Getting Buy-In for a Business Continuity Management System
Written by John A. DiMaria, CSSBB, HISP, MHISP, AMBCI
April 24, 2014
Organizational buy-in is critical to the success of your business continuity management system (BCMS) implementation efforts. Getting all stakeholders on board at the outset will help gain the support to conduct research and follow up on findings collected. Support from senior leadership will especially lend authority to your BCMS project and help you to:
- Ensure you have the budget and resources you need
- Understand relevant business, program, and customer priorities
- Overcome organizational silos; and
- Support follow-up activities to take action on findings and make improvements.
Top Management Buy-in: The Challenge
The adoption of a BCMS should be a strategic decision of an organization. This is because the importance of ensuring the ongoing availability of vital business assets, the benefit of attracting new clients, and the essential need to protect your organization from a legal and compliance standpoint are all strategic issues. However, it can be difficult to get buy-in at the very top of organizations because BCM may be seen more as an operational issue. Disasters and other business disruptions may be seen as low probability, catastrophic events. In many minds, business continuity planning is a cost of doing business that should be kept as low as possible.
Senior leadership needs to be involved in all stages of the project to make informed decisions on behalf of the organization. This could involve both strategic and tactical guidance: from outlining the scope of the BCMS to more operational considerations such as a decision to build or lease a second data center or to divide a critical business unit across two different sites to make them more resilient.
Project requests to top management must be based on solid objectives and data. How will the performance be measured? How will one communicate that performance to top management? How will the quality of the data be assured? These questions will help one ensure that the BCMS takes into account the objectives and culture of the organization.
When presenting your BCMS project request to management, provide the recommended scope with detailed objectives regarding:
- Requirements for business continuity
- Organizational objectives and obligations
- Key products and services within the scope of the business continuity management system (BCMS)
- Acceptable level of risk
- Statutory, regulatory, and contractual duties; and
- Interests of key stakeholders.
You may do the legwork, but the strategic vision, objectives, and plan must be communicated and championed by top management. For example, management plays a key role in quality assurance of the data. Quality assurance is critical throughout the project as each step builds on the next. Poor quality data at the beginning of the project can lead to failure to meet the requirements of the organization.
Communicating a Return on Investment (ROI)
Top management must ensure the direction of the BCMS is in line with the strategic objectives, and it must be measurable; you must agree on key performance indicators (KPIs). Project managers must then ensure they communicate performance so top management can see alignment with these KPIs. This two-way communication is important to the success of the project.
Communicating the return on investment is critical but sometimes challenging. However, we must understand that showing costs without ROI can jeopardize getting approval of the project. Establishing ROI from implementing a BCMS can be difficult, but it is not impossible. Keep in mind that most high-level business decisions are not solely made with a calculated ROI. Other decisive factors are:
- Regulatory issues
- Market competition
- Impacts to existing and future customers
- And impacts upon existing and future investors.
Business continuity planning is a perpetual work effort that is woven into business operations over the lifetime of the business. Therefore, the traditional financial ROI model does not work.
While an organization cannot prevent a business disruption from occurring, it can prevent or reduce the risk of damage and possibly eliminate it altogether, by leveraging proven solutions based on sound research and testing that will help to ensure business continuity. According to Flirting with Disaster, Why Companies Risk It All, a 2010 research report sponsored by FM Global, “The consequences of inaction — business disruption, a loss of competitiveness, reduced shareholder value and market share, and poor reputation — demand greater understanding of the perceived impediments to natural disaster preparedness.”
Present the Benefits
When presenting your BCMS project plan, be prepared to present the benefits. Get your stakeholders to look beyond the simple insurance view of mitigating losses from potential disasters. Communicate that building multi-functional elements and cross-functionality into your BCM program will pay off prior to any catastrophe.
Your BCMS investment should not be a standalone document or simply a cost to your operations. Instead, a strong BCMS supports business operational value:
- Ability to leverage existing infrastructure, data storage, and technology to reduce costs of building or purchasing
- Attracts new clients due to the effective and efficient way operational risks are being managed
- Protects and ensures the ongoing availability of critical business assets: people, supply chain, customers, investors, systems, applications, cash flow
- Protects your organization from legal ramifications
Support the efforts of management to make sound financial decisions based on sound risk management. You can show an immediate ROI when resiliency and reliability are woven throughout the design of a system or process instead of adding a business continuity plan as solely a disaster element. Multipurpose solutions as mentioned above increase both reliability and functionality and further justify the BCMS investment.
Management will usually acknowledge the need for at least a business continuity plan, so positioning a BCMS as a process improvement tool with a potential ROI can be very intriguing and get you the buy-in you need. Every time a system or business process is changed, it’s an opportunity to review the process from the standpoint of reliability. Improved, integrated systems and leaner processes contribute to the bottom line.
Be Prepared for Objections
Try to anticipate what objections may come up. For example, if you know budget is a possible question, come prepared to itemize and justify your costs.
One of the frequent misconceptions concerning the implementation of a BCMS is that it must be applied to the whole organization. Address this potential concern by making it clear that a BCMS like ISO 22301 allows for the scope of compliance to apply to specific critical products, services, or geographic locations. This will allow your organization to implement a BCMS in some parts of the organization initially and then extend it to the entire organization over time.
Be Willing to Compromise
Be flexible on the objectives of your program. If there are certain negotiating points that will not provide all that you want, but at least give you the green light, you might want to consider taking them. Once the system is in place, you can make your case for improvement with real data. Getting the structure in place is the first step. That’s why it is called “continual” improvement. For example, if your proposal calls for a two-hour recovery time objective (RTO) and management is only willing to commit to achieving an eight-hour RTO, this may be a reasonable compromise. You can set an objective to improve over time. However, if there are regulatory or contractual requirements involved, communicate those clearly to your stakeholders.
Research Your Competition
Nothing gets the attention of management more than if your top competitors are investing in business continuity and you’re not. If you can’t provide your product or service soon after a disaster hits, then your competition will. Provide information to top management on what your competitors are doing in this area and estimate their investment, if possible. This is one more data point that may help sway the decision.
Make Management Aware of the Legal Ramifications
Implementing a business continuity/disaster recovery plan is a strategic, moral, and, in some cases, a legal obligation for companies. Failing to implement a disaster recovery plan could be an indication of corporate negligence. Certain standards of care and due diligence are required of all corporations. Not having a disaster recovery plan could, under certain circumstances, violate that fiduciary standard of care.
Plaintiffs’ attorneys can avail themselves of legal precedent along with generally accepted standards, best practices, and industry requirements to hold companies and possibly even employees within the company responsible for damages due to the company’s inability to properly handle and/or recover from a disaster.
Jeffrey Ritter, Esq. is recognized globally as one of the most influential voices at the intersection of law and technology. He explains that “the law measures responsibility for losses or damages by evaluating the conduct in question against established norms. Standards are more and more important to judging liability. They represent an expression of the level of conduct that should be expected and often are the litmus test for lawyers to use.”
Furthermore, as the consequences of a damaging incident unfold, new stakeholders emerge and have a direct impact on the eventual extent of the damage. Examples of these include competitors, regulators, and the media. In some cases, special interest groups, even employees, may attempt to apply negative pressure on the organization facing an interruption.
Making sure top management is aware of the legal risks involved should be part of your business case. Present solid research data and include case law examples, if possible.
Conclusion
Most organizations are led by reasonable and logical executives who are willing to do the right thing. With the plethora of issues they must address on a daily basis, and their obligations to shareholders and investors, they will expect you to do your homework and present a solid business case they can use to justify their affirmative decision. If you follow these guidelines, you will have a better chance of effectively making your case. To recap:
- Present a logical scope with specific objectives.
- Instill ownership within top management.
- Make the ROI case.
- Present the benefits.
- Be prepared for possible objections.
- Be willing to compromise.
- Research your competition.
- Make top management aware of legal ramifications.
John A. DiMaria, CSSBB, HISP, MHISP, AMBCI, is the product marketing manager for BSI Group America Inc.