June 2008 Archives

After reading an article from the Disaster Resource Guide - Executive Issue (Volume 12, Issue 3), I wanted to comment on one of the articles in the guide.  The article, "Business Continuity Planning and Enterprise Risk Management", by John R Phelps, gave an account of how Blue Cross and Blue Shield of Florida, Inc is allowing Business Continuity Management (BCM) and Enterprise Risk Management (ERM) programs to collaborate and integrate together.

Usually, Risk Management (RM) and Business Continuity (BC) plan in silos, meaning each works with business units towards its own goal, and the goals of BC and RM may not be a common one. This causes frustration and long-term planning gaps for the business units, because they do not see how Risk Management and Business Continuity can work together to make their plans more viable, usable and realistic.

Risk Management assists business units in identifying the vulnerabilities in their business processes. Like Business Continuity, Risk Management owns neither the business process nor the vulnerabilities; it is responsible only for helping the business unit identify them and for providing information on how to mitigate them within acceptable means. The business units remain responsible for the continuity of critical processes and for mitigating potential risks.

It makes sense that Business Continuity and Disaster Recovery are components of Risk Management. By using information from the risk analysis, recovery plans can be written for critical applications, services or systems. These critical processes can be determined by completing a Business Impact Analysis (BIA), but the BIA only helps determine the impact of an outage, not its likelihood. So a Risk Assessment should also be completed by the business units. The Risk Assessment helps identify the local vulnerabilities, while an Enterprise Risk Management analysis should be able to see the big picture and determine the likelihood of an event occurring and how that may affect various business processes.

Within the article, John Phelps refers to three models of how BCM and ERM can work together:

1. Having a central management for both BCM and ERM. This is the model Blue Cross and Blue Shield of Florida, Inc. uses.

2. Create a shared responsibility with BCM and integrate the functionality into ERM.

3. Maintain BCM and ERM programs in separate silos. This is the model Penn State uses. According to John Phelps, this model is the least effective and efficient.

How can we move in this direction? All groups working on any type of recovery at Penn State are meeting on a regular basis to ensure we all understand the objectives of the type of recovery we are working towards. At some point, it would be beneficial for Penn State to integrate some of this recovery planning effort so that we are all working towards the same goal: ensuring Penn State will be able to instruct students, provide research and outreach. "We" (all Penn State employees, faculty and staff) need to ensure we will continue Penn State's mission in the event an outage occurs which could put that mission at risk, while still maintaining a safe environment for all. That is what we are all working towards, and hopefully we will begin to align our efforts so that we can accomplish it.

About this Archive

This page is an archive of entries from June 2008 listed from newest to oldest.
