Why we need to agree on our definitions and change our thinking around risk management, business continuity and resilience.
First, this is not about where the responsibility for business continuity should reside within an organization. It is about the responsibilities of the business continuity profession and its practitioners. Lately, I’ve witnessed the practice of risk management begin to take over that of business continuity. Many practitioners promote this alignment and foster the perception that business continuity is simply a part of the practice of risk management. I say this is bad for both disciplines and the organizations they serve.
For the sake of clarity, let’s start with some simple definitions:
- The Institute of Risk Management states “Risk management involves understanding, analysing and addressing risk to make sure organisations achieve their objectives.” The International Risk Management Institute describes its work as “The practice of identifying and analyzing loss exposures and taking steps to minimize the financial impact of the risks they impose.”
- ISO 22301 defines Business Continuity as “the capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident.” Since this definition is also quoted by the Business Continuity Institute (BCI) within their explanation, I don’t believe additional definitions are required.
- Dictionary.com defines Resilience as “the power or ability to return to the original form, position, etc…” The Oxford English Dictionary defines it thus: “the capacity to recover quickly from difficulties; toughness.”
- I’m also providing a definition for Preparedness. The Cambridge Dictionary defines this as “the state of being prepared for a particular situation”. The Oxford English Dictionary calls it “A state of readiness”.
Risk Management in execution
Risk management is probably the most nebulous of the endeavors we’re discussing. This is a field that is evolving and must continue to do so in order to keep pace with the ever more complex business world of tomorrow. Traditionally, risk management has concerned itself with the identification, analysis and control of risk. Methodologies vary but largely follow an iterative cycle of identification, analysis, categorization, and decisioning, followed by monitoring and review.
The high-level decisions made with regards to each risk include: mitigate, transfer or accept. In many cases, controls are put in place to either limit the likelihood of the risk occurring or minimize the impact to the organization if it does. Transferring the risk means obtaining insurance to recoup the costs incurred from the materialization of the risk. Note that this only transfers the cost associated with the risk. Consequences that are more difficult to quantify, such as reputational impact and loss of customer confidence, are not as easily transferable, if at all. Lastly, the decision may be to accept the risk. This includes situations in which the risk cannot be easily mitigated, such as from physical threats like storms and earthquakes, or the cost to mitigate is simply too high and cannot be justified. It should be noted that this methodology provides no solution for those risks that simply cannot be easily predicted.
Simply put, risk management is concerned with the mitigation of known risks, prior to their occurrence, which the organization has adequate resources to control. What the risk management discipline omits from its responsibilities are the activities that follow when a risk or threat materializes. This means that for each risk accepted, inadequately controlled or simply not identified, there is the potential for material impact to the organization. This is the space that preparedness occupies.
What is Business Continuity?
Let’s look again at that definition used by both ISO and the BCI: “the capability of the organization to continue delivery of products or services at acceptable predefined levels following [emphasis mine] a disruptive incident.” This is an important distinction. We can clearly posit that risk management is concerned with minimizing the likelihood and impact of risks before they occur, while business continuity is squarely focused on minimizing the impact after a disruptive event.
This is not to say one endeavor is more important than the other, but they are clearly different. The problem is that we have been treating them the same, or at least overlapping the activities of both, for much of the existence of the business continuity and disaster recovery disciplines. When business continuity concerns itself with mitigation activities, it is indeed doing the work of risk management. This is despite the fact that organizations that devote resources to business continuity also have risk management teams, as well as related functions like security, facilities and safety, that are already doing this work.
Preparedness, as we see from the definitions provided, is the state of being ready. It is concerned with putting in place the capabilities to be able to respond adequately in the face of an unforeseen threat or disruption. One can manage the risk of their house burning down, for example, by minimizing the use of flammable materials in construction, installing smoke alarms and positioning fire extinguishers near sources of potential flames. Even with all these measures in place, however, there is still the possibility that the house can burn down. One can be prepared for this event by having an evacuation plan so as to avoid perishing in the fire. One can also purchase fireproof safes for the storage of valuables and even create a visible checklist that identifies all the costly and sentimental items one should grab should the decision be made to vacate.
It is tempting to put all these activities into one bucket as they deal with threats and their potential to disrupt lives and activities. But these endeavors are fundamentally different. Smoke alarms, fire retardant materials and fire extinguishers have a single purpose: to prevent or minimize the potential for fire. Understanding that particular risk, and the means to prevent or control it, is critical. If one is not versed in the various causes of fires and how to extinguish them, very bad things can happen, such as what results from throwing water on a grease fire. There is a very specific set of skills and knowledge necessary to identify and implement all the proper controls.
Preparedness planning, on the other hand, provides for the ability to respond to a number of potential threats. An evacuation plan can be followed whether the house is on fire, flooded, filling with natural gas or the structure is unsound due to some other event (subsidence, a fallen tree branch or an errant vehicle, for instance). Steps can be taken to protect valuables by putting them in sturdy containers that are both fireproof and less prone to the effects of flooding or falling debris. But the implementation of such capabilities does not require an understanding of fire and its inherent causes. Likewise for the many other threats for which one should be adequately prepared to respond.
Preparedness, as you can see, requires a different mindset and a different level of expertise to adequately implement. And it is this space that business continuity occupies. This is because business continuity planning is concerned with what happens after the risk materializes. Recovery, by definition, assumes that there is something to recover from. Related functions such as technology / disaster recovery and crisis management are similarly focused on the strategies and procedures for responding to an event that has already transpired.
Defining the Problem
The fundamental problem we’ve seen in the business continuity discipline is twofold. First, it seeks to lump two separate and distinct activities – that of preparedness and that of risk management – under one umbrella. Second, in doing so, it has mistakenly conflated the two. The belief that business continuity is a risk management discipline is almost universal not just in our own profession but within the risk management arena as well. This is unfortunate as it means undoing decades of misinterpretation and requires major re-education.
The most serious issue with our combination of risk and preparedness is that we fail to realize how distinct the efforts are in reality. What this means is that time spent on one effort is time taken away from another. In other words, one undertakes risk management activities at the cost of less time, effort and resources available for preparedness. The converse is equally true. While it is certainly possible to split time evenly between the two efforts, it is foolhardy to think that there is any single action that can satisfy both endeavors.
So, when published business continuity standards dictate that a risk assessment be performed, they are really mandating that precious time and resources be taken away from preparedness. Yet there is no corresponding requirement within the risk management discipline that time be spent on preparedness efforts. This is despite the fact that no risk can be reduced to absolute zero. In fact, as the world becomes more connected and expectations for system and service availability increase, the potential for serious impact from even relatively minor risks is on the rise! Surely this makes preparedness all the more critical. Yet more and more, business continuity practitioners focus their attention on risk mitigation while devoting less time to proper response and recovery.
It is human nature, when disaster strikes, for leaders to look for ways to prevent the next similar catastrophe. Hurricane Katrina led many to question why the levees protecting New Orleans were not strengthened. When acts of terrorism occur, it is only natural to wonder how we can catch the next perpetrator before he or she strikes. When systems fail, business and technology executives wring their hands in frustration as they’d been previously convinced that the potential for such errors had been adequately controlled.
And this is the problem. The more we focus our time and attention on prevention, the more convinced we become of its benefits. Every problem becomes an opportunity, not to become better prepared for the next issue, but to address the symptoms that contributed to or resulted in the problem arising. There is value to this, to be sure, but it can also result in time wasted trying to prevent extremely unlikely events from ever occurring. Better managed organizations collect data for every event, major and minor, then focus their efforts on remediating only the most frequent or costly of them. But they should also devote time and effort to improving their response to those events, knowing that they will occur, despite their best efforts at preventing them.
…and a word about Resilience
This brings us to resilience. David Lindstedt specifically defines resilience as an inter-discipline (Resilience is an Inter-discipline, Lindstedt, Sept 2015). This is true in that it combines the disciplines associated with risk management and preparedness. It includes business continuity, but also activities that may involve both, such as life safety, security, crisis management and others. And this makes sense.
Think of how the term resilience applies in the material world. We don’t think of rocks and stones as resilient. They may be strong, but if hit hard enough can be broken and, upon breaking, cannot be returned to their original form. This might be analogous to organizations that devote all of their resources to risk management and little, if any, to preparedness. Conversely, clay is not considered resilient either. It can be molded, broken and the two pieces put back together, but it is too malleable to return to an original form or shape. A rubber ball would fit the traditional definition of resilience. It can withstand abuse not through sheer rigidity but by absorbing the shock and returning, again and again, to its spherical form. Likewise with organizations that devote equal time and capital to managing their risks as well as their ability to effectively recover when serious disruptions occur.
So, to my fellow business continuity practitioners I say the following:
1. Business Continuity is NOT risk management
2. Business Continuity IS preparedness
3. Resilience is achieved through effective risk management AND preparedness
The sooner we divorce business continuity from the all-too-welcoming arms of risk management the better. Only by doing so can we position business continuity as the proper discipline that it is. And we must abandon resilience as simply a re-definition of business continuity and begin using it in its proper context. As such, we must recognize that it is two distinct efforts – risk management and preparedness – that make for resilience. And resilient enterprises can only come about through the equal application of both.
Mark Armour and David Lindstedt are co-authors of Enterprise Security Risk Management: Concepts and Applications and The Manager’s Guide to Enterprise Security Risk Management: Essentials of Risk-Based Security.