Program governance
- ERM and BCM program governance is tightly coupled, sharing many of the same stakeholders
- The ERM and BCM program owner can be the same individual, though supported by separate administrative teams
- The ERM and BCM programs report to the same risk committee and/or board of directors
Risk assessment/business impact analysis (BIA)
- ERM and BCM risk assessment scopes align for areas related to operational interruption risks
- ERM risk impact categories and their thresholds are used to standardize the way BCM BIA participants describe operational interruption impacts
- Management’s risk appetite and tolerance decisions are informed by BIA results
Risk treatments/strategies
- Deciding whether and how to respond to interruption risks is based on management’s risk tolerance and risk appetite
- Resiliency improvements are made to areas that leadership identifies as critical to achieving operational and strategic goals
Risk plans/business continuity plans
- Approved strategies for responding to interruption risk are documented in actionable business continuity plans
Program effectiveness monitoring and reporting
- Responses to actual interruption events and the results of business continuity and crisis management exercises are formally evaluated against risk reduction objectives
- The BCM program’s effectiveness analysis provides a feedback loop to the overall ERM program, thereby giving assurance that resiliency and recoverability efforts reduce the impact of interruption risk