The challenging role of the ISO 22301 BCM Manager

The Business Continuity Management (BCM) manager plays a pivotal role in the implementation of a BCM approach. As such, the role faces multiple challenges, from both top management and key process owners within the organization. As BCM is considered to be a cost factor in the first place, proper funding and commitment are typical challenges. Unless key players in their organization, notably top management, have discovered the true value of the approach, the BCM manager will be struggling to make ends meet.

Multiple challenges

A BCM manager faces several challenges in his/her job. Limited by multiple constraints, this function must excel in overcoming difficulties that might result in missing major outcomes.

All relevant standards, such as ISO 22301:2012, major national BCM standards, and the “Good Practice Guidelines” published by the Business Continuity Institute (BCI), specify the paramount importance of management commitment. In this context, management commitment signifies that the organization’s leadership sufficiently supports the BCM approach (learn more about roles and responsibilities of the top management in the article Roles and responsibilities of top management in ISO 27001 and ISO 22301). If this is not the case, and the BCM approach is not supported (or only half-heartedly), the BCM manager and/or the BCM implementation team will face an uphill battle for the length of the project.

As a result, necessary resources, such as qualified BCM implementation team members and external support, will not be available to the extent needed for the project to advance according to good practices. Consequently, preparation for and reaction to business disruptions will be poor and will not serve the intended purpose.

A well-trained and experienced BCM manager knows what it takes to put together the building blocks of an adequate BCM approach. If he/she is denied appropriate funding for the BCM approach, it will remain incomplete and possibly much less efficient than envisaged.

Let us explain that using two examples:

  • If, for example, BCM training is not authorized for the project team, the project might not start at all, or might start in a sub-optimal fashion, with crucial steps omitted or improperly executed. Also, external resources such as consultants or implementation toolkits cannot be put to efficient use.
  • Another example is the preparation and execution of the business impact analysis (BIA, learn more about BIA in the article How to implement business impact analysis (BIA) according to ISO 22301). If key process owners do not participate in the business impact analysis, the project simply will lack the necessary progress and success. It may remain incomplete, if necessary stages are omitted, or it will be tremendously delayed. During this period of an incomplete BCM approach, the organization will lack proper protection from business disruptions.

An uncommitted (and unconvinced) management will always try to minimize funding for the BCM approach or try not to allocate human resources, like the involvement of key process owners within the project. This will result in excessive, but unsuccessful application of resources (e.g., funds, manpower) by the BCM manager.

What can be done?

As the implementation of a BCM approach cannot be done by a single person, it is obvious that the idea will only get off the ground if there is a sufficiently broad consensus within the organization that the approach is beneficial for the organization as a whole. As a consequence, this consensus must be created and a core team of players assembled. The following examples might serve as a starting point:

  • One of the main strategies to get the project going is to obtain management commitment in the first place, for example, by convincing at least one member of the organization’s top management (learn more in the article ISO 22301 benefits: How to get your management’s approval for a business continuity project). This person would then work to convince the rest of the management team.
  • Another strategy is to approach the board of directors (they represent the owners of the organization), as they carry the ultimate responsibility for the well-being and development of the organization. They also are responsible for protecting the organization from undesirable impacts due to business interruptions.
  • A further possibility exists in teaming up with the internal and/or external auditor, as the audit function fulfills a crucial role in highlighting and mitigating risks. It is not unusual that the internal or external auditor recommends to the board of directors that a BCM approach be initiated. Advanced audit teams (both internal and external) tend to look beyond the “numbers” and try to go for a holistic approach covering such areas as information security and business continuity. A BCM manager may very well get like-minded people on board.

Finding Allies

The conclusion for the BCM manager: find as many high-ranking and motivated allies as possible to support the BCM approach, in order to create an overwhelming conviction within the top circles of the organization that a BCM approach is the ultimate assurance that even a major disruption will not irreversibly derail the organization. In other words, while a “return on investment” approach (use the tool Return on Security Investment Calculator) might be helpful, the hearts and minds of the organization’s management also need to be won. Its customers, business partners, and, in the case of a larger organization, the public will be thankful.

Find more details about the BCM manager and how to approach this topic in the book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation.