An intensifying threat environment and evolving expectations about preparedness mean executives can no longer maintain a disengaged attitude toward business continuity. Today’s leaders have a duty to actively direct their companies’ continuity efforts, a duty that starts with educating themselves about BC.
The relationship between BC practitioners and their executives has always been a bit rocky.
BC people are completely dependent on their executives for the funding and institutional support they need to do their jobs. But, historically, executives haven’t understood BC or believed in its value. Not surprisingly, most execs are more interested in pursuing their organizations’ core missions than they are in preparing for eventualities that will probably never occur, as they see it.
I experience this often as a BC consultant who regularly makes presentations to company boards. All too often, these sessions come down to me talking for my allotted 10 minutes, the board saying, “Thanks, have a great day”—and that’s it. I never hear from them again. Sometimes when I meet with executive oversight panels, they have so little to say, I suspect they only came for the lunch.
This was never a great dynamic from the BC team’s point of view. It was also risky for the company, since the inevitable result was to increase its vulnerability to disruptions.
But if an aloof attitude by the senior leadership toward BC was ill-advised in the past, nowadays it is untenable.
For one thing, the operating environment for organizations has gotten increasingly hazardous. The threats of extreme weather, supply chain instability, global turmoil, and all the rest have reached new heights. At the same time, our dependence on a computing and networking infrastructure whose vulnerability is the subject of daily news headlines has never been greater.
Another reason executives’ traditional neglect of BC no longer holds up is that society’s expectations have shifted. More and more, people believe organizations are morally and legally required to anticipate emergencies and disruptions. Organizations that are not prepared, and whose lack of readiness harms others, are increasingly being held accountable in the courts and by regulators.
Examples of this trend include the lawsuits filed against Camp Mystic in Texas, site of the tragic drowning of 25 campers and two counselors in flash flooding in July, and the proposed $1 million fine of Colonial Pipeline after it was hit by a cyberattack in 2021.
Executives can no longer give business continuity the brush-off, not if they hope to protect their companies and enjoy the respect of their communities. Senior leaders need to step up and assume their rightful place as the leaders of business continuity at their organizations.
Fortunately, some leaders are heeding the message about the need for them to get serious about BC. We are definitely seeing increasing engagement by board members at some organizations.
For example, at one client of ours, when a proposal was made to consolidate several distribution centers into one facility, one top exec pointed out that this would create a massive risk for the organization. He said that before he would go along with the proposal, he would have to see a very solid continuity plan spelling out how the company would keep its critical operations going if the new facility was hit with a disruption.
What does it mean for senior management to take a leadership role in BC?
First off, it means learning what BC is and becoming familiar with its basic methodology. The basics of BC can be grasped in 10 minutes, but you would be surprised how few executives know what they are.
I’ve written about them extensively in other blogs, but here’s an informational starter kit for the complete novice:
Business continuity (BC) is about taking steps ahead of time to enable the organization to continue or quickly recover its mission-critical operations in the event of a disruption, such as facility damage caused by a hurricane or a network outage caused by a cyberattack.
A cornerstone of BC is the Business Impact Analysis (BIA), a review that prioritizes the organization’s business and IT processes based on how critically time sensitive they are.
The BIA determines when the various processes need to be restored after an outage in order to avoid an unacceptably high impact to the organization, for example “within the first four hours” (for a highly critical process) or “within the first week” (for a process that is less critically time sensitive). These are called Recovery Time Objectives or RTOs.
Under the guidance of the BC team, the departments create recovery plans. These often include manual workarounds to enable the department to accomplish key tasks when the normal methods of completing them are not available.
A key need in BC is to align the requirements of the business departments with the capability of the IT department.
Writing recovery plans is not enough. Plans must be regularly tested and validated to ensure they work, train staff, and identify and close gaps. Plans must be updated as the environment and organization change.
Another key aspect of business continuity is crisis management planning, the choosing of a CM leader, and the setting up of a CM team.
The process of doing BC is made significantly easier thanks to the existence of business continuity standards. These are sets of BC guidelines issued by a handful of key industry bodies and government organizations. One of the best ways an organization can improve its resilience is to choose and come into alignment with one or more of the leading BC standards.
BC is not about protecting everything at the organization equally. It’s about making rational decisions and informed trade-offs to achieve the maximum protection for an acceptable cost.
Familiarity with these fundamentals is an essential starting point for executives to understand the scope, priorities, and strategic decisions necessary to lead an effective BC program.
Once executives are familiar with the basics of BC, they can begin carrying out their role as BC leaders at their organizations. What does this mean, exactly? It means providing active oversight and strategic direction to the BC program.
Let’s get more specific.
The following are some ways execs can provide critical leadership on BC: paying attention to the requests and presentations of the BC team, requiring the business units and IT department to do their part, removing roadblocks, making time for BC exercises, choosing and aligning with one of the leading BC standards, seeking the unvarnished truth about the program’s capabilities, being realistic about threats and costs, and making the tough calls regarding organizational priorities.
By taking these actions, executives can provide their companies with the program oversight and strategic guidance that builds resilience and protects their organizations.
We previously discussed the basic BC knowledge executives need to lead the continuity effort at their organizations. Beyond the basics, there are a few other pieces of information that can be immensely useful to the engaged executive.
We find that three key metrics can be especially valuable in giving executives the insight they need to be informed BC program leaders.
1. Program Maturity
This measures how well the BC program is built and how closely it aligns with recognized standards such as ISO 22301, NFPA 1600, or the FFIEC guidelines. Quantifying program maturity—whether the program is 30 percent, 80 percent, or fully aligned—helps executives prioritize investments, direct remediation efforts, and track progress over time.
2. Residual Risk
This metric quantifies the level of risk that remains after all mitigation measures are applied. By tracking residual risk as a percentage or risk score, executives can clearly see the organization’s exposure, avoid overconfidence, and make informed decisions about resource allocation and risk tolerance.
3. VOI
VOI (Value of Investment) measures the return on the resources committed to the BC program, including avoided downtime, preserved revenue, regulatory compliance, and reputational protection. Expressing VOI numerically allows executives to defend budgets, demonstrate the program’s value, and champion continuity as a strategic, board-level priority.
Obtaining and tracking these three metrics gives executives the data-driven insight they need to guide their BC programs with confidence and clarity.
Executives can no longer afford to treat business continuity as a peripheral technical issue. In today’s environment, leadership attention has become a defining factor in whether organizations are resilient—or vulnerable—when disruption hits.
Understanding the fundamentals of BC, the organization’s level of alignment with recognized standards, the true amount of residual risk, and the VOI behind the program gives leaders the clarity they need to make informed, strategic decisions. When executives embrace this role, they set the tone for accountability, preparedness, and enterprise-wide resilience.
If your organization is ready to strengthen its BC posture, obtain critical program metrics, and move toward the level of engagement and capability described in this post, we can help. Contact us to learn how MHA Consulting and BCMMetrics can support you in building a mature, aligned, and executive-led continuity program.