Weaving Business Continuity into the Fabric of Enterprise Risk Management
Deloitte Insights video
Many organizations have invested in business continuity programs over the past few years, but when push comes to shove, are they actionable? Learn about key elements needed to develop effective programs for business continuity, and leading practices for weaving these programs into your enterprise risk management strategy. Watch this episode of Deloitte Insights to learn more.
Martin Goulet, Director - GRC Product Marketing, RSA Archer, EMC Corporation
David Sarabacha, Principal, Deloitte & Touche LLP
Sean O’Grady (Sean): Continuity of business processes, infrastructure, and employee productivity in the face of a destructive event may be a challenging task for businesses of all sizes. That is why on this episode of Insights, we will be evaluating the elements needed to help develop effective and sustainable programs for crisis management, emergency response, business continuity, and disaster recovery. Joining us in the studio for this conversation is Martin Goulet, Director of GRC Product Marketing at RSA Archer, the Massachusetts-based security division of EMC Corporation. And we also have with us David Sarabacha, a principal from Deloitte & Touche LLP, who is also the global and U.S. leader of Resilience Services, a key element of our Security and Privacy practice. Gentlemen, so over the years there have been varying degrees of effort put forth in this area; how would you summarize the confidence level that managers have in their current plans and ultimately the readiness of those plans?
David Sarabacha (David): Well Sean, I believe that many organizations over the last few years have invested money in these various disciplines really thinking they are making progress toward an achievable end, really being able to recover the business in the event something unusual happens. The challenge really becomes — are those actionable, can they really be used in the event a bad situation hits, and what we found through many different assessments is that the testing and the validation of these capabilities just aren’t there. The individuals do not understand what their roles are, and in fact, many of them are worried about their families and their personal assets first and aren’t anywhere prepared to start working with the company to get the action starting in a timely way.
Sean: So the plan might be in place but maybe not as effective as you might hope. How do you feel about that Martin, would you agree?
Martin Goulet (Martin): I think David has hit on some key points. I think the only thing I would add is the degree to which there is comfort in executive teams around their ability to respond to a crisis event is largely driven by a number of things — the maturity of their programs, their readiness, the extent to which they have done thoughtful planning from the top of the organization to the bottom, and in some cases it is driven by their experiences with handling crisis events. There is nothing like surviving a difficult situation for an organization to make them feel like they can go through that again, but not everyone has the opportunity nor would anyone want to have the opportunity to go through that event. I agree very strongly that testing at the process level, at a granular enough level where you can see the elements of the plan in action in your test environment will give the executive team confidence that the plans that they have weighed will be well executed in the event of a crisis.
David: I also believe that a lot of folks see this as a technology problem, regardless of whether you are a technology company or just reliant upon technology for your everyday transactions. The history of this particular discipline has really been centered around the ability to recover your datacenter and your communication capabilities through that data. Things have evolved dramatically over the last several years, and people realize and appreciate the fact that the people, the vendors, the facilities play a key role as well. So thinking about this very holistically as something that some have done a great job, some have focused through a compliance initiative, some have done it more through a customer mandate, others do it just because it is the right thing to do and protect the organization, but whatever drives it, it needs to be actionable, and I think that really is the key to this as when some organizations focus on compliance, what they get is a paper exercise that is not really something they can use when the time comes.
Martin: I think one of the factors that is involved is almost half of the people that we have surveyed recently say that they can’t quantify the risks involved in their business continuity and disaster recovery plans, and if they can’t quantify the risks that they are facing in advance of a threat, then they don’t know where to apply the resources to prepare for those contingencies which might occur.
David: The other element I would add to that is one of the primary focuses has been what you can control. So your own assets within your own organization and right now I see a large push toward the supply chain focus. You can imagine from the events of 3/11 and others globally that raw materials and supply chain interruptions have created a ripple effect that organizations haven’t really adequately planned for. We have worked with several different organizations that do a supply chain management program, but those tend to go to only a tier-1, tier-2 level, meaning the closest to the finished product and don’t go deep enough or back into the raw materials to really understand what the implications could be at the very elementary level, especially with a lot of the global suppliers that they have.
Sean: You are talking a little bit about supply chains and I am wondering are there other leading practices in the marketplace that are currently going on, what are we seeing out there?
David: With respect to supply chain, there are some industry groups that are getting together in an effort to not have every large end producer, whether that be health care or consumer products, coming after every supplier in the supply chain and asking them about their level of preparedness. They are coming at it from an industry group perspective, and so what we are doing is helping some of those industry groups gather that data, look at it in a noncompetitive way, but in a resilient way for the industries that would include financial services, automotive, and health care, to be able to know that a lot of them share the same suppliers, and so in order to not put a burden on those suppliers in terms of gathering data in this discipline, doing it once, collecting it, and then sharing it in a kind of a neutral fashion protects everyone, the consumers as well, especially as it relates to health care and mandatory drugs.
Martin: There is the ask once, answer many aspect that David hits upon there, and there is also the trusted third-party assessor element I think that you also hit on. Underpinning that, as far as the leading practice goes, though, is the integration required between the business continuity planning and other key disciplines in the organization like enterprise risk management, vendor risk management, and compliance that we are seeing. Some of our leading clients involved in this that feel the most confident in their ability to respond are doing an effective job at integrating those disciplines through the planning process and through the testing so that when they hit crisis phase, if they are to hit it, then they are ready for it.
David: I think it is important to point out too that this is not just a reactive game. A lot of folks think about this and go over what I am trying to do is prepare for another earthquake, another flood, another terrorist act. Although that is important obviously, that is not necessarily the driver for this. The idea is that you build resiliency in. So you are trying to eliminate single points of failure, you are trying to reduce and control as much of the risk and the impact as you can before it ever happens, and that is really where the value of this is because if you do this planning properly instead of it being perceived as an insurance program, it could be an operational enhancement. I can actually do things in the day-to-day operation of my organization that minimize my risk, so if something does happen outside of my control or otherwise, I will have lesser impact and be able to potentially just roll right through it with minor indicators to the general public or to my customers.
Sean: So that moved from reactive to proactive.
Martin: And the other aspect of that is the move from thinking about the business continuity process as a periodic or episodic event and more as an ongoing process of both the plan refinement as well as the testing and changing the plan based on the results of the test. So I think there are several key dimensions that we are seeing as leading practices of moving from fixed point in time thought to an ongoing process thought.
Sean: Continual progression as opposed to create it and then shelve it and walk away from it. You in your previous answer had also talked about some technologies; how are those technologies framing the future of the suggested strategies that you are speaking about with some of your clients?
Martin: So, really, the way we are seeing the discussion about how to apply technology in this space is that it really starts with how do I automate some of the, what we call the drudgery, how do we get rid of some of the work that is too manually intensive, too difficult, too time consuming, especially for the business stakeholders who need to be involved, so that is where the notion of ask once and answer many is so critical, because we can’t involve the business stakeholders and waste their time in the business continuity planning process, so that is one of the key factors. Interestingly, we have done some research recently and only around 20% of the respondents say that they have got processes that are automated with a tool across their enterprise today. So clearly, there is some opportunity for improvement there, and another key aspect we are seeing in terms of the application and successful adoption of technology is in the theme that we hit on earlier, which is the integration. Integration across the enterprise with the key functions that are impacted by the business continuity plan, whether they be the operational processes, whether they be the risk management or the compliance processes, all of those are being much more integrated with the technologies that we are seeing our customers adopt today.
Sean: David, same thoughts? Over to you.
David: I think that the compilation of data, we are in an environment where compliance is ever growing. There are more and more regulations coming out, more and more mandates, whether it is industry specific or geographically driven; the necessary collection of data from a risk and reactionary perspective is growing and growing, and we have our own programs in our enterprise risk management, governance risk and compliance, resiliency, business continuity, all these different named programs that are out there, all in effect trying to do the same thing really, which is proactively and then reactively manage and react to an event. And by bringing all that data together in one repository really saves you time obviously, it would give you better results because everybody is looking and working from the same set of data, and you will be able to create more actionable plans and then certainly maintain it going forward. A lot easier than you would, say, with an attempt at SharePoint sites and large Word documents, that yes you can cut and paste, but practically do people do that — no.
Martin: The real surprise that some of our leading companies that we have engaged with on this topic have found is that if you effectively automate the processes and you effectively integrate at least across the key disciplines, then you can actually do a better job by spending less money.
David: I think that also by having the tools set up properly, the analytical aspects of this are very important. What I mean by that — typically when people go out and gather risk management information, they do it during an interview process or a survey process, they put it somewhere, that kind of just sits, and the only objective is to put out a report, maybe take a couple of action items and go. By having the proper tools and the data collected and then having it maintainable so that as sales change in a particular region or product mix changes, you can run different queries against that, and a lot of people can do it. We are not talking about a massive training exercise, a whole other large ERP-like training exercise for your company, but something that really everyday operational folks can go in and use and come up with good strategies to manage their risk day in and day out, so that again you are moving it to the proactive operational side of the house and not so much this necessary evil.
Sean: Gentlemen, thank you both for your time today.
Martin: Thank you Sean.
Sean: We have been discussing business continuity and enterprise risk management with Martin Goulet, Director of GRC Product Marketing at RSA Archer and with David Sarabacha, a principal from Deloitte & Touche LLP.
If you would like to learn more about Martin, David, or any of the topics discussed on today’s broadcast, you can find that information on our website. It is www.deloitte.com/insightsus.
For all the good folks here at Insights, I am Sean O’Grady, we will see you next time.