What is a Business Continuity Plan?
Have you ever considered what would happen to your business in an IT Or Cyber Security Emergency? How would you respond? What plans do you currently have in place so that you know exactly what to do when it happens, without having to think through a plan? That’s essentially what a Business Continuity Plan is; how your business will handle different situations that can affect your daily operations.
This is not meant to be an exhaustive framework for an Enterprise level Business Continuity Plan (BCP in industry terms), but rather a helpful primer on how to begin putting in place some basic contingencies for critical incident and disaster recovery. Having conducted many IT & Cyber Security Assessments and Audits, we see that most clients have some basic semblance of a plan in place to deal with force majeure incidents, often these are derived from other sources such as the building they’re in and what that mandates, but rarely is anything written down in a set of comprehensive instructions for staff to follow.
How to Start a Business Continuity Plan
While it’s imperative to start to build a basic, but formal BCP, the best place to start is to have a conversation with a team of key internal stakeholders. The conversation should go as follows:
Question 1.) “Team – what kinds of things can happen that could cause us to lose clients or have to go out of business?”
Brainstorm a list, then vote on the top 3-5.
Question 2.) “Team, what if we can’t get into the building for an extended period of time?”
and see what the responses around the table are. It’s well documented that just having this conversion puts teams on a much better footing to respond effectively, often cutting the time to recover and losses/damages down significantly.
A quote from the fine folks at Armanino LLP on this topic: “Unlike a natural disaster with immediate effects that tend to last a few days, a virus pandemic can cause disruptions for weeks and months. This extended period makes short-term planning difficult and reinforces the importance of building adaptability into your plans. But note, you shouldn’t let this adaptability lead to inaction. A common mistake that many companies make when faced with several choices, none of which may be optimal, is not deciding anything. This indecision costs valuable time in the earliest stages of a potential crisis.” As this is written at the time of the COVID-19 unraveling, it’s worth noting, that while most firms are now temporarily forced to work remotely, they can still get into the building if need be; our planning discussion centers on more severe situations.
Question 3: “Team, what if email and or our file repository is down for an extended period of time, or we have a RansomWare incident?”
What the question is driving at are two things: 1. “How long can we go without this critical asset before we start losing clients and it becomes terminal to our ability to stay in business?” Is that period of time a week or a month? The answer becomes your Recovery Time Objective or RTO. 2.“How much of our data can we afford to go without, or lose, before we start losing clients and before it becomes terminal to our ability to stay in business? What is that amount of data, e.g. all client data for the current year?” This unit of measurement becomes your Recovery Point Objective or RPO (More on RPO/RTO in a separate article later) Once you have talked through the scenarios you wrote down in question 1, use the chart below to prioritize the items based on probability and severity. The ones that fall into the medium and high squares are the ones you should have contingency plans for.
A helpful rubric below to be used for each type of incident:
- Critical Assets Affected: what? who?
- Consequence/s:
- Contingency Plan/Mitigation Strategies & Workarounds:
- Pre-incident preparation:
- Action to be taken post-incident:
- Status:
- Notes:
For example, when we begin working with a client, we always ask: “who do we call first in an emergency? If they’re not available, who do we try second? If they’re also not available who do we call third?” We often know before the client does that one of the systems is experiencing trouble, in the event of a serious incident, we may need to go on-site after hours to begin troubleshooting that which cannot be resolved remotely. Will we have a way to enter the premises off-hours?, etc. etc. Be prepared to think through how this would work in your organization.
If you’d like our help with any of the above, please reach out to start a conversation: alex@p20inc.com or contact us. We also have several free guides and books available on our Resources page.