Obtaining executive management commitment to business continuity program support
Statistics and scare tactics don’t work; instead the starting point is ensuring that you have a deep understanding of the business landscape, strategies and risks.
By Larry Robert.
There are many approaches that business continuity practitioners can take in convincing executive management to allocate funds and resources to a robust business continuity program. Many try to overwhelm with statistics and scare tactics. I believe these actually detract from the program by making sweeping examples that are typically outdated, untrue, and not applicable. Industry statistics, in many cases are either unverifiable, or can be traced back to a vendor that may benefit from the negative information. We owe it to our profession to always strive for accurate, verifiable information when citing examples in support of developing and maintaining a program.
As you will see below, the only way to bring an awareness to senior leaders is to discuss the specific risks to their particular business. Simple, yet very effective. As you develop yourself as a mature business continuity professional, you can bring into the conversation some of your own experiences from actual events and how various solutions either contributed to a quick recovery or further complicated the recovery process.
As you know, many times it is not about having one solution, but solutions with different ‘value added’ attributes that collectively, give us a ‘tool box’ to pick from, depending on the type and severity of a specific event. This is a key point in collaborative discussions with senior leadership. Displaying how a solution can be used by different departments, at different locations, and is expandable as the business grows, shows that you are not only being effective in your approach to building a solution, but are aware of keeping the overall program spend to a minimum. Program building should be viewed as a partnership with the business.
The initial conversation - this is assuming that you are at a starting point discussion with a company about developing, building, or maintaining a program. Different business continuity practitioners may be better suited for each of these varying phases of a program. An important question to ask about an existing program is “What were the last three year’s budgets allocated to business continuity, disaster recovery and crisis management?” This is a telling question about commitment to an existing program. If you are being asked to build a program, ascertain what the current year budget is, or if you are in discussions later in a yearly budget cycle ask: “What is next year’s budget?” The answers to these questions can be an indicator as to how committed a company is to truly building and/or maintaining a program.
The main approach in garnering senior leadership commitment is to have an open, collaborative conversion about ‘risk vs. cost’ as it relates to solutions to mitigate risk, assume risk, or transfer risk. This is not a quick discussion when you are developing a long term, self-sustaining, actionable program. What is the company strategy both short and long term? This will give you an indication as to the type and longevity of the solutions you build. If your company is expanding internationally, then look for recovery partners that have an international presence and leverage contracts that can be amended and enhanced without new negotiations. Be sure to discuss expansion and possible future business opportunities with recovery partners. This may lead to lower initial costs with hopes of future business.
Another important aspect is to understand the existing risks to business departments. Financial, operational, and reputation risks are a cornerstone in every business continuity program. Once identified, look at solutions that will fit the current business landscape as well as alignment with future strategies. This is where having a robust ‘tool box’ comes in. Focus on ‘tools’ that can have repetitive uses across departments. This will be money well spent as the program matures. Remember, solutions and tools should reflect the overall business strategy. If there are plans to change the business model in a way that impacts the direction of the company, then look at contract terms that fit those business timeframes. An example would be, if there are outsourcing initiatives that would be fully implemented in two years, then look at recovery services contracts that are no longer than a three year term. This is one example of proper business alignment with the business continuity program lifecycle.
As you can see, the depth needed to truly understand a complete business model from a standpoint of existing and future risks, to dialog surrounding mitigation, acceptance, or assuming risks, is a conversation that has a better probability of senior management agreement than throwing up industry statistics on a PowerPoint slide. The question is, ‘Are you ready for the challenge?’ Next time you want to do a Google search on statistics thinking this will convince senior leaders, shut the browser down and get out and talk with the business. Only then will you be ready for the right conversation with senior leaders that lead to program commitment. The communications should point to alignment with current and future business direction, prudent financial implementation costs, and a true business continuity program alignment with business specific risks identified. Implementing a complete program could take three-four years before a maturity level is realized and ingrained in the business. Build the foundation, then expand accordingly. By taking a methodical approach, tracking solid metrics, and committing to ongoing communications with enterprise risk management and senior management, you will ensure your program will have all the critical components to address current and future needs.
As a Certified Business Continuity Professional (CBCP) as well as a Certified Business Continuity Lead Auditor (CBCLA), Larry has served as a Board member for the Association of Contingency Planners – Boston Chapter as well as NEDRIX-New England Disaster Recovery Information Exchange.
•Date: 21st January 2014 • US/World •Type: Article • Topic: BC general