
Where Does Business Continuity Belong

Written by Jeff Dato, MBCP, Wednesday, 21 November 2007 23:56

There are many obstacles along the sometimes menacing path facing contingency planning professionals, including gaining and maintaining executive support, analyzing potential risks and their impacts, determining the most cost-beneficial recovery strategies, building a robust yet simple continuity plan, and exercising and maintaining an effective planning and governance program. Negotiating each of these potential minefields requires adept skill, a little bit of luck, and the uncanny ability to keep each piece moving simultaneously along the business continuity continuum, until one day the program can be measured by an organization’s level of resiliency rather than by its ability to recover in a timely manner.

The movement along the continuum toward program maturity can be heavily influenced by the organizational placement of business continuity within the organization. This often overlooked aspect has a direct impact on a company’s ability to meet each of the aforementioned “obstacles” facing modern-day contingency planners. A key success word regarding the determination of a program’s placement is “access” – to decision-makers, to budgetary funding, to logistical support, to technological capabilities.

So what’s the “magic bullet” that will slay this dreaded beast? As is usually the case, the answer is surprisingly simple and stupefying – “it depends.”

In the early days of the contingency planning industry, disaster recovery – as it came to be known – was housed exclusively within the confines of the data center. Executives concluded the corporation’s most vital asset was information – information that was stored electronically on computers. The Office of the Comptroller of the Currency essentially echoed this sentiment when it released Bank Circular 177, which mandated the creation of technology recovery plans for all financial institutions, nearly 20 years ago.

Even today, most institutions, regardless of their industry, embark upon the contingency planning journey by addressing technology recovery, or disaster recovery, first. This is the area where the most perceived risk exists (rightfully so in many cases); thus, accordingly, it is also where the programs are usually housed. Most begin as projects, which are temporary and have an “end” (versus a program, which does not) – a disaster recovery plan. By addressing only the risks brought about by technology failure, an organization is short-changing itself and not properly managing all the potential risks facing the entity. In this technology-focused effort, nearly everything has a technology slant and a technology solution, or so it appears. This leads one to believe that technology drives business, rather than the reality that business drives technology.

Compare this to a more mature program where business continuity is housed on the corporate side of the organizational chart. There is still a linkage to the technology piece (disaster recovery) and, typically, to the crisis management organization as well. While this practitioner has seen it report to many different areas, including audit, accounting and finance, engineering, facilities, general services (mail, transportation, purchasing, etc.), human resources, legal, marketing, operations, risk management (insurance) and security (logical and/or information), each company is vastly different structurally and organizationally and can make the process work without much regard as to who owns the overall process.

Regardless of which area “owns” business continuity management responsibility, one must understand the importance of having that accessibility to key decision makers, process owners, logistical support, and technology capabilities. Given that the key infrastructure support pieces are business process-based, it would behoove a company to place this cross-functional operative amidst these areas.

So where does it belong? The last few years have seen leading organizations begin to integrate business continuity with risk management. The rationale behind this move is that business continuity – in its core being – is simply a component of an overall enterprise risk management program, much like information security and insurance.

The good news is that such programs typically report up through the chief financial officer, thus providing in-your-face visibility with executives and board members. Through the creation of either a chief risk officer or a risk oversight committee, this process’s sole intent is to review and manage all risks – financial, compliance, strategic, operational, and technical – facing the organization and to determine how best to address them. From hacking incidents and regulatory compliance issues to handling derivatives and large complex projects, risk is inherent in every organization. One may get the sensation that business continuity is actually a core competency of the firm and maintains strong ties to other key risk processes within the corporation.

Risk Management 101

The “basic” rule of risk managers – much as “(offsite) backup, backup and backup” is a foundation of the contingency planning industry – holds that there are only four things one can do with “risk.” These four things are: accept, mitigate, insure, or plan. All risks can be addressed with a combination of these four actions. One of the actions is “to plan.” When one considers that “to mitigate” can include items such as information and logical security, facilities (e.g., generators) and audit (controls), and that insurance covers the “to insure” portion, the inclusion of business continuity in this group does not seem so farfetched.

Regardless of where your organization chooses to house the business continuity/disaster recovery/crisis management function, remember the following:

• Ensure the positioning allows accessibility to those key areas which will maximize the amount of risk managed by the corporation;
• Push for integration on the corporate side of the organizational chart, especially with the risk management group (if one exists); and
• If technology is where the function is ultimately placed, work diligently with your key “access” areas to ensure all aspects of the planning process, including the interdependencies with the logistical pieces, are addressed within your efforts.

Jeff Dato, MBCP, is an Atlanta-based senior manager within the Risk & Advisory Services practice of KPMG, LLP, with primary responsibility for business continuity management for the southeast region. He has been involved in the business continuity industry for the last 14 years, evenly splitting his career between banking and consulting, and is the chairman of the Disaster Recovery Journal Editorial Advisory Board. Dato welcomes any comments and questions regarding this article and can be reached via either phone (404) 222-7378 or e-mail: jdato@kpmg.com.