Having BCP report to risk management is a pretty good choice. Risk management, in its broadest sense, usually addresses far more than just the purchase of insurance or the management of claims. It is generally involved with the protection of corporate assets, usually through insurance, but often through mitigation efforts associated with real estate, construction, and the selection of office space.
In addition, risk management takes a corporation-wide purview, has connections to safety, security, and facilities, and has many other relationships within the corporation that BCP will need to develop.
Other locations within the corporate structure that could work for BCP would include the legal department, the audit department, and sometimes, human resources. These functional areas all have a broad corporate perspective. Each can carry some risk to BCP though, especially considering the potential for compromising BCP decisions.
Having the BCP program report to the technology or computer department severely limits the visibility of BCP within the corporation, and forces the company to see BCP issues and activities as only a technology problem. It forces BCP to compete with internal technology projects and maintenance. Several other conflicts are likely to result, including:
• IT organizations are equipped to address complicated technical issues and problems, but are usually not knowledgeable about business issues. In the majority of cases, IT sees BCP as recovery of complex technology, and often staffs BCP with technicians, not individuals with broad-based business skills. Business department heads and personnel sometimes discount the credibility of BCP.
• Critical to the success of a BCP program is the ability to manage through a business disruption. When BCP is located within the IT department, the event management team(s) become more focused on technical issues, and not how to manage the business. Except in rare cases, IT has typically not been accepted as a source of business management expertise, but of support for the technical requirements and resources to facilitate business operations.
• In situations where implementation of a technology solution is in competition with BCP, the technology solution can override any risk factors supporting BCP.
• Testing activities and results are likely to be skewed in favor of the technology side, not the business continuity side. Design choices that result in reduced implementation or operations costs will usually be chosen simply because the impact on the IT budget will not be as great or will be more operationally manageable.
• Allocation of resources, both financial and human, will be used to protect the technical recovery processes, not business processes. Business areas will not be given adequate levels of support to define, understand, identify, and implement solutions to mitigate risk.
Last, but not least, ideally the BCP program will be granted authority over continuity issues for the entire corporation and not just a branch or division. Certain BCP issues need to be seen from a consistent perspective, and not from a local one. Independent BCP spheres of authority will complicate the ability to share common templates for plan structures, recovery concepts and strategies, and commonly negotiated contracts and resource agreements.
As in all cases, certainly there will be exceptions that break the rules cited above. At the same time, BCP is somewhat of a political activity, which best operates within a company when there is little confusion and even less chance that strongly differing positions on critical issues will affect recoverability. Strive to place BCP into an environment where authority lines are clearly defined and needed decisions are not hampered by complex, confusing reporting relationships.
In cases where divisional structure is required, clearly identify and assign accountability over areas and divisions to reduce conflict and eliminate redundancy.
Dealing with Reality
So, what do you do if you find yourself reporting someplace other than an optimal situation?
First, considering your responsibilities within the corporation, determine if and how the reporting relationship is limiting your effectiveness. If you report inside the IT department and your job is to recover the data center, then you really don’t have a problem. But, if you’ve been charged with the responsibility to develop the corporation’s BCP program, including business department recovery, then you’ll need to know what’s working and what isn’t.
It’s almost impossible to have an effective BCP program without a steering committee or cross-functional team, made up of key leaders from the corporation. You can use this team to help facilitate the implementation of BCP throughout the corporation. Through a continuing relationship with them, you’ll come to have a much better grasp of the corporate issues that will likely arise within the BCP program. They can also be allies to ensure that the program is getting the resources and support it needs.
Next, understand the limitations under which you will be working. Perhaps, with the support of those above you, you can work to overcome some of the issues outlined above, especially as they relate to competition for financial resources needed for the BCP program.
At a minimum, you’ll want your business department customers to know that you’re working to support their needs. They can help you learn more about their business functions and the issues and challenges they’ll face in building plans and strategies. Ultimately they’ll need to know how to execute their plans during a business disruption.
Lastly, you can help management understand how the positioning of BCP can have an impact on the program’s effectiveness. They may come to realize the risk the company runs if the program can’t get the support it needs to put the needed resources, strategies, and plans into place.
Regardless of where BCP reports, it’s possible to have a successful program. But like everything else in business, you have to understand the limitations under which you have to work. Knowledge, combined with perseverance and strong allies, makes the difference.
Lee Milligan is a senior project leader for Strohl Systems, the global leader in business continuity software and services. Previously, he was the director of business continuity planning for Gap, Inc., director of emergency contingency planning and information security for Charles Schwab, and worked in the technology field for Apple Computer, Bank of America, and State Farm Insurance. He has more than 43 years of experience in business, with a major focus on technology, information security, and business continuity/recovery. In addition, he has served as chairman of the Strohl User Group Advisory Board and chairman of the Northern California Disaster Preparedness Network with the Red Cross.