Business continuity as an element of GRC. Is there really any debate?

By Alex Bender, Director, eGRC Programs and Strategy, EMC

Is GRC business continuity’s future? This is a question posed recently by Continuity Central, an information portal for business continuity.

It won’t surprise you to hear that I’d give that question a resounding ‘yes’ and that I consider this market trend to be a positive thing. What is also encouraging is that the majority of respondents over at Continuity Central agree with me.

I’m tempted to say that the answer is so obvious, there’s nothing to debate. But maybe that’s because I’m looking at it from the enterprise GRC perspective. An integrated approach is, after all, the whole rationale of enterprise GRC as a discipline. How can you claim to have an effective eGRC program if you don’t have plans to ensure the continuing operation of your business in the face of events that threaten to disrupt it?

Will integration destroy business continuity?

Maybe it’s not so clear if you look at it from the perspective of business continuity professionals. Maybe you don’t see what’s to be gained by ‘submersion’ of your discipline within a larger eGRC discipline and paradigm. For those commenters at Continuity Central who think that it would be a negative thing for business continuity to become an aspect of GRC, there seem to be two main worries:

  • Some fear that integration would make it harder to serve the specific needs of business continuity with the specialist skills it requires. One commenter expresses it in this fashion: “BCM is a specialist subset of risk management that should be highlighted, not submerged under some generalist classification.”
  • Some believe that GRC doesn’t work and would therefore be toxic to the established principles and practices of business continuity management. One commenter expressing this view says that the standard risk methods are based on flawed assumptions; and he or she asks: “Why not ‘governance, continuity and compliance’?”

Integration is not dissolution

To me these aren’t real objections. In my experience it’s just not true that integration of different disciplines has to make any of them less important or specialized. Nor would I ever recommend an approach that doesn’t preserve best practices within individual sub-disciplines of eGRC.

That’s why I think it’s important to leverage a single eGRC technological platform with the flexibility to have individual solutions built on it for the many functions of eGRC. The whole idea is to preserve the specifics of each function — such as business continuity management, policy management, incident management, compliance management, vendor management, etc — while at the same time giving you the visibility and control to do it all more efficiently and effectively with cross-functional relationships, workflows and reporting across all functions.

As for fears about the effectiveness of eGRC, clearly there are good and bad ways to approach any discipline. Those of us who’ve spent years developing the theory and practice of eGRC think we know quite a bit about how to do it well. And I’ve seen the difference that an integrated approach can make, including for business continuity management. If you keep an eye on this blog, I’m planning to bring you a case study that illustrates the benefits of applying the best practices of eGRC to business continuity management and how BCM can be tied to the broader risk function.

Why not governance, continuity and compliance?

For those who ask why not governance, continuity and compliance, to a certain extent it’s a matter of how we define our terms. The diagram below comes from an EMC paper on business continuity.* As it illustrates, we see risk management as concerning itself with more than the subset of risks dealt with by business continuity management. For example, if you’ve translated financial risks into IT, operational or legal terms, the information and activities that result from this financial risk management would extend beyond business continuity initiatives.


If you widen the meaning of the phrase ‘business continuity’ enough, so it means something like ‘successfully continuing business’, then you can see it as overlapping a lot with risk management.

But really, risk management as a discipline is much more than business continuity, especially if you use the Enterprise Risk Management – Integrated Framework from COSO (the Committee of Sponsoring Organizations of the Treadway Commission) as the foundation of your risk management program (see diagram below).

However you choose to define your terms, my point still remains that a siloed approach to any continuity/risk management discipline is not the way forward. And again, watch this space for a case study that illustrates this beautifully.


Recommended Reading:

* Getting Your Business Back: Pulling Together Business Continuity, Crisis Management and Disaster Recovery, an EMC Consulting paper


3 thoughts on “Business continuity as an element of GRC. Is there really any debate?”

  1. IMO, this is a problem of perspective. BCP/DR is no more a component of GRC than are Information Security, Vendor Management, Privacy, or any other risk management discipline. All of these — along with Market, Credit, Reputation, Payments, Fraud and other risk areas — are components of Enterprise Risk Management. GRC itself is really just a framework for addressing the common elements of ERM. 

    If you think about the very definition of GRC …

    Governance: corporate goals, objectives and “rules” for management

    Risk: things that could negatively impact goals, objectives and management’s ability to achieve them

    Compliance: monitoring and reporting Re the organization’s ongoing efforts to manage risks

    … it becomes readily apparent that all risk areas — including BCP/DR — share certain core needs and functions:

    Policy and Exception Management — the means for articulating corporate goals and objectives and accommodating specific business needs

    Risk Management — including cooperative processes and business practices for incident reporting and response, risk assessment, measurement and reporting

    Compliance Management — common processes and practices for assessing, monitoring and reporting on compliance with corporate policies, laws and regulatory requirements

    It should come as no surprise, then, that all of the above are core components of a GRC program and any utility framework that supports it. 

  2. IMO, this *is* really more of a problem of perspective. BCP/DR is no more a component of GRC than are Information Security, Vendor Management, Privacy, or any other risk management discipline. All of these — along with Market, Credit, Reputation, Payments, Fraud and other risk areas — are components of Enterprise Risk Management (ERM). GRC itself is a framework for addressing the common elements of ERM.

    If you think about the very definition of GRC …

    – Governance: corporate goals, objectives and “rules” for management

    – Risk: things that could negatively impact goals, objectives and management’s ability to achieve them

    – Compliance: monitoring and reporting Re the organization’s ongoing efforts to manage risks

    … it becomes readily apparent that all risk areas — including BCP/DR — share certain core needs and functions:

    – Policy and Exception Management — the means for articulating corporate goals and objectives and accommodating specific business needs

    – Risk Management — including cooperative processes and business practices for incident reporting and response, risk assessment, measurement and reporting

    – Compliance Management — common processes and practices for assessing, monitoring and reporting on compliance with corporate policies, laws and regulatory requirements

    It should come as no surprise, then, that all of the above are core components of a GRC program and any utility framework that supports it.
