Business Continuity Management (BCM) is vital in preparing and protecting business operations from disruptions caused by threats stemming from cyber attack and natural disasters, as well as resource unavailability such as building loss, staff absenteeism, and supply chain failure etc. A robust business continuity programme manages the likelihood and impact stemming from disruptive incidents through proactive response and recovery planning, with the objective of reducing operational downtime.
As a global leader in BCM, Avalution Consulting, which provides business continuity, IT disaster recovery, and information security services to profit, not-for-profit, and government organisations of all sizes across all sectors, compiled their top tips for 2018 to ensure organisations protect themselves from major risks.
1. Business continuity plan – make sure you have one!
Taking the time to develop and invest in business continuity strategies and plans is an opportunity to protect staff, clients, operations, profits and brand. It’s important to understand and identify critical processes, gaps and risks to ensure the organisation can develop effective response and recovery plans to address stakeholder expectations.
2. Who does what, when?
If your key staff are aware of their responsibilities during a major incident (i.e. if they know what to do, how to do it and when to do it), there is a high likelihood that your organisation will recover your business activities and will help minimise negative impacts in a more timely manner, especially in relation to potential operational, financial and reputational losses and damages.
3. Ensure recovery support staff are fully accountable – own it!
Choose those accountable for business continuity performance (recovery support teams) carefully. Senior staff with strong oversight and knowledge of critical processes, systems and interdependencies, will be most effective during a major incident and will ensure staff are fully accountable for their recovery roles. They will require appropriate business continuity and recovery training and their recovery accountability’s should be noted within their personal scorecard / performance objectives.
4. How to manage risks… What risks?
Identify what types of threats and risks are likely to impact your business. Explore each threat and risk, aim to understand how each impacts your business, and then consider what controls or preventative measures you may already have in place which can minimise the risk (e.g. a secondary office location, multiple suppliers, etc.). Where there are no controls or preventative measures in place, consider planning to mitigate/reduce, remove or accept these risks. Document all identified risks as part of a risk register, which will help you take control and manage risks effectively. Many identified risks can be addressed through a well thought out business continuity plan.
5. Recovery Strategies – plan for four key business disruptions!
You can’t plan or have a recovery strategy for every eventuality, but you can develop strategies and plans for four key disruptions that will cover the outcome stemming from most threats. Ensure you prepare and have a plan to recover from:
a. denial of access to your building (building damage, Health & Safety, etc.)
b. denial of staff availability (strike, severe weather, etc.)
c. denial of technology
d. denial of supply chain (loss of a dependent supplier)
6. Business recovery – It is about more than just technology recovery!
The information technology team is not responsible for the recovery of business operations from all causes, they are only responsible technology recovery! While it is essential to have IT disaster recovery strategies and plans this is only part of the story. The business, outside of the IT organisation, should take responsibility and ownership for a wider operational recovery (non-technical). Technical teams support an operational recovery as part of a suite of services they provide to the business. The business need to plan for multiple potential interruptions to services causes by the unavailability of staff, workplaces, and third parties.
7. If you have a business continuity plan – test it!
If you don’t test or exercise your business continuity plan, you don’t know if it works. There are always plan gaps and performance issues that have not been considered. Testing and exercising helps to identify the gaps and therefore provide you with an opportunity to identify, address and close these corrective actions over time.
8. Crisis/Incident Management – agree on the recovery protocols!
Have clear and well-understood crisis/incident management protocols. Identify what information and how information about an incident should be managed and communicated both internally and externally. Incident management will require an understanding of who the key stakeholders are, what the timeframes for escalation are, who information should be shared with, how information should flow between teams (such as the board and executive management, the crisis/incident management teams, technology teams, BCM teams, facility teams, human resources teams, marketing and communications teams, customers, and essentially all staff). It is important to have clear documented indicators to support quick escalation, actions, and stakeholder engagement.
9. When does a standard or normal interruption to service – become unacceptable (an incident)!
Take all interruptions to normal business processing seriously as small incidents have the potential to grow and creep significantly. However, some business processes are more important than others due to their time sensitivity (short-time to impact) and their high potential impact to the long-term viability of the organisation. The impact of not being able to deliver a product/service or complete a critical process could give rise to penalties, regulation issues, client impact, financial losses, and reputational impairment. These factors should be considered within the incident management protocols and escalation paths.
Elaine Tomlin is Managing Consultant of Avalution Consulting and heads up Avalution’s EMEA HQ in Dublin. Elaine specialises in analysis and creating customised, strategy-connected risk management and compliance solutions, and assists organisations with validation and maintenance of their business continuity management (BCM) and recovery programmes.