The World Congress on Disaster Management (WCDM) kicked off in Toronto Monday with delegates from around the globe coming together to discuss emergency management and, to a lesser extent, business continuity. Continuity Insights caught up with Gayle Mitcham, Vice President, Risk Consulting -- Business Continuity Practice at Marsh Canada Limited, to discuss how BCM governance is layered on top of existing BCM programs.
Continuity Insights: You spoke about the inputs and outputs for a BCM governance program and the need to layer BCM governance on top of the BCM layer. Please explain how this process works.
Gayle Mitcham: An effective BCM governance program has to be simple, effective, flexible and robust, and it’s hard to get the right balance. If it’s too complex it won’t be maintained; if it’s not flexible it won’t be able to respond to the needs of the business.
For whatever tools we’re using -- exercises, management review or formal assessment -- a BCM governance program looks at the threats and risks faced by the organization and makes sure they are covered by the BCM program.
By layering the governance on top of the BCM program you come up with better risk mitigation, you build stakeholder confidence because you can give them KPIs and statistics that show you can respond effectively, and you provide support to the operational and strategic sides of the house.
[Figure: BCM governance inputs and outputs.]
CI: You emphasized the need for the integration of BCM and governance across the organization. What advice do you have for integrating BCM governance across the organization and where do you start?
GM: You need to start gradually. There are very few organizations that are fully integrated. If you start small and put risk assessment and business continuity together, for example, that’s good.
If business continuity is sitting in an IT environment then merging it with information security might be easier. If you’re in the finance area then merging BC with risk might be easier.
Do whatever your organization is receptive to.
CI: You said that a governance program can help an organization identify BCM program gaps. How does it do that?
GM: Using the governance tools, such as exercises, you will find gaps. At the end of an exercise you will find your exercise wasn’t as successful as you’d like because of certain gaps in the program, or your KPIs will show the program isn’t being maintained as it should.
CI: You also mentioned that a BCM governance program should be auditable. How does a BCM governance program audit differ from a BCM program audit?
GM: Someone from internal audit should be able to come in and see that there is oversight to the BCM program. They’re not necessarily looking at your BCM program.
CI: Any last words of advice for our readers?
GM: Governance is becoming one of the most important parts of a business continuity program. Even if you start off small and gradually work towards something bigger then you will be better off.