Despite what many still believe, business continuity is not just about creating a recovery plan for IT resources in case there is an outage. Of course, that is a part of it, but business continuity management, or BCM, is really about having a plan (including processes and resources) for the organization to face critical situations and continue to function—even if in degraded mode—and limit as much as possible the disruptions.
In this sense, it’s very close to risk management, where the intent is to document, analyze, and respond to uncertainties.
Why have the two processes been growing apart for so long?
Unfortunately, I don’t have a complete answer to that, but I will still share what I have learned from various interactions with stakeholders from both worlds (yes, in many cases they are still worlds apart):
- Business continuity is owned by IT and focuses only on IT disruptions. Remember when cybersecurity was only perceived as an IT issue? Well, in many organizations, this is still the case for BCM.
- Business continuity is owned by environmental, health, and safety (EH&S). Many organizations manage their EH&S risks in silos. Since one of the most important resources for an organization are humans, some organizations have assigned the continuity topic to their EH&S team.
It’s not fatal—others are integrating BCM and GRC
Don’t get me wrong; IT and humans are critical assets for the good functioning of an organization. In today’s world, no organization could produce and deliver its goods and services without these two resources. But they aren’t the only dependencies companies should consider when documenting their continuity plans.
A simple three-step plan
1. Reuse your process documentation
- If the processes have been documented by internal control and audit management, aren’t they worth leveraging? There is still a perception that control and audit focus exclusively on financial reporting, but this is simply not true. Both have one intent in mind: help the company perform better—for all processes.
- As a result, BCM could (and should) reuse the processes documented by these teams even if just to ensure that they cover the processes identified as the most important.
2. Leverage your risk register
- Risks are everywhere, sometimes in so many registers. But for companies that have an enterprise risk management framework, the central risk register is the single source of truth. Instead of creating its own subset, BCM should really leverage the risk register to ensure that the most critical risks identified are covered with an appropriate plan.
- Doing so will automatically help the risk owner reduce the impact of a risk should it manifest. Collaboration between business continuity teams and operational teams therefore becomes a no-brainer!
3. Use the incidents—and near misses—for feedback
- Continuous improvement for risk mitigation is of utmost importance. Nothing could be worse for an organization than to have a set of risk responses (actions plans, controls, policies, continuity plans!) that are ineffective because they’re obsolete.
- It’s invaluable for the risk owners to be able to review the incidents that have triggered a continuity plan and learn from what was done in reaction. Indeed, the documentation of the real-life incident should include all the triggers—not just the first ones, but also as the incident developed. Hence, this goes further than a simple root cause analysis that is more of a theoretical exercise.
- As a result, the risk owner could add more potential drivers to the risk register and design an all-encompassing mitigation strategy that should prevent the risk from turning into a crisis—or at least mitigate it more rapidly in the future.
What about you? Has your company already integrated the two processes of BCM and GRC together? If so, feel free to share your feedback either on this blog or via Twitter @TFrenehard