In this podcast, Paul Kirvan, CISA, CSSP, FBCI, CBCP, board member of the Business Continuity Institute’s (BCI) U.S. chapter, offers some insight into how to convince senior management that developing a disaster recovery strategy is critical to your organization. Getting management buy-in for a disaster recovery policy is often a struggle, but it doesn't have to be that way.
In this podcast, learn about why selling your disaster recovery policy is such a challenge; discover the most important things to address when presenting your business continuity (BC)/DR strategy to management; and get advice on getting stakeholders on the same page.
This is the first in an ongoing series of podcasts we'll be recording with the BCI, which will cover a wide array of topics of interest to BC/DR professionals.
Click here to listen to the podcast on getting management buy-in for your disaster recovery policy, or read the transcript below.
One of the biggest challenges we hear about from our readers is selling business continuity and disaster recovery planning to management. First off, why is that? With disasters all over the news, wouldn’t you think it’d be an easy sell?
Somehow, over the years, business continuity and disaster recovery have acquired the reputation of being investments with minimal or no real return. I’m still trying to figure those things out myself. But, for example, it’s not uncommon for organizations to make significant investments in programs and plans that may never actually be used; that is a real issue. But you can make a claim that companies buy insurance to protect them; shouldn’t business continuity perhaps be considered a type of insurance?
Disaster recovery evolved from the IT world, and it is perceived as an IT activity, although it can very easily reside in other departments in the organization, such as an audit function, a risk management function (or) even part of a management department. Business continuity evolved from DR, and differentiates itself (because) DR takes a larger, more holistic view of the entire enterprise—not just systems, networks, data and people, as disaster recovery would do.
Both are important business activities. So we have an interesting dilemma: Business continuity professionals are rarely both experts in the profession and salespeople. So we are good at what we do, but not necessarily good at making that known to the right people in an organization. And our difficulties selling business continuity and disaster recovery are probably one reason that we have difficulty getting senior management to agree to business continuity/disaster recovery programs.
What are the most important things to address when presenting the need for BC/DR investment to management?
Once you’ve been able to get an audience with a senior executive or a group of senior executives, perhaps a steering group or something like that, business continuity professionals have to fully understand the organization, how it operates, the risks the organization faces, the vulnerabilities that may exist, both internally and externally, and the organization’s fundamental strengths and weaknesses.
Business continuity people need to be able to communicate that knowledge to senior management, and do it in such a way that management can acknowledge and accept the risks as well as the potential remedies available to them, such as a business continuity activity. Once they accept this, they ought to be better prepared to approve investments in business continuity and disaster recovery activities. Senior management must be aware that risks exist, threats and vulnerabilities exist, and they are ultimately responsible for ensuring the organization can, as I like to call it, anticipate, prevent, mitigate and recover from unplanned events. And the better that we, as business continuity professionals, are able to help senior management understand those situations, the better our chances are of getting our programs approved.
Are there any overlaps with other aspects of business where BC/DR can be addressed in a streamlined manner?
One of the things I’ve learned over the years is that when you present business continuity to management, you have to make sure it’s defined in the context of the entire organization. Don’t be too focused on one piece of it, (such as) the IT organization, or whatever.
It is also important to align BC with governance, risk and compliance (GRC) activities, because these activities, among others, are also the responsibility of senior management. And again, this is one of those situations that sometimes doesn’t happen with business continuity. GRC is recognized and accepted, by and large, by senior management. So business continuity probably should position itself as a fourth issue, to address with GRC. At some point in time, an unplanned disruptive event can occur, and GRC activities will not necessarily be able to respond to such an incident, whereas a business continuity program will be able to respond. So that’s why we like to think that business continuity is yet another important part of the overall GRC activity.
Do you have any tips for getting additional stakeholders on the same page?
One of the things that seems to work, if you can make it happen, is to somehow get people throughout the organization to think about business continuity, what we like to think of as embedding business continuity into the corporate culture of an organization.
Most organizations—whether they’re two or three people, or 100,000 people—have some sort of fundamental culture in terms of how the company operates and how people interact with each other. So given that, business continuity professionals need to reach out to all members of the enterprise, especially enterprise management team members. Now, doing this requires not only outreach to internal management, but also to external stakeholders such as investors and key vendors.
Business continuity professionals need to have a clear, concise message about the risks facing the enterprise and, stepping forward, how a business continuity program can prevent, mitigate and recover the enterprise from disruptive events. Now if we take that to a technology perspective, a business continuity professional’s message can include—and should specify—proactive measures in place that protect and recover critical systems and data. But ultimately, business continuity people need to be a visible, active, engaged part of the enterprise so that they can continually send out and reinforce the message that business continuity is an important part of the organization and its culture.
The Business Continuity Institute (BCI) was established in 1994 to help individual members obtain guidance and support from fellow business continuity practitioners. The BCI currently has 5000+ members in 90 countries. Professional membership of the BCI provides internationally recognized status, as this valued certification demonstrates a member’s competence to carry out business continuity management (BCM) to a consistently high standard. The wider role of the BCI, and of the BCI's USA Chapter, is to promote the highest standards of professional competence and commercial ethics in the provision and maintenance of business continuity planning and professional services.