Where Does Business Continuity Planning Belong in an Organization?

Industry insiders say the need for a change in the reporting structure for business continuity (BC) is still not being recognized. When asked in a recent survey where BC belongs in an organization (or to whom it should report), respondents were split almost 50/50 between Risk Management and the CEO. Even those who chose Risk Management felt that the person responsible for the business continuity plan (BCP) should have direct access to senior management or report to a C-level executive. This suggests that BC is not receiving the endorsement it needs from the executive suite.

So where does BC currently reside? Responsibility for BC most often falls under Information Technology: BC reports to IT three times as often as it reports to the President or CEO of an organization.

What Are the Roots of BC?

Ted Brown, President and CEO of Ketch Consulting, has 20 years of BCP experience and offers the following insight: “Business Continuity Planning is the preparation of plans to allow a business to continue its operation in spite of an outage of any kind. Of course, this includes technology recovery, an absolutely critical part of any plan. But it also includes people recovery and business operations recovery. What good is a great technology recovery plan if the business has no place for the user departments to operate? What if the data center is fine, but the headquarters, plant, mill, factory, lab, distribution center, call center, classroom, or branch is not? Therefore, BCP should not report to IT. BCP should be a peer to IT.”

Richard Gagnon, a VP at Baric Continuity Services, adds: “As Continuity is now a corporate issue and crosses departmental boundaries, the reporting structure has to reflect that reality. In a sense IT could still sponsor the corporate continuity program; however, IT would have to be a direct report to the CEO, perhaps in the capacity of CIO. The importance of continuity has grown dramatically in the past few years and should now be a Board Room issue.”

Without the support of the CEO, many respondents felt, the BCP is lost in the shuffle: deadlines are not adhered to, lip service is paid, but the resources needed to make it effective are not provided. Where the CEO is involved, the opposite is true. Albert Wood, a director of security and BC, reports to a senior executive who works very closely with the CEO: “He [sponsor] regularly updates the CEO on BC issues we are facing, and the two of us meet with the CEO as needed to gain his support on critical decisions. The CEO has cleared the way on several occasions to move the process along.”

Ian Clark, FBCI, from New Zealand, has also had the support of executives, with positive results. “Personally I have had success when engagements have had active sponsorship from the ‘C’ suite; one by a CFO, one by a COO and one by a CEO. Because of their support and mandate, others in the company responded and the (table top) exercise took a much shorter time and lower cost to complete,” said Clark.

Is a Trend Emerging?

Cheyene Haase, president of BC Management, an executive placement firm specializing in BC professionals, recognizes a change in business continuity reporting. Haase says that an integrated BC/DR function is becoming most prevalent, with a shift in reporting to Risk Management, an independent BC/DR office, or to Corporate. Betty Kildow, of Kildow Consulting, believes that executives are slow to realize that their endorsement is crucial to the success of BCP. “A very slow building trend in recent years, particularly in larger corporations, is to combine business continuity, disaster recovery, security, risk management/insurance, safety, etc. under one department. The head of this department reports to an upper level executive, for example, CEO, COO, CFO,” says Kildow.

The battle to continually sell the organization on the value of BCP is one that many respondents know all too well. “It is my opinion that the majority of planners face huge struggles gaining and maintaining support from the appropriate sponsors,” says Larry Marler, a CFCP with Southern Farm Bureau Casualty Insurance Company.

According to Ted Brown, BCP needs to involve all aspects of the organization: technology, people, and business operations. IT, HR, Risk Management and Security all need to be involved for a complete plan. Brown says, “the Director of BCP, the Director of Security, and the Director of Risk Management should report to the CRO, the Chief Risk Officer, who reports to the President.” Ian Clark has a similar suggestion: “I advocate the approach that Risk and Business Continuity Management disciplines are the two pillars supporting the necessary good corporate governance effort. If the Risk Manager reports to the CFO and the BC Manager reports to the COO, then the organization can aspire to a state of pragmatic balance between Risk, Opportunity and Reward.”

John Glenn, a 13-year veteran in Business Continuity & Risk Management, sums up the sentiment: “If top management is lukewarm to the idea, lower managers will perceive that, when it comes to setting priorities, Business Continuity can be pushed aside. Business Continuity, then, needs a stratospheric sponsor. Someone with a ‘C’ in front of the title, such as CEO, COO, or perhaps CFO. Each of these ‘C’s has one thing in common: they are charged with protecting the organizational bottom line. Which, after all, is what Business Continuity is all about.”

Jeff Dato is the Vice President of Risk Management and Information Technology at Pinnacle Airlines. Dato says that there is no single “silver bullet” for determining the correct Business Continuity reporting hierarchy. He says, “Though I have seen it report to many departments - Audit, Finance, Human Resources, Information Technology (IT), Legal, Safety/Facilities to name a few - over my 20 years in the industry, the most successful programs have been molded around the business model and have been held accountable to ensure ongoing resiliency to support promises within the entity’s mission statement. Industry ‘leading practices’ have the program reporting to a business owner with key access to strategic planning, resources (people, funding), and executive influence. The most recent trend places Business Continuity under the auspices of Risk Management - especially those within critical infrastructure industries (i.e. financial institutions, transportation, utilities). In fact, at Pinnacle Airlines Corp., my employer, we have chosen to follow that philosophy. It works for our organization, as responsibility is centralized at the enterprise level and is considered a strategic initiative. An exception to the non-IT reporting structure would be for those companies in the Technology industry sector - those companies which provide technology services and products. In those specific cases, IT is the strategic business driver, thus, following the premise that leading programs support a business’ mission.”

Dato adds: “Business Continuity should be treated as a driver of change, process improvement and operational efficiency rather than a compliance checkbox. To be truly effective, it should feed the Enterprise Risk Management (ERM) initiative, fulfilling an important role within the program. Risk Management 101 teaches several avenues to handle risk: Mitigate (including Transfer/Eliminate), Insure, Plan, or Accept. BCM can support ERM by assessing risk, assisting with mitigation and leading the planning aspects. Since ERM focuses upon Compliance, Financial, Operational and Strategic risks, it is imperative that BCM professionals acknowledge and work to address all risk. Unfortunately, in many organizations, Risk Management is primarily focused on financial risk and serves as the insurance manager. This narrow focus can lead to tremendous exposure to the organization. In a similar way, many organizations see business continuity focused too narrowly, especially if BC is reporting to an audit or compliance officer of the company (BCM is being used to meet compliance or standards) or technology risk when reporting to IT. But BC shouldn’t be done for compliance; BC should be done because it is the right thing to do.”

Many respondents felt that since a BCP has no real “return on investment”, it is seen as a low-priority insurance policy against an unlikely event. That is one reason many companies don’t give BCP the visibility and funding it requires to be effective. Yet not everyone agrees. Brian Zawada, President of Avalution Consulting, sees a real competitive advantage in a good Business Continuity program. Customers who know a company has a good BC program will value that company more highly, since a well prepared organization is more likely to still be operating after a disaster. Promoting that a company has an excellent Business Continuity Plan and an Enterprise Risk Management program can therefore attract customers and bring in more business. “The promise of competitive advantage through effective risk management has captured the attention of executive managers worldwide,” states Zawada.

Frans van Anraat is the Global Head of BCM for a unit of ABN AMRO Bank, headquartered in The Netherlands and one of the largest banks in the world. He agrees with Dato and offered this explanation: “10 years ago, BCM started within the finance industry as a ‘compliance’ function for regulatory requirements. This resulted in a low priority within the organization from Senior Management. Now, BCM is a commercial advantage. The reason is quite simple. Customers (e.g. our Financial In/Out-sourcing partners, or institutions for which we execute financial transactions) request, as part of their RFPs, that our bank clarify and provide evidence of a good working Business Continuity Plan. We have developed ‘standard text blocks’ for all RFPs in order to explain our BCP.”

Another large financial institution has made BC/DR a direct report to the CEO, with a working relationship with the Operating Committee, which reports directly to the Board.

So whether the BCP resides with Risk Management or with the CEO, it is clear that unless senior executives endorse the Business Continuity Plan, it will not be effective. As Business Continuity continues to evolve to include every function of a company that keeps it operational in the event of a disaster, it has moved away from being an IT function. As one consultant stated, “Business Continuity is not a finance operation, nor is it an IT operation. It’s a business operation.” Having BCM report to a high-level executive increases its visibility and funding, and therefore its effectiveness.

What Should the Question Be?

For other important issues related to this article, you can read about Enterprise Risk Management on page 22 of the printed 2008/09 Disaster Resource GUIDE, available at www.disaster-resource.com/freeguide. The article on certifications and standards (page 26) discusses the movement to have BCP be certifiable, so stakeholders can better understand how an organization is handling the issue of business continuity.