As mentioned previously, Business Continuity Management has an inseparable relationship with Risk Management. Traditional thinking has positioned Risk Management as a tool to be used within Business Continuity, whereas more contemporary thinking sees Risk Management as a broad philosophy looking at understanding uncertainty, informed decision making and managing surprise in the achievement of objectives. This thinking also views BCM as an integral part of the broad field of Risk Management, a part that considers the management (both pre- and post-incident) of those risks which may result in disruption to the organisation [HB 292-2006].
HB 292-2006 goes on to include the following among the benefits of this more contemporary approach to Risk and Business Continuity:
- a more comprehensive consideration of risk within the BCM process
- improved integration between BCM and Risk Management activities which in turn includes:
- improved flow of risk-related information;
- a better understanding of the requirements of both activities;
- a reduction in repeated demands for the same sets of information;
- an organisational focus on priority risks including those related to Business Continuity;
- a more cost-effective use of resources;
- an improved focus of BCM activity on business improvement rather than reactive planning only.
The figure on the right shows the overlap between the Risk Management process and the Business Continuity process, where the definition of the framework for Business Continuity Management could be carried out as part of the definition of the Risk Management framework. Conducting a Business Impact Analysis is an extension of assessing risk, and the two tasks can be carried out simultaneously as a way of gaining complete insight into the risks faced by the organisation, the likelihood of them occurring and the impact upon the organisation’s ability to continue to operate. However, further work is required during this stage of Business Continuity to determine the resources required by the critical processes and the timescales for recovery should there be an incident which prevents normal operation.
When determining the strategy for recovery it is likely that further risks relating to continuity of operation will be highlighted. These are then fed back into the Risk Management process (see pink arrow labelled “Acceptance of continuity risks”). A decision is then taken on whether to accept each risk or to develop an action plan to treat it. This may then feed back into the Business Continuity process.
The stage of Risk Treatment in the Risk Management process determines the action to take to avoid, share, retain or modify the risk. One method of modifying risk is to lessen its impact by implementing a plan for continuity: this is shown in the pink arrow labelled “Controls for Continuity”.
This figure represents the classical approach to Business Continuity, where Business Continuity is seen as a way to cover residual (continuity) risk only and is therefore not seen as a preventative control. This view is presented in BS 25999-1 and FEMA 141 [FEMA] and is discussed further in this report.
Other standards present a more integrated approach to Risk Management and Business Continuity, where preventative controls are part of Business Continuity Management. These standards include HB 292-2006, NIST 800-34 and NFPA 1600.