
Risk Management Approach to Business Continuity: Aligning Business Continuity with Corporate Governance


This textbook is the first practical guide to integrating risk management, business continuity management (BCM) and corporate governance.

It is written by two veteran practitioners who bring extensive international experience in all aspects of risk management and business continuity, having worked with organizations in a combined total of 50 countries. Their message is that risk management has evolved beyond its initial concerns with insurance and that business continuity is evolving beyond just the recovery of disrupted IT operations or facilities.

Risk management has become a strategic tool in managing all risk across an organization, and BCM forms just one more important tool in a much wider and coordinated risk management program. They are now complementary disciplines that set out critically to understand what the exposure is and the consequences of that exposure to the resiliency of the organization. As such, they require the understanding and support of senior management and boards.


Your practical guide to integrating risk management, business continuity management (BCM) and corporate governance.

Ideal textbook for MBA programs, senior undergraduate programs


Comprehensive Instructor Materials are available upon confirmed adoption, including PowerPoint slides and a syllabus for a 12-week course with lecture outlines/notes, quizzes, reading assignments, discussion topics and projects.

Topics covered in depth include stakeholder management, supplier management, outsourcing, the people factor, technology recovery, and communication, both internally and externally. These topics cover a wide range of challenges, including supply chain disruptions, media and brand attack, product contamination and product recall, bomb threats, chemical and biological threats, etc. There are instructions for designing/executing team exercises with role playing to rehearse scenarios. The book concludes with a glossary of 150 risk management and BCM terms.

Published by Rothstein Associates Inc. 420 pages, ©2006, ISBN 978-1-931332-36-1

Contact Phil to see if you qualify to receive a complimentary copy




Preface, by Senator George Mitchell (see Excerpt tab for full text)

Preface, by Steve Mellish, FBCI, The Business Continuity Institute (see Excerpt tab for full text)

Introduction (see Excerpt tab for full text)


  1. A Risk-Based Approach To Business Continuity
  2. Stakeholders
  3. Governance, Good Practice, Standards, Regulation and the Law
  4. Culture, Strategy, Performance, Risk and Business Continuity
  5. Getting Started: The Business Continuity Management Cycle
  6. Introduction to the Business Impact Analysis
  7. The Business Impact Analysis: A Hitch-Hikers Guide
  8. Application and Uses of BIA Information
  9. Technology, Exposures and Continuity
  10. Dependency Management: Supplier Management, Outsourcing and Business Support
  11. Opportunities and Other Applications for Business Continuity Tools and Principles
  12. The People Factor
  13. The Value of Insurance When Facing Potentially Catastrophic Risk
  14. Communications
  15. Emergency and Governmental Services
  16. Rehearsals and Exercising of Plans and Risk Decision-Making
  17. Maintenance, Benchmarking, Assurance and Audit
  18. Developing a Plan – Putting Theory Into Practice

APPENDIX A: British Standard PAS 56, Guide to Business Continuity Management, Annex B: BCM Evaluation Criteria





Excerpt from the Preface by the Business Continuity Institute

At last, a book for those involved in risk and business continuity management that proves beyond doubt why the traditional “silo approach” to risk management and business continuity management must be removed and replaced with a modern day “joined up” approach to protecting a business and the interests of its stakeholders.

Today’s business world faces an increasing assortment of risks and threats that can have devastating effects. However, we should not lose sight of those day-to-day incidents that can ultimately result in “death by a thousand cuts.”

This book, written by authors with acclaimed knowledge, experience and wisdom within both risk management and business continuity management, provides clear guidance supported with a wide range of memorable and highly relevant case studies for any risk manager or business continuity manager to successfully meet the challenges of today and the future.

~ Steve Mellish, FBCI, Chairman, The Business Continuity Institute

Excerpt from the Preface by Senator George J. Mitchell

The escalating pace of change, a rising tide of technological innovation, almost instantaneous transmission of breaking news and the globalization of crime and terrorism, all combine to provide a heady cocktail of challenge for today’s organization.

Clear to all business watchers are the dramatic ways that businesses have responded to these challenges and reorganized themselves, as they have taken up the opportunities available. These include new uses for technology, faster and direct to customer communications, increasingly open foreign market opportunities, outsourcing and offshoring, harnessing the power of the brand, sophisticated supply chain management, just-in-time delivery cycles, the ability to mine huge databases in milliseconds, and new relationships with the workforce.

These elements of the modern business may offer great flexibility and a magnificent ability to relate precisely to the needs of individual customers and other stakeholders. They have, however, also given rise to critical dependencies and single points of potential catastrophic risk and failure. Organizations can upsize and respond to new selling opportunities very quickly indeed. If an organization is fighting through a crisis, its competitors will most likely be well positioned to seize any opportunities created by the distraction and diversion of attention that recovery can demand. Interestingly therefore, the risk of sudden destruction of today’s modern organization, however huge, diverse, financially strong and multinational, is more likely than for businesses using the models seen in the 1990s and before.

The most critical failure points are not financial. Company boards have long established financial risk measuring mechanisms but the response to these new exposures and the growing influence of regulators are driving boards increasingly to consider non-financial risk. This is tougher to quantify, harder to grasp and consequently can give rise to boards feeling less comfortable and in control and consequently, less confident.

Business Continuity Management is coming of age to respond to the new needs of its own stakeholder, the organization for which it carries the responsibility. It is indivisible from risk management and is an increasingly important tool of risk management. The Continuity Industry leaders are now looking well beyond technology and other infrastructure replacement, and see a crucial value for themselves at the very top level of their organization’s strategy setting. They set out to understand the importance of these dependencies, measure the risk and impact in its very widest sense, and then ensure resilience and an ability to respond and recover to a level that the whole range of stakeholders is entitled to expect.

This book is a must read for those senior managers, risk managers and continuity managers who have the vision to see both the new opportunities and the new responsibilities of business continuity management.

~ George J. Mitchell, Chairman, DLA Piper Rudnick Gray Cary; Former Senate Majority Leader and U.S. Senator for Maine. Senator Mitchell successfully chaired the peace negotiations in Northern Ireland.

Excerpt from the Introduction

As business practices and sensitivities change, Business Continuity Management (BCM) is increasingly a central and crucial tool for the risk manager. Responses to the Bi-annual Risk Management and Risk Financing Survey by AON in 2005 amongst risk managers, insurance managers and finance directors of the United Kingdom’s top 1,000 organisations placed business continuity as the second most important risk issue that concerns them. The greatest concern, protection of the brand value, and the others in their top ten, (1) loss of reputation, (4) product liability/tamper, (5) regulatory/legislation, (6) physical damage, (8) terrorism, (9) corporate governance and (10) professional indemnity, are all commercial survival issues and key elements of continuity management.

The consequences of damage by a risk incident might not just be quantifiable initially in monetary terms, such as in the loss of valuable assets or by destructive levels of litigation. The consequences might involve the loss of life or of valuable dependencies that are necessary for the organisation’s very survival. These include intellectual assets, brand values, regulatory approvals, legality, the confidence of its various stakeholders, and its ability to deliver urgent, contracted products and services on time. Furthermore the consequence may be that the organisation has to step away from its marketplace for a period of time and give free rein to competitors to do lasting damage to the customer, supply or distributor base.

The damage, of course, may not only be within the organisation. There could be destruction of the legal or physical environment on which the organisation depends. An urgently needed “just in time” supplier or distributor might be the one directly affected by a disaster, but their failure to deliver as contracted may have an equally destructive impact on the production line of the organisation expecting urgent and key ingredients into their own products.

We set out to write this book because we have seen thinking about business continuity starting to evolve from its roots in IT backup and contingency equipment and facilities departments, typically referred to as “disaster recovery.” We believe, though, that these roots are still often the drivers for business continuity and its practitioners and that they, and too often their employers, remain within these narrow thought horizons. The modern business is much more complicated than this, is exposed to entirely new dependencies and criticalities, and, in spite of its wealth and scale, is even more exposed to single, organisation-wide exposures to destruction than in earlier business models. This causes us great concern and we feel significantly exposes organisations to destruction and total failure.

In the same way that risk management has moved on from being the purchase of insurance products, business continuity needs to emerge from its silos and position itself as part of the much wider risk and strategic management framework of the organisation. This book sets out to take the reader forward and has, we believe, important messages for chief executives, directors, non-executive directors, risk managers, continuity managers, internal and external auditors, investment managers, compliance managers, finance directors, project managers, regulators, education programmes and others.

An important aspect is that different organizations – and even personalities within an organization – can take very different views on the acceptability and unacceptability of risk exposures. They will make these decisions within their different backgrounds and cultures, and also the quite different pressures upon them. A bank, servicing credit cards and cash machines 24 hours a day, seven days a week, will take an entirely different view on acceptable gaps in service than an organisation where customers could reasonably wait a few days for the contracted service, product or for another response. Some organisations, especially those using e-commerce distribution, may have competitors who could upsize and respond incredibly quickly to any difficulties seen in another player in their marketplace. It is for this reason that the amount of time lost or “time out” from the marketplace is another vital consequence for the risk manager.

Equally an organisation cannot allow damage to destroy their financial and other business controls over their organisation. An insurance company may, for example, be dealing at any one time with current claims valued at many billions of pounds and will have reserved accordingly. To lose records and thus intellectual control over such a claims portfolio could totally destroy that organisation.

As always, the responsibility for risk understanding and management rests firmly with the board of directors. The board may delegate the processes for achieving risk understanding and risk management, but it cannot delegate the responsibility. Once the risks and the potential consequences are understood, the directors cannot ignore them and must make decisions around the information obtained. This is not just a regulatory issue, it is simply good management.

The decision could be that the exposure is an acceptable one. This might be a reasonable decision if the potential worst-case consequences are clearly understood and the board considers that they could not possibly have an unacceptable impact on their own people, their stakeholders, balance sheets, controls, legality, market presence, brand values, revenue accounts nor cash flows. If the exposure, however, is deemed to be unacceptable then the organisation has further choices to make:

  • The board can invest resources to manage the exposure or the potential consequences down to what is considered to be the acceptable level.
  • It could, of course, decide to avoid the particular activity or environment altogether.
  • It can enter into a contract to transfer the risk into an insurance product or to another counterparty.
  • It can prepare beforehand for the consequences of a risk incident, knowing that, with that preparation, business-critical dependencies are safe and that the strengths of the organisation can be used to manage through the consequences without unacceptable damage.

The risk manager could use one of the tools listed above, but in practice is more likely to use the most cost-effective and commercially realistic combination.

It is worth mentioning at this point the ability of the organisation’s lawyers to transfer by contract the potential cost of risk to suppliers, distributors or other counterparties. There is no real value, however, when a risk incident destroys a just-in-time and critical supplier or distributor, and it in turn, by its failure, damages or destroys the risk manager’s own organisation’s ability to remain in business. The lawyer’s view also needs the additional and important dimension of business continuity. Furthermore it is interesting to recognise that the most destructive of risks highlighted by the AON survey are not insurable ones in the conventional insurance market. ‘We didn’t need risk management because we had insurance’ is too often a cry from the corporate grave.

This book deals with the last of the four options listed above, i.e., business continuity management. The message of this book is that business continuity forms just part of a much wider and coordinated risk management programme that sets out critically to understand what the exposure is and the consequences of that exposure. We believe, in just one example, that there is a crucial role at strategic level for the business continuity manager when an organisation is considering, choosing and establishing contractual and operational relationships with a potential outsourced supplier. This book takes a view across the options available for managing any exposure, or potential impact that would be life-threatening to the organisation. It is important, though, that the reader keeps in mind throughout this much wider picture of risk and risk management that BCM is just one of the tools available to be used in isolation or in conjunction with the others. The existence of a business continuity manager, especially one whose task is only to ‘recover’ the organisation from a physical disaster, is very likely to be raising expectations of resilience well beyond the ability to deliver.

We should begin with the rather obvious but important maxim that – if the organisation allows itself to die during the risk incident – the best continuity planning will provide nothing more than a mechanism for trying to revive an already dead horse.

During a potentially catastrophic disaster in a modern multinational, the board’s attention is on the survival of the business. It is too easy to consider only the insurers’ view and believe that the most important concern is the replacing of buildings and contents, or defending from litigation. The loss of physical operations, whether buildings, contents, equipment or similar, is, of course, important. The risk manager’s view on BCM embraces these issues but also needs to look way beyond. It is crucial to consider the foundation stones, and thus vital dependencies, that enable a modern business to survive. These can then be matched against stakeholders who, in their own way, are critical dependencies. Only then, we suggest, can we see the real post-damage pressures, and what needs to be done, before the incident too, to ensure that the organisation can be kept alive.

In recent years, there have been important changes in the way businesses deliver and market their own products; changes too in their relationships with their stakeholders, and in the risks themselves.

Many a modern organisation can fairly be described as made up of no more than a brand, miners of owned or rented intellectual assets, controls, and outsourcing contracts. These ingredients have become crucial, urgent dependencies and single points of risk for the very survival of that organisation.

It is valuable to also consider organisations from the perspective of their stakeholders. We could recognise stakeholders simply as those organisations and individuals that have a ‘stake’ or interest in the current organisation’s affairs. The stakeholders demanding the attention of the continuity risk manager are not just investors; they include internal and ‘outsourced’ employees, customers, suppliers, distributors, financiers and their advisors, and the political, legal and natural environment. Their needs and demands are different and in some cases contradictory.

If these are not problems enough, in the real world of damage, the problems of a company reeling from serious damage are just beginning. All sorts of new stakeholders emerge, identified by their abilities and propensities to react to damage. These stakeholders can shift the ground even further away from underneath managers who are, in already difficult circumstances, trying to keep the organisation alive. These include competitors, the media as wholesalers of confidence, the brand values, bankers, credit rating agencies and regulators. Many organisations have, of course, their own unique stakeholders in addition.

This book sets out to look at these processes, stakeholders and dependencies and places them firmly at the strategic issue end of the Board’s attention. Above all, this book sees business continuity not just as something to remove a threat, but as something that is as much about opportunities for development and for enabling the much wider objectives of the organisation.


Risks themselves, therefore, have not only changed, but also the potential for damage from these new risks is totally different. Furthermore, consider the potential for damage to the organisation that can occur from old risks. A fire or storm damage that occurs in a building housing a group-wide computer system causes damage that is unrecognisable from the extent of damage we could envisage in past business models from a fire in one building.

So many of these risks are not physical ones. The loss of intellectual assets, the reputation, key stakeholders walking away, a drop in credit rating raising significantly the cost of capital and destroying dependent financial models, are just a few of the impacts that would cause so much more damage than the loss of buildings and their contents. This concentration of single points of destructive risk, too, can cause the skills of one individual or small team to be skills on which the entire delivery of a multinational depends.


The issue we address is not just the individual continuity manager’s own department: it is more than this. It is about ensuring, at the highest level in an organisation, that continuity is not something that is pushed aside as unimportant, but is positioned, structurally, and especially in business understanding and skill levels, at the very heart of today’s organisations. To do otherwise is just lip service, and creates a risk in itself, because it will raise expectations amongst stakeholders including shareholders, employees, customers and regulators, and as such is more dangerous than having no ‘business recovery’ position at all.



About the Authors

JULIA GRAHAM, FCII, FBCI, MIRM, CHARTERED INSURER, worked in the insurance industry in the UK for 30 years in a variety of managerial roles, including marketing, underwriting and operations. In the early 1990s she set up the first in-house Risk Management capability for the multi-national insurance company Royal Insurance. In 1996, following the Manchester bombing, Julia led the recovery team for the Royal Insurance business in Manchester, one of the most severely affected locations in Manchester and the working environment for more than 600 employees.

Julia went on to become the Group Risk Manager for Royal & SunAlliance with global responsibility for operational and strategic risk. This role included the responsibility for establishing policy and good practice for business continuity management across the organisation. In addition to the Manchester bomb recovery, which touched aspects of post-trauma, asset recovery and insurance claims management, Julia has practical experience of recovery situations including those touched by asset damage, SARS, employee death, kidnap for ransom, the World Trade Center and the bombings in London in July 2005.

An enthusiast for the risk profession, Julia has experience in a number of industry governance roles as an officer of local and national Chartered Insurance Institute committees, the Council of AIRMIC (the UK association for insurance and risk managers), the Board of the BCI (Business Continuity Institute), the Board of the ifs (The Institute of Financial Services) and the UK Advisory Board for SunGard.

A resident of the UK, Julia has worked in all continents of the world and is a regular author of risk management articles. Her conference speaking engagements have included the US, Australia, New Zealand, the UK, Continental Europe and Asia.

In 2004 Julia took up a position as Chief Risk Officer with the global legal services organisation DLA Piper Rudnick Gray Cary, one of the world’s leading legal organisations. Her role covers all aspects of risk management, including operational risk and business continuity management. DLA Piper is a rapidly expanding organisation and, at the time of publication, Julia’s role embraced 23 countries and more than 50 cities.

Julia is currently the chair of the team assisting the British Standards Institution (BSI) in creating a British and International Standard for risk management.

Julia is a Fellow of the Chartered Insurance Institute, a Fellow of the Business Continuity Institute, a Member of the Institute of Risk Management and a Chartered Insurer.

DAVID KAYE, FRSA, FCII, FBCI, MIRM, CHARTERED INSURER, has spent much of his working life resident in, and with bottom-line responsibility for, multi-million-pound insurance and financial services businesses in the United Kingdom, Holland, the Caribbean and the Far East. A two-year secondment to work with a Police Service reporting to the Chief Constable added further valuable and wide-ranging experience.

Prior to becoming a management consultant, David was a Divisional Director within the multinational group of companies and carried the Group responsibility worldwide for operational risk and continuity planning. In this role David evaluated and managed risk, and also developed and exercised continuity plans. He was required on numerous occasions to implement those plans and lead the response following potentially business-destroying damage by IRA bombs, and by numerous other natural and manmade disasters around the world.

David therefore brings to this book a mixture of wide international experience, a track record of achievements at Board level and as CEO, and also a deep experience of the international world of business risk and its consequences. He currently writes, lectures and provides guidance on matters of risk and business continuity to a wide range of business and public service clients around the world.

He has lived in six different countries, worked in 26 countries and has led workshops and/or addressed public and corporate audiences on Business Risk in 17. He is the current author of the Chartered Insurance Institute’s examination textbook on Risk Management. The Institute of Risk Management has appointed David to the new role of lead examiner on business continuity risks.

Many of his articles on risk and related subjects have been published by the Geneva Association and many other magazines and professional bodies. David is currently a member of the team assisting the British Standards Institution in creating a British and International Standard for Continuity risk management and has assisted other industry bodies in a variety of ways.

David is a Fellow of the Chartered Insurance Institute, a Fellow of the Royal Society of Arts, a Fellow of the Business Continuity Institute, a Member of the Institute of Risk Management and a Chartered Insurer.


Instructor's Materials

Instructor materials include the following for a 12-week course:

  • PowerPoint slides for each of 12 lectures
  • Syllabus with lecture outlines/notes, quizzes, reading assignments, discussion topics, projects

Excerpts from Syllabus

Course Description:

This course provides an introduction to business continuity management. The course starts with the relationship between business continuity management and risk management as complementary disciplines. The course then takes the student through the business continuity management cycle: how to understand the organization; continuity strategies; how to develop and implement a business continuity response; building and embedding a business continuity culture, exercising, maintenance and audit. Specific topics covered in some depth include stakeholder management, supplier management, outsourcing, the people factor, technology recovery, and communication. The course will provide an overview of plan maintenance, benchmarking, assurance and audit supported by case studies, concluding with guidance on how to develop a plan.

Objectives: Upon successful completion of the course, the students will be able to:

  1. Discuss the relationship between risk management and business continuity management as part of a risk and governance framework. (Week 1 – Chapter One)
  2. Recognize the range of stakeholders in the organization, their importance, roles and needs. Consider the position of governance, good practice, standards, regulations and the law as part of the risk and governance framework of the organization. (Week 2 – Chapter Two and Chapter Three)
  3. Consider business continuity from the internal and external context with a focus on the cultural dimension. Review the role and response of emergency and governmental services. (Week 3 – Chapter Four and Chapter Fifteen)
  4. Understand the business continuity management cycle. (Week 4 – Chapter Five)
  5. Examine the role and value of Business Impact Analysis and the associated practical considerations. (Week 5 – Chapter Six, Chapter Seven and Chapter Eight)
  6. Consider the special dependencies and exposures concerning technology. Establish the ground rules in creating technology continuity plans. (Week 6 – Chapter Nine)
  7. Investigate the issues associated with production-line management techniques, dependency, supplier management, outsourcing and business support. (Week 7 – Chapter Ten)
  8. Use business continuity tools and techniques for other risk-related applications across the organization. (Week 8 – Chapter Eleven)
  9. Demonstrate an appreciation of the issues associated with people in the context of business continuity management. Explain the related training and education needs and options for delivery. Evaluate the options for communication across a range of scenarios. (Week 9 – Chapter Twelve and Chapter Fourteen)
  10. Assess the relationship between business continuity management and insurance. (Week 10 – Chapter Thirteen)
  11. Consider the drivers and options for plan review and maintenance. Discuss and evaluate quality assurance, compliance and the processes of internal and external audit. (Week 11 – Chapter Sixteen and Chapter Seventeen)
  12. Apply the knowledge gained, putting theory into practice. (Week 12 – Chapter Eighteen)

Sample Syllabus With Instructor's Notes

Week 5 – The Business Impact Analysis (CO 5)

  • General Housekeeping
  • Syllabus Review
  • Attendance


A risk is the threat that an event or action will adversely affect an organization’s ability to maximise shareholder value and to achieve business objectives. Risk arises as much from the possibility that opportunities will not be realised as it does from the possibility that threats will materialise or that mistakes will be made. Risk is integral to all opportunity and is as much about opportunity as it is about threat.

The importance of the BIA as a basis for continuity activity has been stated in an earlier chapter and is well worth reinforcing at this point.

The ‘business,’ therefore, of the Business Impact Analysis is to identify the exposures and to quantify, quite precisely, the potentially destructive impact which they could cause on the very arteries of the organization.

We have said that those arteries are not only physical ones. They can include ‘soft’ but difficult issues such as stakeholder confidence, wider brand values, intellectual assets and legality. With that clear and focused understanding, the risk/continuity manager can begin to encourage realistic decisions about balancing risk and reward. Furthermore the risk/continuity manager can also obtain decisions to protect, duplicate or otherwise manage any unacceptable exposure down to an acceptable level. A further value, of course, is that a clear understanding of the potential business impact emerging from a difficulty will be crucially useful information to continuity planners who are putting together the recovery plans. These plans, necessarily, should reflect decisions about urgencies and the positioning of resources to meet those urgencies.

A. Role and value of the BIA

  • The crucial role of the BIA in enabling a clear understanding of critical assets and resources needed to enable survival
  • Information about risk and consequence aiding informed, and therefore better, decision making about the protection and duplication of crucial assets and resources.
  • Crucial assets and resources include people, information, other intellectual assets and supply chains as well as the more obvious buildings, technology and machinery.
  • Crucial dependencies include stakeholder confidence, brand values and legality.
  • The information developed can help decide urgencies and maximum time out tolerances and thus ensure a clear focus in the recovery plan to be developed.

B. The BIA framework and ownership

  • It is vital that the BIA report has credibility amongst senior managers who will need to make decisions around the risks and consequences reported.
  • Whilst the risk manager or continuity manager will develop the work, the ownership of risk and its decisions lies with the most senior authority in the organization.
  • Greatest value and success is when the BIA fits comfortably within the organization’s wider control and governance procedures.

C. Need for consistency in information and decision making

  • Consistency in defining risk and consequences throughout the whole organization is crucial in assessing relativity and priorities.
  • Therefore the objectives and scope must be clearly defined beforehand, as must the definitions of the terms to be used.
  • These definitions will include the consequence levels of incidents such as Negligible, Marginal, Critical and Catastrophic. This enables relative risk categorization for reporting purposes and categorization that embraces both financial impact and non-financial impact.
  • The definition of maximum probable loss or maximum possible loss needs care.

D. Practical considerations when developing BIAs

  • There are special needs when considering potentially catastrophic risk, including the lesser weight given to frequency over impact.
  • Relationships between the organization’s risk matrix and the BIA.
  • The project plan and its stepping stones are defined on page 107.
  • There is a choice of information sources and tools used by the continuity manager to research the risk information available amongst operational managers
  • There is crucial need for a clear reporting structure and process to ensure risks are understood clearly and that informed decisions are made at the right level within the organization.

E. BIA values and implications for individual risks

  • Enables informed decision making
  • Knowledge of risks brings a responsibility to do something about them; both from a regulatory point of view and also as a management responsibility to stakeholders.
  • Choices can be to accept the risk, reduce the likelihood, reduce the impact, transfer the risk or prepare continuity plans to manage the incident without destructive damage.
  • Discuss the special needs in managing continuity risks around intellectual assets, computer databases, paper files, skills and information within human beings, information within the supply chain, and physical damage to workstations and production lines.

F. Links from the BIA into the recovery plans

  • The BIA also enables continuity planners to have a clear idea of the dependencies, resources and requirements that are necessary if the organization is to survive.
  • The BIA will also establish the urgencies, in other words the maximum amount of time for which delivery can cease before the damage becomes destructive.
  • Plans can then evolve, and be kept up to date around these precise and understood criticalities and urgencies.


  • Presentation of project assignment from Week 4
  • Discuss Topic of the Week


  • Topic of the Week
  • Chapter Nine

Instructor Notes:

  • Instructor should define the “Topic of the Week” for the students
PowerPoint Slide to Accompany Lecture

sample power point Risk Management approach

Excerpt from Chapter 10: Dependency Management: Supplier Management, Outsourcing and Business Support

Objectives Of This Chapter Are To:

  • Provide definitional language for supplier management, outsourcing and in-sourcing
  • Explore the implications of supplier management and lead times for replacement following loss or disruption
  • Examine the issues involved and the planning required in managing the exit from an outsourcing agreement
  • Examine with the use of case studies the implications of single-source and critical components in production and supply-chain processes
  • Investigate the issues associated with production-line management techniques including just-in-time
  • Consider the services provided to support business continuity management and the issues of dependency associated with these
  • Offer an approach for dovetailing business continuity with supplier and outsourcing management

Transferring Risk, Not Responsibility

Using suppliers or outsourcing providers is one way of transferring risk away from an organization, but it is not a way of eliminating risk or transferring responsibility for managing risk to others. Further, while services or processes can be passed on, there are risks associated with finding an appropriate partner, in managing that partner relationship and in ensuring effective and efficient ongoing retention of contracted goods or services with appropriate control and governance.

The Rising Tide of Dependency On Suppliers And Outsourcing Providers

Outsourcing remains the star turn in the IT services and solutions sector. But as economic pressures to compete escalate, and organizations search for ways to shed cost, many organizations are focused on reducing the overheads associated with running their operations and are looking to:

  • Reduce process costs by improving process efficiency
  • Reduce overheads by taking out people and facility costs
  • Avoid capital expenditure.

The outsourcing of other business processes is close on the heels of IT.

At Risk – The Business Value Chain

Every organization has direct, indirect and quality assurance value activities. Direct activities are those that create value for the buyer, such as assembly. Indirect activities make it possible to perform direct activities, such as maintenance. Quality assurance ensures the quality of the other activities, such as monitoring and inspecting.

These activities are important components of an organization’s value chain and understanding these concepts is consequently key for appreciating the construction of an organization. Poor analysis of the value chain may translate into components being inadequately addressed as part of any business process, including business continuity arrangements, and consequently contribute to organizational failure in the event of disruption to business as usual.

But analysis does not stop at the doorstep of the organization. These activities must also be analyzed for any supplier or outsource provider that forms a link in an organization’s value chain. “Defining relevant value activities requires the activities with discrete technologies and economics be isolated. The linkages between suppliers’ value chains and a firm’s value chain provide opportunities for the firm to enhance its competitive advantage.” Dependencies between an organization and its suppliers and outsource providers may be complex and deeply entwined. In the event of an incident which leads to the failure of a supplier or outsource provider’s value chain, a resulting “domino effect” may have serious consequences for all parties in the relationship…


“At last, a book that integrates Business Continuity and Risk Management.”

~ Lorraine Lane, Chief Executive Officer, Survive – The Business Continuity Group

“Business Continuity Management is coming of age to respond to the new needs of its own stakeholder, the organization for which it carries the responsibility. It is indivisible from risk management and is an increasingly important tool of risk management. The Continuity Industry leaders are now looking well beyond technology and other infrastructure replacement, and see a crucial value for themselves at the very top level of their organization’s strategy setting. They set out to understand the importance of these dependencies, measure the risk and impact in its very widest sense, and then ensure resilience and an ability to respond and recover to a level that the whole range of stakeholders is entitled to expect.

This book is a must read for those senior managers, risk managers and continuity managers who have the vision to see both the new opportunities and the new responsibilities of business continuity management.”

~ George J. Mitchell, Chairman, DLA Piper Rudnick Gray Cary; Former Senate Majority Leader and U.S. Senator for Maine

“Business continuity is a vital area of modern risk and resilience management for any organisation. This book provides an ideal introduction to the subject for both the practitioner and for leaders and managers in general. It is also the core text for the Institute of Risk Management’s (IRM) own business continuity qualification.”

~ Steve Fowler, Chief Executive Officer, The Institute of Risk Management

“The topic of Business Continuity Management is growing dramatically in importance to corporate executives, as the nature and seriousness of the threats to the business sector continue to be revealed. This book is both a clear and insightful presentation of the concepts of Business Continuity Management that should become a part of every executive’s bookshelf.”

~ John Copenhaver, Chairman, The Disaster Recovery Institute International

“This book… provides clear guidance, supported with a wide range of memorable and highly relevant case studies for any risk manager or business continuity manager to successfully meet the challenges of today and the future.”

~ Steven Mellish, Chairman, The Business Continuity Institute

“Organizations of all types are placing greater emphasis than ever before on planning to ensure business continuity. At the same time, the need for knowledgeable professionals to create and maintain these plans is growing, as is the need for good textbooks to guide them. A Risk Management Approach to Business Continuity: Aligning Business Continuity with Corporate Governance is a helpful start.

Authors Julia Graham and David Kaye and editor Philip Jan Rothstein are all seasoned specialists and the text is a solid guide to the basic components of creating business continuity plans of all types. Among the book’s strengths is its demonstration that planning about business continuity is starting to evolve from its roots in IT backup, and that risk management no longer means simply buying an insurance policy. There is also an emphasis on the importance of involving senior organizational leadership in the planning and the need to identify all stakeholders at some point in the process.

Helpfully, there are a number of useful suggestions for doing this. Some sections provide considerable information, and there are a number of useful outlines. One provides suggested section headers for a continuity plan.

This book is a very good beginner’s reference guide for any manager new to the business continuity game. Experienced planners will find it a helpful refresher.”

~ Security Management Magazine

“One of today’s priorities for any business organization – whatever its size, sector or location – is that it continues successfully. Yet there is an increasing array of potential threats – both internal and external – to staying in business, ranging from IT failure and human resource issues to terrorism and climate change. Meanwhile, a growing number of interested stakeholders exist with an enhanced awareness of business management and performance.

Therefore Business Continuity Management (BCM) is attracting greater recognition as a vital tool that should be understood by the organisation as a whole. Protection of brand value, loss of reputation, product liability, existing and upcoming regulation and legislation, corporate governance and professional indemnity, are examples of commercial survival issues covered by BCM and addressed in this excellent book. Filled with case studies and illustrations, the authors provide a comprehensive approach that:

  • sets the scene for BCM;
  • demonstrates its value;
  • assesses risks and opportunities;
  • examines practical tools as part of risk management and corporate governance; and,
  • gives clear direction that moves the reader on from theory to practice.

This is a thorough work that is a must for all organisations. A Risk Management Approach to Business Continuity enables the reader to grasp the key issues in an accessible manner. It uniquely integrates the concerns of risk management and corporate governance in a practical manner that develops the interest of the reader so that it can – and should – attract the attention of the management of the organisation as a whole.”

~ Women in Law Newsletter

Contact Phil to see if you qualify to receive a complimentary copy