Our survey says, “BCM and Risk must work together”. All for one and one for all

28 October 2016

View Jack Armstrong's profile on LinkedIn

When I was just starting out in BCM, with all my BS25999 qualification front of mind, I worked with a company in the Middle East, trying to teach them the joys of Business Continuity - but I couldn’t work out why they kept trying to refer everything back to risk (they were primarily an organisation of engineers). Why couldn’t they keep to my BCM checklist and allow me to get things done without wanting to go back to talk about underlying risk?  Did they not know that the risk was irrelevant to Business Continuity as it was all about the recovery? 

After a good few months of this repeated head banging, I slowly got the idea that it might be worth integrating a bit of risk into my Business Continuity methodology. This seemed to ease my meetings and help them to understand what I was trying to achieve.  Fast forward a few months and I had to agree that the future clearly lay in integrating the approaches between Risk Management and Business Continuity in that organisation.  We successfully piloted how it would work and I thought we had predicted the future of the industry.  That was about a decade ago.

It turns out that we never saw a real merge of approach between Risk and Business Continuity. Instead, we’ve seen the emergence of something called ‘operational resilience’, an all-encompassing umbrella term that sits above every protective and recovery ‘discipline’ you can name; Security, Risk, InfoSec, BCM, IT, Crisis, etc.  In practice, what I actually see in organisations currently are varying levels of integration of these disciplines– ranging from one leader taking responsibility for all these areas right down to, “We don’t like them and we don’t speak to them” attitudes.  Secretly though, even in the latter organisations, most professionals tell me - privately in some cases! - that the organisation would benefit if these areas were working together more closely together.  To do so minimises the opportunity for things one area knows about (BCM, Security, Risk, Crisis, InfoSec, etc.) from getting lost in the gaps between the others.   

The survey we did with the BCI in the summer has backed this up, with an average of 44% of respondents asserting that BCM working more closely with Risk, Security, Information Security (Cyber) and IT is going to become more important. Even more telling is that only 2% believe it will become less important.

I’ve always thought that making sure these disciplines work together well is a basic ‘economies of scale’ approach. By working together we make everything more efficient, remove silos of knowledge and access and gain value from a joined-up approach.   But in practice, that’s not yet how many of us work.

I wonder if this statistic will be one of those that begins a debate at the BCI conference (where my colleague Charley Newnham, along with Deborah Higgins from the BCI will be officially releasing this and many more new statistics from our summer survey during the morning of Day 2). I will be there so if you have thoughts, please do find me for a chat about it. 

View Jack Armstrong's profile on LinkedIn


Great post, and I agree with your comments. I believe that one critical piece of the puzzle is missing here, however, and that is Communications. BC is about more than just systems. From a crisis communication perspective, it is about getting the entire enterprise back to 'normal' after an incident. Crisis communication planning and preparation must be woven into this multi-disciplinary work. Without effective communication, both across teams and with all stakeholders, enterprise-level BC efforts are not as effective, especially in situations that threaten the organization's reputation and brand.


Thanks for the comment. I completely agree on the importance of Communication during an incident and on it's integration with your other resilience disciplines. Unfortunately this wasn't one of the areas covered during this years survey but I think it could potentially be something we look at next year!

Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.


Post a comment

Comments are moderated and will not appear until the author has approved them.