BarnOwl Info Sharing Insight: Integrated BCM (Business Continuity Management) and Risk Management Explained with Steve Simmonds & Jonathan Crisp

August 12, 2020

BarnOwl Info Sharing session: 30 July 2020

Integrated BCM (Business Continuity Management) and Risk Management explained

Presented by Steve Simmonds, Director, SynergyGRC and Jonathan Crisp, Director, BarnOwl

Thank you very much Steve for presenting at our info-sharing event on the 30th July 2020. Thank you also to all those who attended.


Whilst, BCM is a sub-set of the greater enterprise risk management discipline, the link between BCM and Risk Management is often not very well understood. This presentation focusses on BCM and how risk management integrates with BCM, provides objective value, and the ability to recover from setbacks, adapt well to change and keep going in the face of adversity.

In a nutshell, risk management together with BCM enables an organisation to optimise the level of risk being taken to best achieve the organisation’s objectives whilst still operating within the risk appetite of the organisation. Risk management is about preserving and enhancing value creation whilst minimizing the risks that lead to value erosion.

The definition of risk management, BCM and business resilience planning are as follows:

  • According to ISO 31000, risk is the “effect of uncertainty on objectives” and an effect is a positive or negative deviation from what is expected. Risk management refers to a “coordinated set of activities and methods that is used to direct an organization and to control the many risks that can affect its ability to achieve objectives.”
  • The COSO “Risk Management-Integrated Framework” defines RM as a “… process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
  • ISO 22301 provides a framework to plan, establish, implement, operate, monitor, review, maintain and continually improve a business continuity management system (BCMS). It helps organisations protect against, prepare for, respond to, and recover when disruptive incidents arise.
  • Business Resilience Planning: Business resilience planning is a governance and risk management responsibility that boards address to enable them to survive and thrive in an increasingly hostile environment.

Threats (Risks) and Impacts (Consequences)


If we look at the highest WEF (World Economic Forum) findings as seen on the slide above, we can surmise that some things in life are unavoidable; we certainly cannot control all the threats to our business that lead to many of these unforeseen situations.

current threats

If we look at the slide above and the threats (on the left hand side) posed through WEF, they will impact the business and cause disruptions in various ways, shapes and forms (on the right hand side):  Let’s take a look at some of these impacts:

  • Supply chain interruption — any disruption to suppliers, service providers, utilities or infrastructure that impedes the flow of goods or services in or out of the business.
  • Compromised worker H&S – Absenteeism, stress, excessive pressure, uncertainty
  • Loss of staff and staff morale – Indecisive Leadership, loss of key personnel, negative economic growth, remote working, 
  • Data loss/corruption – disruptions affecting access to IT services (IT disaster recovery) or the protection of critical data (cybersecurity). 
  • Restricted Access to Facilities – disruptions of a business entity (like offices, call centres, retail locations, manufacturing plants or warehouses) as well as critical assets like specialised equipment.

However, by doing our due diligence and looking at ways of developing strategies to mitigate these threats and the impact they have on our businesses, we will be well prepared to maintain business functions and overcome these unavoidable situations and as a business, be resilient when we are faced with new unavoidable situations! But what is business resilience? 

Business Continuity Management (BCM)

BCM can be described as a process of identifying and responding to fast – approaching, high – impact interruption risks that can overwhelm inherent operational resiliency.Operational resiliency focuses on preserving the people, processes and procedures that help businesses survive unexpected threats. A resilient business can return to its previous state of operation following a threat to the business that might otherwise disrupt it or shut it down. Such an organization achieves its state of resilience using several techniques such as business continuity management (BCM) that includes disaster recovery (DR) as an important sub-set.

Business Impact Assessment (BIA) and Risk Assessment (RA) explained


Business Impact Assessment: Focuses on

  • The potential impacts of a disruption to critical business sub processes / activities because of a disaster, accident, or emergency
  • Names of organizations and/or sub-processes / activities the critical sub process / activity depends on for normal operations
  • Quantitative Impacts – Financial amount associated with the critical sub process / activity, e.g., annual revenue generated by the process
  • Qualitative Impacts – Non-financial impact to the company, e.g., loss of reputation, loss of customers 

Threat and Risk Assessment: Focuses on

  • Identifying potential threats – Power Outage (Regional Blackout), IT System crash etc.
  • Information types affected – Accounting records – invoices, bills, accounts, Supplier contracts etc.
  • Risk decisions – inherent and residual and preventive actions (Proposed controls)
  • Concurring where BCP’s (Business Continuity Plans) are required 

Business continuity management and risk management complement one another, and both are necessary in today’s high-risk business environment.

Embedding BCM with the Organisations Culture

In the Model below, the Board will focus on corporate strategy development and understanding the business model as many companies do today, however prior to any risk assessment activities the Board will identify and document critical processes and assets which underpin its ability to create value for its shareholders. The criticality of these processes and assets will obviously vary from organisation to organisation.

In the next step the question is asked “what the impact on the business would be if these processes failed or an asset was not available.”
From this stage an “Impact Policy” can be developed. This will be a clear statement from the Board on the processes and assets that drive shareholder value within the business and the need to make all reasonable efforts to minimise anything that would impair their performance.

The Risk Assessment phase is now focused on any risk that has an impact on the above, arguably devoid of any arbitrary view on probability.

The next stages are to be conducted at the specialist operational level of the organisation and will look at determining the Business Continuity Strategy and developing and implementing the BCM response.

The final stage does require direction and investment of time and resources from the Board and effectively supports the whole framework and concerns the need to embed good practice throughout the organisation.
embed bcm

Integrated Risk Management and Business Continuity Management

In summary, once we have identified the most significant goals/objectives/ processes/ assets/ resources that make-up our business and what the impact would be if they were compromised, we perform risk assessments to identify the risks that threaten our objectives and what risks (opportunities) to take to achieve our objectives (within our risk appetite and tolerance). Based on our risk response strategy (treat, terminate, tolerate, transfer), we put controls in place to mitigate the risks where possible:

business objectives

In summary

Strategy and risk management are inseparable. Risk and assurance management is a critical management tool which enables an organisation to optimise the level of risk being taken to best achieve the organisation’s objectives whilst still operating within the risk appetite of the organisation. Risk management, business continuity and sustainability are more important now than ever.

Presentation and Video links:

Please see attached presentation here and video link here 
You can find more information about SynergyGRC at or
and Steve Simmonds at

Useful and associated links: and 

Thank you:

Once again thank you Steve for your time and for your informative presentation and thank you to all those who attended our info sharing session. We look forward to seeing you at our next info sharing session. Please keep a look out for our upcoming events at: and feel free to join our next event at on the 27th August 2020 from 9am to 10am.

Kind regards
Jonathan Crisp
Director – BarnOwl GRC and Audit software

About Steve Simmonds, Director, SynergyGRC

Steve has over 20 years’ experience as a Governance, Risk and Compliance (GRC) Consultant, Management Systems Auditor and subject matter expert in the implementation of management systems and technology frameworks.  He has had exposure to Government, & NGO, State Owned Enterprises, Information Technology Software (Systems, Applications), Manufacturing, Mining and Extraction, and Transportation & Storage industry sectors.  Steve has managed numerous small, medium and large-scale local and international management systems including information technology and information management infrastructure projects incorporating the disciplines of; Governance and Compliance, Information Security, Enterprise Risk,  Business Continuity, Quality Management, Health Safety and Environment, Food Safety, Occupational Hygiene and Occupational Health.

About Jonathan Crisp, Director, BarnOwl

Jonathan Crisp has a BSc Honours in Computer Science, as well a Risk-Based Internal Auditing certification. He has over 30 years’ experience in the IT industry and is one of the founding directors of IDI Technology Solutions.
IDI are the owners and software developers of the BarnOwl GRC and Audit software solution which is the preferred GRC solution in the public sector, endorsed by the Office of the Accountant General (OAG) of South Africa.
Jonathan is an active member of the Risk Intelligence Committee at IRMSA (Institute of Risk Management SA) and is a member of the IIA (Institute of Internal Audit SA).

About BarnOwl:

BarnOwl is a fully integrated governance, risk management, compliance and audit software solution used by over 200 organisations in Africa, Australasia and the UK. BarnOwl is a locally developed software solution and is the preferred risk management solution for the South African public sector supporting the National Treasury risk framework.

Please see  for more information.