Enterprise Risk Management vs. Business Continuity Management: What’s the Difference?

The Resilient Enterprise | The riskmethods Blog

A lot of organizations that are just embarking upon their enterprise risk management journey have questions about the basic terminology involved. In this blog post, I want to tackle some basic terms that are often—incorrectly!—used interchangeably. Enterprise risk management vs. business continuity management: Let’s break it down.

by Ulrike Hack

In our recent webinar with our customer Clariant, we got asked a very interesting question from one of the participants: “What’s the difference between enterprise risk management and business continuity management?”

Great question. And, like most great questions, the answer is a little fuzzy.

At the end of the day, enterprise risk management and business continuity management are tightly linked. The best way to think about it is probably this: Enterprise risk management (ERM) is about processes that are enacted before a disaster occurs, because enterprise risk management is concerned with protecting a business from risk by identifying the existence of vulnerabilities and defining a way to minimize their probability.

Business continuity management (BCM), on the other hand, is about processes that are designed to be enacted after a disaster has occurred, because business continuity management is the process of maintaining business operations during or after an actual disaster, which is executed through the use of business continuity plans.

To put a different spin on it, let me continue with my hiking analogy from an earlier blog post. Enterprise risk management is the part of the hike where you pack your survival kit full of flares—and business continuity management is the part of the hike where you shoot off those flares because you’ve broken your leg and can’t move.

One of the key differences between ERM and BCM is their approaches. Due to the preventive nature of ERM programs, enterprise risk management is a largely strategic undertaking—it’s focused on understanding and planning for hypothetical situations. Business continuity management, on the other hand, is much more tactical—it’s focused on the actual way that an organization should act when a business disruption occurs.

In many organizations, enterprise risk management and business continuity management are likely managed by the same team, since they’re so tightly intertwined—after all, it’s not possible to create a business continuity plan for a risk event if you don’t have a good sense of which risk events are likely to occur. By the same token, it’s not possible to adequately protect a business against disruption without a plan to address it when it happens. In other words: if your business has risk managers and business continuity managers, you’d better make sure they’re the best of friends.

But regardless of how your company is set up, here’s the bottom line: risk management and business continuity management are both critical functions if you want to keep your organization running. And although ERM and BCM are large topics that encompass a number of types of risk, a significant chunk of those risks have to do with your organization’s ability to produce its product—which is heavily impacted by your supply network.
