As published in the Summer 2010 Issue of the Disaster Recovery Journal – Volume 23, Number 3.
As business continuity professionals, we are often asked to “lead the charge” in establishing a business continuity capability throughout our organization. It’s a task we take seriously because we know the result should we fail. We’ve studied everything from hurricanes and fires to workplace violence and pandemics. However, in our passion for business continuity, it’s very easy to lose sight of what we’re trying to protect: an organization that must take risks to deliver value to its stakeholders.
When an executive thinks about business continuity, only one of the 50 things currently on his/her mind, most likely, he/she wants to achieve maximum protection for the minimum cost. When presented with requests or proposals, the executive must assess what these costs will be and what organizational protection this request will provide.
Try applying that reasoning to a request to purchase a generator for a key building for $50,000 (a frequent request in my past experiences). The cost component is pretty straightforward, but the protection component isn’t!
For your executive to understand how much protection a $50,000 generator will provide the organization, they must first understand the criticality of the teams that use that building, deferred or permanent impact should the location be unusable, the frequency of power interruptions, and the viability of alternate workspaces.
So let me ask you, do your requests address all of these issues? If not, you are likely appearing as if your primary goal is redundancy and “blanket” availability, not managing risk. In the eyes of your most important stakeholders, you’ve become a business continuity zealot.
Executives can’t rely on a zealot for a balanced cost-benefit analysis, because they see you as only focused on blindly improving availability and adding redundancy.
Once the perception of a zealot is established, it’s hard to lose. Your participation in determining organizational strategy related to business continuity will quickly disappear. Why? Because the executives already know your perspective and don’t trust your ability to evaluate risk and reward objectively.
However, you have the power to stop being perceived as a zealot! The solution is simple, yet challenging to implement: forget about “leading the charge.” Instead, define your role as having two parts:
- Understand the risk tolerance of your executives (risk takers, risk averse, or somewhere in between)
- Build a business continuity program that seeks to align business continuity capability with your executives’ risk tolerance
In short, your role is to manage availability-related risk, not eliminate it! Instead of just summarizing the results of a business impact analysis survey, get out of your office and have a discussion with your department contacts about their requirements – and push back on them when you think they are unreasonable.
Your work may include reducing the likelihood of key risks (like a generator to improve the availability of a facility) and developing the processes to react when events occur. But remember, some risks must be accepted based on a cost-benefit analysis. Also remember, your executive sponsor thinks about risk as an effect on objectives, not just events. So plan your messaging appropriately. When you apply this perspective to your work, you will begin to be perceived as “strategic” and “speaking the language of an executive.”
Robert Giffin, Director of Technology
Avalution Consulting: Business Continuity Consulting