Friday, July 25, 2008

ERM-BC-COOP: The same or different?

"In simple terms, risk management is focused on prevention, while business continuity management is focused on cure. For example, risk management would view the lack of fire extinguishers in a paper factory as a high risk and recommend fire extinguishers be installed to reduce that risk. Business continuity management would not be concerned about the inadequacy of fire extinguishers but rather how to deal with the loss of the paper or the building, for example, regardless of the event that caused the loss."

I consider myself to be an Enterprise Risk Management-slash-Business Continuity-slash-COOP practitioner, and I will state, unequivocally, that the statement above is wrong. Very wrong.

Both risk management and business continuity, in my world at least, are concerned with

    * identifying processes

    * identifying risks to the processes

    * identifying means to avoid or mitigate risks

among other things.

In my not-at-all humble opinion, Enterprise Risk Management = Enterprise Business Continuity.

So if there is a difference it may be how it is interpreted by the practitioner - or the client, be the client internal or external.

I think Enterprise Risk Management better defines what we should be doing: managing, directly or indirectly, all risks to the enterprise, to the organization.

I am not suggesting that the practitioner must, or even should, be a Subject Matter Expert (SME) in insurance, or finance, or anything other than risk management. I am not an Info Tech guru but I can, with input from Info Tech SMEs - both the client's and my own network - create a plan to protect Info Tech resources from all manner of threats. I expect the practitioner to be an SME in ERM/BC. Anything in addition to that is a bonus which may, or may not, "get in the way."

I also am not suggesting that the SMEs or the CFO or CLO or any other "C" report to the ERM practitioner. What I am suggesting is that the ERM practitioner manage the risks - to "hold the umbrella" over the risks, to coordinate risk identification and avoidance/mitigation.

Risk management also includes dealing with risks when they occur (disaster recovery).

How does that differ from business continuity?

Risk management - identifying threats and finding ways to avoid, mitigate, or absorb the threats - is Risk Management Part 1.

Obviously the author of the lead paragraph sees things differently. Maybe it's a difference in background. The person who penned (keyed?) the opening paragraph is the managing partner of an Australian information security firm.

Or perhaps, looking at the author's title, it has something to do with the person's focus on information security.

Whatever the reason, my "take" on ERM/BC is that, properly done, they are essentially the same.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
Planner @
