Business continuity initiatives: when to involve senior management
By Rama Satyanarayana CBCP, BCCE, CISA, CISP, PMP
The commitment and involvement of senior management are increasingly recognized as prerequisites for any successful business continuity management (BCM) initiative, and research supports this: Gartner Research listed executive management commitment to the BCM program as the number one best practice for creating and maintaining effective business continuity management plans [1]. However, demonstration of this commitment tends to be subjective and falls short of the required level in the majority of organizations. The recently published international BCM standard, ISO 22301:2012, highlights the role of, and expectations from, senior management in BCM programs. The objective of this article is to describe what ISO 22301 and COBIT 5 expect from senior management in BCM programs.
Continuous commitment by senior management helps to institutionalize business continuity in the organizational culture. The key acts of management commitment may be referred to as ‘anchor points,’ as they help to sustain and secure BCM process improvements and progressively raise BCM maturity in an organization, as shown in figure one below [2].
Figure one: Deming Cycle (PDCA) – adapted from ITIL
Senior management commitment and key anchor points
For the purpose of this article, senior management includes the top management team that directs and controls an organization at the highest level (that is, the board of directors and C-suite) as well as business unit heads that are responsible for recovery of their respective functions in the event of an interruption.
The following are the ten major anchor points of senior management involvement that provide the direction and mandate, as well as visible ongoing commitment and support, for the business continuity initiative.
1. Business continuity policy and objectives
2. BCM organization
3. Business impact analysis (BIA)
A BIA approach that focuses discretely on individual business units may identify criticalities skewed toward high availability and high cost, to the detriment of the BCM program and the organization [3]. Since BIA results (such as RTOs, MBCOs and continuity strategies) have financial implications, senior management should apply an enterprise-level perspective on the relative importance of individual business functions and processes, and correct any anomalies in the BIA results.
4. Risk management
Senior management should indicate their preferred risk treatment option, considering the organization's long-term strategy, and they need to approve the residual risk as acceptable. Where it is not possible to reduce a risk below the acceptable level (for instance, where the cost of implementing an appropriate risk mitigation control is much greater than the impact value of the remaining risk that lies outside the risk tolerance level), this residual risk must also be explicitly signed off as acceptable by senior management.
Senior management involvement in risk management also helps to strengthen the relationship between risk management and business continuity [6].
5. Emergency response
6. Crisis management
9. Management reviews
10. Continual improvement
COBIT 5 and BCM
A holistic BCM approach requires various resources, both technical and non-technical. COBIT 5 defines seven categories of enablers: factors that, individually and collectively, influence the working of governance and management over enterprise IT. ISO 22301:2012 lists eight categories of resources required to implement the selected business continuity strategy options [9]. A high-level mapping of COBIT 5’s seven categories of enablers to the BCM resource requirements listed by ISO 22301:2012 is shown in figure two below:
Figure two: COBIT 5’s seven categories of enablers and ISO 22301’s BCM resource requirements
The various COBIT 5 process controls [8] that expect a management role in BCM-related processes are listed in Appendix-A of the COBIT 5 document. The PDCA process improvement cycle phase to which each of these process controls belongs is also listed in Appendix-A.
References
[1] Roberta J. Witty et al., Gartner Best Practices for Conducting a Business Impact Analysis, Gartner ID Number: G00141260, publication date: 30 June 2006.
[2] Adapted from the Deming Quality Cycle in The Official Introduction to the ITIL Service Life Cycle.
[3] ‘Business Continuity Management—a Standards based Approach’, Information Security Journal: A Global Perspective, March 2010.
[4] ISO 27005:2008—Information technology—Security techniques—Information security risk management.
[5] ISO 31000:2009—Risk management—Principles and guidelines.
[6] Chris McClean et al., Strengthening The Relationship Between Risk Management And Business Continuity, Forrester Research.
[7] PAS 200:2011—Crisis management—Guidance and good practice.
[8] COBIT 5—Enabling Processes, www.isaca.org/cobit
[9] ISO 22301:2012—Societal security—Business continuity management systems—Requirements.
Date: 11th Dec 2012 • Region: World • Type: Article • Topic: BC general