Who Holds the Purse-strings on Incident Management Spending?

During the process of developing a Business Continuity Plan or strategy, it is easiest to focus on the larger picture: to understand the major impacts and potential roadblocks. But when putting that Plan on paper (figuratively or literally), it is time to think about more granular logistical needs and issues. One that is often overlooked is where – and how – the money will come from to pay for that recovery strategy. A good plan must document that process, or create one if it doesn’t already exist.

Even if one assumes that the organization will pay any price to recover its business operations in the most timely manner possible, questions remain:

  • Who has the authority to approve expenditures?
  • What are the limitations of that authority?
  • What is the process needed to gain approval of expenditures?
  • How will expenses be documented?
  • How will vendors and suppliers be paid?

If the Business Continuity Plan calls for moving personnel to another office many miles away, how will their transportation costs (airline or train tickets, fuel reimbursement) and lodging be paid?

If the recovery of a Facility requires the hiring of contractors and tradesmen to begin repairs, do those efforts need to go out for bid?  Who is responsible for selecting those suppliers?  And how will incremental payments be made?

If IT requires replacement of equipment, must they still follow sourcing procedures – or are those suspended during the disruption? How will the transaction be consummated? Is there a manual Purchase Order workaround or a corporate purchase card – or must someone charge the expense to their personal credit card?

Can that same IT Recovery Team Leader buy anything she needs – or must she get approval for acquisitions over a certain amount?  Is that amount per item or cumulative?  In what form must that authorization be documented?  Who keeps track of the expenditures incurred – and how?

These are all fairly straightforward questions. But, surprisingly, they are often not addressed in Business Continuity Plans. When the organization is already in a state of chaotic turmoil, it is precisely the wrong time to find out those answers (or worse, to find out there are no answers!).

Have your organization’s Finance, Purchasing or Accounts Payable functions already documented answers to those questions in their Business Continuity Plans?  If so, make sure they are neither contradictory nor kept a secret from the rest of the organization.

Recovery Teams who understand the limits of their purchasing authority will be able to act quickly without risk of overstepping it. Asking the right questions will enable you to provide the proper guidance to all BCM Teams.

Jim Mitchell

A frequent speaker at Business Continuity conferences, Jim Mitchell has published articles in DRJ, Continuity Insights and Continuity Central, and many of his blogs can be found elsewhere on eBRP’s website. Jim has more than 20 years of experience in Business Continuity; if you don’t agree with his opinions – he won’t be surprised.
