Business Continuity: Planning for the Next Pandemic

Writing a business continuity plan will help safeguard your operations from unexpected events

COVID-19 continues to change business operations in ways that would have been unimaginable at the start of 2020. Some of these changes will be permanent, while others are just for now until our “new normal” emerges.

One change that is certain is the importance of business continuity and the need to clearly understand and document your business in a way that supports rapid changes of operation. Seeing business continuity as a “make it up on the fly” activity is a risky strategy, given that successful business continuity can make the difference between business survival and failure.

Here are the key action points for an effective business continuity plan, many of which are founded in good, basic cyber hygiene.

Know Your Assets

Develop a comprehensive information asset register that includes all relevant items, which are likely to include:

People are often forgotten when developing an asset register; however, they are your key asset in delivering your business objectives—and the pandemic has illustrated the need to think about how you might function without key staff.

Know Your Stakeholders

Consider both internal and external stakeholders. Without understanding who they are and what their primary needs are, it is difficult to fully appreciate the value of your assets. Stakeholders are likely to include:

  • Business owners
  • Process owners
  • System owners
  • Information asset owners
  • Risk owners
  • Customers
  • Partners

Know the Value of Your Assets

Your business continuity plans should always prioritize your critical assets and reflect how long your business can function without them. A business impact assessment is important here, supported by risk assessments, so that you fully understand the likelihood of an incident occurring and its possible impact. These assessments will also ensure that you understand your threats and vulnerabilities; you may be able to reduce some of your vulnerabilities to make it less likely that an incident will occur.

Writing Your Plan

To write your plan, you need to involve the relevant stakeholders. You will need to engage those who understand the asset well enough to contribute fully, typically from across the business. It is important to base your plans on realistic disaster scenarios drawn from your risk assessments.

Define the roles and responsibilities of working groups or committees. Be clear and concise, yet detailed enough to make sense; use bullet points where possible.

Using the context provided by your business impact assessments (BIA), you may need to consider alternative facilities for critical business processes or systems. These may include hot (fully equipped to resume operations), warm (able to resume some operations) or cold (unable to resume any operations) sites, depending on your business requirements. However, these options come at a price; your BIA and risk assessments will help you decide whether this is money well spent.

It’s important to detail when the plan will be invoked and under what conditions. Invoking a business continuity plan tends to generate disruption, so deciding when to invoke it is an important decision. It’s not something to do lightly; however, neither is it something to put off until the situation has deteriorated. The decision to invoke should be taken by senior management, taking guidance from relevant subject matter experts.

The plan should set out a clear scope, whether it be systems, processes, information or other. Crafting this is especially important, as any ambiguity will undermine the core purpose of the plan when it is invoked.

Plans should also state:

  • The time scale required for the business to return to full operation—the Recovery Time Objective (RTO).
  • The maximum amount of information loss the business will tolerate—the Recovery Point Objective (RPO).
  • The maximum amount of time the business can accept the unavailability of the subject of the plan—the Maximum Acceptable Outage (MAO).
  • The minimum level of performance that the organization can accept—the Minimum Acceptable Service Level (MASL).
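The four objectives above are only useful if they are consistent with each other and are actually checked against test results. The following is an added example, not code from the article or its author, that records a plan's objectives, flags an infeasible combination (an RTO longer than the MAO) and compares what a test exercise measured against each objective; the field names and sample values are assumed.

```python
"""Added example: consistency check and test evaluation for RTO, RPO, MAO and MASL.
Field names and the sample figures below are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RecoveryObjectives:
    rto_hours: float       # Recovery Time Objective: time to return to full operation
    rpo_hours: float       # Recovery Point Objective: tolerable data loss, as time since last good copy
    mao_hours: float       # Maximum Acceptable Outage: longest unavailability the business survives
    masl_percent: float    # Minimum Acceptable Service Level, as a percentage of normal service


@dataclass(frozen=True)
class TestResult:
    recovery_hours: float           # measured time to full recovery
    last_backup_age_hours: float    # age of the newest restorable copy when the exercise started
    outage_hours: float             # measured total unavailability
    service_level_percent: float    # measured service level while running degraded


def check_objectives(obj: RecoveryObjectives) -> list[str]:
    """Return findings about the objectives themselves; an empty list means consistent.
    If recovering takes longer than the business can tolerate being without the
    service, the plan is infeasible as written."""
    findings = []
    if obj.rto_hours > obj.mao_hours:
        findings.append(f"RTO {obj.rto_hours}h exceeds MAO {obj.mao_hours}h")
    if not 0 < obj.masl_percent <= 100:
        findings.append(f"MASL {obj.masl_percent}% is not a valid percentage")
    return findings


def evaluate_test(obj: RecoveryObjectives, result: TestResult) -> dict[str, bool]:
    """Compare what the exercise measured against each objective (True = met)."""
    return {
        "RTO": result.recovery_hours <= obj.rto_hours,
        "RPO": result.last_backup_age_hours <= obj.rpo_hours,
        "MAO": result.outage_hours <= obj.mao_hours,
        "MASL": result.service_level_percent >= obj.masl_percent,
    }


def unmet_objectives(obj: RecoveryObjectives, result: TestResult) -> list[str]:
    """Names of the objectives the test failed, in a stable order for reporting."""
    return [name for name, met in evaluate_test(obj, result).items() if not met]


# Constructed sample: an order-processing system whose test recovered too slowly.
SAMPLE_OBJECTIVES = RecoveryObjectives(rto_hours=8, rpo_hours=4, mao_hours=24, masl_percent=60)
SAMPLE_RESULT = TestResult(recovery_hours=10, last_backup_age_hours=3,
                           outage_hours=10, service_level_percent=70)
```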

The plans also need to cover important activities that need to be undertaken, remembering that when the BCP is invoked, stress levels are likely to be high and people will be making decisions under increased pressure. Consider:

  • What tasks are needed to recover and who is responsible for them.
  • Information security controls that need to be deployed and by whom.
  • Tasks that need to be undertaken once the organization returns to its “normal” state.

A business continuity plan cannot stand alone and you may need to consider related plans for communication to stakeholders, staff, customers and the media, where relevant. Nothing will increase pressure more than an influx of uncontrolled communications from multiple sources.

The plan should be approved by the senior management team.

Promote Your Plan

After spending all this time on your plan, it would be a waste to keep it to yourself. Often, organizations neglect to tell the right people that a plan exists—or, worse, store the plan somewhere that no one can find it. Some organizations keep their business continuity plans on servers—the very servers the plans are supposed to recover in the event of a major incident!

Promoting the plan should not be a one-off activity; it should be promoted regularly through avenues appropriate for your organization. Do not assume that a message on the corporate intranet once a year will be sufficient.

Test Your Plan

Regular testing of the business continuity plan is vital to ensure it will work when needed most—once yearly, at a minimum. However, this will vary depending on the criticality of your processes, systems or information. If your business would fail because certain processes, systems or information are unavailable, then more frequent testing may well be appropriate. Equally, a less critical system may need to be tested perhaps every two or three years. Your business impact assessments will help you decide what is appropriate; however, as a rule, overtest rather than undertest.

The nature of testing is also variable, from step-throughs and tabletop exercises to full-blown exercises. Each has its part to play.

It is recommended to engage a third party to support testing, as an objective pair of eyes can be extremely useful in uncovering areas that may have escaped your notice.

Review Your Plan

The last few months have shown how fluid business needs to be and how quickly things can change. A plan is only useful if it is up to date and relevant. Again, the review frequency can be flexible; however, an annual review is a good place to start. Also review the plan following each test, and leave room to review more frequently should there be changes to either the business or the technology.

Conclusions

There are some necessary complexities surrounding business continuity; however, the steps needed to arrive at a sensible, pragmatic plan do not need to be overwhelming. Bear in mind that the benefits can be vast—and potentially business-saving.

Security Boulevard

Simon Lacey

Simon Lacey, Principal Consultant at CRMG, is a senior information security and governance specialist with over 20 years’ experience in both the public and private sector. Simon has worked within electrical engineering, the NHS, private healthcare and at the Bank of England, where he was the policy and standards manager and led ISO 27001 certification. Simon's considerable experience in risk management, education and awareness, strategy development and consulting to senior management brings a holistic view of cybersecurity and how to create a resilient organization.
