Bridging silos in business continuity and risk management


Emergency management, business continuity and enterprise risk management are different areas, but have significant overlaps, says Christopher Stitt, CEO of CrisisLead.

An organization’s resilience

When it comes to managing risk and developing resilience, an organization’s emergency management, business continuity and enterprise risk management programs need to work in concert.

In many companies, these functions fall under different programs and leads, but they share many of the same attributes and stakeholders.

Each of these deals with identifying potential hazards, vulnerabilities and threats, assessing the potential impact should the issue manifest, finding ways to mitigate the impact, and determining and preparing for the residual risk.

However, each of these programs comes from slightly different angles of approach.

Emergency management typically begins with an assessment of the hazards faced.

These may be natural, man-made or due to a technical disruption.

The goal of emergency management is the safety of life and property.

The phases of emergency management are to mitigate, prepare, respond and recover.

This cycle is wrapped in constant evaluation and validation through regular training, drills and exercises, with after-action assessments.

Some organizations have included “prevention” ahead of mitigation.

Emergency management

A great example of emergency management is fire. A fire can be caused by any of the three hazard categories (human, natural or technical failure).

Organizations work to prevent or mitigate the impact of fires through building codes, construction methods, sprinkler systems, etc.

Personnel are trained and drilled in the actions to take on signs of a possible fire (smelling smoke, an alarm activation) as well as in the event of an actual fire.

An organization’s fire plan will also typically have at least some instructions for how to recover and resume operations after a fire.

This may include shifting operations to unaffected sites, restoring affected sites and caring for affected personnel.

It is this recovery phase that really overlaps with business continuity.

Business continuity

Business continuity as a concept originated in the IT sphere in the 1970s with a focus on recovering data and systems after a disaster.

More recently, business continuity programs have expanded to take a more holistic approach, looking at all facets of operations, including IT infrastructure, protecting key staff and facilities, supply chain resilience and stakeholder communication.

The starting point for business continuity differs from emergency management.

Whereas emergency management starts with an assessment of hazards, business continuity starts with a Business Impact Analysis – an assessment of key business activities and the critical dependencies to support those key activities.

When exploring key activities, the analysis looks much more closely at the impact on overall business operations if those activities are interrupted, and sets the timeframe within which each key activity must be restored before that impact becomes substantially disruptive, or even fatal, to the organization.

When exploring critical dependencies, business continuity programs look at succession authorities for key personnel, alternate supply chains for essential ingredients or components and even more mundane issues such as power, communications, water and access to facilities.

It is important for business continuity planners to examine critical dependencies both inside and outside the organization.

A great example was the recent fire at an electrical substation that shut down operations at London’s Heathrow airport for more than 24 hours.

There was an impact on airport operations and the rest of the area around the substation, but also follow-on disruptions to the movement of people and cargo.

Continuity planners need to do a lot of imaginative scenario planning and table-topping to identify all the critical dependencies.

When it comes to supply chains, security officials may have unique insights into how geopolitical issues, criminal activity and disasters can cause disruptions.

Going back to the earlier example of fire as an example of emergency management, from a business continuity perspective, a fire may result in disruption of key activities due to complete or partial loss of a facility, injury or death of key personnel, damage to equipment, loss of inventory, damage to communications or IT infrastructure, or other issues.

Business continuity managers and planners will work with stakeholders to determine what the key activities are, assess the impact of a disruption to those key activities or critical dependencies the activities rely on, the maximum time allowed for restoration of the activities and proposed solutions to facilitate restoration of those activities within the timeframes.

In an organization, almost all operations will try to claim they are key.

This is why it is essential to have leadership buy-in and involvement to help prioritize which of the operations are indeed key.

The procurement and development of redundant systems and sites can involve a significant cost, which will need the approval of top management.

Risk management

Enterprise risk management (ERM) is the third area that overlaps with the other two.

ERM’s approach again comes from a different angle, looking not only at physical risks but also at financial and reputational ones.

ERM is where you will typically encounter “risk registers” that categorize the hazards, threats, mitigation measures and residual risk that must be accepted by leadership or transferred (such as via insurance policies).

Crisis communications are often closely tied to or even within ERM programs due to the issues with reputational risk.

Prior to the 1990s, risk was often managed in silos:

  • The finance team worried about financial risk
  • The security team worried about physical threats
  • The IT team worried about cyber-risk
  • The legal team worried about compliance

Starting in the 1990s, regulators, boards of directors and shareholders recognized that these silos impeded strategic decision-making about risk, and companies began finding ways to break down or bridge them for more effective risk management.

This led to the development of standards such as ISO 31000 – “Risk Management”, and the COSO ERM Framework.

All three of these concepts, emergency management, business continuity and enterprise risk management, share many of the same stakeholders throughout an enterprise.

Studies conducted by PwC and Deloitte indicate that many companies are beginning to more tightly couple business continuity and enterprise risk management.

On the US Federal side, continuity programs (including continuity training) fall under the Federal Emergency Management Agency.

In Fairfax County, Virginia, continuity planning likewise falls under the county Department of Emergency Management and Security but also has a direct reporting line to the County Executive and Deputies as well.

Security officials benefit from understanding the differences and overlaps between these programs, as they are major stakeholders in all three, even if the overall programs may not fall under the security section.

Also, the perspective and mindset that security can bring to these programs adds significant value, leading to a greater likelihood of success, and is another area in which security can be seen as a business enabler, rather than a cost center.

About the author

Christopher Stitt is the CEO of CrisisLead, LLC. He has almost 30 years of experience in international security, risk and emergency management.

He is an IAEM Certified Emergency Manager, holds the FEMA Master Continuity Practitioner Certificate, is a Board Member for the Association of Continuity Professionals DC Chapter and he recently co-presented with Michael Gips on creating high-performing enterprise risk management programs at the 2024 RIMS ERM conference.

This article was originally published in the May edition of Security Journal Americas.