With the increased awareness of organisations regarding the need to protect vital business functions, the terms "business continuity" and "risk management" are becoming common parlance. However, the ability to effectively define these two disciplines has become a topic for debate, due to user confusion over their relevant definitions, despite clear areas of synergy. With increasing demand for information over the evolving nature of business continuity, there is now a pressing need to understand the interaction that exists between Business Continuity Management (BCM) and Risk Management.

Indeed, risk management is rapidly becoming a significant area of concern for COOs and Chief Insurance Officers. IRCA believes that, from 2006, risk management (not risk avoidance, which is commonly practised in business) will become a core competency for the CIO position. The traditional areas of computer and information security, which are becoming more urgent in the heavily networked IT environment, fall into this category, but they comprise only a part of the overall risk management syllabus that COOs and CIOs must master. Depending on the organisation's industry sector and culture, a significant percentage of the budget should be devoted to risk management, including IT security, business continuity, and other risk-related issues and regulations (e.g. CFR 11, Sarbanes-Oxley, King 2 and other corporate governance standards).

In simple terms, business continuity concerns the facilitation of continuous operation of key business functions in a crisis situation (e.g. flood, fire, business disruption, electricity power shortages, terrorism etc.). In contrast, risk management is perceived as a much broader discipline and one that effectively sets out to identify and manage risks that affect an organisation, often from a more strategic standpoint (e.g. vendor viability). Typically, since business continuity is perceived to be a less comprehensive discipline, there is a tendency to place it under the umbrella of risk management. This is understandable, particularly in terms of the apparent overlap between business continuity and the operational risk sub-segment of risk management.
Blurred Boundaries or Close Gearing

In a practical context, the lines between business continuity and risk management are often blurred, in that the two disciplines use similar tools and techniques to reach their specific goals, including risk assessment, business continuity planning, and business impact analysis. Nevertheless, it is possible to make fundamental distinctions between the two. As a discipline that can provide real tactical solutions to the threat of risk, business continuity is often viewed as being subservient to the more strategically focused risk management function. The erroneous perception that often perpetuates this is that business continuity is primarily concerned with issues that relate to physical loss (e.g. the destruction of a building, damage to inventory). Yet business continuity should actually encompass all of the processes necessary to restore business functionality during a time of crisis. Although this may include physical loss (e.g. a data centre flood), it could also include issues such as data loss, server outages, and loss of operational capability, plant, people and communications, as well as supply chain issues, to name a few examples.

Risk management sets out to tackle risk at its very core, and as a result it incorporates a wider range and variety of functions, including those that fall within the categories of positive impact, negative impact, and business non-stoppage. It is important to remember that a specific risk will not necessarily bring about instantaneous business stoppage. Insidious, low-impact risks can often prove to be some of the most fatal (e.g. Arthur Andersen, where cultural problems built up over a period of time and played a major role in the company's fall from grace). In contrast, the inherent value of business continuity is clearer when we consider that essentially not all risks can be managed. For example, it is arguable whether the World Trade Center attacks, the recent attacks in London, the fuel shortages in December 2005 in SA and the power cuts in the Western Cape could have been effectively foreseen and thus the risk managed.
Encompassing enough--but not too much

In reality, the terms business continuity and risk management are often used interchangeably, but this creates a distinct problem in terms of knowing what the user actually means. This is particularly apt in view of the varying perceptions and confusion that persist over what business continuity now encompasses. Although clear distinctions can be made in relation to the cause-and-effect focus areas of business continuity and risk management functions, these distinctions will likely become harder to make as business continuity continues to grow and effectively sheds its image of being merely a physical loss-related solution. In light of September 11 and the raft of corporate scandals, the threat of contextual and transactional risks has come much closer to the fore. Despite this, the age-old issue of making provisions for the loss of personnel and skill shortages during a crisis is still a major area of weakness for many companies. In fact, the business continuity plans of most organisations do not include any kind of strategy for the loss of personnel and the related skill void that would result.

In essence, both business continuity and risk management have a similar focus--that is, giving organisations the ability to effectively cope with risk and understand how it affects their organisation. Business continuity is about prevention, which parallels risk management in that it seeks to identify the early signs of disaster.
Embracing the concept of risk

The key insight to be derived from these comparisons is greater awareness of the ongoing issue of effectively embedding these disciplines within organisations. Although risk management and business continuity efforts are becoming increasingly prevalent, many organisations still view these activities as an end in and of themselves rather than as a means to encourage a risk-focused culture, which is essentially the ultimate goal of management when adopting these disciplines into their decision-making process. Unless the concepts of risk management and business continuity are institutionalised into day-to-day activities, organisations will have limited success in these areas and leave themselves dangerously exposed. Planning efforts are of no consequence without a corporate culture, as well as dynamic measures, that can address and pre-empt risk. As with nearly all business functions, the key to success for business continuity and risk management remains firmly within effective communication, in knowing how to bring about a culture that embraces the concept of risk across all activities.

Comparing the functions of different disciplines and constantly re-evaluating those functions certainly adds value. In this case, it is important that comparisons be used to promote the ways in which the disciplines can work together more effectively rather than to promote separation of the disciplines. As organisations attempt to increase efficacy in these areas, they must not lose sight of what they are essentially seeking to achieve--that is, to make better decisions as a company and ultimately to make the business more profitable.

Bottom line: Synergy between business continuity and risk management efforts should be exploited to maximise an organisation's protection from business interruption.

Business impact: Effective use of business continuity and risk management processes will enable organisations to minimise threats and increase profitability.
Auditing BCM

Auditing business continuity management (BCM) is rapidly becoming one of the most urgent issues throughout the audit community. Recent legislation and several regulatory initiatives have made it clear that operational, financial and technology auditors must review business continuity (and not just IT disaster recovery) in much more detail than before. The events of 9/11/01, and the subsequent world terrorism and natural disaster issues, coupled with organisational preparedness, have heightened interest in topics such as disaster preparedness, preventative measures, recovery and restoration of the core business - in other words: how will the business continue to function if a major event occurs that may impact organisational stability and the existence of the company or site of operation?

In the US, standards like Sarbanes-Oxley, NFPA 1600 (National Fire Protection Association), HIPAA and the discussion about homeland security have put BCM on the audit agenda. The recent natural disaster events in New Orleans perhaps demonstrate the vulnerability of plans that are not practised, and show that the human element must in all cases be tested as much as is practicable. In Britain and Europe, the Turnbull Report and various Codes of Corporate Governance are forcing auditors to quickly address an area previously neglected. In Eastern Europe, several national banks have adopted the ISO 17799 standard, which mandates business continuity management for the financial sector. Germany introduced the Business Control and Transparency Act in 1998, enforcing the existence of corporate risk management and certain continuity-related controls for all listed companies. Australia has a BCM standard, as does Canada (Risk Standard).

BCM audit is here to stay: in the global economy, most countries have adopted a "must-have" policy towards business continuity. This is sharply opposed to the traditional "nice-to-have" notion often entertained by senior managers, whose primary concern is to reduce cost and maximise quarterly earnings. As a result, it has been recognised that assurance is needed, and that adequate controls must be in place. BCM has become a vital part of the overall concept of corporate governance, independent review and compliance with good practices. It is now the auditor's responsibility to give due consideration to the concepts, plans and management processes that safeguard the survival of an organisation under adverse conditions. In other words: BCM is a going concern issue and must be addressed accordingly. The British Standards Institute will bring a new BCM standard to the public domain in 2006, followed by a new risk management standard later in 2006; these will of course be compatible with other BS/ISO standards, following the Guide 72 route.

Dr. Michael Robbins
Head of European Operations
IRCA International Business Division