In a post 9/11 environment, the terms business continuity and risk management are becoming common parlance within a wide range organizations.
However, with clear areas of synergy and a heated debate over their relevant definitions, what do we really understand by them and the relationship they currently share?
The ability to effectively define these two disciplines has been a topic of some argument for what seems like an eternity. With the increasing array of mutterings over the evolving nature of business continuity, there now exists a pressing need to understand the interaction that exists between it and risk management.
In simple terms, we know business continuity concerns the facilitation of continuous operation of key business functions in a crisis situation. In contrast, risk management is perceived as a much broader discipline, one that effectively sets out to identify and manage risks that affect an organization, often from a rather more strategic standpoint.
As a seemingly less comprehensive discipline, there exists a tendency to simply place business continuity under the umbrella of risk management. This is understandable, particularly in terms of the apparent overlap between business continuity and the operational risk sub-segment of risk management.
Blurred boundaries
In a practical context, the lines between the two are often blurred somewhat in that the two disciplines both use similar tools/techniques in order to reach their specific goals, including: risk assessment, business continuity planning and business impact analysis. Despite this it is possible to make fundamental distinctions between the two.
In December 2002, on the launch of the Good Practice Guidelines for Business Continuity Management, John Sharp, CEO of the Business Continuity Institute, commented: "The focus of business continuity is impact not cause. We are concerned with the impact to the business, the loss of critical functions and process, and not with potential root cause."
As a discipline that can provide real tactical solutions to the threat of risk we can understand why business continuity is often viewed as being subservient to the more strategic focused risk management function. The erroneous perception that often perpetrates this is often that business continuity is primarily concerned with issues that relate to physical loss, i.e. the destruction of a building or damage to inventory.
At its heart, risk management sets out to tackle risk at its very core, and as a consequence it incorporates a wider range and variety of functions, including those that fall within the positive, negative and non-business stoppage categories. It is important to remind ourselves that a specific risk will not necessarily bring about an instantaneous business stoppage. Insidious, low impact risks can often prove to be some of the most fatal, as shown in the downfall of the accounting firm Arthur Anderson, where cultural problems built up over a period of time and played a major role within the company's fall from grace.
In contrast, the inherent value of business continuity is clearer when we consider that not all risks can essentially be managed. For example, it is arguable whether the causes of the floods in Eastern Europe and the U.K's foot and mouth crisis of a couple of years ago could have been effectively foreseen and thus risk managed.
Business continuity's remit has grown and developed in recent years; however, the general image over what it incorporates remains a key sticking point. Many companies have yet to make the leap of faith that those within the business continuity industry have already made, in terms of a discipline that is now considerably more comprehensive, encompassing both the contextual and transactional environment, as well as the physical.
Encompassing enough - but not too much
In the light of September 11 and the raft of corporate scandals we saw in 2002, the threat of contextual and transactional risks has come much further to the fore. Despite this, the age-old issue of making provision for the loss of personnel/skill shortages in a crisis is still a major area of weakness for many companies. In a recent survey by the U.K.'s Chartered Institute of Marketing, only 5 per cent of business continuity plans included any kind of strategy for the loss of personnel and the related skills void that may ensue within a crisis.
Therefore, doubts clearly exist over how far companies are widening the scope of their business continuity plans, which prompts the question: don't such misgivings polarize concerns for business continuity's overall scope? With this in mind, the extent to which the discipline is further embraced may well depend upon whether business continuity specialists can practice what they preach, i.e. by addressing these issues and taking appropriate steps, spreading the word of an evolving discipline.
On the other hand, there are clear dangers over the expansion of business continuity's scopeif it reaches the point that its meaning and practical applications could be lost. This is further complicated by the deluge of terms that now exist, which essentially, equate to the same thing, such as: operational resilience, organizational continuity and service continuity. It is highly questionable whether swamping the industry with all these terms really provides any real value to the discipline of business continuity and the ability of companies to deal with risk.
In reality the two terms are often used interchangeably. But this creates a distinct problem, in terms of knowing what the user actually means. This is particularly apt when we consider the varying perceptions and confusion that persists over what business continuity now encompasses.
Although clear distinctions can be made in relation to the cause and effect focus areas of the functions, as business continuity continues to grow and effectively sheds its image of merely a physical loss related solution, such distinctions are likely to become harder to make within the future.
In essence, both business continuity and risk management have a similar focus, i.e. giving organizations the ability to effectively cope with risk, and how it affects an organization. Business continuity is about prevention, which parallels risk management in that it seeks to identify the early signs of disaster.
Embracing the concept of risk
However, the key thing we can derive from such comparisons is a greater insight into the ongoing issue of how these disciplines are effectively embedded within organizations. Although these activities are becoming increasingly prevalent, many organizations still view risk management/business continuity as an end in themselves rather than a means to encourage a risk focused culture, which essentially is the ultimate goal of management when adopting these disciplines into their decision making process.
Planning remains nothing without a corporate culture and dynamic measures that can address and pre-empt risk. As in nearly all business functions the key to success for business continuity and risk management remains firmly within effective communication, knowing how to bring about a culture that embraces the concept of risk across all their activities. In relation to business continuity, John Sharp adds, "Management need to create a 'what if' culture, which analyses what can be done to continue to deliver products and services rather than simply looking at what risks they may face."
Making comparisons between the functions of different disciples and constantly re-evaluing those functions certainly adds value to what we do. But in this case it is important that this is not done at the expense of separating such disciplines, rather than promoting ways in which they can work together more effectively. As we attempt to increase the efficacy of these areas we should not lose sight of what they are seeking to achieve at their core, i.e. to help companies to make better decisions and ultimately, assist them in making their businesses more profitable.
Dave Birch is operations director, BT CommSure (www.btcommsure.com).
