The Siscuss ERM conference I am a keynoter at just raised a question you may find insightful. How can you have a business continuity management program (BPM) without knowing your current state and the inherent underlying major risks (Million Dollar Blind Spots) from an enterprise risk management (ERM) perspective?
http://www.risk2013.siscuss.com/
Had not thought about the need for a risk assessment as the foundation for an effective value creating BPM program.