SUCCESSION PLANNING AND TALENT REVIEW FRAMEWORK
Heat Maps · Readiness Ratings · Emergency Succession · Development Plans
| Field | Value |
|---|---|
| Document ID | CERG-GOV-SUCC-001 |
| Version | 1.0 |
| Status | Approved |
| Classification | Confidential - CISO and Pillar Leaders |
| Owner | CISO |
| Parent Policy | CERG-POL-001 - Cybersecurity Policy |
| Supporting Documents | CERG-GOV-JA-001 · CERG-GOV-CMP-001 · CERG-GOV-PERF-001 · CERG-GOV-TRN-001 · CERG-GOV-OM-001 · CERG-GOV-FRM-001 |
| Review Cycle | Annual talent review; emergency succession list reviewed semi-annually |
| Frameworks | NIST CSF 2.0 (GOVERN) · ISO/IEC 27001 A.7.2 |
| Regulations | Cross-cutting |
| Environments | Program-wide |
Table of Contents
- Purpose and Scope
- The Single-Point-of-Failure Problem
- Annual Talent Review
- The Succession Heat Map
- Emergency Succession
- Successor Development Plans
- Cross-Pillar Succession
- Confidentiality and Access
- Document Control
1. Purpose and Scope
The CERG Framework (FRM-001 §9.2) states that the left-right knowledge model provides “talent resilience.” A team where every member understands the other two pillars is more resilient than one where knowledge is siloed. But cross-pillar understanding is not a succession plan. Knowing how the Risk pillar operates does not make a Cloud Security Engineer ready to lead it. Knowing where the evidence library lives does not make a Detection Engineer ready to represent the organization to a NERC-CIP auditor.
This document closes that gap. It establishes a formal succession planning framework: an annual talent review cadence, a succession heat map for every critical CERG role, readiness ratings for identified successors (Ready Now, Ready in 1-2 Years, Ready in 3-5 Years, No Identified Successor), development plans for closing successor readiness gaps, an emergency succession protocol defining who steps in on 24 hours’ notice, and cross-pillar succession requirements that ensure no pillar leader’s only potential successor comes from the same pillar.
It applies to every critical CERG role: the CISO, pillar leaders, domain leads, and any role whose sudden vacancy would create a material operational risk. It does not apply to contractor or consultant roles, which are addressed by the knowledge retention requirements in CERG-GOV-CON-001.
This Document Is Confidential
Succession planning is among the most sensitive activities a leadership team undertakes. A person identified as “Ready in 3-5 Years” who learns they are not “Ready Now” may feel passed over. A person not identified as a successor at all may feel their career has plateaued. This document and the heat maps it produces are restricted to the CISO and pillar leaders. Individual development conversations draw from the succession analysis without revealing the analysis itself, the same way a manager uses calibration session output to inform a promotion conversation without naming the people who were rated higher.
2. The Single-Point-of-Failure Problem
2.1 Why Cybersecurity Is Especially Vulnerable
Cybersecurity teams have a single-point-of-failure problem that is worse than most knowledge-work functions for three reasons:
- Deep specialization resists documentation. A Cryptography Engineer who has managed the PKI hierarchy for seven years carries knowledge that lives in their head: which certificates have quirks, which CAs have trust-chain issues with which vendors, which renewal processes have undocumented manual steps. That knowledge is partially documented and partially not. The person who leaves takes both halves.
- Regulatory relationships are personal. A NERC-CIP Compliance Manager who has been the organization’s face to its regional entity for a decade has a relationship with the auditors that a replacement cannot replicate on day one. The auditor who trusts the Compliance Manager’s evidence because of a decade of demonstrated rigor will not extend that trust automatically to a replacement.
- Small teams have no bench. A 5-person CERG team cannot afford a dedicated understudy for every role. When the person who runs Exposure Management leaves, someone else absorbs that work on top of their own. If that person also leaves, the function stops.
2.2 What the Left-Right Model Does and Does Not Solve
The left-right knowledge model reduces the SPOF risk by ensuring that:
- Every person knows enough about the other two pillars to collaborate effectively
- Documentation is consumed cross-pillar, not just within the pillar that authored it
- The evidence library, risk register, and document library are structured to survive any single person’s departure
It does not solve:
- Leadership succession. Cross-pillar understanding is not cross-pillar leadership readiness. The Governance Pillar Leader has a specific set of management, regulatory, and stakeholder skills that are not developed by reading Engineering standards.
- Deep domain succession. Understanding what a Cryptography Engineer does is not the same as being able to do it. The left-right model provides awareness; succession requires capability.
- Emergency succession. If the Risk Pillar Leader resigns effective immediately, the left-right model provides nobody who can step into the role on 24 hours’ notice unless that person has been deliberately developed for it.
3. Annual Talent Review
3.1 Cadence
The talent review occurs annually, within four weeks of the year-end calibration session (PERF-001 §6). It consumes calibrated performance ratings and promotion decisions as input and produces the succession heat map as output. The sequence ensures that succession decisions are based on current, calibrated assessments, not on reputation from two years ago.
3.2 Participants
| Organization Size | Participants |
|---|---|
| 5-person CERG | CISO (sole reviewer; the CISO is also a subject of the review for their own succession, which is addressed with the board or Executive Sponsor) |
| 15-person CERG | CISO + Pillar Leaders |
| 35+ person CERG | CISO + Pillar Leaders + Senior Managers (for their functions) |
3.3 Agenda
The talent review addresses each critical role in sequence:
- Role: [Canonical role name]
- Incumbent: [Name and current grade]
- Retention risk: Low / Medium / High. Is the incumbent a flight risk? Why?
- Succession status: Review the current heat map ratings for identified successors.
- Successor development progress: What development actions were planned at the last review? What progress was made?
- New successors? Has anyone emerged as a potential successor since the last review?
- Emergency successor: Is the emergency successor still current? Any changes?
- Actions: What will be done in the next 12 months to improve succession readiness for this role?
3.4 Output
The talent review produces:
- Updated succession heat map for every critical role (§4)
- Updated successor development plans (§6)
- Updated emergency succession list (§5)
- Retention risk register: roles where the incumbent is a flight risk, with mitigation actions
- Succession gaps report: roles with No Identified Successor, with a timeline and plan for developing one
4. The Succession Heat Map
4.1 Critical Roles
Not every canonical CERG role is critical for succession planning. A role is critical if its sudden vacancy would cause a material operational disruption that cannot be absorbed by the existing team within 30 days. The minimum set of critical roles includes:
| Tier | Roles |
|---|---|
| Tier 1: Immediate organizational risk | CISO; Engineering Pillar Leader; Risk Pillar Leader; Governance Pillar Leader |
| Tier 2: Material function risk | Cloud Security Engineer (senior/lead); OT Security Engineer (if OT environment); Exposure Management Lead; Detection Engineer (senior/lead); NERC-CIP Compliance Manager (if CIP-regulated); CMMC Compliance Manager (if CMMC-scoped); SOX ITGC Lead (if SOX-scoped); Risk Register Owner; Policy & Standards Manager |
| Tier 3: Important domain risk | Identity Engineer (senior/lead); Application Security Engineer (senior/lead); Adversarial Testing Lead; Threat Intelligence Analyst (senior/lead); Vendor Risk Analyst (senior/lead); Evidence Librarian; Cryptography Engineer |
The CISO and pillar leaders may add or remove roles from the critical list at each annual talent review based on current organizational context.
4.2 Readiness Ratings
Each identified successor for a critical role receives a readiness rating:
| Rating | Definition | Action Implication |
|---|---|---|
| Ready Now | The person could assume the role effectively within 30 days with minimal transition support. They have demonstrated the required competencies at the target level. | No development action required for readiness. Retain the person and ensure they are aware of their readiness (without guaranteeing the role). |
| Ready in 1-2 Years | The person has the foundational capabilities but needs specific experiences, training, or exposure to be fully ready. The gap is known and a development plan exists. | Execute the development plan. Review progress at each quarterly check-in. Re-rate at the next talent review. |
| Ready in 3-5 Years | The person is a long-term development candidate. They have demonstrated potential but need substantial growth in multiple dimensions. | Long-term development plan with intermediate milestones. May not be ready for emergency succession. |
| No Identified Successor | No person in the organization has been identified as a credible successor for this role. | This is a gap that must be addressed. Options: develop an internal candidate, recruit with succession in mind, or document the interim operating model if the role goes vacant. |
4.3 The Heat Map Format
For each critical role, the heat map records:
Role: [Canonical Role]
Incumbent: [Name]
Retention Risk: [Low/Medium/High]
Successors:
| Name | Current Role | Readiness | Development Priorities |
|---|---|---|---|
| [Name] | [Current role] | Ready Now | N/A |
| [Name] | [Current role] | Ready in 1-2 Yrs | [2-3 specific gaps] |
| No Identified Successor | - | - | [Plan to address] |
Emergency Successor: [Name] or [None]
Cross-Pillar Successor: [Name] or [None]
“Ready Now” Does Not Mean “Will Get the Role”
Identifying someone as Ready Now is a statement about their capability, not a promise of succession. The incumbent may stay for another decade. The organization’s needs may change. Another candidate may emerge. The Ready Now rating means that if the role became vacant tomorrow, this person is the credible internal candidate. It does not mean the role is theirs.
5. Emergency Succession
5.1 The 24-Hour List
For every Tier 1 critical role (CISO, pillar leaders), an emergency successor is designated. The emergency successor is the person who steps into the role on 24 hours’ notice if the incumbent is suddenly unavailable (resignation, illness, termination, or any other sudden departure). The emergency successor is not necessarily the long-term successor. They are the person who keeps the function operating while a permanent replacement is found.
5.2 Emergency Successor Requirements
The emergency successor must:
- Be a current CERG team member (not a contractor, not an external party)
- Have sufficient organizational knowledge to perform the role’s most critical functions: approve urgent decisions, represent the function to executive leadership, and ensure standing operations continue
- Know they are the emergency successor and have accepted the responsibility
- Have documented access to the systems, contacts, and decision authorities they will need
- Be reviewed semi-annually (not just at the annual talent review) to confirm they are still with the organization and still willing
5.3 Emergency Succession by Tier
| Tier | Emergency Successor Model |
|---|---|
| CISO | Designated by the board or CEO in consultation with the CISO. Typically a pillar leader or a Deputy CISO if the organization has one. The Executive Sponsor may serve as interim CISO for a limited period per organizational succession policy. |
| Engineering Pillar Leader | The senior-most Cloud Security Engineer or OT Security Engineer at S4 or S3, with documented delegation from the CISO. |
| Risk Pillar Leader | The Exposure Management Lead or senior-most Detection Engineer at S3-S4, with documented delegation from the CISO. |
| Governance Pillar Leader | The NERC-CIP Compliance Manager or Policy & Standards Manager at S3-S4, with documented delegation from the CISO. |
5.4 Emergency Succession Documentation
For each emergency successor, the following documentation is maintained and reviewed semi-annually:
- Delegation of authority: A signed document from the CISO (or board, for CISO succession) delegating specific decision authorities to the emergency successor during the interim period.
- Access verification: Confirmation that the emergency successor has (or can rapidly obtain) access to all systems, accounts, and physical spaces needed to perform the role.
- Key contacts list: The 10-15 people the emergency successor needs to contact in the first 24 hours: executive leadership, pillar leaders, key business stakeholders, regulators, critical vendors, the IR team lead.
- Standing decisions and deadlines: A current list of pending decisions, upcoming deadlines, and active escalations that the emergency successor will inherit.
- Transition checklist: Step-by-step actions for the first 24 hours, first week, and first month.
Emergency Succession Is Not Optional
An organization that cannot name who runs Engineering if the Engineering Pillar Leader is hit by a bus tomorrow has not planned; it has hoped. The emergency succession list must exist at all times. A blank emergency successor field for any Tier 1 role is a risk that should be reported to the CISO and recorded in the risk register.
6. Successor Development Plans
6.1 The Development Plan Format
For each successor rated “Ready in 1-2 Years” or “Ready in 3-5 Years,” a development plan addresses the specific gaps preventing a “Ready Now” rating. The plan is owned by the successor’s manager (or the incumbent, if the successor reports to a different manager) and reviewed at each quarterly check-in.
The development plan contains:
- Target role and target readiness timeline
- Gap assessment: Which CMP-001 competency domains are not yet at the target level? Which JA-001 management dimensions, if the target is a management role?
- Development actions for each gap:
  - Experiential: Specific stretch assignments, interim role coverage, cross-pillar initiatives, or acting-manager rotations
  - Educational: Specific training, certification, or conference attendance per TRN-001
  - Relational: Specific exposure to the stakeholders, regulators, or executive forums the person would need to navigate in the target role
- Milestones: Observable demonstrations that would indicate readiness progress (e.g., “led a CISO Risk & Posture Review presentation,” “represented Engineering to a regulator walkthrough,” “managed the team for two weeks during the incumbent’s leave”)
- Timeline: When each action is planned and when readiness will be reassessed
6.2 Development by Readiness Gap
| Gap Domain | Typical Development Actions |
|---|---|
| Strategic thinking | Assign to lead a pillar strategy initiative. Invite to pillar leadership meetings as an observer-contributor. Pair with the incumbent for budget cycle process. |
| Executive communication | Assign to present at CISO Risk & Posture Review. Coach on written executive communications. Shadow the incumbent in board-preparation sessions. |
| People leadership | Assign a mentee or intern. Provide acting-manager rotation during the incumbent’s leave. Enroll in management training. |
| Stakeholder management | Assign as the CERG representative in a cross-functional initiative. Accompany the incumbent to regulator/auditor meetings. Build relationships with key business stakeholders directly. |
| Budget and resource management | Involve in the budget planning cycle. Assign vendor relationship management for a tool or service. Review total cost of ownership for a function. |
| Cross-pillar depth | Extended cross-pillar rotation (2-4 weeks instead of 1 day). Lead a cross-pillar initiative. Author a standard or procedure in a different pillar’s domain with that pillar’s review. |
6.3 Tracking and Accountability
Successor development plan progress is reviewed at:
- Quarterly check-ins (PERF-001 §3.2): Progress against planned actions
- Annual talent review: Readiness re-rating based on demonstrated progress
- CISO quarterly review: The CISO reviews succession readiness for Tier 1 roles at each CISO Risk & Posture Review
A successor whose development plan shows no progress for two consecutive quarters is either not motivated, not capable, or not receiving the promised development support. The talent review addresses which it is and adjusts the plan or the readiness rating accordingly.
7. Cross-Pillar Succession
7.1 The Principle
Every Tier 1 critical role (CISO and pillar leaders) should have at least one potential successor who comes from a different pillar. The principle is an extension of the left-right knowledge model: a person who has led only Engineering their entire career will struggle to lead Risk or Governance without a deliberate development investment. But a person who knows two pillars deeply and the third well enough to collaborate is a stronger candidate for any pillar leadership role than someone who knows only one.
7.2 Cross-Pillar Successor Development
| Target Pillar Leader Role | Cross-Pillar Successor Might Come From | Key Development Need |
|---|---|---|
| Engineering Pillar Leader | Senior Risk practitioner (S3-S4) with strong technical background | Deepen engineering craft mastery; lead architecture initiatives; own reference architecture authority |
| Risk Pillar Leader | Senior Engineering practitioner (S3-S4) with strong analytical skills | Deepen risk methodology; lead threat assessments; own exposure reporting |
| Governance Pillar Leader | Senior Engineering or Risk practitioner (S3-S4) with regulatory exposure | Deepen compliance methodology; lead audit engagements; own regulatory relationships |
| CISO | Any pillar leader with cross-pillar experience and executive presence | Board communication; budget ownership at organizational scale; external stakeholder management |
7.3 Not a Requirement, a Direction
A Tier 1 role with no cross-pillar successor is not a crisis. It is a development priority for the next 2-3 years. The talent review identifies which pillar leaders have cross-pillar successor potential and adds cross-pillar development actions to their plans. Over multiple cycles, the succession bench becomes cross-pillar by development, not by coincidence.
8. Confidentiality and Access
8.1 Access Controls
The succession heat map, emergency succession list, and successor development plans are confidential. Access is restricted to:
- CISO: Full access to all succession materials
- Pillar Leaders: Access to succession materials for their pillar and cross-pillar successors from their pillar to other Tier 1 roles. A pillar leader does not see the succession plan for their own role (that is held by the CISO).
- Board or designated board committee: Access to CISO succession plan and summary of Tier 1 succession readiness (not individual names unless requested)
- HR Business Partner: Access to development plans (not heat maps) for coordination of training, budget, and personnel actions
8.2 Communication Guidelines
Succession information is communicated on a need-to-know basis:
| What | Who Is Told | What They Are Told | What They Are Not Told |
|---|---|---|---|
| “Ready Now” successor | The successor | “If this role became vacant, you would be a strong internal candidate. Let us discuss what you would need to be ready.” | That they are the only Ready Now candidate, or that they have been formally designated |
| “Ready in 1-2 Years” successor | The successor | “We see a leadership path for you toward [role]. Here is the development plan to get you there.” | Their specific readiness rating or how they compare to other successors |
| Emergency successor | The successor | “You are the designated emergency successor for [role]. Here is what that means and what you need.” | Nothing about long-term succession |
| No identified successor (Tier 1 role) | CISO and board (summary) | “We have a succession gap for [role]. Here is our plan to address it.” | Not shared with the broader team unless the role becomes vacant |
Do Not Promise Roles You May Not Be Able to Deliver
A manager who tells a team member “you are my successor” has made a promise that organizational changes, hiring decisions, or the person’s own career choices may break. The succession framework identifies readiness and develops capability. It does not make commitments. A Ready Now rating is a professional assessment, not a job offer.
9. Document Control
| Field | Value |
|---|---|
| Document ID | CERG-GOV-SUCC-001 |
| Version | 1.0 |
| Status | Approved |
| Effective Date | 2026-05-27 |
| Classification | Confidential - CISO and Pillar Leaders |
| Owner | CISO |
| Approved By | CISO |
| Parent Policy | CERG-POL-001 - Cybersecurity Policy |
| Review Cycle | Annual talent review; emergency succession list reviewed semi-annually |
| Next Scheduled Review | 2027-05-27 |
| Frameworks | NIST CSF 2.0 (GOVERN); ISO/IEC 27001 A.7.2 |
| Regulations | Cross-cutting |
| Environments | Program-wide |
Revision History
| Version | Date | Author | Change Summary |
|---|---|---|---|
| 1.0 Draft | 2026-05-27 | Cyber Governance | Initial release. Establishes annual talent review cadence and succession planning framework for critical CERG roles. Defines four-tier readiness rating scale (Ready Now, Ready in 1-2 Years, Ready in 3-5 Years, No Identified Successor), succession heat map format, emergency succession protocol with 24-hour documentation requirements, successor development plan structure, cross-pillar succession requirements, and confidentiality and access controls. |
Review Triggers
- Annual talent review (mandatory annual refresh)
- Any Tier 1 role incumbent departure, resignation notice, or extended leave
- Material change to organizational structure affecting role definitions
- CISO direction
Related Documents
| Document | ID | Relationship |
|---|---|---|
| Cybersecurity Policy | CERG-POL-001 | Parent policy |
| Job Architecture | CERG-GOV-JA-001 | Grade expectations for successor readiness evaluation |
| Competency Model | CERG-GOV-CMP-001 | Competency domains for gap assessment |
| Performance Management | CERG-GOV-PERF-001 | Input ratings for talent review |
| Training Framework | CERG-GOV-TRN-001 | Development resources for successor plans |
| CERG Operating Model | CERG-GOV-OM-001 | Canonical role roster and role definitions |
| CERG Framework | CERG-GOV-FRM-001 | Left-right knowledge model and talent resilience |
| Document Catalog | CERG-GOV-CAT-001 | Registers this artifact |
Governance owns the framework. The CISO owns the succession plans and heat maps produced under it. The CISO is responsible for initiating the annual talent review, maintaining the emergency succession list, and ensuring successor development plans are resourced and tracked.