Our survey says, “BCM and Risk must work together”. All for one and one for all
28 October 2016
When I was just starting out in BCM, with all my BS25999 qualification front of mind, I worked with a company in the Middle East, trying to teach them the joys of Business Continuity - but I couldn’t work out why they kept trying to refer everything back to risk (they were primarily an organisation of engineers). Why couldn’t they keep to my BCM checklist and allow me to get things done without wanting to go back to talk about underlying risk? Did they not know that the risk was irrelevant to Business Continuity as it was all about the recovery?
After a good few months of this repeated head banging, I slowly got the idea that it might be worth integrating a bit of risk into my Business Continuity methodology. This seemed to ease my meetings and help them to understand what I was trying to achieve. Fast forward a few months and I had to agree that the future clearly lay in integrating the approaches between Risk Management and Business Continuity in that organisation. We successfully piloted how it would work and I thought we had predicted the future of the industry. That was about a decade ago.
It turns out that we never saw a real merge of approach between Risk and Business Continuity. Instead, we’ve seen the emergence of something called ‘operational resilience’, an all-encompassing umbrella term that sits above every protective and recovery ‘discipline’ you can name: Security, Risk, InfoSec, BCM, IT, Crisis, etc. In practice, what I actually see in organisations currently are varying levels of integration of these disciplines, ranging from one leader taking responsibility for all these areas right down to “We don’t like them and we don’t speak to them” attitudes. Secretly though, even in the latter organisations, most professionals tell me - privately in some cases! - that the organisation would benefit if these areas were working together more closely. Doing so minimises the opportunity for things one area knows about (BCM, Security, Risk, Crisis, InfoSec, etc.) to get lost in the gaps between the others.
The survey we did with the BCI in the summer has backed this up, with an average of 44% of respondents asserting that BCM working more closely with Risk, Security, Information Security (Cyber) and IT is going to become more important. Even more telling is that only 2% believe it will become less important.
I’ve always thought that making sure these disciplines work together well is a basic ‘economies of scale’ approach. By working together we make everything more efficient, remove silos of knowledge and access and gain value from a joined-up approach. But in practice, that’s not yet how many of us work.
I wonder if this statistic will be one of those that begins a debate at the BCI conference (where my colleague Charley Newnham, along with Deborah Higgins from the BCI, will be officially releasing this and many more new statistics from our summer survey during the morning of Day 2). I will be there, so if you have thoughts, please do find me for a chat about it.