Enterprise risk management and business continuity management: Together at last

Start adding items to your reading lists:
Save this item to:
This item has been saved to your reading list.

Organizations that integrate enterprise risk management (ERM) into their strategic planning efforts have found that business continuity management (BCM) enhances both their value creation objectives and their protection objectives. The confidence that comes from identifying and appropriately addressing interruption risks enables them to more boldly execute those strategic plans. But to gain that confidence requires the melding of ERM and BCM programs.

Executing a series of well-coordinated ERM and BCM integration activities makes it possible to realize the full value of optimized business continuity management

Leading-practice integration examples include:

  1. Consider ERM and BCM program integration
  2. Involve BCM management in the ERM risk assessment process
  3. Involve ERM management in BCM interruption risk assessment planning and analysis
  4. Perform a BCM business impact analysis (BIA) that is informed by the ERM program’s impact categories, weighting, and thresholds
  5. Develop ERM-informed risk resiliency improvement recommendations
  6. Enhance risk scenario analysis
  7. Conduct BCM capability examination and post-incident analysis
  8. Link BCM and ERM program effectiveness reporting
  9. Leverage governance, risk management, and compliance (GRC) technology


ERM lifecycle and BCM lifecycle synergies

Program governance

  • ERM and BCM program governance is tightly coupled, sharing many of the same stakeholders 
  • The ERM and BCM program owner can be the same individual, yet supported by separate administrative teams 
  • The ERM and BCM programs report to the same risk committee and/or board of directors 

View more

Risk assessment/business impact analysis (BIA)

  • ERM and BCM risk assessment scopes align for areas related to operational interruption risks 
  • ERM risk impact categories and their thresholds are used to standardize the way BCM BIA participants describe operational interruption impacts 
  • Management’s risk appetite and tolerance decisions are informed by BIA results 

View more

Risk treatments/strategies

  • Deciding whether and how to respond to interruption risks is based on management’s risk tolerance and risk appetite 
  • Resiliency improvements are made to areas that leadership identifies as critical to achieving operational and strategic goals

View more

Risk plans/business continuity plans

  • Approved strategies for responding to interruption risk are documented in actionable business continuity plans

View more

Program effectiveness monitoring and reporting

  • Responses to actual interruption events and the results of business continuity and crisis management exercises are formally evaluated against risk reduction objectives 
  • The BCM program’s effectiveness analysis provides a feedback loop to the overall ERM program, thereby providing comfort that resiliency and recoverability efforts reduce interruption risk impact

View more

Contact us

Mike Maali

Mike Maali

Partner, Risk and Regulatory, PwC US

Steve Zawoyski

Steve Zawoyski

Enterprise Risk Management Solutions Leader, PwC US

Follow us