
The Critical Convergence of Business Continuity and Risk Management

Business continuity and risk management have long resided in separate siloes, yet their missions, goals, and tactics complement and often overlap one another. This has given enterprises across all industries pause for thought: should these two disciplines converge? Are there benefits that could be realized by breaking down the silo walls? According to a Gartner article, by 2022, 40% of BCM programs will be subsumed into the digital business risk management structure rather than exist as separate practices.*

There are three compelling reasons to pursue the convergence of business continuity and risk management.

*Gartner Predicts 2019: Security and Risk Management Programs, published 27 November 2018, ID G00375263
1 Process: How It All Fits Together
To begin, consider the origins of business continuity and risk management. Process-centric business
continuity grew out of the IT department to complement more IT system-centric disaster recovery
programs. Business continuity has historically had a very solid understanding of the building blocks
of the organization, including all the departmental processes involved and the interdependencies
between them. The result of this “bottom up” approach is an extensive mapping of the organization
to meet business continuity’s goals for understanding impacts and how to quickly become
operational after a disruptive event.

Risk management, on the other hand, has traditionally taken a more “top down” approach when
assessing enterprise, operational, and IT risks. While risk management is strategic to the organization,
this “top down” approach does not typically delve into the inner workings of the organization.
Therefore, risk management often provides less visibility into the dependencies that comprise the
organization’s ecosystem. However, these dependencies are key to understanding derivative risks and
impacts, that is, those risks and impacts that are created due to relationships that exist between other
elements within the organization that each have their own inherent risks and impacts.

This is the first area where the convergence of business continuity and risk management yields direct
benefits. Business continuity often has the information that would benefit risk management in gaining
a better perspective of operational risk. If business continuity has been effective in its mission, the
processes and dependencies will have already been mapped for the organization. With collaboration,
business continuity and risk management should be able to align terms and taxonomies to create a
much broader, clearer, detailed picture of the enterprise. This, in turn, empowers risk management to
identify and address risk to a finer degree to support organizational resiliency.

2 People: The First Line of Defense
Because business continuity’s objective is to respond and recover quickly after
a business interruption, it has always worked directly with frontline managers –
the “first line of defense.” In contrast, risk management has typically involved
the “second and third lines of defense,” in the form of risk management, IT
security, and audit and compliance personnel to ensure that appropriate
controls are in place. Risk management has historically not engaged operational
management to the point of giving them the ownership, responsibility, and
accountability for directly assessing, controlling, and mitigating risks.

This brings us to the second area where business continuity and risk
management can converge to the benefit of the organization. For years,
business continuity has been performing business impact assessments (BIAs)
with frontline managers. This has given operational management an
understanding – not of the entirety of the risk – but of the impact of an outage
and the potential losses that could result from a disruption. Business continuity
has also worked with frontline managers to develop detailed response plans.
Through business continuity, risk management could be operationalized at the
first line of defense to support organizational resiliency.

3 Prioritization: Qualitative Risk Scoring
The traditional model for determining an enterprise’s greatest inherent risks is based on
understanding the likelihood of a certain event occurring and the impact – measured in
financial terms – should that event occur. Those factors, when multiplied, produce the
probable loss to the organization. This calculated inherent risk is then used to prioritize
risks and risk mitigation measures.

The traditional risk model, with its emphasis on financial loss, has its challenges.
The problem is that it fails to consider other non-financial impacts that can be devastating
to the organization. For example, take a manufacturing company. The model works fine when
it is applied to a manufacturing process that is directly tied to product output, which can be
tied to sales revenue. The impact of a disruption to the process can be measured in financial
terms of reduced sales due to a production delay or product shortage. What the model
cannot account for is an event resulting in the company’s stock taking a 30 percent hit because of a
false rumor and brand damage. Because it cannot quantify the impact of
such an event, the model cannot prioritize such a risk. Consequently, risks
like these can go unrecognized and uncontrolled.

Here is the third area where the convergence of business continuity and
risk management can generate value. Business continuity has developed
qualitative ways of measuring impacts that, while not representing
financial loss, deliver meaningful ways of rating and ranking risks.
By using a similar qualitative rating system, risk management can
ensure that all risks – whether or not they can be measured in terms
of dollars – are included for evaluation and mitigation.
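The contrast drawn in this section, between the likelihood-times-financial-loss model and a qualitative rating scheme, is easy to see on a small risk register. The following is an added example written for this page; it is not Fusion Risk Management's code or method, and the five-point likelihood and impact scales, the register entries and the dollar figures are all constructed for illustration. It shows that a risk with no defensible financial figure (the false-rumor brand-damage case above) is silently dropped by the financial model but is rated and ranked once impacts are scored on ordinal scales across several dimensions, the way a BIA does.

```python
"""Quantitative vs. qualitative risk ranking on a constructed risk register.

Added example, not code from the page or from Fusion Risk Management.
The scales and register below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Ordinal scales (constructed; the page names no specific scale).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    name: str
    likelihood: str                  # key into LIKELIHOOD (qualitative model)
    annual_probability: float        # probability used by the financial model
    financial_loss: Optional[float]  # None when the loss cannot be quantified
    impacts: Dict[str, str]          # impact rating per dimension (key into IMPACT)


def expected_loss(risk: Risk) -> Optional[float]:
    """Traditional model: probability x financial loss.

    Returns None when the risk has no quantifiable dollar impact; the
    financial model has nothing to multiply, so the risk cannot be scored.
    """
    if risk.financial_loss is None:
        return None
    return risk.annual_probability * risk.financial_loss


def qualitative_score(risk: Risk) -> int:
    """Likelihood rating x worst impact rating across all dimensions.

    Taking the worst dimension means a severe reputational or regulatory
    impact drives the score even when the financial impact is unknown.
    """
    worst = max(IMPACT[level] for level in risk.impacts.values())
    return LIKELIHOOD[risk.likelihood] * worst


def rank_financial(register: List[Risk]) -> List[Tuple[str, float]]:
    """Rank only the risks the financial model can score; the rest vanish."""
    scored = [(r.name, expected_loss(r)) for r in register]
    scored = [(name, loss) for name, loss in scored if loss is not None]
    return sorted(scored, key=lambda t: (-t[1], t[0]))


def rank_qualitative(register: List[Risk]) -> List[Tuple[str, int]]:
    """Rank every risk on the ordinal scales; nothing is excluded."""
    scored = [(r.name, qualitative_score(r)) for r in register]
    return sorted(scored, key=lambda t: (-t[1], t[0]))


def unranked_by_financial_model(register: List[Risk]) -> List[str]:
    """Names of risks the financial model leaves unrecognized."""
    return [r.name for r in register if expected_loss(r) is None]


# Constructed sample register. The third entry mirrors the page's
# false-rumor scenario: real exposure, no credible dollar figure.
REGISTER = [
    Risk("Production line outage", "possible", 0.20, 2_000_000,
         {"financial": "major", "reputational": "minor"}),
    Risk("Supplier shortage", "likely", 0.40, 500_000,
         {"financial": "moderate"}),
    Risk("False rumor causing brand damage", "possible", 0.20, None,
         {"reputational": "severe", "regulatory": "minor"}),
]


if __name__ == "__main__":
    print("Financial model ranking:")
    for name, loss in rank_financial(REGISTER):
        print(f"  {name}: expected loss ${loss:,.0f}")
    print("Not scored by the financial model:", unranked_by_financial_model(REGISTER))
    print("Qualitative ranking:")
    for name, score in rank_qualitative(REGISTER):
        print(f"  {name}: score {score}")
```

Running the script shows the financial ranking containing only the two production risks, with the brand-damage risk listed as unscored, while the qualitative ranking places the brand-damage risk first (likelihood 3 times worst impact 5). The `max` over impact dimensions is the design choice that matters: averaging would let a low financial rating dilute a severe reputational one, which is exactly the blind spot the section describes.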

Business Continuity and Risk Management: Better Together
Promoting the convergence of business continuity and
risk management is key to strengthening organizational
resiliency in a risk-filled world. Business continuity is
able to support risk management through its expertise
in process dependency mapping, its relationships with
operational managers, and its ability to evaluate risk
using qualitative rating methods. By converging these
two disciplines, organizations can build a more effective
and efficient risk and business continuity management
program, and a more resilient enterprise.

Learn more about the convergence of risk at fusionrm.com/integrated-risk-management.

Robert Sibik
Robert Sibik has more than 35 years of experience in the Business Continuity, IT Disaster
Recovery and Risk Management field. Sibik is currently responsible for all aspects of the
management of client engagements at Fusion Risk Management. Prior to co-founding
Fusion, Sibik ran the boutique disaster recovery and business continuity planning firm,
R.A. Sibik Co., focusing on developing new methodologies for effectively organizing and
managing technology-centric recoveries. Sibik has spent most of his career introducing
new technologies and innovative solutions to enhance recovery capabilities. He has
been an occasional speaker at industry conferences, most recently speaking on the topic
of effectively organizing and managing IT Recoveries. Sibik received a Master of Science
degree in Computer Science from Northern Illinois University.
