One thing Covid-19 has taught us is that companies must have provisions in place to be able to continue operating during an unplanned disruption. As we learn to live with the pandemic, many will be looking to the future and starting to prepare for the next unforeseen scenario.
A business continuity plan (BCP) is an essential document for all companies looking to make provisions for unforeseen operational interruptions. Having a contingency plan that incorporates all facets of your business will be key for maintaining profits and reputation. Preparing for the unknown brings added complications, whether it be extreme weather events, cyberattacks - or perhaps most topically, a pandemic.
Following a step-by-step process can galvanise critical business functions and put into action steps for recovery. There are six key considerations:
1. The practicalities of your business
Regardless of the size of a company, it is critical to have a plan that fits within the scope of your resources and outputs. It’s important to have a fundamental understanding of the intricate needs of all aspects of your business before anything is put in place.
No two businesses are alike, and it would be a mistake to produce a generic BCP that doesn’t cover key business areas. The challenges facing a transnational corporation operating across multiple service lines will be very different to those facing a start-up with 20 employees. For example, larger organisations will require a lot more risk analysis and data back-ups, outlined in a comprehensive document that strategises the next steps in an unforeseen event. This wouldn’t necessarily be required for a smaller business.
Another key consideration is understanding the severity of a potential event. How long can a particular scenario go on for before your business feels major impacts? The responses will differ across an organisation, and your BCP should reflect this. Covid, for example, necessitated long periods of remote working, whereas a power cut that lasts half a day requires a different response. The longer the event disrupts operations, the greater the preparations have to be to ensure business continuation.
2. The role of analytics and threat detection
Data and analytics can play a crucial role in building a resilient BCP for unforeseen issues. Data enables business leaders to understand the complexities of their operations, including how employees are working, how customers are engaging, and how efficient operations are. Having an abundance of high-quality data is pivotal when creating a robust BCP and relies on the best practices and highly skilful analysts to extract accurate information.
Moreover, analytics can play a part in identifying potential weak points and threats. Analysts can gather information about the kinds of threats that an organisation is vulnerable to, as well as the probability of each one happening.
From here, businesses can prepare a detailed report for any relevant threats and set in place protocols and systems to limit disruption. This includes a business impact analysis (BIA) which helps determine how the loss of different functions and processes during a crisis can impact operations.
It helps the senior management team to assess the financial impact of losing individual departments, aiding decision-making on which key functions to restore first so that operations can be restored as efficiently as possible. The financial prioritisation of invoicing, orders, salary payments, payment of suppliers, etc. must take precedence to secure business interests and protect profitability.
3. Data storage and back-ups
Digital back-ups are the foundation for protecting business interests from cyberattacks, hardware/natural disaster - or even human error. Having an effective remote access system, linked to numerous data centres, ensures that businesses are not reliant on a single copy.
Where Covid has necessitated remote working, many organisations have had to improve this facet of their BCP anyway. But ensuring there are ample restoration points and digital back-ups of important data and documents for operations across a range of locations can ensure that the business can still access the necessary information to continue working.
This brings with it cybersecurity concerns about remote access and unprotected networks. Basic cybersecurity practices are the best way to ensure that data is protected and operations are not compromised by outside forces. This has become increasingly prevalent with remote working, where employees are not aware of these issues and can unwittingly facilitate a data breach. As part of a BCP, features such as multifactor authentication, usage of virtual private networks (VPNs), and ‘zero trust’ solutions are the best ways to protect your business from cyber disruptions.
4. Recovery time objective and recovery point objective
There are some clear indicators for an effective BCP. When a disruption occurs, it’s essential to recover any data that is lost as a result. The recovery time objective (RTO) of a business is the maximum time allowed to restore it to a fully functional status after an event, with the aim of keeping that time as short as possible. Similarly, the recovery point objective (RPO) measures how up to date recovered files must be to maintain operations. These benchmarks provide tangible metrics, offer an indication of how robust a BCP is, and should be considered when implementing and updating data policy.
5. Stress testing
Stress testing your BCP is a way of ensuring you’re adequately protected from a disaster - yet not over-servicing and overpaying for protection that your size and scale do not warrant. Stress testing your plan will highlight any fragilities and allow you to reconsider and reallocate resources to this area. Having this knowledge is key, so any failures in your BCP are better off being exposed in a test rather than in a real-life scenario.
This should be done continuously as your business evolves and new challenges appear. A BCP needs to match changes within a business to sufficiently make provisions for any future incidents. A managed service provider (MSP) can help stress-test your plan and report back on any failings. As IT experts they can then offer solutions and consultancy on the best plan for you – which should be scalable and bespoke to the needs of the business.
With the considerations discussed, protocols must be implemented to ensure that the key processes continue functioning in a crisis. It is important that someone is in charge of the BCP and is able to implement it should the need arise. Its usage is often time-critical and requires expert handling. The leader should be well-trained and able to execute the BCP in the moment, acting rationally and thinking clearly in what can often be a high-pressure scenario.
By ensuring you have a clear hierarchy of responsibility for enacting your business’s BCP, you can minimise disruption and maintain operations across key business components.
This accountability is key in ensuring that procedures are followed properly and that there is ownership during an incident. Supporting this should be extensive documentation for all processes that need to be followed, along with an up-to-date, secure contact list that is accessible so that roles and responsibilities can be shared with key personnel. Effective administration and bureaucracy are critical in ensuring that your BCP isn’t just a box-ticking exercise and is a fundamental element of your business’s development.
The role of an MSP
There are many considerations that businesses must take when creating a BCP.
With so many aspects of a business that can all be affected by a disruption, combined with the technological detail required to efficiently protect operations, it can take a lot of time and resources to create an effective BCP.
This is where an MSP can help your business maximise the potential of your BCP. As experts, they can provide a comprehensive review of your business and the threats it may face, followed by the implementation of the latest solutions, practices and training to make sure that you stay compliant with regulations and protected from unforeseen disasters. It’s important that an MSP has a thorough understanding of a business’s capabilities before creating a BCP, as there isn’t a ‘one-size-fits-all’ solution.
Ultimately, a BCP should act in the same way as insurance. You hope to never have to use it, but when you do, it’s critical that you have it and it is comprehensive enough to cover operations. There are many considerations to take into account, ranging from digital to personnel, and navigating this can be hard. However, it is imperative that you are prepared for any unexpected incidents, and your BCP is robust.
About the Author:
Roger Leyland is technical services director at ISN Solutions