Integrated business continuity, ERM plans help organizations build resilience
SAN DIEGO — Some corporations are beginning to recognize the benefits of connecting their enterprise risk management and business continuity management programs, but hurdles such as divergent vocabularies must be overcome before such linkages are widespread.
A primary function of a business continuity team is to ensure the company can function after an incident such as a supply chain disruption or a natural catastrophe that shuts down a major facility, meaning that continuity planning should be a core element of a strong enterprise risk management program, experts say.
“A lot of ERM and BCP is about trying to come up with plans that allow you to respond efficiently and effectively to uncertainty,” said Rich Michel, head of the national risk management practice at Wells Fargo Insurance Services USA Inc. in Atlanta. “You may not be able to prevent something from happening, but you can certainly decide how you need to respond.”
While business continuity management does not address every enterprise risk, it can identify and respond to fast-approaching, high-impact interruption risks that can overwhelm operational resilience, Philip Samson, a principal with PricewaterhouseCoopers L.L.P. in Dallas, told attendees of the Risk & Insurance Management Society Inc.'s annual conference in San Diego this month.
“Where do we need to become stronger so we can take a hit?” he said. “Let's see if we can build some resiliency into our infrastructure. Business continuity can help you do that.”
Business continuity is much more tactical and operational than enterprise risk management, but the programs have to be linked and integrated, said Lisa Kremer, San Francisco-based U.S. practice leader, enterprise risk management, for Marsh Risk Consulting, a unit of Marsh L.L.C.
“We're not necessarily seeing that all across the board, but when you think about all risks to the organization from an ERM standpoint, they need to have mitigation and controls in place,” she said. “If we're not seeing a business continuity program that's actually alive and well and sustained and not just a document, then that's a big gap. That is a primary way where I can see the integration and the linkages between those two.”
Some companies have started to link their ERM and BCM programs. Falken Tire Corp. did not have a formal business continuity program until a phone line disruption propelled business continuity onto its top-five priority list, said Luis Cortez, internal audit manager based in Rancho Cucamonga, California. That spurred it to integrate BCM into its ERM program this year and form one steering committee to identify risks and develop continuity plans, Mr. Cortez said.
“We've married both programs into one program, and what we're finding by doing that is some of the risks we've identified through ERM we have to address through BCM anyways,” he said.
Cyber risk was one of the exposures Falken identified through this process, which helped raise awareness of the need to revamp the company's business continuity plan for information technology, Mr. Cortez said. Falken also sought to address logistical challenges caused by weather issues, which had created problems delivering supplies into and out of the District of Columbia and during port closures in 2015, and the risk posed by receiving all of its product from overseas parent company Japan-based Sumitomo Rubber Industries Ltd.
“Because our sole source is our parent company, we're kind of handcuffed a little bit,” Mr. Cortez said. “As we were going through this assessment from a BCM perspective, we talked to the different players that came up with the contingency plans, and we were able to determine that because we get 100% of our supply from our parent company, the only thing we can do is try to have some type of buffer.”
But there are obstacles to linking ERM and BCM programs, including the traditional silos built up within organizations and the different disciplines of these teams, with business continuity planners generally coming from the engineering field and ERM staff having financial, accounting or auditing backgrounds, experts say.
“Sometimes you almost feel like a translator, and that's a very, very important thing to do,” said Christopher Johnson, executive vice president for FM Global in Johnston, Rhode Island. “The worlds of engineering, procurement, finance, insurance and on it goes, all have very distinct vocabularies. A starting point is to get everyone together to imagine what for them is probably unimaginable.”
It takes a skilled risk manager to articulate how ERM and BCM fit together and to reassure staffers that the goal is not to take their jobs away, said Geoff Taylor, San Francisco-based executive vice president for Willis Towers Watson P.L.C. Senior management can also drive efforts to adopt a singular culture, but ideally consensus would be built among the parties, which requires negotiation and cooperation, he said.
“The problem is, language of risk is not common,” Mr. Taylor said. “If you go to an accountant and say EBITDA, everyone knows exactly what you're talking about,” but not so for risk. “It's hard to advance things when you don't all speak the same language.”
One of the signs of progress is when ERM and BCM steering committees are joined into one, working to identify core risks and develop response plans, Ms. Kremer said.
“When we think about it from an ERM standpoint, one of the fundamental, successful pieces of the framework is making sure you have that risk communication in place and try to establish that risk culture, that information is shared,” she said. “Not that they all have to speak the same language all the time, but you at least have to start that dialogue.”