As a consultant, I have had the opportunity to work with some of the largest and most complex corporations in the world. A common challenge that many of them face is partnering effectively across functions. One of the most visible examples is the relationship between the business and information technology (IT). I also often see a lack of coordination between a company’s Business Continuity Management (BCM) and Enterprise Risk Management (ERM) teams.
Most companies say that the disciplines of BCM and ERM are well integrated. Yet a closer examination usually shows that the partnership and collaboration could benefit from some improvement. Given the natural synergies and similarities between these two disciplines, there are clear opportunities to create value by working closely together. Based on my observations over the years, both positive and negative, I would like to share some ideas that can help bring BCM and ERM together to deliver real business value and improve loss avoidance.
Role Of BCM
BCM is a major player in risk mitigation within a company. Those who do it well run their BCM group as a service oriented, problem solving and value adding machine. Too often, companies hide behind compliance and regulatory requirements to fund and manage their programs. The mechanics of a BCM program, such as administering business impact analyses (BIAs) on an annual basis, testing documented plans, and so on, should be secondary to the outcome of achieving greater resilience and lower risk for the enterprise. Focusing on the compliance and regulatory aspects of the program often creates a culture of animosity, in which it is hard to gain support from business partners (who do the tactical work of BIAs, risk assessments, plan development, etc.) as well as from executive sponsors (who provide funding, access, and support). I have seen some of the largest corporations in the world continue to pour dollars and personnel into their BCM programs, all justified by the driver of compliance. By contrast, those who position their programs as service providers are in a better position to foster positive working relationships. Effective BCM teams work continuously with a risk mindset: they provide consistent policies, frameworks, and solutions for planning and response across the company, and they meet compliance needs as a by-product rather than as the goal.
The new ISO22301 standard, Societal Security — Business Continuity Management Systems — Requirements, is being heralded as the new international standard for BCM. After years of development and debate about FEMA’s voluntary private sector preparedness program, PS-Prep, as well as other related standards, ISO22301 has generated some optimism. Practitioners, so far, are more willing to adopt it than the standards previously available. This may be due to the international nature of the standard, as well as the stature that the International Organization for Standardization (ISO) has achieved. ISO22301 is closely aligned with the risk management standard, ISO31000. More details on that alignment follow below.
BCM groups often complain of not having enough executive support for their programs. One reason for this may be difficulty in articulating why and how BCM provides value to specific areas of the business, as opposed to being an intrusive, audit-like exercise that takes time and effort for minimal perceived benefit. A partnership with ERM can not only help establish and maintain the credibility of the BCM program with executives and business areas alike, but also support the case that BCM work aligns with the strategic plan of the company.
Role Of ERM
ERM is the primary place to identify and report on all types of enterprise risk. ERM usually looks at the strategic level for risks affecting the overall business plan. Examples include competitors introducing innovative products (e.g. Apple) or macro-economic issues that may affect payment for products and services (e.g. healthcare legislation). By contrast, BCM tends to identify more “tactical” operational risks, such as inadequate power at a facility or single points of failure within the supply chain.
One function of ERM is to collect and maintain a register of risks across the enterprise. This information is collected and aggregated through a manual process, a custom or packaged software solution, or some combination of the two. The data is refreshed on a regular basis, at a frequency that varies with industry, company size, and other factors.
Another typical function of ERM is reporting details and executive summary views of enterprise risk to executive management. These are typically reported to a steering committee of top level executives on a quarterly basis, and to the board (and possibly board audit committee) on a less frequent, but regular basis.
The ISO31000 standard, Risk Management — Principles and Guidelines, provides guidance for a risk management program. Its framework closely parallels that of ISO22301: ISO22301 is explicitly built on the “Plan, Do, Check, Act” cycle, and the ISO31000 framework (design, implement, monitor and review, continually improve) follows the same cycle. In addition to sharing this approach, ISO31000 provides a clear linkage through risk assessment, which is a core component of any risk management and business continuity management program.
Mature ERM programs could benefit from leveraging their BCM colleagues as the foundation of their risk mitigation engine. Whereas ERM is skilled at identifying and tracking enterprise level risks, BCM is skilled at developing the plans and capabilities that mitigate those risks.
Some companies make the case that their ERM and BCM programs are closely linked. More often than not, however, the functions operate in separate silos. Below are a few ideas that can help align the two functions more closely within your organization.
Idea 1: ERM and BCM collaborate closely during the risk assessment process. The risk assessment process is the most obvious place for ERM and BCM to collaborate. Most companies have several groups in different functions conducting risk assessments (a real estate team evaluating new sites, IT performing application level analysis, the facilities team assessing corporate headquarters), while ERM is conducting its own high level assessments across the company. Collaboration between BCM and ERM on each other’s risk assessment activities allows the same data collection and analysis tools to be used and, more importantly, makes more efficient use of stakeholders’ time. By joining forces, ERM and BCM show business stakeholders that their time is valued, which in turn encourages more willing participation. The result is accurate, timely, actionable data for mitigating risk efficiently.
Idea 2: ERM provides a consistent risk assessment framework for use across the company. This may involve adapting a standard such as ISO31000 to meet corporate needs, and it may include providing a technology solution to conduct and manage risk assessments. A companion standard to ISO31000, ISO/IEC 31010 (Risk Management — Risk Assessment Techniques), provides guidance and examples on conducting risk assessments; both ERM and BCM teams can use it to establish a common process and nomenclature throughout the risk assessment process. Tailoring the standard to the specific needs of the corporation yields an approach that is aligned with the standard yet flexible enough for the corporation’s needs. Using an enterprise tool to collect and analyze risk assessment data brings many benefits, one of which is the ability to report results in a consistent format.
Idea 3: ERM and BCM establish recurring meetings (e.g. bi-weekly). Beyond sharing risk assessment data, issues will arise that require collaboration between the two groups. For example, ERM may identify that IT requires a more effective data replication solution. BCM participation in that conversation can help shape the solution (by providing BIA data, recovery time objectives, process owner contact information, etc.). Keeping a regular meeting on the calendar ensures that progress from each function is communicated in a timely fashion, and the forum gives both groups a place to share new developments as they arise.
Idea 4: ERM can help BCM prioritize risk mitigation through BCM planning and implementation. For example, ERM may uncover business units that represent significant risk to the company. Those business units are prime candidates for prioritized BCM activity, and going through the BCM planning process may be part (or the whole) of the risk mitigation solution.
Idea 5: BCM can help ERM articulate certain enterprise level risks in concrete terms. For example, during a risk assessment the BCM team may discover that the credit card settlement process lacks resilience, which threatens the company’s ability to recognize revenue. Because ERM operates at a high level, the BCM team is often better suited to investigate and maintain data at this level of detail. BCM can provide risk related data to the ERM team, organized by business area.
Idea 6: BCM should give ERM a seat on its steering committee, and ERM should give BCM a seat on its steering committee. This presents a united front to the rest of the organization, minimizes redundant tactical information gathering, and maximizes the value of the solutions offered by both groups.
Call To Action
If you are a BCM leader or team member, make a point to meet your ERM team. Lunch is always a good way to start the relationship off on the right track.
Try some of the ideas discussed above for collaborating with your ERM counterpart. Collaboration of this kind benefits all parties, and communicating success in this space will resonate with business management.
In summary, offer to become the solution engine for the enterprise risk manager. ERM is typically excellent at identifying risks, reporting on them to management, and possibly obtaining funding to mitigate them. BCM is well positioned as the next step: coordinating the solutions. A productive partnership will enable both BCM and ERM to exceed expectations while positioning the company for sustained success.