By Alex Bender, Director, eGRC Programs and Strategy, EMC
Is GRC business continuity’s future? This is a question posed recently by Continuity Central, an information portal for business continuity.
It won’t surprise you to hear that I’d give that question a resounding ‘yes’ and that I consider this market trend to be a positive thing. What is also encouraging is that the majority of respondents over at Continuity Central agree with me.
I’m tempted to say that the answer is so obvious, there’s nothing to debate. But maybe that’s because I’m looking at it from the enterprise GRC perspective. An integrated approach is, after all, the whole rationale of enterprise GRC as a discipline. How can you claim to have an effective eGRC program if you don’t have plans to ensure the continuing operation of your business in the face of events that threaten to disrupt it?
Will integration destroy business continuity?
Maybe it’s not so clear if you look at it from the perspective of business continuity professionals. Maybe you don’t see what’s to be gained by ‘submersion’ of your discipline within a larger eGRC discipline and paradigm. For those commenters at Continuity Central who think that it would be a negative thing for business continuity to become an aspect of GRC, there seem to be two main worries:
- Some fear that integration would make it harder to serve the specific needs of business continuity with the specialist skills it requires. One commenter expresses it in this fashion: “BCM is a specialist subset of risk management that should be highlighted, not submerged under some generalist classification.”
- Some believe that GRC doesn’t work and would therefore be toxic to the established principles and practices of business continuity management. One commenter expressing this view says that the standard risk methods are based on flawed assumptions; and he or she asks: “Why not ‘governance, continuity and compliance’?”
Integration is not dissolution
To me these aren’t real objections. In my experience it’s just not true that integration of different disciplines has to make any of them less important or specialized. Nor would I ever recommend an approach that doesn’t preserve best practices within individual sub-disciplines of eGRC.
That’s why I think it’s important to leverage a single eGRC technological platform with the flexibility to have individual solutions built on it for the many functions of eGRC. The whole idea is to preserve the specifics of each function — such as business continuity management, policy management, incident management, compliance management, vendor management, etc. — while at the same time giving you the visibility and control to do it all more efficiently and effectively with cross-functional relationships, workflows and reporting across all functions.
As for fears about the effectiveness of eGRC, clearly there are good and bad ways to approach any discipline. Those of us who’ve spent years developing the theory and practice of eGRC think we know quite a bit about how to do it well. And I’ve seen the difference that an integrated approach can make, including for business continuity management. If you keep an eye on this blog, I’m planning to bring you a case study that illustrates the benefits of applying the best practices of eGRC to business continuity management and how BCM can be tied to the broader risk function.
Why not governance, continuity and compliance?
For those who ask why not governance, continuity and compliance, to a certain extent it’s a matter of how we define our terms. The diagram below comes from an EMC paper on business continuity.* As it illustrates, we see risk management as concerning itself with more than the subset of risks dealt with by business continuity management. For example, if you’ve translated financial risks into IT, operational or legal terms, the information and activities that result from this financial risk management would extend beyond business continuity initiatives.
If you widen the meaning of the phrase ‘business continuity’ enough, so it means something like ‘successfully continuing business’, then you can see it as overlapping a lot with risk management.
But really, risk management as a discipline is much more than business continuity, especially if you use the Enterprise Risk Management – Integrated Framework from COSO (the Committee of Sponsoring Organizations of the Treadway Commission) as the foundation of your risk management program (see diagram below).
However you choose to define your terms, my point still remains that a siloed approach to any continuity/risk management discipline is not the way forward. And again, watch this space for a case study that illustrates this beautifully.
* Getting Your Business Back: Pulling Together Business Continuity, Crisis Management and Disaster Recovery, an EMC Consulting paper