In About Resilience’s most recent webinar on implementing operational resilience, which you can find here, the speakers addressed several topics that sparked interest among the audience. One of the most captivating ones was the role of business continuity management (BCM), which Sam Reason, Head of Operational Resilience at Zurich, defined as “three-quarters of resilience”. This expression resonated with both the panel and the attendees, as it explored the role of BCM as a facilitator of the broader resilience framework.
The conversation on the placement of BCM in this context has been going on for years, with different perspectives changing according to function, management level, and geographical area. For instance, in a country where BCM is more mature, top management might consider it more relevant, since the organization has had more time to experience the benefits of a BCM programme. Conversely, where the discipline is in its infancy, it is more likely to play a marginal role.
It is also true that many organizations worldwide have started to pay close attention to what resilience truly means only in this almost post-pandemic era. While international standards and guidelines have been out there for roughly two decades now, and research on the topic has intensified significantly in the last ten years, resilience remained nothing more than a desirable abstract concept for a long time. However, a very real series of international crises in the last two years has been forcing leaders to shift their attitudes.
Still, the question remains: what does resilience look like? And where does BCM come in?
Most practitioners around the world would rely on documents such as the ISO 22301 standards or the Business Continuity Institute’s Good Practice Guidelines to find an answer, or as an alternative they might look into industry discussions at conferences or online. In any case, it is likely that they would come to the same conclusion: resilience is the result of collaboration among several disciplines that have traditionally been associated with the protection of the organization.
These include but are not limited to BCM, risk management, information security, physical security, and health and safety. A more modern vision of resilience might also include core organizational functions such as IT, finance and payroll, human resources, and logistics. It won’t be hard to get professionals to agree on this idea (although some more than others); however, it is also important to define how these disciplines should interact.
It is at this point that the opening sentence – BCM is three quarters of resilience – becomes relevant again, and not because BCM professionals can get the job done on their own, but because they are best suited to enhance collaboration. That is where the added value of BCM lies.
A full BCM programme includes many elements of connection across various management disciplines. To begin with, it relies on raising awareness with key figures within the organization, most importantly top management. As the lifecycle moves along, it also mandates activities akin to risk management, such as risk assessments and horizon scanning exercises.
While it is true that these cannot substitute for a risk management programme, they offer a unique opportunity to work together and share information. Furthermore, implementing a business continuity plan comprises the creation of a crisis management committee and the establishment of clear rules for the escalation of an incident, up to a full-blown crisis. This activity also includes planning for crisis communications.
From a broader perspective, it is possible to appreciate how business continuity managers have the chance to gain a holistic view of the organization, running business impact analyses (BIAs) that will lead them to talk to those in charge of critical services for virtually any modern organization, such as IT, finance, and human resources. This is an integral part of the BCM lifecycle, since those functions are often those that need to recover swiftly for the whole organization to work after a disruption. The same goes for logistics, and in general for the management of suppliers, which could be providing critical goods or services.
The difference between BCM and other protective disciplines is that the former is not threat-specific. For instance, cyber security is a highly important division, especially nowadays, but it accounts for certain specific types of vulnerabilities. The same might be argued for physical security or health and safety. A sound BCM programme will cover disruptions of different natures, ranging from reputation issues to financial loss or staff safety. However, it will not be able to do so without liaising with all the other functions listed above, which provide in-depth expertise.
The main point is that there is no other discipline that has as wide a reach as BCM, when it comes to resilience. Enterprise Risk Management (ERM) is aligning to this idea, but the ability to map interdependencies, spot concentrations of risk, and identify critical services still places BCM in a better position. Besides, the underlying principle of BCM is perfectly in line with the idea of resilience, since both embody the acceptance of disruptions to business – and life in general – and help prepare to perform in a volatile environment.
In conclusion, to those who ask whether BCM is obsolete, who claim it should all just be resilience and who wish to get rid of the current paradigm, the answer is no, or not yet at least. The winning trend for the future is to get all the protective management disciplines to work together, and BCM is the key facilitator that can make it happen.
Author: Gianluca Riglietti