It is difficult to make an informed decision when you can’t see the whole picture. Unfortunately, many executives are forced to make critical risk management choices while only having a fragmented view of what is going on. This is the focus of an article by Chris Goodwin, Co-Founder and CTO of LockPath. Goodwin argues that the separation of business continuity management and IT support may be contributing to less-than-desirable risk management:
Traditionally, this separation between BCM and IT has occurred and persisted due to a lack of shared world-view. BCM teams have been employing a risk-based approach for longer than IT or their cousin information security (infosec) teams. Additionally, the data-sets used for managing each program have often had minimal overlap, for better or for worse. Similarly, reporting tools tend to have little overlap as they tend to grow independently to meet the needs of each faction, rather than coming from a common pedigree. Fortunately, IT GRC tools have now begun integrating BCM functions and reporting, allowing business leaders better, more complete insight into operational risk.
Goodwin also mentions that there is a good deal of consideration needed when using tools. What do we need? How much do we need? Do we even need anything? Goodwin notes that one must decide if a tool helps to break down silos, eliminates redundant efforts, and/or leverages expertise from IT. If your tool fails to meet even one of these requirements, it is most likely not useful for your risk management.
Goodwin reminds us that the ability to evolve to deal with business needs and risk management is one of the most critical components to success. Business continuity and risk management may never be on the same page, and everyone must be prepared for this reality. If your organization as a whole is able to adapt and resist falling into futile habits, you will surely see a return on your efforts.