This is not a Drill
With the COVID-19 global pandemic now in full effect, the execution of Business Continuity Plans (BCPs) has taken the forefront in the past few months. Organizations are having to rely heavily on the effectiveness of their BCPs. For companies, business continuity plans are like the insurance you hope to never claim, yet their importance can never be overstated. The truth is, even with the best-run drills and rehearsals, nothing can really prepare us for the real thing. The chaos and panic induced by the need to activate BCPs can sometimes distract us from initiating an effective plan.
There are some essential elements that must be completed to provide reasonable assurance of your BCP's effectiveness. These include the following:
Risk Assessment - involves the process of identifying the potential risks to the organization, assessing the critical functions necessary for the organization to continue business operations, defining controls in place to reduce exposure and evaluating the cost of such controls.
Business Impact Assessment - must be performed to assess the overall financial exposures and operational effects resulting from a disruption in business activities. The BIA should identify and help to prioritize the critical business processes supported by the IS infrastructure including, but not limited to, a cost-benefit analysis of controls in different disruption scenarios.
There are other factors contributing to the overall effectiveness of a Business Continuity Plan, and as such, a BCP must:
Be understandable, easy to use and maintain.
Identify critical information resources related to core business processes.
Assess each business process to determine its criticality. Indications of criticality include:
The process supports lives or people’s health and safety.
The process is required to meet legal or statutory requirements.
Disruption of the process would affect revenue.
There is a potential impact to business reputation, including that of the customers.
Validate recovery time objectives (RTOs) and recovery point objectives (RPOs) for various systems and their conformance to business objectives.
Identify the conditions that activate the contingency plan.
Identify which resources will be available in the contingency stage and the order in which they will be recovered.
Identify the enablers (people and resources) required for recovery.
Select project teams in accordance with technological and business environments to provide reasonable representation of core and critical functional areas to develop the plan.
Identify the methods of communication between enablers, support staff and employees.
Identify geographical conditions related to the recovery of operations.
Define recovery requirements from the perspective of business functions.
Develop a comprehensive BCP test approach that includes management, operational and technical testing.
Identify mechanisms and decision makers for changing recovery priorities resulting from additional or reduced resources as compared to the original plan.
Covering the aforementioned factors within your business continuity plan is no indication of how effective execution will be; however, it does provide a solid basis for BCP development.
So are we covered?
With all the focus on cybersecurity, it is ironic that an influenza virus is the threat that is causing such adverse impact on people and businesses worldwide. I mean, how do you firewall the flu? For now, the world will travel to work digitally via video/audio conferencing or Virtual Private Network (VPN). As a result, the demand for and dependence on IT infrastructure across the globe have increased significantly over the past few weeks.
Meanwhile, the benefits of cloud computing are even more evident considering recent events. With two of its main features being availability and scalability, businesses can now place critical processes in cloud environments while improving BCP effectiveness. Whichever BCP strategy is adopted by your organization, it is pertinent to ensure that the strategy being employed is best suited for the business and its operating environment.