
Question:

I am an employee of a large financial services organization (1500 employees, $12+ billion assets). Several years ago we moved the responsibility for our BCP from Information Systems to the Business Operations side of the house. From a best practices point of view, where should BCP report? Information Systems? Business Operations? Internal Audit? How are other companies our size structured?


Answer 1:

My name is Jeff Dato and I am Vice Chairman of the Editorial Advisory Board for DRJ. I am responding to your inquiry regarding BCP organizational structure and reporting. Having done this for 13 years, with experience on both the consulting and industry (banking) sides, I have seen quite a few perspectives.

In reviewing your note, I applaud your efforts to move BCP from under the IT wing. On the business side, I have seen BCP report up through Audit, Facilities, Physical Security, Legal, Finance, Human Resources and Risk Management. Of these, I would wholeheartedly recommend Risk Management.

During my banking days, I always had a direct reporting line to the Risk Manager and a dotted line to the CFO and/or CAO (Chief Administrative Officer). This placed me strategically in that I was able to utilize the CFO's business "power" to corral the process-side of the house and, since the CIO reported to the CFO/CAO in each case, preside over the IT support world and the DR/technical efforts.

"Leading Practices" are placing BCP (and its relatives) under the Risk Management umbrella. Today, many of the top organizations are creating Chief Risk Officer (CRO) positions who are responsible for managing all types of risk - financial, operational, strategic, compliance, and technological. While the functional lines may finalize the day-to-day risk operations (i.e. credit risk scoring for Visa/MC), overall responsibility for implementing the risk strategy(ies) is the CRO's. The industry moniker for this philosophy is "Enterprise Risk Management" (ERM). I know a majority of the ten largest financial institutions have employed this organizational model, as have several of the leading manufacturing organizations. It is incredibly detailed, when implemented fully, but is worth the effort once in place. Imagine (!) - an individual (or group) dedicated to monitoring and managing all the risk aspects within an organization! In theory, this centralized process eliminates the "I didn't know <fill in name here> was doing that - I'm trying to mitigate that risk as well!" problems that so many companies are facing.

:::Getting off my soapbox:::

I hope this is a sufficient answer to your question. If you wish to discuss this further, please do not hesitate to call me directly (my contact information is located below). Take care and best of luck in your planning endeavors!


Jeffrey M. Dato, MBCP

 

Answer 2:

I've seen BCP reporting in a number of ways, but what I found worked the best was when it reported directly to a VERY senior executive (i.e., CEO, COO, or General Auditor). There may be conflicts regarding criticality and what is/is not important/needed between the business units (BCP side) and the IT folks. However, these two functions need to have compatible recovery strategies. Therefore, the function should ultimately report ABOVE those two departments. Internal Audit can be effective as it is "neutral" from a business standpoint. Another possibility would be to co-locate it with the Information Assurance group.

Debbie Dix

Answer 3:

In our organization and working with many of our customers, it seems to work best if responsibility belongs to an office that has a wide span of control and tacit authority across all of the organizations in an enterprise. The most common offices or positions that I see are corporate risk management, security, and COO. The key is to identify the area that has an understanding of the business functions and has a stake in the security and continuance of those business functions.

History is usually the reason why IS is responsible for business continuity. It is common that IS was the first organization to address disaster recovery of the technology and as a natural consequence ended up with the corporate continuity program. The potential risk to IS ownership is that business continuity might be viewed as a "technology issue". The consequence is that higher probability risks like employee error, supply chain disruption, bad publicity or product liability issues may not be planned for.

Any structure can work as long as there is a good steering committee that represents the enterprise.

Dave Ziev

Answer 4:

I agree with Debbie on the high level officer. In my experience, reporting to the CFO or to a high level Steering Committee is most effective. When you have it reporting even to the CIO, there are adjustments made to the recovery to reflect the needs and budgets of the CIO. The business operations area would get my vote for second choice, but it needs to be a high level position with authority over technology requirements.

Richard Rehak

Answer 5:

Well, I work for a slightly larger FI (40,000 plus employees, assets around $300 billion) and we, BCM, report out of the Risk Management Division, which in turn reports to the Chief Risk Officer of the Bank. We do also have reporting from both the Technology and Business areas.

Mohammad Dhooma


The responses reflect the views of the individual EAB member, and do not necessarily reflect the views of their employers, the DRJ, or the EAB as a whole.