Business Continuity Planning: Centralized and Decentralized Approaches

Broadly speaking, there are two approaches to structuring a business continuity programme.

A centralized structure involves leading and executing the business continuity planning process within a single team and engageing the business as needed.

A decentralized structure involves leverageing a small number of centralized resources that offer consultative assistance and performance measurement while resources dispersed throughout the business execute the actual planning process.

Both approaches have pros and cons, so it’s critical that organisations select the appropriate approach that adheres to their organisation’s overall strategy, structure, culture, and priorities. In this perspective, I’ll provide an overview of each type of structure, the attributes associated with them, and additional information to help you select the most effective method of implementing a business continuity programme within your organisation.

WHAT’S THE DIFFERENCE?
The defining factor in each structure is the where business continuity knowledge and responsibilities are held within the organisation.

A centralized programme is one in which the responsibility for executing activities in support of business continuity and preparedness effort is held within a single entity or group – typically at the corporate (or headquarters) level – positioned to engage all core elements of the organisation. These centralized teams are often business continuity professionals tasked with designing, implementing, reporting on, and improving all aspects of the programme across the organisation in coordination with business and functional representatives and process owners, to varying degrees. These activities are often conducted based on guidance and direction provided by an executive programme sponsor or a business continuity steering committee (or other governing body).

In a decentralized programme, responsibility is distributed throughout the business and relies on functional leaders to execute business continuity activities themselves. These individuals bring their knowledge of their respective functions as their primary value to the programme and are situated well to flexibly respond to changes in the business. They often act semi or completely autonomously in the execution of planning activities, with little control from a centralized hub (with the possible exception of a business continuity policy statement or standard offered from the organisation’s leadership).

While either approach to business continuity listed above can be employed in a variety of ways, each tends to have a common set of “pros and cons” associated with its implementation. Let’s take a look at some typical strengths and weaknesses of each approach.

Centralized: The main strength that we see in organisations leverageing a centralized programme structure is the top-down guidance and focus that can be maintained by the business continuity group or team. These business continuity professionals can work directly with the programme sponsor, steering committee, or governing body to establish priorities and employ their knowledge and resources to implement those across the organisations. This approach lends itself to a high degree of consistency (both in terms of methodology and outcomes) throughout the programme and supports a simple reporting structure to keep management informed and provide recommendations on performance and requirements.

However, a centralized business continuity group can struggle with a lack of organisational knowledge (in particular, the value of products and services and how the customer uses them) and with how business priorities are performed by the organisation (these centralized teams tend to be overwhelmed by the number of departments or functions that may require attention). This is especially true in larger or geographically dispersed organisations. Both challenges can be mitigated by regularly engageing with a cross-functional steering committee and engageing on the purpose of the organisation and how the organisation is structured to deliver on obligations.

Conceptually, the most “centralized” type of business continuity programme is one in which a third-party that specializes in business continuity is tasked with conducting all programme activities in an outsourced capacity. This centralized approach alleviates much of the organisation’s need to continually assess staffing allocation (as that would typically fall under the responsibility of the third-party). It could, based on the nature of the relationship with the third-party, reduce the strain on the organisation during times of change. Further, third parties often have extensive experience with implementing and manageing programmes with similar organisations and in similar industries, which adds to the functional expertise and nuanced approach to your organisation.

Decentralized: A decentralized structure relies heavily on functional representatives conducting business continuity planning activities (including, but not limited to, the business impact analysis, risk assessment, strategy determination and selection, plan documentation, and exercising). The main benefit here is that these personnel resources often have deep knowledge of the organisation they are working to protect, as well an expert-level knowledge of the products/services and how the customer uses them. Due to the planner’s proximity to the organisation, this approach is better positioned to react to organisational change.

While the decentralized planning approach helps drive better programme documentation, the lack of a centralized community providing templates and guidance can often lead to inconsistency across the organisation. This concern can be true in terms of how information and captured and presented, as well as the nature in which parts of the organisations prioritize their function in relation to others. Additionally, participants in decentralized programmes can fall into the trap of planning in vacuum, that is, developing continuity plans and requirements without considering (or having adequate knowledge of) enterprise-level priorities. While this risk can be mitigated by instituting a strong reporting system that incorporates decentralized metrics into a consolidated product for the steering committee to review against its priorities, it requires that the organisation actively manage how those priorities are disseminated and integrated into programme activities. It also places additional importance on training and awareness activities to ensure that programme participants throughout the organisation have the requisite knowledge to conduct the business continuity lifecycle.

In addition, as this business continuity programme design often relies on non-business continuity professionals to conduct programme activities, some organisations struggle with ensuring that those tasked with business continuity activities allocate appropriate time to the programme. This issue can be difficult to solve as each participant’s daily or weekly priorities will be focused on their “day jobs” and understanding how much time is actually required and when can be difficult. There are a couple techniques to mitigate this, including implementing effective reporting systems (understanding when something is not being done to standard) or outsourcing the implementation of the programme to a third-party specializing in business continuity and standardizing programme maintenance activities.

WHICH APPROACH IS RIGHT FOR MY ORGANIZATION?
Implementing a business continuity programme that fits your organisation can seem like an intimidating prospect. Every organisation is different and your approach to business continuity should reflect your organisation’s unique structure, culture, and priorities. To make the process a little easier, let’s discuss some critical questions to ask when evaluating business continuity structures or the current structure of your programme.

Structure: Like other management systems, it is important to consider your organisation’s structure when determining the most effective approach for your business continuity programme. Does your organisation tend towards a hierarchy with centralized decision-making, or is it “flat” with autonomous entities responsible for self-management? Is there a regional component to the organisation’s structure wherein regions are responsible for being capable of operating independently? To be effective, business continuity programmes need to align with the current organisational structure to seamlessly integrate the programme into current workflows and responsibilities.

Culture: It is critical to understand and incorporate your organisation’s culture when developing and implementing a business continuity programme. While culture may be a difficult thing to assess quantitatively, it is among the most critical considerations for implementing the programme to ensure that it is effectively integrated within the organisation’s overall preparedness efforts. In determining how your organisation’s unique culture may impact the selection of the most effective structure for your programme, think about how your organisation tends to assign responsibility for ancillary tasks and activities. Do you tend to expect personnel across the organisation to take part in secondary activities, or is it expected that they focus on their individual functional area with supporting services provided by external, even third-party, entities?

Management Style: Management style is a critical consideration when deciding the most appropriate business continuity structure for your organisation. While this is closely related to both the structure and the culture of the organisation, it is important to bring attention to it separately. For our discussion, management style describes the nature of how individuals interact across the organisation. Do individuals within your organisation typically interact with one another cross-functionally, or is most coordination managed by direct management? Decentralized business continuity programmes often require individuals to work across functions to establish requirements or understand how their specific function fits within the “big picture”. Organisations with a strictly established siloed management style may struggle with implementing a business continuity programme that requires a lot of cross-functional coordination.

OTHER CONSIDERATIONS
Regardless of the whether your organisation gravitates to a centralized or decentralized structure, or a combination of the two, there are two key concepts to keep in mind to ensure that the programme structure successfully supports your organisation’s preparedness efforts – consistency across the programme and the importance of training and awareness.

Consistency: While large or geographically diverse organisations tend to struggle more with consistency, it is a common contributor to business continuity programmes that don’t meet management expectations. Ensuring that standards, roles and responsibilities, expectations, and outcomes are standardized within governance documentation and communicated throughout the programme is critical to developing and maintaining an effective business continuity programme. Both structures of programmes can struggle with maintaining consistency, and, to do so, requires active measures taken by programme participants.

Training and Awareness: No matter how effective your strategies, how detailed your plans, or how consistent your standards, if people in your organisation are not aware of it, it will all be for naught. Many organisations spend time and energy developing detailed governance documentation, business impact analyses, risk assessments, and recovery plans only to have them sit on a shelf untouched. Validation exercises, awareness training, and improvement efforts are absolutely vital to ensuring that your organisation can actually respond to and recovery from a disruption in accordance with management expectations.

FINAL THOUGHTS
Like many aspects of the modern world, there is no single answer or universal approach to structuring your business continuity programme. Every organisation has different priorities, requirements, culture, style, and strategy – and that is a good thing!). But, with that modern diversity in organisational attributes comes an added complexity of implementing a business continuity programme that truly fits your organisation. While this may seem daunting, it really only means that understanding your organisation is as (if not more) important to developing and implementing an effective business continuity programme as understanding business continuity itself.

We protect our clients’ business operations by building business continuity, IT disaster recovery, and information security solutions that are tightly aligned to the strategic priorities of the organisation. If you’re looking for assistance with the development of your programme, we can help! Please contact us today to learn more.