Observations
Overall responsibility for risk and governance in both government and the private sector [2] lies with the board of directors, supported by management and specific committees. Directors are required to exercise care and diligence in overseeing the company's or department's operations, including its business continuity strategies. This involves staying informed about potential risks and ensuring that appropriate measures are in place to manage those risks effectively. Integrating ERM and BCM can give directors, management, and specific committees a holistic approach that provides a comprehensive understanding of potential threats, their impacts, and their treatment.
Common Goals and Stakeholders
ERM and BCM possess common and complementary goals; they both focus on identifying, assessing, and managing risks that could impact the achievement of the organisation’s strategic objectives. Their primary aim is to minimise the frequency of disruptions and reduce the impact of disruptive events. Both frameworks and their supporting programs are typically overseen by the same management team and committees and involve many of the same stakeholders.
The Role of ERM
ERM enables organisations to create and safeguard their value by systematically assessing, monitoring, reporting, and responding to risks that could hinder the achievement of their objectives [3].
The Role of BCM
BCM enhances an organisation's strategic and tactical capabilities by identifying and developing plans for response, recovery, and restoration in the event of incidents that may disrupt operations [4].
Benefits and Perils of Integrating BCM and ERM
Scope
Most business continuity plans (BCPs) fail due to a lack of support for, and understanding of, the scope of BCM among senior stakeholders [5], who often do not link its importance to their own areas of responsibility. Historically, organisations have associated disruptions with IT failures, such as data loss or system outages, leading to the belief that business continuity is primarily an IT concern. This focus on technology can overshadow other essential aspects of business continuity, such as personnel, processes, and overall operational resilience, and has resulted in a perception that recovery is largely the responsibility of IT rather than the outcome of comprehensive, organisation-wide planning. By linking BCM with ERM, the full scope of delivering business resilience is clarified, and roles and responsibilities can be assigned to provide improved accountability and decision-making.
Effectiveness
ERM takes a broad view of potential threats across the organisation, actively identifying and assessing risks that could impact strategic objectives. In a complementary fashion, BCM continues this process by focusing on responding to disruptions that have occurred or may occur, ensuring that critical functions can resume quickly. Together, they provide a complete framework and supporting processes for managing risks before, during, and after incidents. Integrating the two frameworks can enhance business resilience by reducing the possibility of failing to identify critical business functions, breaking down siloed sources of information, and identifying all possible operational disruptions for which BCM should be undertaken.
Prioritisation
Creating and maintaining a BCP to address a risk is a resource-intensive activity and therefore must be prioritised. BCM cannot protect an organisation from all the risks that it faces; the resources required to implement and maintain a BCP for every risk would be beyond the capacity of any organisation. Nonetheless, by integrating BCM and ERM, organisations can better prioritise the application of BCM to the most likely and impactful risks to provide effective mitigation. ERM serves to highlight the most significant risks, allowing BCM to focus on the areas that require immediate attention and to prioritise the allocation of resources accordingly. Equally, the business impact assessments conducted as part of a BCP can provide additional insights into ERM. This mutually supporting approach ensures that organisations can better identify, evaluate, and be prepared for the most impactful threats.
Continuous Improvement
The testing and simulation processes undertaken through BCM can provide valuable insights into real-world risks and the effectiveness of existing mitigation strategies. These insights can inform ERM, improving the assessment of risk, the mitigation strategies that treat it, and the resulting residual risk assessments. The integration of ERM and BCM can thus provide valuable feedback loops for continuous improvement in assessing and mitigating risks, allowing the organisation to develop more targeted and effective response and recovery plans.
Governance
Both ERM and BCM often involve similar stakeholders and governance structures. By integrating their efforts, organisations can streamline reporting and resource allocation, ensuring that risk management and continuity planning are aligned and cohesive, enhancing communication and coordination during a crisis. Integration of ERM and BCM can also provide the opportunity to build a common talent development program, building capabilities that prepare employees to not only manage risks, but to operate in crisis and restore operations. ERM and BCM frameworks should also use the same objective measurements of risks, focusing the organisation on all aspects of the risk lifecycle to create a culture of business resiliency.
Change Management
Managing the integration of two practices that have operated in separate silos can often be challenging, leading to resistance from teams that are accustomed to their established processes. Change should be well-managed and the benefits of integration effectively communicated to fully engage employees who may fear that it could complicate their existing workflows or dilute their responsibilities. Additionally, organisations should be cautious about the resources required to link BCM and ERM and take a measured, staged, and prioritised approach to applying BCM to critical risks.
Next Steps
- Articulate the value of integrating ERM and BCM by highlighting their shared objectives and emphasising their complementary roles in enhancing organisational resilience.
- Secure commitment from leadership to support the integration of ERM and BCM. This includes allocating necessary resources and support for fostering a culture that prioritises the unification of risk management and business continuity.
- Provide training for employees on the importance of integrating ERM and BCM, emphasising how they can identify, report, and address potential risks. This training should include the processes and procedures related to both areas.
Sample Enterprise Risk Register with BCM Integration
Risk ID: The risk ID is a unique identifier assigned to each identified risk. This identifier is crucial for tracking and referencing specific risks throughout the risk management process.
Risk Description: The risk description is a concise and clear statement that outlines the nature of a specific risk. This description is essential for understanding why the risk is considered a potential issue for the organisation.
Risk Category: The risk category is a classification that groups similar types of risks together. Some risks may span multiple categories and should be cross-referenced accordingly.
Likelihood: The likelihood refers to the probability or chance of a particular risk occurring. The likelihood helps in prioritising risks and determining the appropriate risk response strategies.
Impact: The impact refers to the potential consequences or damage that could occur if the risk materialises. The impact assessment considers factors such as the severity of the potential damage and the organisation’s vulnerability to the risk.
Risk Rating: The risk rating is a comprehensive assessment that combines the likelihood of a risk occurring and its impact on the organisation if it does occur. This rating is essential for effective risk management, allowing organisations to develop targeted strategies to address the most pressing risks.
Mitigation Strategies: Mitigation strategies refer to a set of high-level actions and plans developed to reduce the likelihood of a risk occurring or to lessen its impact if it does occur. These strategies are crucial for effective risk management, helping organisations to prepare for potential threats and minimise their adverse effects on business operations.
BCP: This identifies if a business continuity plan has been developed to ensure that the organisation can maintain or quickly resume critical operations during and after the occurrence of the specific risk.
BCP Tested: This identifies when the BCP for this risk was last tested. Testing a BCP is essential for validating its effectiveness, identifying gaps, adapting to changes, enhancing team preparedness, and improving recovery times.
Residual Risk: Residual risk is the risk that remains after efforts have been made to reduce the initial risk rating through the implementation of mitigation strategies and/or through the formulation and testing of a BCP.
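The register fields above, and the prioritisation described under "Prioritisation", can be turned into a working model. The following is an added example written for this page; it is not part of the original document and not a tool from any of the cited bodies. The 5-point likelihood and impact scales, the multiplicative risk rating, the rating threshold at which a BCP is required, the 12-month BCP test interval, and the sample risks are all assumptions made for the illustration, and a real organisation would substitute its own scales and cadence.

```python
"""Added example: a minimal enterprise risk register with BCM fields.

Assumptions (not from the source document): likelihood and impact are
scored 1..5, risk rating = likelihood x impact, a BCP is required for
ratings >= 12, and a BCP test older than 365 days is 'stale'.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

BCP_TEST_INTERVAL = timedelta(days=365)  # assumed re-test cadence
BCP_THRESHOLD = 12                       # assumed rating that requires a BCP


@dataclass
class Risk:
    risk_id: str                       # unique identifier for tracking
    description: str                   # concise statement of the risk
    categories: List[str]              # a risk may span several categories
    likelihood: int                    # 1 (rare) .. 5 (almost certain)
    impact: int                        # 1 (negligible) .. 5 (severe)
    mitigation_strategies: List[str] = field(default_factory=list)
    bcp_exists: bool = False           # has a BCP been developed for this risk?
    bcp_tested: Optional[date] = None  # date the BCP was last tested
    residual_likelihood: Optional[int] = None  # reassessed after mitigation/BCP
    residual_impact: Optional[int] = None

    def __post_init__(self) -> None:
        # Reject scores outside the assumed 1..5 scale so ratings stay comparable.
        for name in ("likelihood", "impact", "residual_likelihood", "residual_impact"):
            value = getattr(self, name)
            if value is not None and not 1 <= value <= 5:
                raise ValueError(f"{name} must be between 1 and 5, got {value}")

    @property
    def risk_rating(self) -> int:
        """Inherent rating combining likelihood and impact (assumed: product)."""
        return self.likelihood * self.impact

    @property
    def residual_risk(self) -> int:
        """Rating after mitigation and BCP; falls back to inherent values if unassessed."""
        lik = self.residual_likelihood if self.residual_likelihood is not None else self.likelihood
        imp = self.residual_impact if self.residual_impact is not None else self.impact
        return lik * imp


def bcp_status(risk: Risk, today: date) -> str:
    """Classify BCM coverage: not required / missing / untested / stale / current."""
    if risk.risk_rating < BCP_THRESHOLD:
        return "not required"
    if not risk.bcp_exists:
        return "missing"
    if risk.bcp_tested is None:
        return "untested"
    if today - risk.bcp_tested > BCP_TEST_INTERVAL:
        return "stale"
    return "current"


def prioritise(register: List[Risk], today: date) -> List[Tuple[str, int, int, str]]:
    """Rank risks by inherent rating (ties by ID) so BCM effort goes to the top first."""
    ranked = sorted(register, key=lambda r: (-r.risk_rating, r.risk_id))
    return [(r.risk_id, r.risk_rating, r.residual_risk, bcp_status(r, today)) for r in ranked]


def cross_reference(register: List[Risk]) -> Dict[str, List[str]]:
    """Map each category to the IDs of risks that fall under it (multi-category risks appear under each)."""
    index: Dict[str, List[str]] = {}
    for r in register:
        for cat in r.categories:
            index.setdefault(cat, []).append(r.risk_id)
    return index


# Constructed sample register (illustrative values only).
SAMPLE_REGISTER = [
    Risk("R-001", "Ransomware encrypts core ERP systems", ["Technology", "Operational"],
         likelihood=4, impact=5, mitigation_strategies=["Offline backups", "Endpoint detection"],
         bcp_exists=True, bcp_tested=date(2024, 3, 1), residual_likelihood=2, residual_impact=3),
    Risk("R-002", "Loss of primary office due to flood", ["Physical", "Operational"],
         likelihood=2, impact=4, mitigation_strategies=["Remote-work capability"]),
    Risk("R-003", "Key supplier insolvency", ["Supply chain"],
         likelihood=3, impact=4, mitigation_strategies=["Dual sourcing"], bcp_exists=True),
    Risk("R-004", "Extended cloud provider outage", ["Technology"],
         likelihood=3, impact=5, mitigation_strategies=["Multi-region deployment"],
         bcp_exists=True, bcp_tested=date(2022, 6, 15), residual_likelihood=2, residual_impact=4),
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE_REGISTER, date(2025, 1, 15)):
        print("{:6} rating={:2} residual={:2} bcp={}".format(*row))
```

Run as a script, the report lists R-001 first (rating 20, residual 6, BCP current), then R-004 (stale test), R-003 (BCP never tested) and R-002 (below the assumed threshold, so no BCP required). The `bcp_status` output is the feedback loop the "Continuous Improvement" section describes: a stale or missing test is surfaced beside the ERM rating rather than in a separate BCM silo.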
Footnotes
1. 'Building resilience: ISO Standard for business continuity just updated', ISO, 2019.
2. 'Business continuity: 9 key areas of focus for your board', Australian Institute of Company Directors, 2020.
3. 'Effective Risk Management', ISO, 2021.
4. 'Security and Resilience – Business Continuity Management Systems – Requirements', ISO, 2019.
5. 'Why business continuity plans fail and what you can do about it', Dataguard Insights, 2024.