One of the quandaries many corporations face is who should be the owner of the BCM program and who is the owner of the various plans. Many need to determine who is responsible for the various plans against who is accountable for the various program components.
A program is usually owned (the overall responsibility)a by a single individual; an Senior Executive, Vice President or a Director might even be the owner. However, when it comes to various BCM plans, you end up with the same situation. An individual can own a single department plan but a senior person may be the ultimate owner of the various division plans. Meaning, in finance (for example), the CFO might own the overall Finance BCM plan but the accounting department manager may be the owner of the accounting department plan. It folds up into the larger group of plans; the finance division plan. This is where confusion sets in, as to who owns what component. (BTW, yes, I’m aware that ultimately, the overall responsibility for department/division plans would still fall under the Senior Executive but they are rarely involved in such a detailed level.)
Then it gets even harder; who owns the overall program on the Senior Level? A finance executive doesn’t want to own plans that belong to a Servicing, Human Resources or lord forbid, the Technology department. The person(s) who has BCM in their performance review/appraisal is the owner of their plan. That simple. If you’re judged by the plans in palce for your area, then you own it. It wouldn’t be prudent for judge someone (appraise or review them) on a subject for which they have no ownership – but hopefully some level of involvement.
It has to be determined where in the organization BCM sits and who owns what components. Can you imagine what will happen if a DR occurs and there is no owner? Or worse yet, suddenly everyone becomes and owner? Yikes!! But then again, responsibility is different from accountability and maybe if that distinction is made it might be easier to determine who owns what components and plans.
- Responsible: “chargeable with being the author, cause, or occasion of something” (Dictionary.com). For example, departments are the authors of their plans and are responsible to ensure they contain accurate and up to date information. They are the one’s who would be following them during times of disasters. They understand the details (if it contains that level) and the eccentricities within the various department processes. Thus, they must be responsible for them.
- Accountable: ”subject to the obligation to report, explain, or justify something; answerable” (Dictionary.com). BCM is accountable to ensure the plans are updated, maintained and distributed because that is the role of the BCM rofessional (among many others). They must ensure the plans conform to a standard and contain a sufficient level of information that will help the corporation (or a particular department) to respond effectively in a disaster. If it’s in your job/role description, you are accountable for it; if that is a BCM plan, then you’re accountable. An executive can be accountable for those who work under them (or with them) and are responsible to make sure the right tools are provided to these individuals so they can continue to develop sufficient plans etc. Accountability is the last line of defence when something occurs. Such as the President or CEO is accountable for the entire organization; if something goes wrong, it’s their ‘neck on the line’ so-to-speak.
To put it into perspective, the higher up the ladder you go, the more responsible and accountable you become for you department / division. Responsibility and accountability expands outwards based on the level of influence one has within the organization. The newest employee has responsibilities but little accountability because the don’t usually own and processes until they begin to gain influence and move up the corporate ladder; then they gain more responsibility and accountability. So, back to the BCM program and the various plans.
BCM is the owner or the stewards if you will, of the document templates, document repositories, the review processes and development methodologies (to name but a few) to keep the program current and reflecting the organizational need. This also means ensuring that a maintenance process is in place, as well as training and awareness campaigns and opportunities. They can’t own each plan because the content is that of the various departments. The BCM representative can’t own the content of the Finance department; only the Finance department can own their own items. What BCM is not the owner or steward of is the plan content, unless it’s a pan specific to the BCM department. The contents of many of the plans should be that of the individual department leads / functional managers / or division heads. You can’t shuffle ownership to someone else the moment a disaster occurs.
If the content – and plan – is owned outside of the department, what incentive is there to maintain it? None. It would be like me being responsible/accountable to make sure keep your car running in good order. That just doesn’t make sense, does it? If that was the case people wouldn’t bother to ensure the plan (or as the example says, their car) is kept maintained because it would always be someone else’s fault should something go wrong. But if you own your business processes and procedures during normal operations, you are responsible and accountable when they a disaster occurs; you just get guidance and direction from the coordinators on when to enact you plan. Meaning, when the “DR Team” members say to implement your contingency
plan you have a plan to implement.
Another example, who better to own the Crisis Communications Plan; the BCM team or the Communications team? Should be a no brainer. The BCM team might present and develop a format that is to be followed – the document structure if you will – but the content – the detail – must be developed and owned by the Communications team. Who knows more about communications that the communications team.
When it’s ‘completed’ the BCM team is then responsible – along with the department representatives – to make sure some sort of validation exercise is scheduled to validate the plan(s) content. Then they need to ensure it is reviewed on a regular basis for updates and relevance. It should be that way for all plans.
Let’s look at it a different way, I may be the owner of an apartment building (the BCM Program) but the contents of each apartment is the owner of the tenant, not me. I, as the owner (or superintendant) is responsible to make sure the building runs effectively and efficiently and clean but I’m not responsible for what is inside the apartments, as that content is not mine. (Unless you break my fridge…ha ha).
Program Ownership is different the Plan ownership and the sooner corporations can instil that insight to team, managers and others, the better the plans will become. In some instances the Risk Officer (CRO) is the owner of the overall BCM program but will entail the Health & Safety group/team, Security (Information and Physical) and risk management. They are responsible to ensure the overall program flows while the various components are managed by another person (i.e. the director of InfoSec is responsible for InfoSec and all that it does).
It’s this high level person that present the status of the program to rest of the executives; they are the ultimate owner of it all. As owner, they expect that all the various components are maintained and validated through exercise and kept current. That is the responsibility of the component owners (or plan owners). Clear as mud??
“Heads in the Sand: What Stops Corporations From Seeing Business Continuity as a Social Responsibility”
“Made Again Volume 1 – Practical Advice for Business Continuity Programs”
by StoneRoad founder,
A.Alex Fullick, MBCI, CBCP, CBRA, ITILv3