Disaster-Resource.com

The Intersection of BCM and ERM

By Brian Zawada (CBCP, PMP, CISA, CHS-I)

As Business Continuity Management (BCM) programs continue to evolve and mature, Enterprise Risk Management (ERM) processes are just beginning to take hold.  The promise of competitive advantage through effective risk management has captured the attention of executive managers worldwide.  And with crises capturing headlines every day, more and more executive managers are developing or maturing their business continuity programs.  Can BCM jumpstart ERM?  Why have both?  This article will explore the drivers for both BCM and ERM, as well as how the two intersect and complement one another.

Definitions

Business Continuity and Enterprise Risk Management have numerous definitions and meanings.  For the purposes of this article, BCM and ERM are defined in the following table.

| Business Continuity Management | Enterprise Risk Management |
|---|---|
| BCM addresses the development of strategies, plans and actions which provide risk reduction opportunities, response frameworks and alternative modes of operation for critical business processes and technologies.  BCM programs include crisis management, crisis communications, business resumption and IT disaster recovery elements. | ERM is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. (COSO ERM – Integrated Framework – 2004) |

ERM is an umbrella process, whereas BCM represents a key element of the response framework.

Drivers

According to a 2005 study sponsored by Continuity Insights and KPMG, 25% of organizations have a fully functional and stable BCM program, whereas 50% are in the process of developing a viable program. Most experts would agree that relatively few organizations have attempted to implement ERM processes and none have fully implemented an entity-wide ERM solution. But with the advent of the COSO’s ERM – Integrated Framework, more and more organizations are beginning to take a look at the value proposition. So what’s driving the investment in both BCM and ERM? The following table identifies some of the key drivers affecting BCM and/or ERM.

| Driver | BCM | ERM |
|---|---|---|
| Regulatory Compliance | Yes | Yes |
| Reputation Protection | Yes | Yes |
| Stakeholder and Customer Demands | Yes | Yes |
| Environmental and Man-made Threats | Yes | Yes |
| Governance Expectations | Yes | Yes |
| Business-IT Alignment | No | Yes |
| Program/Process Efficiencies | No | Yes |
| Capital Optimization | No | Yes |
| Avoid Surprises | Yes | Yes |
| Manage Risk Likelihood | No | Yes |
| Manage Event Impact | Yes | Yes |

Overall, ERM is a broad process designed to address the entire risk landscape.  BCM is a key element of an effective ERM program and is limited to managing the impact associated with availability and reputational risks.

How Are BCM and ERM Similar (or Different)?

Using the COSO ERM – Integrated Framework, the following tables identify where BCM achieves a similar objective when compared to key attributes and core fundamental concepts.

| COSO ERM – Integrated Framework Attribute | BCM | ERM |
|---|---|---|
| Aligning risk appetite and strategy – Management considers the entity’s risk appetite in evaluating strategic alternatives, setting related objectives, and developing mechanisms to manage related risks. | | |
| Enhancing risk response decisions – Enterprise risk management provides the rigor to identify and select among alternative risk responses – risk avoidance, reduction, sharing and acceptance. | | |
| Reducing operational surprises and losses – Entities gain enhanced capability to identify potential events and establish responses, reducing surprises and associated costs or losses. | Availability and Reputational Risks Only | |
| Identifying and managing multiple and cross-enterprise risks – Every enterprise faces a myriad of risks affecting different parts of the organization, and enterprise risk management facilitates effective response to the interrelated impacts, and integrated responses to multiple risks. | X | |
| Seizing opportunities – By considering a full range of potential events, management is positioned to identify and proactively realize opportunities. | X | |
| Improving deployment of capital – Obtaining robust risk information allows management to effectively assess overall capital needs and enhance capital allocation. | | |


| COSO ERM – Integrated Framework Fundamental Concept | BCM | ERM |
|---|---|---|
| A process, ongoing and flowing through an entity | | |
| Effected by people at every level of an organization | Potentially, but also at the process level. | |
| Applied in strategy setting | Focused on Core Business and IT Elements | |
| Applied across the enterprise, at every level and unit, and includes taking an entity level portfolio view of risk | Availability and Reputational Risk Only | |
| Designed to identify potential events that, if they occur, will affect the entity and to manage risk within its risk appetite | Availability and Reputational Risk Only | |
| Able to provide reasonable assurance to an entity’s management and board of directors | X | |
| Geared to achievement of objectives in one or more separate but overlapping categories | | |

Managing the Risk Landscape with BCM and ERM Processes

Business Continuity Management grew out of the business leader’s need to manage the risk that, at some point in the future, operations may be impacted by an unforeseen event and as a result, may be limited or inoperable.   These events may be categorized as ‘availability related risks’, because they ultimately affect the availability of the business.

There are two ways to reduce availability risks:  reduce likelihood and limit impact.  Traditional BCM methodologies focus on limiting impact (often through recovery planning, testing and training), but frequently ignore the opportunity to reduce the likelihood of disaster.  The risk assessment is a common component of most business continuity methodologies.  However, the business continuity professional’s involvement is normally limited to assessing the likelihood of occurrence as opposed to evaluating control operation and identifying recommendations to actually reduce likelihood.  These tasks are often reserved for the business, but risk management and business continuity personnel can add significant value in this area if afforded the opportunity.

As a result, the business continuity industry must evolve and move closer toward Enterprise Risk Management by not only estimating the likelihood of risk occurrence, but also identifying opportunities to affect the likelihood of occurrence.  This type of analysis and decision-making is at the core of the Enterprise Risk Assessment (ERA) and the broader ERM process.  BCM is just one of the response elements of ERM, but together the two disciplines can add value to one another throughout the risk assessment/ERA process.  For the business continuity professional, ERM/ERA offers an opportunity for a “risk assessment done right.”

Going Forward

For a myriad of reasons, effective risk management is becoming a core business competency.  As a result, there is a huge need for management team members who are experienced in speaking a risk-based language to help champion the eventual deployment of ERM.

Although very few organizations have begun the ERM journey, the opposite is true of business continuity program development and maturation.  BCM program development lessons learned are well known and documented, and can be applied to future ERM initiatives. 

BCM and ERM complement one another, and both are necessary in today’s high-risk business environment.  Business continuity professionals should understand the principles found in the ERA process in order to deliver higher levels of value with the objective of managing risk likelihood and impact.  Additionally, BCM professionals should recognize that they are key team members focused on managing availability and reputational risk.

About the Author

Brian Zawada is the Director of Consulting Services for Avalution Consulting (www.avalutionconsulting.com), a firm specializing in event risk management and business continuity solution design, development, implementation and long-term maintenance. Brian has been involved in the business continuity industry for ten years and is a member of the Continuity Insights Editorial Advisory Board and President of the Northern Ohio Association of Contingency Planners (ACP) chapter. Brian can be reached at brian.zawada@avalutionconsulting.com or via phone at 800.941.0381.