This document outlines a 4 step framework for creating an enterprise business continuity program with increasing levels of maturity. Step 1 is to gain executive support by making the business owners responsible for business continuity. Step 2 is to scale the program by assigning business continuity managers and leads at different organizational levels. Step 3 is the implementation, which involves delivering ownership to business leaders, training business continuity managers, and having them train leads in their organizations. Step 4 is engaging the business and maturing the program over time by building a community of practice, updating the program, and integrating with other risk areas. The goal is to increase business expertise while decreasing reliance on the corporate group.

1. Four Steps to Creating an
Enterprise Business Continuity
Program

2. Scott Baldwin, CBCP, MBCI
Scott is the Global Head of Business Continuity at eBay, where he successfully led
the effort to rebuild the enterprise BC program after the eBay/PayPal split. Since
entering the Resiliency field in 2005, Scott has had the opportunity to work in
every aspect of BCDRCM and worked in the retail, financial and technology
sectors. Before finding Resiliency, Scott was a software engineer and technology
manager, giving him a technical approach to BCM. Scott is a frequent speaker and
contributor at industry conferences, webinars and publications.

3. Basics of BC Program Building
• There is no one ‘correct’ way to build a program
• No organization is the same, so this framework will need to be
customized to yours
• Use judgement on scaling this framework – especially for smaller
organizations

4. Terminology – Program Maturity Levels
Compliance
Readiness
Resilience

5. Compliance
• Sustainable
• Updated on a regular basis
Absolute minimum requirement for a functioning enterprise program
Absence of any of these components would likely result in most audit failures
• Basic BCP Activities:
• Executive Communication
• Business Impact Assessment
• Business Continuity Plans
• Validation Exercises
• Enterprise-Wide
• All areas of the enterprise need to be accounted for

6. Readiness
• Compliance Achieved
• Ownership of Business Continuity truly in the hands of the Business
• Business owns the responsibility for recovery and are on the front line of
defense
• Realistic, Useful and regular functional exercises are taking place
• Inter-departmental, inter-disciplinary exercises conducted at an appropriate
cadence.
The ability of the business to respond to a disruption or impact

7. BC Resilience
• Compliance Achieved
• Working closely with other risk areas to identify, mitigate and avoid
impacts of risk
• Using other risk group policy and controls, conduct risk assessments and enact
proactive strategies to avoid disruptions
• Readiness Achieved
• Corporate group spending time training and mentoring, rather than
conducting actual BC activities
The ability to proactively identify & mitigate risk and avoid impact

8. Two Common Scenarios
• Program Reboot Cycle
• Compliance Lock

9. Program Reboot Cycle
Program
Initiation
Stall
Failure
Reboot 2010 2013 2016
New Management New Management
Consultants Brought In

10. Compliance Lock
• Compliance achieved, but at the
cost of 100% effort.
• Must continue to ‘swim’ or face the
possibility of sinking
• Maturity or progress impossible to
obtain without additional
headcount
• Program is not sustainable long
term

11. Two Common Scenarios
• Program Reboot Cycle
• Compliance Lock

12. Step 1. Gain executive support
The Framework

13. Gaining Executive Support…
…is in every standard,
best practices, guidelines,
etc…
…yet is consistently listed
as one of the reasons BC
programs fail.
Gap?

14. Types of Executive Support
• Count your lucky stars and take advantage – it’s rare!
• Usually the result of 1 or 2 passionate members of the board or Executive
Leadership Team
• Ask, ask ask!
• However – it probably won’t help you long term…
• Supportive leader can change focus, or even leave the organization
• Leaving you without sustained support
• Found in financial institutions, governmental bodies and other highly
regulated sectors
• Typically results in official policy approvals and, at best, compliance level
programs
• Does not typically convert to business engagement
Actual Executive Support
Official Executive Support

15. The
Thing needed for this
framework to be successful…
While ANY executive support is good..
Is agreement and official policy approval
giving total BC ownership to the business

16. • Business area BC audit results Owned by the business
• Actual disruption response Owned by the business
• Compliance responsibility Owned by the business
•All business area BC responsibility
Owned by the business

17. Arguments for Business Ownership
• True Subject Matter Experts in their Areas
• As the SMEs for their areas, the business is the only group who can truly
understand and describe the best way to conduct their business during an
adverse situation.
• Ownership Produces Motivation
• Without the feeling of ownership, the business will simply assist with BC tasks
when it is convenient, or when forced. With ownership, the relationship
between the business and corporate group changes: Instead of the Business
doing us a favor and helping us to do OUR job, WE are helping the Business
do THEIR job.

18. Step 1. Gain executive support
The Framework
Step 2. Scaling the program

19. L1 – #12
(SVP – Division)
L2 – #70
(VP – Business Unit)
L3 – #200
(Director –
Department)
L4 – #1500
(Manager – Process)
Corporate Group #4

20. C x (15 to 20) = P
Where:
C = size of the corporate team
P = number of programs supportable
This framework is scaled out by a
simple equation :

21. 4 x 15 = 60
4 x 20 = 80
Your group can support 60 to 80 programs
So, if your corporate team consists of 4 people

22. L1 – #12
(SVP – Division)
L2 – #70
(VP – Business Unit)
L3 – #200
(Director –
Department)
L4 – #1500
(Manager – Process)
Corporate Group #4
Programs at L2 level and owned by the VPs

23. 1 x 15 = 15
1 x 20 = 20
You can still support 15 to 20 programs
Now, what if you are an army of 1?
No problem…

24. L1 – #12
(SVP – Division)
L2 – #70
(VP – Business Unit)
L3 – #200
(Director –
Department)
L4 – #1500
(Manager – Process)
Corporate Group #1
Programs at L1 level and owned by the SVPs

25. • The programs and ownership level will dictate the length of time
implementation will take
• Each program will push down towards the process level, the further from that
level, the longer it will take
• Program sweet spot
• Programs should, ideally, be placed somewhere in the organization that will
provide it with enough power and authority, but not where it will be ignored
• Customize to your own organization
• Instead of reporting levels, you might define your organization by geography,
subsidiaries or other criteria that works for you.
Thoughts on Scale

26. Step 1. Gain executive support
The Framework
Step 2. Scaling the program
Step 3. Implementation

27. Implementation
• Delivering Ownership
• Program Building

28. Asking the business for support
’Asking for a favor’
Offering to support the business
‘Granting a favor’
Delivering Ownership

29. Corporate Group #4
Visit the leader of each and every group at the
selected level
Delivering Ownership

30. Delivering Ownership
• The Executive Overview
• Explain the corporate expectations
of ownership (Leveraging step 1)
1. Create the problem
• Most leaders will have no idea how to develop or manage resilience capabilities
2. Offer to solve the problem for them
• Describe the conditions
• Describe your guarantee

31. Conditions
• Provide a ‘Business Continuity Manager’ (BCM) to run their program
• Not a ‘coordinator’ or ‘champion’ – but a program ‘Manager’
• The BCM will be authorized by the leader to act in their stead
• The corporate group will train, mentor and support the BCM until they are
deemed to be experts in the basics of business continuity planning
Delivering Ownership
• Support the program
• Communicate to their organization their backing of the new program
• Enable the BCM to spend time owning their internal BC program by making it
a priority
• Add BC program management on BCM’s measurable annual performance goals

32. Guarantee
• IF the business leader provides an engaged BCM and makes the BC
program a priority, the corporate group promises:
• A compliance level, audit-ready program
• An internal group ready to respond to impacts
• Create an internal certification program
Delivering Ownership

33. • Training the BCM – Responsibilities Include:
• First line of defense for their organization
• Will work with leader and corporate group and activate any response as required
• Ensuring all BCP compliance activities are completed
• Initial Review and approval of BCP activities
• Own the BIA process
• Training the BC Leads (Planners) for each department within their organization
• Ensure appropriate validation is conducted
• Methodology
• Watch – Participate – Own
• Certification
• When BCM can manage compliance and understand departmental recovery
strategies, corporate group provides certification
Program Building

34. Corporate Group #4
Train the trainer: Each BCM will assist in
selecting and training a BC Lead from the
organization layer below.
Program Building

35. Compliance
Readiness
Resilience
AdvancedExercises
BusinessOwnership

36. Step 1. Gain executive support
The Framework
Step 2. Scaling the program
Step 3. Implementation
Step 4. Engaging the Business/Maturing the program

37. Engaging the Business
• Create a sense of Community
• Pushing programs to the business will begin the enculturation process
• Create Community of Practice meetings for BCMs and BCLs
• Develop a BCM/BCL newsletter
• Meet regularly with the organization leaders to provide status updates,
encourage the BCMs to own and lead the conversation
• Meet monthly with each BCM, weekly during update quarter

38. Maturing the Program
0
25
50
75
100
75
50
25
0
10
20
30
40
50
60
70
80
90
100
Corporate Effort & Business Expertise
BCM Expertise Corp. Effort

39. Maturing the Program
As the BCMs become experienced and begin owning the compliance
level, the corporate group will begin gaining more bandwidth.
• Develop a robust, realistic training program
• Look at and address any program gaps:
• Vendor management
• Dependency mapping
• Seating reallocation program
• Etc.

40. Risk
With the BCM/BCL program in place, the BC program has a large and
powerful network of engaged teams and individuals across the
enterprise.
• Work with other risk groups to assist with compliance and other risk
assessments
• BCM/BCL network can be leveraged
• Working with the BCM/BCL community on risk will enhance their
understanding of potential dangers and ability to plan for and
respond

41. Compliance
Readiness
Resilience
AdvancedExercises
BusinessOwnership

42. ISO 22301 Training Courses
 ISO 22301 Introduction
1 Day Course
 ISO 22301 Foundation
2 Days Course
 ISO 22301 Lead Implementer
5 Days Course
 ISO 22301 Lead Auditor
5 Days Course
Exam and certification fees are included in the training price.
https://pecb.com/iso-22301-training-courses| www.pecb.com/events

43. ?
scbaldwin@ebay.com www.ebay.comlinkedin.com/in/scott-baldwin-bcp
THANK YOU