The interdependency of Supply Chain Risk Management and Business Continuity Management

Sep 9, 2014    Eberhard Raue


This blog series outlines the relationship between Supply Chain Risk Management (SCRM) and Business Continuity Management (BCM). To provide a transparent view, it is necessary to put BCM and SCRM in perspective relative to Enterprise Risk Management (ERM) and Supply Chain Management (SCM).

As of today, many of the processes described below are covered by isolated standards. As a consequence, many solutions targeting the specific areas have been developed in silos.

Defining terminology is important in discussions about business processes. Consequently, this is also true for discussions on BCM and SCRM.

Another aspect is where to position BCM, SCRM and ERM. The questions that arise are:

  • Where should each solution be positioned, and how do they relate to each other?
  • Which solution is part of another solution, and which complements other solutions?
  • Is the solution under discussion to be considered a standalone solution, e.g. is BCM a standalone solution, or is it part of an Enterprise Resource Planning (ERP) or ERM solution?
  • Is SCRM a standalone solution or is it a part of an ERM solution?

Definitions and answers to these questions can be found in many publications, not least in Wikipedia. Often enough, a clear answer is still missing. Ideally, definitions are laid down in ISO standards or equivalent documents.

Nevertheless, bringing it all under one umbrella remains challenging!


Business Continuity

Business Continuity (BC) is defined as the capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident. (Source: ISO 22301:2012)

Business Continuity Management

Business Continuity Management (BCM) is defined as a holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities. (Source: ISO 22301:2012)

Risk Management (=ERM)

The de facto standard for Risk Management (RM) is ISO 31000, which provides a framework for RM. It defines Risk as “Effects of uncertainty on objectives”.

An extension to ISO 31000 is provided through the Austrian Standards Institute (ON) by the ONR 49000 rules, dealing with “Risk Management for Organizations and Systems”. The ON rules are typically used to document the development of definitions during the process towards standardization.

In its current state, ONR 49000 goes beyond ISO 31000: it defines Risk as “Effect of insecurity on targets, activities and requirements”. Rather than focusing on strategic targets only, this is intended to include operational activities as well.

Supply Chain Management 

Supply Chain Management (SCM) is the collaborative planning, management and control of intercompany value chains with a network structure in which the network entities and their processes regarding flows of goods, finance and information are interrelated. SCM is a logistical management task and has an impact on product development, procurement, production and sales. Logistics is a part of SCM with an intra-organizational perspective.

Supply Chain Risk   

Supply Chain Risk (SCR) is the damage caused by a potential dysfunction or disruption in the supply chain, measured in relation to the likelihood of such an event. Supply Chain Risk affects value-generating performance objects (e.g. production locations, warehouses) as well as pure risk objects (e.g. weather, transport routes).

Supply Chain Risk Management

As of today, there is no standard in place for Supply Chain Risk Management (SCRM). Nevertheless, the definition for this article will be:

SCRM is a component of Enterprise Risk Management. SCRM deals with the activities that mitigate risks in the supply chain processes of any organization. SCRM covers:

  • The identification and evaluation of risks and the damage they cause within the supply chain.
  • The development, implementation, continuous adjustment and monitoring of an appropriate strategy and provisions, based on joint activities of all supply chain members, in order to reduce:
    • Probability of risk occurrence
    • Frequency of risk events
    • Size of damage
    • Time of recovery from damage
    • Time of detection of risks
    • Missing or inadequate provisions
    • Wrongly allocated provisions
    • Wrongly insured risks
    • Missing insurance

Business Impact Analysis

The Business Impact Analysis (BIA) is an essential component in any kind of Risk Management; consequently, it is a component of BCM and SCRM. Typically the BIA has

  • an exploratory component in order to reveal the vulnerabilities and their value and
  • a planning component in order to develop a strategy for risk mitigation.


After analyzing many of the ongoing discussions and publications and taking standards into consideration, all in order to get the best understanding of “…how BCM and SCRM relate to each other…”, the conclusion is:

  • BCM and SCRM are components of ERM, side by side and in no hierarchical order.

So my next blog post will put Business Continuity Management and Supply Chain Risk Management into context with each other.