It is standard business practice for organizations to have a contingency plan after acknowledging the various threats and risks that it faces.
Having a plan in place, however, is not enough. The organization must periodically update the plan, test how well it works, communicate it to stakeholders, and ensure that people have the capability to implement in the event it needs to be set in motion.
The common first step is to identify potential risks. A typical manufacturing company, for instance, likely faces the following risks:
- Information systems vulnerabilities. Hackers will use vulnerabilities in enterprise information systems to gain unauthorized access to the system. A manufacturing company’s crown jewel in terms of data, for instance, would likely be in the form of design specifications, product pricing information, customer data and employee data.
- Malware. Viruses, Trojans and Worms can cause information system destruction, data exfiltration and extortion. Hackers use custom-developed software which exploit vulnerabilities and misconfigurations.
- Legal risks. Does the company do considerable business in other places – in EU, for instance, with stringent rules? The likelihood and severity of the risk are high, especially since fines and other sanctions for violators could be damaging to the firm’s ability to conduct business in a certain area.
- Natural Disasters. Data stored on enterprise information systems are always at risk in the event of earthquakes, wildfires, tornadoes and flooding. Likelihood of occurrence may be low but the impact, should it happen, is severe and potentially life changing.
- Manufacturing uncertainties. There are times when raw materials needed for the manufacture of equipment are not available. This adversely affects assembly line operations.
- Power loss. Power loss may come from scheduled outages, accidental damage or force of nature. Do the company’s data centers have access issues to reliable power?
- Cloud services misconfigurations. This is a risk that is dependent on the human factor – specifically, internal technical staff members and external contractors tasked to configuring the company’s cloud resources.
- Equipment loss/ theft. Loss or theft can result in the exposure of sensitive business intellectual property. Employees and contractors may lose resources, and criminals may target such assets. IT equipment is always an attractive target. And should the sensitive intellectual property be exposed, the company stands to be less competitive.
Notwithstanding the safeguards that have been put in anticipation of these risks, the possibility of a disaster cannot be fully discounted. A BCP Team – a composite of the business’ stakeholders – has the primary responsibility of putting in place a business continuity plan so that the company could continue to function after a contingency event, and revert to normal operations at the soonest possible time.
The BCP should:
- Support the current risk decisions of the company;
- Not introduce new risks;
- Provide options for relocation or telework in the event of disasters;
- Establish a succession plan such that there is no confusion on who takes key executive leadership roles if team members or leaders become unavailable or incapacitated;
- Identify the source of funds with which to execute contingency measures;
- Determine the roles and hierarchy for the implementation of the plan, from a technical (not organizational) perspective.
A living document
While the BCP is developed prior to any contingency event and lays down what who will do in such situations, it is never a static document that is bound and kept on drawers, only to be pulled out in the case of a contingency event.
Instead, the BCP must contain guidelines on its own periodic update, based on changes due to deficiencies discovered or to newly implemented technology.
The plan should be periodically tested to ensure it takes necessary and current business concerns into account. Along with the testing come fault discovery and mitigation. A repeatable change control process ensures that BCP errors are corrected and new systems changes are properly documented.
Finally, the plan should also establish how it will be communicated among various stakeholders so that everyone knows his or her role.
The crafting process
The most important thing in developing a BCP is involving the stakeholders in determining the kind of plan you want to develop. Is it something at the enterprise level, or something at the individual information system? If it is the former, then it is absolutely necessary to involve your senior leaders for their perspective on what would spell disaster for the business, and what is critical to keep it running in the event of disaster.
Once senior leadership has defined what it means to keep the organization running, the plans for each business unit should also be developed.
You go through tabletop exercises when validating the steps in the plan you are making with the various units, until you get a functioning continuity program. Once you have that, you make sure that everyone who has a role in the plan understands his role. You give proper training so everyone has the tools he needs to carry out the plan in appropriate places.
Just as important is working with your finance units so you can make sure that in the aftermath of a disaster, there will be funds available. If there is something you need to buy, or to keep the business running, contingency funds would be there. You have to have a figure – with X number of dollars, the company would still continue to function.
For the information side, you have to determine support, restoration, evaluation and testing to ensure that your plan would be workable even if one of your locations becomes non-functional.
Your worst enemy
Still, a plan is just that – a plan, and the challenge is making it work in the unfortunate event that a disaster actually strikes.
In the course of my career I have been involved in implementing continuity plans, and what I have learned to be universally true is that problems arise when people panic and end up not following the plan altogether.
Remember, if you think you have done a good job at having a sound business continuity plan, then your best bet is to follow the steps you developed when you were not panicking. Bear in mind that the plan you now have was well thought out and was successfully tested and verified. You know that it works.
The worst I have seen is when people panicked, didn’t follow the plan they worked so hard at developing, and believed they could just sort of wing it. So my advice is, don’t even think you can wing it – stick to the plan, and you should be fine.