- Security TWENTY
- Women in Security Awards
Sandra Bell, Head of Resilience Consulting EMEA at the data centre and IT services firm Sungard AS, covers six business continuity strategy planning mistakes to avoid.
Any organisation can face significant downtime, data loss and employee displacement if unprepared when a disaster strikes. All of these can have a serious and detrimental impact on the viability of a business. So, planning for them can help companies identify risks and take relevant steps to manage them.
Business continuity supports the strategic objectives of an organisation by identifying its priorities and proactively building the capability to continue activities that support those priorities in the event of a disruption. It is an on-going process of continuous improvement that reflects the internal and external operating environment. If implemented and maintained correctly, is not simply a tick-box compliance exercise or a rainy-day insurance policy, but something that can deliver day-to-day measurable value to an organisation.
Managing risk is a normal part of doing business and one of the roles of the executive is to make sure that the organisation is best placed to reap the opportunities from any uncertain situation rather than suffer disruption because of it. This requires understanding the threats that the business faces, the vulnerabilities of the organisation and the business impact that could result if the threats coincided with the vulnerabilities and then taking action to reduce the potential downside of the risk without compromising the upside. For example, it may be logistically or economically advantageous to locate business operations near a river or rely on a migrant workforce for seasonal work.
However, in such cases it would be negligent not to take steps to minimise the probability of flooding by ensuring essential services were not on the ground floor or ensure that there was a ready pool of seasonal workers so that issues such as Brexit did not adversely impact the business. Likewise, cyber criminality is rapidly increasing at the same time that businesses are becoming more and more reliant on information technology and therefore technical security measures are a necessity. Although, such measures will undoubtedly reduce the probability of disruption, they will never eliminate it completely and therefore organisations needs to be prepared to respond to both disruptions that they can anticipate and those that they don’t.
However, implementing a business continuity programme is only half the battle though, and there are certain things organisations should avoid doing to ensure their responses to disruptions aren’t rendered ineffective.
1. Managing the wrong risks
Human risk perception is notoriously flawed. We are pre-programmed to fear risks with the largest negative impact and are more accepting of risks that we have most control over. For example air travel is one of the safest forms of transport, yet more people fear it than travelling by car. We apply the same biases to our businesses. However, there are two dimensions to risk: likelihood and impact and when assessing what may disrupt our business and what to invest in to prevent it happening we need to take both dimensions into account. For example, Sungard AS invocation statistics show that power outages, network issues and hardware failures account for nearly two thirds of all business interruptions yet organisations often ignore these risks and invest in measures for the more exotic risks such as terrorism and targeted cyber attacks. Therefore, don’t fall into the trap of concentrating on a narrow set of extreme risks: employ a formal risk assessment method and be clinical, as opposed to emotional, about what you protect.
2. Failing to update
If organisations already have business continuity measures in place, then they’re ahead of the game but they still need to be reviewed and maintained on a regular basis. The risk landscape is constantly changing,. Out of date measures will almost certainly leave a company vulnerable and unable to effectively respond and recover to a disruption.
3. Lack of testing and exercising
As well as keeping the business continuity measures up to date, it’s also important to practice implementing them through frequent exercising and testing. Several times a year will allow businesses to see if the business continuity programme is working and if there are areas of weakness that need modification. Threats change and evolve, becoming more sophisticated every year, therefore testing the measures often will ensure your staff remain aware of the risks that the business faces and what to do if they materialise.
4. Not backing up
In the event of a business disruption, organisations may be reliant on backup data, which could be stored at a different secure location. This practice is a frontline weapon when it comes to defending against threats such as cyberattacks and should form a central pillar of any business continuity programme. If backups of data that is necessary for business recovery do not happen regularly, companies could find that data is rendered useless because it’s out of date. Make sure to keep backed up data secure and look out for any errors and risks. Finally, backup data is only of any use if you have an alternative means to process it and therefore measures should be put in place to recover priority applications and systems or have alternatives in place should recover take too long.
5. Not training the whole organisation on continuity
Failure to make everyone aware of the risks that the business faces, what to do in the event of disruption and the priorities of the business can leave companies vulnerable no matter how comprehensive their business continuity capability is. It’s vital for everyone to know what to do in an emergency – whether it’s a natural disaster or a massive data breach. An organisations staff are the first line of defence. They are the first to identify when things are going wrong and they are the experts in knowing how to prevent disruptions escalating to crisis situations. A successful continuity programme is one involves everyone in the organisation and harnesses their expertise.
6. Not identifying the priority activities
Everything that a business does is important. Some activities contribute directly to the creation of products and services that are sold to create profit, whilst some are associated with corporate social responsibility or staff and community welfare. Unfortunately, at the time of disruption an organisation needs to prioritise its activities. Failure to prioritise, or agree those priorities will result on people pulling in different directions. An integral part of any business continuity programme is the Business Impact Analysis (BIA) that identifies the business processes associated with the priority products and services together with their dependencies such as IT applications and people. This analysis allows organisations map which systems are critical to the continued operation and which should be prioritised in terms of risk-management and budget allocation. This is an instance of working smarter, not harder and ensuring that key systems are effectively protected and swiftly recoverable following disruption to restore normal business function.
Implementing and maintaining business continuity to cope with cyber-attacks or other disasters within an organisation is no easy task. While the theory is reasonably straightforward, the practice is frequently beset by conflicting priorities and agendas as well as resource and time constraints.
Being able to rely on a consulting practice that has experience of successfully implementing and managing disaster recovery and business continuity programmes means that achieving effective continuity capabilities in line with corporate policy and regulatory requirements can be achieved effectively, efficiently and in line with industry good practice.