Leadership & Strategy

How to Win Executive Sponsorship for Business Continuity: Lessons from the Field

I've worked with organizations on six continents, across every industry you can imagine. The technical side of business continuity is rarely the hard part. Getting leadership to own it is.

Shawn Davidson
Founder & President, Reactforce

The hardest part of business continuity has never been the documentation, the testing, or even the budget. The hardest part is getting the people at the top of the organization to treat it like it matters. After two decades of doing this work across industries and geographies, I've learned what actually works.

I've sat in boardrooms in London and Singapore, community bank offices in the American Midwest, manufacturing floors in the Southeast, and hospital executive suites trying to have the same fundamental conversation: your organization is not as prepared for disruption as you think it is, and here is what we need to do about it.

Sometimes it went well from the start. More often, it took time, the right framing, and a few hard-won lessons about how executives actually think about risk. What follows are those lessons, shared plainly, because if you're trying to build a real BCP program and you don't have leadership behind you, nothing else you do will stick.

"You can build the most technically sound business continuity program in the world. If it doesn't have a champion at the executive level, it will be underfunded, undertested, and forgotten until something goes wrong."

Shawn Davidson, Founder & President, Reactforce

First, Understand What Executives Actually Worry About

The most common mistake I see from people trying to get executive buy-in for business continuity is leading with the technical problem. They walk into the boardroom with a gap analysis, a list of missing controls, and a budget request. The executives nod politely and ask for more information. Nothing happens.

This approach fails because it answers a question nobody at that table is asking. Executives are not thinking about your NIST framework alignment. They are thinking about revenue, reputation, regulatory relationships, and the things that keep them up at night personally.

I've had this conversation in banks that were terrified of their next FFIEC exam. In hospitals where the CEO had personally witnessed a peer institution's ransomware attack and couldn't stop thinking about it. In manufacturing firms where a single production line failure had cost them a customer relationship worth millions. In each case, the way in was not the technical vulnerability but the business consequence that was already keeping them awake.

Before you walk into that room, do the work to understand what your executive team is actually worried about. Then show them, clearly and in their language, how a mature business continuity program addresses exactly that.

My Tips for Getting Leadership Across the Line

1. Lead with a story, not a framework

I have opened more executive conversations with a real story than with any slide deck. Not hypothetical scenarios, not industry statistics, but something that actually happened to an organization their size, in their industry, in their region. A community bank in their state that lost access to core systems for four days. A healthcare network that had to divert patients because their EMR (electronic medical record system) was encrypted. A manufacturer that lost a major contract because they couldn't demonstrate recovery capability during a vendor assessment. Real stories make abstract risk concrete. Concrete risk gets budgets approved.

2. Translate every risk into a dollar figure and a headline

Executives make decisions in two currencies: money and reputation. Every risk you present needs to be expressed in both. Not "we lack a tested recovery plan for our core banking system" but "if our core banking system is unavailable for 72 hours, we are looking at approximately $X in lost revenue, $Y in regulatory penalties, and a front-page story we do not want to be in." I've seen this reframe unlock budget in a single meeting that had been stalled for two years. The risk didn't change. The language did.

3. Use their own words back to them

Before any major executive presentation, I spend time talking to the people in the room individually. I ask them what keeps them up at night. I ask what they'd want to tell the board if something went wrong. I ask what they think their biggest operational vulnerability is. Then I go into the presentation and say, "You told me you worry about X. Here's what that looks like as a risk, and here's what a mature continuity program does about it." People support solutions to problems they described themselves. It's not manipulation, it's listening.

4. Find your internal champion and build them up

Every organization has someone at or near the executive level who already gets it. Maybe they've lived through an incident. Maybe they came from a larger organization with a mature program. Maybe they've just been reading the news. Find that person. Brief them before the meeting. Give them the language, the data, and the framing to advocate from inside the room. An internal champion who says "I've been thinking about this for a while and I think we need to act" carries more weight with their peers than any outside advisor. I've spent entire engagements essentially staffing and enabling that person to win the internal argument.

5. Show them the regulatory exposure specifically

For executives in regulated industries, regulatory risk is often the fastest path to a yes. Not because they're purely compliance-driven, but because exam findings, enforcement actions, and consent orders have direct consequences for their careers and the organization's reputation. I've walked into rooms with a copy of the relevant FFIEC booklet, HIPAA guidance, or NCUA regulation open to the specific paragraph that describes what they're required to have, and then shown them the gap between that requirement and their current state. That conversation tends to go differently than a general risk presentation.

6. Start small and prove it before asking for the full program

One of the most effective approaches I've used with skeptical leadership is the tabletop exercise. Instead of asking for budget and buy-in for a full BCP program overhaul, I ask for two hours of executive time to run a scenario. I design the scenario around the specific risks that leadership has told me they worry about. Then I let the exercise do the work. I've never run a tabletop with a senior leadership team that didn't surface at least two or three moments where people looked at each other and said "we don't actually know what we'd do here." Those moments are worth more than any presentation. They create the internal appetite that makes the program approval straightforward.

7. Make the ask specific and the commitment visible

Vague asks get vague responses. "We need more investment in business continuity" is easy to agree with in principle and equally easy to defer. "I need your approval for this specific scope, this budget, and a standing agenda item on the quarterly board report" is a concrete commitment that forces a real decision. I also recommend making the executive's sponsorship visible inside the organization. Their name on the program policy. Their presence at the annual tabletop. A brief comment in an all-staff communication. When the organization sees that leadership owns this, participation and seriousness increase dramatically.

8. Use cyber insurance as a lever

This one has become increasingly powerful in the last few years as cyber insurance premiums have risen and coverage has tightened. Carriers are now asking detailed questions about business continuity programs, testing cadences, backup integrity, and recovery time objectives. They are declining to renew policies or imposing significant premium increases for organizations that can't demonstrate a mature BCP. When I can show a CFO or CEO that a documented, tested continuity program directly affects their coverage terms and premium, the conversation shifts from "should we invest in this" to "what do we need to do and when." That's a much easier conversation.

What Consistently Fails

I'd be doing you a disservice if I only shared what works. After seeing hundreds of these conversations across industries and cultures, certain approaches fail so consistently that they're worth naming directly.

What Not to Do
  • Leading with technical jargon. RTO, RPO, BIA, MTPD (recovery time objective, recovery point objective, business impact analysis, maximum tolerable period of disruption). These mean nothing to a CEO or CFO who hasn't lived inside a security program. Translate everything into business language before you walk in the room.
  • Presenting risk without a recommended action. Executives don't want a comprehensive list of everything that could go wrong. They want to know what you recommend and what it will cost. Come with a proposal, not just a problem.
  • Going directly to the board without building internal alignment first. If you go to the board with a request that surprises the CEO or CFO, you've created an adversarial dynamic before the conversation starts. Build internal consensus first.
  • Crying wolf. If every risk is catastrophic and every gap is critical, nothing is. Calibrate your urgency carefully. The risks that genuinely warrant immediate action need to be distinguishable from the ones that can be addressed over time.
  • Treating this as a one-time ask. Executive sponsorship for BCP isn't won in a single meeting. It's built over time through consistent reporting, visible testing, honest communication about gaps, and the credibility that comes from following through on what you say you'll do.

What I've Learned Working Across Every Industry and Culture

I've had these conversations on six continents, in organizations ranging from regional community banks to global manufacturers, from single-hospital health systems to large integrated delivery networks, from government contractors to family-owned professional services firms. A few things hold true everywhere.

The universal language of executive leadership is consequence. Not technical consequence, but business consequence. Revenue at risk. Reputation at stake. Regulatory relationships on the line. Employees and customers depending on the organization's ability to function. Frame your argument in those terms and you will be heard in any boardroom, in any language, in any culture.

The second universal truth is that credibility is the only currency that matters in the long run. Executives who have been oversold on security investments and seen them underdeliver are skeptical for good reason. The way you earn their trust is to be honest about what you know and what you don't, to deliver on what you commit to, and to report bad news as directly as good news. I've had clients for ten years because I told them the truth when it was uncomfortable. I've lost engagements because I couldn't bring myself to tell a leadership team something they didn't want to hear. The honest path is always the right one, and it's almost always the more effective one too.

And the third: urgency without panic. You're not trying to frighten anyone into action. Fear-based selling might work once, but it builds a relationship founded on anxiety rather than trust. Your goal is to help leadership understand their real risk posture clearly enough to make good decisions about it. That's a fundamentally different posture from "let me show you how bad things could get." The former builds a partnership. The latter builds defensiveness.

The organizations with the best business continuity programs aren't the ones that had the most technical talent or the biggest budgets. They're the ones where someone, somewhere, had the patience and the communication skills to bring leadership along. That's a skill worth developing, and it's one of the most valuable things a security leader can build.

The Ask That Always Works

After all of this, if I could give you one concrete thing to do right now, it would be this: don't ask for budget approval for a BCP program. Ask for two hours with the executive team for a tabletop exercise.

Pick a scenario that is realistic and specific to your organization. Ransomware encrypting your core systems on the Friday before a major quarter-close. A key operations vendor failing with 24 hours' notice. A significant data breach discovered at 6pm on a Thursday. Run them through it. Let them feel the gaps. Let them experience the ambiguity of not knowing who makes decisions, who communicates what to whom, and what the priorities are when everything is failing at once.

Then, in the debrief, lay out what a mature program would have given them: clear decision trees, pre-approved communication templates, tested recovery procedures, a team that knows their roles. Show them the difference between where they are and where they need to be, in terms they just experienced firsthand.

I have never run that exercise with an executive team that didn't come out of it ready to have the real conversation about investment. The experience does the work that no presentation can.

Shawn Davidson
Founder & President, Reactforce

Shawn Davidson is the Founder and President of Reactforce. He has spent two decades working with organizations across financial services, healthcare, manufacturing, and the public sector to build resilient security and business continuity programs. He has conducted engagements on six continents and advised organizations ranging from community banks to global enterprises on how to translate risk into decisions that leadership can act on.

Ready to Build Leadership Support for Your BCP Program?

Reactforce helps organizations get executive alignment on business continuity — and build programs that earn it. Let's start with a conversation.

© 2025 Reactforce. All rights reserved.
reactforce.com info@reactforce.com