Thursday, June 12, 2008

ERM-BC-COOP: Risk Czar

To my simple mind, one of the primary risks to any ERM/BC/COOP effort lies with the ERM/BC/COOP organization itself.

Emergency Risk Management (ERM), Business Continuity (BC), and Continuation Of OPerations (COOP) programs need to be structured similarly to the military.

At the very top is the Commander-in-Chief; in the Several States, the nation's president.

The CinC's top military person is the Defense Secretary, the SecDef, who holds a Cabinet-level position.

Reporting to SecDef is the Chairman of the Joint Chiefs of Staff; the chiefs of staff are the top managers of each service.

In the risk management world, the CinC is the corporate executive, either an individual (CEO) or executive team where, hopefully, one person is "more equal" than the others; someone has to be where the buck stops.

SecDef equates to the risk management sponsor, ideally a "C" title (CEO, CFO, CLO*, COO).

The Joint Chiefs' chair is the Enterprise Risk Management Director - it would be great if this person were at the SecDef/"C" level, but given the state of recognition for ERM, this is pretty much wishful thinking.

The other Chiefs of the Joint Chiefs are functional unit heads on the Enterprise Risk Management Director's level but outside this person's authority. There is a "dotted line" relationship of peers.

The Enterprise Risk Management Director is responsible for, among other things,

  • Business Continuity (proactive functions)
  • Contracts (review of critical vendor plans)
  • Contracts (with ERM vendors)
  • Crisis Management (including Communication)
  • Disaster Recovery (reactive functions)
  • Documentation creation and maintenance (with Tech Pubs)
  • Personnel Awareness & Safety (with HR input)
  • Policies & Procedures (as they relate to ERM)
  • Training and exercises (disaster response)

The ERM director has all the usual management functions such as budgets, staffing, etc.

Depending on the size of the organization, the ERM director may departmentalize some of the functions and anoint - sorry, appoint - managers to be responsible for the day-to-day operation of the various functions.

The ERM director is the Risk Czar, the King of Continuity. The "director" title is appropriate since, if an event occurs, the ERM director (or alternate - even a director needs an alternate) "directs" operations - and assures that all responders have what they need to succeed; the technical name for this activity is Gofer, as in "go for this" and "go for that." (The "gofer" role may be the director's most important job if all responders are capable.)

The bottom line is that there must be a "supreme commander" with the knowledge and authority to coordinate all activities; to assure that, if Business Continuity is separate from Disaster Recovery, both groups' efforts dovetail to a common goal; to assure that there is a smooth hand-off from Crisis Management to Disaster Recovery to Business Continuity; and to assure that everyone knows not only what is expected but also by whom.

Picture a relay race.

The fellow with the baton comes charging up to a group of three other fellows standing around; only one is eligible to receive the baton, but the current baton wielder doesn't know which one is THE one.

The ERM Director needs to know - and share with all the troops - who hands off what to whom.

* CLO = Chief Legal (Law) Officer

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity Planner @
