What role does the risk manager have in crisis management and business continuity?

  • 12 Mar 2018
  • Sean

Professionals in our industry often get this question from senior executives. Put ten professionals in a room and we will get twenty different answers. The truth is, the answer varies with organizational characteristics such as in-house expertise, culture, history, business model, value proposition, risk landscape, and each company's industry.

As our risk industry[1] and companies continue to transform and adapt to market conditions, we as leaders in our profession need to challenge the value we bring to market. It is our job to create the conditions for success. One of the challenges we face today is how to properly structure an organization's risk competencies, such as risk management, crisis management and business continuity. If the answer is 'it depends', how do we make the 'depends' part applicable to our organization and successfully communicate it to leadership?

It begins not with an answer, but with a process. We must establish a line of questioning to help us frame our challenges and opportunities. It starts with two sets of questions that help us understand the current situation and identify gaps in our knowledge. By understanding the answers to these questions, we can begin to define the right risk structure and roles for each organization. The first set of questions gets at the current situation: situation awareness. The second set is more investigative in nature, vetting out gaps in our knowledge in a collaborative way.

Situation Awareness                    | Critical Information Requirements
---------------------------------------+----------------------------------
What is working? Why?                  | What do we know?
What is not working? Why?              | What don't we know?
What does success look like? Why?      | What do we need to know?
What does failure look like? Why?      | Who knows?

Table 1: Program questions for understanding the role of the risk manager in crisis management and business continuity

Situation awareness questioning is important to understanding the operational environment, which is the precursor to all effective action. Situational awareness questioning tells us what we need to fix and why. It is important to understand people's perceptions, beliefs, and behavior around success and failure. We need to incorporate cultural awareness, relevant social and political factors, and other informational aspects into our decision-making process. Employees at the lowest level can be the most powerful component of engagement. Critical information requirement questions continue the investigation into the role of the risk manager by providing clarity on the challenges of the existing structure and identifying gaps in our knowledge.

When we are evaluating the role of the risk manager in crisis management and business continuity, in the context of situation awareness and information requirements, there are three program considerations to include in the evaluation: 1) initiative atrophy, 2) specific expertise, and 3) customer centric.

Initiative Atrophy - Over the last few years, organizations have begun to consolidate these programs. The last thirty years have brought a plethora of incredible risk programs[2] to the market. These programs are dedicated to managing and responding to risk, yet each has specific specialties that allow us to continually manage risk better. However, this rapid organic growth in programs and competencies has also led to inefficiencies, ineffectiveness, and confusion within many organizations. Organizations are becoming oversaturated with additional initiatives and programs. When considering the role of the risk manager in crisis management and business continuity, consider the pruning and consolidation of programs.

I have personally been involved in a number of consolidation projects (e.g., program, processes, technology, power, resources) to reduce redundancy and enhance effectiveness. One great example is a recent client who has rebranded their program to BeReady. Rather than have individual programs for incident management, business continuity, emergency management, business partner risk, IT recovery, etc., the company has consolidated all programs into one program called BeReady. This streamlined effort provides better consistency and quality, but most importantly it has greatly enhanced participation. In this specific example, the BeReady program is under the leadership of the Chief Risk Officer (CRO), which allows the program to be more agile under single leadership, and helps to align with global risk standards. As part of the consolidation, many of these programs will need to be rebranded and marketed internally within the organization. 

Specific expertise - Another important consideration is the similarities and differences of these competencies. When we look at risk management as it relates to crisis management and business continuity, they are very much the same, and yet different. Both identify and mitigate risk, and each has strategies, plans, audits, and training. Both have a before, during, and after incident perspective. Both are centralized functions that are required to work in a cross-functional manner. The list continues. But there are differences. The difference lies in the type of risks, accountability, and timing. For example, risk management tends to be more methodical and planned (e.g., annual insurance renewals), whereas crisis management and business continuity are much more time sensitive and urgent. When considering the role of the risk manager in crisis management and business continuity, consider the alignment of expertise.

Risk management is typically not as time sensitive as crisis management and business continuity, which require an immediate response to a situation. Crisis management and business continuity tend to operate in a high stakes environment with time constraints, inadequate information, and dynamic conditions. 

Risk management is seen as a competency that manages organizational risk such as strategic, financial, liquidity, market, catastrophic, etc. Risk management worries about solvency and performance variability. This is why Enterprise Risk Management (ERM), global insurance, and corporate financing typically fall within risk management.

Business continuity, on the other hand, manages more of the physical hazards (e.g., hurricanes, fires, IT and power outages), operational resiliency strategies (e.g., relocating people, reassigning processes, and workarounds), and supply chain/business partner risk. Business continuity works at a managerial level to ensure the continuation of operations over a spectrum of threats.

Understanding each of the required skill sets and how they work together is necessary to define the role of the risk manager in crisis management and business continuity. 

Customer Centric - We need to remind ourselves of the customer. Everything we do in centralized functions needs to be deployed locally. Leaders and managers in our organizations need to be able to successfully learn, apply, and adapt to our methods and training. These functions cannot be successful if they operate in a stovepipe fashion (vs. communities of interest) with limited sharing of information, knowledge, and effort. Operating separately will only cause organizational confusion and end-user frustration, cloud risk visibility, and lead to poor investments. Whether crisis management and business continuity roll up to risk management or not, risk management is a key enabler. Crisis management and business continuity cannot be effective without a mature risk management program. When we evaluate the role of risk management in crisis management and business continuity, we need to consider the three-phase archetype of any risk or crisis program:

  1. Before: preparation – e.g., planning, plans, practice, planners, monitoring
  2. During: response – e.g., preemptive, response, recovery
  3. After – e.g., lessons learned 

Risk management begins with the risk manager assessing the quality and capabilities of an organization's existing crisis management and business continuity program. Understanding the program's performance before, during, and after an incident will assist in positioning the risk manager. What has been done to prevent, prepare, respond, and recover? An organization's After Action Reviews (AARs) are a good place to gain insight. Are we building leaders for the future?

Crisis management and business continuity must sit within the risk management framework. Both are specific competencies (sometimes referred to as operational risk) that organizations employ to manage and respond to a spectrum of threats. Risk management should provide the overarching risk structure and guidance. This includes such items as the organization's risk tolerance and global consistency. Risk management is tied to ERM and reputation management, and sets measures (KPIs, KRIs, impact ratings), priorities, accountability and responsibilities.

The challenge many risk managers face is that many don't actively participate in managing crises and/or incidents. They are not active in the organization's Global Security Operations Center (GSOC) or Emergency Operations Center (EOC). Nonetheless, in the same way a CEO doesn't know how to do everyone's job within their organization but does know how to run a company, the same goes for risk managers. Be the entrepreneur.

1 - Risk management, crisis management, business continuity

2 - To name a few: crisis management, incident management, emergency management, business continuity, IT recovery, resiliency, reputation management, public relations, product recall / incident, physical security, cyber security, privacy, business partner risk, health safety environment, communications, executive protection, travel security, insurance, reinsurance, resiliency engineering, asset protection / conservation, captives, enterprise risk management, agility, and the list goes on. 

About the author

Sean Murphy

CEO

I founded Lootok, Ltd. in 2006, and currently serve as the President and CEO. My vision was to establish Lootok as a new kind of business continuity consulting company - one that draws from dynamic industries such as education, design, and branding - to breathe new life into the practice. For more information feel free to connect with me here on LinkedIn or check out our website: www.lootok.com. I have over 25 years of contingency experience, with 18 years of consulting experience in operational risk management and business continuity management and 7 years of military contingency planning. I have worked and trained both nationally and internationally in the risk and business continuity industry, specializing in advisory services for Crisis Management and Communication, Business Continuity, Incident and Emergency Management, Supply Chain and Business Partner Risk, and Governance. Prior to founding my own practice, I was a Vice President at Marsh & McLennan Risk Consulting and a Senior Consultant at Ernst & Young. I have performed risk assessments, strategy development, and plan execution for a multitude of industries including banking, brokers/dealers, contact centers, government, healthcare, insurance, manufacturing, retail, telecommunication, and utilities.