Nearly every business continuity standard and regulation require clearly articulated roles and responsibilities. This includes ISO 22301, the Business Continuity Institute’s Good Practice Guidelines, Disaster Recovery Institute, FFIEC requirements on business continuity, and NFPA 1600.

For example, ISO 22301’s requirements say the following about business continuity and IT disaster recovery program roles and responsibilities:

  • “To achieve its business continuity objectives, the organization shall determine who will be responsible, what will be done, what resources will be required, when it will be completed, and how the results will be evaluated” (Clause 6.2)
  • “The organization shall determine the necessary competence of person(s) doing work under its control that affects its performance; ensure that these persons are competent on the basis of appropriate education, training, and experience; where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken; and retain appropriate documented information as evidence of competence.” (Clause 7.2)


Beyond aligning to ISO 22301, and other industry-approved business continuity standards, there are four main benefits to defining roles and responsibilities, including:

  1. Ensuring the right individuals are in the right roles to maximize business continuity performance;
  2. Assisting organizational leaders with assigning the best individuals to each role;
  3. Ensuring that all business continuity planning participants understand what is expected of them;
  4. Helping to clearly identify any gaps in knowledge, skills, and abilities for individuals assigned to business continuity roles and responsibilities.

Often, when roles and responsibilities are not defined effectively, the wrong individuals (typically with the wrong skills, experiences, and credentials) are engaged in a specific task – usually resulting in poor performance or missed expectations.  For example, we see this when department-level managers assign a newer employee or an administrative assistant to develop a response and recovery plan for the department.  Many times, these individuals may not have the depth of knowledge about department operations or the authority to engage the right individuals to effectively plan for response and recovery.  Conversely, programs that attempt to have senior-level individuals complete a recovery plan for one of their several business units, typically struggle to capture the right level of detail. Both of these issues can result in an ineffective or incomplete plan.


Although roles vary from organization to organization, some are common among business continuity programs.  The following tables highlight some of the common roles for managing the program.



Steering Committee participation often varies based on the organization. Typical Steering Committee members include the COO, CFO, CIO, general counsel, and internal auditors. However, regardless of title, participants on the Steering Committee should be able to:

  • Provide strategic input for the program
  • Have a pulse on the business – he or she understands the organization’s strategic goals and can see when a change in the business can affect the program
  • Assist in validating the scope, products/services, key findings, and strategies for his or her business area
  • Ensure direct-reports and subordinates perform required business continuity activities
  • Possess strong leadership and verbal communication skills
  • Sees the value in having business continuity capabilities for their respective areas.


Business Continuity response team structures vary widely, but the following roles are common on most business continuity teams:


A simple process can help you define roles and responsibilities for your program.


Start by being clear about what you need from each role in the program. Make a list of all the roles in the program and then for each role, start a bulleted list of the role-specific requirements. This list should contain anything from time commitment to knowledge of the business to responsibilities for updating plans. But keep it focused on the most important things. We find most roles can be described in five to ten requirements.

Once the role is clearly defined, then it’s a question of finding the right person to fill it.


At Castellan, we talk about “GWC” when it comes time to clarify roles and responsibilities (we learned of this three-letter acronym from the book Traction by Gino Wickman, who described a business operating model called the Entrepreneurial Operating System). The person assigned to each role should be able to respond positively to the following questions:

  1. Do they Get it (understand the role and responsibilities)?
  2. Do they Want it (are they motivated to take on the responsibility)?
  3. Do they have the Capacity to perform it (ability and time to perform the responsibilities)?

Once the candidates are clearly defined, then it’s a question of deciding which candidate is the best fit.


  • Get It:

This is a gut feeling type of question – does the person understand what the role is about and how it all comes together to help the organization? Do they see why it’s important? For some people, it just doesn’t click.

  • Want it

Does the person honestly want to do the job? Or are they just going through the motions because they’ve been ‘assigned’ it. We often feel the need to ‘motivate’ or ‘energize’ people in their roles – and that’s one of the warning signs that the person just doesn’t want to participate or do the work. In those cases, you should stop banging your head against the wall and find someone who actually wants it.

  • Capacity

Capacity encompasses the skills, resources and time needed to perform the role well. Use the role definition created above to ask yourself if a person has the mental capacity for the role, the skills and the time available to perform it. While Get it and Want it are mandatory, those who don’t fully have the Capacity for the role should still be considered if you believe they can develop the capacity with coaching or training in the next six months.

  • When GWC is missing

If you’ve been assigned people that you believe don’t have GWC for the role – this section is for you! First – you must believe that you do not have to tolerate GWC issues in your program. Until you believe that, nothing will change. Even if it takes a year or more to fix – please know that you CAN have a program filled with people who Get it, Want it and have the Capacity to do the work! When that happens – EVERYTHING gets easier.

So how should a program manager address “GWC” problems? The first step is always to talk to the person one-on-one. During the conversation, you can ask them if they “get it, want it and have the capacity” for their role. 90% of the time, they know this is a problem and they’ll tell you all about it! 10% of the time, you’ll need to help them see your concerns. In either case, the first step is to talk to the person and get on the same page that the GWC is a problem. The second step is to ask them what we should do about it. Often, they can find or suggest someone who is a better GWC fit and you can move the program forward quickly. Sometimes though, you just can’t find the right GWC fit. In these cases, you must add it to an issue list as a long-term problem to be monitored and addressed. In some cases, particularly for people with limited capacity, you can put in place workarounds that still allow the program to accomplish its goals. However, if no solutions can be found, present the issue to the steering committee to get their help in problem-solving. Using clear roles and the GWC tool, over time, you can have a team comprised of the right people to help achieve the right level of resiliency. Additional considerations for determining business continuity team participation can be found in the chart below.


Documenting and communicating roles and responsibilities effectively has two key benefits for an organization:

  1. The organization will have “the right people in the right seats“. This will help to ensure that the program continues to grow and develop by having competent individuals who are engaged in driving the program forward.
  2. Individuals filling each role will clearly understand their given responsibilities and expectations. This will help ensure that program actions are completed, the program is maintained, and, holistically, individuals are seeking to reduce gaps and improve organizational resilience.

Castellan has helped to develop business continuity and IT disaster recovery programs for organizations of all sizes in nearly every industry. Over the 15 years that Castellan has been developing world-class programs, one of the six core elements that we have identified as a key driver of program success is Participation.  


If you want to accelerate management’s support for business continuity – you need to check our free guide to building executive support: the Executive Support Amplifier.  It provides the 5 easy steps to build support without having to ‘sell’ anyone!

If you’re ready to get hands-on help to quickly get results, please book a strategy session with a member of my team today to:

  • Discuss your program goals
  • Explore your current challenges
  • Discuss how to achieve your goals

For more on integrated risk management, download our e-book, Conquering the New World of Risk with Intgrated Risk Management.