Several management disciplines benefit from academic literature. Some of the most evident cases include strategic management, sustainability, and recently cyber security. Where the connection between industry and scientific research is the strongest, academics are up to date regarding best practices and are able to address relevant problems for organizations. Similarly, practitioners are keen to consult scientific material, whether in the form of journal articles, blogs or webinars.
In the organizational resilience field, some disciplines enjoy greater academic attention than others. For instance, a quick search on Scopus, one of the largest academic databases, reveals a significant disparity in the number of papers with a main focus on risk management (over 125,000) compared to those on business continuity management – or BCM – (405).
Furthermore, it is often the case that industry and academia are not really in sync. For instance, several papers only consider business continuity as a set of plans, instead of a holistic management system, while others deem it only a subset of other disciplines. This is quite different from the latest best practices in the field, which identify BCM as a specific function that should have an impact on business culture.
On a similar note, there are interesting works on risk management that evaluate traditional methods and how they fit within organizations. Reflecting on such academic ideas might help professionals improve their risk assessments by adjusting their methodology and perspectives.
In an attempt to bridge this gap between academia and industry, we are starting a series of articles where we will present some ideas from scientific research, free from excessive jargon and with a focus on the real priorities of professionals. To begin, this first article focuses on BCM and risk management.
Investing in Enterprise Risk Management (ERM)
An insightful work from Beasley et al. (2015) looks into how companies commit to risk management, exploring issues such as top management’s involvement and the assignment of formal roles and responsibilities within the organization. Due to the relatively large sample of participants, they also perform a sector analysis, highlighting the differences between the financial sector – which must comply with several regulations – and the rest of the organizations in the study.
At the foundation of their work is the dichotomy between institutional and agency theory. Institutional theory states that an organization takes certain actions (in this case investing in risk management) only to satisfy legal or regulatory requirements. This leads to a superficial commitment that bears no real results. By contrast, agency theory highlights those cases where organizations truly make an effort to establish a specific set of policies, through concrete actions such as the assignment of roles and responsibilities or training programmes.
The study finds the most mature ERM programmes to have a positive correlation with training programmes for senior management, the creation of risk committees, and the frequent update of risk inventories. Interestingly enough, companies in the financial sector show a more formal effort towards ERM (in line with institutional theory) despite having to comply with tighter regulations.
By contrast, those cases where there is a real commitment towards ERM (in line with agency theory) show a stronger association with the perceived strategic value of the function. This is an empirical validation of the fact that committing specific resources and establishing clear policies for resilience functions such as risk management does bear results.
The Risk Management of Nothing
In a different and rather provocative study, Power (2009) takes a critical look at risk management practices. It is important to understand that this publication dates back to right after the financial crisis of 2008, which means the author probably started writing it right in the middle of it. Hence, this paper is in large part a response to the risk management failure of that time; however, the reasoning is still very relevant.
Power revises the idea of risk appetite, questioning the relevance and accuracy of risk metrics. Specifically, the author criticizes the fact that risk management activities often aim to satisfy audits rather than to understand real risks and challenges. This turns the function into a bureaucratic exercise rather than the strategic tool it should be.
Furthermore, traditional risk management practices tend not to be holistic, since risk is detected in a very static and centralized way that might not necessarily reflect the threat landscape. To improve this process, it is pivotal to gather information from different perspectives within the organization, since risk appetite within an organization includes a variety of risk appetites that senior management must then mediate. This is not an easy task, but it provides a better understanding of what to expect.
Central to this call for change in risk management is the concept of interconnection. An organization is the result of complex interactions both internally (different units) and externally (customers, investors, suppliers). In this regard, BCM can be of great help, due to its search for the interdependencies of an organization and the challenges that they carry.
The BCM analysis phase does mirror what the author states in this paper, since that is the stage where the business continuity manager can identify possible bottlenecks, single points of failure, and concentrations of risk. This approach is decentralized in nature and has the potential to synthesize various viewpoints and risk perceptions.
A Strategic Role for BCM
The third and final paper we examine in this article is from Herbane et al. (2004), and it examines the possibility for BCM to have a strategic role within the organization. Despite being a publication from over 15 years ago, it is still tremendously relevant today, especially in this day and age. The study opens with a theoretical discussion of the fact that BCM should be a strategic function, since it plays a key role in preserving competitive advantage, followed by a series of case studies with UK financial companies.
As a small digression, there is also a very interesting and growing body of literature on how organizations should manage their internal resources to create and sustain competitive advantage in unstable and changing environments. BCM could benefit from integrating part of this literature to better show how it can deliver return on investment.
For instance, the field of strategic management is already adopting some of these principles, borrowing from academia to propose innovative ideas to practitioners. There is no reason BCM professionals shouldn’t do the same, supporting their own cause.
In this regard, Herbane et al. underline that:
“For commercial organisations, the adjective ‘strategic’ evokes the idea of a long-term competitive advantage. BCM is not only wholly compatible with this view but (as we discussed above) it is also a strategic precursor since a threat to the advantage (due to lack of crisis resilience) threatens the continuity of operations over a prolonged period. And just as planning is considered strategic when it facilitates the long-term development of competitive advantages, it can be argued that BC management which readies an organisation to preserve value derived from competitive advantage is also strategic”.
The case studies presented in the paper examine the role of BCM along four main dimensions, namely human resources, business continuity planning and processes, communications, and ownership and attitude towards the programme. The results show how those organizations that did not associate BCM exclusively with IT and disaster recovery, giving it a wider scope, benefited from this multifunctional background.
This finding goes hand in hand with Power’s idea that a great part of BCM’s significance comes from being able to break silos and take a look across the organization. Furthermore, similarly to Beasley et al.’s findings on risk management, assigning formal responsibilities – and therefore targets and rewards – for BCM led to a greater embeddedness of the function through the entire organization and not just a one-off mechanical process.
What can we take away from this read?
Whilst every organization is different, there are some key points that might be helpful to a large group of professionals:
- The way organizations evaluate risks should be subject to a reflection, since centralized risk assessments that do not include different perspectives are likely to miss trends and challenges;
- Assigning formal responsibilities does make a difference. The establishment of a formal BCM or risk management team – with targets and rewards – encourages concrete action and avoids a superficial approach;
- Investing in resilience also means dedicating people, time, and processes to it;
- The cross-functional view that BCM offers can be a strategic asset as a standalone function, not as a subset of another division;
- One of the main strengths of BCM is its evolution from a mainly IT/disaster recovery function to a more encompassing division with a strategic background;
- Borrowing from academic studies can help practitioners build their case in front of top management and improve resilience levels.
In conclusion, this is also an opportunity for academics and students to join the debate with practitioners from all over the world. If you have any research you wish to bring to our attention, please do so through our Call for Contributions.