Maybe it’s just me, but over the last few years I’ve seen a grey cloud slowly descend upon Business Continuity Management (BCM) or Disaster Planning or Business Continuity Planning or Crisis Management or…or…whatever name corporations are calling their programs. By this I mean who is accountable for the program overall and where, does it sit within the organization? It seems that no matter where a BCM program sits, the BCM professional and/or practitioner can be pulled in multiple directions; reporting to many yet accountable to no one.
With such a major component to a corporation, you’d think BCM would sit prominently in a single location that everyone in the corporation would know about and see. Instead, it seems to be shuffled about depending on the situation de-jour and other departments seem to want their own slice of the BCM pie. Better yet, different departments claim they have key pieces of the BCM puzzle yet no one has a full understanding of how all the pieces fit together
With pandemic influenza initiatives having made the headlines over previous months, I’ve found that many in Human Resources have suddenly become business continuity aware. This is great but I’ve also found that the focus seems to on people availability only and there is not real understanding about Technology Recovery or strategy development. In fact I’ve spoken with some HR representatives who literally were recreating the wheel within their organizations (and probably driving their BCM person insane in the process) instead of building upon what they already have. Since when did HR become technology savvy? That’s not to say that any HR people aren’t, it’s just that in this case they were trying to take ownership of something (technology recovery plans) that they didn’t have ownership of during daily operations or even when a disaster strikes but if a pandemic occurred, they were trying to take responsibility for it. Personally, I don’t think they really understood what it was they were actually getting at.
The next group that seemed to be taking responsible for all of the BCM program is the technology group. Now, this isn’t unfamiliar territory since technology recovery / business recovery / disaster planning has sat within this area for years and years. In fact, when there seems to be questions about any sort of contingency planning everyone in an organization seems to default to the IT group as the guru’s in all things BCM related. Not necessarily the case.
Technology focuses on technology…and rightly so. They don’t build plans for the finance team and what the finance teams checklist should be. The finance team should be able to do that; who know better what finance does anyway; IT or finance? It think the answer is pretty easy there.
The other issue here is the technology team tends to focus less on other aspects of the BCM realm than they do on the technology aspects. Well, duh!! By this mean, I’ve worked with many IT professionals who are part of disaster teams or crisis teams and they really don’t worry to much about the media communication aspects or the continuity strategy development for departments; they focus on IT. In the (paraphrased) words of one colleague, ‘I work in IT, not the business. I’m not worried what the business units do, I just make sure IT is up and running.’ If that’s true of some IT people responsible for BCM, will the program really suit the needs of the organization or just the needs of the technology department? Not all IT people assigned have this thought but it’s interesting that I’ve come across it in many corporations.
There have also been some interesting comments made by Health & Safety committees. For the most part H&S committees are volunteer-driven, unless an organization has an assigned fulltime H&S person within the organization. It’s been my experience (to date) that no one has had the fulltime position of H&S, it’s just part of their existing operational role.
Still, as with the HR comments noted above, the pandemic initiative has made some H&S people believe they are BCM experts too. I do think H&S is a missing piece of the BCM realm, or at least, should be more involved with BCM (See a previous blog on this subject). Again, many became communication experts and contingency experts but from experience, it was far from reality. Because people were involved or were the focus of pandemic planning, H&S (in some cases) thought they were responsible for BCM. They could still help build specific aspects of the program but once again, their current view is limited to the people availability aspect and not the other situations that call for – and are part of – the BCM program. Just another group wanting a piece of the BCM pie.
Finally, Ken Simpson had a great post sometime back explaining how Security teams now believe that BCM should fall into their realm. Well, there certainly is a link between the two, as security issues can cause the activation of Crisis Teams and department contingencies etc but would they have a full understanding of all the other aspects of BCM? Would they understand a BIA? Testing & Exercising? I’m not going to go over Ken’s material, I’ll let you read his comments and input but suffice to say, security is another area wanting a slice of the BCM pie.
So where should it sit? Where should BCM reside within an organization? There can be pros and cons to having it sit within Technology and pros and cons with it sitting in non-technology areas (commonly referred to as “The Business”). It might be better positioned to be in the middle of the two so that it can act as a bridge; a way to bring both technology and non-technology teams together. Some places have put it under Risk Management, ironically enough, along side such things as Health & Safety and Security groups.
Overall though, if a program is to be successful on an ongoing basis, the ownership, responsibility and accountability must be with a senior member of management; someone with authority and has decision influence. If not, what’s the point? If the program doesn’t meet anyone’s needs and isn’t something that can be utilized when a crisis or disaster strikes, then the person accountable should take a hit on their score card or performance review. Hey, when we don’t’ do something well with our job functions or miss out targets (i.e. sales etc) then the same should be the case for the effectiveness and relevancy of the BCM program. It’s one thing to have a program in place but if it isn’t assigned an owner or someone at a high level who is accountable for it, there’s a chance other initiatives will gain the focus and resources. Oddly enough, those other initiatives will need to be incorporated into the BCM program but because it gets no focus or has not real owner, the program won’t reflect those new needs.
If the responsibility is given to a single individual way down the management hierarchy ladder – and sometimes not even a member of the management team – that person should be held a hero, in my opinion. They have the weight of the entire organization on their shoulders when something goes wrong because no one else is there to take responsibility (I know…I’ve seen a CEO suddenly refer to a employee for some direction). That means this person – who is not part of management – has the same level of influence as the CEO / President. Not bad.
Still, BCM must reside someplace that appears clearly on a corporations org chart and be an accountability of a high ranking management representative that way it will always – or nearly always – get the right amount of support.
Really, anyone doing an internet search can learn many things about BCM but does that really make them an expert in the field? Unless, they put into practice the things they are learning, I doubt it. It’s kind of like an armchair quarterback who sits and complains about what their football team is doing (or not doing) but has never played a single game in their life.
Is your BCM pie big enough to slice and dice and divvy up various components to all those who want to dip their fingers into the BCM realm? Or, do you have someone specific who is accountable for the program and makes sure that it meets the needs of the organization?
The new book by StoneRoad founder, A.Alex Fullick, MBCI, CBCP, CBRA, ITILv3, “Heads in the Sand: What Stops Corporations From Seeing Business Continuity as a Social Responsibility.” Available at www.stone-road.com **