We often see discussions about, and hear of, clients segregating risk management and business continuity into two separate silos. When we have worked with organizations that have a risk manager (or similar job title) and a business continuity manager, we are surprised how often the two do not work together. Bringing them together is usually a good starting point when assisting clients and users of our solutions, as a means of simplifying the risk management and business continuity management process.
Nurturing the interconnectedness of the two managers' roles allows for the development of effective and efficient risk management and business continuity management programs. We see this as a vital relationship, as we come from the school of thought that effective business continuity proficiency is found through adequately managing risks. On the flip side of this statement, we feel that risk cannot be effectively managed without a proper business continuity plan and strategy for recovery in place.
This relationship is pointed out in ISO 27001 (Information technology – Security techniques – Information security management systems – Requirements) and in the BS 25999 Business Continuity Management standard. According to ISO 27001, Business Continuity Management is considered to be an essential control for an organization from a legislative point of view. According to BS 25999, organizations should have a process for risk assessment. This process should allow an organization to understand the threats and vulnerabilities of its critical activities and supporting resources.
These two separate standards, when implemented together within a single organization, can lead to effective and efficient management systems that reduce risk and the potential negative effects of a disruption.
At the end of the day, business continuity management and risk management are interconnected. You cannot have a truly effective business continuity management and risk management program without integrating this connection within your organization.