PSU Business Continuity BLOG
- How do Business Continuity Planning and Risk Management Work Together?
After reading an article from the Disaster Resource Guide - Executive Issue (Volume 12, Issue 3), I wanted to comment on one of the articles in the guide. The article, "Business Continuity Planning and Enterprise Risk Management", by John R. Phelps, gave an account of how Blue Cross and Blue Shield of Florida, Inc. is allowing its Business Continuity Management (BCM) and Enterprise Risk Management (ERM) programs to collaborate and integrate.
Usually, Risk Management (RM) and Business Continuity (BC) plan in silos, meaning each works with the business units towards a goal; however, the goal for BC and the goal for RM may not be a common one. This causes frustration and long-term planning gaps for the business units, because they do not see how Risk Management and Business Continuity can work together to make their plans more viable, usable and realistic.
Risk Management assists business units in identifying the vulnerabilities in their business processes. Like Business Continuity, Risk Management does not own the business process, nor the vulnerabilities. It is only responsible for assisting the business unit in identifying them and providing information on how to mitigate them within acceptable means. The business units are still responsible for the continuity of critical processes and for mitigating potential risks.
It makes sense that Business Continuity and Disaster Recovery are components of Risk Management. By using information from the risk analysis, recovery plans can be written for critical applications, services or systems. These critical processes can be determined by completing a Business Impact Analysis (BIA), but the BIA will only help determine the impact of an outage, not the likelihood of one. So a Risk Assessment should also be completed by the business units. The Risk Assessment helps identify the local vulnerabilities, but an Enterprise Risk Management analysis should be able to see the big picture and determine the likelihood of an event occurring and how it may affect various business processes.
Within the article, John Phelps refers to three models of how BCM and ERM can work together:
1. Having central management for both BCM and ERM. This is the model Blue Cross and Blue Shield of Florida, Inc. uses.
2. Creating a shared responsibility with BCM and integrating its functionality into ERM.
3. Maintaining BCM and ERM programs in separate silos. This is the model Penn State uses. According to John Phelps, this model is the least effective and efficient.
How can we move in this direction? All groups working on any type of recovery at Penn State are meeting on a regular basis to ensure we all understand the objectives of the type of recovery we are working towards. At some point, it would be beneficial for Penn State to integrate some of this recovery planning effort so that we are all working towards the same goal: ensuring Penn State will be able to instruct students and provide research and outreach. "We" (all Penn State employees, faculty and staff) need to ensure we will continue Penn State's mission in the event of an outage that could put that mission at risk, while still maintaining a safe environment for all. That is what we are all working towards, and hopefully we will begin to align our efforts so that we can accomplish it.
- Disaster Recovery Journal - Spring World Conference (March 2008)
Last month, several of us from Administrative Information Services (AIS) attended the Disaster Recovery Journal (DRJ) Spring World Conference in Orlando. I have had the opportunity to attend this conference for the past several years, and thought I would share some of the information we were able to bring back.
First, I would like to mention that the conference draws about 1300 business continuity professionals from various industries. Over the past few years, I expected the number of higher education institutions attending this event to increase, especially with all the recent events in the news. I was disappointed again this year that higher education turnout was low. Here's hoping for a better year next year!
Our group had an opportunity to sit in on many great sessions. Topics included IT strategies for recovery, BIA, Risk Assessment, Risk Management and Global Warming - yes, a wonderful speaker talked about how business continuity professionals will need to deal with the risks and vulnerabilities that are being, and will be, caused by global warming.
The greatest piece of knowledge I was able to bring back from the conference is that the process we are developing at Penn State for business continuity planning is in line with the process that large corporations are using. It provided validation of the process we are rolling out across the University, which gives our team more confidence in pushing ahead and continuing to make progress.
It was interesting to hear that corporations still struggle with getting executive support for business continuity planning. Though it is getting easier with all the events that have occurred across the world, executive management still does not see the value in using the plans for more than just recovery. They have a hard time using this information for strategic planning and for understanding the breadth of their operations. Some of the corporations that are successful in planning have executive support, and they seem to understand the importance of not only having these plans, but actually using them to their fullest potential.
My final observation is that corporations that believe in the process give authority to the business continuity professionals. They create a Business Continuity Office, which has the responsibility and authority to oversee all the planning efforts for the Enterprise. As