Business Continuity Strategy Planning: The Six Mistakes to Avoid

Any organisation can face significant downtime, data loss and employee displacement if unprepared when a disaster strikes. All of these scenarios can have a serious and detrimental impact on the viability of a business. On that basis, detailed and thorough planning for them can help companies identify risks and take relevant steps to manage them, as Dr Sandra Bell describes.

Business continuity supports the strategic objectives of an organisation by identifying its priorities and proactively building the capability to continue activities that support those priorities in the event of a disruption. It’s an ongoing process of continuous improvement that reflects the internal and external operating environment. If implemented and maintained correctly, business continuity isn’t simply a ‘tick-box’ compliance exercise or a rainy day insurance policy, but rather something that can deliver day-to-day measurable value to an organisation.

Managing risk is a normal part of doing business. One of the roles of the executive is to make sure that the organisation is best placed to reap the opportunities from any uncertain situation rather than suffer disruption because of it. This requires understanding the threats that the business faces, the vulnerabilities of the organisation and the business impact that could result if the threats coincided with the vulnerabilities and then taking action to reduce the potential downside of the risk without compromising the upside.

For example, it may be logistically or economically advantageous to locate business operations near a river or to rely on a migrant workforce for seasonal work. However, in such cases it would be negligent not to take steps to minimise the probability of flooding by ensuring essential services were not on the ground floor, or not to ensure that there was a ready pool of seasonal workers so that issues such as Brexit didn’t adversely impact the business.

Likewise, cyber criminality is rapidly increasing at the same time that businesses are becoming more and more reliant on IT and, therefore, technical security measures are a necessity.

Although such measures will undoubtedly reduce the probability of disruption, they will never eliminate it completely and, therefore, organisations need to be prepared to respond to both disruptions that they can anticipate and those that they don’t.

However, implementing a business continuity programme is only half the battle, and there are certain things organisations should avoid doing in order to ensure their responses to disruptions are not rendered ineffective.

Managing the wrong risks

Human risk perception is notoriously flawed. We’re pre-programmed to fear risks with the largest negative impact and are more accepting of risks that we have most control over. For example, air travel is one of the safest forms of transport, yet more people fear it than travelling by car. We apply the same biases to our businesses.

However, there are two dimensions to risk: likelihood and impact. When assessing what may disrupt our business and what to invest in to prevent it happening we need to take both dimensions into account. For example, Sungard Availability Services’ invocation statistics show that power outages, network issues and hardware failures account for nearly two-thirds of all business interruptions, yet organisations often ignore these risks and invest in measures for the more exotic risks such as terrorism and targeted cyber attacks.

Therefore, don’t fall into the trap of concentrating on a narrow set of extreme risks. Rather, employ a formal risk assessment method and be clinical, as opposed to emotional, about what you protect.

Failing to update

If organisations already have business continuity measures in place, then they’re ahead of the game, but they still need to be reviewed and maintained on a regular basis.

The risk landscape is constantly changing. Out-of-date measures will almost certainly leave a company vulnerable and unable to respond to and recover from a disruption effectively.

Lack of testing and exercising

As well as keeping the business continuity measures up to date, it’s also important to practise implementing them through frequent exercising and testing. Doing so several times each year will allow businesses to see if the business continuity programme is working and if there are areas of weakness that need modification.

Threats change and evolve, becoming more sophisticated every year. Therefore, testing the measures often will ensure your members of staff remain aware of the risks that the business faces and what to do if they materialise.

Not backing up

In the event of a business disruption, organisations may be reliant on back-up data, which could be stored at a different secure location. This practice is a front line weapon when it comes to defending against threats such as cyber attacks and should form a central pillar of any business continuity programme.

If back-ups of data that’s necessary for business recovery do not happen regularly, companies could find that data is rendered useless because it’s out-of-date. Make sure to keep backed-up data secure and always look out for any errors and risks.

Finally, back-up data is only of any use if you have an alternative means to process it. Therefore, measures should be put in place to recover priority applications and systems, or to have alternatives in place should recovery take too long.

Not training the whole organisation on continuity

Failure to make everyone aware of the risks that the business faces, what to do in the event of disruption and the priorities of the business can leave companies vulnerable no matter how comprehensive their business continuity capability is in the real world.

It’s vital for everyone to know what to do in an emergency, whether it’s a natural disaster or a massive data breach. An organisation’s staff are the first line of defence. They are the first to identify when things are going wrong and they’re the experts in knowing how to prevent disruptions escalating to crisis situations.

A successful continuity programme is one involving everyone in the organisation and harnesses their expertise.

Not identifying the priority activities

Everything that a business does is important. Some activities contribute directly to the creation of products and services that are sold to create profit, while some are associated with Corporate Social Responsibility or staff and community welfare.

Unfortunately, at the time of a disruption an organisation needs to prioritise its activities. Failure to prioritise, or otherwise agree those priorities, will result in people pulling in different directions.

An integral part of any business continuity programme is the business impact analysis, which identifies the business processes associated with the priority products and services together with their dependencies (such as IT applications and people). This analysis allows organisations to map which systems are critical to continued operation and which should be prioritised in terms of risk management and budget allocation. This is an instance of working smarter, not harder, and of ensuring that key systems are effectively protected and swiftly recoverable following disruption so as to restore normal business function.

Implementing and maintaining business continuity to cope with cyber attacks or other disasters within an organisation is no easy task. While the theory is reasonably straightforward, the practice is frequently beset by conflicting priorities and agendas as well as resource and time constraints.

Being able to rely on a consulting practice that has experience of successfully implementing and managing disaster recovery and business continuity programmes means that effective continuity capabilities, in line with corporate policy and regulatory requirements, can be achieved efficiently and, importantly, in line with industry good practice.

Dr Sandra Bell is Head of Resilience Consulting (EMEA) at Sungard Availability Services

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.