We believe organizations today face more risks and changes than they are positioned to keep up with. Business Continuity Management (BCM) or Business Resiliency (BR) programs are no different. These programs have existed for many years, yet most have not evolved to keep pace with the magnitude or velocity of the business changes, risks or compliance requirements their organizations face.
To mature from business recovery to driving resiliency into the organization, BCM teams must address risks and compliance together with their governance, risk and compliance (GRC) programs. They must take a coordinated, risk-based approach, because siloed, BCM-only approaches are not sustainable. Most BCM teams agree with this, but the most common question is, "where and how do we start?"
The first step is to understand where your BCM program lies on the maturity spectrum versus where you should be. The RSA Archer Maturity Model defines five stages as follows:
The Siloed stage, where many organizations sit today, is characterized by BCM teams in constant fire-fighting mode.
The focus is mainly on compliance activities and on reacting to basic risks, so the team cannot see beyond the immediate threats. BCM programs in the Siloed stage usually address risks and compliance on their own, disconnected from the rest of the organization.
To move from Siloed to the next stage, you need to Transition by taking "compliance stress" off the table and solving regulatory needs in the most efficient and effective manner. This requires building a cohesive strategy to deal with the basic requirements of doing business by:
- automating compliance processes and eliminating duplicated effort and data silos;
- focusing on building effective processes such as the business impact analysis (BIA), incident management and recovery planning;
- collaborating across IT and business functions to establish connected strategies.
Once you free up resources from compliance activities, you can redirect them to evaluating and responding to risks, which moves you into the Managed stage. In the Managed stage, you have expanded your visibility into issues through a common data repository and analytical capabilities, defined and continuously improving BCM processes, and efficient methods to measure, monitor and report on BCM activities. Compliance and risk processes are in an operational state: repeatable, consistent and producing solid reporting of gaps and issues. Organizations in this state become aware of the various risks they are juggling and put individual plans in place to manage those risks within the context of a broader strategy. The organization understands the risks on its landscape, and this progress is increasingly fueled by visibility into risk through metrics and analysis capabilities.
To move from Managed to Advantaged, organizations need to Transform from recovery planning to driving business resiliency: connecting risk to business value, needs and activities, and moving beyond merely managing risk to anticipating the business' needs. This allows the organization to stay ahead of emerging threats and to design controls and plans that deal with the full variety of today's threats while meeting business objectives, moving the program into the Advantaged stage.
In the Advantaged stage, organizations have anticipated and addressed the 'negative' risk landscape through prescriptive and pre-emptive measures, and are poised to help the business explore the opportunity, or positive risk, landscape. A good example is an organization that cut its risk assessment process for new products and services from more than 40 days to a six-day turnaround. This enabled business executives to evaluate new business opportunities (i.e., positive risks) more quickly. This is what it means to manage risk at the pace of your business.
RSA Archer's BR solutions enable organizations to automate much of their planning and execution, focus on addressing risks effectively and become a "business enabler". Our latest Archer release, 6.1 in June 2016, enables organizations to implement individual use cases that help them move up the maturity spectrum. Look for my next blog, where I describe these use cases and how they can benefit your BR program as you advance toward business resiliency.