Did you know that Business Continuity Awareness Week 2013 takes place March 18–22, 2013? The theme this year is ‘Business Continuity for the risks you can see and the ones you can’t.’
The theme announcement was made by the Business Continuity Institute (BCI), the organization that coordinates Business Continuity Awareness Week. The BCI explains that “In a world of increasing uncertainty and constant change, organizations are confronted with an ever growing range of risks to deal with. Business continuity enables an organization to increase its capability to respond to any existing, emerging or unknown risk by focusing on mitigating the impact of any disruption on the most urgent and high priority activities.”
RSA Archer helps customers focus on risk management, whether it be continuity-related risk, operational risk, audit risk, enterprise risk or many other risk types. Business Continuity (BC) risk has been part of the Governance, Risk and Compliance (GRC) picture for years, but the challenge has been, and still is, how to better integrate with other related risk disciplines by driving common approaches to identify, mitigate, monitor and treat risks. This should then drive smarter BC strategies that further reduce risk.
Here's an example of this concept in practice today. The BC profession has been dedicated to developing and implementing effective business and IT recovery plans and has done so quite effectively. However, organizations are increasingly looking at BC groups as an integral part of their Enterprise Risk Management (ERM) framework and resources, expanding their importance and scope, yet also increasing the range and complexity of risks they have to deal with. BC teams are being expected to think outside the box of typical BC-type risks (e.g., what happens if we lose a facility or a process is disrupted) to such areas as upstream supply chain risk (e.g., a critical partner's critical partner is impacted), extended regional risks (e.g., what happens in China affects India, which affects our organization in London), or regulatory risk (e.g., a distribution facility is shut down, so where do we ship from?). Just from these examples, we see risks are becoming more diverse, more complex and less predictable and, I would add, even more critical and impactful.
Further to this point, I'm writing this while attending the 2013 RSA Conference in San Francisco. The conference focuses on information security and related topics, and there has been an amazing array of speakers, excellent sessions and partner presentations. I mention this because I'm learning so much more about how topics seemingly unrelated to BCM are indeed related and represent risks we either choose to mitigate or ignore.
Finally, let's talk about BCI's statement about focusing on the risks that are most urgent and of highest priority. This is absolutely critical, but the challenge is how to do this proactively, before you're in that dreaded "knee-jerk reaction" mode. As every good BC professional or risk manager knows, some of that inevitably happens, but there are ways to plan ahead. One way is to really understand your priorities, again not just for BC but for the organization. What's important from a strategic standpoint to the organization should be what's important to the BC program, and should drive your risk planning and recovery priorities. Often, in the heat of the moment, you're pressured to throw what you've done and planned for out the window. It's always important to be flexible and adaptive, but also to have confidence in your decisions and planning.
Hopefully this has given you some food for thought. So, for this upcoming Business Continuity Awareness Week, take the time to evaluate your BC program and approach. Strengthen BC by making it an integral part of your larger ERM approach.
PS, I'm looking forward to attending DRJ Spring World in Orlando, Florida from March 17-20. If you're going to be there let me know - I'd love to connect with you.