I recently had the pleasure of presenting with a panel of RSA Archer customers on the topic of "Building Resiliency Across the Value Chain" for a Disaster Recovery Journal webinar.
Two key questions were posed to the attendees. The first question was: "Where is your organization on the business resilience scale?" The responses were:
- Recovery only (5%)
- Mainly recovery with some focus on resiliency (53%)
- Mainly resiliency with some focus on recovery (18%)
- Very resiliency-oriented (18%)
- Other (5%)
The second question was: "How closely do your business continuity/IT disaster recover/crisis management teams work with or integrate with operational risk teams?" The responses were:
- Not at all (2%)
- Sporadic discussions when required (32%)
- We are working with ORM more and more (28%)
- BC/DR/CM is well aligned with or a part of ORM (32%)
- Other (6%)
90% of respondents indicated they are addressing resiliency at some level, and 92% have BC/DR/CM teams integrated with operational risk management (ORM) teams. The alignment of responses to these two questions is not a coincidence. There is a direct correlation between business resiliency and effective risk management that more and more organizations are benefitting from as they continue to mature their operational risk management and business continuity or resiliency programs.
What does GRC maturity look like? The RSA Archer maturity model defines three stages for GRC maturity:
Diagram 1 - RSA Archer Maturity Model
As organizations mature their operational risk management programs, their business resiliency capabilities grow as well, often due to three factors:
- Methodologies - deploying risk assessment and treatment approaches (e.g., ISO 31000) and common business impact analyses (BIA) consistently across the organization
- Priorities - consistently applying common methodologies drives more aligned priorities and higher consensus
- Actions - clear priorities drive better understanding, prioritization, and execution
These three factors initiate proactivity, consistency, and alignment in both the risk management and resiliency practices and culture of the organization.
Risk management is, by its very nature, a proactive practice, as is business resiliency. The two go hand in hand.
For comments, contact me at Patrick.firstname.lastname@example.org or @pnpotter1017.