Risk Management
is already well-established. Unpicking existing governance and process, and undertaking any level of rebuild, requires commitment. Happily, the process is flexible and can be delivered gradually over time. When the two processes are integrated, effective, tangible results can be rapidly realised.

The approach to integration that our firm has seen from clients is normally carried out in four basic stages:

• Strategy – Identify business strategy, direction, key performance indicators (KPIs), financial goals and other factors that lead to an understanding of a business’ risk appetite and its overall strategic priorities.
• Strategic business impact analysis – Review of key business activities, processes, dependencies, and risks/controls identifying exposures and priorities.
• Drill-downs and strategy – Focus on key areas, developing strategies for both risk and resilience.
• Plan implementation – BCM plans now broadened to encompass business continuity risk management plans, handling operational risks, whilst strategic and financial risks are managed at divisional or board level.

This process is illustrated below:
[Figure: process diagram. Recoverable labels: business strategy, interviews, workshops, risk map, key risks/threats, risk register, risk assessment, threats, impact, likelihood, risk strategy, risk mitigation plans (inc. controls), BIA, key processes, BIA of key processes, dependencies, vulnerability, impact]

Integrating BCM and risk management in practice

Keeping it practical and professional

Naturally, combining the two disciplines won’t happen overnight, and sometimes a maturity model is helpful when developing understanding and capability in stages over time. This should be a pragmatic approach that delivers benefits as you go, and allows learning to adjust the direction you are taking. Those companies that have been most successful in such an integration process are often the ones that are not overly analytical, look at the decisions they need to make and work backwards from these with the requisite level of analysis.

The underlying risk/resource/business process model is, not surprisingly, often complex and easy to get lost in. While any large organisation will need to capture data using some form of computerised platform or tool, these should be treated with caution as they often have a tendency to drive thinking rather than support it. Skilled professionals are much more important, equipped with the talent and perspective to sift what is important out of the mass of detail, while also having the ability to be flexible, without creating inconsistencies along the way.

Companies interested in aligning and integrating the two approaches should also look to current standards with caution. The standards for risk and BCM are unsurprisingly built around a traditional siloed view, which runs the risk that an improved integrated approach may not comply with BS25999, for example. A lot will depend on whether the auditor is looking at the big picture, or whether they are following the letter of the law.

A beneficial alignment

Both BCM and risk management are, of course, naturally aligned disciplines from a theoretical perspective. They both consider threats, impacts and controls, but they just do it in a different sequence. Despite this, aligning these two historically separate strands is not a straightforward process and requires commitment and careful planning. Those companies which do succeed in amalgamating these two approaches will, however, benefit from enhanced analysis procedures, greater overall corporate control and improved risk investment, all achieved through a more streamlined and cost-effective process.

Case study: an integrated scenario

Let’s look at a fictional scenario which is based on some real-life experiences. A major multinational engineering giant, based in Asia, has an established operational risk management backbone. Its engineers traditionally understand risk but struggle to understand the impact of BCM. The company was unintentionally filtering out some critical low-probability risks, such as the possibility of irreparable damage to critical equipment. Replacing this equipment could take as long as 18 months, leading to losses of hundreds of millions of dollars.

However, low probability risks can be ruinous, and in this case it was just not responsible to separate BCM from risk management. While they often sit in two different practice areas, there is too much overlap not to treat them as a whole.

It is therefore necessary to look at adapting the company’s approach to evaluating and managing risk. Under a combined approach, the business can capture a wider range of risks, with business continuity plans taking care of localised mitigation and avoidance, with the backing of the risk committee where large scale investment is needed. Broader risks are being escalated as part of the ERM process and a much richer debate has been created around the acceptance and mitigation of risk.

Richard Waterer
Richard Waterer is a senior vice president in the risk consulting practice at Marsh.
Richard.waterer@marsh.com.
November/December 2009  Continuity  37