Business continuity and risk management have both come from very different places, yet there are increasingly obvious similarities in how both disciplines are applied in practice, says Douglas Ure

Business continuity management and risk management are both fundamental to ensure the success of an organisation, yet their effectiveness could be compromised by both areas working independently of one another.

It is not unusual for silos to exist within organisations. In fact, it is common and to a certain extent necessary, particularly where technical and specialist expertise is needed. Taking a step back and looking at where both disciplines derived from might give us a clue as to why business continuity management and risk management areas do not talk as regularly as they should. Historically, business continuity management derived from the technology area and focused on disaster recovery, whereas risk management has perhaps a slightly more varied past, ranging from insurance purchasing, finance, legal and compliance among others.

The skill sets certainly vary: a business continuity manager perhaps being more operationally focused towards maintaining critical processes, while the risk manager takes a more strategic approach. They should, however, not be mutually exclusive, and risk management that excludes those operational processes is likely to be as flawed as business continuity not taking stock of the bigger picture.

Protecting positions and being biased towards your own discipline are likely to create barriers, and understandably so. If both disciplines have different reporting lines and sit within different areas of the business, it is likely that the processes will be disjointed, and there will be little incentive to work more collaboratively. Having personal and team targets is, of course, important and necessary for accountability. Broadening this to larger group-oriented objectives and targets under a broader risk strategy that incorporates not just risk and business continuity but also security, internal audit, compliance and health and safety might help break down silos and assist organisations in managing risk in a much more co-ordinated way.

Discussions about whether risk management sits under business continuity management or vice versa continue, and probably will do so for some time. There are undoubtedly overlaps between the two, but does it really matter if business continuity management sits under risk management or vice versa? Provided both are given the appropriate resources, have the available skills and are positioned with sufficient authority within an organisation, both areas should add value to the organisation.

However, there are areas of duplication, and perhaps organisations are missing a trick in the way business continuity and risk management often sit parallel to each other. The business continuity manager will want to ensure the key processes that underpin the success of the business are identified, and include those threats that might disrupt them. The risk manager should also be focusing on the same key processes and will also need to know the inherent risks within each of them.

Both areas will of course need to consider slightly different aspects. The business continuity manager will consider alternative work arrangements and dependencies if processes were to fail, and how quickly the key processes could be made operational again. The risk manager might focus more on process inefficiencies, financial exposures and compliance breaches. Either way, ensuring a coherent understanding of the business, the key processes, and the risks and threats to those processes is important for both.

The ultimate holy grail of risk management and business continuity is to ensure that both disciplines are embedded and form part of the organisation’s culture. To do this, both areas need to be talking to one another. Ensuring business continuity staff are adequately involved in the decision-making processes, and have the ability to influence those decisions, depending on the level of risk, is as important for the business continuity manager as it is for the risk manager.

Business continuity managers should be proactive in addressing inherent risk, both in terms of reducing the probability and impact of the risk occurring. Some might argue that they do not do enough proactively to reduce the number of times the business continuity plan has to be implemented. In terms of measuring the success of the business continuity management programme, should the number of losses and other unwanted events be taken into account when assessing the effectiveness of the business continuity plan?

An organisation with both a business continuity manager and a risk manager will be likely to find a number of areas where their roles overlap. Understanding the organisation is obviously a given, as is to ensure the approach taken fits with the culture of the organisation. It is also important for both managers to know what the critical assets and processes are and what might cause them to fail. A business continuity manager might do this through a business impact analysis or a workshop with those people who know the processes best; a risk manager might do it through a range of other techniques.

Understanding the risks to the business, prioritising those risks through a reliable assessment process and targeting resources to those areas are essential for both. The business continuity manager might focus more towards preparing contingencies if these processes were to fail, whereas the risk manager might have more focus on the mitigating actions necessary to minimise the failure in the first place. Either way, both should have a consistent view as to what is critical to the business.

A joined-up approach should not only make the process more robust but also reduce the frustrations of those people who are closest to the business’s critical processes. Being asked the same question by different departments causes frustration. It can also hinder support and make the goal of embedding the processes far more challenging.

Reaching a solution

The actual solution for bringing together all risk disciplines will vary from one organisation to another depending on the industry sector, and the need for specialist expertise. It is, however, important that all areas have input into a group-wide risk register and have a common theme in terms of risk appetite and tolerance. Ensuring all areas’ input into a regular risk report will not only improve the reliability and robustness of the content but will ensure the board gets a complete picture of the significant risks facing the organisation.

There might also be merit in having a consistent approach for assessing risks and threats relating to each key process, enabling the board to prioritise and focus its attention on those risks that are considered significant. Having different assessment criteria may give mixed messages and potentially undermine significant risk issues.

The board and executive management team need to have a complete view of risk, not a bias towards one area, such as financial risks, operational risks or security risks. Hoping that the risk manager and business continuity manager will bump into each other at the coffee machine and find that they have something in common is not the best way to ensure risk issues are being managed coherently! The board of any organisation has to process an enormous amount of information (see figure 1), and reporting risks from numerous areas makes their job that much more difficult.

Some organisations have put in place a risk committee, sitting underneath the board, which has representation from all the various risk areas. This approach might be useful in providing the board with the necessary assurance that risks are being managed robustly. It also ensures that those risk issues which are escalated to the board are presented in a consistent and coherent way.

The strategy for managing risk must be set at the top of the organisation. The board needs to review regularly the effectiveness of risk management, including areas of duplication and how the various disciplines interact. In particular, it should review and consider:

the types of risks facing the business and the need for having specific functions to co-ordinate risk management

reasons for losses and events that should have been prevented

availability of technical skills and any skills gap

reporting lines of the various risk disciplines

the need to have a consolidated view of risk across the organisation

the need for board representation (for example a chief risk officer).

Benefits

What benefits might organisations experience by providing a structure where the risk management and business continuity functions, along with other relevant functions, work in a collaborative way?

Ultimately, the obvious benefit is that the organisation should be able to make better informed decisions covering the prioritised risk areas. This will not only reduce the number of unwanted events but also make the organisation much stronger and able to respond to those events when they do occur.