Christophe Ruppert, Business Continuity Management - Practice Lead, EBRC

By Sébastien Lambotte for EBRC

Companies have to consider a business-based approach so that the continuity and recovery of their activities may be ensured, should they be impacted by a disaster situation; the Business Impact Analysis (BIA) is therefore crucial. This analysis is a fundamental prerequisite to get ISO 22301 certified (related to the Business Continuity management systems). Interview with Christophe Ruppert, Senior Consultant, Lead Implementer & Lead Auditor ISO 22301, Business Continuity Management Practice Lead at EBRC.

Business Continuity is a proven concept. When it first appeared in the 1980’s, it addressed some of the issues surrounding disaster recovery plans. Efforts in this regard mainly focused on IT, with the aim of guaranteeing system availability or enabling them to recover quickly after an incident. It is only recently, since the beginning of this decade, that the concept has been extended with the publication of the BS 25999 standard and the creation of the ISO 22301 certification. “The scope of business continuity is now wider. Projects are carried by the Board based on a holistic business approach”, said Christophe Ruppert. EBRC, as a business continuity expert, supports its customers, with the aim of improving their cyber-resilience.

Rule 1: Consider the business to assess the risks

Considering the business is a prerequisite to get a global analysis of what may impact the proper running of the company, said Christophe Ruppert. The stakes are higher than the system management. First, the core activities have to be identified through a better understanding of the processes, after what a business impact analysis can be carried out. It is important to get what may the impacts be in the long run and on the whole business, should a critical process stop.

This first step is the Business Impact Analysis. It can only be carried out with in-depth knowledge of the organisation and its departments in order to identify the various activities and how each employee is involved in the processes.

Rule 2: Identify critical activities and assess the tolerance level for interruption

Lead interviews to identify the critical activities, the interdependencies between the departments or with external stakeholders, said Christophe Ruppert. Challenge the teams in each and every department, with each and every manager. Define a framework based on our experience and recognised best practices so that the consequences of a business interruption can be evaluated for each team/department with various criteria such as Recovery Time Objective (RTO), Recovery Point Objective (RPO), Maximum Acceptable Outage (MAO) and Minimum Business Continuity Objective (MBCO). Thanks to these indicators, we can define what can be accepted by each department in terms of interruption, so that we know in the end how IT is able to support business.

Rule 3: Have the needs match the business

From one department to another, what is acceptable can be different, therefore everything will have to be compared and matched with the actual business needs. “In most cases, decisions are made by the Top Management, as it is the only body with sufficient knowledge of risks. In the event of a major incident, the Management often rationalises and makes decisions based on the acceptable level of business exposure, which is also the exposure level of the industry and its customers, said Christophe Ruppert. All the needs of every team have to be considered when building the critical process in order to obtain a business continuity certification.

Rule 4: Assess the processes to identify the best solutions

The Business Impact Analysis is at the heart of the stakes of business continuity. It is completed with a risk analysis which involves identifying threats that may interrupt a critical activity and assessing their occurrence probability. “Based on this information, crisis scenarii and business recovery plans can be built to be up and running in the shortest delay. Let’s take the processes, compare them to the threat in order to get the best recovery solutions like in case of employees’ relocation or telecommunication restore, and all the while assessing the resilience of your critical suppliers”, advised Christophe Ruppert.

Rule 5: Make things easier for yourself. Make use of ISO 22301 certification

ISO 22301 certification was specifically developed to enable organisations to benefit from continuous improvement: it is the perfect framework to start implementing business continuity activities. “The challenge is to improve the global business protection by a higher understanding of the processes and risks, and to ensure the business is solid with all stakeholders such as the customers, the partners, and the business regulator, said Christophe Ruppert. Such a certification is reassuring and helps reinforcing trust in business continuity” EBRC provides support to institutions in the finance, banking, industrial and insurance sectors to help them get ISO 22301 certified.

Make the difference between risk and threat

Many stakeholders mix up risk and threat, yet it is crucial to make the difference between both concepts. A threat is a perfectly identifiable occurrence. It can be disclosure of information, a corruption attempt, intrusion in IT systems or a terrorist act. The threat can easily affect one or more processes, depending on their vulnerability.

Assessing a risk requires the threat to be identified and its probability defined. It is also necessary to assess the impact of its likely occurrence on the business, financial resources, reputation, or with respect to regulatory requirements. The assessment helps identifying whether the risk is low, medium, or high. Using this information and these indicators, the management will be able to make a decision: eliminating, mitigating or accepting the risk.