In this episode of the Managing Uncertainty Podcast, Bryghtpath Principal & Chief Executive Bryan Strawser discusses roles and responsibilities within a business continuity program. What roles should be established? What are their responsibilities?
Topics discussed include the benefits of having clear roles and responsibilities in a business continuity program, assessing the best talent for key roles in your program, and how the various proposed roles help advance and mature your business continuity program.
Related Episodes & Blog Posts
- Blog Post: Business Continuity Program Roles & Responsibilities
- Blog Post: Before the Crisis: The Value of a Trusted Business Continuity & Crisis Management Advisor
- Episode #102: The Bryghtpath Business Continuity Framework
- Episode #104: Supporting the team in a prolonged crisis
- Episode #106: Rethinking Business Continuity in the age of COVID-19
Hello, and welcome to the Managing Uncertainty podcast. This is Bryan Strawser, Principal and Chief Executive here at Bryghtpath. And in this week’s episode of our podcast, I’d like to talk about roles and responsibilities within a business continuity program.
Folks come to us all the time with questions about their business continuity program. Wondering about roles and responsibilities? If you’re wondering about roles and responsibilities, you are not alone. When we talk to businesses about their continuity planning, we get asked every time, and everything from what is one at the most basic level. A lot of companies don’t understand about business continuity plans, or BCPs, and how that’s fundamentally different from disaster recovery planning or crisis planning. Whereas, business continuity plans are about keeping your business running through a disruption. In the latter, disaster recovery plans are about resuming IT operations and bringing back critical technologies and infrastructure.
But we also get questions that are on a more granular level. Like what are the most important roles in a business continuity plan or program? What do those roles and responsibilities mean? How do roles interrelate? And how do we ensure we have the right people in these roles? As risk management and continuity experts here at Bryghtpath, we help companies cut through all this confusion and get clear about the path you need to be on for business continuity planning and program success.
When we talk about business continuity planning, we’re talking about the process of creating a framework that effectively allows you to respond to organizational disruption, minimizing the impact of that disruption on your organization, and ensuring operational continuity and resiliency.
Let’s talk about the benefits of having good continuity planning, and then we’ll transition from that to talking a little bit about the roles and responsibilities. When we take a step back and examine the why of business continuity planning and programs, if the pandemic has taught us anything it’s that the unexpected can and absolutely will happen to our organizations. One client of ours shared a debrief of their experience and how having a solid continuity plan was critical to their response. Their plan, like a lot of other continuity plans for global organizations, was really centered on the geographical redistribution of work, based upon regional or region wide disruptions. For example, if interruptions were disrupted… If operations rather were disrupted in Manila, they could shift them to India. And if things got really bad then, we can just bring the process back to our operations centers here in the United States.
Well, when the pandemic hit, that didn’t work because every problem, that problem of the pandemic, was shared by everybody. Geographical redistribution was simply no longer a viable option. So, although their business continuity plan did not anticipate a global pandemic on the scale of what we’ve seen with COVID, our client’s process of planning and responding to other disruptions over time really had exercised the organizational muscles that they needed to quickly think about and implement new solutions. As a result, their pandemic response was swift and their business carried on despite disruptions around the world.
In debriefing the pandemic response ourselves we discovered, looking across our roster of clients, that the best-prepared clients were ones who had a mature business continuity program in place. Not necessarily because they could pull from existing plans because nobody expected their entire supply chain to be shuttered overnight, for example, but because the preparedness of the organization allowed them to build beyond that standard disruption in a calm and organized fashion. As a result, they were able to quickly react to a complex business situation, the disruption of the pandemic, and shift their responses, shift operations in response even if that situation, the pandemic, didn’t exactly fit what they thought of as potential risks.
As the pandemic response demonstrated, the value of a strong business continuity program and good business continuity plans goes far beyond responding to planned disasters and even more pedestrian objectives like aligning to ISO 22301 and other common BCP standards. It forms the foundation of organizational resilience. And that resilience is now paramount to businesses to allow them to thrive, let alone survive, in response to the unlikely disruptions of our new normal.
One of the first steps in establishing a good continuity plan and program is to define and assess key roles and responsibilities. In other words, what do these roles really mean? And does everyone have agreement about the function and responsibilities for each? Although we usually have recommendations for what roles and responsibilities like this should look like, every business will have a slightly different approach based upon their particular organization, their culture, how they operate. Against that backdrop, we typically assess each business’s current organizational structure, and who is assigned against each role. And then, we break down these into some of the most common roles and responsibilities. So, I want to talk through what we see as some of those common roles.
The first is your board of directors, or board of trustees, or your owner in a PE, private equity, situation. Every board member has a fiduciary duty to exercise a strategic level of visibility and oversight over business continuity, the planning and progress, maturity of your program. Also, importantly, the board sets the foundation for success for a continuity program by promoting a company culture that recognizes the value of managing risk effectively.
Within your board of directors, you probably have an audit or risk committee, or perhaps the responsibility for that falls to a governance committee, or a GRC committee, or an operations committee. But usually specific board oversight and strategic level of visibility for a continuity program is delegated within the board to that risk, or audit committee, or similar committee as outlined in your committee charters. Then, you have your CEO and executive management. Well, every member of the management team, every member of executive management retains the ultimate oversight and responsibility for continuity planning in their specific area of operations.
And then, we tend to see, and we tend to recommend one or two persons at the executive level. Operationally, this is usually the general counsel, COO, or another C-suite appointee. On the IT side of things, this is usually the CIO, or CTO, or CSO where they act as the executive sponsor. They have direct oversight of the continuity planning program and usually chair a steering committee, which we’ll talk about in a moment, that oversees the program from a governance standpoint. These one or two folks, executive sponsors, oversee the day-to-day management of business continuity planning by leading the program at an operational strategic level. And they advocate for the program as necessary within the organization. And what I mean by all of that is that they’re sponsoring the program. They’re not doing it day-to-day, they sponsor it, they oversee the leader who actually runs tactical day-to-day operations.
Then, we have a business continuity steering committee, or perhaps a risk and governance committee. This is usually an interdisciplinary team of 6 to 8 people that meets quarterly, or biannually, or annually to ensure the business continuity program is aligned against your corporate strategies and objectives. And that the program is maturing and making forward progress towards annual goals. This is a great place to bring metrics that show not just the operational maturity of the program that you’re advancing strategies down the road, but also show compliance against the requirements of the program because no one likes to look bad. And this gives broad visibility to some of those gaps in program operations that can be addressed at this level.
Then, we have the business continuity program manager. This is the leader who owns the continuity program on a day-to-day basis. This might be a director or vice president of business continuity. It might fall into a broader responsibility of another leader who has program staff under them or has outsourced that as in business continuity as a service. The program manager has direct oversight and responsibility for executing upon the program, its operations, its reporting, its day-to-day activities. They manage and set the programmatic expectations that guide the business continuity team, the unit leaders, and business continuity planning, and writing, and maintaining, exercising their continuity plans.
Then, there’s the business continuity team members. These are members within that continuity team that execute day-to-day business continuity planning activities under the direction of the program manager. Then, within the business teams, you have business continuity plan owners who are business unit leaders. Could be payroll, corporate travel, physical security, infosec, human resources. They’re responsible for creating the respective unit’s business continuity plan under the guidance of the continuity program. What’s been established for them in terms of a business impact analysis process or a business continuity planning process, this is what they have to follow.
And then, within those business teams are business continuity planners. Plan owners often delegate planning responsibilities to members of their team or, what we would call, business continuity planners, or you might call them plan designees, or plan participants. But plan owners will pull from their business unit experts and those with a lot of subject matter knowledge to actually write the continuity plan for their respective business unit. Those are the key roles that we see in business continuity programs and business continuity plans, and they represent the requirements that are in the ISO 22301 standard for organizational resilience that we typically follow.
I do want to talk a little bit about how some of these roles and responsibilities come into just overall success in your business continuity program. There’s really three things around the roles that come to mind. And I want to use this to kind of wrap up the article. The first is that board level and executive commitment is critical. Even before the pandemic, we found that many of our clients came to us because they had a clear board mandate to implement a business continuity program or improve their continuity plans. But equally important to that buy-in from the board is their demonstrated, clearly observed commitment towards having an effective business continuity program and ensuring that the program is focused on continual improvement.
Like any corporate-wide effort, the success of your program largely rests on company-wide buy-in. And that buy-in begins with a visible commitment from the top. That’s your board and your executive leadership. And it’s critical that we have those two groups, your board, and executive leadership, to have continued high-level involvement in your continuity program at a governance level. And that they make it important and they model the importance that continuity planning will play in managing risk inside of your organization.
The second is that your steering committee can be a critical part of your program success. And so, you want to have steering committee members who get the big picture. Steering committee members should understand the importance of a continuity program. They should commit to being advocates for the program and doing it effectively within the organization. Critical thinking and a big picture perspective are critical to have for members of your steering committee. They should not only just represent well their area of responsibility, but they need to be folks who can think horizontally across the organization to cut across silos and understand the interdependencies of processes, and people within the organization.
Serving on the business continuity steering committee is an excellent growth opportunity for a mid-level leader, particularly those who have senior leadership potential. It gives the opportunity for both strategic and operational involvement and insight and helps develop risk management expertise, which we need more of in the senior ranks of organizations.
And then, finally, having the business units be the owners of their plans is important. One mistake we often see is that the continuity team is tasked with writing the business continuity plans for each business unit. But it’s really the plan owners who are most directly driven by the business. So, it’s critical that the plans align well to their day-to-day direction, leadership and management, and their responsibilities as business unit owners, as business unit leaders. So, it’s important that the actual plan creation, writing, editing, and revising is done by the business unit that will have to put the plan into action in a disruption.
Ideally, every business unit leader is going to exercise direct oversight and responsibility using his or her knowledge of their department to make sure the plan is accurate, goes to the right level of detail, and is completed and carried out. The actual doing of creating the plan is sometimes delegated to planners, business unit team members within the team. The ideal team member in that business is someone who understands their function well, is organized, and can collaborate well with others in the organization to execute upon the plan.
So, that’s our take on business continuity program and plan roles and responsibilities. I hope you found that helpful.
If we can help you in any way we believe well-defined and understood roles and responsibilities can really help you hum through your next disruption. If you have more questions than answers about business continuity planning, we would love to help. We work with the world’s leading brands, public sector agencies, and non-profit organizations to strategically navigate uncertainty and disruption. Read more about our business continuity planning services and business continuity consulting services on our website, or contact us today at firstname.lastname@example.org.
Thanks for listening to this episode of the Managing Uncertainty podcast. We’ll be back next week with another new episode. Be well.