Disaster Recovery Journal Spring 2025

Organizations Will Morph Depending on Program Goals Resilience is a multidisciplinary program whether the goals are business continuity, operational resilience, or business resil ience. However, the goals of the program have direct effects on the organization. Reporting To the COO Is an Emerging Best Practice Some mandates, like APRA Op Res, require programs to report to the COO or a similar role. For respondents who primar ily work in operational resilience programs, this holds true: 24% said programs report to the COO. Those with programs that report elsewhere, such as the CISO (21%) or CIO (10%), will need to reorganize to match these mandates. Respondents who primarily work in a BC program and those who primarily work in business resilience are most likely to report to the CISO (22%). But that’s the only commonality for these programs. After the CISO, those who primarily work in business resilience report into “other” (17%) or the COO (14%), while those who primarily work in BC report to the COO (16%), CRO (16%), and CEO (14%). Across all programs, the prominence of programs that report to the COO indicates an emerging best practice. The COO knows how the business runs, can support a shared practice with common tools, and can remain objective and independent of the lines of business (which have a personal stake in the prioritization of services). Most Programs Lean Toward Centralization Resilience programs must understand what is worth protect ing. For operational resilience, the mandates have dictated any customer-facing service is important/critical. However, an orga nization must first decide what these services are. Some organi zations will decide based on a formal business impact analysis. Others will negotiate with the lines of business or executives to decide on the list annually. In any case, this process depends on centralized efforts. This is why 41% of respondents said

their teams have some centralized, dedi cated members – with others decentralized throughout business functions or depart ments (see Figure 2). This type of feder ated organization balances the need for centralized prioritization of services while keeping close ties to the business that resil ience programs are meant to keep running. Thirty-five percent of respondents said their team was centralized; this type of organiza tion allows for coordinated resilience efforts around a common purpose. Practices Must Finally Evolve to Meet Operational Resilience Mandates Some practices, such as testing frequency and type, have not significantly changed since our survey began more than 15 years

10 DISASTER RECOVERY JOURNAL | SPRING 2025