individuals who have worked in risk management for many years think of business continuity as another name for the legacy disaster recovery function. However, this viewpoint no longer reflects current practice, now that most business continuity management activity encompasses emergency planning, disaster recovery, security, health and safety, crisis management, and even risk management.
In contrast, some argue that risks are managed in order to protect the continuity of the business. This analysis supports the argument that risk management is a component of business continuity. However, there are flaws in this thinking as well.
The phrase "risk management" is used in two quite different senses: as a function embedded within the business, or as the management of risks to the business. In other words, risk management can be a part of the business processes themselves, or it can be a separate, intervening function that addresses threats to those business processes. This lack of a clear definition of functional scope is what causes the argument over the relationship between risk management and business continuity. The two scopes are very different: there are portions of business processes that address the risks of running a business, and there are control procedures that deal with risks to the business continuing to function at all.
Some argue that it does not matter where risk management and business continuity management are positioned within a business; what matters is that both are employed. Others disagree: poor positioning within an organization can greatly influence the success of the business. What matters is communicating what is genuinely important to the business and reflecting that priority in how each of the two functions is scoped and placed within the organization.