Business Continuity Management & Enterprise Risk Management: The Super Duo of Resilience
To quote one of the world’s most famous and influential fictional characters, “Jenny and me was like peas and carrots!” Just as Jenny and Forrest Gump were two halves of one soul – or as Forrest so eloquently said, peas and carrots – I know another super duo that fits together well: business continuity management (BCM) and enterprise risk management (ERM).
Now, if you’re wondering how these two things work so closely together yet differ from each other (that’s a bit of an oxymoron, isn’t it?), you’re probably not alone. It’s true that they are both integral parts of the risk management process, but they play different roles that support the entire spectrum for an efficient credit union risk foundation, from identifying risks and implementing controls to prevent those risks from happening (as much as possible), to creating a plan that addresses those risks should they come to fruition.
The SEPARATE Roles of BCM & ERM
Let’s first analyze the difference in functions for both of these risk management mechanisms.
ERM – Diagnosis and Prevention
To borrow another nugget of wisdom bestowed upon us by the unintentionally inspiring Forrest Gump: “…life was like a box of chocolates. You never know what you’re gonna get.” That’s exactly why we perform ERM: the amount of risk a credit union can face on any given day is just as unpredictable. ERM is the process of identifying, assessing, reporting, monitoring and instilling policies, procedures and controls to address risks that a business could potentially experience, which makes it a primary step in the risk management cycle.
Think of this as the “diagnosis,” or identification, stage of risk management, with an ever-circulating number of processes to analyze and attend to. As such, it’s a predecessor of BCM because we must first understand the risks that lie within our business, our industry, our operations, our vendor relationships, our systems and more.
BCM – Response and Treatment
On the other hand, BCM attempts to take those identified risks, or “diagnoses” if you will, and lay out a proper response plan to minimize the impact to your credit union. Think of this as the “treatment” phase of the risk management process, where we dissect the findings in ERM to create a sort of blueprint that maps out the who, what, where, when, why and how of an action plan. Action is the key when it comes to BCM.
That’s because, as previously mentioned, the ultimate goal of BCM is to reduce the impact to your organization and mitigate the risks that arise by being as prepared as possible for, well, everything that’s possible. Again, there’s no way to know what kind of chocolates life is going to hand us in that box, but we can anticipate and make decisions, preferably prior to any issue, that will ensure resilience within our credit unions.
The SIMILAR Roles of BCM & ERM
Now, let’s look at what BCM and ERM have in common. There are plenty of similarities to be sure, but one that stands out above the rest is that both are proactive in managing risk. In other words, they seek out a deeper understanding and establish a series of subsequent protocols to handle the risks and vulnerabilities your credit union is likely to encounter before they may be realized. Performing BCM and ERM is almost akin to taking a look in the proverbial crystal ball to see the probability of things like data breaches or vendor instability, for example, and the business impact that is sure to follow.
By working together in a proactive way, BCM and ERM create a greater, all-encompassing risk management approach that goes beyond the stage of simple survival, and into the realm of resilience. They work in tandem to tackle risks from a perspective that spans the moment of identification to the moment of realization and reaction, which is a powerful combination.
My advice is to try to mesh BCM and ERM together as much as possible. That may include integrations such as:
- Conducting simultaneous risk assessments to compare findings and determine strategic actions to combat high-risk threats.
- Creating a dual risk report for your board to show the risks identified by ERM and the proposed plan for maintaining continuity.
- Finding combined software in which you can store all of your BCM and ERM data and perform all related tasks within a single comprehensive (integrated) resource.
- Bringing your BCM and ERM teams together so that they are able to better leverage their collective knowledge and streamline the process of assessments, planning, reporting, monitoring, etc.
Forrest Gump was so wise in his own special way. He led a life full of amazing experiences and milestone moments, yet he was able to so simply describe the bond between his heart and Jenny’s as “peas and carrots.” As a professional in credit union risk, I really couldn’t have said it better myself when it comes to the relationship between BCM and ERM. Their roles are unique, yet they complement each other in a way that supports holistic risk protection for credit unions each and every day. Whether you want to call them friends and allies, peas and carrots or a super duo of resilience, there’s just no denying that BCM and ERM are a match made in heaven for risk prevention.
Mark Clarke works as the business continuity administrator for Vizo Financial Corporate Credit Union. In this role, Mr. Clarke supports the performance of business continuity planning, business impact analysis and business continuity training for the Corporate and the credit union industry. Mr. Clarke also delivers tailored consulting services for credit unions, assisting them with their specific business continuity needs.