Integrating business continuity management with IT risk management

LockPath's Chris Goodwin says disconnects create risk instead of reducing it

Most organizations are transitioning, or have already transitioned, to a risk-based approach to security management. However, many of those IT risk management practices still suffer from a degree of fragmentation that hinders the ability of executives to see a reasonably complete picture and make well-informed, commercially reasonable, legally defensible decisions.

Specifically, business continuity management (BCM) teams have historically operated as separate functions, quietly laboring on, with or without much more than tacit support from IT and the business, rather than being fully integrated within IT risk and compliance ("GRC" or "IT GRC") programs.

[Also read 4 critical trends in IT business continuity | How to perform a disaster recovery business impact analysis]

Traditionally, this separation between BCM and IT has occurred and persisted due to a lack of shared world-view. BCM teams have been employing a risk-based approach for longer than IT or their cousin information security (infosec) teams. Additionally, the data-sets used for managing each program has often had minimal overlap, for better or for worse. Similarly, reporting tools tend to have little overlap as they tend to grow independently to meet the needs of each faction, rather than coming from a common pedigree. Fortunately, IT GRC tools have now begun integrating BCM functions and reporting, allowing business leaders better, more complete insight into operational risk.

Parsing the Need for Tool Integration

An inevitable question here is whether or not tool integration is important or necessary. After all, if teams have lasted this long on their respective platforms, then surely everything is ok. While this may be true to a degree, the reality is that disparate practices do not scale well, especially when considering contemporary demands and expectations for performance (such as "commercially reasonable security").

There are three main considerations in parsing the need for better tool integration between BCM and IT/infosec. First, integrating tools helps to break down silos across the organization, facilitating a better understanding of the business while improving information-sharing and connecting compliance and risk objectives with specific business continuity plans and procedures. Doing so reduces the level of effort required in building and reviewing plans by cutting down on the amount of time spent chasing down various needed datasets.

Second, tying BCM into a standard IT GRC platform used by IT and infosec helps to eliminate redundant efforts. Operations teams have a routine duty to recover from normal interruptions and failures, and infosec teams often maintain an awareness of relative system value and threat conditions. There is no reason not to leverage these, and other, routine practices within the BCM program. At the same time, there is much that IT and infosec can learn from BCM teams with regards to conducting consistent, repeatable business impact and risk assessments, as well as tying relative system value to key strategic objectives.

Finally, through integrating approaches, business continuity plan quality will improve as the BCM team can leverage expertise from IT and infosec, as well as enjoy access to operational datasets that will aid planning. Integrating BCM and IT/infosec will also improve overall operational risk awareness and management through improved risk visibility.

More on managing business risk

BCM: The Long-Tail of Operational Risk

We're quite familiar with "daily" risk factors, which tend to occur with a relatively high frequency, but often represent a low to moderate impact. However, it's rare to also include the long-tail considerations as part of a standard IT risk summary (i.e., low to very low frequency, high to very high impact events). These "long-tail" risk factors often describe unstable conditions (a key risk "qualifier" term denoting low-frequency/high-impact risks), which may not seem to neatly fold into routine IT risk analyses. Yet, accounting for the full spectrum of risk factors is important for being comprehensive, and for conducting a legally defensible, commercially reasonable security and risk management program.

Consider the following:"BCM planning is sometimes conducted with a very superficial level of risk assessment, or even with none at all. Although it has been well-understood that risk assessments are a necessary component of BCM planning, the line of business sometimes considers them to be time-consuming and too resource-intensive. This opinion has been justified, given the general lack of effective risk assessment methods and tools, and often exacerbated by the inappropriate use of such tools and methods. Furthermore, given that BCM planning is often focused on low likelihood, high-impact events, the emphasis of the risk assessment is typically on planning for the possibility of a catastrophic event, rather than the probability of the event happening."

(From "Hype Cycle for Business Continuity Management and IT Disaster Recovery Management, 2012, Risk Assessment for BCM," Analysis by: Tom Scholtz, Gartner Research)

This quote reinforces the notion that BCM addresses the long tail of risk concerns. As such, it's very important to roll BCM risk reporting up with the rest of IT and infosec risk reporting. It also highlights what could be considered a dirty little secret within BCM: that risk assessment practices may not be nearly as mature as we might have believed. Even though BCM teams have been talking about risk assessment for a long time, the reality is that many of these assessments are lacking in maturity and quality. The opportunity exists now to integrate BCM teams with IT and infosec teams by way of a common platform that provides a consistent, refined approach to risk assessment, analysis and management.

Improve ORM: Integrate BCM with IT GRC

Overall, achieving a unified vision of operational risk is achievable, but only when the full risk spectrum is considered, leading to a better understanding of the business and the risks it faces. By integrating BCM and IT GRC, planners will get a single unified risk picture to present to the board instead of assessing independently and inconsistently, ultimately leading to different priorities and confusion at the board level as they try to determine which team is right.

Also of importance is the ability to continually evolve and advance operational risk management practices with visibility into the full risk spectrum, including ensuring that long-tail risk factors are properly addressed through adequate policies and planning."Like all policies and procedures, even the best recovery plan can rapidly become obsolete. Consider the recovery plan a living document, and put in place a continuous process improvement process for regular plan reviews (annually, at a minimum) and event-triggered plan reviews (such as changes in operational risk profiles, business or IT processes, and applicable regulations, as well as exercise results showing a gap in plan actions versus current recovery needs)."

(From "Hype Cycle for Governance, Risk and Compliance Technologies, 2012, Business Continuity Management Planning Software," Analysis by Roberta J. Witty, Gartner Research)

Leveraging integration opportunities between BCM and IT GRC will provide a ready mechanism for improved policies and procedures, enhanced visibility into operational risk concerns and reduced cost through de-duplication of efforts and use of shared datasets. The end result is a better, more tightly run operation that is prepared to comfortably deal with both daily and extraordinary events as part of routine business, helping to ensure business survival through legally defensible, commercially reasonable practices.

Chris Goodwin brings 10-plus years of enterprise software design and development experience to his role as CTO of LockPath, where he is responsible for all research and development. Goodwin previously served as the product architect of the Archer SmartSuite Framework and managed the R&D team of Archer Technologies, which was acquired by RSA, the security division of EMC, in 2010.

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.
How much is a data breach going to cost you?