IS/IT Risk Assessment in the Implementation of a Business Continuity Plan : An integrated approach based on Enterprise Risk Management and Governance of Enterprise IT

Abstract: Business continuity is an area of research that ensure continuity of enterprise operations. Business continuity requires knowledge and input from business and IT leaders to assess and manage risks associated with critical business processes to develop a plan that can allow the organization to resume operations. Organizations that have a holistic enterprise risk management approach can better manage business and technology risks. The increasing dependency on technological resources asserts the need to assess business and technology risks to develop business continuity. Nevertheless, governance and enterprise leaders find difficult to determine the scope and impact of risks associated with enterprise operations. In organizational contexts, business continuity planning is perceived as an element of contingency instead of an opportunity for improvement. In addition, there is a lack of academic literature related to the organizational implementation of a business continuity plan. For this reason, there is a need to merge enterprise risk management and governance of enterprise IT views to provide an integrated perspective of business and technological risk in the im-plementation of a business continuity plan.The objective of the study relies on assessing how the implementation of a business continuity plan is conducted, together with its challenges and benefits, to provide insights on the elements that facilitates a business continuity plan implementation. The study focuses on the preparation phase of a business continuity plan, where enterprise risks are identified, evalu-ated and mitigated. The study results are based on a case study performed at a multination retail and manufacturing enterprise in Spain. The results indicates that awareness from the higher governance body and senior management on the dependency that enterprises have developed on IS/IT key resources is a factor that influence how risk management and technology risk is perceived in organizations. This influence how the higher governance body views the need to implement enterprise risk management, governance of enterprise IT and business continuity initiatives. Likewise, the elements facilitating a business continuity imple-mentation are associated with the sponsorship and leadership from organizational actors, the involvement of an external organizational agent that can bring expertise and methodology related to business continuity planning, identification of enterprise critical areas and processes and the creation of business and IT risk scenarios to depict threats to the organization operations and processes. This internal reflection brings challenges and benefits to the or-ganization and both are addressed in the study.The study concludes with the presentation of two high level frameworks that can aid enter-prise leaders to visualize and understand the influence that enterprise risk management and governance of enterprise IT has on the implementation of a business continuity plan and the underlying elements that facilitate a business continuity plan implementation in organizations.