How-to get executive buy-in for your business continuity program
Let’s face it, investing in resilience business continuity & disaster recovery program management requires buy-in from the entire organization, from the top down, across all departments & across external service partners & providers. Everyone needs to understand how they fit into organizational operations during normal day-to-day operations & also during a disruptive event. Without buy-in, even the best laid resilience plan won’t work.
Ok. So now how do you get buy-in? I suggest these five for building executive buy-in of your organizational resilience management program:
- Step 1: Define Organizational Resilience specific to your industry/organization
- Step 2: Determine a baseline
- Step 3: Play by the rules! (Know your regulations)
- Step 4: Conduct a business impact analysis
- Step 5: Money talks! Quantify the financial impact
Step 1: Define Organizational Resilience or Business Continuity specific to your organization or industry.
Why? Every organization has unique needs & priorities that vary based on the industry, physical location, reliance on resources such as data & supplies, or other aspects. For example, a hospital has an immediate focus on their customers (patients) which a manufacturing company clearly doesn’t need to consider. Just as a manufacturing company may need to take a look at supply chain management more aggressively than a consulting organization does.
"Simply put this is the ability of an organization to plan for & adapt to change or disruption."
How? Take a basic definition & expand on it. The Business Continuity Institute, defines organizational resilience as “the adaptive capacity of an organization in a complex & changing environment.” Simply put this is the ability of an organization to plan for & adapt to change or disruption. Now add to the definition from the perspective of your industry, policies, procedures, capabilities & training that go into to keep your organization resilient. This will become part of your executive summary for investing in resilience business continuity.
Step 2: Determine a baseline
Why? The best place to start is to determine where you are today. Whether you are just beginning your continuity program or have an organizational resilience plan in place, it is always a good idea to establish a baseline to measure against.
How? We recommend using the free Business Continuity Maturity Model tool. New standards for business continuity are continuously emerging, pressuring BC managers to find a business continuity program diagnostic tool that is objective, consistent & repeatable. Unlike published standards that define program criteria, the BCMM® provides you with the steps to take on the path toward resilience & compliance with standards.
Step 3: Play by the rules! (Know your regulations)
Why: It is important for your executive team to understand investing in resilience business continuity and the regulatory demands that must be met via a business continuity or disaster recovery program. Regulatory compliance can have a significant impact on the development of your business continuity strategy & the buy-in of the executive team. Some organizations will have regulations specific to the industry in which they operate. While Business Continuity or Disaster Recovery regulations may not apply in every business situation, a general understanding of legislation governing data integrity, availability & compliance is helpful for any organization developing an organizational resilience strategy. It is important to know:
- Standards & requirements that must be met in order to become a member of an organization (eg. ISO).
- Government regulations imposed on specific industries must be adhered to in order to do business. These regulations are created to protect the security of individuals, & create national standards of uniformity. (ex. for Healthcare, HIPAA applies & for the financial industry, Federal Financial Institutions Examination Council (FFIEC))
How: Check with the varying federal, industry & local governing bodies that may have oversight of your business. The internet is a great place to start. Be sure to include state-specific requirements in addition to Federal, as these do vary. Here is a list of websites that can be helpful in your search.
Step 4: Conduct a business impact analysis
Why? A business impact analysis (BIA) helps to paint a picture of the consequences of disruption of business functions & processes. It helps you better identify the information needed to develop recovery strategies. Identifying & evaluating the impact of disasters on your organization provides the basis for executive & organizational investment in recovery strategies, as well as, investment in prevention & mitigation strategies. This is crucial in gaining executive buy-in for investing in resilience business continuity. Deal in data, not anecdote.
"There are many possible scenarios which should be considered. Quantify the impact for your executive team."
How? You can approach this on your own using various free manual tools such as FEMA’s risk assessment tool. You might also bring in a continuity consultant, as the process has many moving parts that may be more easily assessed with outside help. There are also software tools that can help you understand the impact across the enterprise & even down to the department level. Whichever way you choose, potential loss scenarios should be identified during a risk assessment. Consider which operations may be interrupted by weather, the failure of a supplier of goods or services or delayed deliveries, environmental hazard, or natural disaster. There are many possible scenarios that should be considered. Quantify the impact on your executive team.
Step 5: Money talks: Quantify the financial impact
Why? The reason for this is simple. Money matters to executives, so assign a financial value to what the business impact of investing in resilience business continuity might be.
How? This part is not as simple. Calculating the damages of a disruptive event or natural disaster can be an onerous task because the cost is connected to several factors, and—more importantly—varies by type of disaster. Among the key influences are the magnitude & duration of the event, the structure of the local economy, the geographical area affected, the population base & the time of day it occurred. Consider operational costs, loss in revenue, reputational loss, & loss of physical & data infrastructure. All of this should be quantified into a financial value. This can help prioritize aspects of your planning & may be the biggest impact for you in gaining executive buy-in.
Executive buy-in is a big step in optimizing your organizational resilience program across your enterprise. Once sanctioned by the organization’s leadership, it will be much easier to build departmental engagement across the entire organization.