Where Should BCP Report and to Whom?

As a consultant, I get asked this question a lot. Either when a client is in the process of establishing a new function, or they have become disenchanted with the results they are getting, or they are having problems getting cooperation or visibility for the Program. Usually, however, they ask the question wrong. They ask where it should report, or who it should report to, but miss the fact that it is really a two part question. As with any business function, where BCP reports can be as problematic as having the wrong management overseeing it, so it’s both where and to whom. Allow me to discuss some of the pros and cons and offer some general guidance on the proper placement of the BCP function which will help ensure its best opportunity for success.

Where should BCP report? I’ve encountered successful BCP functions reporting at numerous places in the organization. Frequently, it resides in the technology department, but quite often it sits under other more general business functions, such as administration, treasury, project management, physical security, or facilities.   Wherever it sits, it must have the following to be successful:

  • It should report somewhere where it won’t get lost. In highly complex organizations where there a multitude of foci, it is more difficult to bubble up the important BCP issues to the top for proper attention to detail. So much noise is generated with everyone else’s issues that the voice of one crying in the wilderness receives little or no attention. Meeting agendas are so clogged that BCP issues are saved for last and often get short shrift, or they run out of time before they can be even addressed.
  • It should not report too high in any organization. I’ve seen it report to the CIO, the CFO, or the COO and watched as those busy managers just had too much on their plates to give BCP any but the slightest attention. Better to have a reasonable chain of command that can get on their calendar when necessary with an agenda properly focused on what BCP needs.
  • It should not report too low in any organization. If BCP sits too far down the chain the relevant issues won’t ever bubble up and the decision process will become overly onerous and long. Sitting too low says to the rest of the organization that BCP isn’t very important and the BC manager doesn’t rate as someone they should listen to. What you’re looking for is “just right”, like in the story of the three bears. Close enough to decision makers to get the right amount of attention but not so low that BCP gets drowned out by everything else. And “just right” is different in every organization. Like Goldilocks, you’ll figure it out.
  • It should not report to the audit department. Audit’s role is to ensure an organization’s processes and documentation comply with internal and external policies and requirements. In effect, they check the work of others. Implementing the BC Program themselves removes their ability to objectively review the content and procedures of the BCP. While they might have some great ideas and tribal knowledge to offer, they should refrain from direct responsibility for implementation, freeing them to fulfill their charter. Any smart BC Manager will maintain open communication and cooperation with audit, but it is my opinion that the reporting of BCP should be placed elsewhere in the organization.
  • The reporting structure should include BCP accountability. Most organizations use a management by objective (MBO) accountability for managers that will be used to measure personal success for the year. Having a personal MBO for the success of the BCP function reporting to them does wonders to focus attention and provides incentive to ensure BCP gets the cooperation it needs both inside their realm and across the company.
  • Reporting to Technology is sometimes problematic. Sometimes locating BCP in Technology sends the message to the rest of the organization that BCP is primarily, maybe completely, a technology problem, in effect just disaster recovery. Get the systems up and running and everything will be fine. Not. Years ago, getting the lights blinking at the recovery center in Philadelphia was all we in disaster recovery had to worry about. In the years since, especially after 9/11, the mission has expanded to include everything else.   A correctly implemented BCP must address outage issues residing in the business functions, facilities, remote locations, assembly lines, and on and on. Locating the BCP in Technology sometimes clouds organization thinking about extending disaster recovery beyond the data center to include true business continuity.
  • Not reporting to Technology is sometimes problematic. Contrarily, reporting to a non-technology area can lead to barriers in communicating with the technical staff and management. (I’ve had sys admins and DBA’s talk slow to me like English was my second language until I explained I was one of them once, before I went over to the dark side.) BCP can be viewed as an outside organization that really couldn’t understand the massive undertaking of recovery and is there to lay more burdens on an already over worked and underfunded technology group. If it reports elsewhere, the BCP group must work hard to build relationships and earn respect to gain cooperation. They should acknowledge what they don’t know, ask good questions and listen to the answers, and show appreciation when they ask already busy people to do one more damned thing, for them.


To whom should BCP report? Now we’re getting to the other side of the equation. In all honesty, I’d rather have BCP report to the right person in almost any area in the company than the “right” organization with the “wrong” person in charge. Why? Because the right manager can accomplish BCP initiatives wherever he or she sits in the organization. He knows how to get things done, has a solid reputation, knows and is known by the right people, and knows how to manage for success. Here are some things to consider when choosing who should manage BCP reporting (I’ll be using “he” instead of he/she for convenience, but I have seen and worked for great managers of both sexes):

  • He should understand the importance of BCP. Having had the additional function plopped on his plate, he should endeavor to educate himself in the BCP mission and issues. He must learn to recognize the critical importance of BCP and be prepared to devote as much time and effort as necessary to accomplish success for his new reports. The “wrong” manager will think little of the importance of his new function and won’t even learn how to spell BCP, much less acquire the knowledge to speak intelligently to senior management about it.
  • He should be well versed in the corporate tribal knowledge. Knowing the inner workings of the organization as a whole will enable him to guide the BCP staff in accomplishing their mission. He will know how things are supposed to work, how they really work, and understands the difference. Each company is unique and speaks their own language (I once was corrected at MBNA that they referred to employees as their “people”, not “staff”). He will also know who the right decision makers are, how to approach them, how and when to report status to them, etc.
  • He must be able to open the right doors for BCP. A successful BCP requires access to highly placed decision makers and the new reporting manager must be able to open doors to the executive suite at appropriate times and with actionable information they need to see. He should command their respect and use that influence to garner a spot on their calendar. He will also know what BCP needs to attain visibility, such as which meetings to be invited to, which email lists to be included on, what memos to read, and how to acquire a place on other managers’ agendas. He should be able to smooth the way for his new staff to interact with senior leaders of other areas that are important to the success of their mission. Sort of virtue by association.
  • He should be a good manager and coach. He will have to evaluate the strengths and weaknesses of his new staff and determine how best to deploy them. In some, he will recognize their ability to interface successfully with senior management. Others he will determine are better suited to background roles. He should also evaluate their technology knowledge, writing ability, and company business awareness and make plans to fill in the blanks, perhaps using his education budget. As a coach, he should be an encourager to keep spirits up in the face of the adversity they will face and keep the focus sharp on the objectives that will make BCP successful.


Placing a BCP function in the right reporting structure and under the right manager is worth the time and effort and will go a long way toward enabling their success. Both where, and to whom, should be equally considered, and every company is different. I wish you success as you make your determination and welcome any comments on this blog. My contact information is also on this site and I welcome any opportunity to help create world class BCP organizations.


BCP function: staff from within or hire from outside?

As usual, my answer is: it depends. Are you looking for a manager to build a new BCP function from the ground up, or are you looking for someone to take an existing function to the next level? If it is a new function, prior BCP experience can be very important. A good outside candidate will have a proven track record you can verify. He should have professional credentials, like a CBCP (Certified Business Continuity Planner), and solid references from their experience at building and managing a successful program. If, however, you are looking for someone to raise the existing function’s game to a higher effectiveness, I would first want to know what management thinks are the shortcomings they want to improve. So let’s noodle this thing through and see what we can come up with.

The benefits of hiring from within. First on the list of pros is the fact that the candidate is a known quantity with a proven track record. Check out my previous blog on where and to whom BCP should report for guidance, but a good start is finding a good manager. Frederick Drucker, my all time favorite management consulting expert, once opined, “A manager is a manager is a manager”. His point was an excellent manager can manage brain surgeons or engineers or human resources. They may be different fields, but the mechanics of good management are transferrable. A good manager will figure out the skill sets and knowledge required and create an atmosphere where his staff can shine. His job is to always keep in mind the big picture and understand the underlying requirements for a successful implementation. Second on my list of pros is someone who possesses deep company tribal knowledge. As outlined in my previous blog, every company operates differently and has their own tribal language. An experienced manager will understand how decisions are made and by whom, how things really get done, and can make sure the BCP vision is properly communicated at all levels of the organization. All this can be hard to discern for an outsider, valuable time can be lost, and mistakes that hinder success will be made. Lastly, I would look for someone who is a quick study. BCP is not rocket science, but there are many things to learn concerning methodology, priorities, tools, and raising awareness of the importance of BCP to the company’s overall risk management activities. Finding the right candidate internally can go a long way toward starting on the right foot and propelling the BCP function toward success. These points are especially true when taking over an existing, underperforming function. However, if BCP is a new effort, hiring inside has some downsides.

The cons of hiring from within. For a new function, a major hindrance would be if the candidate lacks any BCP background. At the risk of negating what I said above, being thrown into the BCP pool without prior experience can be daunting, however quick a study the candidate is. Creating a new BCP function from the ground up requires vision and a deep understanding of how to address the recovery requirements of the organization in the right priority and with the right solution set. Navigating the mine fields without significant BCP knowledge can be difficult, at best. In this situation, I would suggest buying a block of hours from an experienced consultant to help develop the Program. (Big surprise, coming from someone who makes a living doing just that, huh?) For existing functions, the cons are a little different. If the internal candidate continues to maintain significant responsibilities for other functions, as is too often the case, his efforts will be diluted and success will be harder to achieve. BCP is a big hat to wear and unless he is given the freedom to focus on the issues, the improvements of the Program’s effectiveness that management is looking for may be long in coming, if they show up at all.   Also, if the candidate has spent all his time in only one silo at the company, such as the data center, he may have trouble expanding the BCP function corporate-wide, taking it from mere disaster recovery to true business continuity.

The benefits of hiring from outside. If there are no suitable internal candidates readily available, then going to the marketplace to obtain outside talent can be the right move. Obviously, the first benefit is you are able to buy experience that someone else has paid for. You have resumes and references to check out and thorough interviews to conduct, but if you do your vetting correctly, you can hire someone who has exactly the right background and ability to be successful, whether it is a new function or for a BCP Program that is in trouble. It’s important to set up mentoring to teach the new employee the lay of the land, but the right candidate will find his way. A second important benefit with an outside hire is the new set of eyes he brings to the situation. The outsider is exactly that, someone who should not be limited to “We’ve always done it that way.” A fresh approach may be just what the doctor ordered. Lastly, a new hire starts with a clean slate. Having no prior history with the company, he will benefit from being given a chance to prove himself without the limitations of past performance. Most employees will give the new guy or gal the chance to be successful and some will actually be rooting for them.

The cons of hiring from the outside. All the benefits of hiring from within, as discussed above, are flipped with an outside hire. The new hire has no tribal knowledge, no proven in house connections, and no broad understanding of corporate functions and priorities. It’s all new to them and they may have problems navigating toward success. Also, despite all your efforts to properly vet the candidate, some surprises may be in store. Unfortunately, you may soon figure out why he was looking for a new job in the first place, and for reasons that didn’t come up in the interview process. However, if you’ve done your job vetting the candidate, any problems should be easy to correct and the new hire can be a great boon to the organization. Access to a good mentor should make for a smooth transition and produce the right environment for success, but it doesn’t always work out the way it was intended. You pay your money and you take your chances.

Hiring the right candidate for any position is always an involved and sometimes difficult process. Finding the right person to be responsible for creating or improving the corporate BCP Program is definitely worth the effort. Hopefully, this blog has been helpful. As always, feel free to leave comments or contact me directly. Happy hiring.



© Copyright and All Rights Reserved Howard M. Peace


The Business Impact Analysis (BIA): Building the Business Case for BC/DR

I admit it, I’m a BIA bigot. I’ve been doing them since 1980 and I’ve never found a more effective tool in building the business case that convinces senior management that BC/DR is important, worth the investment, and essential to corporate survival. A properly conducted BIA will provide the following business case data:

  • A more thorough understanding of the business and all of its components. Think of it as stepladder in the cubicle farm. Most organizations are fairly complex and consist of silos of business and technical activity. The BIA should include interviews with each component and will provide an overview of essential activities that will need to continue in the face of an unexpected outage. It will also gather in one place, sometimes for the first time ever, the identification of the complete technical resources required to support ongoing business processes, the interrelationships between business functions, and an understanding of the progressive degradation of critical functionality over time.


  • The impacts of outages on critical business functions. The BIA should be used to measure how well a business area can continue operating with the loss of some or all of its critical resources. The impacts should be estimated using parameters on operations, revenue, costs, obligations, customer impact, and corporate reputation. The effects should be measured over time so the impacts can be graphed and presented to management.


  • The identification of critical business processes. Every department has a mix of critical and non-essential or deferrable functions. The BIA interviews should be used to separate out those activities which support the most critical activities from those that a delay would have little or no impact. Once the most critical activities have bubbled to the surface, a recovery strategy to address those in a timely fashion can be developed. These critical activities are usually the ones which have the highest level of impact, whether it be financial, operations, or negative customer effects.


  • Recovery time objectives (RTO). A general rule of thumb is the more immediate the recovery, the more it costs and the more complicated recovery becomes. The BIA should identify the timeframes in which the outage increases the impact on critical functions to an unacceptable level. In the BIA methodology I have developed over the years I use an impact scale that rises from a score of zero (no impact at all) to a five (OMG, hair on fire, this is really, really bad). A good interviewer tries to talk the business representative off the ledge (Is it really a 5 at a half day of outage, or maybe only a 3?), but there will be activities that rise to the highest level of impact in a very short time. This information allows me to draw a pie chart that shows which functions require, in effect, immediate failover recovery and those that need to be recovered in the 24, 48, 72, and 96 plus hours timeframe. The chart becomes a great tool to use in the development of recovery strategies to meet the timeframe requirements, perhaps using different options for each slice.


  • Identification of gaps in the current state recovery capabilities. By now we know how fast the various critical functions need to recovered to reduce the effect of an outage. It’s time now to examine the infrastructure’s ability to meet those demands. For example, let’s say you discover a critical function must be recovered at an offsite location in 4 hours or less, but there is no server available there to support such a quick recovery. Or you uncover the fact that the database needed to support the application will take 96 hours to recover from tape, blowing your RTO out of the water if the most current data is not already there. Or you discover that failing over critical calls to another call center would extend wait times to an unacceptable level, thereby violating contract agreements. The good news is the BIA has identified gaps in the recovery capability that can be addressed. The Gap Analysis section of the BIA should include the costs and implementation efforts for the remedy and will provide the business case for doing so in a timely fashion.


  • Input for the development of future state recovery. This is the part where a good BIA marries the critical business activities and outage information, the RTO’s, and the Gap Analysis to create a high level roadmap of where the organization should be heading if they want to increase their recovery capabilities to an acceptable level. The data from the BIA can be used to influence both infrastructure and business planning. For example, the shortfalls in the Gap Analysis might be addressed by an upgrade in the offsite capabilities, a change in the timing and content of backups of critical data, or a move to virtual servers. It’s possible an organization could now justify splitting the data center between two locations with the capability of mutual recovery for critical resources. Or they could decide to use the pie chart to plan to provide for immediate failover needs in a co-location space while using a cloud arrangement for the more deferrable recovery requirements, thereby saving cost without increasing risks. Likewise, the BIA data can influence business planning to support decisions to outsource certain functions, split physical locations to reduce risk, or to simplify certain business processes.

With all the data collected, analyzed, and digested, a business case can be developed that outlines the threat, presents the business impacts over time, details the timeframes for recovery of critical functionality, identifies the gaps in recovery capabilities, and provides the makings of a high level roadmap that includes the effort and expense of increasing recovery capabilities to an acceptable risk posture. If you’ve done an effective BIA, the way forward should be much clearer and you’ve been able to build a persuasive business case that gives senior management the data it needs to make a good technical, business, and financial decisions.

Please feel free to leave comments on this blog or contact me at the number and email address above. Enjoy doing a BIA!