Expert Views

The relationship between business continuity, crisis management and risk management in building business resilience

Business continuity has been around from its early disaster recovery roots in the 1980s through to its present acceptance as a formal management systems standard by ISO. Risk management has had a similar heritage from its initial insurance and loss control days through to its current eminent position as a key component of corporate strategy. Crisis management has by contrast always been spoken about without ever being formalised – except arguably by the PR profession.

In the fallout from the global financial crisis of 2007-2008, risk management for a while looked a likely victim. There was a view in some quarters that conventional risk management had failed to predict the crisis or to provide any effective way of mitigating the outcomes that emanated from it. This led many organisations to question their approach to operational risk, seeking an approach which relied less on theoretical models and more on practical techniques and understandable solutions.

As a result, there were some changes in the way previously disparate functions like risk, BCM, crisis communications, emergency planning and security were viewed. C-Level executives generally accepted the BCM premise that in order to be successful they had to be able to guarantee operational continuity, but saw that this was insufficient in its own right. Other dimensions needed to come into play, such as the tracking of new risks and an appreciation of how the business contextual landscape might change in response to these risks.

The idea of adaptability to circumstances as well as continuity of existing processes was added to the debate and a new term ‘organisational resilience’ entered the corporate lexicon. What this has meant to traditional business continuity is that it has become entrenched as a technical specialisation providing a form of risk treatment, rather than an important way of viewing the total organisation from the dual perspectives of impact and timeliness.

It is sometimes useful to remind ourselves that the definition of business continuity management (ISO 22301:2012) is: “a holistic management process that identifies potential threats to an organisation and the impacts to business operations those threats, if realised, might cause. It provides a framework for building organisational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities”.

In other words, if business continuity exists to build organisational resilience, where does this leave crisis management? The recent British Standard BS11200 for crisis management reaffirms its view that BCM is for predictable events, where a fixed response procedure can be designed, tested and exercised. It contrasts BCM responses with crisis management situations that are not predictable, have no documented recovery plan and have the potential to destroy the organisation. A crisis might not arise from an operational interruption but would more typically be related to issues that have a high reputational impact at a strategic level (like Toyota’s failure to address the US public’s safety concerns).

BS11200 considers BCM to be operational and crisis management to be strategic but this view is still quite contentious. The word resilience seems to offer a term most can be content with, but it is still far from clear that there is a consensus amongst practitioners as to what resilience really means at a practical level.

Most accept that resilience is more than continuity. Many argue that an organisation needs to both successfully manage disruptive challenges (continuity) and seamlessly handle changes in the external context in which it operates (adaptability). Some practitioners believe that resilience largely means the consolidation of business continuity (operational/tactical) and crisis management (strategic) concepts.

Others feel that this falls short as a business model because other members of the wider resilience family (most obviously security, emergency response and operational risk) are not fully integrated into this framework. The debate will continue.

Lyndon Bird is Technical Director and board member of the Business Continuity Institute (BCI). www.thebci.org

BCI World Conference on 5th and 6th November at London Olympia.
For more information visit http://www.thebci.org/index.php/upcomingevents/bciworld

 
