BCM vs ERM: The Reasons for the ‘Separation’ and the Business Case for the Integration

On 24 January 2013 a dual event was organised by SBF and by SPRING Singapore. The purpose of this event was first to be an award ceremony to present plagues to over 20 companies that are BCM certified in 2011/12 and second the be the official launch of the SS ISO 22301 standard on Business Continuity & Social Sustainability.

As an expert in both ERM and BCM, I was invited to be the Keynote speaker for this event. The brief was to share on ‘what is ERM, why there is a difference with BCM, how organisations could/should integrate BCM and ERM and why? The audience consisted mostly of people on the BCM side of the equation: business leaders, BCM Certified Companies’ representatives, BCM practitioners, representatives from media and of various government agencies and it was an interesting opportunity for me to reach out to them and explain how to bridge the gap between the ERM & BCM bodies of theories and practices.

While BCM and ERM have overlapping area of responsibilities, they are typically undertaken by different teams, often in different parts of the organisation using different methodological process and terminology.

An ERM approach typically focuses on corporate objectives and aims to identify current potential risk issues that could affect them. Then method assessment consists in evaluating the likelihood and impact of each risk issue, rank them in priority order and to ensures that organisations put in place the appropriate management treatment controls and mechanisms to manage effectively the key exposures.  From the ERM perspective, BCM is usually understood as one of the treatment controls, applicable when a risk materialises causing a business disruption.

A BCM approach typically focuses on identifying  and prioritising the critical processes and resources supporting the delivery of key products/services of an organisation. It will assess the impacts of a disruption to such processes and resources in order to identify and prioritise the critical disruptions for treatment. BC plans put controls in place to ensure that an organisation is able to maintain critical activities and processes or at least to recover from such disruptions.   From a BCM perspective, ERM is often considered as only applying to big pictures risk issues too often disconnect from key processes and resources. In the BCM methodology, specific risks or threats potentially affecting the key  processes are considered a secondary issue that come only after the Business impact has been conducted to identify the critical processes and resources.

This ‘separation’ between ERM & BCM functions and activities has some very negative consequences for organizations:

I indeed strongly recommend an integrated approach for ERM & BCM. This does not mean necessarily a functional integration as I recognise the benefit for the two disciplines to have separate identities that reflect their differences in scope and focus. However, at the same time it is also necessary to integrate the ERM and BCM methodology and activities within the same risk to crisis management lifecycle. This would eliminate the gaps and overlaps helping to optimise the management of opportunity and risk thus supporting sustainable and profitable performance.

In summary, organisations will benefit from adopting an integrated approach and as I am regularly approached to give my views on this issue, I thought it would helpful to share more widely the presentation I gave at the BCM awards. Therefore I have attached it in this post below. Enjoy and if you have any questions do not hesitate to contact me.