Business continuity as an element of GRC. An illustration

In my last blog, I promised to bring you a case study that illustrates the benefits of applying the best practices of eGRC to business continuity management. So here it is.

We’re looking at a financial institution that provides insurance, retirement and investment products, mainly to cooperatives, credit unions and their members worldwide. As a leader in its industry, this company takes risk management and data protection very seriously. Both its own high standards and the requirements of the regulations that it must adhere to make risk management a company priority.

Why doing the right things isn’t always enough
The company was doing the right things. It was carrying out vendor assessments to evaluate the risks presented by some 250 partners. It recorded policy exceptions, such as applications that wouldn’t support new standards for robust passwords. It was also conducting annual business continuity business impact analyses and had disaster recovery plans for all of its key applications.

Sounds pretty robust, right?

The catch is that all of these activities were standalone processes with outputs held by relevant business owners in emails, filing cabinets or limited fileshares. The company’s IT security and risk management team had little visibility of any of this documentation and had no easy way to identify emerging IT or business risks that might affect business continuity or disaster recovery plans. There was also limited collaboration between the IT disaster recovery team and the company’s business continuity team within its corporate risk function.

Senior business executives had even less insight. They just assumed that IT could get a data center up and running again in a few hours. They didn’t appreciate what might happen if a natural disaster struck. They didn’t really understand the risk or potential impact of a data breach, whether through a vulnerability of the company itself or a partner.

The company knew it could do better. It wanted to remove the various disconnects between business users, IT and senior management. “Our focus was to transition from standalone processes to a more complete company-wide view so that we could make better decisions based on the bigger picture without digging into details first,” says the company’s chief information security officer.

What happens when you integrate and share?
So now the company has implemented a central solution that supports both business continuity and other risk management activities.* It has an integrated tool through which to gather, process, store and report on risk- and infrastructure-related information, including business impact analysis surveys and disaster recovery plans.

Everything is in one place and consistent processes and workflows can be applied to all business areas. Vendor assessments, policy exceptions and other risk-related documentation can all be accessed, reported on, and used to inform business continuity teams and risk management activities. Data from business impact analysis surveys can be combined with metadata about systems gathered through a different process, enabling the company to tie together its system, server and database dependencies. Disaster recovery plans developed with application owners are consistent and, instead of being treated as independent items, can be orchestrated into an overriding plan with priority given to applications based on their criticality.

Senior executives have direct access to a reporting dashboard and can quickly see open risks, vulnerabilities and whether disaster plans have passed their tests. There’s no longer a gap between their perceptions and reality. This visibility has given the IT security and risk management team the ability to justify appropriate investment to fix problems.

And there’s more

The impetus for this company was always the desire to protect its customers and prove itself a trustworthy partner. But it’s also saving a lot of time: a couple of hundred hours from efficiencies in conducting impact analysis surveys; and a 75% reduction in the number of people needed to perform vendor assessments.

So I hope I’ve illustrated my point from the previous blog: a siloed approach to business continuity or risk management is not the way forward; an integrated approach is the only way to get your organization into a best-in-class status among the business elite.

* In case you’re wondering: the solution referred to, which holds all the company’s critical disaster recovery information, is itself backed up to an active offsite instance so that it remains accessible in the event of a disruption taking out the primary tool.

Resources:

Large Financial Services Business Continuity Case Study
Large Telecommunications Company Business Continuity Case Study

Business continuity as an element of GRC. Is there really any debate?

By Alex Bender, Director, eGRC Programs and Strategy, EMC

Is GRC business continuity’s future? This is a question posed recently by Continuity Central, an information portal for business continuity.

It won’t surprise you to hear that I’d give that question a resounding ‘yes’ and that I consider this market trend to be a positive thing. What is also encouraging is that the majority of respondents over at Continuity Central agree with me.

I’m tempted to say that the answer is so obvious, there’s nothing to debate. But maybe that’s because I’m looking at it from the enterprise GRC perspective. An integrated approach is, after all, the whole rationale of enterprise GRC as a discipline. How can you claim to have an effective eGRC program if you don’t have plans to ensure the continuing operation of your business in the face of events that threaten to disrupt it?

Will integration destroy business continuity?

Maybe it’s not so clear if you look at it from the perspective of business continuity professionals. Maybe you don’t see what’s to be gained by ‘submersion’ of your discipline within a larger eGRC discipline and paradigm. For those commenters at Continuity Central who think that it would be a negative thing for business continuity to become an aspect of GRC, there seem to be two main worries:

  • Some fear that integration would make it harder to serve the specific needs of business continuity with the specialist skills it requires. One commenter expresses it in this fashion: “BCM is a specialist subset of risk management that should be highlighted, not submerged under some generalist classification.”
  • Some believe that GRC doesn’t work and would therefore be toxic to the established principles and practices of business continuity management. One commenter expressing this view says that the standard risk methods are based on flawed assumptions; and he or she asks: “Why not ‘governance, continuity and compliance’?”

Integration is not dissolution

To me these aren’t real objections. In my experience it’s just not true that integration of different disciplines has to make any of them less important or specialized. Nor would I ever recommend an approach that doesn’t preserve best practices within individual sub-disciplines of eGRC.

That’s why I think it’s important to leverage a single eGRC technological platform with the flexibility to have individual solutions built on it for the many functions of eGRC. The whole idea is to preserve the specifics of each function — such as business continuity management, policy management, incident management, compliance management, vendor management, etc — while at the same time giving you the visibility and control to do it all more efficiently and effectively with cross-functional relationships, workflows and reporting across all functions.

As for fears about the effectiveness of eGRC, clearly there are good and bad ways to approach any discipline. Those of us who’ve spent years developing the theory and practice of eGRC think we know quite a bit about how to do it well. And I’ve seen the difference that an integrated approach can make, including for business continuity management. If you keep an eye on this blog, I’m planning to bring you a case study that illustrates the benefits of applying the best practices of eGRC to business continuity management and how BCM can be tied to the broader risk function.

Why not governance, continuity and compliance?

For those who ask why not governance, continuity and compliance, to a certain extent it’s a matter of how we define our terms. The diagram below comes from an EMC paper on business continuity.* As it illustrates, we see risk management as concerning itself with more than the subset of risks dealt with by business continuity management. For example, if you’ve translated financial risks into IT, operational or legal terms, the information and activities that result from this financial risk management would extend beyond business continuity initiatives.

If you widen the meaning of the phrase ‘business continuity’ enough, so it means something like ‘successfully continuing business’, then you can see it as overlapping a lot with risk management.

But really, risk management as a discipline is much more than business continuity, especially if you use the Enterprise Risk Management – Integrated Framework from COSO (the Committee of Sponsoring Organizations of the Treadway Commission) as the foundation of your risk management program (see diagram below).

However you choose to define your terms, my point still remains that a siloed approach to any continuity/risk management discipline is not the way forward. And again, watch this space for a case study that illustrates this beautifully.

Recommended Reading:

* Getting Your Business Back: Pulling Together Business Continuity, Crisis Management and Disaster Recovery, an EMC Consulting paper