Engagement with C-level execs in business continuity planning is on the rise, but IT staff are still too heavily involved. This is according to the a study conducted by Databarracks, which asked over 400 IT decision-makers in the UK a series of questions surrounding critical issues relating to IT, security, disaster recovery and business continuity practices.

Senior leadership (CEO, CFO, MD or FD) are increasingly in charge of business continuity plans, with 25% of the sample falling into this category (up 4% from the previous year). Meanwhile, IT is in charge at 42% of organisations.

Managing director at Databarracks, Peter Groucutt said IT should indeed be involved, but they should not be directing the whole show.

“Business continuity is a consideration for leaders across the entire business, not just the IT department. It’s fine for IT to be involved, but the overall direction should come from management in the wider business. This is the best way to ensure that BC plans are effectively implemented and embedded throughout the business.

“We’re seeing signs that more C-suite executives and other business leaders are taking control, but the pace of change remains slow.”

“It’s important that a wide range of people – including IT leaders – are involved in writing BC plans. But we’re still not seeing enough buy-in from the C-suite. The largest companies generally have a business continuity manager (or even team) in place, but SMEs won’t normally have a dedicated member of staff for business continuity. For those that don’t, business continuity tends to be pushed to IT, rather than being handled by senior management.”

“IT is actually a very good department to be involved in business continuity planning. Technology is now central to all aspects of operations so IT understands the impact of interruption better than most. If IT is provided with sufficient resource, budget and support from the top levels of the business it will do a great job. In practice, it tends not to be a deliberate, considered choice. It’s handed-off to IT to do as an addition to IT resilience and recovery, without an appreciation of the additional workload and without the support to embed business continuity across the business," he added. “Like cyber security, risk and governance, business resilience is an issue that must be addressed at the board level.”

Dr David Hitchen, who has spent the last 12 years auditing organisations across the UK, Europe and the Far East, concurs. "A common strategy is to delegate oversight of business continuity to the IT department due to the critical dependencies and often 'zero' maximum tolerable period of disruption of IT services," he explains.

"However, this can lead to insufficient attention to other human and physical factors in maintaining resilience and providing continuity of an organisation's other critical activities, including those with critical suppliers."

Share Story: