Please note that this is a page from a previous version of Continuity Central and is no longer being updated.

To see the latest business continuity news, jobs and information click here.

Business continuity information

Business continuity initiatives: when to involve senior management

By Rama Satyanarayana CBCP, BCCE, CISA, CISP, PMP

The commitment and involvement of senior management are increasingly recognized as pre-requisites for any successful business continuity management (BCM) initiative. Research supports this. Gartner Research listed Executive Management Commitment for the BCM program as the number one best practice for creating and maintaining effective business continuity management plans [1]. However, demonstration of this commitment tends to be subjective and is not up to the required level in the majority of organizations. The recently published international BCM Standard—ISO 22301:2012 highlights the role of and expectation from senior management in BCM programs. The objective of this article is to describe what the ISO 22301 Standard and COBIT 5 expect from senior management in BCM programs.

Continuous commitment by senior management helps in institutionalizing business continuity into organizational culture. The key acts of management commitment may be referred to as ‘Anchor Points,’ as they help in sustaining and securing the BCM process improvements and progressively enhance BCM maturity in an organization, as shown in the figure one below [2].

Figure one: Deming Cycle (PDCA) – adapted from ITIL

Figure one: Deming Cycle (PDCA) – adapted from ITIL

Senior management commitment and key anchor points

For the purpose of this article, senior management includes the top management team that directs and controls an organization at the highest level (that is, the board of directors and C-suite) as well as business unit heads that are responsible for recovery of their respective functions in the event of an interruption.

The following are the ten major anchor points of senior management involvement that provide the direction and mandate as well as visible ongoing commitment and support for the business continuity initiative.

1. Business continuity policy and objectives
As senior management have visibility into the organization’s strategic plans, regulatory requirements and stakeholders’ expectations, they should define business continuity policy and objectives and align them with the organization’s business objectives and strategic plans.

2. BCM organization
Senior management should equip a BCM organization with a cross-functional team with appropriate competencies and defined roles and responsibilities at strategic, tactical and operational levels. Senior management should empower the team and make them responsible for effective operation of the business continuity management system (BCMS).

3. Business impact analysis (BIA)
Senior management should determine the maximum acceptable outage (MAO) and the minimum business continuity objective (MBCO) for the products and services of the organization and respective functions that support the delivery of the products and services. The business unit (BU) heads should use these MAO values to determine BU specific recovery parameters — recovery time objective (RTO) and recovery point objective (RPO).
Senior management support is key to achieving buy-in throughout the rest of the organization [3].

The BIA approach that focuses discretely on an individual business unit might result in the identification of criticalities skewed to high-availability and high-cost to the detriment of the BCM program and the organization [4]. Since the BIA results (such as RTO, MBCO and continuity strategies, etc.) have financial implications, senior management should apply enterprise-level perspective on the relative importance of individual business functions and processes, and correct any anomalies in the BIA results.

4. Risk management
Senior management are aware of the top risks that cause them sleepless nights. Their risk perception is developed by stakeholders’ concerns, regulatory requirements and constraints affecting the organization [5]. Their tacit or explicit buy-in for the risk assessment methodology is necessary for successful outcome of risk assessment exercise. They should define and endorse the risk management policy in alignment with the organization's culture [6]. They need to define ‘acceptable level of risk.’

Senior management should indicate their preferred risk treatment option, considering the organization's long-term strategy. They need to approve the residual risk as acceptable. In case it is not possible to reduce risk(s) below the acceptable level (where, for instance, the cost of implementing an appropriate risk mitigation control is much greater than the impact value of the remaining risk that is outside the risk tolerance level), this residual risk must also be explicitly signed off as acceptable by senior management.

Senior management involvement in risk management also helps in strengthening the relationship between risk management and business continuity [7].

5. Emergency response
The first few hours of a serious incident are critical and sometimes require unfamiliar and swift decision-making based on inadequate information. Senior management involvement at this stage is crucial to ensure appropriate incident response that is typically beset with strategic dilemmas and trade-offs.

6. Crisis management
Senior management have a direct role in shaping, directing and developing the crisis management capability to suit the unique context of their organization. While senior management champion, endorse and support business continuity, they tend to implement, lead and direct crisis management [8]. The senior management should also handle the crisis communications and use of social media.

7. Competence
Senior management should determine the competences required for all business continuity roles and responsibilities and provide appropriate awareness and training needed to fulfil them effectively.

8. Testing
Senior management should demonstrate their commitment by active participation in testing and other exercises.

9. Management reviews
Senior management should review the organization’s BCMS at planned intervals to ensure its continuing suitability, adequacy and effectiveness of the business continuity arrangements and their implementation. Senior management can also demonstrate their commitment by operational involvement through steering groups and inclusion of BCM as an agenda item at management meetings.

10. Continual improvement
Senior management should drive continual improvement through the business continuity policy, objectives, internal audit, independent review of business continuity arrangements, testing and exercising and management review.

COBIT is an umbrella framework for governance and management of enterprise IT. COBIT 5 defines 17 IT-related goals that can be adopted to improve operational excellence in an organization [9]. BCM is an extension of business process excellence. The best practices of COBIT 5 can be effectively used in the implementation of business continuity initiatives.

A holistic BCM approach requires various resources—both technical and non-technical. COBIT 5 defined seven categories of enablers which are factors that, individually and collectively, influence the working of governance and management over enterprise IT. ISO 22301:2012 listed eight categories of resources required to implement the selected business continuity strategy options [10]. A high-level mapping of COBIT 5’s seven categories of enablers and the BCM resource requirements listed by ISO 22301:2012 may be observed from the figure two below:

Figure two: COBIT 5’s seven categories of enablers and ISO 22301’s BCM resource requirements

Figure two: COBIT 5’s seven categories of enablers and ISO 22301’s BCM resource requirements

Various COBIT 5 process controls [9] that expect management role in BCM-related processes are listed in Appendix-A of the COBIT 5 document. The PDCA process improvement cycle phase to which these process controls belong are also listed in Appendix-A.

COBIT has gained significance for governance and management of enterprise IT, and has become a de-facto umbrella framework. Since the new BCM standard envisages a holistic approach, harmonizing other standards and frameworks (such as ISO 31000 for risk management and PAS 200:2011 for crisis management) with COBIT 5 and ISO 22301:2012 would result in a robust BCM program with senior management oversight.

[1] Ten Best Practices for Creating and Maintaining Effective Business Continuity Management Plans. Gartner Research ID Number: G00174201. Publication Date: 8 February 2010.

[2] Roberta J. Witty et al., Gartner Best Practices for Conducting a Business Impact Analysis, Gartner ID Number: G00141260. Publication Date: 30 June 2006.

[3] Adapted from the Deming Quality Cycle in The Official Introduction to the ITIL Service Life Cycle

[4] ‘Business Continuity Management—a Standards based Approach’, Information Security Journal: A Global Perspective in March 2010.

[5] ISO 27005: 2008—Information Technology—Security Techniques—Information Security Risk Management.

[6] ISO 31000: 2009—Risk management—Principles and guidelines.

[7] Chris McClean et al., Strengthening The Relationship Between Risk Management And Business Continuity, Forrester Research.

[8] PAS 200:2011 Crisis management—Guidance and good practice.

[9] COBIT5—Enabling Processes, www.isaca.org/cobit

[10] ISO 22301:2012 - Societal security—Business continuity management systems—Requirements.

The author
Rama Lingeswara Satyanarayana Tammineedi (Rama) is a member of ISACA and Lead, Business Continuity Management Services, in the Global Consulting Practice of Tata Consultancy Services (TCS), India. Rama has 25 years of overall IT experience including 10 years in information risk management consulting in diverse organizations - business and technology. Rama possesses various professional certifications including CISSP, CISA, CBCP, PMP, ISO 27001 and ITIL.

•Date: 11th Dec 2012 • World •Type: Article • Topic: BC general

Business Continuity Newsletter Sign up for Continuity Briefing, our weekly roundup of business continuity news. For news as it happens, subscribe to Continuity Central on Twitter.

How to advertise How to advertise on Continuity Central.

To submit news stories to Continuity Central, e-mail the editor.

Want an RSS newsfeed for your website? Click here