C-level executives have rarely appreciated their business continuity leaders as much as they have in this last year. At the onset of the COVID-19 pandemic, the robustness of a company's business continuity plan often decided whether it would thrive, survive, or sink. And as we move forward from this crisis, executive management won't forget that. They will continue to push for assurances that the company will be prepared to meet the next disaster.
Security directors must be ready to show the C-suite what a strong comprehensive business continuity program looks like and how their program measures up. The Security Executive Council compiled the following baseline elements and characteristics of a comprehensive business continuity program to help security leaders do just that.
These elements were identified by SEC subject matter experts as they observed leading business continuity programs (BCP). You can use them to help benchmark your BCP or educate management on the direction you'd like to take it.
Baseline Program Elements
- The program is organized and formalized, with a defined team and assigned responsibilities.
- Assigned cross-functional representation and responsibilities.
- Program includes
- testing, training, evaluation and maintenance
- risk mitigation
- response plan
- Business impact assessments.
- A corporate response plan that identifies risks and resources and that is communicated through the organization.
- Community impact analysis and response coordination.
- Documentation of training, testing and KPIs.
- Formalized plans for the disruption of communication or networks.
- Crisis management center with built-in redundancies.
- Tabletop exercises and simulations.
Elements for Enhancement
- Global program elements.
- Corporate Unified Risk Oversight™ (URO). URO is a method of centralized risk oversight whereby corporate risk is identified by a team of executives or managers who represent the company's various business units, then managed with the best interests of the business and its goals in mind. For more on URO, watch our video on the concept on YouTube
- Corporate image/brand protection.
- Supply-chain coordination.
- Outsourced services vetting and coordination.
- Board level risk (BLR) concerns aligned with security mitigation strategies. For information on this concept, watch our video on how aligning with BLR can effectively communicate value on YouTube.
- M&A change management process.
These are elements typically found in successful programs.
- Identify and monitor emerging continuity issues; develop strategies to mitigate their impact.
- Communicate to executive management the level of residual risk they are accepting if the risks are not mitigated or transferred.
- Program is periodically validated through peer review.
- Program leaders have access to and support from executive management and the Board of Directors.
- Consistent delivery in all markets, business units, and functions.
- Understand which corporate drivers (examples below) are important to senior management to build the business continuity plans around.
- Regulation driven
- Product driven
- Brand protection driven
- Incident driven
- Sponsor driven
- Geographically driven
- Corporate culture driven
- ROI/value driven
Of course, as is often the case, the path to program success is also dependent on factors that are specific to the organization. There will be different needs and requirements in different sectors, for example, and your ideal plan will be impacted by the specific requests of your internal leadership, your corporate culture, and your organization's risk appetite.
Looking for more on developing or enhancing a business continuity program? The SEC is currently offering a chapter from its Business Continuity Playbook entitled How Do I Implement the Four Pillars of a Business Continuity Program?
The playbook serves as a framework for the creation and enhancement of a BCP. It is adaptable to companies of all sizes from all industries, and its appendices include templates, job descriptions, structural diagrams, sample meeting agendas, decision matrices, and more.