Enlightening the CEO on Business Continuity Planning

Many business continuity and disaster recovery planners complain they cannot get visibility in the boardroom. We offer advice on gaining visibility and the commitment required for effective continuity planning.

We often receive inquiries from disaster recovery and business continuity planners wanting to know how they can gain management commitment. Frequently, these individuals are "lone rangers" within their enterprises, espousing the need for disaster recovery and business continuity planning but having little authority and budget control. With the distributed nature of business processes, responsibility for business continuity must reside within business units (with policies set centrally). Senior management should understand how important its level of commitment is to the success of the program (see Note 1 for examples of why this is critical).

Senior management must understand the need for its involvement and for a corporate sponsor or oversight committee. Enterprises with best business continuity and disaster recovery practices have a corporate culture espousing availability, an understanding of the costs associated with business process outages and a realization that following a well-defined process when disaster strikes is significantly better (resulting in less downtime and costs) than chaos. Here, we provide a summary of techniques that business continuity and disaster recovery planners can use to enlighten the executive team and shore up necessary commitment.

Create Awareness: First and foremost, the CEO is aware of the year 2000 compliance problem, which should be used as leverage to fund business continuity. For many enterprises, year 2000 compliance is the best thing that ever happened to business continuity and disaster recovery funding for the following reasons. 1) It is raising awareness of potential risks (e.g., interruptions in the supply chain) and the importance of applications used in critical business processes. 2) Making the CEO aware of incidents within and outside the company will help with risk recognition and benefits of planning. Inventorying and reporting enterprisewide incidents specifically focusing on facility outages is one way to raise awareness. Showing videotapes of actual incidents and their aftermath also illustrates the importance of planning, as does talking with other regional enterprises that have experienced disasters; it also reinforces the threat of a disaster (see Note 2). 3) For publicly traded companies, the CFO, internal audit committees and external auditors can help raise awareness of risks and corporate responsibilities (see Note 3). For nonpublicly traded enterprises with high visibility (e.g., governmental agencies, hospitals and nationalized industries), training for handling the press after an incident can also raise awareness.

Perform an Informal BIA or Risk Assessment: Business continuity and disaster recovery planners should interview LOB managers to determine the impact on business processes if specific sites are unavailable for varying time periods. Business continuity and disaster recovery planners should assist LOB managers in walking through disaster scenarios and assessing costs, and should share the results with executive management. Impact will include direct costs (e.g., lost revenue and productivity) and indirect effects (e.g., relationships and reputation with customers, suppliers and business partners). Business continuity and disaster recovery planners should use these findings to get support, commitment and funding. Having business continuity responsibility in LOBs (as opposed to the IS organization) offers the best chance for adequate business continuity funding and disaster recovery funding within the IT budget. A side benefit of performing the informal BIA will be a better justification and prioritization of current expenditures for disaster recovery.

To gain greater business continuity and disaster recovery visibility as well as commitment from executive management, business continuity and disaster recovery planners should create an awareness campaign, and leverage their year 2000 compliance contingency planning efforts to ongoing business continuity and disaster recovery planning. Working with LOB executives on an informal BIA or walk-through test can also shore up support. After trying these techniques, if a business continuity or disaster recovery planner still does not obtain necessary management commitment, he or she should either accept the enterprise's apathy (and document that management has accepted the risk and potential liability) or seek a business continuity or disaster recovery position in an enterprise that cares — before a disaster strikes and removes that option.

This research is part of a set of related research pieces. See AV-14-5138 for an overview.