Evolution of Enterprise Risk Management and Business Continuity Management: A Symbiotic Relationship


Enterprise Risk Management (ERM) and Business Continuity Management (BCM) are two vital components of an organization's strategic planning. While ERM has a longer history dating back millions of years in its primitive forms, BCM emerged more recently, about 2-3 decades ago. Despite their differing timelines, both ERM and BCM play indispensable roles in ensuring the resilience and continuity of an organization. This article explores the similarities and differences between ERM and BCM, highlighting their symbiotic relationship.



1. Similarities:

a. Foundation in Risk Identification:

ERM focuses on identifying and assessing risks across the entire spectrum of an organization, including financial, operational, and strategic risks.

BCM, although it emerged later, also relies on a thorough risk assessment. It delves into potential disruptions that could threaten an organization's ability to operate.

b. Risk Mitigation Strategies:

ERM involves the development and implementation of strategies to mitigate risks, aiming to reduce the impact or likelihood of adverse events.

BCM complements ERM by addressing the residual risks that persist despite risk mitigation efforts. It focuses on developing strategies for business continuity in the face of unforeseen challenges.

c. Integration into Organizational Culture:

Both ERM and BCM require a cultural shift within an organization. They necessitate a proactive approach to risk, promoting a mindset that anticipates challenges and seeks solutions.

d. Focus on Stakeholder Communication:

ERM emphasizes communication with stakeholders to ensure they are aware of potential risks and the organization's efforts to manage them.

BCM extends this communication strategy by emphasizing the need to keep stakeholders informed during times of crisis, thereby maintaining trust and credibility.

The following communication cycle is equally applicable to ERM and BCM (and all other parts of the organization):


2. Differences:

a. Temporal Perspective:

ERM has a forward-looking perspective, identifying and managing risks before they materialize.

BCM operates with a more reactive approach, kicking in when identified risks become reality to ensure the continuity of critical functions. This statement may be challenged by the BCM bodies of knowledge. Keeping it simple, it can be said that the two are complementary, with BCM being a natural extension or expansion of ERM.

b. Scope of Impact:

ERM addresses a broad range of risks that could affect an organization's overall performance.

BCM specifically focuses on events that could disrupt normal operations and threaten the organization's ability to provide essential services.

c. Response and Recovery:

ERM primarily deals with risk response and recovery from a strategic standpoint, emphasizing the overall health and longevity of the organization.

BCM, on the other hand, homes in on tactical and operational responses, ensuring the organization can continue its core functions during and after a crisis. It is to be understood that BCM is not BAU (Business as Usual). Its scope is 'pre-identified processes, to pre-agreed levels, in pre-agreed timeframes'.


Testing in ERM and BCM:

Testing of risk plans and arrangements is rarely heard of, and where it does occur it tends to be less intensive and narrower in coverage, whereas testing of BCM plans and arrangements is a formal requirement of ISO 22301:2019. Consequently, a detailed testing programme plan, individual test plans, and test reports are to be developed. The scope, coverage, and involvement expand to include external interested parties such as third parties, customers, regulators, the media, and the general public.



In conclusion, Enterprise Risk Management and Business Continuity Management are not mutually exclusive but are complementary elements of a comprehensive risk-resilience management framework.

Risk-Resilience as an integrated management system may appear to be new (there is as yet no ISO standard for it), but Risk and Resilience (the latter having a vast scope) do exist independently in organisations in varying shapes, forms, and formats (ISO 31000:2018 exists for Risk Management, while ISO 22316:2017 exists for Organisational Resilience). ERM provides the foundation for identifying, assessing, and mitigating risks, while BCM steps in to ensure organizational resilience when faced with unexpected challenges.

BCM seeks formal testing of the plans and arrangements with the involvement of varied interested parties. Together, they form a symbiotic relationship that strengthens an organization's ability to navigate the complexities of the modern business landscape, fostering both sustainability and continuity.

Organizations that recognize the value of integrating these two disciplines will be better equipped to thrive in an ever-changing environment.
