Many professionals that I talk to seem to think that the Business Continuity Planner’s job is to ensure their company can recover from business interruption events. Now, this may just be an argument in semantics or me simply splitting hairs, but I don’t quite see it that way.
In my way of thinking, the Business Continuity Planner’s job is to make sure that management is informed of risks, potential impacts resulting from those risks and the costs/benefits of options available to mitigate or respond to those risks, so that management can make informed and intelligent decisions about what mitigation and recovery strategies to invest in. And, when those decisions are made, the Business Continuity Planner is responsible for helping manage and coordinate the implementation and testing of those solutions. But, it is senior management’s job to ensure that the company can recover from business interruption events.
In my mind, the worst thing that can happen to a Business Continuity Planner is not that the company cannot recover from an incident, but that senior management is justified in saying, “But no one told me that this risk existed and these implications could occur.” If the Business Continuity Planner can show that the risks were identified, the impacts were made clear, and viable solutions were presented that management chose not to invest in, then the Business Continuity Planner has done his/her job.
We cannot force management to invest in business continuity or disaster recovery solutions, but we can let them know, with no uncertainty, what is potentially at risk should they not invest in, or under-invest in, business continuity and disaster recovery solutions. Our jobs are to ensure that there are no surprises about what might occur and what the impacts might be should a business interruption event occur.
Prior to management making decisions to invest in solutions, the Business Continuity Planner’s job is to gather information, research risks and solutions, perform cost/benefits analysis and communicate our findings to the proper decision makers. We are often research analysts and salespeople. And, it is a difficult sale to make – asking management to invest capital from a limited available cache in our programs as opposed to other programs being pitched by other department managers.
The risks we must inform management about go beyond the risk of disasters; they also include the risk of being out of compliance with laws, contracts and industry standards. And, we must be brutally honest about our abilities to respond and recover. We do this by realistically conducting exercises and tests and reporting back the findings without a bias towards success.
Our jobs are to set expectations consistent with the risk environment and solutions in place today. It is senior management’s job to decide what risks are acceptable and how much to invest in improving our solutions. If they do not have all of the right information to make that decision, it is then that we have failed in our jobs.