Assigning Accountability for Business Continuity Programs

C.

The accountability for a business continuity program for business-critical systems should be assigned to a person or function that has the necessary authority, expertise, and responsibility to ensure the program's effectiveness. The following are the explanations for each option provided:

A. Director of internal audit: The director of internal audit is responsible for evaluating the effectiveness of internal controls and risk management processes. While they may have expertise in evaluating the adequacy of business continuity plans, they do not have the necessary authority to ensure the program's effectiveness. Assigning accountability to the director of internal audit may also create a conflict of interest since they may have audited the same program, which they are now responsible for.

B. Enterprise risk manager: The enterprise risk manager is responsible for identifying, assessing, and managing risks to the organization. Business continuity is a critical aspect of risk management, and the enterprise risk manager may have the necessary expertise and authority to ensure the program's effectiveness. However, assigning accountability solely to the enterprise risk manager may create a siloed approach to business continuity, and the program may not receive adequate attention and support from other stakeholders.

C. Chief information officer: The chief information officer (CIO) is responsible for the organization's information technology (IT) function and may have a significant role in ensuring the effectiveness of the business continuity program for business-critical systems. The CIO is familiar with the IT infrastructure and systems that support critical business processes and can ensure that the business continuity plans are aligned with IT strategies and priorities. However, assigning accountability solely to the CIO may create a narrow focus on IT aspects of business continuity, and other critical aspects such as people, facilities, and communication may not receive adequate attention.

D. Chief executive officer: The chief executive officer (CEO) is responsible for the overall performance of the organization and is ultimately accountable for the success or failure of the business continuity program. The CEO has the necessary authority and responsibility to ensure that the program receives adequate attention and support from all stakeholders, including the board of directors, senior management, and operational staff. Assigning accountability to the CEO also ensures that business continuity is integrated into the organization's strategic priorities and risk management practices.

In conclusion, the BEST option for assigning accountability for a business continuity program for business-critical systems is the chief executive officer (CEO). While the other options may have some expertise and authority in business continuity, assigning accountability solely to them may create a siloed or narrow focus that may not adequately address the program's complexities and risks.