Whitepaper

Guide to Securing Stakeholder Involvement in Business Continuity & Resilience Management

Noggin

Business Continuity Management

Published November 27, 2023

Business continuity management rising in popularity. But popularity doesn’t mean maturation.

Interest in business continuity management (BCM) has risen sharply in the aftermath of the pandemic. As of 2022, the worldwide business continuity management market, to cite but one salient datapoint, generated revenues of USD 536 million [i]. This contrasts with revenues of USD 360 million in 2018 [ii].

Of course, COVID alone isn’t behind the surge in interest and market share. Analysts also attribute the rise in BCM to the growing dependence of companies on digitalization, increased IT expenditure, as well as the emergence of operational risks [iii].

Faced with this threat picture, organizations have been opting for business continuity management programs, projects, and solutions as the best ways to maintain optimum operations or quickly restart functioning after a disaster. To this end, mainstay BCM exercises, such as the business continuity plan (BCP) and the business impact analysis (BIA), have been trending, as well, both among large enterprises and SMEs.

Reading just below the headlines, though, there’s reason to believe that this surge in interest is yielding more, not deeper, BCM programs. For instance, organizations, instead of retooling their business continuity program to adjust to the new resilience threat picture, are often just re-fighting the last war, i.e., simply updating BCPs to include the public health threat scenario.

Why does it matter?

It’s the retrofitting of business continuity and resilience management (more broadly) that’s needed to ensure businesses will be able to deliver critical products and/or services at pre-defined acceptable levels following disruptive incidents.

Disengaged sponsors have made getting stakeholders involved in business continuity a challenge.

So, why hasn’t this retrofitting happened already?

Well, as this guide will tease out, BCM continues to struggle with a perennial challenge. That challenge is the lack of stakeholder involvement in business continuity programs and projects.

BCM projects (not to mention programs) have long suffered from a lack of executive sponsorship. And even when executive sponsors are secured, these projects don’t necessarily garner critical mindshare among the C-suite. That’s because executive sponsors have been disengaged. Rather than taking the bull of BCM by the horns, they’ve chosen to delegate key sponsorship duties to mid-level managers.

Sure, mid-level managers might be (and typically are) quite good at running the day to day. But it’s only executive sponsors that can give BCM projects visibility across the organization.

Cross-departmental visibility is crucial for BCM to succeed. Business continuity projects necessarily touch multiple functions. Touching multiple departments as they do, these projects require a high level of cross-business visibility to ensure that the relevant departments cooperate and collaborate effectively.

Reasons executives aren’t more involved.

So, why have stakeholders been so reluctant to get involved?

Part of the reason is that executives, with numerous other demands on their plate already, fail to consider BCM projects worth their time.

The core of the issue, here, is that senior leaders don’t always think that disasters will happen on their watch. And so, the BCM projects that are meant to keep products and services operating at optimum levels during and after disasters aren’t considered to be worthwhile or ROI-enhancing.

This type of thinking predominated in business circles between the financial crisis and the outbreak of COVID. It also reigned between the September 11 terror attacks and the financial crisis, as crisis gave way to complacency. 

To many, COVID might signal an end to this cycle of crisis and complacency. But there’s reason to believe that complacency is creeping back, with many senior leaders considering COVID to be a Black Swan event rather than symptomatic of a deteriorating risk picture for business more generally.

This is reflected in the fact that many BCM exercises, such as the BCP, remain geared towards regulatory compliance. This compliance-driven approach to BCM only serves to exacerbate stakeholder indifference, with executives writing the enterprise off as nothing but a check-the-box exercise.

What happens, then? 

BCM projects only get conducted in silos by functional area. Too often, they happen out of context of the impact of a disaster on the entire location; as scholars have put it: “This kind of approach will ultimately skew all BIA findings to a higher availability and cost of strategies and solutions, and will lead to a significant and consistent failure of BIA efforts because the management of individual business functions will tend to overstate the importance of its function” [iv].

Simple measures to get stakeholders involved in BCM

What can be done, instead, to get stakeholders more involved? 

Organizations might appoint relevant senior leaders to cross-functional project steering committees. These committees would then meet frequently to hammer out relevant issues in project development, execution, and maintenance.

Beyond establishing project steering committees, BCM practitioners should also create awareness campaigns targeted at their internal champions, leveraging what they know to be the reasons why senior leaders have historically been so loath to participate actively in the sponsorship of BC projects.

These campaigns would lay out the stakes of what’s involved in getting BCM (and resilience management, more broadly) right, using language that resonates with senior leaders. 

For instance, organizations have more dependencies on service delivery than ever before. And the risk of disruption has only intensified in recent years, given the widespread adoption of digital solutions and the increasing use of outsourced service providers. 

Organizations, after all, have continued to develop business services to meet growing customer expectations. And it’s this need to adapt to (and accelerate) the pace of change that increases the risk of disruption, particularly to IT-related capabilities, which are heavily susceptible to sophisticated cyber and ransomware attacks. 

Add to the mix, organizations, due to the pandemic, have been trying to manage a significantly different operating environment. That’s fundamentally changed the way businesses interact with technology, customers, and their own employees.

These factors make BCM and resilience management more important than ever; for, not only do organizations have to prevent disruption, but they must also adapt to change to stay ahead.

Regulatory environment shifts increase the salience of operational resilience.

Add to that, BCM, in this compliance environment, is becoming crucial, as compliance drivers are accumulating rapidly, particularly for firms in the financial services space. 

The Bank of England (BoE) and the Australian Prudential Regulation Authority (APRA) have both issued regulations and proposals touching on business continuity. The U.S. Federal Reserve, for its part, released a joint regulatory paper on Sound Practices to Strengthen Operational Resilience. And in the EU, the Digital Operational Resilience Act (DORA) seeks to align the approach to managing ICT and cyber risk in the financial sector across all EU member states.

The policies, regulations, and proposals, by and large, seek to uplevel the operational resilience of individual firms, so that no firm can pose a systemic risk to the wider business sector.

How is this of interest to stakeholders? In most of the above-cited cases, senior-level involvement is crucial for compliance. Mandatory senior-level involvement has been written into the regulatory language; and senior leaders are on the hook if anything goes wrong.

The business continuity statute, APRA CPS 232, for instance, places ultimate responsibility for compliance with Board members. More specifically, Board members must see to it that their institutions comply with the following requirements:

  • Maintain a business continuity management policy for the institution or group, approved by the Board
  • Identify, assess, and manage potential business continuity risks to ensure that the institution can meet its financial and service obligations to its depositors, policyholders, and other stakeholders
  • Consider business continuity risks and controls as part of its risk management framework
  • Maintain a business continuity plan documenting procedures and information that enables the institution to manage business disruptions
  • Review the business continuity plan annually and periodically arrange for its review by the internal audit function or an appropriate external expert
  • Notify APRA in the event of certain disruptions

Resilience management software to enhance stakeholder involvement

To comply with these statutes, senior leaders must do more than hand off BCM activities to day-to-day managers. They must be actively involved in the BCM life cycle.

BC managers have a role to play, too, to encourage their C-suite to get involved. That role involves sourcing the right resilience management tools to facilitate active participation. 

Platforms that make conducting and visualizing (the progress of) BCM tasks easier will appeal to senior leaders who don’t want to be bogged down with overly complicated tools that increase their learning curve. 

To this end, having a digital resilience workspace will bring together all the tools and information needed to do BCM and resilience work. What’s more, the centralization that these platforms facilitate only serves to enable the best possible collaboration between teams and stakeholders, with the platform providing:

  • Workspaces for individuals
  • Workspaces for teams to collaborate around planning, risk management, and more
  • Workspaces for everyone engaged on an incident 

Having that workspace be integrated, i.e., covering resilience, BCM, risk and compliance, security operations, threat intelligence, incident and crisis management, as well as situational awareness, also provides benefit. 

For the C-suite, such an arrangement promotes financial ROI – too many companies use duplicative tools in this functional area. 

Beyond financial ROI, having an integrated platform means that all the capabilities you will need are in one place, meaning resilience and BCM data and information are consolidated, available throughout their entire lifecycle. This cuts down on information silos, consolidates reporting and analysis, while, of course, lowering the total cost of ownership. 

Users also receive a consistent experience. They can manage any type of event with familiar tools and (powerful) workflows. 

How so?

For the BIA, in particular, the platforms in question make the process, long derided as too long-winded and academic, as simple and efficient as possible, thereby helping to promote greater usability across the entire organization. 

The platforms have an easy step-by-step guide on the BIA dashboard to help guide stakeholders through the process: 

  • The BIA dashboard provides a helpful snapshot of the BIA, with key information such as status, due date, and who the owner of the BIA is. 
  • Adding a new prioritized activity is easy. A simple, intuitive interface guides team members, highlighting what information needs to be entered, so that users won’t find the process laborious or complicated. 
  • Users can easily visualize which prioritized activities support their key product(s) and services. 
  • The prioritized activity’s MTPD (maximum tolerable period of disruption) is automatically calculated for the user based upon the shortest time period from the impact assessments, where the impact reaches a critical level.
  • The RTO (recovery time objective) is also automatically calculated based on the minimum RTO of the activities’ dependencies.
  • Prioritized business activity owners are automatically sent a notification whenever the RTO is changed on a business asset their activity is dependent on.
  • It’s easy to record any recommendations that have arisen as part of the BIA process; managers can assign recommendations to a specific user, with a due date and priority level, and can even specify if the recommendation would be a long- or short-term resolution.
  • Once the BIA process has been completed, it only takes a few clicks to create a report and easily send it off to the Approver for sign off. That Approver will automatically be notified. Reports themselves can also be given a version number for auditing purposes.

Finally, BCM might seem like it’s everywhere, but the depth of many of these post-COVID BCM endeavors leaves much to be desired. And that’s because stakeholders still remain disengaged.

Garnering stakeholder attention, as this guide has argued, requires concerted awareness campaigns to inform stakeholders about the stakes of BCM. 

But once awareness is secured, BCM teams will still need a resilience management platform that keeps users, departments, and senior decision makers engaged. Such a platform, like Noggin’s, makes performing BCM tasks easy, incentivizes collaboration, and facilitates reporting. As such, it helps companies traverse the last mile in determining disruption impacts and developing plans and recovery strategies to address risks and ensure resilience.

Sources

i. PR Newswire: Business Continuity Management Market to Surpass $1,673 Million Value in 2030, Says P&S Intelligence. Available at https://www.prnewswire.com/news-releases/business-continuity-management-market-to-surpass-1-673-million-value-in-2030--says-psintelligence-301727887.html.

ii. Globe Newswire: Global Business Continuity Management (BCM) Market was valued at USD 360.0 million in 2018, Observing a CAGR of 15.6% during 2019–2024: VynZ Research. Available at https://www.globenewswire.com/en/news-release/2020/01/17/1972143/0/en/Global-Business-Continuity-Management-BCM-Market-was-valued-at-USD-360-0-million-in-2018-Observing-a-CAGR-of-15-6-during-2019-2024-VynZ-Research.html.

iii. PR Newswire: Business Continuity Management Market to Surpass $1,673 Million Value in 2030, Says P&S Intelligence. Available at https://www.prnewswire.com/news-releases/business-continuity-management-market-to-surpass-1-673-million-value-in-2030--says-psintelligence-301727887.html.

iv. Rama Lingeswara Satyanarayana Tammineedi, ISACA Journal: Key Issues, Challenges and Resolutions in Implementing Business Continuity Projects. Available at https://www.isaca.org/Journal/archives/2012/Volume-1/Pages/Key-Issues-Challenges-and-Resolutions-in-Implementing-Business-Continuity-Projects.aspx.

 
