Business Continuity and Disaster Recovery Plan
Do Business Continuity and Disaster Recovery Plans naturally fit together? Where does Business Continuity sit in your organization?
There are many different options, and the most important thing to consider is what will work best for your organization.
In my experience, a well managed Business Continuity Program sits at the equivalent level of Internal Audit.
Typically Internal Audit [while they work for the company] have a boss that reports to the Board of Directors. This gives them the autonomy to do what they need, and they are beholden to none.
Each business line and down through the line are really responsible for their own success. If they want a bonus for success, Business Continuity Planning should be part of that success.
Managing the folks that run the business units is enough of a task. They are responsible for their activities, plans and recovery. This was the design we had in a worldwide multinational of 110,000 with 254 business units. It works.
It should be aligned with all risk disciplines and under an executive of operations (i.e. Chief Operating Officer) that also serves as the executive sponsor for the Business Continuity Management program.
The best I’ve seen so far, and this again may be down to the individuals associated with it, was under Risk Management.
The program was closely aligned with the Risk Program, was perceptually separated from IT and recognized by the senior leadership team as a business priority.
Buy-in, long-term support and sponsorship from top management / C-Suite is essential to give Business Continuity traction within an organization from the outset. They need to “get it”. As to where it sits, that really depends on the organization itself. On projects and programs I’ve been involved with Business Continuity always sat comfortably within risk management due to its risk reduction nature.
In my organisation it sits under second line of defense – Operational Risk Management & Governance.
In my organization Business Continuity Management reports to the Head of Governance and Control.
As far as I know there is no best practice written, but Business Continuity Management at the end is the treatment of disruption risk. In that way it is part of Enterprise Risk Management, and it will be good to report to the Chief Risk Executive or its equivalent, in order to be part of the whole Risk Management vision.
Information Technology (IT)
In an ideal world a fully recognized, supported and properly managed Business Continuity Program should be able to sit anywhere in the organization.
I’ve been fortunate to see quite a few incarnations of Business Continuity Programs. I’ve found where a Business Continuity Program sits within an organization can impact its perception within the business sometimes negatively.
A case in point is where it’s placed under IT. The result is that the delineation between a Business Continuity Plan and a Disaster Recovery Plan can become blurred.
I’ve been involved where it came under IT, but that just made everyone in the organisation think we were “looking at computers”, and so it took extra effort to educate. Nonetheless, without support from – and regular reporting to (to keep it front of mind) – a C-Suite sponsor, Business Continuity’s focus can quickly and easily be lost in the mix no matter where it sits.
Disaster Recovery (technology recovery) and Information Security are within the IT division.
I’ve also seen Business Continuity under Facilities Management and observed it lose its business priority.
Corporate Support / Administration
I think Business Continuity aligns best with corporate support or administration – not unlike procurement, facilities or security.
In our organization, it sits under “System Operations” under the Chief Operating Officer, along with Emergency Response Management.
Business Continuity Management is a major contributor to my core process “Business Protection” and therefore, it is in my area of responsibility (Corporate Security).
Due to big interfaces with Security Risk Management / Internal Control System (preventive activities), Crisis/Emergency Management (reactive) and holistic Information/Data/Plant Protection/Security Audits (Framework), all mentioned areas (and more) are subject to be concentrated within our security-related department in order to cover the 3 Lines of Defense as best as possible.
Having aligned accordingly and interacting with other relevant departments like Production, Maintenance, IT, HR, Sales, Procurement etc., the scale of effects as well as overall resilience can be outrageous.
Business Continuity sits within Emergency Planning and Protective Security also sits with us. Corporate Risk Management sits in another department although we are working hard to collaborate more closely together. IT have a Business Continuity Plan but also a Disaster Recovery Plan which sits separately.
I know of organizations where Business Continuity sits within Human Resources. Surely there is no right or wrong, just whatever works best for the organization concerned.
There is no right or wrong place for Business Continuity Management to sit in an organization. The most important thing is that they collaborate with all the other resilience units like physical security, IT, emergency planning etc.
There are a lot of links: to Crisis Management, Risk Management, IT Security Continuity, Quality Management, Process Management. Enough links to be its own department? Wherever it sits, the key to success is collaboration & communication.
If the organization is mature enough to have a Resilience function that is where it is best placed in my opinion. Along with other areas that contribute to organisational resilience such as risk management, information security, etc. I have however seen it in various places including Facilities, Compliance, Health & Safety.
It is a sign of a mature organization to be able to adopt a resilience function. Many organizations get to grips well with the various subject matters that contribute to organizational resilience but one of the biggest challenges is pulling it all together into some kind of coherent and cohesive approach. Breaking down the silos between those areas is the key!
If you want to increase your Organizational Resilience, start with preparing a Business Continuity Plan and check out BCP Builder’s Business Continuity Planning Templates.