In this episode of the Managing Uncertainty Podcast, Bryghtpath Principal & Chief Executive Bryan Strawser along with Consultant Bray Wheeler, discuss roles and responsibilities in a business continuity program.
Topics discussed include ISO 22301, Business Continuity Governance, roles and responsibilities, executive sponsors, program managers, program management, business continuity leadership, boards of directors, and many more.
Related Episodes & Blog Posts
- Blog Post: 8 Things to consider when choosing a business continuity consultant
- Blog Post: Using ISO 22301 to evaluate your business continuity program
- Blog Post: Why invest in business continuity?
- Blog Post: A look at the new ISO 22317 Standard for Business Impact Analysis (BIA)
- Blog Post: Rethinking Business Continuity – Applying ISO 22301 to improve resiliency, managing risk, and drive profitability in your organization
- Blog Post: Presentation – A program management approach for business continuity management
Episode Transcript
Bryan Strawser: Hello and welcome to the Managing Uncertainty Podcast. This is Bryan Strawser, principal and chief executive here at Bryghtpath.
Bray Wheeler: And this is Bray Wheeler consultant here at Bryghtpath.
Bryan Strawser: And for today’s episode we’re going to talk a little bit about the roles and responsibilities within a business continuity program. Or, if you want to use the ISO 22301-specific definition, we’re going to talk about roles and responsibilities in a business continuity management system.
Bray Wheeler: Fancy.
Bryan Strawser: Very fancy. A BCMS. But business continuity program, like what are the roles inside of a business continuity program?
Bray Wheeler: Well if we want to probably start at the kind of the very top, because we’ll probably spend the least amount of time there is that kind of steering committee, kind of the overall kind of governance structure of the program and the process within the organization.
Bryan Strawser: And I think we’re going to dive more specifically into governance and a steering committee in a future episode. But when we’re talking about a steering committee, we’re really talking about an interdisciplinary group of leaders probably just below the executive level. But it depends on how your company’s size and structure come into play. But it’s a group of folks who, if you read the Standard’s definition right, their role is to make sure that the program is aligned to the strategic objectives of the organization and that the program is achieving its goals and objectives that had been outlined and approved through this governance process. So they’re almost at the top. They’re not at the executive level, but they could be in your organization, but they’re really up here. You can’t see me. I’ve got my hands up in the air.
Bray Wheeler: They’re taking the proverbial 50,000-foot view of-
Bryan Strawser: That’s right.
Bray Wheeler: … the program within the organization to make sure that it’s not just some kind of sideshow or it’s not minimized or that there is that connectivity throughout the organization.
Bryan Strawser: And although we’ll get into this in another episode as a deep dive, I think it is important to think about this: this is not just a pro forma body that you’re going to get in front of and give updates. It needs to be an actual governance body where there’s good give and take. Where they’re holding the program accountable to the goals and objectives of the program and ensuring that they’re aligned against the direction the company is going. What are the strategic objectives of your organization?
Bray Wheeler: So it’s not quite like the capital funds committee that you have to go present in front of that we’ve talked about in past podcasts where it’s a thumbs up, thumbs down, Caesar kind of moment. It really is that, does this make sense? Tell me a little bit more about it. Giving that kind of different perspectives on ways that the program could evolve or change or meet.
Bryan Strawser: I also think it’s a place that takes your kind of intractable challenges that we’ve talked about related to business continuity and disaster recovery. Crisis management, perhaps if that’s the way your governance structure is set up. But we often have this resource competition between, hey, I’ve got all these things the business says I need to have and then I’ve got all of these recovery strategies that sit in continuity or DR. I don’t have the money to do all of them. So what is the prioritization of strategy here? Or another just more tactical example is the business impact analysis. Not everybody’s going to have a high availability under one-hour recovery. There has to be some balancing of this across the organization and this might be the final arbiter of that based upon the various arguments put up by the business teams or the BC program. So we’re going to get, we’re going to get more into this in a future episode. But I think that’s important to consider with this is if you really want to have an effective steering committee and not some kind of rubber stamp, a not challenge kind of situation.
Bray Wheeler: Yeah. The next role kind of one layer down from that, that’s probably a little bit more tactical within kind of the BC process. And I say tactical, very reserved, but it’s more around kind of overseeing the day-to-day management of the program itself. But it’s also that kind of program sponsor has some decision-making authority. Has some weight and some clout, within the organization in that role, in order to kind of be that person that can say you have to get this done. It’s like it’s not an option. Or to be able to describe that value. Or for the program kind of team to be able to go up to say, “Hey, we’re, we’re having challenges here. How do we need to address it?” And so kind of be that advocate for the program within the organization.
Bryan Strawser: Yeah, you might call this the executive sponsor in your organization or the program sponsor; the Standard calls it the program sponsor. This is usually a senior executive or someone who reports into the C-suite. For example, in our former employer, this role was held jointly between the general counsel, which is where I reported into, and the chief information officer, which is where the DR or technology continuity team reported into. They were the co-sponsors of this. They had equal responsibility from the CEO in terms of being the program sponsor and ensuring that the program was out to achieve its objectives and ensuring proper supervision of the two teams. Two teams, one dream, as we kind of refer to it.
Bryan Strawser: But like there was one programmatic approach across two very different organizations and the program sponsors were the ones that not only just made sure that was aligned properly, but they also, I mean they were the connectivity to the executive committee and the board in that environment. But I also made sure that the right level of talent was in the leadership roles that actually oversaw and managed the program both in IT and in the legal department where we reported into.
Bray Wheeler: What challenges have you seen or did you experience kind of observing that between kind of a co-sponsor rather than a single sponsor in there? Were there any?
Bryan Strawser: I don’t, well-
Bray Wheeler: Or was it just culturally?
Bryan Strawser: I think culturally that was just accepted in that environment. That actually is not what I inherited going into that role 10 years ago, well, 11 years ago now. What I inherited was a single sponsor and there was no connectivity at all on paper to the technology disaster recovery elements of the program. We had to bring that into a programmatic approach and then start to put more onus on the information technology team to accept responsibility for delivering, like, this is your box. Right. Continuity is our box.
Bray Wheeler: Sure.
Bryan Strawser: Program management is our box. Your job is to deliver these technology components. And so it took a few years to get that to be kind of accepted. And honestly, it did require a change in the level of talent that was leading my peer organization over in the technology environment. I don’t think that’s unusual though. I think we’ve seen even last year, you and I, on some consulting engagements where there wasn’t a great relationship. Not only was there not a good relationship between leaders, business, and IT around continuity and disaster recovery. But also not good programmatic material in terms of framework, standards, policies, that at least put some governance authority or some expectations in play that these two functions needed to work together.
Bray Wheeler: Yeah, it was almost, and not to pick on the organization, but it was, you get into situations where just because it’s one line in a document or something like that somewhere, it’s not enough. It’s enough to cause trouble, is what it ends up being, because all it does is kind of force a relationship that doesn’t have anything else substantial behind it. So to your point, there are no policies or program documents or process components to this. There’s nothing culturally or kind of organically set up for those things that kind of coexist and talk to each other. Except for a line or two somewhere in a document or two that says, “Hey, you do have connectivity. Make it work.”
Bryan Strawser: Yeah. I think where we see challenges with this beyond what we’ve talked about, is when just the program sponsor’s just not engaged. Or the team, the business continuity program team, the BCMS team according to the Standard, wasn’t engaging with the sponsor in a way that made for a very productive and healthy relationship like the Standard calls for, and what an organization will want. So I think that’s where you see the breakdown here.
Bryan Strawser: I do feel pretty strongly, it needs to be a member of top management, the way the Standard calls. You know, the senior leaders, executive-level leaders of an organization, it needs to be sponsored from there because it’s that important. Otherwise, it gets lost in everything else. The program manager could be two or three levels down from that executive sponsor. But you need that executive sponsor’s oomph, so to speak, to help make this important in your organization.
Bray Wheeler: Because when it’s important, it’s very important. And everybody starts taking it seriously. But before the boom, as we call it or the-
Bryan Strawser: Preboom.
Bray Wheeler: … leak or flu or whatever it is.
Bryan Strawser: Whatever the bang is.
Bray Wheeler: Nobody finds it inherently interesting necessarily. Because everybody’s often running on their areas of the business.
Bryan Strawser: Yeah. When you’re left of the boom, sometimes there’s just not a lot of interest in some of this. So, executive sponsor, I think you’ve outlined that. The next position we talk about is the program manager. And there are all kinds of titles for this. I mean you could be the manager, senior manager, director, VP of business continuity, or resilience or resiliency or I’ve seen all kinds of titles involving the word resilience lately. But what the Standard defines is a program manager who is responsible. They are the person responsible for the management, the day to day operations of a business continuity management program. And it’s that simple. They own all of the operational responsibilities for making the program go round.
Bryan Strawser: It doesn’t mean they’re doing all of the business continuity work.
Bray Wheeler: No.
Bryan Strawser: Their job is to manage and set programmatic expectations. And then manage to those expectations that they’ve established with their executive sponsor and with the steering committee. Not to write everyone’s plan.
Bray Wheeler: No. And I don’t think we can emphasize that point enough. You especially having been in that role, a similar role. You’re not writing a plan.
Bryan Strawser: I didn’t write anybody’s plan.
Bray Wheeler: No. And nor should that position, because they’re not best suited. And the reason is they’re not best suited to be able to speak on behalf of that process or that team’s or that function’s kind of responsibilities and what needs to happen in order for them to go from normal state to kind of a secondary continuity state, to what’s important.
Bryan Strawser: Yeah. They’re running the program. They’re setting the programmatic expectations. Like it is this person’s job to work with other stakeholders and say, “Here’s the required content of a business continuity plan according to our program.” But it’s the business owners, it’s the plan owners, which we’ll talk about a moment, it’s their job to take that guidance. They might be walked through it by the program manager or someone on the team.
Bray Wheeler: They’re a wise resource.
Bryan Strawser: They’re a wise resource, and they’re accountable for the program. But the plan owner, the business owner is responsible for the plan. And so I think in new programs, this is something that gets struggled with a lot over, who’s doing this, who’s writing the plan? Well, you are, but you’re going to write it to the format that I specify, the template that we’ve specified for the program, and I’m going to help you get there. You’re going to do it.
Bray Wheeler: But you’re going to do it.
Bryan Strawser: Right.
Bray Wheeler: So kind of those three positions that we outlined the kind of from steering committee to executive sponsor to kind of program manager, insert your business continuity slash resiliency, words of choice-
Bryan Strawser: Insert your title here.
Bray Wheeler: … position. Those all have an organizational kind of programmatic view on the strategy of business continuity and the program of business continuity within the organization. Kind of this next role, I think we can even kind of parse it out just a little bit with some different nuances we’ve seen it play out in some different roles. But this is really, these are the people that are responsible for drafting, writing, reviewing-
Bryan Strawser: Approving.
Bray Wheeler: … approving-
Bryan Strawser: Attesting.
Bray Wheeler: … kind of, it’s on the other half of the plan. It’s the plan kind of creative team that has accountability and responsibility to that business process that needs to resume activity.
Bryan Strawser: Right. So here we’re talking about, well, the Standard just describes a business continuity planner as being a person who’s responsible for using their knowledge of the business to create and maintain and exercise a business continuity plan. But when we work with clients, we like to break this into two roles. One is that you’re dealing with a critical business process or a set of processes that are part of a team. That business leader, whatever level that team’s organized at, that you’re writing the plan to, they’re the plan owner. They own the business; they therefore own the business continuity plan that supports and helps them work through disruption to that business. They’re the one who ultimately approves the plan. We do require next-level approval when we’re creating systems. But in the end, they’re the one that’s directly responsible for the business continuity plan.
Bryan Strawser: So we want to capture it in that way that they’re the owner of the plan. And then if they have other folks involved, we might call them planners or plan designees. But they’re the hands-on experts. At usually the lower level, their managers or some position like that. Coordinators. Where they’re writing the plan and they’re working with their boss, the plan owner, to make sure that this plan is right. But they likely do a lot of the day to day work on creating the plan.
Bray Wheeler: They’re likely the ones that are engaging with kind of the business continuity team or function to kind of get questions answered, to kind of walk through and review the details to make sure they’re aligning within the broader organization. But yeah, to your point, they’re the doers of-
Bryan Strawser: They are the doers.
Bray Wheeler: … creating the plan and making sure that it’s workable.
Bryan Strawser: And as we said before, the program manager, again, they’re doing this to a template and a process and a set of expectations that you have established as the program manager for the overall program. You’re looking for that level of consistency in what they’re doing. You’re not the one going in and creating their plan for them. They’re following this direction that you have hopefully put in writing. And kind of going through with them what needs to be done. So those are the roles as I think we think about them, just programmatically. The steering committee, the program sponsor or executive sponsor. A business continuity program manager overseeing the day-to-day operations of the program. And then plan owners and planners or plan designees, whatever you want to call that.
Bryan Strawser: I would point out too that although we were not going to go much into this, the ISO Standard also defines a role for what it calls top management. The senior-most management in an organization. And that role that they defined for them is essentially about being an example for the rest of the organization by demonstrating a visible commitment to the success and the goals and objectives of the business continuity management program, business continuity management system in the Standard.
Bray Wheeler: Interesting.
Bryan Strawser: Set the example.
Bray Wheeler: Set the example.
Bryan Strawser: Set the example. Yeah. When we do the maturity assessments that we do here at Bryghtpath, one of the factors that we’re looking at in scoring is demonstration of that visible commitment. Can you visibly see that there has been commitment from senior leaders to participate? It could be as simple as they’re on their team call and the minutes of the team call reflect that they talked about the importance of business continuity. Or like, next week the business continuity update cycle begins and I expect all of you to do X, Y, Z. Those are the kinds of things that the Standard looks for them to do.
Bray Wheeler: Which is good because again, like we’ve talked about the kind of earlier in this podcast and we’ve talked on other podcasts. And not to minimize, because business continuity obviously is very important and can be very interesting and can be kind of fun mental problems to try and kind of work through how different things work. At the same time, it is not an everyday task within the organization. And so to have that reinforcement of it is important to do these things. It is important to talk about these things. It is important to have these things in place. And that’s my expectation as a top leader is that these things are in place, that should boom happen we’re not guessing. I want business back running as quickly as possible. And that should be everybody’s expectation is let’s get this thing back going.
Bryan Strawser: So that’s our take on the top roles or the, I’m sorry, that’s our take on the roles and responsibilities in a business continuity management program. I think briefly it would be important to point out, some of these roles, they’re held by the fact that you’re leading something else. Like if you’re the leader of a critical business function or team, then you’re going to be the plan owner for that plan. You’re not raising your hand and volunteering. But there might be a choice involved in picking your steering committee members, your program sponsor. Or if you’re managing that team, you might be picking your planners that are going to work on this for you.
Bryan Strawser: And I think there are a couple of factors to keep in mind as you’re choosing those folks. And the first one is you want to make sure that you’re choosing people who understand that this is important. That they grasp that this is not a check-the-box kind of thing, that they need to be committed to doing this right and doing it effectively because it matters. It might not matter today, but at some point, the boom will happen and you’re going to be right of that and now you’re going to have to act and man, if your plan is not ready, that’s a bad place to be.
Bray Wheeler: A very bad place to be.
Bryan Strawser: It’s a very bad place to be because you may not have time to think about alternative solutions to what you’re going to do because your plan’s inadequate. It’s also important, I think just to get folks that have the capacity to be able to do this work. It does require, I’m not going to pretend it’s always the sexiest thing in the world to write a business continuity plan. But it does require someone who has some good critical thinking skills to think about how do I mitigate the risk of something happening? How do I respond when something happens? How do I innovate a solution at the moment when the main elements of my plan aren’t working?
Bray Wheeler: How are things connected?
Bryan Strawser: And how are things connected?
Bray Wheeler: Because that’s usually a pretty common trip point. It’s pretty easy to say, “Okay, let’s draft a contact list and this is how we’re going to do it.” But what are those kinds of secondary and tertiary things that are happening if we make this choice or we enact this option in our business continuity plan? What ripple effects does that have? Or what partners do we need to make sure that that happens? So good visibility, a good kind of organizational awareness is always a nice bonus.
Bryan Strawser: Yeah. Good strategic understanding of how your company works and the interdependencies of processes and people is a really important part of making this world go round. So for reference, if you want to learn more about the roles and responsibilities that are in the ISO Standard, I’m going to encourage you to get a copy of the ISO 22301 Standard. I think they do a pretty good job of breaking down roles and responsibilities into some simple bullet points. You do kind of have to read between the lines sometimes to understand what’s the strategic intent of the role that you’re getting at. But it doesn’t get much simpler than the way that they’re outlined within the Standard.
Bray Wheeler: Yeah. That’s it for this episode of the Managing Uncertainty Podcast. We’ll be back next week with another new episode. Thanks for listening.