The very first objective to ensure success of this program is to have the right resiliency policy in place. It is critical that the policy clearly states that it is the business who owns their own ‘Resiliency Risk’. Additionally, this policy should be approved at the board of directors or similar level to achieve the greatest utility from it. To be clear, the corporate resiliency/BCM group can be tasked with training, support, oversight, etc., but the actual risk ownership must be with the business units themselves. This is called the ‘Golden Ticket’ because it will open doors for you when implementing your program.

You might receive some pushback on this risk ownership, however, it is a relatively easy argument to explain that the BCM group is in no way qualified to understand how each and every business/technology department within the organization operates, let alone how they would be able to continue operations in the face of a crisis. We know resiliency – and we can provide training and support to enable the business to implement it – but we cannot be expected to have the level of expertise that someone within a given area has, and needs, to understand the risks and their specific operational response.

To be clear, the policy should clearly state that the business owns their own resiliency risk, and should be approved by an executive level officer or the board of directors.