
It is 3 a.m. Saturday and the CEO of a large corporation gets a call. The voice on the other end of the phone says, “The downtown headquarters building is on fire. It looks like a total loss.”

After assembling the senior staff, the CEO tries to navigate a path to getting the organization productive again. But over and over, the CEO is met with, “We can’t get in touch with Charles,” or “Our broker wants us to commit to a five-year lease before he’ll even talk to us.”

It is this level of frustration, the result of not having a plan, that you want to get into the mind of your CEO. Why? Because if you can do that, you are well on your way to having an effective business continuity planning program.

We have all been told, time and again, that it is important to have senior-level commitment, but why? The answer is so that our plans can be built on information that resembles reality.

Take, for instance, the process of determining the recovery time objective. If we ask the question, “How long can this function be down before there is severe financial damage to the organization?” to a person too junior, the answer we get will reflect an inflated perspective. It seems like the further you go down into an organization, the more inflated the perceived importance of a function gets. The higher up in the organization you go, the better the perspective is of a function’s overall contribution to the financial well-being of the organization. If you do not get the blessing of the CEO, you will only get access to junior-level folks.

You will also experience the need for CEO commitment and support when you try to organize teams for the recovery effort. To be effective, team composition should reflect the hierarchy structure of the organization. During a disaster situation, the team reporting structure is going to reflect the day-to-day power structure of the organization. So, to avoid having the plan discarded during the recovery process, it is best to have the recovery team structure reflect the normal reporting structure.

This is where the problem lies. Many of the senior managers I have known do not want to get involved in preparing for disaster. It is not something they are familiar with and it generally will do nothing to contribute to their corporate scorecard. If the CEO makes it part of that scorecard, senior manager cooperation will be secured and effective teams can be created.

In trying to amass information for the construction of a plan, the plan administrator will be competing for the time of subject matter experts (SMEs). SMEs will many times have more on their plates than they can say grace over. They have to choose what is important and what to let slide. Unless it is clear that the CEO is behind the process, BCP ends up in the “let slide” category. Too often, the solution chosen by the planner is to be satisfied getting information at a lower level of the organizational hierarchy. This may be the easy way out, but the quality and effectiveness of the final plan tend to suffer.

For those who have been putting together plans for a while, I apologize for preaching to the choir. The above was meant to get everyone up to speed. The real question is how do you get the “buy-in” of senior management and specifically the CEO? Personally, I have had successes and failures in trying to accomplish this. The primary determining factor in achieving success is the initial predisposition of the CEO to business continuity planning. It really helps if the organization happens to be situated in an industry that requires BCP such as healthcare or financial institutions. Other than those two situations, the effectiveness of the BCP program will depend on how the CEO feels about planning.

For those situations where the CEO is amenable to business continuity planning but needs a little push to become the type of proponent necessary, here are some things that will help the cause.

First, and foremost, work with the chief auditor of the organization. With this person on your side, you can make a persuasive argument for the need for an effective business continuity program. To solidify this position, work with the auditor to draft a BCP policy statement. If crafted well and approved by the CEO and board of directors, the foundation of an institutionalized BCP program has been established.

Sometimes you will be asked where the position of BCP administrator belongs.

The ideal position is reporting to a champion who has the CEO’s ear. In my career, I have reported to the CIO, CFO, CHRO, and the corporate attorney. The thing they had in common was that they all reported to the CEO, they had his ear, and they were a champion for BCP. In those cases implementing and managing the plan were done without unnecessary road blocks.

Once you get access to the CEO, you’ve got one shot to make your point. My first recommendation would be to dress the part. Check out what the CEO’s direct reports are wearing and emulate their style. Next, make your points in terms the CEO deals in on a day-to-day basis. CEOs think in terms of financial consequences, market share, and stockholder reaction. If you start talking about bits and bytes and communication redundancy, the bobber is probably not going to go down.

If you can make the business case that you are trying to minimize the sum of the cost of being down and the cost of an alternate solution over time, then you are talking in the language of the CEO. The diagram below is a depiction of that concept. While difficult to quantify, the concept itself is a very business-like approach to BCP that will catch the eye of most senior executives.

 



Once you establish a business need for the program, you might want to create a mindset as I did in the beginning of the article and work backward to how these eventualities might have been anticipated.

Even if you are successful in gaining critical support for your BCP program, your victory may be fleeting. I know of a company that had a CEO who sat in the board room of his Midwest headquarters and was repeatedly frustrated in his attempts to execute an effective response to the crisis that was unfolding in the company’s Manhattan office on Sept. 11, 2001. It was that experience that led to a resolve to have plans in place to deal with crises and the recovery of productive capabilities. That experience spawned a very active and committed business continuity planning program.

Soon after that, a new CEO was appointed, and the internalization of the importance of having an effective business continuity plan was lost. Within weeks of the transition, BCP data gathering interviews went from days to weeks to schedule, decision-makers became inaccessible, and the BCP program was reduced to insignificance.

The point of the story is, if you don’t get the buy-in from the CEO, your main focus should be to remove yourself from ground zero.

 


Jim Barnes, CRP, MBCI, is CEO and founder of Barnes Continuity Planners, Inc. He has spent 16 years in business continuity planning and is the author of “A Guide to Business Continuity Planning,” the best-selling book in the category for the last two years on Amazon.com. Barnes also co-authored “E-Commerce Security – Business Continuity Planning: A Technical Reference Guide,” and the newly published “Business Continuity Planning and HIPAA.”