Selling Business Continuity Planning to the Modern C-Suite

When talking about the benefits of business continuity planning, industry vendors and business continuity planners typically tout one overarching benefit: When affected by a business interruption, having a plan drastically increases your odds of preserving revenue and keeping your doors open.

We’ve talked before about how to get buy-in by presenting business continuity as a tool for business growth. However, it’s also important to get support from each individual member of the C-suite by speaking their language. Keep in mind, though, that each member of today’s C-suite has different priorities than they did a decade ago. To make a compelling case for the diverse benefits of business continuity, emphasize how it helps each executive meet their specific goals and alleviates their pain points.

Below you’ll learn about the major concerns each member of the C-suite is facing, as well as how you can position business continuity in a way that resonates with them.

Chief Executive Officer (CEO)

Business Continuity Benefits for CEOsWhat They’re Facing

The CEO is under enormous pressure to promote the company’s vision and outrank the competition in a marketplace fueled by rapid technology changes and compliance issues, all while achieving the desired financial results. On top of that, today’s CEO is struggling to overcome a disconnect with employees, who want the CEO to communicate more often, criticize less and celebrate successes consistently.

How Business Continuity Helps

  • Encourages communication between the CEO and staff by requiring interdepartmental coordination.
  • Helps unite various departments and locations for a common purpose.
  • Gives the CEO a chance to evaluate whether the business’s operations reflect the company’s overall vision.
  • Creates a competitive advantage for the organization.
  • Identifies opportunities for improving process efficiencies and revenue streams.

Chief Operations Officer (COO)

What They’re Facing

Business Continuity Benefits for COOs"Work smarter, not harder" is the COO’s motto. As the person responsible for doing things more efficiently and profitably, the COO is challenged with staying abreast of rapidly evolving technologies, processes, security concerns and compliance requirements. As if these responsibilities aren’t stressful enough, the COO is fighting for a place in the C-suite.

How Business Continuity Helps

  • Allows the COO to become more familiar with critical business processes, products and services, supply chains, employee roles and technology.
  • Improves business resiliency by allowing the COO to identify interdependencies and single points of failure.
  • Allows for innovation in everyday business activities and quick decision-making during an interruption, which gives the COO a chance to prove their value to the organization.
  • Satisfies federal and industry regulatory requirements.

Chief Financial Officer (CFO)

Business Continuity Benefits for CFOs
What They’re Facing

The CFO role is changing, thanks to the influence of the global financial crisis, big data explosion and widespread social media adoption. In addition to managing stakeholders and overseeing financial management and reporting processes, the CFO is becoming more active in working with the CEO on the company’s strategic planning initiatives. In these different capacities, the CFO has to balance innovation with making sound decisions that protect the bottom line.

How Business Continuity Helps

  • Protects the bottom line by reducing downtime and showing stakeholders the business will do what it takes to protect their interests.
  • Helps mitigate property and profit losses. (Some insurance providers will even reduce business interruption insurance premiums for having a demonstrable business continuity strategy.)
  • Provides an overall picture of business data and processes, which helps the CFO make business recommendations for improving day-to-day operations and avoiding lost revenue in the event of an interruption.

Chief Information Officer (CIO)

What They’re Facing

Business Continuity Benefits for CIOsRapidly changing mobile, social and cloud technology is transforming modern businesses. As a result, the CIO has to think on their feet and collaborate with other executives to see how they can use technology to increase business performance while managing cybersecurity risks and mitigating downtime. The CIO has to be skilled in ensuring that employees are kept informed and productivity isn't impacted.

How Business Continuity Helps

  • Gains other departments’ cooperation in identifying key applications and interdependencies.
  • Helps resolve both small- and large-scale IT threats.
  • Improves efficiency and security of day-to-day operations.
  • Decreases frequency of outages and length of downtime.
  • Improves response to cyber threats.

Chief Marketing Officer (CMO)

Business Continuity Benefits for CMOs
What They’re Facing

As the driving force behind the organization’s brand image, the CMO has to learn to align the company with the end customer and bring in the number of qualified leads and conversions required to meet projected revenue goals. This task requires them to be knowledgeable and adaptable with the growth of big data, social media and the mobile movement.

How Business Continuity Helps

  • Assists the CMO in identifying new marketing angles by giving them the opportunity to collaborate with other teams, such as the customer service department, to pinpoint clients’ pain points.
  • Reassures customers of the organization’s ability to provide uninterrupted service, giving the business a competitive advantage and even gaining more conversions.
  • Preserves revenue stream during an event, minimizing the likelihood of the marketing budget being cut.
  • Protects against reputation damage resulting from an interruption that would otherwise require remedial marketing efforts.

Chief Customer Officer (CCO)

What They’re Facing

Business Continuity Benefits for CCOsAs one of the newest members of the C-suite, the CCO is tasked with proving the value of their position to stakeholders and the rest of the executive team. They’re also responsible for managing customer satisfaction and retention in a market where customers expect on-demand service. To do so, the CCO must encourage profitable customer behavior, find new ways to serve customers efficiently and cost effectively, and work with the sales and marketing departments to bring in more of the right customers.

How Business Continuity Helps

  • Preserves the customer experience during an interruption, helping retention and even bringing in new customers.
  • Maintains customer trust as a result of the organization having a plan for communicating key details about an event.
  • Helps protect the business’s reputation.
  • Gives the CCO a framework for efficiently navigating a disruption, which in turn helps demonstrate the importance of the CCO role to the organization.

The benefits of business continuity extend beyond surviving an event (though that’s part of it). By showing individual members of the C-suite that business continuity can help them meet their unique objectives, your organization as a whole can reap the benefits.

Why Business Continuity Is Personal for Banking Execs

Businessman taking money out of walletA business continuity planner once introduced himself to an executive as the business continuity manager. The executive responded, “No, I’m the business continuity manager.” Sound strange? Actually, that executive had the right idea.

There’s a lot of debate about who is responsible for disaster recovery, business continuity, infosecurity, etc. There are a lot of different answers about who handles the day-to-day tasks. But who’s ultimately responsible for all of these functions? If you’re a business executive, you are. And your reputation and career depend on it.

Why Are You Responsible for Business Continuity?

The FFIEC places the responsibility for business continuity on management’s shoulders. The Business Continuity Planning booklet says:

"The board and senior management should assign knowledgeable personnel and allocate sufficient financial resources to properly implement an enterprise-wide BCP."

You might assume that assigning knowledgeable personnel (IT, risk management, infosecurity, etc.) is all you need to do to meet your obligations. However, in the Operations booklet, it’s clear who has ultimate responsibility:

"Senior management and the board of directors are responsible for ensuring IT operates in a safe, sound, and efficient manner throughout the institution."

Imagine your institution facing a failure of systems or operations. Maybe a fire wipes out a branch. Or maybe a ransomware attack encrypts all your systems — and your data backups. Can you state without hesitation that your business continuity strategy is adequate in situations like these? If it’s not, could you prove that you showed due diligence and were not negligent? Or would you, like Equifax’s ex-CEO, blame the failure on a single employee’s human error?

How Does Inadequate Business Continuity Affect You?

Your institution has given you responsibilities with the understanding that your successes and failures reflect on the bank. That includes failures related to business continuity that result in losses to the bank. These failures lead to bad publicity for the company and could possibly lead to Civil Money Penalties (CMPs) against you personally.
Graph of issues related to board/management oversightIn an article on matters requiring board attention (MRBA), the FDIC says the most common issues over the past few years have been board and management related. The article states that evaluating a bank’s risk profile includes “the potential impact external threats could have on the bank’s operating environment.” It further notes that “the information technology (IT) environment remains a challenging area of business risk and warrants bank management’s oversight and continuing due diligence.”

One such case of an enforcement action against an individual for lack of oversight is a former executive vice president who received a $30,000 CMP. The FDIC determined that he’d breached his fiduciary duty by “failing to ensure his staff fully complied with the Bank Secrecy Act and regulations.”

If your bank is unable to appropriately respond to a disaster or other business interruption, you could be held legally responsible, according to Neil H. Kaufman, SVP and national BCP practice leader for a risk consulting firm. Kaufman says courts can use certain statutes as legal precedents. As an example, he cites an FFIEC circular stating that contingency planning requires an institution-wide emphasis.

If you’re found liable for a breach of fiduciary duty that causes a loss to the bank, you could be personally fined and have a blemish on your name for the rest of your career. Is that a risk you’re willing to blindly entrust to your personnel? Even the most talented employees are prone to error — especially if they aren’t accustomed to dealing with significant business interruptions day in and day out.

How to Protect Yourself and Your Bank

To protect your bank, career and reputation, start by following these steps:

  • Get involved in your business continuity planning process.
  • Familiarize yourself with the risks facing your business.
  • Make sure you’ve assigned roles and responsibilities to the right people.
  • Participate in business continuity tests and/or request a report of the test results and recommended remedial actions.

As you walk through these steps, you might find that it makes sense to outsource certain business continuity functions. A trusted technology service provider (TSP) can give you access to resources and expertise not available in-house. Additionally, a TSP that is experienced in handling business continuity events can help you mitigate areas of risk you might not have considered. You’ll also maximize your resources and allow your personnel to focus on their areas of expertise.

If your bank experienced an interruption, would you bet your reputation on the quality of your institution's business continuity response?

Invest in Cybersecurity Now to Save Money Later

Spend Now to Save Later Graphic
Spend now to save later. This concept sounds counterintuitive, but think about the situations where you take it for granted: You spend a couple hundred dollars to change your brake pads now so you don’t have to fork over several hundred for repairs when the braking system fails. You shell out a copay for a trip to the dentist so you don’t have to spend several hundred dollars (or even a couple thousand) on a root canal later. You pay a few thousand dollars to fix a crack in your home’s foundation so you don’t have to spend tens of thousands to repair a sunken house a few years down the road. The same concept applies to cybersecurity. By investing in cybersecurity preparedness now, you could reduce — or even avoid — remediation costs later.

The Cost of Cybersecurity Response vs. Prevention

Experts generally agree that global total cyber crime damage costs will surpass $6 trillion annually by 2021. That’s about a third of the current U.S. national debt and a 100 percent increase from 2015. The cumulative cost of cyber crime dwarfs the corresponding amount that will be spent on cybersecurity from now until 2021 — about $1 trillion. Clearly, there’s been a greater emphasis on detection and response than preparedness and prevention. Are you guilty of the same thing?

What Target and Equifax Teach Us

Target’s infamous breach from 2013 is instructive here. In early 2015, the company agreed to pay individual victims up to $10,000 in damages and was forced to adopt long-overdue, basic data security measures. Many people thought the company got off relatively light (despite sacrificing its CIO and CEO in the process).

From a financial perspective, you might have concluded from Target’s experience that investing in cybersecurity really was a waste of money compared to saving the extra resources, perhaps to cover the cost of a breach should one ever occur. (For most companies, particularly smaller ones, this is a luxury they cannot afford.)

Now an additional three years removed, we know that the lingering costs of the breach continued to balloon, eventually surpassing $300 million. Not only that, but the brand experiences several harder-to-quantify costs: damaged brand equity, loss of customer loyalty and diminished company reputation. As the public becomes more cognizant of the role played by companies in their success or failure at safeguarding consumer data, expect the impact of these intangible costs to increase exponentially.

Finally, fast-forward to 2017. The infamous Equifax data breach drew considerably more public ire than the Target case just four years prior, reflecting increasing awareness on the part of the individuals affected. It would also prove to be the most expensive data breach in history, with costs exceeding $439 million through the end of 2017 and expected to climb as high as $600 million before the dust settles. The Equifax case demonstrates that:

  • The cost, in real dollars, of data breaches is climbing quickly.
  • The cost in terms of reputational damage and consumer backlash is becoming more real.

How to Respond Rather Than React

Put yourself in the place of these companies. If you suffered a massive breach, would your actions and resource allocation before the fact indicate that you had taken data security seriously? If the answer is no, consider the lasting costs inflicted on your company: lost revenue, damaged brand equity, loss of customer loyalty and diminished company reputation. That’s not to mention the very real impact on those individuals directly affected by the data breach itself.

Over the long term, the cost of prevention far outweighs the cost of response. Because cyber attacks are inevitable, both prevention and response are ultimately necessary, but the key to reduced costs is understanding the long-term risk to your businesses and allocating your resources accordingly. These steps are a good starting point:

Rather than waiting for a crisis to hit and reacting in the moment, take proactive steps to prepare your business for a cyber attack. Invest in proven prevention methods, tools and services now so it doesn’t cost you later.

[Webinar Recap] The Public Cloud Is Transforming DR

Public Cloud Market GraphicsFrom 2017, the public cloud market jumped from $146 billion to $178 billion and continues to grow at a rate of 22 percent. With half of global enterprises that will rely on at least one public cloud platform to drive transformation in 2018, there are clear implications for disaster recovery (DR).

In a recent Disaster Recovery Journal webinar, Jim Olson of Iron Mountain Data Centers and our own Brandon Tanner discussed the rapid rise of the public cloud and explored two DR scenarios:

  • Recovery to public cloud-based IT
  • Recovery to colo or hybrid IT

To see what they had to say, view the webinar on demand here.

Is Your Business Prepared for a Tornado?

2017 was a record-setting year in terms of the cost of severe weather damage. With that fact top of mind since we’re in the peak of tornado season, it’s important to make sure your business is prepared for a natural disaster.

Here are some steps you can take to protect your business before a tornado strikes:

  • Have medical supplies on hand. 
  • Purchase a portable AM/FM radio and spare batteries to ensure you’ll have a way to follow weather updates if the power goes out. 
  • Look for the following danger signs: dark, often greenish sky, large hail, low-lying clouds (particularly if rotating) and a loud roar similar to a freight train. 
  • Vault your data off-site and test your disaster recovery systems regularly. 
  • Plan how you’ll reroute phone calls. Consider the possibility that you might not have cellular service in the event of a widespread blackout. 
  • Test your business continuity and disaster recovery (BC/DR) plan and gather employee feedback.

To further prepare your business for the damage a tornado can cause, download our full Tornado Preparedness Checklist.

Millennials Are Tech-Savvy. Can Your Financial Institution Keep Up?

Millennials using technology
Millennials are now the largest consumer segment in the United States, and their buying behaviors are shaping every segment of the marketplace. Millennials’ expectations are influenced by technology giants like Apple, Google and Amazon. Even industries that have traditionally relied on face-to-face interactions — like education and healthcare — are being transformed by technology.

The financial industry is not immune. Financial institutions are being forced to adopt new technology that provides alternative financial models emphasizing automation and speed. As one article put it, banking for millennials is all about the apps. While big banks might have the wherewithal to adapt their service models to appeal to this tech-savvy generation, you’re having a harder go of it if you’re a small or midsized institution.

Part of the problem is that small IT teams tend to focus more on maintaining back-office technology rather than on new technology to drive the business forward. Sometimes this is out of necessity — compliance and cybersecurity challenges are also a priority, so IT spends time securing systems, servers and sensitive data.

If you don’t adapt to customer demands, however, you’ll lose market share to other, more tech-oriented companies. How do you keep up?

Bimodal IT

In 2014, Gartner coined the controversial concept of bimodal IT. It’s an IT service delivery model in which IT is divided into two separate, coherent modes:
Bimodal IT graphic

  • Stability: This mode involves the operational side of IT, including user support, data backup, etc.
  • Agility: This mode is focused on innovation. It involves experimentation with new technology.

The idea is that by having personnel dedicated to innovation, the business can keep the lights on with stable IT while developing new technology-driven products and services.

Fast and Innovative Business Technology

The concept of bimodal IT set the IT industry abuzz, but not everyone is singing its praises. Forrester, for example, did its own research that says bimodal IT can’t keep up with fast-changing customer and product life cycles. “There is no longer a place for slow IT,” said the principal analyst for the project. To support rapid innovation, everything must be up to date and fast: platforms, processes and personnel.

Gartner or Forrester: Who Has the Best Answer?

There will always be different perspectives on IT management, but in today’s world, there are a couple of principles that ring true across the board:

  • Customer needs must shape the business’s products and services on an ongoing basis.
  • Stable, or slow, IT should not interfere with responding to those needs.

As a smaller institution with limited IT staff, ensuring that technology keeps pace with customer demands is a challenge. Outsourcing basic maintenance functions such as data backup and recovery can help you prioritize meeting industry demands.

For example, a CIO in Spokane, WA realized that by outsourcing data vaulting and recovery, he could keep up with evolving technology, reduce cyber risk, meet his recovery time objectives and reduce costs. In fact, after doing a cost analysis of in-house management versus outsourcing, he found that keeping this function in-house was more expensive due to hiring, benefits, training, PTO and day-to-day maintenance. He also found that it was less efficient — he’d need 1.5 people to perform the outsourced functions.

As millennials continue to influence service delivery models, the question is not if you’ll respond to their demands, but how.

To read more about how millennials are impacting your business, read this post.

BCAW 2018: [INFOGRAPHIC] 10 Questions to Improve Organizational Resilience

A business continuity plan is only as good as its execution, right? But what happens when everyone is so immersed in their own worlds that your organization’s priorities aren’t clearly communicated and, as a result, aren’t reflected in the recovery strategy? What if everyone has different ideas about what organizational resilience means? What if they only care about the areas of your strategy that pertain directly to them?

The Business Continuity Institute is calling for a solution to these issues with the theme of Business Continuity Awareness Week 2018: “Working Together to Improve Organizational Resilience.” In keeping with that theme, we’ve created the infographic below to help you break down barriers within your organization. Use the 10 questions to start important conversations on how your business continuity strategy meets and reflects your organization’s goals and mission.

[INFOGRAPHIC] Breaking Down Silos: 10 Questions to Improve Organizational Resilience

Did you find the infographic helpful? If so, please share it on social media with the hashtag #BCAW2018.

Hurricane Preparedness: Has Your Business Done These Things?

Hurricane season starts June 1. Last year’s season proved to be the costliest one to date, and experts say the 2018 season is shaping up to be more active than usual. To make sure your business is ready, follow the tips below.

Involve Your Community

Business continuity isn’t just about your business. It’s about your community. That was especially evident after hurricanes Harvey and Irma, when businesses and private citizens alike banded together to help each other.

Check out the CDC infographic below for advice on making sure you and your community are prepared for a disaster.

Neighborhood Preparedness Infographic

Think About Your Employees’ Needs

Is your business continuity plan compatible with your employees’ and community’s needs? Employees who take pride in their employer are more likely to work hard and stick around for the long term. Similarly, customers are more likely to remain loyal to a business they trust. When planning for major disasters like hurricanes Harvey and Irma, remember the human side of business continuity.

Take First Community Bank, for example. After Hurricane Harvey last year, the bank’s employees jumped on board with serving their devastated community because they believed in their employer’s mission. Watch the video below to see how they responded to the aftermath of the hurricane.

Learn From Past Storms

Hurricane season 2017 is proof that you never really know what to expect from Mother Nature. Here are three business continuity lessons we learned from the storms that year:

  • Public-private sector cooperation is critical. Participating in cross-sector preparedness initiatives helps you familiarize yourself with first responder procedures and improve your disaster response protocol. Joining an LEPC is a good first step.
  • Little details make a big difference. No plumbing. Power outages. Permits not approved for alternate workspaces. Lack of fuel for generators. After Harvey, these are a just a few of the challenges affected businesses faced. Make sure to address these logistical issues in your business continuity plan.
  • People need food, water, shelter… and internet access. After a disaster, internet connectivity and cell service are often impacted, so providing internet access is an important way to help your employees and customers. For an idea of what technology you’ll need, check out the American Red Cross’s Disaster Relief Operation (DRO) Push Kit (flip to page 15).

By using lessons learned from past disasters, you increase your ability to successfully weather future disaster declarations.

For more tips, download our Hurricane Preparedness Checklist from our resources page.

Millennials and Business Continuity: Risks and Opportunities

Busy people graphic
Back in 2015, Pew Research found that millennials had surpassed Gen Xers as the largest generation in the U.S. workforce. By next year, millennials are expected to meet a new milestone: the nation’s largest living generation in terms of population.

With that being the case, it’s time to think about how the rise of millennials in the workforce affects your business continuity strategy. Below we’ll explore the risks and opportunities this generation presents.


Susceptibility to Fraud

Anyone with aging loved ones has likely worried about them falling victim to scams. They didn’t grow up with technology, so they’re more likely than young people to get taken advantage of, right? According to a report from the FTC, this belief isn’t as accurate as you might think. In fact, adults ages 20-29 were twice as likely to lose money to fraud than adults over the age of 70.

With the threat of sophisticated phishing and social engineering scams, you need to ensure you frequently train your employees on cybersecurity best practices. To keep millennials engaged in training, incorporate stories and include graphics among large amounts of text. Some companies are even gamifying their cybersecurity training.

High Turnover

A Gallup report reinforced the common stereotype of millennials being known as the “job-hopping generation.” The report found that 60 percent of millennials are open to new jobs, and only half strongly agree that they’ll be with their current company a year down the road. This high turnover comes at a high price to the U.S. economy: $30.5 billion each year.

High turnover is also a problem because it disrupts processes internally, as knowledge has to be relearned and processes have to be re-established. To reduce the impact of turnover, make sure critical processes are documented and stored in a central location that’s easily accessible to employees.

Pro tip: If the turnover is happening with business continuity and disaster recovery (BC/DR) roles, having a business continuity vendor who is familiar with your BC/DR plan helps reduce the impact of knowledge loss.


Desire for Corporate Social Responsibility

Most millennials (just over 92 percent) want to work for a company that is environmentally and socially responsible. As severe weather events and other business continuity threats expand their reach, businesses will need to consider how they can contribute to the community’s resilience. Help your employees see that your business continuity strategy is not just a way to protect your business but a way to preserve the community where employees and customers live and work. Once millennials understand how your business continuity plan impacts the community, they’re more likely to be more enthusiastic about engaging in business continuity tests and suggesting new ideas.

Fresh Perspectives

The Disaster Recovery Journal (DRJ) views the rise of millennials in the BC/DR profession as a resource, not just a challenge. The organization is specifically asking for the opinions of young business continuity professionals to help the DRJ team better understand the latest communication technology (e.g., Slack) and issues facing young professionals. They can then use this knowledge to foster positive growth and change within the industry. Consider a similar approach within your own business.

Although millennials change jobs frequently, they can bring with them new perspectives gleaned from the different industries, positions and departments they’ve worked in. They might even have some insight you can use to update a stale business continuity strategy. Plus, despite being more likely to fall for fraud, millennials tend to be up to date on the latest technology. Leveraging this knowledge can help you streamline your response during a disaster.

Whether you’re prepared for it or not, millennials are already affecting business continuity. After all, they are your business (or at least a large percentage of it). How will you respond?

FFIEC Update: Statement on Cyber Insurance and Risk Management

FFIEC Update graphicAs cyber attacks increase in volume and sophistication, does your financial institution need cyber insurance to reduce its risk? According to a statement from the Federal Financial Institutions Examination Council (FFIEC), financial institutions are not required to maintain cyber insurance. However, considering that traditional insurance policies might not cover data breaches, your institution might find value in a cyber insurance policy. Bear in mind, though, that insurance doesn't replace an effective risk management program.

For more information, read the FFIEC press release and get our take on how cyber insurance affects business continuity planning.

Popular Posts