Business Continuity Management

A C-level’s Guide to Business Continuity Management

What’s inside:

In today’s fast-paced and data-driven world, the ability to respond and adapt to change is more critical than ever before. While most companies are invested in improving their key business interests, few are capable of implementing a comprehensive continuity plan if something goes wrong. 

Chapter 1

What is business continuity management, and why is it critical in 2019?


Business continuity management (BCM) includes a range of measures dedicated to the protection of key business assets and the development of alternate modes of operation when business activities are interrupted. Placing a high value on BCM is a crucial aspect of long-term management and procedural sustainability.

Despite the growing importance of BCM, 75% of small businesses have no disaster recovery plan.

Modern organizations face increasingly complex business and operational challenges. With an increased reliance on data and network flows, information security and business continuity have become an important part of risk and crisis management. BCM consists of three core components:

  • Crisis management
  • Business recovery planning
  • IT disaster recovery

Business continuity is no longer an added extra for vigilant organizations, but a must-have service in the same ballpark as cybersecurity and IT support structures. In order to ensure your full protection, it’s important to research best practices and align your BCM objectives with the goals of your organization.

By 2021, cybercrime will cost $6 trillion per year worldwide. This represents the greatest transfer of wealth in history. Are you ready?

Chapter 2

Best practices for business continuity

Every organization has to create its own business continuity plan, with the approach and scope of the overall project needing to align with specific business requirements and constraints. Despite the highly specific nature of these requirements, there are a few well-known characteristics that lead to best-practice outcomes.

In practice, most of these elements need to be refined over time and applied in an iterative fashion to ensure a tight feedback loop between implementation and results.

  • Policies and standards – Professional BCM requires a detailed plan of attack, with policies and standards needing to be created from the outset. Different areas of BCM need to be defined, with effective programs assigned to each area based on needs and constraints.
  • Business impact analysis (BIA) – A relevant and well-prepared BIA can add value to any organization. Making policies is not enough in isolation; you also need to establish the core objectives of your recovery efforts and justify associated resources and expenses.
  • Risk identification and assessment – While anyone can benefit from BCM, the risks faced by organizations are known to differ widely. It’s important to identify and prioritize threats and failure scenarios in order to allocate your resources effectively.
  • Strategy and cost-benefit analysis – Not all continuity efforts are created equal, with a detailed cost-benefit analysis needed before you can implement specific solutions. Before you can design an effective strategy, you need to analyze your BIA and risk assessment and conduct a cost-benefit analysis.
  • Documentation – Depending on the size of your organization, extensive continuity management can get complex fast. All work needs to be documented, including risk analysis, response mechanisms, and recovery procedures.
  • Testing – Just like everything else in business, an effective BCM plan does not exist until it’s been thoroughly tested and validated within an operational context. In order to be effective, testing needs to be carried out continually across development iterations.
  • Training – Your continuity efforts are useless if they’re not applied properly. Staff awareness and training are needed for general and recovery team members, both during the early days of BCM implementation and on an ongoing basis.
  • Compliance – While BCM helps to ensure compliance and promote consistency across industry sectors, you need to adhere to existing frameworks and continuity standards within the context of your organization.

Chapter 3

Overcoming the biggest challenges of BCM

Despite the overall usefulness of BCM and associated standards, organizations need to overcome a number of challenges when it comes to implementation and delivery. Understanding these complex challenges is the key to a successful operation, with each obstacle needing an equal and opposite counter-measure.

From a lack of managerial support through to budget constraints and lack of coordination between departments, let’s take a look at the biggest challenges and how to overcome them:

Lack of support

While continuity management is always challenging, it’s pretty much impossible when you don’t have support from management. Change starts from the top, with managers and executives needing to be completely on board in order to drive change. While most executives will make appropriate moves when they need to abide by regulations, proactive measures can be harder to instigate. One of the best ways to engage executives is to carry out a detailed vulnerability analysis that highlights the link between specific risks and loss scenarios.

Budget and timeline constraints

While most businesses are prepared to invest in efficiency measures that improve operations, few are willing to invest in mitigation measures that secure against loss or damage. This short-sighted view is a type of false economy, with companies that fail to act likely to suffer the consequences. Downtime costs money, with companies spending a minimum of $926 per minute when they experience an unplanned outage, and some companies experiencing up to $17,244.

Budget constraints and short-term profit-taking are the death of many good ideas, with continuity management needing to be framed as a critical safeguard rather than an unwanted expense. Unrealistic timelines can also stop BCM in its tracks, with gradual analysis and implementation often preferred over the wholesale adoption of new procedures.

Lack of awareness and training

Like most things in business, BCM is only as strong as its weakest link. Human error accounts for 52% of all security breaches. In order to ensure a culture of readiness, it’s important to undergo training initiatives throughout your organization. Depending on the business in question, awareness and training programs should address the overall scope of the continuity program while also addressing individual procedures. Flexibility and agility are key, with training mechanisms needing to adapt and respond to technology and procedural shifts.

Too many moving pieces

Reliable continuity management demands a robust and consistent approach. Too many moving pieces can ruin the transmission and translation of knowledge, with settled companies more likely to get their message through to team members. Employee turnover can be a big problem when it comes to BCM, with changing faces often leading to a lack of procedural awareness. Inconsistent supply chains and service providers can also cause major issues, so think about developing long-term relationships and be prepared to pay a little extra for sustainable and well-coordinated business structures. 

Ongoing software development also puts additional pressure on critical systems, with most vulnerabilities taking place after software updates. There are more than 111 billion lines of new code produced each year, which creates new vulnerabilities to be exploited.

Lack of coordination

Practical coordination and efficient communication are key to all successful continuity efforts. Too many moving pieces is just one way to threaten continuity, with organizations also likely to experience weakness due to a lack of coordination and communication between departments, suppliers, and stakeholders. It’s important to develop a contact verification tool that integrates across key assets, with a web-based management system able to save you time and money. Robust BCM needs to confirm contact information and automate changes without disrupting key business processes.

Unidentified processes

In order to be effective, a continuity plan needs to identify critical processes that may lead to disruptions. Response procedures are entirely dependent on this process, with different mechanisms put in place based on the potential impact of security and crisis situations. The ability to identify, quantify and segment business processes based on real and perceived threat levels is key. Whether it’s your internal IT systems, your employees, or your infrastructure, unidentified processes are likely to fall between the cracks.

Unidentified threats

Identifying critical processes is not enough in isolation; you also need to identify threats and vulnerabilities that could impact your organization. A hazard analysis can be beneficial during this phase, with a report needed to indicate the likelihood of specific threats and their expected impact. Whether it’s adverse weather events, cybersecurity trends, or maintenance issues, it’s always important to measure threats in relation to your existing capabilities and mitigation efforts.

Insecure supply chain

Setting up a secure alternate supply chain is both highly practical and incredibly useful. While you can manage your internal procedures and team members, it’s impossible to manage all potential disruptions that can occur outside of your domain. From power and information flows through to specific business products and services, you need to develop a plan B by researching supply options and securing new partners.

Chapter 4

Auditing existing business continuity plans

Current business continuity plans are rarely enough, with most businesses focusing on particular avenues of risk management or failing to make plans altogether. Before you move ahead with BCM, you need to be realistic about where you stand and what it’s likely to mean for your organization. It’s important to audit your existing framework, identify security and continuity gaps, and make moves to develop a more comprehensive level of coverage.

According to Gartner, 35% of organizations without a mature BCM program will experience significant problems recovering from one or more mission-critical business processes in 2019.

There are a number of technical issues to address during this stage, with crisis management, business resumption planning, and IT security and disaster programs all needing their own solutions. An internal audit helps to identify potential operational problems, improve key processes and systems, and create a sustainable and iterative relationship between specific risks and key business activities. The auditing process is integral to operational resiliency and long-term sustainability.

The scope of a BCM audit

The scope of an internal audit should reflect the operational capacity and exposure of the organization. While some companies are inherently well-protected due to a lack of critical information systems, others are open to multiple risks and vulnerabilities throughout the working week. 

When organizing an audit, it’s important to consider program governance and overall program management, along with any potential procedural changes. While an accurate snapshot of your organization is critical, a moving picture of your capabilities is also required.

  • Program governance – Does your organization place enough emphasis on continuity measures? If your company culture fails to align with the objectives of BCM, positive changes are unlikely. It’s important to identify key decision-makers, reach out to potential sponsors, and engage interested stakeholders during this phase.
  • Program management – Ongoing program management needs to balance the objectives of the program with the capabilities of the organization. During this phase, it’s important to recognize conflicting interests, balance key objectives, and change ideas on the ground, so BCM is seen as an ongoing force for good.
  • Procedural changes – The success or failure of BCM is dependent on your ability to respond if things don’t go your way. Are your systems resilient in the face of change? Does your organization have the ability to adapt and evolve in response to new threats and challenges?

Along with these three principal components, a number of technical and practical fail points are likely to present themselves during the audit process. Whether it’s incompatible IT systems, inconsistent training regimens, or a disaster recovery plan that doesn’t align with your natural environment, an audit will help to uncover any potential issues before they create a snowball effect.

An audit of your current BCM is likely to include the following elements:

  • Review of current BCM measures
  • IT systems and network analysis
  • Employee and stakeholder interviews
  • Contact and verification checks
  • Recovery time definitions and reviews
  • Training materials reviewed
  • Testing procedures reviewed
  • Service providers reviewed
  • Overall readiness efforts reviewed

If you want honest feedback, an independent assessment of your internal audit can be incredibly valuable. In the vast majority of cases, the scope and scale of response mechanisms are not aligned with the challenges of the modern world.

Chapter 5

Getting organizational buy-in for BCM

BCM program leadership comes in many forms, with ownership and sponsorship roles both common along with custodianship. Anyone with extensive knowledge and visibility of key organizational elements can provide leadership, including the chief executive officer (CEO), the chief financial officer (CFO), the chief operating officer (COO), the chief risk officer (CRO), or the chief information officer (CIO).

Anyone in the executive council can take ownership of these important programs, including the senior management team and director of human resources. In order to confirm management buy-in, it’s important to highlight the importance of BCM in the modern world. There are many ways to do this, from new regulatory requirements and compliance standards through to audit findings, customer demands, and risk assessment reports.

The following methods are often used to drive or confirm management buy-in:

  • New internal policy – New internal policies often highlight the need for additional continuity measures, with modern businesses increasingly unable to distract themselves from this important issue.
  • Regulatory requirements – New compliance standards are a key driver of security and continuity. When BCM becomes a legal issue, organizations are forced to respond.
  • Customer demands – The customer is always right, with more customers and other stakeholders demanding continuity in order to protect privacy and ensure information security.
  • Lessons from high-profile companies – Organizations are often motivated to act in order to avoid the catastrophic failure experienced by other companies. High-profile cases in the media are a key driver of change.
  • Public relations – Business continuity can help to differentiate companies and give them a competitive advantage. When the right plans are developed and publicized effectively, customer and staff loyalty are both likely to increase.
  • Insurance return on investment – Depending on the organization and industry sector, BCM can help to make insurance premiums less expensive.
  • Internal audit – Regular internal audits can help to identify gaps in existing continuity coverage, especially when they’re accompanied by an independent third-party assessment.
  • Risk assessment report – A risk assessment report and corresponding business impact analysis can help to identify continuity problems and educate management on the positives of BCM. 

By identifying likely procedural interruptions and estimating the potential costs of downtime, management and executive teams will understand the real impact of not taking action. When key stakeholders understand the regulatory risk, financial risk, and reputation risk that accompany a lack of business continuity, there is only one decision left to make. Are you doing enough to ensure the long-term safety and success of your organization? If you want to learn more about business continuity management, please contact ISG to discuss your requirements.