Business Continuity Management (BCM) relation(s) to Integrated Risk Management (IRM)?

Valqe
Tera Expert

Hi all,

I am scratching my head with link/relations between BCM and IRM.
I am comfortable setting up both sides (BCM and IRM) as silos, but I am wondering what the relation of utilization between the two modules is.

Example:

  • In IRM you set up: entity classes, entity types, policies, control objectives, etc., and you drive them through their lifecycle.
  • In BCM you set up: element definitions, recovery timeframes, impact categories, BIA template; then you have a plan which you use in case of disaster, etc.

All that works well independently, but I am wondering how you can utilize, i.e., IRM entity types in BCM? What's the link between the two modules, and the reusability, so that in BCM you utilize some definitions you created in IRM?

I appreciate your comments.

Thank you

V.

1 ACCEPTED SOLUTION

Sebastien Fix
Giga Guru

Remember that BCM is based on Fairchild software bought by SN 3 years ago and has been slowly integrated onto the SN platform. Even the BCM workspace is still not a standard UI Builder workspace. 

BCM does not use Entities and if you look at the IRM architecture, BCM is nowhere near it. The Impact Assessment mentioned on the slide is not related to BCM but Regulatory Monitoring. 

You can of course use the values from the various Assessment Instances, or other values generated by the BCM application to trigger indicators or automated factors - just like any other assessments - in order to impact risk scores or control compliance. 

You can always try the Idea Portal if you have use cases where IRM+BCM could be linked closer together from an architecture point of view. 

 


7 REPLIES

Cynthia Simeone
Kilo Contributor

Hello Valqe,

I am extremely new to the ServiceNow BCM module; however, based on over 30 years of experience in BCM/IRM, the link is through the policy definitions which drive the "quality scores" (dashboards) in the BCM module. For example, an IRM policy for BCM would require that a BIA be completed on a schedule (typically annually). If this isn't completed, the BCM dashboard would show a failure in compliance, therefore raising the overall risk rating/level for the organization.

Hope this helps.

Cynthia

Valqe
Tera Expert

@Dan Minter  your comment is greatly appreciated 🙂
Thanks in advance!
V.

Zind
Tera Contributor

Valqe,

From the process perspective, the BIA contains a list of critical processes; then your Business Continuity (BC) Plan captures the critical business and IT applications, vendors and people for each critical process listed in the BIA. You may want to consider these as Entities, i.e. business applications in IRM are linked to BCM.

Hope it helps. 
