Why BCM and ERM Should Be BFFs 

Sometimes questions arise about the relationship between the business continuity management (BCM) team and the enterprise risk management (ERM) department. The fact is, both units—as well as the organization—benefit when BCM and ERM are BFFs (or best friends forever, as the kids say). 

Enterprise Risk and Business Continuity 

From time to time, clients of ours express confusion about the roles and relationship of the enterprise risk management department and the business continuity team. 

ERM is concerned with identifying and evaluating all the risks facing the company, including but not limited to those pertaining to finance, insurance, third-party vendors, and operations. Theirs is a strategic role that involves the research and study of models, financials, and procedures, and risk managers tend to have a lot of authority in an organization. 

BCM is more tactical and operations-focused. The BCM team is concerned with identifying the most critically time-sensitive business processes and devising plans and procedures to ensure they are protected against prolonged and damaging outages. Everything BC does is about reducing risk; in this way its priorities dovetail with those of the risk management folks. The difference is that BC’s focus is limited to operations and is more boots-on-the-ground.

Best Practice and BCM 

An important issue in the relationship between ERM and BCM is where they sit on the org chart. Different companies take different approaches. 

The best practice is that BC should roll up to enterprise risk. It’s easy to see why. Both are concerned about reducing risk. ERM tackles this on the strategic level with a portfolio that includes operations as well as many other areas as discussed above. BC’s focus on operations nests neatly under the ERM umbrella. This arrangement is becoming more common, a positive development. 

Sometimes BC reports to operations, legal, or IT, or is an independent group. None of these arrangements is as effective as when BC is under ERM. Of these other options, the worst is when BC reports to IT. Where this setup exists, it is usually a holdover from the early days of BC, when managers seized on the surface similarity between the new discipline of recovering business processes and the existing one of recovering computer processes, a skill already mastered by the IT departments of the day. In fact, BC’s concerns go far beyond computer systems, making the IT department a bad home for it.

The best place to put the business continuity office is in the enterprise risk group. 

ERM and BCM Are Natural Allies 

Whatever the organizational relationship is between ERM and BCM, the working relationship can and should be one of close, supportive teamwork. In other words, they should be like BFFs, best friends forever, as the kids put it. 

Some groups within an organization have conflicting priorities. One example is the BCM office and senior management. A common situation is that the BCM team wants more resources so it can make the organization more resilient, but senior management balks because they find BCM uninteresting and would rather put any available funds into profit-generating activities. This is a clash of both goals and temperament.

There is no such clash between ERM and BCM; they are natural allies. Both tend to be allergic to risk and are obsessed with bringing it down. What’s more, ERM and BCM can both help each other in achieving their mutual goals, whether this is conducting a threat and risk analysis (something of critical importance to both teams) or assessing the organization’s supply chain and vendor risks. 

While the BCM team is engaged in assessing and managing operational risks, the ERM team will eagerly scoop BC’s findings up and incorporate them into its assessment of the organization’s risk profile overall.  

One way to think of the role of ERM and BCM in relation to the overall organization is to compare them to sheepdogs working together to keep the flock safe. While the sheep are busy grazing, the enterprise risk management department and business continuity management work together like a pair of vigilant, energetic border collies to protect them from harm.

Protecting the Organization from Risk 

The enterprise risk management department and business continuity team both play a crucial role in protecting an organization. ERM takes a strategic perspective and concerns itself with the whole array of risks facing a company while BCM works more tactically to protect the organization from impacts caused by disruptions to its business processes and operations. 

It is best practice for BCM to report to ERM rather than some other department such as IT. Whatever the organizational arrangement, a close, supportive relationship between ERM and BCM is of tremendous benefit in protecting the organization from risk. 

Richard Long is one of MHA’s practice team leaders for Technology and Disaster Recovery related engagements. He has been responsible for the successful execution of MHA business continuity and disaster recovery engagements in industries such as Energy & Utilities, Government Services, Healthcare, Insurance, Risk Management, Travel & Entertainment, Consumer Products, and Education. Prior to joining MHA, Richard held Senior IT Director positions at PetSmart (NASDAQ: PETM) and Avnet, Inc. (NYSE: AVT) and has been a senior leader across all disciplines of IT. He has successfully led international and domestic disaster recovery, technology assessment, crisis management and risk mitigation engagements.


© 2024 · MHA Consulting. All Rights Reserved.
