One of the most persistent myths in Business Continuity is that top management buy-in is the hard part. It isn’t.

In most organizations, senior leaders will readily agree that Business Continuity — resilience, emergency response, crisis preparedness, whatever label we apply — is “important”.

They will endorse the program. Approve the policy. Ask for assurance that the organization is prepared.  And then expect the system to take care of the rest.

The real problem is not buy-in.  It is ownership.  And the cost of confusing the two is quietly carried by middle management.

The standards are not subtle about this.

The BCI Good Practice Guidelines and ISO 22301 are unambiguous: Business Continuity is a leadership responsibility, not a technical one.

Top management is expected to sponsor the program, set scope and scale relative to organizational strategy, make explicit decisions about acceptable disruption, consciously accept residual risk, and allocate resources accordingly.

This is not optional. It is foundational.

Business Continuity is meant to be an expression of strategic intent under stress — a translation of what the organization truly values when normal operations are no longer possible.

Yet in practice, leadership responsibility is often reduced to endorsement.

Accountability is felt — even when it’s unspoken.

Senior leaders do not need to be convinced that disruption matters.  They feel it intuitively.

History is clear: when disruption is mismanaged, it is rarely middle management who lose their roles. It is CEOs. It is Board Chairs. It is senior executives whose names become permanently attached to the event.

We have seen this across sectors and jurisdictions. Major disruptions don’t just damage organizations — they end careers and redefine legacies.

WIIFM (What’s in it for me?)for top management is tangible, even if it is never said out loud.

Access to credible plans, clear trade-offs, and real decision support under pressure directly affects personal performance in a crisis, Board confidence, reputational survival, and career longevity.

Accountability already exists. It always has.

What often happens instead is that accountability is psychologically deferred — displaced into programs, functions, committees, and reports.

Until the moment it snaps back.

What “buy-in” looks like in the real world

Instead of ownership, many organizations default to familiar patterns:

💡 BC sits in Risk / IT / Operations”

💥 “The Board asked for it”

😂“We’ve delegated it to the experts”

✅ “We’ll get an update once a year”

On paper, this looks like commitment.  In reality, it is delegation without accountability. The program exists. The policy is signed. The reports are received.

But the leadership work — the decisions that actually shape resilience — is absent. What emerges is governance theatre: the appearance of control without the discomfort of ownership.

Why delegation feels so reasonable (and is so dangerous)

Delegation is seductive because Business Continuity is genuinely hard work. That requires not just $$$ but critical thinking.

Ownership requires leaders to make trade-offs between resilience, cost, and growth. It requires acknowledging that not everything will recover quickly. It requires naming where the organization is deliberately exposed. And it requires accepting that some disruption scenarios will hurt — by choice.

These are not comfortable conversations.  They challenge narratives of control, competence, and preparedness. So the work is pushed down the organization.  And this is where the real risk accumulates.

Middle management: responsibility without authority

The hard graft of most Business Continuity programs ultimately lands with middle management. The same people already responsible for operational delivery, people leadership, change initiatives, cost control, and regulatory compliance. BC is added on top — rarely taken off anything else.

Crucially, these managers are often responsible for delivering continuity outcomes, but not accountable for the strategic decisions that define them. They do not set disruption tolerance. They do not shape organizational culture. They do not determine enterprise recovery priorities. They do not decide investment trade-offs or accept residual risk.

Yet they are expected to design plans that reconcile all of those assumptions.

This is not empowerment.  It is exposure.

The illusion of buy-in

When leadership engagement is shallow, several predictable things happen.

Scope is inherited rather than interrogated. Recovery expectations become optimistic and unchallenged. “Everything is critical” becomes the default. Metrics focus on completion rather than risk reduction.

From the top, this can look like progress. From the middle, it feels like managing contradictions:

💥 Be resilient, but don’t disrupt delivery

✨Surface risks that can be solved, but don’t alarm anyone

✅ Challenge assumptions, but don’t slow momentum

The safest response is compliance. And so the program becomes “good enough”. Not because people don’t care — but because the system quietly rewards smooth delivery over uncomfortable truth.

Why this matters more than any plan

When top management do not actively own Business Continuity, middle management inherit an impossible task. Plans become compliance artefacts. Exercises rehearse optimism rather than reality. Metrics soothe anxiety without reducing exposure.

The organization feels reassured.  But that reassurance is fragile. Because when disruption hits, the gap between assumed preparedness and lived reality is exposed — and it is exposed brutally.

What real ownership looks like (and why it’s uncomfortable)

Strong Business Continuity does not start with consensus.  It starts with explicit executive tension.

Leaders must be willing to ask — and answer — questions such as:

• What disruption are we prepared to absorb?
• Where are we deliberately exposed, and why?
• What outcomes matter more than continuity itself?
• What will we not recover quickly — by choice?

Until these questions are owned at the top, everything downstream is cosmetic. Frameworks can guide. Specialists can advise. Middle managers can design and implement.

But leadership accountability cannot be delegated.

The hard truth

If Business Continuity is treated as something leaders sponsor rather than own, buy-in will look strong, assurance will feel comforting, and resilience will quietly erode.

That is not a failure of standards ➡️It is a failure of leadership intent.

In the next article, I’ll tackle where the real work of Business Continuity actually sits — and why it is routinely undervalued, under-resourced, and misunderstood, even in organizations that genuinely care about resilience.