Business Continuity and the relationship with Risk
Category Business Continuity Management Briefing BCM - BCM & Risk Management
Spring Briefing 2006
Positioning BCM and Risk Management within the organisation
--------------------------------------------------------------------------------
To whom should the BC manager report? Isn’t BCM part of operational risk? If not then where does Business Continuity Management sit in relation to risk?
These are questions I am frequently asked by those seeking to establish BCM within organisations. The ultimate answer, just like quality, is that it is the responsibility of every manager and should be part of good business practice for the organisation. By trying to place BCM into a department there is a danger of creating an attitude by the organisation’s managers of voiding their responsibilities and placing the blame on the ‘BCM department’ for failures.
The most effective position for a BC manager is to be a direct report to the organisation’s executive; this may be the CEO or a director who holds the executive responsibility for BCM. The BC manager may have a small staff but should rely upon BCM co-ordinators operating within departments or directorates. The co-ordinators role is to ensure that business unit managers implement the organisation’s BCM policy (The BCM manager and his team may report to a department for pay and rations only).
Would it not be best to locate BCM as part of operational risk? My belief is that it should not, as operational risk only represents a proportion of the total risks facing an organisation. Last year I attended a presentation in Germany by Eberhard Knebel, a former BMW Risk Manager. He saw the portfolio of risk as being 50% soft or intangible risk, 40% financial risk and only 10% operational risk. The soft risks covered activities relating to corporate governance and culture and where failures have led to multi-billion euro losses. His examples included Shell and the Brent Spar, Enron, Parmalat and Polaroid cameras. It is these softer risks that are not usually on the ‘risk horizon’ and there are no mitigating plans in place to cover them.
Dr David Hilston in a recent newsletter stated that not all risks are foreseeable. Some of these risks may be time dependent; they occur after we have completed a risk scan. There are risks that develop as we progress through a project that were not planned for - the falling beam at Wembley Stadium construction site is an example. Finally there are secondary risks that we have not planned for, such a risk occurred when an organisation could not fulfil its complement of work area recovery seats because some staff were too scared to travel to the site following a serious terrorist attack.
There are risks associated with the inherently unknowable, in the words of Donald Rumsfeld, “There are things we do not know we don’t know and each year we discover a few more of the unknown unknowns”. Such an ‘unknown unknown’ occurred in late April 2006 when a 77 year old Bollywood actor died and many UK call centre operations in India were interrupted when staff took to the streets for 2 days of public mourning.
The basic tenet of BCM is that it does not matter what stops critical activities, it is the impact upon the organisation that matters. By adopting this principle then the impact of the ‘unknown unknowns’ can be accommodated. This is a different approach to risk management that seeks to identify all the possible reasons of failure and is very much based upon an historical perspective.
So where does BCM sit in relation to risk? I believe that it should be seen as complementary to a wider risk management framework so that an organisation can take a realistic view on likely responses that can be deployed to manage any consequence without unacceptable delay in delivering its products and services.
John Sharp
2/5/06
The Continuity Forum will be hosting a number of special events and workshops to introduce the new standard and help organisations achieve the accreditation. For more details on these activities and the general activities of the Continuity Forum please contact us directly on +44 208 993 1599 or visit or website at www.continuityforum.org.
Please do contact Sara Mckenna or Russell Price for more information on attending these valuable sessions.
END
*** Back to Spring Newsletter page***
For more details on our events, workshops and industry development work, as well as the general activities of the Continuity Forum please contact us directly on +44 208 993 1599 or mail us HERE!
Please do contact Sara Mckenna or Russell Price .
END
Creating Continuity ... Building Resilience ...
If you would like to know more about how your organisation can get involved and benefit from working with the Continuity Forum, please email us HERE! or call on + 44 (0) 208 993 1599.
___________________________
