Business continuity and disaster recovery professionals often ask me, “What is the best way to enforce the need for planning in our organization?” The simple answer is to let the Auditors be your enforcers.
The business continuity planner should establish and get senior management to publish policies requiring business and technology managers to create and maintain business continuity and disaster recovery plans for their specific areas of concern. Auditors, both internal and external, are responsible for ensuring all policies within an organization are adhered to. This is especially effective in organizations where a manager’s review, promotions and pay increases are somehow tied to their ability to have satisfactory audits.
In this environment, the business continuity planner then can become the hero, acting as an internal business continuity planning consultant there to help the business manager pass this portion of their audit.
Too often, the only person held responsible in an organization for ensuring the company has adequate business continuity plans is the business continuity planner. This is a fundamental flaw in the process. The manager responsible for meeting a certain business objective under normal operating conditions should be the same manager responsible for meeting those business objectives (perhaps adjusted) during times of crisis. The role of the business continuity planner should be to establish policy and then assist the business managers in performing the planning methodology and ensuring the enterprise as a whole provides cost effective solutions for a holistic recovery – but, the individual managers should be responsible for the development, content and exercising of their plans. The business continuity planner should be available to hold their hand through the process if needed and/or come to the rescue when they fail the audits.
Believe me, when helping a business manager address a failed audit tied to their ability to get a raise or promotion, they are not going to even think about the fact that you were the one who was responsible for the policy in the first place.
Befriend your auditor. And, educate them on what it is the policy is supposed to do for the organization and what they should be looking for to ensure compliance with these policies. Then, be ready to answer your phone when the calls for help start coming.