The Board is concerned. The Audit Committee is asking questions. The external auditor is demanding more detail. The CEO has decided it needs more focus. The Leadership Team is looking to the CIO to take care of it all.
Without question, business continuity is much more important than it was a year ago. Too many unsettling things have happened recently (e.g. terrorist attacks, SARS, power blackouts, floods) for organizations to ignore business continuity any longer. And the executive most likely to be awarded responsibility for development of the program? The Chief Information Officer.
And why not? The CIO was the only one really concerned enough about the integrity and availability of computer systems to develop and implement a disaster recovery plan years ago. It’s the CIO who knows that people and resources are in place to restore critical computer applications to full service in a few hours or days. The CIO knows this because it was IT staff that crafted the formal plan and procedures, and tested them extensively, in the first place, proving that the disaster recovery plan will work when needed.
So naturally, the CIO’s peers on the Leadership Team turn to the CIO to work the same magic with a business continuity plan that covers the rest of the company – a plan that ensures critical business processes continue as required, regardless of interruption.
But is the CIO really the best person for the job? This may appear to be a logical conclusion, but there are several good reasons why the CIO should not be responsible for an organization’s business continuity program. Here are three of them:
1. Difficulty in getting commitment. Every employee of an organization is already busy. Each is dedicated to specified tasks that are designed to maximize efficiency and profit. There is precious little spare time to take on additional workload to do business continuity planning. It is therefore vital for the initiator of such a program to understand that business continuity plan development, implementation and maintenance is a net new activity for the organization. If any continuity plan is to be successful, the Leadership Team needs to understand that resources must be devoted to business continuity planning for the initial development load and subsequent, but lesser, maintenance load. It is difficult for the CIO to seek and obtain such a level of commitment. The Leadership Team may be onside, but the next level of management must also be convinced. Without the initial and continuing high-level commitment in hand, a continuity plan is all but doomed.
2. Business lines must own the plans. When a crisis or disaster happens, continuity plans will be executed by those affected. Those that will feel the impact must thoroughly understand what is in the plans and be sufficiently trained to implement and execute them successfully. Each business unit must be responsible for the content and capability of its continuity plans. Each business unit must, therefore, have complete ownership of its own plans.
The CIO’s role is to lead talented staff with skills in the management of computers, networks, applications and data. Business units expect the CIO and IT staff to manage those IT assets. Similar expectations for the CIO to take care of business continuity plans are dangerous. Business unit leaders must be accountable for their own plans and their units’ capacity to respond to any adverse business interruption.
3. Need to focus on enterprise risk. Risk management can be defined as the management process of planning, organizing, staffing, leading, and controlling an organization’s resources to minimize the possibility of loss or injury from various causes. It is not possible or desirable to eliminate all risks. The objective is to implement cost-effective processes that reduce risks to an acceptable level, eliminate unacceptable risks, and transfer other risks through insurance and other means. Business continuity planning is a risk management initiative designed to mitigate risk.
Good risk management requires an enterprise-wide perspective. Increasingly, organizations are defining a Chief Risk Officer’s role with such a perspective. Although a CIO does many things to manage risk (within his or her realm of responsibility), the CIO should not be responsible for an organization’s overall risk management program. Risk management is a specialty that is evolving quickly. The Chief Risk Officer should focus on enterprise risk. The CIO should focus on how IT can support the business.
The corporate crisis management team
So who should own the business continuity program? Before exploring that question, consider first what a well-conceived business continuity program might look like, once developed and implemented in an organization.
The key focus in developing a successful continuity program is how a crisis or disaster will be managed when it happens – the “Crisis Management Framework”. Managing a serious crisis or disaster in a complex organization requires a different organization than is used for day-to-day business. The crisis management framework is designed to respond immediately, regardless of time of day.
Key to the success of the program is the formation of teams that can act with one voice based on planned responses and known capabilities. The corporate crisis management team takes ownership of the response to the crisis. Made up of some senior executives and representatives of the crisis support teams, the corporate crisis management team is knowledgeable in the capabilities of the company that have already been developed and integrated into the crisis management program.
Every member of an effective corporate crisis management team is trained in the initial assessment, with analysis tasks identified as the first steps in any response. In the event of a crisis situation, all crisis-team members will know how to find each other, where to gather to assess and analyze the situation, and what responses can easily be deployed based on existing emergency response procedures, business continuity plans, and disaster recovery plans.
Based on the situation, the corporate crisis management team can deploy support teams that have a special role to play. For example, Facilities Management typically is tasked with damage assessment. Human Resources is responsible for ensuring the safety and comfort of staff as the situation unfolds. Corporate Communications is responsible for necessary communications with all stakeholders: staff, the Board, customers, suppliers, partners, shareholders, regulators, and the media. The Information Technology team is responsible for executing their disaster recovery plans and ensuring that critical staff can access computer applications and services as quickly as necessary from whatever alternate facilities they may be occupying.
As should now be clear, business continuity is an enterprise-wide endeavor, requiring its own specific resources and commitment. In the end, to be effective, organizations should not default the leadership of business continuity to the CIO. Nor should the responsibility be owned by Internal Audit. Both are specialized functions requiring specific skills and focused objectives.
Who should be the key exec?
At Ernst & Young, we advise clients that ownership of the business continuity program should be vested in a Chief Risk Officer, who has the targeted role of managing all risk for the organization. For those organizations as yet without someone in the Chief Risk Officer’s role, we recommend that whoever is responsible for the company’s operations (often the COO) should assume the responsibilities. Failing that, business continuity should reside with the Chief Administrative Officer.
By now, it should be obvious that business continuity is so important to an organization in today’s changing business environment that it should “live” in the C-suite and report directly to a Chief Officer of some kind.
On a related note, the disaster recovery function should remain within the IT structure, with a dotted line relationship to the person in charge of overall business continuity. It is important that disaster recovery take ultimate direction from business continuity with respect to continuity requirements, so that the appropriate disaster recovery strategies, infrastructure and plans can be developed based on the real and critical needs of the business.
In conclusion, despite the strong experience CIOs have with what are often very visible recovery plans for technology, they should resist the temptation to assume the ultimate responsibility for overall business continuity. The increasing importance of business continuity demands that it receive targeted and specific commitment within an organization. That requires an executive who can marshal appropriate levels of commitment across an enterprise; who can assume focused, wide-vision ownership of the function; and who is able to consider risk from the perspective of the entire organization’s needs.
Michael Smith is a leader in Ernst & Young’s Business Continuity practice for the Americas. For the last 18 years, he has helped organizations develop, exercise and maintain crisis management, business continuity and disaster recovery programs.