Being able to evolve in an uncertain world is a condition of survival. It pushes companies to develop or revise their Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) in order to reach an appropriate level of resilience.
Definition of the Business Continuity Plan: BCP goes far beyond IT
BCP (Business Continuity Plan) and DRP (Disaster Recovery Plan) projects are often approached as IT-only projects. They must in fact cover all the activities and processes that make up the company's business: IT systems, but also energy suppliers, logistics, and premises where employees can resume work if the company's own are no longer accessible or usable.
Business Continuity Plan (BCP) : a proven concept for companies
The concept of business continuity is a proven one. It appeared in the 1980s in the form of disaster recovery plans, which addressed only part of the problem: efforts focused mainly on IT, with the aim of guaranteeing the availability of systems or restoring them quickly after an incident. The scope was subsequently broadened with the publication of the BS 25999 standard and then of ISO 22301, against which organisations can be certified. Business continuity projects now cover a broad spectrum of topics. They are driven by the board and take a holistic view of the business.
EBRC supports its clients with the aim of making them more cyber-resilient. As such, business continuity is one of its main areas of expertise.
5 rules for building a business continuity plan
Rule No. 1: Start from the business to assess the impacts
The analysis must start from the business and take into account every factor that can affect its smooth running. These issues go far beyond systems management: first identify the activities that are essential to the organisation and gain a better understanding of its processes, then carry out an impact analysis. It is important to understand what the effects of stopping a critical process would be, both over time and across the business.
This first step is the Business Impact Analysis (BIA). It can only be done through an in-depth study of every department in the organisation, identifying the activities undertaken and how each one is involved in the procedures.
Rule No. 2: Identify critical activities and assess the level of tolerance for interruption
Through interviews, identify the critical activities and their interdependencies with other departments and with external stakeholders. Challenge the teams in each department and management team. Using a framework built on our experience and on recognised good practice, assess the effects of a business interruption on each team against criteria such as the Recovery Time Objective (RTO, the target time within which an activity must be resumed), the Recovery Point Objective (RPO, the maximum tolerable data loss, expressed as the interval between the last usable copy of the data and the incident), the Maximum Acceptable Outage (MAO, the duration of interruption beyond which the impact becomes unacceptable; the RTO must therefore be shorter than the MAO) and the Minimum Business Continuity Objective (MBCO, the minimum level of service to be maintained during a disruption). These indicators show what level of interruption is acceptable for each department; they must then be compared with what IT can actually deliver for the various components of the business.
Rule No. 3: Align the needs to serve the business
Because perceptions of what is acceptable differ from one department to another, one of the objectives is to reconcile these views with the real needs of the business. In most cases, arbitration takes place at the top of the company, and often only top management can decide on the risks involved. Management typically decides on the basis of the exposure it is prepared to accept in the event of a major incident, which depends on the company's sector of activity and its customers. To obtain business continuity certification, it is essential to reconcile all the teams' needs around each critical process.
Rule No. 4: Evaluate processes to select the best solutions
The Business Impact Analysis is at the heart of any business continuity approach. It is supplemented by a risk analysis, which identifies the threats that could interrupt a critical activity and assesses the probability of each one occurring. Once a company has all of these elements, it can devise scenarios and plans for resuming activity as quickly as possible for each type of event. In practice, take each process and subject it to the threat scenario in order to decide on the solutions to put in place: relocation of employees, a plan for redeploying systems, guarantees on the restoration of telecommunication lines, and so on. Do not forget to assess the resilience of your critical suppliers.
Rule No. 5: Make it easy on yourself. Take advantage of ISO 22301 certification
ISO 22301 was developed specifically to enable organisations to embark on a continuous improvement process: it is a standardised framework that serves as a basis for such efforts. The main challenge is to better protect the activity as a whole, by gaining a better understanding of processes and risks, and to demonstrate its robustness to all stakeholders, such as clients, partners or the company's regulator. Certification is likely to reassure them and build confidence in the performance of activities. EBRC assists institutions active in the financial, banking, industrial and insurance sectors in obtaining this certification.
Finally, distinguish between risk and threat to ensure the success of your Business Continuity Plan
Many stakeholders confuse risk and threat, yet the distinction matters. A threat is a specific, identifiable event or agent: the disclosure of information, an attempt at corruption, an intrusion into computer systems or an act of terrorism. How easily a threat can affect a process depends on that process's vulnerabilities.
To assess a risk, identify the threat and estimate the probability that it will affect the process. Then assess the impact such an occurrence would have on the business, its finances, its reputation or its regulatory obligations. Combining probability and impact yields a low, medium or high level of risk. On this basis, the manager can define the objective to be reached for each risk: eliminate it, mitigate it, or accept it.
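As an added worked example (not code from the original article or from EBRC), the following Python script ties Rule No. 2 to the risk assessment above: it checks each critical activity's Business Impact Analysis entry (RTO, RPO, MAO, MBCO) for internal consistency and against what IT has actually demonstrated, then rates each identified threat by combining its likelihood with the activity's impact. The activity names and figures, the 3x3 matrix thresholds, the mapping from risk level to treatment objective, and the rule that escalates a risk on an activity whose objectives are unsupported are all assumptions chosen for illustration, not a standard mapping.

```python
from __future__ import annotations
from dataclasses import dataclass

# Ordinal scale shared by likelihood and impact; the product feeds a 3x3 risk matrix (assumed).
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Activity:
    """One BIA entry for a critical activity. Durations in hours, MBCO as a percentage of normal service."""
    name: str
    rto: float        # Recovery Time Objective: target time to resume the activity
    rpo: float        # Recovery Point Objective: maximum tolerable data loss, as an interval of time
    mao: float        # Maximum Acceptable Outage: beyond this, the impact becomes unacceptable
    mbco: int         # Minimum Business Continuity Objective: service level required during disruption
    impact: str       # business impact of an interruption, "low" | "medium" | "high"


@dataclass(frozen=True)
class Capability:
    """What IT can actually deliver for that activity today, measured rather than promised."""
    name: str
    backup_interval: float   # hours between backups: the best achievable RPO
    tested_recovery: float   # hours measured in the last recovery exercise: the demonstrated RTO
    fallback_capacity: int   # percentage of normal service the fallback platform sustains


@dataclass(frozen=True)
class Threat:
    """A specific, identifiable event that could interrupt an activity."""
    description: str
    activity: str
    likelihood: str   # "low" | "medium" | "high"


def objective_gaps(act: Activity, cap: Capability) -> list[str]:
    """Findings where the stated objectives are inconsistent or not supported by IT capability."""
    gaps = []
    if act.rto > act.mao:
        gaps.append(f"RTO {act.rto}h exceeds MAO {act.mao}h: the target itself is unacceptable")
    if cap.tested_recovery > act.rto:
        gaps.append(f"tested recovery {cap.tested_recovery}h exceeds RTO {act.rto}h")
    if cap.backup_interval > act.rpo:
        gaps.append(f"backup interval {cap.backup_interval}h exceeds RPO {act.rpo}h")
    if cap.fallback_capacity < act.mbco:
        gaps.append(f"fallback capacity {cap.fallback_capacity}% is below MBCO {act.mbco}%")
    return gaps


def risk_level(likelihood: str, impact: str) -> str:
    """3x3 matrix: product 1-2 -> low, 3-4 -> medium, 6-9 -> high (assumed thresholds)."""
    score = LEVELS[likelihood] * LEVELS[impact]
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def treatment(level: str) -> str:
    """Objective the manager sets for each risk level (assumed policy, not a standard mapping)."""
    return {"high": "eliminate", "medium": "mitigate", "low": "accept"}[level]


def assess(activities, capabilities, threats) -> dict:
    """Combine the BIA (impact, objectives) with the risk analysis (threat likelihood)."""
    caps = {c.name: c for c in capabilities}
    report = {}
    for act in activities:
        gaps = objective_gaps(act, caps[act.name])
        rated = []
        for t in threats:
            if t.activity != act.name:
                continue
            level = risk_level(t.likelihood, act.impact)
            # Assumed rule: an unsupported recovery objective means an interruption would
            # overrun the MAO, so the risk is rated at least medium and cannot be silently accepted.
            if gaps and level == "low":
                level = "medium"
            rated.append((t.description, level, treatment(level)))
        report[act.name] = {"gaps": gaps, "risks": rated}
    return report


# Constructed sample input for illustration, not data from the original article.
ACTIVITIES = [
    Activity("payment processing", rto=4, rpo=0.25, mao=8, mbco=50, impact="high"),
    Activity("internal reporting", rto=72, rpo=24, mao=48, mbco=20, impact="low"),
]
CAPABILITIES = [
    Capability("payment processing", backup_interval=1, tested_recovery=6, fallback_capacity=60),
    Capability("internal reporting", backup_interval=24, tested_recovery=12, fallback_capacity=30),
]
THREATS = [
    Threat("ransomware on core systems", "payment processing", "medium"),
    Threat("loss of primary data centre", "payment processing", "low"),
    Threat("loss of primary data centre", "internal reporting", "low"),
]

if __name__ == "__main__":
    for name, entry in assess(ACTIVITIES, CAPABILITIES, THREATS).items():
        print(name)
        for gap in entry["gaps"]:
            print("  gap:", gap)
        for description, level, action in entry["risks"]:
            print(f"  {description}: {level} -> {action}")
```

With the constructed figures, payment processing has two gaps (backups and tested recovery both lag the objectives) and internal reporting has an RTO longer than its MAO, which is a contradiction the BIA workshop should resolve before any solution is chosen. The point of the measured capability fields is the one the article makes in Rule No. 2: a department's stated RTO and RPO are only meaningful once compared with what IT has actually demonstrated in a recovery exercise.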
Where do you stand in your company's resilience framework? How do you stand in relation to what ISO 22301 recommends?
Are you sufficiently prepared?
Assess your maturity level in less than 15 minutes and receive your personalised report.
Ask our experts for advice on the approach to adopt.