How To Apply Process Mapping Synergy Gains for Business Continuity and Disaster Recovery

Author: 西德尼沿岸, CISA, CRISC
Date Published: 6 October 2022

Business resiliency in the simplest of terms is a systematic way to bring down silos in organizations to increase collaboration for the good of the whole organization, especially in an environment that is constantly threatened by attacks. A practical way to start the process is through process mapping synergy gains from disaster recovery (DR) and business continuity (BC) planning.

When a process map is being completed from a control perspective, it automatically accomplishes at least three objectives.

First, it determines what the process is and what can go wrong. Are there threat vectors and are they risky enough to require controls? Because the process is being analyzed, this is also a great time to look for inefficiencies, which a process map can help make clear. A somewhat outdated option is to use fishbone diagramming to break down a process to look for inefficiencies and then make suggestions to increase efficiency. A well-done process map accomplishes both of these tasks at one time much better than a fishbone diagram. An architect would not build a structure without architectural diagrams; the same goes for programs.

Second, a well-done process map can be used to build a responsibility assignment matrix, which includes determining who is responsible, accountable, consulted or informed (RACI). A process map can aid in establishing responsibility, even if it is shared, when teams cannot agree.

Third, once the process map is completed, the DR/BC concepts of recovery time objective, recovery time capability, recovery point objective, estimated recovery time capabilities, composite recovery time capabilities, single points of failure, crown jewels and Sarbanes–Oxley (SOX) controls can be used. The matrix can also be adapted to each individual organization based on what is most important to them. The information should be easily obtainable from the DR/BC team or a centralized database in many organizations, and the goal is to extend the view beyond those teams.

Process maps should be updated on an annual basis to keep up with the constantly changing threat landscape and changes due to the adoption of new technologies and applications, as well as the development of new processes and regulatory requirements. This requires support from leadership and funding. If the leadership team does not back the effort financially, it is likely that the effort will fail. The good news is that most of the effort goes into the initial implementation. Keeping the process map updated should not require as much effort as getting the program off the ground.

There is a natural tendency for the business to be distrustful of the risk department when it comes to revealing their processes and gaps. Business units may sometimes not be willing to share because the incentive structure is set up to punish management when gaps are found. It would be valuable to shift this paradigm to one that rewards management for identifying gaps as long as they are accompanied by a plan to eliminate them. If we can make this change in thinking and couple it with process mapping, organizations can become more innovative, proactive, efficient and resilient, and be in much better control of their risk environments and times of change.

Editor's note: For further insights on this topic, read 西德尼沿岸’s recent Journal article, “Process Mapping Synergy Gains From BCP and DR,” ISACA Journal, volume 3, 2022.
