When examined from the outside, some people may think that business continuity, risk management and insurance may be different names for the same thing. While these terms, and essentially different business functions, do have some corroborating concepts, it is very important to understand the distinctions between them. Understanding these differences allows for each discipline’s role within an organization to be defined, and that definition will in turn allow for the correct utilization of each concept’s function.
Getting Our Definitions Sorted
Let’s start with the definitions of each, and we will move on to their role as it relates to organizational resilience.
According to DRI International, business continuity is defined as a, “Holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.
The Institute of Risk Management defines risk management as, “Risk management involves understanding, analyzing and addressing risk to make sure organizations achieve their objectives. So, it must be proportionate to the complexity and type of organization involved. Enterprise Risk Management (ERM) is an integrated and joined up approach to managing risk across an organization and its extended networks.”
Finally, the National Association of Insurance Commissioners defines insurance simply as, “An economic device transferring risk from an individual to a company and reducing the uncertainty of risk via pooling.”
The Difference Between BCM, Insurance, and Risk Management
As you can see above, the overarching theme throughout these concepts is the “management of risk,” but the function of each and the way that is accomplished is quite different.
When thinking of insurance as it relates to business continuity, it’s best to use a simple but albeit perfect metaphor. Thinking that you don’t need BC because you have insurance is like saying you don’t need smoke detectors because you have homeowner’s insurance. Yes both concepts deal with risk, but insurance in a nutshell only provides peace of mind against it, while BCM helps you manage and mitigate the effects of a risk-event if it occurs. To get the payments and security of insurance you need processes in place to prepare for, and manage, said event – and that’s done through BCM.
Risk management on the other hand may be a little more tricky to define as it relates to BCM, but it is best to think of both concepts as different sides of the same coin. While risk managers analyze and address risk to protect a company department or objective, BCM professionals assess and develop plans to manage incidents that affect operations and organizational resiliency. Andrew McCrackan puts it best when he used this example in an article for Continuity Central saying:
“Risk management may identify risks of fraud as a result of analysis of business process and implement systems of control to treat any identified risks. However, potential failure of these systems of control rests with the function of business continuity management.”
As you can see both identify and manage risks to a company, but it is business continuity that identifies, protects and manages criticalities that can disrupt operations.
While these three terms may be similar as they relate to risk, it is important to understand the functions of each when considering your company’s organizational resilience.