There have been a number of recent posts on various blogs about the value and hierarchy of the labels and names we go by. Sometimes it appears that we are as emotional as Shakespeare’s famous “star crossed lovers”, rather than logical management consultants.
The Montagues and Capulets in this case are Risk Management and Business Continuity Management. The cast of characters includes:
- Peter Power
- Ian Charters, and
- Gregg Jacobsen
Act 1
Our story begins, not in fair Verona, but with Peter Power’s article – RISK AND CONTINUITY: CONVERGENCE IS IN THE AIR…, published on Continuity Central.
As you would guess from the title, Peter is promoting the need for some form of convergence. He cites similar arguments to those used by Nat Forbes’ recent article – that Risk is rated higher than BC in every board room they know.
He is arguing for the need to look more at the upside of risk and that both disciplines exist because of the high level of ‘risk awareness’ in contemporary business. The article also talks about the future successful entity being one that attempts to be a risk shaper rather than a risk taker. Shaping seems to include the capacity to exploit the upside of risk and the bad things that happen to your competitors.
Peter rejects the old ‘BCI Umbrella’ – the idea that Risk Management is one of a large number of disciplines that should live under the broader BCM Umbrella. I don’t think the BCI promote this idea anymore either. He also dismisses the way that the BCI contrasted risk and BC in the 2008 Good Practice Guide (BC not being interested in the probability side of risk).
There are some key messages from Peter’s article that fit well with my own thoughts on the subject:
- he coins a wonderful slogan that I shall ‘borrow’ – “from silos to synergy”.
  - To me this sums up what the entire philosophy of convergence should be about
- he suggests that BC and Risk could be drawn together, possibly under the banner of resilience
  - combining the proactive and reactive capabilities into a single stream
- highlights the risk of compliance thinking
  - Peter promotes the need for innovation over compliance. He flags the risk that “compliance can so easily replace innovation, no matter where you are.”
- proposes that we need to pull, rather than push, the two disciplines together
  - this is achieved by highlighting the advantages that those who have implemented converged approaches have gained, rather than trying to push the entrenched thinking of the professional bodies
One of the vehicles to create this new gravitational pull is suggested to be Enterprise Risk Management. Interesting that he also seems to position RM and ERM as different things. Perhaps not surprising as you will not find the term ‘Enterprise Risk Management’ in the ISO 31000 standard.
Act 2 – Enter Ian Charters
Ian has posted a response to Peter’s article – also on Continuity Central – entitled RISK MANAGEMENT AND BUSINESS CONTINUITY MANAGEMENT: UNDERSTANDING THE DIFFERENCE. I guess the title tells you that Ian is taking a different view to Peter!
Ian highlights the standard problem with Risk Management – it needs to define the universe of possible risks and only mitigate those it deems likely to occur. There is no science to the probability of things occurring, other than to look at history. Ian notes that while BC may paint itself as the ‘Department of Unlikely Events’, recent history has shown an increase in these unusual events.
Ian also makes the point that the BCI has changed its position on the subject – Risk Analysis has been replaced in the 2010 GPG with ‘Threat Assessment’. This is actually a little misleading – while they have changed the label, it still uses risk assessment methods, including determination of likelihood, a score derived from likelihood and impact, and the concept of acceptable risk as a result.
He also points out that Risk being rated higher in the Board Room does not make it right. That is true in a purely professional sense, but I think he needs to understand the ‘Golden Rule’ (those who have the gold make the rules).
Ian finishes his piece with a simple solution to the problem. Rather than try to push these functions together – just rename BCM to ‘Resilience Management’.
This is an interesting debate between two Fellows of the BCI, spoiled to some extent with the suggestion of just renaming the discipline, while continuing to do the same thing.
Act 3
Meanwhile, across the Atlantic, Gregg Jacobsen posts on the Disaster Recovery Journal Blog. This site is not publicly available; you need to register and log in to read it. His post is entitled BCM, ERM, To-MAY-to, To-MAH-to? A Call to (join) Arms.
Gregg is also approaching the problem of convergence by simply changing the name, but with a different twist to Ian. Gregg has decided to take the lead of John Glenn and use the terms ERM and BCM interchangeably. Gregg puts it this way: “unless practitioners from both disciplines can identify ANY risk that isn’t suitably addressed by their counterpart’s established professional practices, I’m going to use the terms interchangeably from now on”.
In fact John equates ERM, BCM, COOP and Contingency Planning as the same thing.
It seems Gregg’s major motivation for this decision is the number of job ads that claim to be for BC professionals, but in fact are for IT (DR and IT Security) folks. As a result he hopes to market himself to ERM rather than BCM hirers.
EPILOGUE
Is this an emerging international trend to just rename things? I suspect it reflects the need for the various ‘disciplines’ to protect their turf: the extensive ‘body of knowledge’ and, more importantly, the booming business of certification.
At the risk of stealing my own thunder for the WCDM presentation – we have been just renaming things for over 20 years.
When I first entered this field it was called DR Planning. It has undergone a number of name changes: BCP, BCM, new trends to resilience. The problem is too many people just crossed out the label on their business cards, added the new name and just kept doing what they had always done. The practices and outcomes didn’t really change.
One of the fascinating aspects of all this is different uses and meanings attributed to the term ‘Enterprise Risk Management’. Perhaps I have discovered a concept that is less clearly defined than resilience!
Are you looking at the renaming option too?
What do you plan to call your discipline?
John Glenn, MBCI says
According to http://www.merriam-webster.com/dictionary/resil…, RESILIENCE (dates from 1824) means:
1 : the capability of a strained body to recover its size and shape after deformation caused especially by compressive stress
2 : an ability to recover from or adjust easily to misfortune or change
To this practitioner, RESILIENCE = (Disaster) RECOVERY.
Unfortunately, Merriam-Webster fails to provide a definition for “Risk Management,” but the first 2 (of 4) definitions for RISK are
1 : possibility of loss or injury : peril
2 : someone or something that creates or suggests a hazard
and the first 2 (of 3) definitions for Management are
1 : the act or art of managing: the conducting or supervising of something (as a business)
2 : judicious use of means to accomplish an end
What I (try to) do is manage risks on an enterprise (vs. functional unit only) ergo I promote what I do as Enterprise Risk Management (ERM).
I concur that to too many, BCP, ERM, COOP, et al and etc. are considered simply the nom du jour for disaster recovery, but there really IS a difference (and it's a major one).
Ken Simpson says
Hi John, thanks for your comment.
Am totally with you on the need to take the holistic perspective rather than just for a functional unit.
It is interesting how we all use certain terms differently – when I see “Disaster Recovery” I think of IT Recovery. Rarely would I use that label to apply to recovery of a business unit/function after an outage.
Do you use it in the same context?
I agree the difference between ITDR and BCM is significant.