Ownership – Where Do Our Responsibilities Begin and End as Business Continuity Professionals?

Brian Zawada, FBCI Brian Zawada, FBCI | Aug 15, 2016

Ownership – Where Do Our Responsibilities Begin and End as Business Continuity ProfessionalsAs published in the Summer 2016 Issue of the Disaster Recovery Journal – Volume 29, Number 3.

One of the latest threats to organizations is something termed “ransomware”.  Commonly defined as a type of malware that blocks access to an application and its data until the victim pays a predetermined amount of money.  You may have read about two recent attacks, one targeting the Hollywood Presbyterian Medical Center and the other targeting MedStar.  If you haven’t heard about these two attacks, perhaps you can pause for a minute and do a quick Google search to learn more.  And, after you do, I have a question for you to consider:

If your organization hasn’t already prepared for this type of threat (ransomware or malware in general), who owns planning for it or preparing contingencies addressing the affected resources?

This article discusses some of the threats and risks that are currently top-of-mind for executive managers and why resilience-related thinking is so important, as well as the different roles that the business continuity professional can perform to add value.

Ransomware is just one threat that’s making the news and causing concern in the boardroom.  According the 2016 Business Continuity Institute (BCI)-sponsored Horizon Scan report, the following threats made the “top ten threats to businesses worldwide” listing, based on responses from 568 organizations representing 74 countries:

  1. Cyber attack
  2. Data breach
  3. Unplanned IT and telecom outages
  4. Act of terrorism
  5. Security incident
  6. Interruption to utility supply
  7. Supply chain disruption
  8. Adverse weather
  9. Availability of talents/key skills
  10. Health and safety incident

BCI 2016 Horizon Scan Report - Top 10 Threats

During a session at DRJ Spring where John Jackson and I discussed the 2016 Horizon Scan report, I was struck by the diversity of these threats, as well as how a diverse set of management disciplines need to participate in effectively mitigating these risks and preparing appropriate responses.

This DRJ Spring session also led me to reconsider a recent position paper authored by the BCI that clarifies the term “resilience” and its relationship to business continuity.

I’d like to note five specific conclusions from this paper that I agree with:

  1. Business continuity is not the same as organizational resilience (which ISO 22316 defines as the ‘adaptive capacity of an organization in a complex and changing environment’).
  2. The effective enhancement of organizational resilience requires a collaborative effort between many management disciplines.
  3. No single management discipline can credibly claim ‘ownership’ of organizational resilience, and organizational resilience cannot be described as a subset of another management discipline or standard.
  4. Business continuity principles and practices are an essential contribution for an organization seeking to develop and enhance effective resilience capabilities.
  5. The wide range of activities required to develop and enhance organizational resilience capabilities provide an opportunity for business continuity practitioners to broaden their skills and knowledge, building on the foundation of their business continuity experience and credentials.

So I’d like to end this background section with a problem statement:

Given the multitude of threats and their corresponding risks that could lead to bad outcomes for organizations, who should take ownership of mitigating the risk associated with the ten threats noted above or, more broadly, the risks that make an organization less resilient? 

The business continuity professional clearly owns the responsibility to address “availability” related risks – risk mitigation, response and recovery – that may disrupt the continued delivery of critical products/services and lead to missed expectations.  But, what about other risks and threats?  Take, for example, the first issue from the Horizon Scan report, Cyber Attack.  What’s the business continuity professional’s role?  In my opinion, there’s three options:

  1. OWNER: Own and execute risk mitigation and the development of an appropriate response;
  2. FACILITATOR: Facilitate and organize the risk mitigation and response development effort; or
  3. PARTICIPANT: Participate as a team member charged with mitigating risk.

In this case, especially when the organization employs an information security team, and when the business continuity professional doesn’t double as an information security expert, perhaps it’s the third option above.  As a participant, the business continuity professional can assist with identifying the following:

  1. Key users and the customers impacted by the loss of the application and its data
  2. The business impact associated with the loss of specific applications and data
  3. A process to manage the response to a disruptive and make effective decisions
  4. An understanding of manual workarounds and alternate procedures associated with the absence of the application and its data

What the business continuity professional is unlikely to offer includes:

  1. Techniques to ensure the malware is unable to encrypt application data
  2. Methods to restore data to a point in time where the data was unaffected

This is just one example, and it’s one example that highlights the fact that the business continuity profession should never be positioned to own the mitigation of all risks.  I’m unaware of anyone with the technical skills and experiences to offer solutions for security, information security, human resources, compliance, credit, and marketing-related risks (just to name a few).  But, with exposure to the common issues faced by each of these management disciplines, combined with the knowledge gained by being a business continuity leader, look out!  The business continuity professional is well positioned to offer value beyond what’s traditionally associated with business continuity planning.  So let’s talk about what the business continuity professional brings to organizational resilience and risk mitigation in general.

Assuming you’ve led the execution of a business impact analysis process, very few professionals know the organization’s strategy, products, services, customers, and value streams better than you.  Beyond this knowledge, the business continuity professional also brings the following:

  • Organizational structure knowledge and relationships (the organizational chart, locations, supply chains)
  • Team facilitation techniques
  • Sales techniques, specifically the skills and experiences necessary to sell recommendations to mitigate risk
  • An ability to navigate different levels of thinking, ranging from the strategic to the tactical

With all this knowledge, as well as the skills and experiences developed over time, the business continuity professional has a unique opportunity to effectively own, facilitate, or participate in the mitigation of a wide range of organizational resilience-related risks.

The following table revisits the top ten threats noted in the 2016 Horizon Scan Report and provides some insight on when a business continuity professional should Own, Facilitate, or Participate (keeping in mind that all organizations are different, so this will vary).

Business Continuity Ownership

Bottom line, in many organizations, there’s a void to be filled in driving risk mitigation to closure.  For business continuity professionals looking for more, consider getting involved in more than facilities, people, equipment, technology, and supply chain availability risks – be a risk solutions facilitator or a member of the team charged with mitigating resilience-related risk.


Brian Zawada (FBCI, MBCP) is the Director of Consulting at Avalution, a leading provider of business continuity and IT disaster recovery consulting, outsourcing, and software solutions. Zawada is an elected board member and President of the USA Chapter of the Business Continuity Institute (BCI) and the former Chairman and Head of the U.S. Delegation to ISO 292, the group charged with developing ISO 22301 and other related standards.  Zawada is a frequent author and speaker.