Business continuity best practice implementation is top of the to-do list in 2021 for organisations aiming to draw on the experiences of 2020. The significant human, financial, legal and reputational impacts of business interruption have become more apparent than ever as organisations analyse where they could have done better to maintain operations as the pandemic unfolded.
Insulating the business from the impact of unplanned outages and extreme events is a complex undertaking in today’s highly interconnected digital corporate ecosystems. Business-critical services may be delivered by third parties, which in turn rely on fourth parties to stay operational.
This means the exercise of identifying vulnerabilities that could impact the organisation extends well beyond the four walls of the business.
Every crisis is different, from the ever-present threat of destructive cyberattacks to the disruptive impact of climate change-induced weather events on supply chains. Still, core business continuity best practices and principles exist that organisations can adopt to improve their preparedness when the unexpected happens.
1) Make Business Continuity Strategic Board Business
Business continuity planning may be top of mind right now for obvious reasons, but this hasn’t always been the case. It has historically been viewed more as “insurance” against infrequent events rather than a strategic differentiator. However, recent experience has amply demonstrated that business resilience and the ability to absorb the impact of disruption rapidly should be subject to board oversight and evaluation.
The board must not stray into management territory when it comes to business continuity, however. Best practice dictates that the board evaluates and challenges the organisation’s business continuity management programme, particularly relating to the company’s risk appetite, at least annually. Our recent blog has more on the role of the board in business continuity planning.
2) Place Technology Front and Centre as Both a Risk and Recovery Resource
In a digital-centric world, technology is undoubtedly a source of risk in business continuity – a technology interruption can constitute an immediate threat to the ability of the business to operate. However, it is also the route to resilience, as evidenced by the rapid shift to remote working seen in spring 2020.
Consequently, a comprehensive back-up and disaster recovery programme for corporate IT systems is table stakes in continuity planning. The ability to restore access to data and applications with minimum physical intervention is critical, and automation is vital to avoid the problems that arise when key personnel are out of position or unable to access sites in person. IT teams should be able to activate back-up and disaster recovery protocols remotely.
Data centre location is also an important consideration. If a back-up data centre is located too close to the primary data centre, any localised event such as an extreme storm could impact both sites, preventing failover to the back-up site.
3) Prioritise Mobility and Explore Process Alternatives
2020 brought home the true value of mobility and remote working as the foundation of business continuity. Organisations must continue to invest in secure, mobile infrastructure, technology and processes to maintain productivity and decision-making when disruption strikes.
The pandemic challenges have encouraged businesses that had been slow to adopt digital processes to accelerate their plans. When adding new capabilities, their potential to support the business during disruption should also be explored. Examples we’ve noted include the switch to digital signatures for authorising board resolutions and the use of secure board communication channels that operate independently of the corporate network.
Finding and documenting alternatives to standard communications channels should be considered part of planning to preserve business continuity.
4) Extend Best Practice Business Continuity Principles Throughout the Corporate Ecosystem
Modern businesses are not islands of self-sufficiency. Instead they are highly interconnected entities with deep interdependencies with third-party vendors who provide everything from mission-critical IT systems to raw materials for products. Every supplier relationship and the risk it poses to business continuity if the supplier is disrupted must be understood. What stresses are suppliers experiencing, and how resilient are your partners when they are under pressure?
For example, a hurricane in the Philippines may not directly affect your organisation, but if a business in that country is the sole supplier of a key product component, manufacturing disruption might severely impact your ability to meet customer demand.
Supply chains were hit hard during COVID-19, and businesses operating on a just-in-time basis found that they lacked resilience when subjected to stress. As a result, many are now considering the need to diversify suppliers to reduce risk and, potentially, find a broader base of partners closer to home.
Third-party vendors should be subjected to rigorous due diligence at the start of the relationship and regularly monitored as new risks emerge. What are their own business continuity plans, and are they sufficient to protect your business?
5) Monitor Data Risk Across the Digital Environment
Data is the lifeblood of modern commerce and is both an organisation’s biggest asset and significant risk. For organisations to continue to function, two steps are essential. Firstly, corporate data must continue to flow. Secondly, and even more crucially, this data must be protected and managed in a way that is compliant with data protection regulations.
These steps apply both to in-house systems, which should be protected by rigorous back-up and recovery programmes, and to infrastructure and applications provided by third parties. Suppose a third-party technology supplier suddenly has to switch to remote working, for example. What procedures and policies are in place to ensure that staff accessing your data from home will not put it at risk?
Again, the health of third-party technology suppliers should be regularly monitored to ensure that they are robust and resistant to disruption – including cybersecurity incidents and physical events. You should avoid high-risk suppliers and explore alternative suppliers should a critical failure with a vital partner require you to pivot to a substitute provider.
6) Create Communications Plans for Key Stakeholders
When a crisis strikes, communication is critical. If it is poorly handled, key parties may not have the information they need to maintain operations.
Best practice business continuity planning involves identifying the major stakeholder groups. The board, senior management team, employees, customers and key third-party vendors may need individual framework communication plans. A schedule of information sharing should be outlined, including what type of information should be shared with whom, in what detail, and how frequently. At the planning stage, this must necessarily be at quite a high level. Much will depend on the nature of the situation, but establishing a framework in advance can save time and set expectations.
We have witnessed the role of crisis communications during the COVID-19 pandemic. Government briefings have been regular and format-based, sharing essential information consistently. Data has also been released to the government website regularly in a bid to keep citizens informed. Official social media channels have been used to augment televised broadcasts. This structure has ensured that critical points are communicated and, while we make no comment on the messaging and strategy the government has adopted, the communications framework has been solid.
7) Map Out Important Personnel Relationships and Third-Party Contacts
When the organisation is under pressure, personal relationships come into their own. People who know one another work with improved speed and trust to achieve the necessary ends. Internally, establishing who the leading players are is relatively straightforward – it can be found on an organisational chart: the board, CEO, CISO and departmental leads should all be included.
But what about external parties? These are the emergency contacts at critical suppliers such as cloud partners, application providers, supply chain entities or law firms that may need to act when there is a threat to business continuity. If no one knows whom to contact at those suppliers, valuable time can be lost trying to find the right person.
All the key relationships and responsibilities for dealing with incidents should be documented and maintained, so current information can be accessed in seconds should it be necessary. Redundancy must also be built-in. If key personnel are unavailable, how does responsibility for decision-making cascade through the business?
8) Don’t Just Write the Plan, Test the Plan
A business continuity plan must not become shelf-ware, gathering dust during times of stability. It is a living, evolving programme that may need to be activated at any point. It must be tested, evaluated, and refined both from a technology perspective and in human terms.
IT teams should have a regular programme of back-up and disaster recovery testing that ensures the automated steps will work when they need to. Businesses that use cloud back-up and recovery can usually conduct testing without impacting the production environment.
Table-top exercises that test various scenarios with the relevant personnel are highly valuable as they often highlight gaps or grey areas where responsibilities may not be defined. Beyond that, modelling business disruption incidents helps to familiarise the team with the actions they need to take when a real incident arises. As our CISO Henry Juang put it during the Modern Governance Summit: “Building muscle memory is important. Get a plan in place and test it so if anything bad happens we’ve got a lot of the kinks ironed out ahead of time.”
Read more about maintaining a business continuity plan in our recent blog.
Making Business Continuity Planning Intrinsic To “Business as Usual”
Business interruptions may be caused by a point-in-time event, like a power outage or extreme weather incident, but what COVID-19 has taught us is that some events can come in waves. An initial crisis followed by a succession of related changes puts even the most up-to-date response plan to the test.
In 2021, business continuity planning needs to evolve even further to ensure its management, testing and refinement are conducted as part of business-as-usual operations. Crucially, this has to include the broader vendor ecosystem with monitoring to alert the business to emerging threats to business continuity.
This is a long way from seeing business continuity planning as mere “insurance”, but it is a change in mindset that will come into its own in an environment that continues to be defined by volatility and uncertainty.