What is Business Continuity?

    November 13, 2019

    By Dr Sandra Bell, Head of Resilience Consulting - Sungard AS

    Why Business Continuity?

    If you had to imagine a worst-case scenario event for your business, what would it look like? It could be a major data breach, which is becoming more frequent across different industries, a malware attack, or perhaps even a natural disaster - all potentially catastrophic and certainly disruption-causing scenarios that any business owner would want to keep at bay.

    The truth is that while catastrophic incidents are thankfully rare, operational disruptions, caused by incidents such as power outages, hardware failures, floods and fire happen all too frequently in the business world. Businesses that don't plan ahead risk facing anything ranging from operational disruption to significant financial losses, and even business closure. Therefore, an organization's overall approach to managing risks and threats should include Business Continuity.

    Business Continuity is a tried and tested methodology that allows an organization to protect and continue value creating operations in the event of a disruption and is a key discipline that sits at the heart of being able to survive and thrive despite incidents large and small.

    Breaking Down Business Continuity Planning

    Business continuity supports the strategic objectives of an organization by identifying its priorities and proactively building the capability to continue activities that support those priorities in the event of a disruption. It is an on-going process of continuous improvement that reflects the internal and external operating environment and, if implemented and maintained correctly, is not simply a tick-box compliance exercise or a rainy-day insurance policy but something that delivers day-to-day measurable value to an organization.

    A Business Continuity programme typically contains a lifecycle implementation phase followed by a maintenance phase.

    The lifecycle implementation phase focusses on setting up the management structures, plans, processes and solutions required to address disruptive threats and includes the following activities:

    • Business Impact and Risk Assessment (BIRA) to determine the critical activities undertaken in support of the organization's key products and services, the impacts associated with their interruption, their vulnerabilities and the timescales for their resumption together with required resources and the major risks to those activities.
    • BC Strategy Development, namely the exploration of options to implement risk controls and mitigate negative impacts. There are many well established business continuity solutions but the main four are:
      • Diversification: for example having a separate location where the activity occurs in parallel so if one location is lost the work can carry on at another location.
      • Replication: for example having an operational copy of an IT system and its data held in a separate location that is periodically synchronized with the live version and needs switching to be made live.
      • Standby: a separate premises that has some of the facilities required to undertake an activity, but additional facilities will be required before the activity can be undertaken. For example, a physical premises but where an operational copy of the IT system to support the activities of the people is held in together with a backup of its data that needs to be loaded and tested with manual switching to be made live.
      • Post-incident acquisition: where suitable premises can be acquired which may or may not already have the facilities required to undertake an activity.
    • BC Plans that provide a clear framework for decision-making and the implementation of recovery activities following a disruption (including plans for disruption due to cyber-attacks). The structure and framework of the plans should be tailored to the specific needs of the organization but should abide by the following principles:
      • Direct: Providing clear, action orientated and time-based direction. Provide quick access to vital information.
      • Adaptable: Enable the organization to respond to a wide range of incidents, including those that have not been anticipated.
      • Concise: Contain only guidance, information and tools that are likely to be used by the team during an incident.
      • Relevant: Provide information that is current and useful to the team using the plan.

    Implementing and maintaining business continuity (BC) within an organization is no easy task. While the theory is reasonably straightforward, the practice is frequently beset by conflicting priorities and agendas as well as resource and time constraints. Being able to rely on a consulting practice that has experience of successfully implementing and managing disaster recovery (DR) and BC programs means that achieving effective continuity capabilities in line with corporate policy and regulatory requirements can be achieved effectively, efficiently and in line with industry good practice.

    Bringing in independent consultants to carry out a Business Impact Analysis (BIA) can reveal the areas where you are most vulnerable and what measures you need to implement to ensure that your organization is prepared. It will give you confidence that your company's operational risk and resilience strategies will work effectively if they are activated at a time of need.

    Why Your Organization Needs A Business Continuity Program

    Events can have devastating effects on businesses of any size but for some, this translates to ceasing trading altogether as the disruption proves too big to recover from.

    In 2014, the Federal Emergency Management Agency (FEMA) found that more than 40% of businesses never reopen following a disaster and from those that do, only 29% were still operational after two years. The predicted prospects for businesses that lose information technology for nine days or more following a disaster are even bleaker: bankruptcy within a year.

    Digital disruptions and malicious cyber-attacks are devastating ever more businesses and organizations globally. In 2017 WannaCry, the ransomware virus, crippled over 200,000 computers in 150 countries, encrypting files and making them impossible to access. A bitcoin ransomware payment was demanded to restore full access. WannaCry was eventually curtailed but it's just one example of what is now becoming a more frequent cyber-occurrence.

    More sophisticated cyber-attacks have occurred and their rate is predicted to increase, and cyber criminals will go after the easiest targets, or simply put, organizations that have failed to identify and repair their digital security gaps. This is also more formally known as the 'resiliency perception gap' whereby the perception of an organization's resilience strategies towards disruptions doesn't match how successful these strategies actually are at preventing or deterring them.

    It is therefore essential to conduct comprehensive risk assessments frequently and have a robust business continuity plan in place to protect your business. No business can afford to operate at reduced capacity for long periods of time following a disruption or disaster - a business continuity plan will provide support in restoring function, addressing board and stakeholders as well as reassuring customers. Business continuity planning is then further exemplary of effective risk management.

    Insurance companies and auditors across multiple industries often require evidence of a business continuity program. Having a robust continuity strategy will address any compliance requirements, catering to shareholders who expect to see some affirmations of a continuity plan in place as part of your organization's due diligence.

    Planning is key if you wish to dramatically increase the odds of business continuity when facing a disruption that's why the core of every good continuity plan is frequent training and annual plan testing.

    From training videos to relocation exercises that will test your off-site recovery capabilities, your business needs to take a risk-based approach to ensure resiliency. Staff and stakeholders should know their roles and responsibilities, so if a catastrophe does occur, they'll be able to respond quickly and accurately.

    Other Posts You Might Be Interested In