What’s in a name? Depending on the person offering the definitions, business continuity and risk management are sometimes considered different functions, or subsets of each other, or simply the same. For example, the prevention, preparedness, response and recovery approach to risk management, or PPRR, is presented as risk management. However, when all the steps are accomplished and the results put together, you end up with a business continuity plan. Indeed, risk identification and business impact analysis are two classic steps in preparing overall business continuity. But what then of the opposite idea that business continuity is a subset of risk management?
It is a fact that the term ‘business continuity’ arrived on the scene after ‘risk management’. Risk management can be summarised as avoid, mitigate, transfer or accept risk. Business continuity corresponds to avoiding or transferring risk, more than mitigating or accepting it. In this sense, it would seem to be a subset of risk management. However, there is a counter-argument. Risk management is not always confined to protecting an organisation as a whole. It may be done in the case of individual projects or even transactions. Credit checks on borrowers or purchasers, and exchange rate hedging for export sales, are examples. Each check or hedge may be an application of risk management, but is in itself unlikely to affect the continuity of the organisation.
We end up with a situation where business continuity (overall) and risk management (overall) overlap. They are not the same, even if there are common components, and one is not necessarily a subset of the other. The point is that it is important to have a mutual understanding of what somebody means by ‘risk management’ if you really want to be sure you understand the relationship with business continuity. By correctly understanding the differences, you also have a better chance of making sure that each function is being correctly carried out within your organisation, to the level required.