Have you noticed the recent chatter about divorcing continuity and risk management? It seems to me that this mindset is anchored in a cloudy, blinkered mentality. At R2 we're really clear about the value of both risk management and continuity, and more importantly about how they fit together and, backed by a capable and flexible team, how they produce resilience. We're not renowned for our algebra, but there's one formula we know works well. R + C2 = Resilience; that is to say, combining effective Risk management, Continuity management and a Capability vested in people provides real Resilience.
As business owners its obvious to us that business and risk go hand in hand, both in terms of understanding the risks you are presented with and in relation to the amount of risk you are prepared to take to achieve your goals. Fair to say therefore that if you're running an organisation you're involved in risk. Accepting that risk is the 'effect of uncertainty on objectives' it stands to reason that being able to deal with this uncertainty, reduce it when possible and respond when it disrupts are crucial skills for any organisation. Its a mistake to expect risk management and continuity to work independently; in fact its our view that continuity management provides key tools that form a key element of the overall risk strategy.
To explain; there is no point in assessing the risk of every conceivable eventuality when its the risk to those things that are most crucial to your success (processes, information, resources) that should occupy your conceptual and physical efforts. In other words if the risk has no bearing on your short or long term business objectives then why manage it? Best to focus on what matters most. Business continuity's business impact assessment provides a great vehicle for developing this focus at the strategic, tactical and operational levels. Done properly it provides a focus for risk, relevant to the whole organisation and its objectives, not just to continuity or operations. Similarly continuity strategies and plans provide the treatment for many risks, both in terms of mitigation and response. In these regards, risk and continuity work very well together to achieve resilience; keep these two disciplines in silos at your peril.
More importantly, despite the best risk management efforts, there's no such thing as 'risk free' if you're going to make progress; ships are safest in the harbour, but that's not really what ships are for. So, given that you will be setting sail, its essential to have the resilience to recognise, monitor and deal with uncertainty and residual risk (the risk that you know is there but cant remove) as well as being resilient enough to deal with those unexpected and unforeseen risks (events that 'blindside' you). In this regard its the capability of your people and the flexibility of your plans that will see you through the unforeseen.
Risk, continuity and capability: the whole is greater than the sum of the parts. Break the silos and combine these components for real resilience.
(With thanks to John McKee from Linkubator for the ships metaphor!)