Three important activities in running a business include governance, risk management and compliance, or GRC. They are used to help the organization achieve its goals and typically work best when aligned together, complementing each other.
Governance typically defines the management processes the organization uses to achieve its goals. Risk management identifies situations that could negatively impact the firm's ability to achieve its goals. It also helps identify the firm's risk appetite, or the amount of risk the organization is prepared to accept. Compliance with key standards, practices, regulations and other similar controls helps ensure that the organization achieves its goals using the most appropriate methods. In practice, each of these activities should work together as a comprehensive GRC program so that the organization has the best information available for achieving its goals.
Business continuity (BC) also helps an organization achieve its business goals by ensuring events that threaten the continued operation of the organization can be identified, prevented and mitigated if they occur. A major activity in the BC process involves understanding how the organization functions. This typically includes researching and identifying the mission-critical business processes, the technologies that support those processes, the people needed to perform the processes and the strategies for achieving business recovery in an emergency. Two important tools for gathering this data are the business impact analysis (BIA) and the risk assessment (RA).
What to look for with the BIA and RA
Data acquired during the BIA and RA activities can be used to support the organization's GRC program. Let's examine them more closely.
In the BIA, we are looking for information on how the business operates, especially by identifying its most important processes. To properly understand how mission-critical processes impact the organization, another activity in a BIA is to understand how the organization functions. That includes:
- the impact of a loss of mission-critical processes to the organization;
- the technologies that support key processes and the overall business objectives; and
- the financial, operational, competitive and reputational implications to the business if a loss occurs.
Each of these activities contributes to governance of the organization.
When conducting an RA, we are looking for situations -- both internal and external -- that could have a negative impact on the organization's ability to perform its mission-critical functions. We identify a variety of risks and vulnerabilities, then try to quantify the likelihood of an event occurring, the potential severity of the event on the organization and the financial and operational impacts to the firm. Data for RAs comes from many sources -- some highly empirical (such as underwriting tables) and others more subjective (such as employees' experience with specific risks). These values are then combined to obtain a risk rating score, which is then used to prioritize the risks, threats and vulnerabilities to the organization in terms of prevention and mitigation.
BC and GRC teams should work together
BC professionals are well aware of the importance of compliance. Several international and domestic BC and disaster recovery (DR) standards have been developed over the past 20 years. Standards, regulations and good practices all contribute to the various activities in a BC program. From an audit perspective, compliance with standards and regulations is increasingly important to ensure a successful audit. Prospective business partners and customers increasingly want to see the results of BC and DR audits as part of their decision process.
The information we have been obtaining through various BC activities can all be used by a GRC function. The challenge may be for the GRC team to collaborate with the BC team so that the BC information can be reviewed and used by the GRC team. It is counterproductive not to use data from BC activities in a GRC program. However, it is usually incumbent on both teams to connect and begin sharing information.
BIA data can be leveraged by the governance team, RA data can support the risk team and standards expertise can support the compliance team. The BC team can continue performing its normal activities, but now, it adds value to the GRC team by sharing data from its various activities.
All too often, internal departments are either unaware of other complementary groups that can add value to their efforts, or there may be a fundamental silo mentality that needs to be superseded by greater data sharing and collaboration. The BC function can be an essential source of useful data to an organization's GRC program.