Business Continuity Employees
How many dedicated Business Continuity employees should an organization have?
The closest measure I could find was Kelly McKinney’s “All Disasters are Local Index” from his book Moment of Truth. That Index recommends 20 Emergency Managers per 1 million residents.
Feedback from BCP Builder Community on LinkedIn:
- 20% time of 1 FTE for Small companies (less than 50 people)
- 40% time of 1 FTE for up to 200 employees
- 1 FTE above 200 employees
- 1 Business Continuity Manager per 1,000 employees
Many people have asked me how the All Disasters Are Local Index applies to the hundreds of thousands of organizations that are not big cities. My answer is that only dedicated, full-time staff can do the things an Emergency Management/ Business Continuity professional must do, including:
- Keep watch for external human-caused, natural and technological threats
- Build sustained connections to all of the critical business (or line) units of the organization
- Plan, train and (especially) exercise with representatives from each of these units
Only focused energy, applied by disaster professionals, can create the momentum needed for true resilience. If that energy gets delayed or disrupted, the momentum is lost, and resilience evaporates.
For any regional or national private-sector, not-for-profit or non-profit organization, the minimum number of these disaster professionals is six:
- Deputy Director
- Planning Manager
- Training Manager
- Exercise Manager
- Administrative/Grants Manager
This team of six requirement assumes that the Emergency Management/ Business Continuity Planning department can rely on other departments within the organization to support critical missions such as disaster mapping, logistics, and information technology.
Things to Consider
- Do you run a full Business Continuity Plan? (Risk and Threat Assessment, Business Impact Analysis, Strategies, Business Continuity Plans, Testing)?
- The above calculations do not take into consideration additional temporary resources needed such as tactical leaders, or functional leaders that will provide input on critical processes.
- If you do not wish to run the full Business Continuity process, you can decide to focus only on Incident Notification and Management. In that case you will do with much less, but your organization will be far away from resilient, and recovery will depend on the strength of your Crisis Manager.
- What you choose depends on the Risk Appetite of your organization. The more an organization is engaged in assigning dedicated resources to run the process and be able to manage major incidents, the more resources will be needed.
- Drawing a line between number of employees and how many Business Continuity employees is needed, is difficult. As more parameters influences the need for resources:
- How many critical processes do you have?
- Are there many locations or only one?
- What’s the nature of your operations?
- You will need enough people to accomplish the programs goals, complete the Business Continuity and Disaster Recovery Plans and review them on an annual basis. Everyone has a pace and it should be one that never conflicts with day to day business.
- Do not cause a disaster while testing the processes required to recover from one.
- Some Business Continuity staff can do the job of three people. People have different personal energy and understanding of the methods and technology. Their effectiveness is dependent on the type of support the Business Continuity Planning/ Disaster Recovery team get from the rest of the organization.
- The most important thing is getting a person, or people that know what they are doing and are working with the organization to help achieve its objectives.
- In the healthcare provider space, very often, the already heavily loaded Emergency Management team has to support Business Continuity. This is becoming even more prevalent as healthcare providers prepare to be compliant with ASPR 2017-2022 guidelines which call for all healthcare providers to have Business Continuity Plans for institutional critical departments, including revenue cycle and other administrative functions. This is a real departure from the historic focus on Emergency Management alone.
- In a FTSE 100 environment, one example with 22,000 employees globally and a presence in 7 countries, had only 2 full time Business Continuity professionals. There were also many roles with shared Business Continuity Management elements in the overall structure.
- There are also smaller organizations with up to 60 CBCI qualified staff, plus every size and ratio in between.
- Some organizations have a department for business continuity and some have a team for business continuity. There could be two teams, one as the main business continuity team and other as deputy.
- It’s about complexity and magnitude, not number of employees. An organization with 8,000 people, but 2,000 of them in a call center or warehouse is different from an organization with 8,000 people all participating in small teams doing complex work. 33% more complex. It’s also about depth. What does the organization want to accomplish with Resiliency? One organization with a team of three or more can do a basic minimally adequate job, and others with a single contributor or team of two, can do very deep and broad work. It’s about the person/people on the team. People are not interchangeable. One person can take an organization three times further than three people… if they’re the right person. This is one reason why an hourly rate is not always appropriate.
- Expedia was participating in a forum with a London-based public/private partnership on City preparedness. After explaining their resiliency strategy, a bank and a government agency came up and said, “This is brilliant! Glad to see you blokes are taking it seriously. What’s your team size and budget?” They were gobsmacked when told “our budget is minimal and the team is a guy named Michael.”
- One organization had Business Continuity Plans across 12 locations in North American and Europe incorporating over 100 playbooks. They had managed vendor-run Emergency Work Centers for Seattle, San Francisco, Dallas, London, and Paris. They also had Mass Emergency Notification, enterprise Crisis Management, in-house SharePoint to manage and report on it. There was an Executive Steering Committee, matrix/integration with Facilities for fire wardens/searchers/etc., and they held over 16 exercises per year, across the globe – ranging from tabletops to functional simulations and deployments to the Emergency Work Centers, to full controlled business closures. Plus informal advisory for Travel Safety intelligence. This was with a very small budget and a team that was never larger than two. It all depends on the remit, the team, the approach, the innovation, and how much you can engage business areas to own their own resiliency. And yes, on the culture.
- A company who is traded in stocks can easily lose millions to billions during a Business Continuity Crisis, particularly in respect to their brand or image. Most companies spend millions on marketing to raise their brand image. This can also be used to calculate the question of “How Much should an organization invest in effective Business Continuity Management or Crisis Management. If you also factor in penalties from government, then it can help give a more realistic picture for management. There is no one size fits all answer as each company or business is not exactly alike.
Support of Top Management
- Top Management commitment is often the driver.
- The key is having leadership support – top down – and then have the ability to sell it. Many people (especially in medium to large companies) get Business Continuity Planning related work as a second and sometimes third job. You cannot blame someone for not being happy with the additional work, often viewed as wasted time.
- Organizations often look at numbers/headcount, but with Business Continuity Planning, buy-in is essential and directly impacts the individuals passion for doing the work. Sell it well and you will have a great program. Sell it poorly… you may just have the numbers.
- The Business Continuity/ Disaster Recovery team should identify a Single Point of Contact in each Business unit or department, build a Business Continuity community, organize regular meetings to keep the Business Continuity processes alive. Every person within the organization should be aware of the Business Continuity policy and its objectives. This could be achieved by organizing regular awareness campaigns.
If you want to increase your Organizational Resilience, start with preparing a Business Continuity Plan and check out BCP Builder’s Business Continuity Planning Templates.