Risk Managers Play Critical Role In Disaster Recovery

Faced with a widening variety of potentially catastrophic exposures--both natural and man-made--risk managers are integrating business continuity and disaster recovery planning into their enterprise risk management efforts, and not a moment too soon, loss control experts say.

"Business continuity management and related areas, such as security and disaster recovery, are all components of operational risk, and that in turn is a component of ERM," said John B. Copenhaver, president and chief executive officer of the Disaster Recovery Institute, with offices in Atlanta and Washington, D.C.

"That's how we see all of this working together today, and we're working hard to get that message across," added Mr. Copenhaver, a former senior Marsh executive.

"There's no question that ERM and business continuity planning connect and are inseparable. They're really two sides of the same coin," added Chris Duncan, chief operating and finance officer at The McCart Group, a national insurance brokerage outside Atlanta.

Mr. Duncan, the former chief risk officer at Delta Airlines, added that while there are differences in ERM and continuity planning, at the end of the day, "the fundamental premise behind both is the same. It's to increase organizational resilience so you can avoid bad things--and to increase your ability to mitigate damage if bad things happen."

Combining continuity planning--including disaster recovery--and ERM is a relatively new development, many loss control experts agree.

"It is still a minority of companies that see the linkage between BCP and ERM, but it is beginning to happen," said Andrew Tait, a principal and head of business continuity planning at Core Risks Ltd., a consulting firm in King of Prussia, Pa.

He said some organizations are developing their continuity planning function first because it's easier for boards and "C-suite" executives to comprehend.

Others, he noted, keep doing what has been done historically--keeping the two functions separate. "Unfortunately, that remains the most prevalent model, and it's too bad because there is no connection, no common language or approach, and this is a major material weakness for these companies," according to Mr. Tait.

Many companies still run the two functions separately because they're still trying to determine what "business continuity" means, and what functions are included as part of it.

"The reason they're at the beginning of looking at how ERM and business continuity planning work together is in part because the continuity planning function itself is still broadly misunderstood within corporations," said Eli Dabich, co-practice leader of the business continuity practice at Global Risk Advisors, a Redwood Shores, Calif.-based consulting firm.

He added it's not uncommon for a firm with a disaster recovery function to believe this alone constitutes a continuity plan.

"The fact is that, by itself, that's not sufficient, so we spend a lot of time on gap analysis--figuring out where they are versus where they need and want to be," he said. "Only after that's completed can you really begin to think of it in terms of the large issue of ERM."

While those developing ERM strategies first, then later creating a continuity function may be in the minority, this strategy is picking up steam quickly.

For example, Elan--an Irish pharmaceutical company with growing operations in the United States--is taking an approach that calls for developing ERM first and then including continuity planning, according to Deborah Penza, vice president of corporate compliance and head of the company's ERM endeavors.

Others are hopping on the bandwagon. "In fact, there are a number of companies that are linking risk and BCP and, in some cases, putting them under the same person," said Carol Fox, senior director of risk management and business continuity at Convergys in Cincinnati.

"We've done it, but so has Blue Cross and Blue Shield of Florida, for instance," added Ms. Fox, who also heads the ERM Development Committee of the Risk and Insurance Management Society.

At RIMS, she said, a "convergence" project is underway to examine how the two should work together.

Convergys' way of managing risk and continuity planning comes with something of a unique twist. Historically, each of its business units ran its own continuity planning function. Then, in 2002, before the company combined the function and Ms. Fox took charge of both, it formed the Business Continuity Council, which oversees the continuity plan.

The group includes members "from any number of corporate departments or silos, including legal, human resources and [information technology] security," she said.

Whatever barriers there are to bringing ERM and continuity planning together, the convergence must happen inevitably for several reasons, a growing number of loss control executives agree.

Most importantly, new federal regulations passed last year--a response to the 9/11 Commission's recommendations--call for the Department of Homeland Security to work on a voluntary basis with corporations to develop transparent and effective business continuity strategies.

"It's on a volunteer basis, but it's moving like a freight train, with people moving toward a continuity planning approach," said The McCart Group's Mr. Duncan.

Also, it's crucial that internal silos involved with risk management speak the same language "if you want to communicate effectively with the 'C' units and obtain the necessary resources and authority you need to be effective," said Laurie J. Champion, a member of the RIMS ERM committee.

Alignment of continuity programs and ERM makes sense when continuity program activities "are focused on critical operating and management processes," according to Ms. Champion, vice president of risk management at Coca-Cola Enterprises.

In these cases, well-designed continuity planning efforts should improve operational readiness regarding major risks identified through an ERM program, she said.

She added that when any management program--continuity planning, ERM, financial risk management or others--"consistently uses language and reporting metrics recognized by operating management, they are much easier to implement and update, and everybody comes out ahead."

Finally--and perhaps most important--global corporations can no longer afford to have individual risk silos acting in a vacuum, according to Mr. Duncan.

"Let's say someone in continuity planning wants to spend $5 million on [risk management] upgrades," he said. "How do you know whether that's a good decision? It could be that the same $5 million investment would save you many more times that in another area of risk management, and possibly yield other benefits as well."

Risk management is "all about finite resources chasing infinite risk," added Mr. Duncan. "Only through ERM--and an ERM approach that includes continuity planning--will you know that you're ultimately getting the maximum mileage possible from those finite resources."