Safeguarding Your Operations from Unexpected Events with a Business Continuity Plan

Much earlier in my career, I presented a seminar on the importance of business continuity. Perhaps it was naïve of me to expect the message to be greeted with universal enthusiasm. And all these years later, one comment still lingers.

“We don’t need this. If something goes wrong, we’ll just deal with it.”

I am certain that after the last few weeks, we will see the end of comments such as these, as COVID-19 changes business operations in ways that would be unimaginable at the start of 2020. Some of these changes will be permanent, others are just for now, until our ‘new normal’ emerges from the uncertainty of 2020.

One change that is certain is the importance of business continuity and the need to clearly understand and document your business in a way that supports rapid changes of operation. Seeing business continuity as a “make it up on the fly” activity is a risky strategy, given that successful business continuity can make the difference between business survival and failure.

Here are my key action points to an effective business continuity plan, many of which are founded in good, basic, cyber hygiene.

Know your assets

Develop a comprehensive information asset register that includes all relevant items, which are likely to include:

  • Data and information
  • Processes
  • Systems
  • Hardware
  • Software
  • People.

People are often forgotten when developing an asset register, but they are your key asset in delivering your business objectives – and the pandemic has illustrated the need to think about how you might function without key staff.

Know your stakeholders

Consider both internal and external stakeholders. Without understanding who they are and what their primary needs are, it is difficult to fully appreciate the value of your assets. Stakeholders are likely to include:

  • Business owners
  • Process owners
  • System owners
  • Information asset owners
  • Risk owners
  • Customers
  • Partners.

Know the value of your assets

Your business continuity plans should always prioritise your critical assets and reflect how long your business can function without them. A business impact assessment is important here – supported by risk assessments – so that you fully understand the likelihood of an incident occurring and its possible impact. These assessments will also ensure that you understand your threats and vulnerabilities; you may be able to reduce some of your vulnerabilities to make it less likely that an incident will occur. Not having to invoke your business continuity plan in the first place is always preferable to managing an incident!

Writing your plan

To write your plan, you need to involve relevant stakeholders. You will need to engage those that understand the asset well enough to contribute fully, typically from across the business. It is important to base your plans on realistic scenarios – based on your risk assessments – of possible disasters.

Define the roles and responsibilities of working groups or committees. Be clear and concise, yet detailed enough to make sense – using bullet points where possible.

Using the context provided by your business impact assessments (BIA), you may need to consider alternative facilities for critical business processes or systems. This may include hot, warm, or cold sites, depending on what your business requirements are. However, these options come with a price. Your BIA and risk assessments will help you decide whether this is money well spent.

It’s important to detail when the plan will be invoked, and under what conditions. Invoking a business continuity plan tends to generate disruption, so deciding when to invoke it is an important decision. It’s not something to do lightly, but neither is it something to put off until the situation has deteriorated. The decision to invoke should be taken by senior management, taking guidance from relevant subject matter experts.

The plan should set out a clear scope, whether it be systems, processes, information, etc. Crafting this is especially important as any ambiguity will undermine the core purpose of the plan when it is invoked.

Plans should also state:

  • The timescale required for the business to return to full operation – the Recovery Time Objective (RTO)
  • The maximum amount of information loss the business will tolerate – the Recovery Point Objective (RPO)
  • The maximum amount of time the business can accept the unavailability of the subject of the plan – the Maximum Acceptable Outage (MAO)
  • The minimum level of performance that the organization can accept – the Minimum Acceptable Service Level (MASL).

The plans also need to cover the important activities that must be undertaken, remembering that when the BCP is invoked, stress levels are likely to be high and people will be making decisions under increased pressure. Consider:

  • What tasks are needed to recover and who is responsible for them
  • Information security controls that need to be deployed and by whom
  • Tasks that need to be undertaken once the organization returns to its “normal” state.

A business continuity plan cannot stand alone, and you may need to consider related plans for communication to stakeholders, staff, customers, and the media, where relevant. Nothing will increase pressure more than an influx of uncontrolled communications from multiple sources.

The plan should be approved by the senior management team.

Promote your plan

After spending all this time on your plan, it would be a waste to keep it to yourself. Often, organisations fail to tell the right people that a plan exists, or worse, store the plan somewhere that no one can find it. I have heard about organisations keeping their business continuity plans on servers – the very servers the plans are supposed to recover in the event of a major incident!

Promoting the plan should not be a one-off activity; you should promote it regularly through avenues appropriate for your organisation – please do not assume that a message posted on the corporate intranet once a year will be sufficient.

Test your plan

Regular testing of the plans is vital to ensure they will work when needed most. At a minimum, I would suggest once a year, but this will vary depending on the criticality of your processes, systems, or information. If unavailability would cause your business to fail, then more regular testing may well be appropriate. Equally, a less critical system may need to be tested perhaps every two or three years. Your business impact assessments will help you decide what is appropriate, but the general rule is to ‘over test’ rather than ‘under test’.

The nature of testing is also variable, from step-throughs and tabletop exercises to full-blown exercises. They all have their part to play.

I would also suggest engaging a third party to support testing, as an objective pair of eyes can be extremely useful in helping you pick up areas that may have escaped your notice.

Review your plan

The last few months have shown how fluid business needs to be and how quickly things can change. A plan is only useful if it is up to date and relevant. Again, this can be flexible; however, I would suggest an annual review is a good place to start. Review the plan following a test, and leave room to review it more frequently should there be changes to either the business or the technology.

Conclusions

There are some necessary complexities surrounding business continuity, but the steps needed to arrive at a sensible, pragmatic plan do not need to be overwhelming. Bear in mind that the benefits can be vast – and potentially business-saving.

About the author

Simon Lacey
Principal Consultant, CRMG
Former Cyber Security Policy Manager, Bank of England
Industry of Expertise: Banking, Healthcare
Areas of Specialism: Cyber Security Governance & Policy Management