Where does the Business Continuity Management team sit within your organization? Is it acceptable for it to sit under the Chief Audit Executive's org?
Director of Finance, 2 months ago

Business Continuity sits with IT in our current org, but is realistically everybody's responsibility. IT often inherits it because so many key processes depend on technology, but it is still a joint effort. Having it roll to the Chief Audit Executive makes sense from a "raising the risk profile" perspective, but may create disconnects and confusion if the people leading the effort to restore operations are not fully embedded within the relevant systems and processes (and likely far more accountable for making sure the business goes on than for checking the business continuity box on an audit plan).

Vice President - Internal Audit and Enterprise Risk Management in Healthcare and Biotech, 2 months ago

Business Continuity sits with IT at my company, as part of the CISO's organization. There is direct linkage to the DR function (also in IT), and it also serves as the central coordinating function for the cross-functional crisis management team.

Regarding functional alignment with the Chief Audit Executive, I would typically avoid it in cases where the CAE only has responsibility for IA. Aligning BC under the CAE in this model would likely create potential independence concerns, at least in appearance.
In organizations where the CAE also has responsibility for broader risk-oriented functions (such as ERM), I think BC can effectively roll up under one of those functions, if structured appropriately. The independence concerns can be addressed by resourcing and managing related audits appropriately, including through the use of co-sourced audits.