Organizations have long practiced various parts of what has come to be called enterprise risk management. Identifying and prioritizing risks, either with foresight or following a disaster, has long been a standard management activity. Treating risk by transfer, though insurance or other financial products, has also been common practice, as has contingency planning and crisis management.
What has changed, beginning very near the close of the last century, is treating the vast variety of risks in a holistic manner, and elevating Payments Risk Management to a senior management responsibility. Although practices have not progressed uniformly though different industries and different organizations, the general evolution toward ERM can be characterized by a number of driving forces.
What is Risk Management?
Risk management is simply a practice of systematically selecting cost effective approaches for minimizing the effect of threat realization to the organization. All risks can never be fully avoided or mitigated simply because of financial and practical limitations. Therefore all organizations have to accept some level of residual risks.
Whereas risk management tends to be pre-emptive, business continuity planning (BCP) was invented to deal with the consequences of realized residual risks. The necessity to have BCP in place arises because even very unlikely events will occur if given enough time.
Risk management and BCP are often mistakenly seen as rivals or overlapping practices. In fact these processes are so tightly tied together that such separation seems artificial. For example, the risk management process creates important inputs for the BCP (assets, impact assessments, cost estimates etc).
Risk management also proposes applicable controls for the observed risks. Therefore, risk management covers several areas that are vital for the BCP process. However, the BCP process goes beyond risk management's pre-emptive approach and moves on from the assumption that the disaster will realize at some point.