Is Business Continuity Planning just another risk category?

Many organizations consider Business Continuity Planning (BCP) as an extension of Enterprise Risk Management (ERM) or more specifically another risk category within ERM. If your organization subscribes to this view, please read on.  Can an organization plan Business Continuity by using the same tools and framework used to manage risks? That is the question we will endeavor to answer briefly in this communique.

Risks are generally measured in alignment with ISO 31000 standards, mostly against the Likelihood and Consequence matrix. Controls are then implemented to mitigate these risks. In summary, we evaluate the probability of a negative event and its effects on the organization and then take pre-emptive action to avoid the occurrence of the negative event.

BCP, on the other hand, starts with the implicit assumption that the negative event, herein referred to as disruption to business, has occurred. This is how BCP fundamentally differs from a typical risk control.

So, is BCP just another risk category? Based on this brief analysis, the answer is clearly, No.

As organizations no longer operate in an isolated world, disruption to business operations impacts customers, trading partners, products, services, and staff. The aim of BCP is to identify organizational assets that are required to continue business operations in case of disruption and to develop a contingency plan that provides guidance for the continuance of operations after a crisis.

But how to do it? What frameworks to use and what are the tools which can help restore business continuity? This specialized framework, called a Business Continuity Management System (BCMS), is utilized by risk managers to prepare for the unexpected and ensure business continuity for their organizations. Here at Tickit we call it Tickit BCP. In the next blog post, we will talk about how our team went about the design of Tickit BCP and how you can benefit from it.