The relationship between business continuity, crisis management and risk management in building business resilience
Business continuity has been around from its early disaster recovery roots in the 1980s through to its present acceptance as a formal management systems standard by ISO. Risk management has had a similar heritage from its initial insurance and loss control days through to its current eminent position as a key component of corporate strategy. Crisis management has by contrast always been spoken about without ever being formalised – except arguably by the PR profession.
In the fallout from the global financial crisis of 2007-2008, risk management for a while looked a likely victim. There was a view in some quarters that conventional risk management had failed to predict the crisis or provided any effective way of mitigating the outcomes that emanated from it. This led many organisations to question their approach to operational risk, seeking an approach which relied less on theoretical models and more on practical techniques and understandable solutions.
As a result, there were some changes in the way previously disparate functions like risk, BCM, crisis communications, emergency planning and security were viewed. C-Level executives generally accepted the BCM that premise that in order to be successful they had to be able to guarantee operational continuity but saw this was insufficient in its own right. Other dimensions needed to come into play, such as the tracking of new risks and an appreciation of how the business contextual landscape might change in response to these risks.
The idea of adaptability to circumstances as well as continuity of existing processes was added to the debate and a new term ‘organisational resilience’ entered the corporate lexicon. What this has meant to traditional business continuity is that it has become entrenched as a technical specialisation providing a form of risk treatment, rather than an important way of viewing the total organisation from the dual perspectives of impact and timeliness.
It is sometimes useful to remind ourselves that the definition of business continuity management (ISO 22301:2012) is: “a holistic management process that identifies potential threats to an organisation and the impacts to business operations those threats, if realised, might cause. It provides a framework for building organisational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities”
In other words, if business continuity exists to build organisational resilience, where does this lead crisis management? The recent British Standard BS11200 for crisis management reaffirms its view that BCM is for predictable events, where a fixed response procedure can be designed, tested and exercised. It contrasts BCM responses with crisis management situations that are not predictable, have no documented recovery plan and have the potential to destroy the organisation. A crisis might not arise from an operational interruption but would more typically be related to issues that have a high reputational impact at a strategic level (like Toyota’s failure to address the US public’s safety concerns).
BS11200 considers BCM to be operational and crisis management to be strategic but this view is still quite contentious. The word resilience seems to offer a term most can be content with, but it is still far from clear that there is a consensus amongst practitioners as to what resilience really means at a practical level.
Most accept that resilience is more than continuity. Many argue that an organisation needs to both successfully manage disruptive challenges (continuity) and seamlessly handle changes in the external context in which it operates (adaptability). Some practitioners believe that resilience largely means the consolidation of business continuity (operational/tactical) and crisis management (strategic) concepts.
Others feel that this falls short as a business model because other members of the wider resilience family (most obviously security, emergency response and operational risk) are not fully integrated into this framework. The debate will continue.
Lyndon Bird is Technical Director and board member of the Business Continuity Institute (BCI). www.thebci.org
BCI World Conference on 5th and 6th November at London Olympia .
For more information visit http://www.thebci.org/index.php/upcomingevents/bciworld