Continuity Program Buy-in
EVEN THOUGH EVERY BUSINESS must ensure the continuity of its operations, top executives often don’t want to allocate the necessary financial and other support to make a program successful, according to business continuity professionals who spoke on a panel at a Gartner Security and Risk Management Summit in Washington, D.C. But continuity executives can improve their chances of getting funding by better demonstrating how continuity is important to the bottom line.
Management wants to see solid evidence, or metrics, on how business continuity is important to the business, said Marcus Pollock, chief of the Federal Emergency Management Agency’s Standards and Technology Branch. One way is to show its value in bidding for government contracts, where there is often a requirement to show how a business would continue when a disruption occurs.
It also helps to speak the language of business, said Roberta Witty, a Gartner vice president. Areas such as the supply chain and product fulfillment are familiar to many top executives, she said. So business continuity professionals should discuss continuity metrics as they relate to the reliability of product fulfillment, she said, and as they relate to any backup plans in case a third party were to have an incident such as a fire. Many executives “understand when they’re not meeting revenue numbers every quarter…so you can see how continuity examples can lead into a business conversation.”
It’s also helpful to follow standards. At least half of medium- and large-sized businesses do not follow one of the many available standards on business continuity, she said, but this can be one of the more effective ways to establish an effective program. Following standards can help companies benchmark how they are doing compared to other organizations. Standards can facilitate audits, which can help to show clear progress. By focusing on major standards, the Southern Company has been able to make steady, well-rounded improvements in business continuity, said Michele Guido, Southern’s business assurance principal.
It can also be helpful to change the language of business continuity to better reflect overall business goals, Guido said. At Southern, she said, the continuity program is referred to as “business assurance.” In a company where one of the main goals is to keep customers’ lights on, such language can be more acceptable to top management, she said. “We’re also working the word ‘resilience’ into our vocabulary.”
She added that it has been helpful to approach assurance goals as if they encompass many types of business interruptions, as opposed to focusing on rarer events that may not be as tangible to managers. “We stopped using the word ‘disaster’ and started using the word ‘incident.’” That takes the focus away from events that only happen every 50 to 100 years and puts it more on common disruptions.
It can also be important to document ongoing efforts, according to Witty, as well as to show “reasonableness in best practices.” This can be helpful in cases where future lawsuits might arise, for example, she said.