Any organisation can face significant downtime, data loss and employee displacement if unprepared when a disaster strikes. All of these scenarios can have a serious and detrimental impact on the viability of a business. On that basis, detailed and thorough planning for them can help companies identify risks and take relevant steps to manage them, as Dr Sandra Bell describes.
Business continuity supports the strategic objectives of an organisation by identifying its priorities and proactively building the capability to continue activities that support those priorities in the event of a disruption. It’s an ongoing process of continuous improvement that reflects the internal and external operating environment. If implemented and maintained correctly, business continuity isn’t simply a ‘tick-box’ compliance exercise or a rainy day insurance policy, but rather something that can deliver day-to-day measurable value to an organisation.
Managing risk is a normal part of doing business. One of the roles of the executive is to make sure that the organisation is best placed to reap the opportunities from any uncertain situation rather than suffer disruption because of it. This requires understanding the threats that the business faces, the vulnerabilities of the organisation and the business impact that could result if the threats coincided with the vulnerabilities, and then taking action to reduce the potential downside of the risk without compromising the upside.
For example, it may be logistically or economically advantageous to locate business operations near a river or rely on a migrant workforce for seasonal work. However, in such cases it would be negligent not to take steps to minimise the probability of flooding by ensuring essential services were not on the ground floor, or to ensure that there was a ready pool of seasonal workers so that issues such as Brexit didn’t adversely impact the business.
Likewise, cyber criminality is rapidly increasing at the same time that businesses are becoming more and more reliant on IT and, therefore, technical security measures are a necessity.
Although such measures will undoubtedly reduce the probability of disruption, they will never eliminate it completely and, therefore, organisations need to be prepared to respond to both disruptions that they can anticipate and those that they don’t.
However, implementing a business continuity programme is only half the battle. There are certain things organisations should avoid doing in order to ensure their responses to disruptions are not rendered ineffective.
Managing the wrong risks
Human risk perception is notoriously flawed. We’re pre-programmed to fear risks with the largest negative impact and are more accepting of risks that we have most control over. For example, air travel is one of the safest forms of transport, yet more people fear it than travelling by car. We apply the same biases to our businesses.
However, there are two dimensions to risk: likelihood and impact. When assessing what may disrupt our business and what to invest in to prevent it happening we need to take both dimensions into account. For example, Sungard Availability Services’ invocation statistics show that power outages, network issues and hardware failures account for nearly two-thirds of all business interruptions, yet organisations often ignore these risks and invest in measures for the more exotic risks such as terrorism and targeted cyber attacks.
Therefore, don’t fall into the trap of concentrating on a narrow set of extreme risks. Rather, employ a formal risk assessment method and be clinical, as opposed to emotional, about what you protect.
Failing to update
The risk landscape is constantly changing. Out-of-date measures will almost certainly leave a company vulnerable and unable to respond to and recover from a disruption effectively.
Lack of testing and exercising
As well as keeping the business continuity measures up-to-date, it’s also important to practise implementing them through frequent exercising and testing. Doing so several times each year will allow businesses to see if the business continuity programme is working and if there are areas of weakness that need modification.
Threats change and evolve, becoming more sophisticated every year. Therefore, testing the measures often will ensure your members of staff remain aware of the risks that the business faces and what to do if they materialise.
Not backing up
In the event of a business disruption, organisations may be reliant on back-up data, which could be stored at a different secure location. This practice is a front line weapon when it comes to defending against threats such as cyber attacks and should form a central pillar of any business continuity programme.
If back-ups of data that’s necessary for business recovery do not happen regularly, companies could find that data is rendered useless because it’s out-of-date. Make sure to keep backed-up data secure and always look out for any errors and risks.
Finally, back-up data is only of any use if you have an alternative means to process it. Therefore, measures should be put in place to recover priority applications and systems or have alternatives in place should recovery take too long.
Not training the whole organisation on continuity
Failure to make everyone aware of the risks that the business faces, what to do in the event of disruption and the priorities of the business can leave companies vulnerable no matter how comprehensive their business continuity capability is in the real world.
It’s vital for everyone to know what to do in an emergency, whether it’s a natural disaster or a massive data breach. An organisation’s staff are the first line of defence. They are the first to identify when things are going wrong and they’re the experts in knowing how to prevent disruptions escalating to crisis situations.
A successful continuity programme is one that involves everyone in the organisation and harnesses their expertise.
Not identifying the priority activities
Everything that a business does is important. Some activities contribute directly to the creation of products and services that are sold to create profit, while some are associated with Corporate Social Responsibility or staff and community welfare.
Unfortunately, at the time of disruption an organisation needs to prioritise its activities. Failure to prioritise, or otherwise agree those priorities, will result in people pulling in different directions.
An integral part of any business continuity programme is the business impact analysis that identifies the business processes associated with the priority products and services together with their dependencies (such as IT applications and people). This analysis allows organisations to map which systems are critical to the continued operation and which should be prioritised in terms of risk management and budget allocation. This is an instance of working smarter, not harder and ensuring that key systems are effectively protected and swiftly recoverable following disruption so as to restore normal business function.
Implementing and maintaining business continuity to cope with cyber attacks or other disasters within an organisation is no easy task. While the theory is reasonably straightforward, the practice is frequently beset by conflicting priorities and agendas as well as resource and time constraints.
Being able to rely on a consulting practice that has experience of successfully implementing and managing disaster recovery and business continuity programmes means that continuity capabilities in line with corporate policy and regulatory requirements can be achieved effectively and efficiently and, importantly, in line with industry good practice.
Dr Sandra Bell is Head of Resilience Consulting (EMEA) at Sungard Availability Services