2013 GRC Value Award: Business Continuity Management
GRC 20/20 Research awarded RSA® and Equifax its 2013 GRC Value award in the Business Continuity Management category. After implementing RSA Archer’s Business Continuity Management solution, U.S. consumer credit reporting agency Equifax experienced an immediate 60 percent reduction in time to create business continuity and disaster recovery plans, and a 20 percent OPEX savings for 2013.
Equifax expanded its use of the RSA® Archer solution in 2012 to include the Business Continuity Management (BCM) functionality, and it now also manages business impact analysis, business continuity planning and IT disaster recovery planning on a global scale. RSA Archer helps Equifax drive new initiatives on revenue and risk analysis; cross-reference business process related risk with the associated IT applications and service delivery to customers; and understand how each customer is potentially affected by long-term Equifax operations and systems outages.
Immediate and continued benefits of the RSA Archer solution include a standardized business process terminology that follows the ITIL model and allows Equifax to tie each process to an associated IT managed application; clean executive-level dashboards that show risk exposure and opportunities for investment; comprehensive impact analyses and plans; and risk data reports that the CFO can use to make informed decisions on risk management and risk investment.
During the next five years, Equifax projects additional benefits from the RSA Archer solution, including 20 percent OPEX depreciation and amortization savings from 2013 to 2016, 30 percent reduction in time to create business impact analysis reports (BIAs), business continuity planning reports (BCPs) and DR plans through ease of use of RSA Archer Business Continuity Management, and a substantial increase in overall maturity level of both BC and DR programs as measured by COBIT model against DRII 10 Professional Practices.
A mix of industry tools and spreadsheets
Before the RSA Archer solution was implemented in 2012, BCPs and BIAs were done with another industry tool. DR planning was performed in spreadsheets and word documents. In-depth analysis on the BCM program maturity was performed by an independent auditor in Q4 2010, and was followed up internally in 2011. The following challenges with the former BCM tool were documented in the findings:
- BC/DR tool could not scale to meet Enterprise Risk Management objectives
- No cross departmental standardization of BC/DR program or documentation existed
- No alignment of business process risk with IT application risk existed
- Overall BC/DR program maturity was not visible or measurable within the existing functionality
The RSA Archer Business Continuity solution has helped Equifax to reduce projected annual operational costs by $400,000.
New BCM efficiencies radiate through other processes
The RSA Archer Business Continuity Management process at Equifax is now sharing information from its BIA Risk assessments back to other GRC processes, which has had a positive impact on other organizational risk aversion efforts. Equifax is able to make risk decisions based on real risk assessment and BIA data rather than subjective input from business units, and business leaders can refer to dashboards in RSA Archer to get real-time status on the maturity of their respective BC and DR responsibilities within the enterprise BC framework, making processes simpler and less time-consuming. Consistent, intuitive layouts and workflows also minimize training efforts year-over-year, which have resulted in broader engagement and buy-in from business users.
Risk decisions are based on objective data that connect with BC and DR investments in the U.S., Argentina, Chile, and Canada with pending decisions in Russia and India. Users of the RSA Archer Business Continuity Management solution are complimentary of the process because it is far less time consuming for them to create plans and BIAs than in previous years. BC and DR teams are working more efficiently and now feel that they have more control over their own destiny due to a marked reduction in operational overhead.
To learn more about the GRC 20/20 2013 GRC Value Awards and other recipients, please visit this post: GRC 20/20 Announces 2013 GRC Value Award Recipients