Business continuity and disaster recovery (BC/DR) management programs typically do a good job of evaluating business criticality: they perform business impact analyses (BIAs) to determine recovery priorities. But how many BC/DR programs coordinate their planning with the Enterprise Risk Management (ERM) program, its approach and its results?
This is especially critical in light of recent guidance from the new ISO 22301 standard. BC/DR planning and ERM converge in their needs, yet they are rarely synchronized in their discipline. Here’s a real example. A Fortune 100 financial services (FS) company I consulted with performed over 3,000 BIAs and had as many documented BC plans. The central BC program’s charge was to audit as many of these plans as possible (I would dare say “as necessary”, and here’s why), but how did they determine which BC plans to audit? At the time, the company had its own rudimentary risk assessment process to decide which BC plans to audit onsite (i.e., travel to the location and verify that plans were documented and tested) versus which business process owners could self-audit through a quick questionnaire that the BC program would review. What that risk assessment process didn’t take into account was how the larger ERM program rated the risk in those same business process areas. Were they worth the trip to audit (some of these locations were international, resulting in significant travel expense)? Who really knew, because the BC and ERM programs did not align on their definitions of “high risk” versus “low risk”. Furthermore, the process didn’t account for risk remediation that might have reduced the risk to acceptable levels, which would have allowed an area to move from the “to be audited” category to the “self-audit” category and freed the BC program to focus on higher impact activities.
This is just one example of why it is important for BC programs to align their approaches, methodologies and activities with other related governance, risk and compliance (GRC) programs and disciplines – and vice versa. Really: your organization’s ERM, GRC or ABC program has a lot to learn from the BCM program too. Believe it or not, there are many points of intersection and alignment that can and should occur, making both programs more effective. It’s all about effectively reducing risk and doing so with the most efficient use of resources.
Patrick Potter’s DRJ Fall World 2013 session will focus on several similar use cases with real world examples.