Broadly speaking, there are two approaches to structuring a business continuity program.
A centralized structure involves leading and executing the business continuity planning process within a single team and engaging the business as needed.
A decentralized structure involves leveraging a small number of centralized resources that offer consultative assistance and performance measurement while resources dispersed throughout the business execute the actual planning process.
Both approaches have pros and cons, so it’s critical that organizations select the appropriate approach that adheres to their organization’s overall strategy, structure, culture, and priorities. In this perspective, I’ll provide an overview of each type of structure, the attributes associated with them, and additional information to help you select the most effective method of implementing a business continuity program within your organization.
WHAT’S THE DIFFERENCE?
The defining factor in each structure is where business continuity knowledge and responsibilities are held within the organization.
A centralized program is one in which the responsibility for executing activities in support of business continuity and preparedness efforts is held within a single entity or group – typically at the corporate (or headquarters) level – positioned to engage all core elements of the organization. These centralized teams are often business continuity professionals tasked with designing, implementing, reporting on, and improving all aspects of the program across the organization in coordination with business and functional representatives and process owners, to varying degrees. These activities are often conducted based on guidance and direction provided by an executive program sponsor or a business continuity steering committee (or other governing body).
In a decentralized program, responsibility is distributed throughout the business and relies on functional leaders to execute business continuity activities themselves. These individuals bring their knowledge of their respective functions as their primary value to the program and are situated well to flexibly respond to changes in the business. They often act semi- or completely autonomously in the execution of planning activities, with little control from a centralized hub (with the possible exception of a business continuity policy statement or standard offered from the organization’s leadership).
PROS AND CONS OF EACH APPROACH
While either approach to business continuity listed above can be employed in a variety of ways, each tends to have a common set of “pros and cons” associated with its implementation. Let’s take a look at some typical strengths and weaknesses of each approach.
Centralized: The main strength that we see in organizations leveraging a centralized program structure is the top-down guidance and focus that can be maintained by the business continuity group or team. These business continuity professionals can work directly with the program sponsor, steering committee, or governing body to establish priorities and employ their knowledge and resources to implement those across the organization. This approach lends itself to a high degree of consistency (both in terms of methodology and outcomes) throughout the program and supports a simple reporting structure to keep management informed and provide recommendations on performance and requirements.
However, a centralized business continuity group can struggle with a lack of organizational knowledge (in particular, the value of products and services and how the customer uses them) and with how business priorities are performed by the organization (these centralized teams tend to be overwhelmed by the number of departments or functions that may require attention). This is especially true in larger or geographically dispersed organizations. Both challenges can be mitigated by regularly engaging with a cross-functional steering committee and engaging on the purpose of the organization and how the organization is structured to deliver on obligations.
Conceptually, the most “centralized” type of business continuity program is one in which a third party that specializes in business continuity is tasked with conducting all program activities in an outsourced capacity. This centralized approach alleviates much of the organization’s need to continually assess staffing allocation (as that would typically fall under the responsibility of the third party). It could, based on the nature of the relationship with the third party, reduce the strain on the organization during times of change. Further, third parties often have extensive experience with implementing and managing programs with similar organizations and in similar industries, which adds to the functional expertise and nuanced approach to your organization.
Decentralized: A decentralized structure relies heavily on functional representatives conducting business continuity planning activities (including, but not limited to, the business impact analysis, risk assessment, strategy determination and selection, plan documentation, and exercising). The main benefit here is that these personnel resources often have deep knowledge of the organization they are working to protect, as well as an expert-level knowledge of the products/services and how the customer uses them. Due to the planner’s proximity to the organization, this approach is better positioned to react to organizational change.
While the decentralized planning approach helps drive better program documentation, the lack of a centralized community providing templates and guidance can often lead to inconsistency across the organization. This concern can be true in terms of how information is captured and presented, as well as the nature in which parts of the organization prioritize their function in relation to others. Additionally, participants in decentralized programs can fall into the trap of planning in a vacuum, that is, developing continuity plans and requirements without considering (or having adequate knowledge of) enterprise-level priorities. While this risk can be mitigated by instituting a strong reporting system that incorporates decentralized metrics into a consolidated product for the steering committee to review against its priorities, it requires that the organization actively manage how those priorities are disseminated and integrated into program activities. It also places additional importance on training and awareness activities to ensure that program participants throughout the organization have the requisite knowledge to conduct the business continuity lifecycle.
In addition, as this business continuity program design often relies on non-business continuity professionals to conduct program activities, some organizations struggle with ensuring that those tasked with business continuity activities allocate appropriate time to the program. This issue can be difficult to solve as each participant’s daily or weekly priorities will be focused on their “day jobs” and understanding how much time is actually required and when can be difficult. There are a couple of techniques to mitigate this, including implementing effective reporting systems (understanding when something is not being done to standard) or outsourcing the implementation of the program to a third party specializing in business continuity and standardizing program maintenance activities.
WHICH APPROACH IS RIGHT FOR MY ORGANIZATION?
Implementing a business continuity program that fits your organization can seem like an intimidating prospect. Every organization is different and your approach to business continuity should reflect your organization’s unique structure, culture, and priorities. To make the process a little easier, let’s discuss some critical questions to ask when evaluating business continuity structures or the current structure of your program.
Structure: Like other management systems, it is important to consider your organization’s structure when determining the most effective approach for your business continuity program. Does your organization tend towards a hierarchy with centralized decision-making, or is it “flat” with autonomous entities responsible for self-management? Is there a regional component to the organization’s structure wherein regions are responsible for being capable of operating independently? To be effective, business continuity programs need to align with the current organizational structure to seamlessly integrate the program into current workflows and responsibilities.
Culture: It is critical to understand and incorporate your organization’s culture when developing and implementing a business continuity program. While culture may be a difficult thing to assess quantitatively, it is among the most critical considerations for implementing the program to ensure that it is effectively integrated within the organization’s overall preparedness efforts. In determining how your organization’s unique culture may impact the selection of the most effective structure for your program, think about how your organization tends to assign responsibility for ancillary tasks and activities. Do you tend to expect personnel across the organization to take part in secondary activities, or is it expected that they focus on their individual functional area with supporting services provided by external, even third-party, entities?
Management Style: Management style is a critical consideration when deciding the most appropriate business continuity structure for your organization. While this is closely related to both the structure and the culture of the organization, it is important to bring attention to it separately. For our discussion, management style describes the nature of how individuals interact across the organization. Do individuals within your organization typically interact with one another cross-functionally, or is most coordination managed by direct management? Decentralized business continuity programs often require individuals to work across functions to establish requirements or understand how their specific function fits within the “big picture”. Organizations with a strictly established siloed management style may struggle with implementing a business continuity program that requires a lot of cross-functional coordination.
Regardless of whether your organization gravitates to a centralized or decentralized structure, or a combination of the two, there are two key concepts to keep in mind to ensure that the program structure successfully supports your organization’s preparedness efforts – consistency across the program and the importance of training and awareness.
Consistency: While large or geographically diverse organizations tend to struggle more with consistency, it is a common contributor to business continuity programs that don’t meet management expectations. Ensuring that standards, roles and responsibilities, expectations, and outcomes are standardized within governance documentation and communicated throughout the program is critical to developing and maintaining an effective business continuity program. Both program structures can struggle with maintaining consistency, and doing so requires active measures taken by program participants.
Training and Awareness: No matter how effective your strategies, how detailed your plans, or how consistent your standards, if people in your organization are not aware of them, it will all be for naught. Many organizations spend time and energy developing detailed governance documentation, business impact analyses, risk assessments, and recovery plans only to have them sit on a shelf untouched. Validation exercises, awareness training, and improvement efforts are absolutely vital to ensuring that your organization can actually respond to and recover from a disruption in accordance with management expectations.
Like many aspects of the modern world, there is no single answer or universal approach to structuring your business continuity program. Every organization has different priorities, requirements, culture, style, and strategy (and that is a good thing!). But, with that modern diversity in organizational attributes comes an added complexity of implementing a business continuity program that truly fits your organization. While this may seem daunting, it really only means that understanding your organization is as (if not more) important to developing and implementing an effective business continuity program as understanding business continuity itself.