BCM World Conference 2013: Risk Management and Business Continuity
November 18, 2013
Again this year, I made the pilgrimage to London to attend the BCM World Conference and Exhibition; a link to the background paper for my presentation is here.
As always, there were some nuggets. Here is one:
Risk and Business Continuity (Mike Power – LSE)
Professor Power cogently described how Business Continuity Management can contribute to effective enterprise risk management. He began by detailing the challenges of managing enterprise risks:
- The Illusion of Control, characterized by the assumption that we have more of an understanding of cause and effect than we really do. As I have written elsewhere, in complex and anarchic events, cause and effect can only be understood after the fact.
- Fragmentation of capability to manage specific risks
- Entity v System Focus, resulting in organizational stove pipes
- (Unrecognized) Interconnectedness, concomitant with today’s complex systems
Power then turned to the challenges for Business Continuity Management in the enterprise:
- BCM has historically been disempowered, considered overhead and not a value-generating part of the business
- The slow emergence of operational risk
- Weak institutionalization, stemming from the perception that BCM has only an operational or technology focus
- Weak accountability within the enterprise for low probability-high impact events, which are the bread and butter for BCM
To respond to these challenges, Professor Power proposed a number of solutions:
- Establish and formalize the Three Lines of Defence: Business, Corporate Risk Management, and Internal and External Audit. These lines are graphically depicted at Figure 1.
Figure 1 – Three Lines of Defence
- Identify the scenarios under which your organization will fail . . . completely, and then decide what will be your strategies to recover from catastrophic loss
- Establish a risk culture – the ability to think of alternate futures and build action plans around them – where:
  - The authority for risk and control functions is clear
  - There is a respect for controls
  - There is close attention to incentives risk
- Accept that you can do your best, but there is still a chance for failure
- Recruit charismatic BCM leaders
- Build the narrative of BCM’s value-generating capacity:
  - Embed resilience as a core organizational value and ‘BAU’
  - Circulate stories of success
  - Create the discourse, incorporating the performance nature of language: if you talk in a certain way, it will happen
- Incentivize collaboration: when the world is moving against you, to succeed, collaboration must increase.
Professor Power’s presentation resonated with me because the content was consistent with my experience. First, there is a common bias toward a programme, or entity, approach over a system approach. This in turn complicates the management of operational risk, which can only be done effectively by an enterprise approach. Second, it is ironic that fragmentation features in a field – emergency management – in which consolidation is almost always a good idea.
Third, there is a critical message implicit in the Three Lines of Defence: corporate BCM can help businesses prevent, prepare, respond and recover, but each business is responsible for its own continuity and resilience.
Finally, BCM is a value generator. The focus of BCM is to find and preserve value within the organization. Executing this responsibility connects BCM with all parts of the enterprise, inevitably generating serendipitous effects that are typically of significant value. Any time you have a conversation around risk, good things happen.