If you think that having good governance for your business continuity and crisis management program is just an exercise in bureaucratic box-checking, you’re missing the point.
Like most people who come to us with a problem, you might have issues:
- Getting your executives to care about your business continuity and crisis management program
- Getting other teams to participate in business continuity activities
- Getting IT to build the availability and disaster recovery strategies that you need to ensure continuity of operations for business teams
Good governance—i.e. having the right people, policies, and practices to direct and control your business continuity and crisis management program—is the answer to all three of these problems.
Having an effective governance approach for your business continuity and crisis management program can help your program on multiple fronts. It creates opportunities to advance your program with executive and board leaders, facilitates cross-departmental coordination and buy-in, and ensures a forum to have the conversations that are important to improving and maturing your program.
Here’s our best advice on how to make sure your governance approach helps you reach your resilience objectives.
Want to learn more about Business Continuity?
Our Ultimate Guide to Business Continuity contains everything you need to know about business continuity.
You’ll learn what it is, why it’s important to your organization, how to develop a business continuity program, how to establish roles & responsibilities for your program, how to get buy-in from your executives, how to execute your Business Impact Analysis (BIA) and Business Continuity Plans, and how to integrate with your Crisis Management strategy.
We’ll also provide some perspectives on how to get help with your program and where to go to learn more about Business Continuity.
Key benefits of good business continuity governance
Builds visibility and awareness for your business continuity program
Most people still don’t understand what business continuity and crisis management are, let alone their value to their organization. As a business continuity leader in your organization, you need to be prepared to educate and champion your program to others at every opportunity.
Good business continuity governance is one of the best ways to do this.
Steering committee meetings provide an important forum for you to discuss how your business continuity program aligns with key departmental and company objectives and build buy-in among your stakeholders. Requiring annual or semiannual reporting to your board and executive management is also an effective way to ensure you have the opportunity to regularly champion your program to company leaders.
Helps identify and address gaps in your business continuity program
Steering committee meetings are an important forum for measuring progress and addressing program challenges. With this information in hand, you can then prioritize actions to resolve, mitigate, or accept identified gaps in your program, like recovery capabilities that may still fall short of your requested technology RTOs.
Your business continuity & crisis management steering committee—usually an interdisciplinary team of six to eight people—should meet at least quarterly to ensure your program is aligned to corporate strategy and objectives and is maturing and making forward progress towards annual goals.
Provides a mechanism for accountability
Putting your business continuity program’s performance into operational metrics is a guaranteed way to get business continuity stragglers on board. No one wants to be the department highlighted in red in your business continuity program metrics.
And while I always advocate the carrot over the stick, creating metrics around your program’s performance—and highlighting who is falling short—is a guaranteed way to get their attention.
Ensures compliance with ISO 22301
We highly recommend the International Standards Organization’s standards as a starting framework for your business continuity program and plans ( ISO 22301). While conforming to ISO standards is completely voluntary, it’s an important industry benchmark that’s important to most boards, and compliance frameworks, & investors. And because ISO standards are based on a proven process for program improvement, conforming with ISO 22301 is one way to guarantee that your business continuity and crisis management program improves and matures over time.
While ISO 22301 does not establish a prescriptive governance approach, it does require a process for establishing business continuity objectives, ensuring leadership oversight and accountability, and a framework for measuring and improving upon program objectives. This implicitly requires that there is some sort of governance process, such as a business continuity steering committee, which sets and monitors these objectives.
With this in mind, every business continuity policy that we create for our clients includes governance and accountability requirements, including roles and responsibilities of the executive sponsor, steering committee, and others in the governance process.
How to implement effective business continuity governance
1. Get your policy in place
Creating a business continuity policy that aligns with ISO 22301 standards is an important first step to standing up your governance approach. It will guide you in:
- Setting a strategic approach for your business continuity and crisis management program,
- Getting agreement on key definitions and objectives,
- Establishing key roles and responsibilities, and
- Defining governance and accountability requirements.
Ideally, this policy should be created at the outset of starting your business continuity program. If you already have a program in place but no policy, it’s never too late to start.
2. Set clear roles and responsibilities
Your business continuity policy should include clear roles and responsibilities for various aspects of your resilience program. The board, executive team, executive sponsor, and especially the steering committee, all have key roles to play in ensuring your program’s success.
It’s equally important to make sure that you place the right person in each role. This is especially important for your executive sponsor(s)—your program’s champion(s) within the organization—and your steering committee members.
3. Build a strong steering committee
The steering committee is the primary governance body for your resilience program. On a practical level, this is where and when things get done.
Your steering committee meetings are the time and place to talk through program challenges, obstacles, and key areas of opportunity to improve resilience.
To make sure you get the most out of your steering committee, your business continuity policy or steering committee charter should include the following:
Roles and Responsibilities—Ideally, your steering committee should include management representatives from select teams across the organization. This includes your business’s main lines of operation and anyone critical to supporting those operations.
Meeting Frequency—We recommend that most steering committees meet at least quarterly, if not monthly, depending on the maturity of your program and the complexity of your organization. As your program matures, you can adjust your meeting frequency as needed.
Meeting Agenda—Every organization is different, but most standing agendas should include:
- A discussion of program status, including operational metrics and any strategic initiatives or projects important to your IT disaster recovery, crisis management, and business continuity programs
- Review and discussion of program gap findings from incidents or exercises and plans to close those gaps
Your standing agenda should also make provisions for an annual review of your program structure, framework, and policy.
It’s also a good idea to make sure your policy includes an annual briefing to both your board (or the board risk and audit committee) and your executive management team.
Want to work with us or learn more about Business Continuity Governance?
- Our proprietary Resiliency Diagnosis process is the perfect way to advance your business continuity & crisis management program. Our thorough standards-based review culminates in a full report, maturity model scoring, and a clear set of recommendations for improvement.
- Our Business Continuity (including effective Business Continuity Governance) & Crisis Management services help you rapidly grow and mature your program to ensure your organization is prepared for the storms that lie ahead.
- Our Ultimate Guide to Business Continuity contains everything you need to know about Business Continuity
- Our free Business Continuity 101 Introductory Course may help you with an introduction to the world of business continuity – and help prepare your organization for your next disruption.
- Learn about our Free Resources, including articles, a resource library, white papers, reports, free introductory courses, webinars, and more.
- Set up an initial call with us to chat further about how we might be able to work together.
How to set up a crisis management team in your organization