Business Continuity: How to Apply Enterprise Risk Management to Your BCM Planning Efforts…and Vice Versa!

Categories: Governance, Risk & Compliance,GRC Insights

by Patrick Potter, RSA Archer GRC Solutions

Business Continuity Management (BCM) programs typically do a good job of evaluating business criticality through performing Business Impact Analyses (BIAs) to determine recovery priorities.  However, how many BCM and IT Disaster Recovery (DR) programs adequately assess risks starting at the overall program level down to the process or IT infrastructure level?  How do they properly integrate the business and IT in this analysis?  Further, how many BC/DR programs coordinate or leverage planning with their organization’s Enterprise Risk Management (ERM) program, approach and results?  This is especially critical due to recent guidance from the new ISO 22301 standard.

This is where BC/DR planning and ERM converge in their needs, but are rarely synchronized in their discipline, and here’s a real example.  A Fortune 100 financial services (FS) company I consulted with performed over 3,000 BIAs and has as many documented BC plans.  Their central BC program’s charge was to audit as many of these plans as possible (I would dare say “as necessary” and here’s why) but how did they determine which BC plans to audit?  At the time, the FS had their own rudimentary risk assessment process that would help them determine which BC plans to audit (i.e., go onsite, verify plans were documented and tested) versus having those business process owners self-audit through a quick questionnaire that the BC program would review.  However, what their risk assessment process didn’t take into account was how their larger ERM program felt about the risk in those same business process areas.  Were they worth the trip to audit (some of these locations were international, resulting in lots of travel expense)?  Who really knew because they did not align on their definitions of “high risk” versus “low risk”.  Furthermore, they didn’t take into account risk remediation that might have reduced the risk to acceptable levels, allowing them to move that area from “to be audited” to “self-audit” category, thereby allowing the BC program team to focus on higher impact activities.

This is just one example of why it is important for BC programs to align their approaches, methodologies and activities with other related Governance, Risk and Compliance (GRC) programs and disciplines – and vice versa.  Really – your organization’s ERM, GRC or ABC program has a lot to learn from the BCM program too.  Believe it or not, there are many points of intersection and alignment that can and should occur making both programs more effective.  It’s all about effectively reducing risk and doing so with the least amount of resources isn’t it – whether we’re talking BCM, ERM, GRC, or whatever?

This blog series will continue to explore practical ways BCM, GRC, ERM and other related programs, approaches and disciplines can converge to make everyone’s life easier.  Stay tuned!   To follow this series, check out Patrick’s blog on the RSA Archer GRC Community at: https://community.emc.com/community/connect/grc_ecosystem/blog

Patrick Potter, CBCP, CISA,  has over 20 years’ experience leading business continuity management, strategic planning, internal audit, process and cost improvement, compliance and other related activities at Fortune 500 companies.  Mr. Potter is responsible for applying his experience in BCM, audit and other related disciplines to product design and strategy of RSA Archer’s GRC solutions. 

Patrick Potter
Author:

Patrick is currently a GRC Strategist for the RSA Archer organization, where he helps drive the strategic direction of the Business Continuity and Audit Management solutions. Prior to RSA, Patrick spent over 20 years leading business continuity, internal audit, strategic planning, process improvement and related activities at Fortune 500 companies in both industry and consulting roles. Patrick has developed a strategic perspective working with analysts, partners and customers spanning such industries as financial services, higher education, manufacturing, high-tech, healthcare, and media and hospitality. He has been a speaker for the Institute of Internal Auditors, Disaster Recovery Journal, RSA Archer Summit, Financial Executives Networking Group, Association of Continuity Planners and the Information Systems Audit and Control Association. Patrick has also contributed various thought leadership articles for Continuity Insights, SC Magazine and Disaster Recovery Journal.