“The commitment and involvement of senior management are increasingly recognized as pre-requisites for any successful business continuity management (BCM) initiative.”…Business Continuity Initiatives: When to Involve Senior Management, by Rama Satayanarayana
Senior executives have a lot on their plate. They tend to view business continuity in terms of growth, competitiveness, and profits for shareholders. Yes, the unavoidable capital and workforce investments are factors in keeping everything going, but who wants to spend more money and resources to recover from something that may never happen? Isn’t a business continuity plan just another insurance expense?
Anyway, that may be the consensus of opinion among your company’s senior executives. One day, however, the CEO tells you she wants you not only to set up a formal business continuity plan, but also to sell it to her cost-conscious board of directors.
So here’s your challenge: as a security specialist you know all about the importance of business continuity planning. You’ve done your homework and have read up on ISO 22317, the Standard for Business Impact Analysis (BIA). You have analyzed, documented, and identified all the things your organization must do to achieve the outcomes that will keep your company going in case of a disaster, and you have your CEO’s backing to get moving.
So how do you sell the plan and get the management buy-in that is so critical to business continuity? The problem is, according to the author cited at the beginning of this piece, “demonstration of this commitment tends to be subjective and is not up to the required level in the majority of organizations.” So getting the executive leadership’s mindset from “Good idea. Carry on!” to “I need to get behind this and ensure my people support it” is the key to success.
Katherine Walsh wrote a piece for CSO Online back in 2008. Her “5 Ways to Build a Business Case for Business Continuity” is still great advice. Here is a brief summary:
1. Leverage regulatory compliance.
Chances are that the call you got from your CEO was motivated by due diligence and a desire to avoid all kinds of trouble, litigation and penalties for non-compliance. Locate and summarize the regulations that apply to your company.
2. Demonstrate how your business continuity plan reflects the culture of your company.
Your organization runs on processes and a structure where business continuity has varying degrees of importance and applicability, depending on a variety of factors. Your leadership and their people will ask, “What’s in it for me?” Your job is to tell them, in terms of how important they are to the overall business function and their role in disaster recovery.
3. Get grassroots support and spread the word through personal contact.
A good business continuity plan, according to Walsh, “creates alignment among security, IT and corporate strategies and policies.” To overcome the natural disconnect between those who do the business and those who oversee security and IT, you must understand everyone’s expectations when it comes to business continuity.
4. Be and stay flexible–It’s all about proportion.
Your job, according to Walsh, is to both “encourage and teach executives that business continuity plans are not one-size-fits-all.” You’re not seeking total coverage and absolute protection of every piece of infrastructure at the same level.
As you are developing the plan, you have wisely, through the aforementioned consultations, sought and incorporated the input you need to sell your plan. The old adage, “Those who plan the battle don’t battle the plan,” applies here.
5. Find, show, and tell how business continuity adds to the bottom line.
Your job is to demonstrate that business continuity is a way of doing business that protects the bottom line and is not just another add-on. If you can tie the plan to the firm’s strategic objectives and promote an understanding that the BIA process is like an insurance policy on steroids, business continuity will become both a safeguard and a sentinel. It’s all about process, priorities, and continuing past the unpredictable.
More expert advice
Next, here’s some advice from Paul Kirvan, board member of the Business Continuity Institute’s U.S. Chapter, whose 2011 podcast advised:
The most important things to address when presenting the business continuity plan
Once you get that audience–with the executive group or steering committee, etc.–you have to demonstrate a detailed knowledge of your organization, its culture, risks and vulnerabilities, along with its basic strengths and weaknesses. You need to communicate that knowledge and convince your listeners that they have a direct role in business continuity.
Focus on the entire organization and stress GRC
In your presentation to senior management, it’s all about context. One lesson Kirvan learned over the years is that when presenting business continuity to management, it has to be “defined in the context of the entire organization,” and not focused on just one piece of it, such as the IT organization.
Kirvan also points out that it is very important to align your business continuity plan with what senior managers focus on: governance, risk, and compliance (GRC). Kirvan advises positioning business continuity as the number 4 on senior management’s plate of direct responsibility.
Here’s why: disaster can strike and GRC might not be able to respond. A well-crafted business continuity plan will be able to respond.
Getting everyone, including additional stakeholders, on the same page
This relates to getting business continuity embedded, as previously discussed, into the corporate culture. Kirvan likewise recognizes that business continuity professionals “need to reach out to all members of the enterprise.” That especially includes management, “but also to external stakeholders such as investors and key vendors.”
So in presenting your case to senior management, you need the clearest and most concise message about the risks your organization faces and how your plan can mitigate (if not prevent) the consequences of disruptive events.
But between Chicken Little’s falling sky and what’s in it for your senior management are the true benefits of a well-designed business continuity plan: real business value, well worth the time, resources and money.
Can we help you?
We’ve developed the business continuity programs used by many members of the Fortune 500 – and we’ve been able to sell those programs to senior executives and boards of directors successfully many times over.