One thing COVID-19 has taught us is that companies must have provisions in place to be able to continue operating during an unplanned disruption. As we learn to live with the pandemic, many will be looking to the future and starting to prepare for the next unforeseen scenario. A business continuity plan (BCP) is an essential document for all companies looking to make provisions for unforeseen operational interruptions. Having a contingency plan that incorporates all facets of your business’s function will be key for maintaining profits and reputation.
Preparing for the unknown brings added complications, whether it be extreme weather events, cyber-attacks, or perhaps most topically, a pandemic. Following a step-by-step process of what should be done to prevent having to cease operations can galvanise critical business functions and put into action steps for recovery. Here, our technical services director, Roger Leyland, examines six key considerations that must be taken when formulating a robust and effective BCP.
1. The practicalities of your business
The first thing to consider before you even lay pen to paper are the capabilities of your business. Regardless of the size of a company, it is critical to have a plan that fits within the scope of your resources and outputs. It’s important to have a fundamental understanding of the intricate needs of all aspects of your business before anything is put in place.
No two businesses are alike, and it would be a mistake to produce a generic BCP that doesn’t cover key business areas. A transnational corporation operating across multiple service lines will have very different challenges and needs to a start-up with 20 employees, and that should be reflected. For example, larger organisations will require a lot more risk analysis and data backups, outlined in a comprehensive document that strategises the next steps in an unforeseen event. This wouldn’t necessarily be required for a smaller business.
Another key consideration is understanding the severity of a potential event. How long can a particular scenario go on for before your business feels major impacts? The responses will differ across an organisation, and your BCP should reflect this. COVID, for example, necessitated long periods of remote working, whereas a power cut that lasts half a day requires a different response. The longer the event disrupts operations, the greater the preparations have to be to ensure business continuation.
2. The role of analytics and threat detection
Data and analytics can play a crucial role in building a resilient BCP for unforeseen issues. Data enables business leaders to understand the complexities of their business’s operations including how employees are working, how customers are engaging, and how efficient operations are. Having an abundance of high-quality data is pivotal when creating a robust BCP and relies on the best practices and highly skilful analysts to extract accurate information.
Moreover, analytics can play a part in identifying potential weak points and threats. Analysts can gather information about the kinds of threats that an organisation is vulnerable to, as well as the probability of them happening. From here, businesses can prepare a detailed report for any relevant threats and put in place protocols and systems to limit disruption. This includes a business impact analysis (BIA), which helps determine how the loss of different functions and processes during a crisis can impact operations. It helps the senior management team to assess the financial impact of losing individual departments, aiding decision making on which key functions to restore first so that operations can be restored as efficiently as possible. The financial prioritisation of invoicing, orders, salary payments, payment of suppliers, etc. must take precedence in securing business interests and protecting profitability.
3. Data storage and backups
With the importance of data growing in our digitalised world, ensuring it remains secure and accessible is very important. Digital backups are the foundation for protecting business interests from cyber-attacks, hardware/natural disaster, or even human error. Having an effective remote access system linked to numerous data centres ensures that businesses are not reliant on a single copy. Where the pandemic has necessitated remote working, many organisations have had to improve this facet of their BCP anyway. But ensuring there are ample restoration points and digital backups of important data and documents across a range of locations means that the business can still access the necessary information to continue working.
With this come cyber security concerns around remote access and unprotected networks. Basic cybersecurity practices are the best way to ensure that data is protected and operations are not compromised by outside forces. This has become increasingly prevalent with remote working, where employees are not aware of these issues and can unwittingly facilitate a data breach. As part of a BCP, features such as multifactor authentication, usage of Virtual Private Networks (VPNs), and ‘Zero Trust’ solutions are the best ways to protect your business from cyber disruptions.
4. Recovery Time Objective (RTO) and Recovery Point Objectives (RPO)
There are some clear indicators for an effective BCP. When a disruption occurs, it’s essential to recover any data that is lost as a result. A business’s RTO is the maximum time allowed to restore a business to a fully functional status after an event, with the aim to keep it as low as possible. Similarly, RPO measures how up-to-date recovered files must be to maintain operations. These benchmarks provide tangible metrics that indicate how robust a business’s BCP is, and they should be considered when implementing and updating data policy.
5. Stress testing
Stress testing your BCP is a way of ensuring you’re adequately protected from a disaster, yet not over-servicing and overpaying for protection that is not necessary for your business’s size and scale. Stress testing your plan will highlight any fragilities and allow you to reconsider and reallocate resources to this area. Having this knowledge is key, so any failures in your BCP are better off being exposed in a test rather than in a real-life scenario.
This should be done continuously as your business evolves and new challenges appear. A BCP needs to match changes within a business to sufficiently make provisions for any future incidents. A Managed Service Provider (MSP) can help stress test your plan and report back on any failings. As IT experts they can then offer solutions and consultancy on the best plan for you, and as previously mentioned it should be scalable and bespoke to the business’s needs.
With the considerations discussed, protocols must be implemented to ensure that the key processes continue functioning in a crisis. It is important that someone is in charge of the BCP and is able to implement it should the need arise. Its usage is often time critical and requires expert handling. The leader should be well trained and able to execute the BCP in the moment, acting rationally and thinking clearly in what can often be a high-pressure scenario.
By ensuring you have a clear hierarchy of responsibility for enacting your business’s BCP, your business can minimise disruption and maintain operations across key business components.
This accountability is key in ensuring that procedures are followed properly and that there is ownership during an incident. Supporting this should be extensive documentation for all processes that need to be followed, with an up-to-date, secure contact list that is accessible so that roles and responsibilities can be shared with key personnel. Effective administration and bureaucracy are critical in ensuring that your BCP isn’t just a box-ticking exercise and is a fundamental element of your business’s development.
Moreover, it is imperative that your BCP complies with the standards of the International Organisation for Standardisation (ISO). ISO 22301:2019, Security and resilience – Business continuity management systems, “specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise”. Businesses can receive accreditation for meeting these standards and demonstrating good practice in their BCP.
The role of an MSP
There are many considerations that businesses must take when creating a BCP. With so many aspects of a business that can all be affected by a disruption, combined with the technological detail required to efficiently yet comprehensively protect operations, it can take a lot of time and resources to create an effective BCP.
This is where an MSP can help your business maximise the potential of your BCP. As experts, they can provide a comprehensive review of your business and the threat it may face, followed by the implementation of the latest solutions, practices, and training to make sure that you stay compliant with regulations and protected from unforeseen disasters. It’s important that an MSP has a thorough understanding of a business’s capabilities before creating a BCP, as there isn’t a ‘one size fits all’ solution. From my experience, each business has very different needs, challenges, and resources, and a BCP should reflect the bespoke nature of operations.
Ultimately, a BCP should act in the same way as insurance. You hope to never have to use it, but when you do, it’s critical that you have it and it is comprehensive enough to cover operations. There are many considerations to take into account ranging from digital to personnel and navigating this can be hard. However, it is imperative that you are prepared for any unexpected incidents, and your BCP is robust.