Faced with a widening variety of potentially catastrophicexposures--both natural and man-made--risk managers are integratingbusiness continuity and disaster recovery planning into theirenterprise risk management efforts, and not a moment too soon, losscontrol experts say.

"Business continuity management and related areas, such assecurity and disaster recovery, are all components of operationalrisk, and that in turn is a component of ERM," said John B.Copenhaver, president and chief executive officer of the DisasterRecovery Institute, with offices in Atlanta and Washington,D.C.

"That's how we see all of this working together today, and we'reworking hard to get that message across," added Mr. Copenhaver, aformer senior Marsh executive.

"There's no question that ERM and business continuity planningconnect and are inseparable. They're really two sides of the samecoin," added Chris Duncan, chief operating and finance officer atThe McCart Group, a national insurance brokerage outsideAtlanta.

Mr. Duncan, the former chief risk officer at Delta Airlines,added that while there are differences in ERM and continuityplanning, at the end of the day, "the fundamental premise behindboth is the same. It's to increase organizational resilience so youcan avoid bad things--and to increase your ability to mitigatedamage if bad things happen."

Combining continuity planning--including disaster recovery--andERM is a relatively new development, many loss control expertsagree.

"It is still a minority of companies that see the linkagebetween BCP and ERM, but it is beginning to happen," said AndrewTait, a principal and head of business continuity planning at CoreRisks Ltd., a consulting firm in King of Prussia, Pa.

He said some organizations are developing their continuityplanning function first because it's easier for boards and"C-suite" executives to comprehend.

Others, he noted, keep doing what has been donehistorically--keeping the two functions separate. "Unfortunately,that remains the most prevalent model, and it's too bad becausethere is no connection, no common language or approach, and this isa major material weakness for these companies," according to Mr.Tait.

Many companies still run the two functions separately becausethey're still trying to determine what "business continuity" means,and what functions are included as part of it.

"The reason they're at the beginning of looking at how ERM andbusiness continuity planning work together is in part because thecontinuity planning function itself is still broadly misunderstoodwithin corporations," said Eli Dabich, co-practice leader of thebusiness continuity practice at Global Risk Advisors, a RedwoodShores, Calif.-based consulting firm.

He added it's not uncommon for a firm with a disaster recoveryfunction to believe this alone constitutes a continuity plan.

"The fact is that, by itself, that's not sufficient, so we spenda lot of time on gap analysis--figuring out where they are versuswhere they need and want to be," he said. "Only after that'scompleted can you really begin to think of it in terms of the largeissue of ERM."

While those developing ERM strategies first, then later creatinga continuity function may be in the minority, this strategy ispicking up steam quickly.

For example, Elan--an Irish pharmaceutical company with growingoperations in the United States--is taking an approach that callsfor developing ERM first and then including continuity planning,according to Deborah Penza, vice president of corporate complianceand head of the company's ERM endeavors.

Others are hopping on the bandwagon. "In fact, there are anumber of companies that are linking risk and BCP and, in somecases, putting them under the same person," said Carol Fox, seniordirector of risk management and business continuity at Convergys inCincinnati.

"We've done it, but so has Blue Cross and Blue Shield ofFlorida, for instance," added Ms. Fox, who also heads the ERMDevelopment Committee of the Risk and Insurance ManagementSociety.

At RIMS, she said, a "convergence" project is underway toexamine how the two should work together.

Convergys' way of managing risk and continuity planning comeswith something of a unique twist. Historically, each of itsbusiness units ran its own continuity planning function. Then, in2002, before the company combined the function and Ms. Fox tookcharge of both, it formed the Business Continuity Council, whichoversees the continuity plan.

The group includes members "from any number of corporatedepartments or silos, including legal, human resources and[information technology] security," she said.

Whatever barriers there are to bringing ERM and continuityplanning together, the convergence must happen inevitably forseveral reasons, a growing number of loss control executivesagree.

Most importantly, new federal regulations passed last year--aresponse to the 9/11 Commission's recommendations--call for theDepartment of Homeland Security to work on a voluntary basis withcorporations to develop transparent and effective businesscontinuity strategies.

"It's on a volunteer basis, but it's moving like a freighttrain, with people moving toward a continuity planning approach,"said The McCart Group's Mr. Duncan.

Also, it's crucial that internal silos involved with riskmanagement speak the same language "if you want to communicateeffectively with the 'C' units and obtain the necessary resourcesand authority you need to be effective," said Laurie J. Champion, amember of the RIMS ERM committee.

Alignment of continuity programs and ERM makes sense whencontinuity program activities "are focused on critical operatingand management processes," according to Ms. Champion, vicepresident of risk management at Coca-Cola Enterprises.

In these cases, well-designed continuity planning efforts shouldimprove operational readiness regarding major risks identifiedthrough an ERM program, she said.

She added that when any management program--continuity planning,ERM, financial risk management or others--"consistently useslanguage and reporting metrics recognized by operating management,they are much easier to implement and update, and everybody comesout ahead."

Finally--and perhaps most important--global corporations can nolonger afford to have individual risk silos acting in a vacuum,according to Mr. Duncan.

"Let's say someone in continuity planning wants to spend $5million on [risk management] upgrades," he said. "How do you knowwhether that's a good decision? It could be that the same $5million investment would save you many more times that in anotherarea of risk management, and possibly yield other benefits aswell."

Risk management is "all about finite resources chasing infiniterisk," added Mr. Duncan. "Only through ERM--and an ERM approachthat includes continuity planning--will you know that you'reultimately getting the maximum mileage possible from those finiteresources."