Business continuity and risk management: what's the difference?

Provided by Meta Group Australia



Organisations need to understand and exploit the synergies between risk management and business continuity.

With the increased awareness of organisations regarding the need to protect vital business functions, the terms "business continuity" and "risk management" are becoming common parlance. However, the ability to effectively define these two disciplines has become a topic of argument, due to user confusion over their relevant definitions, despite clear areas of synergy. With the increasing array of mutterings over the evolving nature of business continuity, there now is a pressing need to understand the interaction that exists between it and risk management.

Indeed, risk management is rapidly becoming a significant area of concern for CIOs. Meta Group believes that, by 2006, risk management (not risk avoidance, which is commonly practiced in business) will become a core competency for the CIO position. The traditional areas of computer and information security, which are becoming more urgent in the heavily networked IT environment, fall into this category, but they comprise only a part of the overall risk management syllabus that CIOs must master.

Depending on the organisation's industry and culture, between 5 percent and 20 percent of the IT budget should be devoted to risk management, including IT security, business continuity, and other risk-related issues. Regulations (eg CFR 11, Sarbanes-Oxley), civilian infrastructure, and substantial revenue transactions all have incremental effects on responsible spending.

In simple terms, business continuity concerns the facilitation of continuous operation of key business functions in a crisis situation (eg flood, fire). In contrast, risk management is perceived as a much broader discipline and one that effectively sets out to identify and manage risks that affect an organisation, often from a more strategic standpoint (eg vendor viability). Typically, since business continuity is perceived to be a less comprehensive discipline, there is a tendency to place it under the umbrella of risk management. This is understandable, particularly in terms of the apparent overlap between business continuity and the operational risk subsegment of risk management (see Figure 1 below).

[Figure 1: risk management]

Blurred boundaries
In a practical context, the lines between business continuity and risk management often are blurred in that the two disciplines use similar tools and techniques to reach their specific goals, including risk assessment, business continuity planning, and business impact analysis. Nevertheless, it is possible to make fundamental distinctions between the two.

As a discipline that can provide real tactical solutions to the threat of risk, business continuity is often viewed as being subservient to the more strategically focused risk management function. The erroneous perception that often perpetuates this is that business continuity is primarily concerned with issues that relate to physical loss (eg, the destruction of a building, damage to inventory). Yet business continuity should actually encompass all of the processes necessary to restore business functionality during a time of crisis. Although this may include physical loss (eg a data centre flood), it could also include issues such as data loss, server outages, and loss of people and communications.

Risk management sets out to tackle risk at its very core, and as a result, it incorporates a wider range and variety of functions, including those that fall within the categories of positive impact, negative impact, and business non-stoppage. It is important to remember that a specific risk will not necessarily bring about instantaneous business stoppage. Insidious, low-impact risks can often prove to be some of the most fatal (eg Arthur Andersen, where cultural problems built up over a period of time and played a major role in the company's fall from grace).

In contrast, the inherent value of business continuity is clearer when we consider that essentially not all risks can be managed. For example, it is arguable whether the World Trade Center attacks could have been effectively foreseen and thus the risk managed. Benefits gained from business continuity have increased in recent years; however, the general image over what business continuity incorporates remains a key sticking point. Many organisations do not understand that business continuity covers both the contextual and transactional environments as well as the physical environment. In fact, to many organisations, business continuity is still viewed in the context of disaster recovery planning, which is a very narrow and specific discipline.

Encompassing enough--but not too much
In reality, the terms business continuity and risk management are often used interchangeably, but this creates a distinct problem in terms of knowing what the user actually means. This is particularly apt in view of the varying perceptions and confusion that persist over what business continuity now encompasses.

[Figure: business continuity]
Although clear distinctions can be made in relation to the cause-and-effect focus areas of business continuity and risk management functions, these distinctions will likely become harder to make as business continuity continues to grow and effectively sheds its image of being merely a physical loss-related solution. In light of September 11 and the raft of corporate scandals, the threat of contextual and transactional risks has come much closer to the fore. Despite this, the age-old issue of making provisions for the loss of personnel and skill shortages during a crisis is still a major area of weakness for many companies. In fact, the business continuity plans of most organisations do not include any kind of strategy for the loss of personnel and the related skill void that would result.

In essence, both business continuity and risk management have a similar focus--that is, giving organisations the ability to effectively cope with risk and understand how it affects their organisation. Business continuity is about prevention, which parallels risk management in that it seeks to identify the early signs of disaster.

Embracing the concept of risk
The key insight to be derived from these comparisons is greater awareness of the ongoing issue of effectively embedding these disciplines within organisations. Although risk management and business continuity efforts are becoming increasingly prevalent, many organisations still view these activities as an end in and of themselves rather than means to encourage a risk-focused culture, which is essentially the ultimate goal of management when adopting these disciplines into their decision-making process. Unless the concepts of risk management and business continuity are institutionalised into day-to-day activities, organisations will have limited success in these areas and leave themselves dangerously exposed.

Planning efforts are of no consequence without a corporate culture as well as dynamic measures that can address and pre-empt risk. As with nearly all business functions, the key to success for business continuity and risk management remains firmly within effective communication, in knowing how to bring about a culture that embraces the concept of risk across all activities. Comparing the functions of different disciplines and constantly re-evaluating those functions certainly adds value. In this case, it is important that comparisons be used to promote the ways in which the disciplines can work together more effectively rather than to promote separation of the disciplines.

As organisations attempt to increase efficacy in these areas, they must not lose sight of what they are essentially seeking to achieve--that is, to make better decisions as a company and ultimately to make the business more profitable.

Bottom line: Synergy between business continuity and risk management efforts should be exploited to maximise an organisation's protection from business interruption.

Business impact: Effective use of business continuity and risk management processes will enable organisations to minimise threats and increase profitability.
