Building Blocks: Stakeholders and Drivers

Business Continuity Planning: Overview provided an overview of business continuity planning and its benefits and challenges. This article looks at the stakeholders and drivers for business continuity planning. For an optimized business continuity plan, it is important to understand the stakeholders and their interests, as well as the business drivers that motivate the organization to plan for business continuity.

Stakeholders

The stakeholders of an organization’s business continuity planning are both internal and external. However, as with many aspects of the business, business continuity planning compliance requirements are managed by internal stakeholders, and they vary greatly depending on the ownership type of the organization and its industry:

  • For public companies, business continuity planning is mandated by local regulators such as the SEC in the US.

  • For the government sector, the government mandates business continuity planning for its critical business functions. 

  • For the private sector, the mandate is directed by industry-specific regulators or the organization’s board of directors.

  • For a private sector organization operating in a non-regulated industry, the mandate comes from the board of directors, partners, clients or customers and private investors. Product reach within the market, organization size and the geographic spread of the organization also determine the level of need for business continuity planning for such companies.

Generally, private corporations in a non-regulated industry do not have a mature business continuity plan, due to a lack of resources to allocate to one and a lack of regulatory oversight. The COVID-19 pandemic has highlighted the importance of business continuity planning for organizations in a non-regulated industry, though, and hence their approach to business continuity may change in the coming years. Unfortunately, many small to medium businesses and debt-ridden companies will shut down in this pandemic environment, even if business continuity planning is in place, simply because their recovery time is too long and their cash flow is insufficient. On the flip side, many organizations will continue to operate thanks to their good business practices and well-tested business continuity planning.

Figure 01: Stakeholders for the business continuity planning

After this pandemic, business continuity planning will be considered a critical need, even for private companies in a non-regulated field. Thus, it is important for every organization to understand its stakeholders and how their interests affect business continuity planning. With this knowledge, organizations can present proper proposals or business cases for business continuity plan implementation.

Board of Directors

An organization’s board is expected to provide both advice and oversight. In its advisory function, the board works with management to lay out the strategic and operational direction of the organization. In its oversight capacity, the board is expected to monitor management and ensure it is acting in the interests of internal and external stakeholders. 

Regardless of the industry, under its advisory function, the board has to ensure the company takes reasonable measures to prepare for disasters. If having a business continuity plan is a regulatory or legislative mandate, it is the board’s responsibility to advise the organization accordingly. However, if there is no regulatory or legislative mandate, then GRC or the auditors play an important role in highlighting the lack of business continuity planning and asking the board to commit to a plan that suits the organization’s needs.

In some organizations, the chairman of the board is part of the business continuity planning committee and provides advice. In many organizations, the CEO, who is a member or chair of the board, provides input to prioritize the business processes that are deemed necessary during a crisis.

Governance, Risk and Compliance (GRC)

GRC is an oversight function that exists to keep the organization on track. Generally, it is a set of processes and practices that runs across departments and functions. However, in some medium to large organizations, oversight is assigned to a dedicated department that assesses the maturity of the organization’s cybersecurity controls and provides reporting. For most smaller businesses, these tasks are handled by an enterprise risk management team or legal services.

When business continuity planning is mandated by the board of directors, regulators or legislation, it is the GRC function’s responsibility to ensure the plan is implemented and complies with regulatory standards. When an organization is not being advised by an external party to develop its continuity plan, its GRC team should highlight the risks of not having one and advise that it be developed. In this scenario, once the board of directors has allocated resources, GRC must ensure that an effective business continuity plan is in place.

Business Executives

These are the heads of departments within the organization. They are asked to support the development of business continuity plans, which includes providing sufficient manpower to conduct the business impact analysis and risk assessments and to develop a business recovery strategy. They are also responsible for implementing some aspects of the business continuity plan within their respective business functions, including cross-skill training, and for testing and updating the completed continuity strategy within their function.

IT Executive and senior management

As the custodian of business information and the enabler of business services, the IT team is responsible for keeping the business continuity stakeholders up to date with relevant information and for providing a disaster recovery plan. The disaster recovery plan must be developed or revised to ensure it aligns with the business continuity plan.

For heavily automated organizations, the majority of business continuity planning relates to information systems, and therefore IT covers 60-80% of the business continuity planning. Hence, the disaster recovery plan must be aligned with the business recovery strategy and the business continuity plan.

Staff

Staff members who aren’t actively involved in any of the above planning are nonetheless a very important part of the big picture. The resiliency of the organization depends on its staff being aware of their responsibilities towards business continuity, such as ensuring that critical information required during a disaster is stored according to the availability and accessibility requirements of the recovery strategy.

There is a common misconception among staff that the information collected during the business impact analysis will be used against them during future organizational downsizing. While this could be true to a small extent in some organizations, management must provide an adequate explanation to staff if such a concern is raised. The main purpose of business continuity is to ensure that the business continues to operate during a disaster and can eventually return to normalcy. In mature organizations, downsizing is usually influenced by HR performance appraisals and related metrics, not by the business impact analysis exercise.

Business drivers 

A business driver is a measurable resource that drives a business’ performance to achieve maximum profits. Regulatory and legislative compliance are the leading drivers for business continuity planning. For a publicly listed company, compliance satisfies the stock exchanges and hence eases the anxiety of investors, which in turn brings more capital into the business. Some of the drivers for business continuity planning are listed below:

  • Regulatory and legislative compliance - maintaining compliance helps businesses find favor with regulators and authorities, which keeps investors happy and sometimes brings financial and competitive advantages.

  • Business resilience - a resilient business is less likely to be driven into bankruptcy by a disaster, although this also depends on its ownership type and cash reserves.

  • Capacity to survive a disaster and restore the business to normalcy - when a disaster occurs, a business wants to get through the hardship, ensure its critical services continue, and eventually restore the business to its previous state.

  • Business process optimization - the process of developing a business continuity plan inevitably leads to the discovery of organizational processes, interdependencies, resource requirements and single points of failure. Preparing a continuity plan helps organizational strategists to optimize resources, eliminate weaknesses and increase resiliency.

  • Understanding the business impact - when businesses go through the Business Impact Analysis process, they come to understand the quantitative and qualitative impacts on their business over a period of time. This helps them improve the processes that are critical, financially and otherwise. Sometimes conducting a business impact analysis helps a business realize its potential breaking point before a disaster strikes, which gives it a much-needed lifeline ahead of time.

The business drivers listed above are generic and apply to most businesses. Each business must ask its stakeholders, especially those responsible for organizational resiliency (executives and owners), about their expectations, and then tailor the business continuity plan accordingly.

Figure 02: Drivers for the business continuity planning

For a nonprofit organization operating in a non-regulated industry, the key driver could be merely surviving during a crisis. In such cases, regulatory compliance sits in the background, and other drivers such as business process optimization and extending the organization’s business impact threshold could be better key drivers. For nonprofits, ensuring the plan addresses every aspect of the business continuity standard is not essential; they can adopt their own standard, a smaller subset of the international standards that is well suited to their business needs.

Conclusion

Stakeholders, and the extent of their need for a business continuity plan, depend on the organization’s ownership type and industry. In all scenarios, it is important to understand the stakeholders that have an interest in the survivability of the business. Once that is understood, the key business drivers can be developed with input from the right stakeholders.
