Where Should Business Continuity Belong in an Organization?

The title of this article is a question that comes up often in Business Continuity Management industry LinkedIn Group Discussions.  Many planners and practitioners struggle with where BCM in situated in their organizational hierarchy – resulting in a hopeful search for a better solution.

Business Continuity Management is often the homely foster child in many organizations.  (For those not familiar with the US foster-care system, a foster child is removed from his/her natural parents and sent to live with a volunteer ‘foster family’ who receives government funds to provide their care).  Few C-level executive want responsibility for BCM.  There’s little ‘up’ side; it doesn’t make any money, and failure – in either a compliance audit or a real-life disruption – may win a one-way ticket to unemployment.

So the winner of the Business Continuity Management sweepstakes is decided by fiat or by default, depending upon the organization’s culture.

No matter what you wish for, you usually get what your organization is willing to do.  It may not be logical, it may not be optimal – but you’re probably stuck with it.  But, on the odd chance that you are given a voice in the decision, what would you say?  Be careful; better to give good reasons for where it shouldn’t reside, than to try to make a case for where it should.

What departments our business units wouldn’t you want your BCM program to fall under?

Information Technology

A Twitter-verse friend of mine – Andy Osborne at Acumen Business Services in the UK (@AndyatAcumen) – recently commented in his blog on the perils of placing Business Continuity Management under the direction of IT.  He wrote:  “All too often, inappropriate solutions are implemented by well-meaning IT Departments working from an invalid set of assumptions.”

Andy meant no disrespect; he simply pointed out that not including ‘the business’ in Business Continuity strategy ignores the fact that planning must be driven by what ‘the business’ needs – and who better to make those requirements known than ‘the business’ itself.

Without question, IT is a vital component of every Business Continuity Management program.  But IT has a somewhat myopic view of BCM.  Their ‘comfort zone’ is technology.  They lack insight – through no fault of their own – into the operational criticalities of business operations.  If ‘go with what you know’ drives the program, IT leadership will result in a heavily weighted IT-centric BCM program.  That lack of balance may lead to resilient IT systems – but probably not to a resilient organization.

Of course, if you’re an IT person charged with BCM responsibility, you certainly will want to remain under the umbrella of IT, for obvious reasons.

Finance

If financial impacts are the key drivers of your organization’s BCM program, then the Finance Department may be the best home for your program.  But if Customers or products & services are your key drivers, a boss who has both eyes fixed on the bottom line may create conflicts within your program.

You should also be aware that – if it hasn’t happened to you yet – when financial times get tough, every C-level executive will have to tighten their belt.  Because BCM doesn’t contribute to Finance’s core mission, it will be among the 1st to lose budget and headcount.

Facilities Management/Real Estate

If you’re plans include “Loss of Building” as a mandatory scenario (see our early blog about Scenarios), it might seem logical to put responsibility for the entire program in the hands of the people who manage the buildings.

I was a Facilities Manager for many years.  How I got into BCM is a long story.  But I can guarantee this:  Facilities and Real Estate may not be the last people you’d want to be responsible for BCM, but they shouldn’t be the 1st.  They possess some skills that mesh well with BCM (an ability to focus on what needs fixing, to juggle multiple tasks½) but there’s seldom a CREO (Chief Real Estate Officer).  Facilities & Real Estate should be key players in every BCM program.  But they don’t get a lot of respect within the organization.  And neither will you if you are part of their organization.
HR, Vendor Management, Legal

These administrative functions are seen as facilitators, not contributors to the bottom line.  Like Facilities, they don’t get a high level of respect.  But worse, they have a difficult time seeing a direct correlation between their day-to-day responsibilities and BCM.  You are unlikely to get much support.

Customer Service or Manufacturing

Again, although a vital player in BCM, their cooperation often comes grudgingly.   They may have high visibility in the organization, but BCM does not align well with their core strengths.  You’ll definitely be low on their organizational chart.

What does that leave?

Risk Management (if you have it) or Compliance (if you don’t have Risk Management).  There are direct correlations between their objectives and yours (unless, of course, your Risk Management Department is really just an insurance function).  In most organizations (excepting those with an intense IT focus), Risk or Compliance is the logical home for BCM.  You could do worse (reporting to Sales or Marketing!).

SHARE:
Jim Mitchell

Jim Mitchell

A frequent speaker at Business Continuity conferences, many of Jim Mitchell’s blogs can be found elsewhere on eBRP’s website and has published articles in DRJ, Continuity Insights and Continuity Central. Jim has more than 20 years of experience in Business Continuity; if you don’t agree with his opinions – he won’t be surprised.

Related Posts

Enterprise Resiliency: Navigating Through Disruptions

Enterprise Resiliency: Navigating T...

In today’s threat landscape, the ability of an organization to…
Orchestrating BC/DR Testing: Virtual – Emergency Operations Centers

Orchestrating BC/DR Testing: Virtua...

  Enhancing Planning and Logistics Management  Coordinating BC/DR tests involves…
Insights into creating a successful Disaster Recovery Test – Part 2: Preparation

Insights into creating a successful...

Insights into creating a successful Disaster Recovery exercise – Part 1: Objectives

Insights into creating a successful...

Aligning Cyber Incident Response Planning with Your BC/DR Program

Aligning Cyber Incident Response Pl...

Cyber disruptions – and their impact on both reputations and…
What Can You Do when your BCM software Relationship Falls Apart

What Can You Do when your BCM softw...

“This isn’t working.”  “I’ve changed.”  “I don’t see a future…
Aligning BC/DR to CSIRP Challenges

Aligning BC/DR to CSIRP Challenges

The immediate reaction to a cyber-security incident is the FUD…
Technology Modeling – the eBRP Way

Technology Modeling - the eBRP Way

Definition: Technology modeling is a point-in-time snapshot of an Enterprise’s…
eBIA – The eBRP Way

eBIA - The eBRP Way

Definition: A Business Impact Analysis (BIA) is the cornerstone of…
Threats, Impacts, BCPs

Threats, Impacts, BCPs

Within Business Continuity circles there is ongoing debate about the…