Business continuity as an element of GRC. An illustration

In my last blog,  I promised to bring you a case study that illustrates the benefits of applying the best practices of eGRC to business continuity management. So here it is.

We’re looking at a financial institution that provides insurance, retirement and investment products, mainly to cooperatives, credit unions and their members worldwide. As a leader in its industry, this company takes risk management and data protection very seriously. Both its own high standards and the requirements of the regulations that it must adhere to make risk management a company priority.

Why doing the right things isn’t always enough
The company was doing the right things. It was carrying out vendor assessments to evaluate the risks presented by some 250 partners. It recorded policy exceptions, such as applications that wouldn’t support new standards for robust passwords. It was also conducting annual business continuity business impact analyses and had disaster recovery plans for all of its key applications.

Sounds pretty robust, right?

The catch is that all of these activities were standalone processes with outputs held by relevant business owners in emails, filing cabinets or limited fileshares. The company’s IT security and risk management team had little visibility of any of this documentation and had no easy way to identify emerging IT or business risks that might affect business continuity or disaster recovery plans. There was also limited collaboration between the IT disaster recovery team and the company’s business continuity team within its corporate risk function.

Senior business executives had even less insight. They just assumed that IT could get a data center up and running again in a few hours. They didn’t appreciate what might happen if a natural disaster struck. They didn’t really understand the risk or potential impact of a data breach, whether through a vulnerability of the company itself or a partner.

The company knew it could do better. It wanted to remove the various disconnects between business users, IT and senior management. “Our focus was to transition from standalone processes to a more complete company-wide view so that we could make better decisions based on the bigger picture without digging into details first,” says the company’s chief information security officer.

What happens when you integrate and share?
So now the company has implemented a central solution that supports both business continuity and other risk management activities.*  It has an integrated tool through which to gather, process, store and report on risk- and infrastructure-related information, including business impact analysis surveys and disaster recovery plans.

Everything is in one place and consistent processes and workflows can be applied to all business areas. Vendor assessments, policy exceptions and other risk-related documentation can all be accessed, reported on, and used to inform business continuity teams and risk management activities. Data from business impact analysis surveys can be combined with metadata about systems gathered through a different process, enabling the company to tie together its system, server and database dependencies. Disaster recovery plans developed with application owners are consistent and, instead of being treated as independent items, can be orchestrated into an overriding plan with priority given to applications based on their criticality.

Senior executives have direct access to a reporting dashboard and can quickly see open risks, vulnerabilities and whether disaster plans have passed their tests. There’s no longer a gap between their perceptions and reality. This visibility has given the IT security and risk management team the ability to justify appropriate investment to fix problems.

And there’s more

The impetus for this company was always the desire to protect its customers and prove itself a trustworthy partner. But it’s also saving a lot of time: a couple of hundred hours from efficiencies in conducting impact analysis surveys; and a 75% reduction in the number of people needed to perform vendor assessments.

So I hope I’ve illustrated my point from the previous blog: a siloed approach to business continuity or risk management is not the way forward; an integrated approach is the only way to get your organization into a best-in-class status among the business elite.

* In case you’re wondering: the solution referred to, which holds all the company’s critical disaster recovery information, is itself backed up to an active offsite instance so that it remains accessible in the event of a disruption taking out the primary tool.

Resources:

Large Financial Services Business Continuity Case Study
Large Telecommunicaitons Company Business Continuity Case Study

Advertisements

One thought on “Business continuity as an element of GRC. An illustration

  1. “It was also conducting annual business continuity business impact analyses and had disaster recovery plans for all of its key applications.”

    It’s clear the “financial institution” did not fully understand the full breadth of business continuity if the descriptive above encompassed their COB program. 
    Simply assessing impact and having a plan on paper doesn’t equate to a robust approach at all. The institution failed to adequately perform testing of said plans. At the very least, standardized test script scenarios for localized, area, and or regional business interruptions always root out those unseen issues that can escape even the best planners.
    The best COB programs begin with a good COB policy to solidify the process.
    F.J. Varone
    xCBCP

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s