Can your business survive disruption?
Veronica Rose, CISA, CDPSE
IT Auditor | Published Author | Board Director at ISACA Foundation | Digital Trust Professional | Director, ISACA Board of Directors 2021 - 2022 | Speaker | Member of NACD
Sustainability of any business begins with accepting that disasters will happen. So, will your organisation continue after a minor or major disaster? If you have these questions in mind, start thinking about Business Continuity planning and management (BCP). Don’t have a disaster response team? Assemble one as soon as possible.
Business Continuity Planning mainly assesses existing business operations, the risks to these operations and the company’s preparedness in case these operations are disrupted.
It develops an integrated approach to ensure that critical operations and processes continue to function after a disruption, e.g. an incident or disaster such as a natural event, a fire, the demise of shareholders or the CEO, or a cyber-attack.
After developing the BCP, you may need to consider the following ways to test it:
a) Simulation
Simulation testing methods address the recovery and restoration aspects of the plan through seemingly real-life scenarios. Build your continuity simulation by creating scenarios that feel real and address key components of the Business Continuity Plan. Form testing teams and assign each a specific scenario that its members will enact using the facilities, equipment, and supplies available to them. If you can create cascading scenarios – ones that overlap and require inputs from or depend on processes to be completed by other testing teams – your simulation will be a better true-to-life representation of a business-interruption event or disaster.
Members of the company’s disaster response team should evaluate overall company response performance based on the simulation, determine how well teams were able to effectively carry out critical functions of the Business Continuity Plan, and identify key improvements and lessons learned to incorporate in the Business Continuity Plan and implementation procedures.
b) Walk-through
A walk-through or run-through promotes both procedural and muscle memory. Recall the fire drills and tornado drills of your elementary school days. Drills were conducted as a live activity rather than a verbal this-is-what-we-would-do review. The reason for this may be intuitive but studies show that active practice facilitates more efficient internalization of procedures, and key process components have a much higher likelihood of cognitive transfer from working to long-term memory. What that boils down to is simply that your employees will care about it more and remember it longer.
Consider a structured walk-through with department heads to make sure that key points of command and delegation points to internal teams know precisely what to do in an emergency. Elect a team leader from each department and have each form their own testing team, which should have extra duties and responsibilities (like evacuating the building) and will likely require extra rehearsal. After testing, department team leaders should discuss findings and then draft a unified report on plan efficacy and suggestions for improvement.
Walk-throughs are not just for the human parts of the plan. Kick off boot sequences, scripted and automated contingencies, data replication tasks, stand-by server switch-overs, cloud backup and data validation; whatever key technical components fall into your operations and continuity plan procedures. And then measure key continuity performance indicators (KCPIs) to report and leverage in your plan’s overall evaluation, such as quality or viability and speed to accessibility.
c) Wrap-up
Use the results from your checklists, simulations and walk-throughs to identify your BCP’s strengths and weaknesses, signal gaps between your plan and your company’s current state of strategy and capability, determine how well your personnel can comply with the plan, and assess how ready you are for a disaster now that you’ve done the work of creating the BCP.
If testing your plan feels overwhelming, you aren’t alone. Many BCPs are developed and then abandoned due to hesitation around the critical and final component of testing. Whichever way your organisation chooses, the test results will give assurance on the continuity of business in the event of a disaster. The BCP journey of a thousand tests begins with a single checklist, so start planning your Business Continuity Plan testing today and you will have a guarantee on:
Reputational management,
Proper emergency response to minimize loss of life,
Knowledge and understanding of your risks,
Assembling all the departments to speak with one voice,
Planning your supplier change management effectively,
Developing incident communication protocols for outsourced services,
Managing crises by taking ownership, apologising, and committing to actively changing to better manage your risks,
Ensuring your recovery procedure for technology services speaks to your promise to the customer,
And lastly, developing a cyber-response strategy or acquiring cyberattack insurance.
In conclusion, the entire BCP process should be tested to confirm that all necessary procedures have been successfully implemented for all key services. The BCP process is a critical function that involves many different personnel and departments over multiple phases. For the BCP process to be successful, it should include participation from all levels of the organization, including the board of directors, senior management, business and technology managers, and all other staff.
“Together We Work Smart”