Getting upper management buy in for business continuity!

From an ICT perspective, how hard is it to get buy in from management when it comes to a business continuity program?   If you are finding it hard then you may not be explaining the situation correctly.   A large failing with ICT people is the concept that when you try to sell projects to management that you focus on the technology, not the benefits and solutions that a good project will deliver to the businesses bottom line.

When it comes to any ICT project there is a predominant focus on the Bright Shiny Object Syndrome (BSOS).    This can be a total failure when it comes to getting the project through management and on to board level approval.   So how do you ensure that your business continuity plan, disaster recovery plan and risk assessment get the required support from that level of the business?

Any project that has to be put up for approval has to do one of two things for the business, it has to have a noticeable impact on the bottom line preferably positive and it has to deliver on its promises.   So how do you do that?


These are a great way to get a project noticed.   It does not have to be all doom and gloom but it does have to peak the interest of the reader and keep them reading to the final page.   Like a good novel you need to get the reader hooked and keep them hooked till they see your point of view, and believe in the proposal that you have put forward.

Most ICT proposals are full of the technology and the mumbo jumbo that puts normal people to sleep.   Yes they have a place in the proposal but it should always be restricted to one or two sections of the proposal.    But do not go the other way and fill the proposal with sales speak with no substance.    You have to find the line between technological information and the salesey spin to get the proposal to the level where the management team will agree with it.

Disaster recovery and business continuity plans, if not done correctly have major consequences for ANY business.   If you combine that with the fact that a disaster, security breach or data theft can cripple the business and put everyone out of a job you have a relatively good way of emphasizing the importance of such a plan.


You have got your proposal to the right people, or have you?  To get through the levels of management in the business your proposal also has to have a level of assertiveness.   You have done away with the sales spin, you have emphasized the business benefits and you have shown how it will improve the bottom line.   Assertiveness is the hard sell that you have to do to get management to spend money on your recommended proposal.

Management are always faced with increasing pressure from the bottom line.   There is always a fight for the different sections in the business wanting the limited funds to be spent in their area.   HR want to send people on an OH & S course, sales want to increase their staff levels, management are looking to add people to the board and there is you, with a critical proposal that will keep all of these areas working, who have to go cap in hand to management to get funding.

It’s just not fair is it?

Well suck it up princess, this is the way of the real world!!

Your proposal has to be more persuasive than the others proposals put up by other areas of the business.   Get assertive, explain the problems and give solutions, tell them, as politely as possible, that their business requires a decent BC & DR plan because without it they could all be looking for new jobs.


So you have detailed the consequences and you have asserted you reasoning on management.  You have now got to ensure that no matter what management need to spend money on for your project the may never have a reason to be deployed.   If you are doing your job correctly as an IT manager, CIO or the like then a disaster may never come to pass.   But we pay for insurance without a return, that is what the DR and BC plan is all about.

A good BC or DR plan may never be put into effect, you may never experience a total melt down of the system or be the target of a cyber criminal attack but without the knowledge that it is in place business could suffer.

This is where communication comes to the fore in regards to selling the requirements of a good plan.   Although it is not all doom and gloom, the communication of the business requirements and the consequences of something happening have to be known and explained in detail.  To make them all known you have to communicate.

This can be a lot easier if you can develop some level of sponsor at management and board level.   Someone who understands your requirements and reasoning, because you have explained it to them, and will now go forward and explain it, with your help, in business terms to the next level of corporate structure.

Test the plan

You have done all of the sales pitch and your proposal has gone through, been funded and is now in place.   To ensure that everyone knows what to do you have to test it regularly.   It also needs to be updated as required with technological changes and changes to business directions.   Going to the cloud for some business reason then you DR and BC plans have to reflect those changes.

To test it requires the implementation of a testing regime.   A full blown DR test should be done at least once every 12 months.  this test should have involvement and inclusions from every part of the business.    If a major disaster happens you need to ensure that you do not have everyone running around bumping into each other.

These tests should be conducted with some level of adjudication, for instance, there is a fire in the building next door but your staff cannot get to the office – what is your process to ensure that your business has included this risk.    The adjudicator can make decisions of what is feasible and what is not, what is possible and what is not and most importantly if it was included in the plan and if not why not.

Smaller test should be carried out every quarter to ensure that smaller components are tested.  Again for instance – your Internet is down how do you access you cloud based system, your server has failed where is the backup data and where do we restore it to, your phone systems have failed how are your customers going to get to you.

These are small but critical tests.   These smaller tests also find other problems.   HR have instigated a new system that has not gone through the IT section but it stops working when you are testing something else, you can now apply the DR and BC plan to this new system and make sure that it is included.

The best thing is that it is a test, your solution doesn’t work, Then change it and retest, still doesn’t work then change it again and retest it.   As long as you have this attitude then when that real disaster happens you will not be the one in the firing line and on top of that your business will flourish no matter what the obstacles.

This whole process is about changing the culture of the business, ensuring that the business is sustainable.   If you are communicating these tests to the rest of the company then the role of ICT will be viewed totally differently.   You will be seen as having a finger on the pulse of the business and your knowledge of the business culture will be forever cemented in their ideas.

Roger Smith, is an educator. Teaching students at ADFA (UNSW) and showing them how vulnerable they are to cybercrime.

He is also CEO at R & I ICT Consulting Services Pty Ltd, an Amazon #1 author on Cybercrime and founder of the SME Security Framework. He is a Consultant who specialises in inexpensive and highly effective security strategies for small and medium businesses and not for profit organisations.

He has developed and authored the SME Security Framework and the Security Policy Training Course which are considered to be the definitive guides to helping SME's protect their organisation using the principles of Technology, Management, Adaptability and Compliance.