8.5 Ways to Get Management to See the Light...Before the Power Goes Out!

william@biby.com's picture

  Often we are contacted by CIOs, HR Directors, and other personnel who want to know how they can get their senior management team to understand the importance of having a business continuity program. Others say that their company’s leaders support business continuity, but they think it only concerns the I.T. Department. Therefore, any such plans (and related budgeting) involve only recovery of systems and take little or no account of personnel, processes, or other important business needs. In addition, in many situations, the I.T. team is expected to start the Business Continuity Program (BCP) themselves. Unfortunately, technology teams are not exactly the best candidates to write Business Continuity Plans. More importantly, they do not usually have the necessary skills or experience to create a realistic, all-encompassing BCP for the company. An effective BCP includes all areas in a company and should usually involve a third party that specializes in business continuity.

Getting buy-in for Business Continuity ProgramGetting back to the original question, what can you do to influence your C-Level team on Business Continuity? Below are 8.5 ways to advance management’s understanding of what makes up a true Business Continuity Program:

1. Make sure that top management or at least a member of senior management is involved in the development of the BCP. This way they will be made aware of the true scope, costs and risks involved.

2. Make senior management aware of potential disasters and related downtime of systems, processes, and other critical functions.

3. If operating a public company, remind management that they may be held accountable if a disaster strikes and negligence can be proven (and let them know that you are trying to help ensure this does not happen).

4. Establish a BCP planning team made up of all levels of personnel including Senior Management.

5. Have a risk assessment and business impact analysis performed by a third party with the results presented to management by a respected expert in the field of BCP.

6. Real-life Examples (especially industry-specific). Stories can help to get the involvement necessary from C-level personnel. For instance, what about the x-competitor that got hit by a tornado, lost everything including single-copy paper files, and later had trouble restoring backup tapes. Or the nearby company that was experiencing high-growth and great success…until the main (and only) Network Administrator was arrested for distributing porn---from the company’s servers and Internet bandwidth. Besides the legal costs and other damages, they now have no one who understands their critical systems. In addition, make sure to stress other departments/areas of the company that are disrupted.

7. Regulatory requirements for the company or industry may call for having a risk assessment, business impact analysis, and all-encompassing BCP. Note that periodic testing and auditing of the Program may also be required.

8. Create a one-page document making the case for a company-wide business continuity program with reasons and examples (possibly including items from this list in the argument). This document should focus on non-technology issues as well as systems needs.

8.5 Lastly if all else fails and the I.T. department is given the task of handling and creating a BCP, volunteer to create a project plan to show the number of hours it will take to complete the project. This plan should show the time and details for I.T. restoration and recovery as well as critical functions, processes, and other needs with Recovery Point Objectives (RPO) for each department. If done correctly, the number of hours required plus management’s desired completion date should prove the case for making it a company-wide program and possibly getting assistance from a professional Business Continuity Planning firm.