GRC Tuesdays: Is Business Continuity a Separate Activity?
During a breakfast event a few months ago (back when such events were still possible), I was having coffee with two security managers who were in charge of business continuity for their organizations: one was from the IT department and the other was a business operations manager.
The questions of our debate revolved around two points: who should be the most significant contributor to business continuity activities, and should continuity management be a separate activity?
Interestingly, we all agreed that we saw more and more business continuity management reaching outside the IT domain, where it historically focused on IT disaster recovery planning and information security, toward a more business-process-oriented approach. The key value assets and processes of the company are identified, and continuity plans are defined and tested specifically to ensure that these assets and processes remain operational, even if in a degraded mode. The final intent is for the company to continue functioning and delivering its services and products.
Unfortunately, the restart of the presentations didn’t allow us to continue this discussion, but today I’d like to share a few of my thoughts with you. And if these gentlemen are reading, I invite them to respond to this blog, of course!
To me, business continuity isn’t a separate activity. As a matter of fact, it’s a true example of an integrated approach that sits at the crossroads of many functions, including the following:
- Risk management: since business continuity builds on the identified critical risks that would prevent the company’s objectives from being achieved, and continuity plans can be true mitigation measures for those risks, not by preventing the risk from occurring but by reducing the impact in time and damage caused should an incident occur;
- Internal control: since sections of the Business Impact Analysis will derive from the process map and its associated control level;
- Audit (internal and external): since auditors will be key in reviewing the business continuity plans, sometimes even testing them, and potentially issuing some improvement recommendations.
I personally think that great business continuity managers have a rare talent: being able to understand the business context and its needs, and being able to assess the recovery measures (technical and non-technical) that need to be implemented to secure the continuity of operations.
Furthermore, in our constantly evolving environments, they also have the ability to regularly take a step back and ask themselves: Is this sufficient today? Will it suffice tomorrow?
They are certainly not alone in this quest, and my belief is that they should be supported by the different functions I mentioned earlier and by others, such as facilities, communications, and so on, since I don’t think they can operate efficiently if kept in a silo.
I hope I’ll be able to continue the discussion that started with the two gentlemen, and I would also very much like to have your opinion on the topic, either on this blog or on Twitter @TFrenehard.
Originally published on the SAP Analytics Blog