This perspective is the seventh in a series to discuss key elements of the ISO 22301 business continuity management system, including value-adding elements of the standard or requirements that could “trip up” an organization during the certification process. This article addresses assigning Business Continuity Roles and Responsibilities.
Today we’re going to take a look at ISO 22301’s requirements to define roles and responsibilities:
- “To achieve its business continuity objectives, the organization shall determine who will be responsible, what will be done, what resources will be required, when it will be completed, and how the results will be evaluated” (Clause 6.2)
- “The organization shall determine the necessary competence of person(s) doing work under its control that affects its performance; ensure that these persons are competent on the basis of appropriate education, training, and experience; where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken; and retain appropriate documented information as evidence of competence.” (Clause 7.2)
ISO 22301 requires business continuity programs to define roles and responsibilities for program management, as well as for all participants in the business continuity planning process (including roles that lead or execute the response and recovery effort following a disruptive incident). Beyond aligning to ISO 22301, there are four benefits to defining roles and responsibilities:
- Ensures the right individuals are in the right roles to maximize business continuity performance;
- Assists organizational leaders with assigning the best individuals to roles and responsibilities;
- Ensures that all business continuity planning participants understand what is expected of them; and
- Helps to clearly identify any gaps in knowledge, skills, and abilities for individuals assigned to business continuity roles and responsibilities.
Often, when roles and responsibilities are not defined effectively, the wrong individuals (typically with the wrong skills, experiences, and credentials) are engaged in a specific task – usually resulting in poor performance or missed expectations. For example, we see this when department-level managers assign a newer employee or an administrative assistant to develop a response and recovery plan for the department. Many times, these individuals may not have the depth of knowledge about department operations or the authority to engage the right individuals to effectively plan for response and recovery, resulting in an ineffective or incomplete plan.
Although roles vary from organization to organization, some are common among business continuity programs. The following tables highlight some of the common roles for managing the planning effort, as well as roles in responding to a disruptive incident.
In our experience, roles and responsibilities vary from organization to organization; however, a simple process can help you define roles and responsibilities for your organization and program.
First, for each role (both program management and response and recovery roles), identify what the individual in the role will need to do to be successful. Ask “What is it that we want from this person?” From that list you can create the responsibilities for the role by grouping similar/common answers into themes, and then drafting responsibilities that are clear and concise.
Second, identify the skills and abilities that an individual will need to fulfill the role effectively. Ask “What skills does this person need to possess to be effective in this role?” and “What does this person need to be able to accomplish to be effective in this role?” The answers to these questions will identify the skills and abilities for the role. Skills and abilities can include the ability to allocate resources for their department or technical skills that are necessary to ensure that current or future-state IT disaster recovery arrangements meet requirements established by the organization. In addition, some roles require significant inter-personal communication, writing, or analytic abilities, so the necessary “soft” skills should be considered.
Third, identify the knowledge and experiences an individual must possess to be effective in the role. Ask “What knowledge and/or experience does this person need to be effective in this role?” When you identify what specific knowledge and/or experience is needed to fulfill the role, you will find it easier to identify individuals to perform the role. Knowledge and experience requirements could be defined in terms of a thorough understanding of the organization’s strategy (for business continuity steering committee members) or knowledge of IT replication technologies and three years of experience in implementation of disaster recovery arrangements.
Finally, you should document the roles and responsibilities (as well as the relevant knowledge/experience, skills, and abilities). You can document roles and responsibilities in many ways, but, typically, program and response roles are defined in the procedures document for the business continuity program. The example table below can help you as you move through the steps we’ve outlined:
Consider working with each of the individuals filling the roles through one-on-one meetings or broader trainings such as web based or group trainings to ensure that they understand their role and responsibilities. The outcome of any meeting or training on roles and responsibilities should be a clear understanding by participants of their role in the program; what they will be expected to do; and what skills, abilities, and knowledge and/or experience they should have to enable effective performance in their roles.
When you document and communicate roles and responsibilities effectively, the organization will benefit in many ways including:
- The right individuals are assigned/nominated to program management, planning, and response/recovery roles ensuring effective performance in that role;
- The individuals fulfilling a role will have a clear understanding of what is expected of them and are not surprised when asked to perform additional tasks; and
- The program manager and those assigned to specific roles can jointly identify and develop a training program to close any gaps in the individuals’ skills, abilities, and knowledge/experience.
Once you have identified and documented responsibilities, you will find it is easier to get the right people into the right roles – resulting in the benefits described above. But remember, roles and responsibilities can be dynamic just like business continuity programs and the organizations they protect. To ensure the roles and responsibilities remain relevant to the program and organization, you should revisit them on a regular basis and make any necessary changes.
In the meantime, don’t hesitate to reach out to us to discuss aligning to the ISO 22301 standard or pursuing certification. We look forward to hearing from you!
Implementing ISO 22301: The Business Continuity Management Systems Standard
Avalution Consulting: Business Continuity Consulting