I just read a digital promo for a US$500 book titled
"Strengthening The Relationship Between Risk Management And Business Continuity " being peddled by Forrester, "an independent research company that provides pragmatic and forward-thinking advice to global leaders in business and technology."
The blurb, an excerpt from the book, tells me that "Business continuity is an essential element of enterprise risk management (ERM), although organizationally, the two disciplines are not often connected directly."
So, I ask, what is the difference between enterprise risk management and enterprise business continuity?
Although what (I think) I do is "risk management," my certification is as a "business continuity" practitioner - not a "professional" since I am certified by the Business Continuity Institute and DRII tells me only people certified by DRII are entitled to be called a "certified business continuity professional". My initial certification, from Norm Harris was as a "certified recovery planner," although even then (1999) the emphasis was on enterprise-level risk avoidance/mitigation efforts.
Maybe an "enterprise risk manager" can tell me what he or she does that I don't do.
There ARE risk managers - note lack of the word "enterprise" - who deal with insurance issues. There are risk managers - again, sans the word "enterprise" - who deal with risks to medical organizations. There are a number of specialty risk management fields, but none carry the "enterprise" label.
That is not in any way presented to denigrate what these people do. As a matter of fact, these specialty risk managers are Subject Matter Expert resources for the enterprise risk management practitioner (a/k/a enterprise business continuity planner) in the same way as are Facilities, Finance, HR, IT, and vendor management, etc., SMEs.
What DOES an "enterprise risk manager" do that is different from a business continuity practitioner?
- Both can manage a project or program
- Both identify critical business functions (profit center processes)
- Both identify internal and external risks to the critical business functions
- Both identify means to avoid, mitigate, or "transfer" (i.e., insure) risks
- Both attempt to prioritize identified risks
- Both depend on SME input and management decisions re risk limitation measures
In my case, I also
- Create, with SME input, documentation to recover the critical business functions (and their resources) to business as usual in the most expedient, efficient, and economical manner possible
- Develop personnel safety and awareness programs
- Create a plan maintenance process
- Create, with professional trainers if available, programs to exercise the plan and means to critique the exercises to see how things can be done better (vs. pointing fingers about what whet wrong).
I search for risks within the organization and without. The "usual suspects" always are present - environment, technology, human error - but I look beyond those to vendors and clients.
"Everyone considers vendors," I hear you say.
True, but most practitioners fail to consider money vendors - lenders, stock and bond markets.
I also consider policies and procedures since most organization's P&Ps lack anything specific to a business interruption.
So, again, what is the difference between what I call myself - an enterprise risk management practitioner - and what it states on my BCI certification - certified business continuity planner?
There IS a difference between "disaster recovery planner" and enterprise risk management/enterprise business continuity practitioner; disaster recovery is an integral part of the latter . Disaster recovery, by the way, should be enterprise wide, not limited to information technology.
So tell me, someone, anyone:
What is the difference between
(a) Enterprise Risk Management (ERM) and
b)[ Enterprise] Business Continuity (BC)
I can be reached at JohnGlennMBCI at gmail dot com.
John Glenn, MBCI
Enterprise Risk Management practitioner
Hollywood/Fort Lauderdale Florida