BCM is now an important feature of successful organizations, where it is recognized as a program that is ongoing, maintained, and progressively enhanced. BCM is not a one-shot project. It is also not a piece of documentation that you download off the Internet and fill in its fields, then present to the auditors and regulators once or twice a year, and then return to a dusty shelf. BCM is not rocket science, yet it is not a simple checklist task. It needs careful setup and solid foundations in order to succeed and deliver its goals and objectives.
The setup of the BCM program should be carefully thought out and implemented. History and the results from various implementations suggest several key success factors that can help the program succeed and sustain success. The interpretation and reflection of these key success factors may be different from one organization to another, yet the concept remains very similar.
The first and most important success factor is effective involvement, commitment, and support from the top management for the BCM program. Top management refers to the set of executives running the organization and controlling its direction. Top management has the ultimate responsibility for protecting the organization and is directly accountable for fulfilling this responsibility. Regulations, standards, and laws assign top management responsibility for the effectiveness and ownership of BCM programs. Their support and involvement should be displayed and communicated to lower employee levels in order to facilitate implementation and effective reviews of the BCM program. The commitment also requires top management to ensure that the BCM program is aligned with the organization’s strategy and direction and that sufficient resources are allocated to run a successful implementation. Top management is also committed to ensuring that BCM is effectively embedded within the organizational processes and that the program is continuously enhanced and improved.
To be successful, the BCM program should be relevant to your organization. It should reflect the requirements of your environment and should be in line with the organization’s strategy and goals.
Regulations are being increasingly introduced and enforced for several industries to mandate BCM implementation in organizations. It is important that the BCM program follows the guidelines issued by the regulators. These regulations can be used as a driving force behind establishing your organization’s BCM program. With similar importance, internal and external audit reports can be very helpful in designing and setting up BCM programs as meeting audit requirements is essential for successful BCM programs.
The BCM program, like any other program in the organization, needs to be allocated sufficient resources in order to be successfully implemented. These resources include support and buy-in, budgets, infrastructure, and qualified staff. The resources allocated should by all means be sufficient, but not over-allocated. Cost-benefit analysis should always be present in all resourcing decisions made for the BCM program.
Being of an organization-wide nature, the BCM program needs to be communicated across all levels of the organization and to relevant parties or stakeholders outside. Of course, various recipients need different messages, but the most important thing is to keep communication channels open and messages flowing in both directions. Effective and sufficient communication helps in managing expectations and collecting feedback and requirements. The key point here is to speak the organization’s language and keep things as clear as possible between all relevant stakeholders.
The BCM program should cover the organization’s key products and services as these are the most influential for the operations and survivability of the organization. Covering the key products and services with the BCM program ensures that threats to them are being assessed and managed proactively, thus mitigating the probability and impact of disasters.
The BCM program should be established on a clear and effective governance model in order to facilitate its implementation and success. The model should have the various policies, roles, responsibilities, and accountabilities assigned to relevant stakeholders. The fact that BCM programs are organization-wide dictates that the associated governance model should be effective, adaptive, and enforced across the organization.
Typical BCM governance models should have the following features:
The BCM governance models have three main components:
The BCM policy is the governing document for the organization-wide BCM program. The policy defines the shape and dynamics of the BCM program through its setup as well as its maintenance and enhancement phases.
The BCM policy should be owned by the BCM program owner in the organization. It should also be communicated and distributed to relevant stakeholders.
It is important that periodic and as-required reviews of the BCM policy are conducted in order to keep the policy up to date and relevant.
By devising the BCM policy, the organization sets the boundaries and the goals for its BCM program. Typically, a BCM policy would include [4]:
Clear and specific objectives of the BCM program should be described. The BCM program should be relevant to the organization and so should the objectives. It’s also very useful to show the links between the overall objectives of the organization and those of the BCM program.
The BCM policy uses some specific terms and vocabulary that may have little meaning to people outside BCM practice. There may also be some terms that are in a generic form and need further customizations to give them more meaning and relevance to the organization. The policy should cover these two cases within the terms and definitions section by listing all the terms that are used and their meanings using the organization’s language and vocabulary.
One important definition is the definition of a disaster. The organization may define a disaster in many different forms since what constitutes a disaster for the organization is unique to it. Nevertheless, we can give a comprehensive definition of a disaster. This definition can then be customized as per the organization’s environment. A disaster may be defined as any or all of the following:
This section of the BCM policy would focus on the main guidelines and practices of the BCM program. These guidelines and practices should be specific and categorized, covering all aspects and relevant sub-programs.
The policy should specify the scope of the BCM program and its activities. The organization may define the scope based on the products and services, geography, organizational structure, or any other aspect of the organization. It is of equal importance that the organization specifies the exceptions to the scope and the reason for such exceptions.
The resources utilized within BCM program activities should be documented within the BCM policy. The organization is recommended to list the financial, human, IT, and other resources that are allocated for the BCM program. It is also recommended to highlight the key requirements and roles of the allocated resources.
The policy should define the overseeing and supervision structure as well as the daily management structure. It should provide the necessary specifications of reporting and information flows between the different stakeholders in the BCM program.
The BCM program should be integrated and linked with relevant programs and practices within the organization. The policy should define the place of the BCM program relative to these programs as well as the information shared or flowing between the BCM program and these programs.
Establishing the BCM governance model starts with the definition of the BCM program owner, or BCM owner. The BCM owner will be responsible for the effectiveness and success of the BCM program. The owner of the BCM program should be from senior or top management and is accountable for the success or failure of the program. This stakeholder may be the CEO or chairperson/president of the organization or another senior officer or executive, such as:
There isn’t a right or wrong formula for determining which title or position is suitable and which is not. It depends on the type and structure of the organization. The key feature is to have a strong and empowered person behind the BCM program. In large organizations, the BCM owner may be helped by a group or a committee that provides assistance and supervision across the organization and would also be responsible and accountable for the effectiveness and success of the program along with the BCM owner.
After defining the owner of the BCM program, we shall give the BCM owner some help in running and implementing the program. This BCM team is headed by the BCM manager. Their main role will be to coordinate all the activities related to the BCM program across the organization.
Again, we will give some help to the BCM manager and the team; a group of coordinators across the organization is named to help the BCM manager coordinate and implement the BCM program. Being native to their areas, departments, regions, or specialties, the coordinators will act like local BCM managers in their areas. Their roles are focused on communicating requirements and helping in documenting, exercising, and maintaining the BCM plans. They will also take part in the BCM knowledge transfer process to other employees in their areas.
Now what else do we need? We talked about including all BCM-relevant programs, like IT disaster recovery and physical security, in the governance model.
Why do we need to do this? Simply put, the readiness of the organization is made up of several components. If any of these components gets affected by a disaster, then the whole of its readiness will be affected. Creating unified BCM governance across the organization would be very helpful in aligning all these programs together to serve one goal: to mitigate disasters as much as possible and be able to manage them if they occur.
Adding these to the governance model may be done in two ways. The first is by making them report to the BCM manager as a centralized coordinator for the BCM activities in the organization. This results in a high level of integration and alignment because it happens on the operational level. The second is by making them report to the BCM owner and committee as ultimate owners of the BCM program across the organization. Both ways should give similar results, yet the dynamics associated with them are different depending on the organization’s environment.
So far, we have identified a BCM owner and committee, a BCM manager and team, and the relevant programs included. What we need now are the roles and responsibilities that are assigned to various stakeholders of the BCM program.
We have three levels for which the roles and responsibilities need defining:
As mentioned earlier, the BCM owner and committee are accountable for the success and effectiveness of the organization-wide BCM program. They are the ultimate decision makers and the resource providers for the program. That’s their main role. As for the derived responsibilities, the list includes:
The BCM manager holds the role of coordinating the BCM program implementation across the organization. His/her main duty is to keep the wheels running and report on progress or problems to the BCM owner and committee. The BCM manager has an important role in times of disaster and crisis. His/her roles and responsibilities include:
The BCM manager is supported by a specialized and competent group of officers, specialists, and analysts. Reporting directly to the BCM manager, their list of responsibilities includes:
BCM coordinators are the local BCM managers within their departments, groups, or functional units. Their main role is to ensure that BCM activities and requirements are being implemented in line with the BCM policy and guidelines set at the organization level. Their list of responsibilities includes:
Running the BCM program is a full-time job. All the tasks of coordination, planning, testing, and activation are resource-hungry and require specialty knowledge and involvement.
Implementations of BCM programs across the world are shifting to the establishment of a specialized and recognizable unit of the organizational structure that is dedicated to the BCM program. The head of such a unit has the role of the BCM manager, who is supported by a team of BCM professionals.
In order to create an active BCM organizational unit, we need to answer these questions:
Answering such questions is not easy as they have no right or wrong answers. The answers are highly dependent on the nature and dynamics of the organization. There might also be a little bit of politics and negotiation involved here. We will go through each of these questions and try to find the most suitable solution for your organization.
To start answering this question, let’s first see what the BCM unit needs from its location on the organizational structure:
The best suggestion here is to place the unit so as to directly report to the BCM owner. As we discussed earlier, the BCM owner could be the chairperson, the CEO, or another executive, like the CRO, CFO, COO, CSO, or CIO.
This is the optimal case for the BCM unit location, yet it is not the most implemented. The good part of such a placement is that you get support, visibility, and sufficient authority and power. The not-so-good side, and this might be highly debatable, is that it only works in mature organizations where the environment is highly stable and governed. There is also a lot of effort needed to integrate with other programs and disciplines like risk management and quality. Nevertheless, if you have the chance to locate the BCM unit as directly reporting to the CEO, do it.
The CFO is an important executive and has an almost complete view over the financial dynamics of the organization. The CFO is usually a highly empowered person. Making the BCM unit report to the CFO would give sufficient authority and power, and access to top management and departments. Yet there are some points to consider here. Since CFOs usually deal with numbers, it would sometimes be hard for you to sell them something that is not quantified, which happens very often in the BCM program. Also, they might influence the direction of the BCM program towards financial risks and threats. Financial impacts are very important, but there are also other types of impact that need to be considered and weighed.
The COO is a good candidate to hold the role of BCM owner. Making the BCM unit part of the COO’s team would give the required level of authority and power, and easy access to departments and functions as well as top management. The only point to consider here is integration with other programs, especially that of risk management.
Risk management is getting more mature and important within organizations these days, especially in the financial sector. Locating the BCM unit within risk management is an increasingly adopted option. Risk management has easy access to top management, even at board level, with the same easy access to departments and functions. If BCM was located within risk management, it would benefit from the existing governance frameworks utilized by risk management. Integration with other relevant disciplines is easier and more effective. The point to remember here is that BCM should not dissolve within the culture of risk management and should be more active in the operational aspects.
This is the least adopted option in modern BCM program implementations. BCM is an organization-wide program that includes business, technical, and management elements. Locating the BCM unit within the technical functions would impact its organizational view and might lead to overestimating technical aspects over those that are non-technical. On the other hand, technology is a facilitator and enabler of the business and management lines and BCM is not an exception. BCM is driven by business and management and therefore it should be as close as possible to business and management.
CSOs handle the security aspects of the organization’s assets and operations, covering information security and physical security. BCM is being covered as a principal element within security since they share methodologies and practices. The good thing about having the BCM unit reporting to the CSO is the integration and utilization of existing resources. The points to consider here are the existence of the CSO position and where the CSO is located in the organizational structure.
The BCM manager and his/her team play very important roles within the BCM program. They are the coordinating function across the organization. They interact with almost all stakeholders and play a significant role in times of disaster.
To lead a successful BCM program, the BCM manager should:
A BCM manager needs several years of experience to be able to lead a BCM team. Of course, this depends on the personal characteristics of the nominated candidates.
As for the BCM team, members will be helping the BCM manager in daily tasks as well as specialized initiatives and projects. They should also possess a set of skills and expertise and should:
BCM officers, specialists, and analysts should possess some years of experience. Yet there are some cases where juniors and fresh graduates have successfully made their way into the field.
Now that we have defined the reporting lines for the BCM unit as well as the selection requirements for the BCM manager and their team, we need to define one more thing, which is the size of the BCM team.
To determine this variable, we need to consider the following points:
Again, there’s no definite size or ratio for the size of the BCM team. The suggested approach here is to start with a small number and increase it as the BCM program progresses into maturity. When sizing the team, the BCM manager should also consider covering the main areas of his/her tasks:
Special consideration should be given to the geographical distribution of the organization. For an organization that has most of its operations, market, and stakeholders within a specific area, most, if not all, of the relevant stakeholders can be involved in the program. On the other hand, when the BCM program spans borders and regions, things become relatively harder and a balance of flexibility and strictness is needed in the implementation.
The first consideration is to have a local BCM “super coordinator”. The BCM super coordinator differs from the usual BCM coordinator in that their assigned responsibilities usually cover multiple departments and, sometimes, smaller organizations. In the latter case, it is becoming more common now to have regional BCM managers and teams reporting to the global BCM manager and team. It is highly dependent on the nature of and the dynamics between the entities of the organization and the governance structures involved.
The other consideration is deciding whether you want a different BCM owner and committee at the remote location or not. There might be different regulations and laws, or impracticalities involved that make oversight and control difficult and ineffective by the original BCM owner and committee. In that case, there should be a link created between the two BCM owners and the relevant committees.
[4] British Standards. BS25999-1:2006 Business Continuity Management – Part 1: Code of Practice. (2006).