GRC for Business Continuity Professionals

Rob Giffin | Sep 16, 2011

Many business continuity professionals have expressed concern and uncertainty regarding the future of business continuity and how it will ‘fit’ with newer concepts like GRC (Governance, Risk and Compliance) and ERM (Enterprise Risk Management). In truth, these different ways of managing risk and optimizing business performance could significantly affect how business continuity programs are run. But, in the end, the importance lies in managing obligations and risk in the most efficient and cost-effective manner possible so the organization can thrive and meet stakeholder expectations. This article dissects the current state of GRC and what business continuity professionals need to know and do about it.

Background and Definitions
Let’s define each of these terms based on their age (oldest to youngest).

  • Business Continuity Management (BCM): Strategic and tactical capability of the organization to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable predefined level. (BSI/ASIS)
  • Enterprise Risk Management (ERM): A process, effected by an entity’s board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. (COSO)
  • Governance, Risk and Compliance (GRC): A coordinated set of functions that support strategic decisions and actions to maximize business performance within acceptable risk thresholds and increased control. (Forrester)

It’s important to note the word coordinated in the GRC definition. Not consolidated or centralized, just coordinated. This is the first indication that GRC isn’t about rebuilding or even absorbing risk management efforts such as business continuity, information security and compliance. Rather, it’s about integrating assessment-related processes, sharing information and coordinating outcomes to avoid overlap and gaps.

Why Implement GRC?
Unfortunately, MANY modern organizations have little or no coordination between risk-related groups such as:

  • Information Security
  • Physical Security
  • Business Continuity
  • (Enterprise) Risk Management
  • Quality
  • Legal
  • Compliance
  • Human Resources
  • Internal Audit
  • Insurance
  • Contracts/Sales/Business Development

In many cases, these groups have their own language, processes, and technology and don’t share results. What would happen if they did?

An organization that leverages each group’s talents and coordinates among them could receive a number of benefits, including:

  • Cost Savings
    – Host a single, centralized repository or understanding of obligations (legal, regulatory, contractual)
    – Lower compliance costs by documenting controls once and then leveraging them and their associated documentation for a variety of obligations
    – Reduce incidents and penalties by understanding how risks affect various groups and aspects of the business
  • Enhanced View of Risk
    Seeing critical risks and compliance obligations/challenges across the business, with the ability to prioritize risk treatments and assign actions to the appropriate subject matter expert(s) for closure
  • “Optimized” Risk Taking
    When an organization invests in mitigating unreasonable/unacceptable risks, it frees the organization to take larger risks in areas that contribute to growing shareholder value

As you can see, GRC is an interesting idea with great potential! Thus far, the most visible examples of GRC in action come from GRC software vendors and the work they have done to enable the sharing of information through reports and metrics among all entities that share a responsibility in managing risk.

GRC Software
Sometimes, it seems like the only people pushing GRC are software providers, but a key reason for this is that technology can, and will, play an important role in bringing disparate groups together, mainly by:

  1. Enabling structured sharing of information that can be documented once and shared with many groups. Examples include: management strategy, objectives, expectations (governance), threats/vulnerabilities (risk), obligations (compliance) and the controls the organization employs to handle each.
  2. Reporting up-to-date results of assessments and actions across the organization.

So, is GRC nothing more than a tool? No, absolutely not (unless the organization buys a tool and stops there). Instead, the technology is a core element needed to enable the people charged with risk management to efficiently execute the GRC process (assessment, decision-making, action and continuous improvement).

While GRC software is often an enabler of an organization’s GRC effort, unfortunately, today’s market-leading GRC software packages do not support the type of lifecycle business continuity management system (BCMS) that most continuity professionals expect. In fact, many GRC packages focus exclusively on Compliance, Audit and Risk Management – omitting quality, security or business continuity altogether.

The Role for Business Continuity
If GRC is all about coordination among a broad set of risk-oriented groups, but GRC software doesn’t yet provide the foundation to fully integrate them all, how does business continuity fit in?

This question speaks to the overall immaturity of GRC frameworks. While the technology has matured in many areas, the process model is still in its infancy. Further, there are no formal standards on GRC at this point, and the only independent non-profit group working on a framework is OCEG. Nearly all other information on GRC is coming from software providers and consulting organizations with proprietary approaches.

Despite the fact that GRC is still maturing, there are some things you can do today!

  • Stay current on GRC and Risk topics
    While you may see yourself as a business continuity professional, you are actually part of the broader risk management community and have an important view to provide – so, stay up to date with the latest ideas!
  • Informally ‘coordinate’ with peer risk and compliance groups
    GRC doesn’t have to be in the organization’s strategic goals for you to get out there and talk to your peers in other risk and compliance-related groups! Think about forming a risk committee that shares information and discusses how each group can help the others. Simply talking on a regular basis is a great way to break down barriers to coordination.
  • Expose executives to a culture of risk management
    If your organization doesn’t have an ERM or compliance group and doesn’t ‘think’ regularly in terms of risk and reward, then you may be the key to exposing them to that perspective. A business continuity steering committee, for example, is a great place to start discussing how business continuity fits and supports broader risk management efforts.
  • Align business continuity outcomes with GRC concepts
    If you know your organization is pursuing GRC, get involved! Talk with GRC team members about ways you can align the business continuity program to provide input into the GRC effort and receive guidance from it.

An Uncertain Future
It’s important to note that the relationship between ERM and GRC is one that is still evolving. Many organizations have become comfortable with the concept of ERM since its introduction in 2005. An ISO standard on Risk Management has helped to evolve ERM into a simpler, more accessible approach. However, GRC may eventually replace ERM as a more comprehensive way to drive cohesion among risk and compliance efforts.

How Avalution Fits
At Avalution, we regularly help organizations incorporate organizational change into their continuity programs. Every organization is different and faces unique challenges – we’re passionate about helping business continuity programs navigate those challenges and develop into their full potential. If you’d like our perspective on your particular situation, feel free to contact us to discuss further.

Every business continuity professional needs to know that business continuity isn’t going to get consumed by GRC! GRC represents a new view of how a broad set of risk and compliance functions can work together to improve business performance. As it evolves, business continuity professionals can play a key role in shaping the future of risk management and the way business continuity fits into that future.


Robert Giffin
Avalution Consulting: Business Continuity Consulting