Tuesday, March 18, 2008

Business Continuity Planning (BCP), meet GRC

Having spoken frequently on how organizations can address Business Continuity Planning (BCP) more effectively using the principles and processes of GRC at a speaking engagement with the Business Continuity Planners Association last year, I facilitated an exploration of the concepts and characteristics of GRC allowing the attendees an opportunity to simulate and acknowledge how a GRC approach could be applied to managing the BCP process. I more recently read with interest a statistic from Stephanie Balaouras at Forrester Research that of the companies actually having formal BCP processes, only 50 percent use applications of some kind to manage their plans while 50 percent use general software such as Excel spreadsheets.

It’s maybe a little ironic but understandable that the processes and tools to do BCP are often less than resilient themselves. As companies struggle to develop and maintain working plans with limited budgets and resources, it’s easy to see how a “making the best of it” approach could be applied.

With boards, investors and regulatory bodies wanting more visibility into the kinds of governance processes, infrastructures and supply chain risks that are low probability but high impact, such as the recent Internet outages for major parts of India and the Middle East, I propose that it is a good time to review what we have learned from SOX and other GRC practices and apply good principles and processes, and yes software, to BCP.

If you are currently using or planning to use a GRC platform, take a look at what you do for your current approach to BCP, and see if it doesn’t fit well into your GRC processes.

What are some of the things you do in a BCP?
1. Utilize targeted assessments to identify critical assets and priorities
2. Define and communicate policies and procedures
3. Manage roles and responsibilities
4. Manage program change control activities
5. Manage the periodic testing and remediation activities
6. Maintain auditable evidence of a sound program

Sound familiar? Mature GRC management applications like Axentis support these activities quite well. If you’d like to explore how GRC practices and the United States Sentencing Guidelines can be applied to your BCP processes, send me an email at bcurran@axentis.com. Maybe it’s time to apply a little GRC to BCP.
