21 Jul 2009
The consequences of the last 12 months have been huge: suppliers and customers have gone out of business, lines of credit are increasingly hard to come by, and businesses are beset by concerns about their cash flow and resources. Such a conflagration of forces is causing many businesses to radically change how they respond to crises and to limit their exposure to future shocks and disruption, whilst not creating extra financial burdens.
Business continuity management (BCM) and risk management (RM) are traditionally treated as separate entities. However, the advantages of aligning the two disciplines are now being given serious attention by many far-seeing corporates. Both BCM and RM are, of course, two sides of the same operational coin: they both consider threats, impacts and controls, but they do so in a different sequence. Let’s look at this in more detail.
BCM and RM – the power of two
The historic separation of BCM and RM can have a number of adverse consequences in the long term. Martin Caddick, business continuity risk management practice leader at Marsh Risk Consulting, says risk management programmes simply fail to deliver because high-impact issues and low-probability risks are often filtered out and not properly dealt with beforehand – it’s just too unlikely to happen to us. “The current credit crunch is, I would say, a glaring example of this. The quantification of impact is also imprecise, often done by techniques as simple as a show of hands in meetings. Furthermore, risks identified lower down in the organisation are aggregated, and so the specific nature and root cause of many risks is lost completely – nor are they controlled.”
Meanwhile, Caddick says BCM programmes often lack impact because the nature of risks varies greatly across a value chain – and BCM often fails to adapt to these varying risks.
“BCM, I’m afraid, can get bogged down at the grassroots level, which means that the opportunity to plan for future potential threats is often missed. Both types of programme can be expensive, demand time and resources from the business, and they sometimes actually detract from each other.”
This makes a potent case for change. But how realistic is it to combine the power of two in the real world? Although BCM and RM have their own distinctive identities, splicing and sharing the two brings a wealth of real-world benefits, says Caddick:
- The quality of your analysis will be far better – more complete and better balanced.
- A more comprehensive balanced blend of controls can now be determined, leading to much greater efficiency of risk investment and more effectiveness of corporate controls.
- A combined programme not only makes fewer demands on business managers’ time, but is more easily accepted across the board. It simply makes better commercial sense.
Clients driving the changes
The shift to integrating BCM and risk management is being led by a range of forces, says Marsh’s Eddie McLaughlin, managing director of strategic risk consulting for Europe, the Middle East and Africa. Take, for example, global supply chains and outsourcing: “Businesses here are now extending their supply lines and increasing their inter-dependency. Corporate governance requirements are also tightening for both BCM and risk management. Just look at the changes the UK’s FSA are bringing about as a consequence of the global credit crunch, as well as legislative changes brought about by the Solicitors’ Code of Practice.”
Existing BCM and risk management measures have also been shown, in the face of the credit crunch and systemic risk concerns, to be incomplete, and there is often a challenge in measuring the return on investment from ERM and BCM programmes, adds Caddick.
An intelligent approach
Bringing BCM and risk management together needs careful thought. Some companies may find, for operational reasons, that it is difficult to integrate them completely. Unpicking existing organisations and approaches and rebuilding requires commitment. Happily, the process is flexible and can be undertaken gradually over time. When the two processes are integrated, effective, tangible results are rapidly realised.
Let’s look at the integration process in more depth. The approach is normally carried out in four basic stages.
- Strategy – Identify business strategy, direction, KPIs, financial goals and other factors that lead to an understanding of a business’s risk appetite in terms of its overall strategic priorities.
- Strategic business impact analysis – Review key business activities, process dependencies, and risks/controls, identifying exposures and priorities.
- Drill-downs and strategy – Drill down on key areas, developing strategies for both risk and resilience.
- Plan implementation – BCM plans are now broadened to encompass BCRM plans, handling operational risks, whilst strategic and financial risks are managed at divisional or board level.
Keeping it practical and professional
Naturally, combining the two disciplines won’t happen overnight. A maturity model is helpful when developing understanding and capability in stages over time. “This,” says Marsh Risk Consulting’s Caddick, “is a pragmatic approach that delivers benefits as you go, and allows learning to adjust the direction you are taking. Avoid too much analysis. Look at the decisions you need to make, and work backwards from the decisions you want to make, and only analyse as far as you need.”
The underlying risk/resource/business process model is, not surprisingly, often complex and easy to get lost in. Although any large organisation will need to capture data using some form of computerised mechanism, tools should be treated with caution, advises McLaughlin. “They have a tendency to drive your thinking rather than the other way around.” A mechanical process cannot direct business decisions. You will need skilled professionals to sift what is important out of the mass of detail while also having the ability to be flexible – and without creating inconsistencies along the way.
“Be aware of current standards,” warns McLaughlin. “The standards for risk and BCM are built around their traditional siloed view, and you run the risk that an improved integrated approach may not comply with BS 25999, for example. It depends a bit on whether the auditor is looking at the big picture – as the authors intend – or whether he is following the book.”
Bringing risk and BCM together
Let’s look at a fictional scenario – fictional but rooted in real life. A major multinational engineering giant, based in Asia, has an established operational risk management backbone. Its engineers traditionally understand risk but struggle to understand the impact of BCM. So Marsh Risk Consulting adapted its approach to the client. It found that the client was unintentionally filtering out some critical low-probability risks, such as the possibility of irreparable damage to critical equipment. Replacing this equipment could take as long as 18 months, leading to losses of hundreds of millions of dollars.
“Low probability risks can be ruinous,” says McLaughlin. “The key message is that it’s just not responsible to separate BCM from risk management. Yes, they often sit in two different practice areas, but there is too much overlap not to treat them as a whole.”
Using this combined approach, the business now captures a wider range of risks, with business continuity plans taking care of localised mitigation and avoidance, backed by the risk committee where large-scale investment is needed. Broader risks are being escalated as part of the ERM process, and a much ‘richer debate’ has been created around the acceptance and mitigation of risk.
Eddie McLaughlin is a managing director of strategic risk consulting for EMEA at Marsh Risk Consulting and Martin Caddick is a business continuity risk management practice leader at Marsh Risk Consulting.