The Continuity Central debate: is GRC business continuity’s future?
This debate has generated a huge amount of interest. Your thoughts and comments so far are here...
Summary of the preamble:
In a recent Continuity Central webinar, it was predicted that business continuity management will decline as a separate discipline and will become increasingly seen as an aspect of GRC. Is BCM about to be acquired by GRC and, if so, what will the consequences be?
Comments so far:
Comments from people who think that it would be a negative thing if BCM became an aspect of GRC:
• The root of BCM has always been to provide an understanding of the critical activities of any organisation and to put in place plans and processes to ensure that these remain viable throughout any major incident. It also maintains consistency in line with the strategic growth of the organisation. Whilst there is certainly room for closer links to GRC, I would prefer to see BCM as a separate entity.
• BCM needs to work in partnership with Risk and Compliance/Quality/Safety in order for it to survive as an industry-wide practice. A partnership of like-minded principles (rather than a submersion of one set of practices within another) will deliver meaningful rewards. BCM does consider the above practices, but perhaps not to the level of detail required. I do not see the practice of BCM declining, especially if it is aligned to GRC. In fact I see GRC as a positive driver to ensuring that Business Continuity is actually practised as much as it is preached.
• While GRC is the overarching umbrella, which may be good overall (personally I doubt this), such arrangements tend to supersede the sub-components. BCM is a specialist subset of risk management that should be highlighted, not submerged under some generalist classification.
• While the standard Risk methods are still based on so many flawed assumptions BCM needs to keep its distance from Risk - or it will just become 'plans for things that are unlikely so will never happen'. Why not 'Governance, Continuity and Compliance'?
• Governance, Risk and Compliance has spectacularly failed to manage risk, ensure compliance or institute good governance - see Enron, financial crisis and any number of other examples. Put BCM in here and it becomes another tick box exercise and part of a discredited area.
• Governance, Risk and Compliance (GRC) is a method and may be a tool used as part of Operational Risk Management, under which fit Security and BCM. It is much more likely that BCM, with Security and Security Risk Management, will fold into OP Risk (ORM), which in turn fits under the higher-level ERM. In practical terms, if Security mitigation fails then BC needs to respond to ensure losses are minimised. We are also recommending BIA as part of prioritisation of technical security solutions ...
Comments from people who think that it would be a positive thing if BCM became an aspect of GRC:
• It will be a part of governance, which should be the accountability of the Board, to ensure the effectiveness of the BCM in place.
• BCM is part of Operational Risk. As such BCM operators will be required to become more than BCM specialists. They will leverage their knowledge and expand into the wider Risk & Compliance field.
• The discipline of business continuity needs to be reenergized and realigned. It has not kept pace with business. GRC is a good choice, but not an answer in and of itself.
• If we are to be 'risk aware' and have an integrated risk management system, which ISO, COSO and others promote, then how can BCM stand alone? It was essential for it to do so to make organisations take action, but, like other risk disciplines, when it reaches maturity as a standalone! Time to integrate!!
• It is already a part of GRC.
• Can certainly see the logic of merging BC into GRC. The positive is that sitting there alongside other corporate risks, compliance and audit it is likely to get greater recognition at board level as well as come under the direct remit of a board member.
• I see GRC encompassing Enterprise Risk Management (ERM). GRC looks at how an organisation governs its risk practices in line with the strategic vision of the organisation. ERM ensures that the methods and processes of identifying and mitigating risks are in place. BCM is a risk discipline within ERM, which is under operations risk management. BCM is a specialist role within ERM or GRC that ensures governance is adhered to.
• In order for one to have a full view or understanding of GRC or ERM, all disciplines must be understood, as they support each other to give the organisation an entire overview of its risk profile.
• It would be a positive because BCM will get the required attention at executive level.
• It would be a positive thing; it gives business continuity management a proper place in the organisation and provides the communication channel for upward reporting through a formal risk management organisation.
• Many of the 'old guard' need to wake up to the fact that BC is not a separate discipline to GRC. BC professionals may have a different outlook to risk than their GRC colleagues, but the two areas are so intertwined, they cannot work apart from each other. Both disciplines have opportunity to work with and learn from each other.
• BCM is a risk treatment and therefore nicely aligns with the 'R' in GRC. Although it should actually be 'GRA' - Governance, Risk & Assurance. Compliance is a form of assurance.
• More so from a "governance" and "compliance" point of view, rather than risk per se. GRC seems to have better Executive recognition from a corporate/legal business perspective. This would be better to leverage to overcome the issue of fighting for executive recognition of BC. Compliance is the "stick" to ensure it gets annual review/recognition - i.e. embedded into the organisation. Should be seen as a positive benefit - not just "response to a disruption event" (or insurance paradigm). The aspect of risk is too narrow (even review of impacts rather than cause), as it is just as important to understand response strategy/having plans and exercising them - again positive benefits.
• Needs to be a standard part of business planning and an expectation within the role of managers that they are required to be prepared to the extent possible in the event of a business interruption. For managers to have this expectation they need a recognizable framework that's organisationally mainstream, broader than IT recovery and covers all aspects of their business - GRC is better placed to provide this as, although being constantly refined, it has a longer historical place in business and is recognised practice. Combining BCM and GRC will give depth and greater expertise to business practice.
• All three areas are so very similar and complement each other. There is no point having one without the other. It makes sense for governance, risk, and compliance to be together.
• BCM alone is not enough to warrant being a separate entity. BCM is there to protect the business and ensure damage limitation, it needs to be embedded and accepted throughout an organisation. The future for BCM is to align with the compliance and risk elements of the organisation.
• This is already the way we work.
• I regard business continuity management as part of a risk management. Business continuity plans are a response to a risk of an event affecting a business process. So for me, this change makes sense. There'll be one process not two competing processes that cover the same ground.
• BC has always needed to be championed by the business. If Governance, Risk and Compliance are closer to the attention of senior leadership (and they certainly should be) then that is good for BC. There are often Risk committees on Boards and I would say that puts BC in a good place. Hard to tell if it will actually happen as changes like that are typically very slow until someone realizes it's a good move for the business.
• I've never understood why we have a separate BC industry - there just isn't the time or resource to devote to it nor is it sensible in isolation of information security and risk management and resilience and disaster recovery - it should all be under the one umbrella and no doubt the latest acronym du jour of GRC will win the day.
• I see that as feasible in countries like Spain. They usually take great leaps when advancing. As BCM is still at a very early stage, the leaps will probably be towards this more global cross-company approach.
• GRC is in my opinion positioned at strategic level of an organization. In the Netherlands we see BCM most on operational level. If BCM is part of GRC it comes automatically on the preferred level.
• If within GRC, BC would be taken more seriously by organisations and there would be less resistance to following the BC programme in my opinion... more teeth for BC!
• BCM is a constituent part of the overall risk management process of risk identification, risk assessment and risk treatment.
• BCM for years has been the red headed step child reporting to departments like Corporate or Information Security, or Information Technology, or even in Operations. For those organizations that have a Risk Management department, I wholeheartedly support BCM moving there. We may be red headed step children as the saying goes, but we are the guardians and protectors of organizations which is what GRC is all about. As the corporate world matures, let's hope that the right decisions are made about BCM and its importance. We might not contribute to the bottom line, but we might end up saving the bottom line....
• GRC is an integrated part for businesses to effectively achieve ERM, in which the R is for Risk Management that encompasses several risks, among them Business Continuity. Therefore, it is more than accurate to allocate BCM under the GRC umbrella, breaking one of the silos that should be viewed as a risk control/mitigation requirement for the businesses.
• BCM is already a risk business where, regrettably, board rooms frequently take a chance on the probability of a disaster rather than pay for preventative or resilient measures.
• Compliance is a significant driver in any organisation; board rooms understand their responsibility to comply and the real threats of punishment to them of non-compliance. Thus the aspect of being governed can only be positive and generate more Business Continuity planning.
• Business continuity is viewed as expensive and largely unnecessary in most organizations. By including it in the larger risk evaluation and governance/compliance processes it gives BCP business traction and drivers.
• The market has voted. GRC technology spending is at least 30X greater than BCM per the analysts. Mature organizations are deciding that Operational Risk (as part of GRC) is equivalent to BCM. ISO standards are blending Risk (31000) and BCM (22301).
• I am seeing those areas expanding into BC responsibilities at my organization. Our organization needs to comply with government requirements, we need to ensure different areas of the organization comply, and we need to ensure that senior management is aware of the risks to the organization.
• There is a convergence of operational risk management disciplines in matured and regulated multi-national organisations. It makes sense to ensure Information Security Management, Technology Risk Management, Business Continuity Management, IT/DR Governance, and Regulatory Compliance Management work in synergy rather than overlap one another.
• BC and RM are all about managing the risk of operating a business. The incorporation of BC into GRC allows for greater identification of BC with standards and regulations that will provide for growth of the risk-based processes used. GRC will merge BC, RM and Information Security into a new arena that will promote growth and greater expansion of roles and responsibilities for BC professionals.
• As regional Business Continuity coordinator within a large international bank I am already hierarchically attached to Governance and Compliance. Regulators, all over the world, are more interested in BCM, particularly interdependencies and outsourcing for large international financial institutions (FSA, OSFI). It's a very positive aspect; it brings a sense of oversight on internal BCM policies.
• In my opinion, BCM is already a key part of GRC in organizations with matured GRC programs. The author is right in saying that GRC will become the 'overarching risk discipline' if it is not already. BCM will continue to exist as one of the key tools within GRC to govern and manage specific types of risks (BC risks) that an organization faces. Similar to BC, information security and data privacy programs will also exist as key tools under GRC to achieve its goal. Definitely BCM cannot exist as a silo and needs much more open interfaces with all other risk management tools such as information security and data privacy. A matured GRC definitely is going to remove the 'silo' and bring in the much-needed interface between all risk management tools under it.
• Organizations design (and redesign) themselves to align to and support their business objectives. That BCM may become a programmatic function under GRC is a reflection of that. It could be "good" or "bad" depending on the circumstances of the enterprise itself and the leadership quality of the GRC and the BCM managers. I see mostly an upside to this for the company and the BCP program as well: better opportunity to align BCM to the business operations via a centralized and priority-coordinated framework, metrics reporting, better leadership alignment and management potential. Downside, well, that depends on the organization itself. If the GRC function is an unsupported placeholder for orphaned programs, then as a manager I'd want to find a better home somewhere where BCM, because of the specific program benefits it provides, is valued. Thanks for asking the question - good food for breakfast thought.
• Anything that brings BCM into the "fold" of management risk expertise is a good thing. Having all these separate elements of good risk management is a nightmare - both for experts and businesses, who don't understand them properly. I definitely think this is a great evolution of embedded BCM.
Comments from people who are unsure:
• Incident response (and strategies developed to aid it) would not develop well and be looked after well in a policy type environment.
• If you think of business continuity in the terms outlined above then the logic probably stands but I prefer to focus on resilience which encompasses risk management, ITIL, DR, recovery, strategy and a range of other disciplines. You can have governance, risk and compliance but still be vulnerable to disruptions - look at the banks and governments. Compliance assumes that someone has determined what the ideal process or situation should look like and as we have seen frequently over recent years, you cannot draw a line in the sand and work to that. We live within a natural system that is continually evolving. All this hypothesis is nugatory and distracting. Resilience is common sense but not common practice - let's not get distracted with certification and standardisation mumbo jumbo.
• The development and rollout of Governance, Risk and Compliance disciplines have hardly been smooth sailing, and they are still struggling to position themselves as credible value-add practices in the business. The disciplines are generally agreed, but the practitioners are in most cases still getting past the spreadsheets and box-ticking stage. BCM is a long way ahead in practice and getting involved in GRC will slow the effort yet again. Having said that, it is probably where it belongs (BC in GRC) - I just wish they were further developed and did not slow it down even further with even more standards and regulations.
• It would be a good idea to consider the implications and in particular, whether it would diminish the importance of business continuity management as a separate discipline.
• BC is already embedded within Risk in many companies; however, we need to be careful that the expertise is not lost and just picked up by generalists who are the jack of all trades, master of none, which would result in half-hearted attempts at BC and Crisis Management.
Date: 20th May 2011 • Region: World • Type: Article • Topic: BC general