What is the relationship between Business Continuity and Risk Management?
The relationship between Business Continuity and Risk Management depends on the organization. In most cases, Business Continuity is a sub-domain of Risk Management.
If there is an existing Enterprise Risk Management framework in the organization, can you use that in your Business Continuity Planning? Or, should you create a new Risk Register and new Risk Assessments for each department inside the Business Continuity Plan?
- You should refer to your organizational Risk Register as a starting point. However, some Business Continuity Plans may contain lower level risks that are important to the department but not significant to the organization as a whole
- Risk Management is focused on the mitigation of issues and Business Continuity is more concerned about a worst case scenario action plan.
Enterprise Risk Management
When it comes to Business Continuity and Risk Management – Risk is in the driving seat.
Business Continuity as part of an overall Operational Resilience program is the mitigation of risk. However, Enterprise Risk Management, especially in large businesses can be focused either on the macro scale and / or miss localized impacts for satellite operations. This means the best approach is a mix of the top impacting risks from Enterprise Risk Management and a local risk analysis.
A modern 24/7 business cannot tolerate interruption and therefore looks for its resilience teams to prepare for the high risk scenarios which could occur. This allows them to proactively develop pragmatic strategies to mitigate the risk.
As an example, tropical cyclones are not instant events – they can be prepared for, as can wildfires. If flooding is a real risk in your area, then make plans to mitigate against it. Don’t wait for the water to be lapping round you and then get your plan out. As that is too late and your business will have been interrupted.
Business Continuity Management
Business Continuity Management is a tool that reacts when there is a business disruption, while Enterprise Risk Management is a strategic tool used by management to accomplish its business objectives. Although Business Continuity Management can be part of the action plans to achieve those business objectives, for example – to ensure the business resumes its operations continuously in the event of a disruption.
Business Continuity Management risk is a sub domain of Enterprise Risk Management, like Information Security Risk Management or Health and Safety Risk Management. It is a collection of good management practices linked together. The Business Impact Analysis pulls from the Enterprise Risk Management process, the Business Continuity Plan is a series of contingency actions.
The Business Continuity Management System framework is the system that stitches activities together. However, if we rely on Business Continuity specialists to manage the company Business Continuity, then we create the paradox of being unable to respond when our specialists are unavailable.
Enterprise Risk Assessment
The Risk Assessment carried out by Enterprise Risk Management professionals takes into consideration known knowns, and unknown knowns. The resulting Risk Register will be comprehensive and will cover almost all the risks and could be used both for Business Continuity and Risk Management.
The result of the Risk Assessment enables leadership to determine the acceptable risk appetite of the company. After the risk appetite is defined this will determine whether or not to move forward with the rest of the Business Continuity Management framework.
Business Continuity Risk Assessment
Performing a specific Business Continuity Management related risk assessment helps you consider the various in scope resources and risks to them. It also helps you validate current controls in place and assess any additional controls that could be put in place.
For example, a high risk premise – are there controls that could be put in place, or should relocation be a serious consideration. When you are evaluating the internal and external issues (Clause 4.1 of ISO 22301:2012) these can be sourced (in part) from the risk register and Enterprise Risk Management and evaluated with a Business Continuity Management lens. This is a high level input into the process that is often missed or skipped over.
Enterprise Risk Management is higher level than Business Continuity Management, as it looks at any uncertainty that can have an effect on the organizations objectives. While Business Continuity risk assessments will look at more specific risks to in scope resources affecting processes and delivery of products and services (such as a loss of premise risk).
A Business Continuity Management risk should also be tracked in the Enterprise Risk Register but can be treated with Business Continuity plans or preventative measures by the Business Continuity Management professional and then tracked upwards.
You should consider:
- What needs protecting
- What might disrupt it and how
- What happens if it gets disrupted
Business Continuity Management is by its very nature is more focused on the impact of risk events, rather than the likelihood of them – unpredictable and unavoidable as some such events are.
Preparing to Plan
One of the first steps you should take when considering the preparation of a Business Continuity Plan is to understand the risks faced by the business.
Business disruption incidents are triggered by both internal and external risk factors. It is therefore essential to understand what risks could potentially stop your business activities. Once you understand the risks then you can develop corresponding control/mitigation plans to avoid or minimize the disruption impacts.
All Hazards Approach
An alternative school of thought is that Business Continuity Planning should adopt an “All Hazards Approach”. This approach focuses on how to continue / recover services following the materialization of risk.
It is possible to prepare for a disruption without waiting for it to occur. You cannot mitigate a flood, wildfire or hurricane, however you can have the capability to respond and recover should such an event impact operations.
So, if you have the ability to recover from a specific hazard, that same strategy could be employed for a wide variety of threats. You should build recovery capabilities based on the impact of an event (loss of resources, locations, staff, etc.) not the risk itself. If a risk provides the opportunity to take pro-active measures then certainly do so, but many threats do not provide any warning and it is best to be prepared for the hazards you do not see coming. That includes the risks that may not even show up on a risk register.
In this approach Business Continuity is seen as equal to Risk Management and not a subset of it. Organizations should manage risks but must acknowledge that resources do not exist to reduce all risks to zero. This is why an equal amount of effort should be devoted to preparedness, which is where Business Continuity comes in. Equal time should be devoted to both Business Continuity and Risk Management, rather than two disciplines performing duplicate efforts.
We don’t need any Risk Assessments to do good Business Continuity. In Business Continuity Management, it doesn’t matter if the building is burning, the important point is how to relocate people and where they will work tomorrow. A plan should be a toolbox with only useful information for recovery. Putting a list of risks inside doesn’t bring any value.
Even if Business Continuity Plans are considered a risk control, the objective is different – they don’t mitigate the probability at all.
A generic “all hazards” plan ensures continuity regardless of the cause of the disruption. This is how you can effectively prepare for unanticipated or low probability events. If we plan for the impact then we can be more flexible in response, particularly if the cause is something we did not anticipate. Conversely, by focusing just on specific hazards, there is a danger of being more susceptible to the ones we did not plan for.
For a more in depth discussion of the All Hazard’s approach you can view Mark Armour’s article: On Stones, Clay and Rubber Balls
Whether you choose to take a Risk based or All Hazards approach to your Business Continuity Planning – you will be able to use BCP Builder’s Online Business Continuity Plan Template.