How To Apply Process Mapping Synergy Gains for Business Continuity and Disaster Recovery

Author: Alonzo Longshore, CISA, CRISC
Date Published: 6 October 2022

Business resiliency in the simplest of terms is a systematic way to bring down silos in organizations to increase collaboration for the good of the whole organization, especially in an environment that is constantly threatened by attacks. A practical way to start the process is through process mapping synergy gains from disaster recovery (DR) and business continuity (BC) planning.

When a process map is being completed from a control perspective, it automatically accomplishes at least three objectives.

First, it determines what the process is and what can go wrong. Are there threat vectors and are they risky enough to require controls? Because the process is being analyzed, this is also a great time to look for inefficiencies, which a process map can help make clear. A somewhat outdated option is to use fishbone diagramming to break down a process to look for inefficiencies and then make suggestions to increase efficiency. A well-done process map accomplishes both of these tasks at once, and much better than a fishbone diagram. An architect would not build a structure without architectural diagrams; the same goes for programs.

Second, a well-done process map can be used to build a responsibility assignment matrix, which includes determining who is responsible, accountable, consulted or informed (RACI). A process map can aid in establishing responsibility, even if it is shared, when teams cannot agree. 

Third, once the process map is completed, the DR/BC concepts of recovery time objective, recovery time capability, recovery point objectives, estimated recovery time capabilities, composite recovery time capabilities, single points of failure, crown jewels and Sarbanes–Oxley (SOX) controls can be used. The matrix can also be adapted to each individual organization based on what is most important to them. The information should be easily obtainable from the DR/BC team or a centralized database in many organizations, and the goal is to extend the view beyond those teams.

Process maps should be updated on an annual basis to keep up with the constantly changing threat landscape and changes due to the adoption of new technologies and applications, as well as the development of new processes and regulatory requirements. This requires support from leadership and funding. If the leadership team does not back the effort financially, it is likely that the effort will fail. The good news is that most of the effort is spent in the initial implementation. Keeping the process map updated should not require as much effort as getting the program off the ground.

There is a natural tendency for the business to be distrustful of the risk department when it comes to revealing their processes and gaps. Business units may sometimes not be willing to share because the incentive structure is set up to punish management when gaps are found. It would be valuable to shift this paradigm to one that rewards management for identifying gaps as long as they are accompanied by a plan to eliminate them. If we can make this change in thinking and couple it with process mapping, organizations can become more innovative, proactive, efficient, and resilient, and be in much better control of their risk environments and times of change.

Editor’s note: For further insights on this topic, read Alonzo Longshore’s recent Journal article, “Process Mapping Synergy Gains From BCP and DR,” ISACA Journal, volume 3, 2022.
