Five Answers to the Most Frequently Asked Questions in Business Continuity Management
Many organizations wonder about the ideal size and the responsibilities of their business continuity teams.
To answer these questions, Premier Continuum, a pioneer in business continuity for 25 years, conducted a flash survey in the summer of 2022 to find out about the size and responsibilities of its clients' and professional continuity partners' teams.
Here are the answers to the five most frequently asked questions, based on experience, best practices and the results of the survey in which 17 organizations of various sizes and sectors participated.
Should my organization have a continuity program?
Today's organizations know that they face an ever-increasing number of disruptive events. That's why each of the 17 organizations surveyed not only had business continuity plans, but also a comprehensive and structured business continuity program.
Indeed, there are many reasons for organizations to implement this type of program, such as regulatory or compliance requirements, customer requests or the application of sound management practices.
A continuity program allows for a structured approach, clearly establishing the scope, the requirements as well as the roles and responsibilities of the various stakeholders in the organization. It also implements continuous improvement and accountability processes.
We strongly recommend implementing a continuity program in all organizations that wish to improve their organizational resilience maturity.
How many plans should my organization have?
There is no magic number as to how many continuity plans an organization should have. Our flash survey tells us that organizations with more than 3,000 employees and 10 work sites have more than 40 continuity plans. For medium and small organizations, the number of plans varies greatly depending on several very important criteria to consider.
Experience and best practices show that the number of plans needed and the scope of a program are based on:
- the number of business units, departments or processes;
- disruption tolerance thresholds (e.g., anything with a disruption tolerance of one week or less);
- regulatory requirements;
- geopolitical issues;
- business requirements;
- any other priority consideration for the organization.
Thus, the number of business continuity plans must be considered and adapted to the different realities of the organizations.
How many business continuity professionals should my organization have?
The number of continuity professionals in an organization should depend entirely on the role that will be assigned to these resources:
- Will they be responsible for plans or responsible for the practice of business continuity?
- What is the expected level of involvement in the coordination, monitoring and development of the program and its elements (BIA, plans, exercises, reports)?
- Will these professionals have other responsibilities such as crisis management, monitoring of critical suppliers or technological succession?
Notwithstanding all these questions, the most common approach is for the continuity team to be composed of subject matter experts who are custodians of the practice. They are also responsible for supporting continuity plan owners and for developing and conducting exercises.
The expertise sought within this team will also be heavily influenced by the mandates assigned. Emergency preparedness and technology succession are obviously areas where specific knowledge is required.
Based on the results of our flash survey, but also on the experience of the Premier Continuum team, our recommendation is to mobilize one resource per approximately 35 continuity plans to achieve a functional minimum.
Please note that this ratio could change if the team were tasked with additional business continuity responsibilities.
Should my program be automated?
Continuity program automation has undeniably gained popularity in the last decade. Of the 17 organizations surveyed, half use software to automate their continuity program. In addition to dedicated software, the main alternative approaches to continuity management rely on tools such as SharePoint, Excel and databases for which the correlation of information relies more on manual processes.
There are several reasons why organizations are looking to implement automation software. The survey results show that 63% of organizations that use software have more than 3,000 employees and more than 40 plans.
The size and complexity of operations are important factors motivating automation, as "manual" information management quickly reaches its limits. Updating documents, monitoring the various processes, and consolidating, processing and reporting information can quickly become energy-consuming for the resources assigned to program management.
We therefore specifically recommend that medium and large companies automate their continuity program.
Should the business continuity team also be responsible for other elements such as emergency management and disaster recovery?
There is no question that the continuity, the emergency response and the IT disaster recovery teams must work together to increase organizational resilience.
Generally, continuity teams in the surveyed organizations are responsible for the following five elements:
- Developing and maintaining the business continuity methodology
- Developing or supporting the development and maintenance of BIAs and continuity plans
- Developing and maintaining crisis management plans/response structure
- Developing and conducting continuity exercises
- Ensuring accountability for the status of program documentation and organizational readiness
In most cases, the continuity team is also responsible for the incident management practice, although its level of involvement during an incident varies greatly. Some teams do not play a part in the management of incidents while others play an advisory or even a coordination role.
Other continuity team responsibilities
According to the data, the following mandates were also assigned to continuity teams:
- 60% are responsible for incident coordination and management
- 40% are also responsible for vendor risk management
- 35% are accountable for emergency management
- 30% are also responsible for IT disaster recovery
In conclusion, the larger the organization, the more relevant it will be to dedicate professionals or specialized teams to emergency management and IT recovery.
Premier Continuum is proud to release the results of this flash survey as well as our expert advice backed by 25 years of experience.