Risk Management

Risk Readiness: ERM’s Key Role in Business Continuity Planning

January 31, 2024

Amid rising geopolitical, climate and cyber risks, enterprise risk managers play an important part in preparation plans.

Recent natural disasters, cyberattacks and wars in Ukraine and Gaza are underscoring the importance of developing robust business continuity plans (BCPs) to ensure companies can keep operating in the aftermath of a crisis. The current, volatile state of affairs is also drawing attention to the value enterprise risk management (ERM) teams bring to business continuity management, including the identification of risks that could require the use of BCPs.

  • A recent session of NeuGroup for Enterprise Risk Management made clear that collaboration between ERM and business continuity teams is both widespread and essential. Members participate in the development of plans, tabletop exercises, education and risk frameworks for BCPs.
  • “We basically make sure that we’re in sync on what they’re seeing,” one member said, referring to his company’s business continuity team. “They talk to some of the stakeholders we do, so we stay pretty aligned with them.”

Different structures, common purpose. Business continuity teams sit within a variety of functions, including ERM, quality, operations, finance and security. Members discussed the pros and cons of business continuity teams consisting of dedicated team members or subject matter experts from multiple teams. Whatever the structure, though, the goal of integrating ERM within the continuity planning process is increasing readiness.

  • One ERM member shares staff with the business continuity team, which spends much of its time going to different units ensuring that plans are in place. Business continuity also connects closely with the crisis management team that sits under corporate security. The key to this structure working is cross-functional collaboration.
  • One member whose business continuity team sits within ERM said this about the BCP: “We set the framework, and we have our critical partners from supply chain, facilities, etc. They have their own designated plans, and we have a requirement where everyone needs to do their tabletop exercise every year. Then ERM provides an update to our board committees.”
  • Another member added, “I’m not responsible, but I partner with our business continuity office. We are doing a relaunch, if you will. We want to restructure it and refine some areas, so I’m partnering with them to help navigate through the company and look at things from a high level, risk-down perspective.”

Calling out climate change. One member mentioned the tornado that destroyed a Pfizer warehouse last summer, another example of the rising risks of natural disasters that ERM must communicate to the C-Suite. “We’re starting to call out climate change to our leadership,” he said.

  • That’s a smart move: This member’s company recently suffered the total loss of a data center that ran local manufacturing in a European country. “So when the flood hit, crisis management runs the show and business continuity comes along to make sure that all the things they’ve been doing in tabletop exercises get operationalized.”
  • The event revealed the company had key risk management infrastructure in place. “In some ways it was actually pretty remarkable how quickly the team was able to mobilize,” the member said. “Within a week, they pretty much got operations back to normal. Now it’s a matter of going and getting the equipment and rebuilding the data center—ideally in a place that won’t flood.”

Preparation pays off. In NeuGroup’s 2024 Finance and Treasury Agenda Survey, members ranked geopolitical conditions the fourth biggest risk facing their companies. Given that backdrop, companies have tasked risk managers with gaming out scenarios to judge readiness. One member recently reported the results of tabletop exercises to the board.

  • The company has a large credit and collection team in Romania which, due to its proximity to Ukraine, is at risk of a disruption in operations. To test preparedness, the company told the whole unit to stop work for two weeks and focus on longer-term projects. “We turned the whole team off without any warning and looked at how other teams around the world did picking up their work.”
  • The exercise turned out to be something of a success. The member said that there were “a lot of lessons learned. Nobody freaked out.”
  • The member’s company also ran a tabletop exercise focused on Israel a couple of weeks before the war in Gaza began. The timing of the exercise meant “now we can use what we learned then, live for the event itself,” he said.

Aha moments. Another escalating risk causing corporates to reassess their BCPs is cyberattacks. One member had run a mock crisis exercise just the week before a high-profile cyberattack was carried out on another company.

  • “Through that, there were some ‘ahas!’ that this isn’t going to be a 48-hour event. This could be several weeks and the ramifications could go on for several months after that,” he said.
  • Another member sees room for improvement in their business continuity setup. “I don’t think the cybersecurity and BCP are as well integrated as they should be. We are having a tabletop exercise next month.”
  • Several members shared that their companies have a separate cybersecurity council in their corporate structure that must work closely with their business continuity and ERM teams.

Overcoming obstacles. In a perfect world, ERM would work hand in glove with the business continuity team, but in reality it’s not always so simple.

  • One member shared, “I had participated in some of the local tabletops at manufacturing sites some years ago, and now they are managing them more locally.”
  • The company is planning a cyber tabletop exercise, and the member added, “I managed to get myself invited to this cyber tabletop but I had to force my way through the door and promise to not speak.”
  • At a different member’s company, the cyber and crisis committees do not yet include IA or ERM in their exercises. The member added, “I have not pushed just yet for that. There are other priorities from a resource, bandwidth standpoint.”

Author: Justin Jones