Risk management and business continuity management (BCM) go hand in hand when identifying and managing business vulnerabilities. In both cases it is about being prepared for risks and disruptions that threaten the company’s business. Despite similarities, risk management and BCM often have different approaches and connections to decision-making.
In risk management the aim is to identify and assess risk factors and events that are critical to the business. Prioritized risks are controlled by determining measures to either prevent the risk from occurring or mitigating its impact. The prioritization of risks is often done by assessing the risks likelihood or frequency of occurrence in relation to its financial, or other qualitatively measured, impact.
Performing reliable risk assessment, however, is a challenging exercise that is often neglected. In fact, relying on traditional risk assessments in decision-making could even be questioned. Some studies show that assessing the likelihood of events is both challenging and unreliable[1]. Even experts struggle to assess the likelihood of events systematically and reliably. Furthermore, empirical data is rarely available to support assessments.[2] Even experts are inclined to underestimate the worst scenarios and their impact, and the chance for subjective misconception increases when the assessment is done by a single expert, and not collaboratively by a group[3].
Tackling risk management challenges with business continuity management
Business continuity management can be used to solve challenges in risk management by accepting the worst possible scenarios as the starting point. This shifts the focus to determining continuity and contingency plans for various disruptions caused by deviations and interdependencies in for example IT-systems, subcontractors, and supply chains.
Anticipating disruptions requires resources, which is why continuity management often for practical reasons is built on top of the risk management process. To save resources and ensure efficiency, business continuity planning should primarily focus on the most critical risks that threaten key processes and business functions. The state of a company’s continuity plans tells a lot about the organization’s risk management, contingency capabilities, and resilience.
BCM enables detailed analysis of possible disruptions and interdependencies. Identifying interdependencies between IT-systems, subcontractors, value chains and other processes is typically not included in traditional risk assessment. It is however an integral part of business continuity management. Having a systematic approach to BCM can give a complete understanding of possible scenarios and their impacts, essentially making it easier to prioritize risks and allocate resources to the most relevant contingency measures.
Collaboration is key
When discussing and assessing risks it is important to consider the diversity of the participants. It is natural that experts have varying views on the impact of different disruptions based on knowledge, experience, and position. Acknowledging that there are different views and understanding all viewpoints is key to succeeding in both risk management and BCM. In practice, however, it can be challenging to facilitate discussion and make decisions when different views collide.
Supportive functions that may be responsible for creating contingency plans such as IT and HR, rarely have a thorough understanding of the day-to-day operations of business units. Especially not in assessing the complete impacts of various disruptions. Conversely, the business units might not be able to evaluate critical resources with the same expertise, or to define response times and service levels. Therefore, exchanging views could be considered a critical part of reaching sufficient resilience. A collaborative process brings together the organization’s knowledge and helps assessing disruption sensitivities and interdependencies more comprehensively. This ultimately contributes to an improved capability to anticipate and prepare for disruptions.
Business continuity management is a continuous process
Risk management and BCM are continuous processes, and it is highly advised that organizations discuss and determine recurring activities for both. Even if a business or business environment does not seem to be subject to rapid change, people’s capability to identify and control risks is limited. Without frameworks and tools in place, it is challenging to continuously be aware of the situation and surroundings.
- The BCM process begins with identifying the most important processes from a business perspective. The aim is to limit the creation of continuity plans to critical functions.
- Collaboratively assessing the impact of disruptions in the identified key processes offers valuable insight into business units and the wider organization.
- Once key processes have been defined and disruption impacts assessed, the next step is to analyze interdependencies between resources and processes. The end-result should provide an understanding of the organization’s most important processes and interdependencies, as well as a detailed view of possible disruptions and concrete measures to improve recovery and resilience.
2. Rosqvist, Tuominen: Expert judgement models in quantitative risk assessment
Bunn (1975): Authoring Bias in the Assessment of Subjective Probability
3. Douglas, H. (2009): Science, Policy, and the value-free ideal, s. 133-148
