Moving BC into the corporate mainstream: business continuity is in flux--as an industry and profession--as it seeks to find its stature, status and funding in corporate America.

• Author: Quinn, Lawrence Richter
• Position: Corporate business continuity planning

Shareholders might well expect that, 11 years after the first attack on the World Trade Center, corporate business continuity planning (BC) would be a well-oiled machine--one that is ready to kick in at a moment's notice, to handle virtually any contingency. That, unfortunately, appears to be far from the case at a vast number of companies--despite 9/11, SARS, last summer's Northeastern power outage and information technology (IT) challenges, from Y2K conversion to today's security concerns and other crises.

Today, as in years past, many corporate board members--and BC professionals themselves--don't consider BC to be a board-level and shareholder value issue. As such, it often gets just an annual review, at most. And, BC professionals don't generally consider themselves "risk managers" or part of the evolving world of "enterprise risk management."

BC remains within the corporate structure, with no agreed-upon "best practices" or up-the-ladder reporting structure. As a result, BC executives report variously to the chief counsel, chief information officer (CIO), CFO or head of security, among others. Also, there is no clear career path in place for those in BC to move up.

BC executives can't even agree on what to call themselves. In some cases, their title is "Director of Business Continuity," but it's just as common for them to be "disaster planners," among others. In short, corporate BC is frequently in turmoil, without the funding and respect being accorded its counterparts in government, whether federally through the Department of Homeland Security, or locally, at state and city agencies.

"Business continuity is perceived as an expense that doesn't necessarily have any immediate payback," says industry newsletter CPM Global Assurance editor-in-chief Paul Kivan. "BC hasn't traditionally been addressed at the CEO level; unless something happened specifically, it wasn't an issue. It's never been an easy sell within most corporations."

The result, he says, is that "BC professionals have looked for quick and dirty solutions that get management off their backs. But if that's all you do you're going to end up right back where you started."

Others agree. Charles Jones, business process owner for New Haven, Conn.-based power-provider United Illuminating Co., says BC is viewed as one of those necessary evils. "Like insurance, nobody wants to buy it. Nobody wants to do business continuity and put all the planning and resources into it, but they know they need to have something in place to mitigate BC risks."

Mike Carpenter, a partner in information risk management at KPMG in Atlanta, offers a slightly less harsh view. "Boards are generally aware of the need for comprehensive risk management and contingency planning specifically at the board level. On the other hand, I have not seen a board member come down to management and say, 'If a plane crashes into us, what do we do?'"

...