Please note that this is a page from a previous version of Continuity Central and is no longer being updated.

To see the latest business continuity news, jobs and information click here.

Business continuity information

The Continuity Central debate: is GRC business continuity’s future?


In a recent Continuity Central webinar, it was predicted that business continuity management will decline as a separate discipline and will become increasingly seen as an aspect of GRC.

During the webinar ‘BCM: The Road Ahead,Coop Systems’ CEO, Chris Alvord, made the point that GRC (Governance, Risk and Compliance) is emerging as the overarching risk discipline and he expects business continuity management to become increasingly aligned with risk management and therefore with GRC. There will be an emphasis on breaking down the silo of business continuity management as a separate distinct discipline and upon getting more cross-discipline expertise.

Chris has raised an important point.

Business continuity management emerged from the technical discipline of IT disaster recovery. With the advent of BS 25999 and that standard's emphasis on business continuity as a management system, many felt that BCM had arrived at its destination and that future developments would probably be ‘tweaks’ to the planning and management process rather than whole-scale rexaminations of the fundamentals of business continuity management. But is that really going to be the case? Is BCM about to be acquired by GRC and, if so, what will the consequences be?

To discuss these questions Continuity Central ran an online debate, inviting business continuity professionals to comment on the points made above. A total of 131 people took part and the reponses are below.

Direct questions

Participants were asked to answer two direct questions:

Is GRC business continuity’s future?
56 percent of participants thought that 'Yes' GRC is business continuity’s future and 26.5 percent thought that 'maybe' this would be the case. 17.5 percent disagreed with the statement.

If BCM becomes an aspect of GRC would that be a positive or negative thing?
68 percent of participants said that business continuity management becoming part of GRC would be a positive thing; 15 percent said that this would be a negative occurance. 17 percent were unsure.

[Please note that these have been spell checked but otherwise are unedited]

Comments from people who think that it would be a negative thing if BCM became an aspect of GRC:

• Resilience is a much more likely tag but for goodness sake GRC is just another of the ERM category - no excitement in GRC whatsoever - it's not going to fly!

• GRC is the ‘new boy’ on the block and seems to be struggling to find a home. While the RM disciplines have been around a while and have clear practices and guidelines; I don’t believe that GRC has any of this. The functions are obvious but to merge BCM into the fold I don’t believe is a good idea. BCM has a well documented, tried and tested set of specialised practices. BCM draws information from many different sources, in particular from RM functions, but I can’t see that GRC can bring anything to the table that is not already provided by Audit or Internal Control type functions. If BCM is wrapped into GRC the BUSINESS IMPACT ANALYSIS aspect will be eroded and that will signal the end of BCM as we know it. BCM has always been about understanding specific BUSINESS process impacts; categorized them and creating plans / processes / infrastructure to mitigate / reduce the impact to within manageable levels.  GRC doesn’t do any of this; it looks at Group Risk and Compliance!  The compliance part can monitor how the BCM GPG or standards are being adhered to but that were it ends. Another point to remember is that by definition RM focuses on Core competencies of a business and attempts to express their disruptions in monetary terms; BCM looks at the non-core competencies (eg, Power outage, natural disasters) as well and creates plans and processes to mitigate / or manage the impacts to a acceptable level to the business.

• I think that Risk and Governance should be under the BC umbrella, not the other way around. This would ensure that R&G look after the operational ability of the company and would give it the focus it has lacked over the past 20 years or more.

• GRC in many organizations is about risk assessment and mitigation. It is often limited to risk reduction measures and event reporting. The financial coverage is often included. BCM has to cope with disaster "in real". It has to cope with destructive events -in the GRC list of risk or NOT- it has to build in advance different type of responses. Only one part of the emerged BCM iceberg is candidate to join the GRC approach. The question should not be posed that way, because it is not a real life situation... GRC is a staff job. BCM is a line, operations job. Only the management system of BCM could be candidate to sit beside GRC team. Why not put everything the other way around? after all, the risks we fear are those that prevent Business to continue?

• GRC deals with the core competency of the organisation whereas BCM deals with non core competencies and there lies the answer. In a Bank if you have a process failure, GRC can handle and mitigate it, if there is a fire or electrical failure BCM is trained to handle this. Risk analysis in all forms has always fed data into BCM to help focus and financially quantify issues and solutions. So in short, keep them separate - they are two different disciplines. GRC is the new boy on the block, there is no real industry definition and no best practice for GRC yet, once it matures and finds a place, this would be the point to debate what it goes with or doesn't go with.

• GRC will make us start from the scratch and can lead to loss of focus

• Unsure, because in many companies compliance and governance are already the main drivers, and primary outcomes, of BCM. Perhaps it is the present as much as the future. It is a bad thing today; it will remain a bad thing in the future. Ironic that a systems vendor should assert this, as the idea that you can achieve a capability to respond/recover via a system is partly the reason why the compliance mentality took hold in the first place.

• BCM has the GRC elements and is related. However, the approach is different. GRC depends mostly on historical where as BCM is management and is futuristic and pro active. GRC is reactive entirely. BCM has some elements of reactive approach but is relatively more proactive.

• The root of BCM has always been to provide an understanding of the critical activities of any organisation and to put in place plans and processes to ensure that these remain viable throughout any major incident. It also maintains consistency in line with the strategic growth of the organisation. Whilst there is certainly room for closer links to GRC, I would prefer to see BCM as a separate entity.

• BCM needs to work in partnership with Risk and Compliance/Quality/Safety in order for it to survive as an industry wide practice. A partnership of like minded principles (rather than a submersion of one set of practices within another) will deliver meaningful rewards. BCM does consider the above practices, but perhaps not to the level of detail required. I do not see the practice of BCM declining, especially if it is aligned to GRC. In fact I see GRC as a positive driver to ensuring that Business Continuity is actually practised as much as it is preached.

• While GRC is the overarching umbrella, which may be good overall (personally I doubt this), such arrangements tend to supersede the sub-components. BCM is a specialist subset of risk management that should be highlighted, not submerged under some generalist classification.

• BCM is the whole cycle, whereas the Risk and compliance is just one part of it. I would say that BCM is 3-tier architecture namely the REDUCE tier, which is achieved by the RISK Management, the RESPONSE tier, which addresses the containing the incident at a crisis stage itself and not allowing it to become a major disaster, the RECOVER tier, which is addressed by Strategies, Procedure and plans to resume, restore and return to Business As Usual (BAU). If BCM gets acquired by GRC, the focus gets shifted only to the first tier and that would not be a holistic approach. It would have a negative effect on BCM and would not address 6 phases of the BCM lifecycle as suggested per the BS25999 standard.

• While the standard Risk methods are still based on so many flawed assumptions BCM needs to keep its distance from Risk - or it will just become 'plans for things that are unlikely so will never happen'. Why not 'Governance, Continuity and Compliance'?

• Governance, Risk and Compliance has spectacularly failed to manage risk, ensure compliance or institute good governance - see Enron, financial crisis and any number of other examples. Put BCM in here and it becomes another tick box exercise and part of a discredited area.

• Governance Risk and Compliance (GRC) is a method and may be a tool used as part of Operational Risk Management under which fits Security and BCM. It is much more likely that BCM will with Security and Security Risk Management fold into OP Risk (ORM) which in turn fits under the higher level ERM. In practical terms if Security mitigation fails then BC needs to respond to ensure losses are minimised. We are also recommending BIA as part of prioritisation of technical security solutions ...

Comments from people who think that it would be a positive thing if BCM became an aspect of GRC:

• For too long BC and EM have been isolated marginal activities in organisations. We talk endlessly about trying to influence management and executives to take BC seriously. Managing risk is now a core part of good governance for all organisations. That is why we wrote AS/NZS 5050 to seamlessly integrate with ISO 31000. The need and pressure for integration of functions and activities is only going to grow in organisations. There is no future in existing as an isolated marginal activity. The holy grail of "the plan" must give way to more sophisticated approaches to managing the risk of disruptive situations.

• BCM needs to be taken in the widest spectrum of RM. In place of several competing depts. handling various aspects, it is always prudent to adopt a consolidated approach, as per GRC

• The Risk element of GRC is now the more holistic ERM. As such Business Continuity integrates with the ERM process in many areas not least with the BIA contributing to the mapping of processes against objectives and understanding the interdependencies and resources. The risks identified become assessed as part of the overall ERM framework and treated as such. BC Plans provide one of the Risk Treatments i.e. for risks that are, or have to be, accepted or cannot be mitigated to an acceptable level. Just a shame ISO lost its way calling it Societal Security ... what’s that about? Desperate for yet another new identity

• BCM is a huge area that should sit within the GRC of an organisation.  If it doesn't then we are in danger of creating our own 'silo' and becoming remote from other risks within the business.  I fear this argument will rage on, like the 'which came first, the chicken or the egg'.  But it is as pointless as Gulliver's travel war of which end to open an egg!  The point is that we need to ensure BCM is managed effectively in the business and therefore will require a structure management approach and I believe the ERM approach is one of the best methods to get our collective, BCM voices heard.

• Having introduced BS-25999 the standard for BCM good practices and also a yardstick for a fullblown check of the entire BCMS, it is strongly recommended that BCM should be a separate entity unbiased to either IT or Operations.

• Business Continuity Management is the general title given to managing serious and unwanted incidents; i.e. risks and their impacts.  There is greater security for an organisation if it embraces the component disciplines of GRC, of which BCM must be an inclusive component. In the fullness of time, more and more organisations will adopt full blown Risk Management practices and processes and I predict that BCM will be consumed by GRC as natural consequence.  However, the general appetite for GRC occurs in very few organisations in practise, despite the requirement for a formal statement to be included in the Report and Accounts.  Such statements do occur, but when you scratch the surface there is precious little of practical value and of the 250+ companies we have dealt with, those with proper practices and processes in place can be numbered on the fingers of half of one hand.  On this evidence, although GRC may likely ingest BCM, it will be a long time coming.  Furthermore, standards and practices are currently so varied, not least because they are interpretive, trying to pull them all together will take massive evolutionary effort most noticeably when one standard is proposed to displace another and there will be natural resistance from practitioners of component disciplines, particularly if it is their core business.  It's a great idea but at the minute it has a distance to go and the perilous journey has to go negotiate "no man’s land" before it emerges as a shining standard with an enthusiasm of following normally reserved for a religion.

• I think that in any organisation Enterprise Risk Management should be the controlling influence over the extent of BC. This is because a key element of ERM is proportionality and increasingly, the application of emotional intelligence.  If you leave it to BC people alone it is likely they will just keep rolling out endless plans to gather dust because that's what the process demands and it becomes an 'activity trap'.  I believe the real challenge is not in having discussions around 'who sits where' (in effect - self interest) but in influencing how executives think and behave in this crazy world that we live in.

• I often describe a BCP as an expensive risk mitigation strategy. If aligning BCM closer to GRC puts it more front and centre for Boards (locks in c-level champions), then I am all for it.

• It is increasingly difficult to draw lines between these disciplines - and we should not try - they are inter-related.  This doesn't mean that we need lose professional capability in each though.

• BCM cannot be treated in isolation and I for one identify myself as a Senior BCP-GRC Consultant

• BC and Risk management must be integral, it’s critical to understand the risks, challenge mitigation and to be able to identify those residual risks that may materialise as a crisis to be managed.  Audit functions are therefore critical to ensure that the controls are in place and test their effectiveness.  by aligning these functions the business should be able to enjoy additional assurance and be better prepared for the day of crisis.

• To keep BCM isolated from GRC would marginalise BCM as if it had nothing to do with the way a company protects itself from risks.  Taking a holistic view, it is important to embrace all activity that ensures a company operates in a legal and safe and honest way and protects itself from its risks.  This would include all activities - audit, insurance, BCM, disaster recovery etc.  However, this does not mean that all such activities should become one large department at the working level as many of the skills required are unique to each discipline (although there are also many similarities) for example it could be argued that IT BCM is best owned by the IT department due to its technical nature, similarly, the world of insurance requires a detailed knowledge of how the insurance industry works and auditors need specialist financial skills and knowledge.  What is needed is a company culture that understands that all of these activities are connected if a company is to protect itself and be resilient to threats.  While teams may practise their individual disciplines of BCM, audit, insurance etc, the Management of these departments should come together at a single point of responsibility either at senior management or Director level to ensure that activities are truly integrated.  In summary, BCM survives and indeed thrives but as part of a suite of activities that protect the business (GRC).

• I have always preferred and promoted BCM as a separate entity, but it would irresponsible of me to ignore the benefits of incorporating BCM into GRC. In my current position, Global Business Continuity Officer, for a major pharmaceuticals company BCM sits within the Governance, Risk, and Compliance organization and because of the high level exposure I’m able to promote, develop and implement BCM activities within weeks vs. months (when BCM was a “stand alone”).  It is my belief, that we (BCM specialists) now have an opportunity to define how and when BCM evolves or if it’s integrated into GRC. I say, let’s have our cake and eat it too!

• This would be a sensible progression, although I believe that Resilience is a wider discipline encompassing Risk, BCM, and security (physical and information)

• In a small company such as mine, GRC and Business Continuity go hand in hand.  Business continuity testing is one element to identifying risks and control failures and drives our compliance program.  In a large corporation, the two sectors would be much more divided although complementary.

• Business continuity management has emerged from IT disaster recovery only to become its own silo, despite the huge overlaps with DR, information security, physical security, occupational health, insurance and other corporate defence disciplines. In trying to carve out turf and respect for business continuity management as a "profession", practitioners have built walls around their turf. Alignment with GRC and enterprise risk management may help break down the walls.

• BCM as a discipline is still very much split over several expertise areas itself.  BCM stands as a silo next to a number of other disciplines (Information Risk Mgt, IT security...) whereas most of these disciplines all aim to improve business resilience.  Hence, with cost reduction in mind I'd rather believe that resilience is BCM's future.

• Need risk management methodology and discipline to entrench BCM in a company. See as positive move and sign of maturity of risk management function.

• It will be a part of governance which should be accountability of Board to ensure the effectiveness of BCM in place.

• BCM is part of Operational Risk. As such BCM operators will be required to become more than BCM specialists. They will leverage their knowledge and expand into the wider Risk & Compliance field.

• In my organisation risk has more high level sponsorship than business continuity and there is more awareness. This may partly be because it is more established, and I have been in post a short time, but even the reporting structures show risk as being more important than business continuity.

• The discipline of business continuity needs to be reenergized and realigned. It has not kept pace with business. GRC is a good choice, but not an answer in and of itself.

• If we are to be 'risk aware" and have an integrated risk management system which ISO, COSO and others promote than how can BCM stand alone, it was essential for it to do so to make organisations take action but like other risk disciplines when it reaches maturity as a standalone ! Time to integrate !!

• It is already a part of GRC

• Can certainly see the logic of merging BC into GRC. The positive is that sitting there alongside other corporate risks, compliance and audit it is likely to get greater recognition at board level as well as come under the direct remit of a board member.

• I see GRC encompassing Enterprise Risk Management (ERM). GRC looks at how an organisation governess its risk practices in line with the strategic vision of the organisation. ERM ensures that the methods and processes of identifying and mitigating risks are in place. BCM is a risk discipline within ERM, which is under operations risk management. BCM a specialist role within ERM or GRC that ensures governance is adhered to.

• It would be a positive because BCM will get the required attention at executive level.

• It would be a positive thing; it gives business continuity management a proper place in the organisation and provides the communication channel for upward reporting through a formal risk management organisation.

• Many of the 'old guard' need to wake up to the fact that BC is not a separate discipline to GRC. BC professionals may have a different outlook to risk than their GRC colleagues, but the two areas are so intertwined, they cannot work apart from each other. Both disciplines have opportunity to work with and learn from each other.

• BCM is a risk treatment and therefore nicely aligns with the 'R' in GRC. Although, it should actually be 'GRA' - Governance, Risk & Assurance. Compliance is a form of assurance.

• More so from a "governance" and "compliance" point of view, rather than risk per se. GRC seems to have better Executive recognition from a corporate/legal business perspective. This would be better to leverage to overcome issue of fighting for executive recognition of BC. Compliance is "stick" to ensure it gets annual review/recognition - i.e. embedded into organisation. Should be seen as a positive benefit - not just "response to a disruption event" (or insurance paradigm). Aspect of risk is too narrow (even review of impacts rather than cause), as just as important to understand response strategy/having plans and exercising them - again positive benefits.

• Needs to be a standard part of business planning and an expectation within the role of managers that they are required to be prepared to the extent possible in the event of a business interruption. For managers to have this expectation they need a recognizable framework that's organisationally mainstream, broader than IT recovery and covers all aspects of their business - GRC is better placed to provide this as, although being constantly refined, it has a longer historical place in business and is recognised practice. Combining BCM and GRC will give depth and greater expertise to business practice.

• All three areas are so very similar and complement each other. There is no point having one without the other. It makes sense for governance, risk, and compliance to be together.

• BCM alone is not enough to warrant being a separate entity. BCM is there to protect the business and ensure damage limitation, it needs to be embedded and accepted throughout an organisation. The future for BCM is to align with the compliance and risk elements of the organisation.

• This is already the way we work.

• I regard business continuity management as part of a risk management. Business continuity plans are a response to a risk of an event affecting a business process. So for me, this change makes sense. There'll be one process not two competing processes that cover the same ground.

• BC has always needed to be championed by the business. If Governance, Risk and Compliance are closer to the attention of senior leadership (and they certainly should be) then that is good for BC. There are often Risk committees on Boards and I would say that puts BC in a good place. Hard to tell if it will actually happen as changes like that are typically very slow until someone realizes it's a good move for the business.

• I've never understood why we have a separate BC industry - there just isn't the time or resource to devote to it nor is it sensible in isolation of information security and risk management and resilience and disaster recovery - it should all be under the one umbrella and no doubt the latest acronym du jour of GRC will win the day.

• I see that as feasible in countries like Spain. They usually take great leaps when advancing. As BCM is still at a very early stage, the leaps will probably be towards this more global cross-company approach.

• GRC is in my opinion positioned at strategic level of an organization. In the Netherlands we see BCM most on operational level. If BCM is part of GRC it comes automatically on the preferred level.

• If within GRC, BC would be taken more seriously by organisations and there would be less resistance to following the BC programme in my opinion.. more teeth for BC!

• BCM is a constituent part of the overall risk management process of risk identification-risk assessment and risk treatment.

• BCM for years has been the red headed step child reporting to departments like Corporate or Information Security, or Information Technology, or even in Operations. For those organizations that have a Risk Management department, I wholeheartedly support BCM moving there. We may be red headed step children as the saying goes, but we are the guardians and protectors of organizations which is what GRC is all about. As the corporate world matures, let's hope that the right decisions are made about BCM and its importance. We might not contribute to the bottom line, but we might end up saving the bottom line....

• I am already seeing this happen in our organization. I think that it has both positive and negative consequences. Positive because decision makers respect and support GRC, probably because the potential impact areas it represents demonstrate a more tangible connection between business resource protection and financial commitment.

• GRC is an integrated part for businesses to effectively achieve ERM. By which the R is for Risk Management that encompasses several risk among them, Business Continuity. Therefore, is more than accurate to allocate the BCM under the GRC umbrella; breaking one of the silos that should be viewed as a risk control/mitigation requirement to the businesses.

• BCM is already a risk business where, regrettably, board rooms frequently take a chance on the probability of a disaster rather than pay for preventative or resilient measures.

• Compliance is a significant driver in any organisation; board rooms understand their responsibility to comply and the real threats of punishment to them of non compliance. Thus the aspect of being governed can only be positive and generate more Business Continuity planning.

• Business continuity is viewed as expensive and largely unnecessary in most organizations. By including it in the larger risk evaluation and governance/compliance processes it gives BCP business traction and drivers.

• The market has voted. GRC technology spending is at least 30X greater than BCM per the analysts. Mature organizations are deciding that Operational Risk (as part of GRC) is equivalent to BCM. ISO standards are blending Risk (31000) and BCM (22301).

• I am seeing those areas expanding into BC responsibilities at my organization. Our organization needs to comply with government requirements, we need to ensure different areas of the organization comply, and we need to ensure that senior management is aware of the risks to the organization.

• There is a convergence of operational risk management disciplines in matured and regulated multi-national organisations. It makes sense to ensure Information Security Management, Technology Risk Management, Business Continuity Management, IT/DR Governance, and Regulatory Compliance Management work in synergy rather than overlap one another.

• BC and RM are all about managing the risk of operating a business. The incorporation of BC into GRC allows for greater identification of BC with standards and regulations that will provide for growth of the risk based processes used. GRC will merger BC, RM and Information Security into a new arena that will promote growth and greater expansion of roles and responsibilities for BC professionals.

• As regional Business Continuity coordinator within a large international bank I am already hierarchically attached to Governance and Compliance. Regulators, all over the world, are more interested in BCM particularly interdependencies and outsourcing for large international financial institution (FSA, OSFI). It’s very positive aspect; it brings a sense of oversight on internal BCM policies.

• The basic pillars of BCM revolve around management of risks which I like to summarize this way:
- Actively do something about what you know are real potential threats to your organisation's business operations,
- Have a working actions plan to stand in front of adversity wherever it may come from.(i.e. your worst nightmares), therefore being proactive not defeated.

• In my opinion, BCM is already a key part of GRC in organizations with matured GRC programs. The author is right in saying that GRC will become 'overarching risk discipline' if it’s not already is. BCM will continue to exist as one of the key tools within GRC to govern and manage specific types of risks (BC risks) that an organization faces. Similar to BC, Information security, data privacy programs will also exist as key tools under GRC to achieve its goal. Definitely BCM cannot exist as a silo and needs much more open interfaces with all other risk management tools such are information security and data privacy. A matured GRC definitely is going to remove the ‘silo’ and bring in the much needed interface between all risk management tools under it.

• Organizations design (and redesign) themselves to align to and support their business objectives. That BCM may become a programmatic function under GRC happens is a reflection of that. Could be "good" or "bad" depending on the circumstances of the enterprise itself and the leadership quality of the GRC and the BCM managers. I see mostly an upside to this for the company and the BCP program as well. Better opportunity to align BCM to the business operations via a centralized and priority coordinated framework, metrics reporting, better leadership alignment and management potential. Downside, well, that depends on the organization itself. If the GRC function is an unsupported placeholder for orphaned programs, then as a manager I'd want to find a better home somewhere where BCM - because of the specific program benefits it provides it valued. Thanks for asking the question - good food for breakfast thought.

• Anything that brings BCM into the "fold" of management risk expertise is a good thing. Having all these separate elements of good risk management is a nightmare - both for experts and businesses, who don't understand them properly. I definitely think this is a great evolution of embedded BCM.

Comments from people who are unsure:

• I believe it was inevitable that BCM would merge into GRC. There are pros and cons to this merge: Pro: As a fundamental component of the GRC, I would think it would be far more difficult for business management to 'play the odds' by failing to implement an effective BC program. Con: BCM may well have to struggle for recognition and respect as a component of GEC rather than a standalone discipline.  It would be very detrimental if BCM was relegated to merely lip service instead of a serious program.

• BC cannot stand on its own as a discipline or sector and will definitely have to get into bed with some wider disciplines in order to not become a silo.  Whether this is GRC or whether it is organisational resilience or any one of a number of potential adages remains to be seen. Key is that it does not shrink as an outsider but engages properly with other disciplines.  BC is not a heavy hitter at board level and joining with other relevant areas can only serve to help and strengthen its position. BC is very much an operational architecture which is rooted in reality and it requires to remain so in order to deliver best value; this is where care must be taken not to reduce the sum of its impact through dilution amongst policy areas. The strength of 25999 is that it works and is in place whereas risk and compliance is a constantly moving battlefield and is likely to remain so.  A link is highly possible but may not be as positive in the long run.

• The first part of the problem with this whole discussion is that the entire notion of GRC is utterly confused and totally unclear.  How many of the people involved in this discussion truly understand the fundamental concepts of governance as they exist in governance of an organisation?  Governance and management are separate concepts.  Governance involves setting direction, supervising management, and monitoring and assuring performance and conformance.  Governance oversight requires effective systems of management that are directed through policy and strategy, and which provide feedback on performance and conformance.  BCM is ONE of the management systems that should be supervised thus.  From that point of view, BCM is already under the governance umbrella.  Further, BCM already necessarily involves significant aspects of risk assessment and conformance, depending on the context of the organisation.  The reason I hedge my survey responses is not that BCM is a management system that should be governed, but because GRC has become such a cluttered and confused concept in its own right.

• The discussion should be focused on Enterprise Risk Management (ERM) and not "GRC".  GRC represents components of the larger enterprise program that will be successful only if embraced and championed by executive management.  Clearly, BCM is a form of risk management in that it addresses one of the four T's: Treat (Tolerate, Transfer, Terminate, Treat).  BCM has had a life of its own and has evolved to a prominent place in business as appropriate.  ERM and GRC have embarked on that same journey.  Unless the incorporation of BCM is into a more formal ERM structure, one should not add risk by possibly undermining the importance and growth to date of BCM.

• From a code of practices (best practices), BCM has matured to an auditable standard (BS25999, with the release of part 2 in 2008). Now BCM is no more IT driven practice, it has become a necessity for business survival. Maturity of BCM standard is that it can be audited for compliance; however to develops an effective Business Continuity Management Systems (BCMS) one has to understand governance and risk. It may be too early to envisage that business continuity management will decline as a separate discipline and will become increasingly seen as an aspect of GRC.

• The umbrella should be RISK MANAGEMENT. Period. It is, after all, ALL "risk management". BC and GRC are splitting semantic hairs to no purpose - functional "buzz words du jour" as is "resiliency" and other terms contrived by marketing & sales folk.

• Crises proneness and/or preparedness is equally about individual organisational culture, beliefs, value judgements, and leadership style. RBS, Enron, Lehman Bro, and MP expenses demonstrate how it is much more than GRC convergence alone. Although GRC is possibly a good building block it is and always will be about responsible and informed leadership.

• An integrated approach to management of risks and recovery from disruptions would be a good thing.  I do not see this currently within the GRC mindset.  It would be a good thing to regroup all of the control professionals under a single Risk umbrella, but it would be a bad thing if the current approach followed by Compliance and financial risk were to rule this new entity.  What we need is a CRO capable of uniting the professions, not just imposing an existing mentality on all of them.

• Incident response (and strategies developed to aid it) would not develop well and be looked after well in a policy type environment.

• If you think of business continuity in the terms outlined above then the logic probably stands but I prefer to focus on resilience which encompasses risk management, ITIL, DR, recovery, strategy and a range of other disciplines. You can have governance, risk and compliance but still be vulnerable to disruptions - look at the banks and governments. Compliance assumes that someone has determined what the ideal process or situation should look like and as we have seen frequently over recent years, you cannot draw a line in the sand and work to that. We live within a natural system that is continually evolving. All this hypothesis is nugatory and distracting. Resilience is common sense but not common practice - let's not get distracted with certification and standardisation mumbo jumbo.

• The development of Governance, Risk and Compliance disciplines and rollout have hardly been smooth sailing and are still struggling to achieve to position themselves as credible value add practices in the business. The disciplines are generally agreed but the practitioners are in most cases still getting past the spreadsheets and box ticking stage. BCM is a long way ahead in practice and getting involved in GRC will slow the effort yet again. Having said that it is probably where it belongs (BC in GRC) - I just wish they were further developed and not slow it down even further with even more standards and regulations.

• It would be a good idea to consider the implications and in particular, whether it would diminish the importance of business continuity management as a separate discipline.

• BC is already embedded within Risk in many companies, however we need to be careful that the expertise is not lost and just picked up by generalists who are the jack of all trades, master of none. Which would result in half hearted attempts of BC and Crisis Management.

•Date: 25th July 2011 • Region: World •Type: Article • Topic: BC statistics

Business Continuity Newsletter Sign up for Continuity Briefing, our weekly roundup of business continuity news. For news as it happens, subscribe to Continuity Central on Twitter.

How to advertise How to advertise on Continuity Central.

To submit news stories to Continuity Central, e-mail the editor.

Want an RSS newsfeed for your website? Click here