Can Your Business Continuity Plan Survive Today’s New Threats?

Business continuity expert Bob Clark joins Danielle Ricci, Vice President of Marketing for AlertFind, to talk about how companies can improve their business continuity programs and the core elements every organization needs to have.

In our upcoming webinar, he’ll discuss how business continuity planning is evolving and the new threats that business needs to consider.

Here are some highlights from their conversation:

Join Bob and Danielle as they discuss how companies can build a solid foundation for their business continuity program in our new webinar, “No Threat Too Large Or Small: Business Continuity Planning For Today’s Risks,” at 11 a.m. EDT on Thursday, Aug. 9.

Danielle Ricci: Let’s start by talking about how business continuity is evolving.

Bob Clark: To do this, you have to look at how business continuity got started. The Business Continuity Institute and the Disaster Recovery Institute International started in the late 1980s, early 1990s, but it wasn’t until Sept. 11, 2001, that we really started to develop business continuity standards.

We had no standards that businesses could adhere to. Sept. 11 was the wake-up call to say, "We've got to do something about this." The collateral from Sept. 11 in terms of lost jobs was something like 600,000.

It wasn't just one industry; it was obviously multiple industries. Tourism, in particular, suffered.

We started to see standards appear, the first of which was PAS 56 - Publicly Available Specification Number 56. Other standards followed and have continued to evolve.

The advantage of having a standard is that you can be audited as an organization. In the same way people want to see that quality management is up to scratch, they can do the same with business continuity.

So in a sense, we're starting to self-regulate. We're seeing questions about business continuity as part of contract bids, and also when it comes to insurance. Now, if you're an organization with an accredited business continuity plan, a lot of insurance companies will look upon that more favorably from an underwriting perspective.

A lot of organizations will go through the process of creating a strategic plan, a budget or a marketing plan, but they don't remember or can't be bothered to put together a plan to deal with serious incidents that could place the organization in jeopardy. So while they’re thinking about how can we grow our business, how can we sustain our business, etc., they don't give much thought to what are we going to do to stop our business collapsing if something goes wrong.

Like gardening, business continuity is cyclic. It’s not a case of when do we start, when do we finish, because it’s a continuous improvement exercise.

Danielle Ricci: How is the emergence of these new threats affecting the business continuity process?

Bob Clark: You're going to see new risks come in. You're going to see other risks that are less critical than they used to be.

Take cyber threats. They have evolved over the last 20 or so years. Another threat that is getting more serious is poor air quality. Now, obviously, it's worse in a lot of Asian countries and African countries, but nevertheless, it's still posing a problem. So unless we get a hold of the causes of pollution, we’re going to see more issues.

So what we can see is the things that have crept up on us over the last few years, the things that are threatening to hit us in the future on the threat horizon, if you like, plus all the things that are already here.

If it’s an organization which is new to business continuity, they need to focus on the here and now, and once they have become comfortable and competent in managing that from the business continuity perspective, then look at threat horizons - what's coming in a year's time, what's coming in five years' time, and so on - and put that all into perspective.

Consider the evolution of the threats. Take terrorism. Terrorism has been around forever. But since former President George W. Bush declared the war on terrorism, the situation has gotten worse. If you look at the number of terrorist incidents that occurred since 2012, they have gone through the roof.

Danielle Ricci: What principles do business continuity managers need to understand before starting the process?

Bob Clark: It’s better to look at scenarios rather than individual threats. For example, how do you react if you lose your head office? That might be because it burns down. It might be because anthrax arrives in the mail and you've got to evacuate and then decontaminate. It could be because of a flood, etc. There's a whole host of things that will keep you out of an office or out of a building. What you should be asking yourself is, "How long are we going to be out of the building? A few hours? A few days? A few weeks? Forever? And how are we going to react depending on the timeframe that we believe we're facing?"

Some organizations can go over the top and try to come up with a plan for every threat, and they don't always need to. If they've identified a particular threat that poses a threat to their business then they should create a plan.

It's really a case of getting organizations to learn how to walk, then run, when they're new to business continuity. Or if they've got some understanding of business continuity, then try and keep it as simple as possible. And this is one way of doing it.

Look at things from a scenario perspective rather than a plan for every possible eventuality. You can't do that. I've never come across an organization, including the likes of IBM and other major corporations, that has covered every option. It's just not possible.

Danielle Ricci: How do you, as a business continuity professional, start to shift from this very specific threat perspective to a scenario- or process-driven approach?

Bob Clark: If you look at this threat analysis graphic, you’ll see at the top you've got production process disruption, and below that, you've got a number of issues: human resource issues, plant equipment, single points of failure, security exposure, etc. In the middle, you've got denial of access, which is specific to a building. In this particular case, this is based on an organization that had two buildings.

I called them Building A and Building B. The denial of access could be caused by any one of the reasons that you see below: a fire, a terrorist attack, a flood, an earthquake, industrial accident, exclusion zone, etc. The question you should be asking is: is it short-term, medium-term, or long-term? And you should have a different response depending on what the answer to that question is.

Your risk assessment is likely to show some of those threats are more likely to happen to your organization. If you look at human resource issues, you've got all those things that could affect it. It could be a fire that injures employees, terrorism, pandemic, etc.

All these things have a common denominator in that they’re affecting your human resources and your organization’s ability to produce goods or services.

So you address it by saying, "So what are we going to do if the power goes off? What are we going to do if there's some malicious damage? What are we going to do if there's a cyber attack?"

Then you find that your plan is simplified because you're not trying to come up with plan A, plan B, plan C, plan D, plan E to reflect every possible risk.

Danielle Ricci: So what are the core elements of a business continuity plan that businesses need to put in place to support this scenario-based approach?

Bob Clark: First, you need to undertake a risk assessment. There may be scores of threats that you're considering. In this particular threat analysis diagram there are red ones and others are amber. The red ones are the ones that are considered hot items, whereas the amber ones need attention but aren’t top priority.

Some organizations already have risk management embedded. If so, use what you have. But ideally, you should have a risk register.

After all the risks are recorded, then you need to ask, "What are we going to do about this risk? Are we going to sit there and look at it?"

Then you want to map your risks into a 5 by 5 matrix, like this one in the U.K. Risk Register. The most severe and most likely risks go in the upper right corner. The less severe and less likely risks are in the lower left corner.

Danielle Ricci: So how do you put this scenario-based approach into action?

Bob Clark: For example, say there’s a fire. Your first priority is to get people out of the building. This is where we have a crossover with emergency preparedness. Business continuity isn't looking to reinvent the wheel or come up with a better way of evacuating a building. What it's looking to do is to hook into what is there.

If you find that “Oops, we don't have an emergency preparedness plan for a building evacuation,” then clearly one needs to be defined. Getting people out of the building is your first priority. Then you start looking at the questions in terms of the short-term, medium-term, long-term plan. If the building is destroyed and you're not going to be back in there for a long time, then clearly, you need a long-term contingency plan. Do you have another building that you can use? Do you have an arrangement with an office space rental company like Regus?

On the other hand, if it’s just a short-term issue where you need to be out of the building for 24 hours, then everyone goes home and comes back in tomorrow as normal. This is how you would need to react.

You also need to determine who owns the particular plan for each specific area. Now, the person that owns the denial of access plan might be the person responsible for the buildings. The person that owns the human resource issues may be the human resource or the personnel department. The person that owns the IT failure could be the IT manager or the CIO. It's not necessarily going to be the same person responsible for every plan.

Danielle Ricci: Most companies have one person or a small team in charge of business continuity. What other people and departments should they pull into the process?

Bob Clark: Clearly there needs to be a reporting line. You will have an incident or crisis management team set up which, depending on how big or small the organization is, will handle the incidents. You would obviously need regular updates on the status of the incident resolution. You let the people that are best positioned and have the appropriate experience and the skillset sort out whatever the problem is. And sometimes that could mean bringing in external expertise. Sometimes you can deal with it in-house. It depends entirely on what the issue is.

There is no one-size-fits-all, in terms of who needs to be involved in defining the process and implementing the plan. Each organization needs to ask, "What is the scope of what we're trying to achieve?" "Are we looking to roll business continuity across the whole organization or are we just going to look at part of it?"

If we’re not worrying about back office functions, then we don't need to include those people. If we're not worrying about these products or these services, then we don't need to include those people. Conversely, you can say, "These are the things that we want to focus on. We need to bring in the expertise from the business to talk about the products, the services, the processes and obviously, contribute toward the business continuity plan."

You need someone to be leading it from the business continuity perspective and that individual needs to be empowered by someone who is sitting on the board. If there’s no upper level support, then I'm afraid you're wasting your time because if the board do not have visibility, or if the board are not interested in it, then it doesn't matter how dedicated people are at a lower level, it's not going to happen.

You’re also going to need IT to be involved. They may produce their own plan for how to recover from a disaster which affects IT, but they still need to be working to the same parameters that the business is.

They need to answer questions like “How quickly do we need to have this system up and running?” Their plan is going to be driven by the output from the business impact analysis in the same way as business continuity strategy will be. If IT goes and does their own thing, it is quite probable they will not be in sync with what the business really needs. For example, IT could recover in two hours, but the business didn't actually need to recover for two days. So you had a very expensive IT solution which was overengineered and it was costing the company more money than they really needed to spend. You don't want to spend more money than you need to, but you need to make sure you're spending enough to be effective.

Danielle Ricci: What kind of budget do these teams need?

Bob Clark: If you approach your business continuity plan in a phased way then you can define the phases and funding needs as you go. As you’re completing the first phase, you have more information about the second phase and what it is likely to cost. When you finish the second phase, you can do that with the third phase.

So you might have an overall plan, but it's not going to have the detail until you answer all the detailed questions. Then you’ll know if you need a deluxe solution or if a cheaper, simpler solution will work. Each organization needs to go through the pain of working out which way they want to go.

Danielle Ricci: So what’s the next element in your business continuity process?

Bob Clark: Next you need to look at your business impact analysis. This tells you which of your processes, which of your services, which of your products are at risk from the various threats that you've analyzed.

It's part of the overall process of analysis, which is your business impact analysis and your risk assessment combined, so that you can say, "Well, these are the things that are important to us. And these are how quickly we need to recover them in the event of an interruption to the business. And these are the risks that really caught our attention that we need to be looking at and see if we can do something about it from the mitigational contingency perspective."

It's the combination of those two things which puts you in a better position to make business decisions. So if someone says to you, "Why did you do that?" you’ve got the supporting rationale for your choice. The business impact analysis and the risk assessment are key to that.

Danielle Ricci: What role does governance play in the process?

Bob Clark: Business continuity needs to become part of the culture. There's no point in having the world's best business continuity plan if no one knows what's in it and what their part in the whole process is. That is really about your governance from the management point of view, from the policy point of view, from the awareness point of view, which takes us to what would be referred to as the technical professional practices within business continuity.

First you have the analysis, made up of the business impact analysis and risk assessment. Second, you look at your strategies. What are you going to do? Third is writing your business continuity plan, which defines how you’re going to do it. Then the final stage is validation, which can include exercises, drills, discussions, etc.

You have to make sure you have the foundational pieces correct or the whole plan is useless.
