How to create a business continuity plan
Having a plan can mean the difference between recovery and disaster
While everyone would like to believe their organisation will never run into a disaster, it's essential to plan for it so that your business can come out on the other side - and with our IT architectures becoming more and more complex, it's especially important to have a business continuity plan.
A business continuity plan is a document outlining a business' operations in the event of a disruption such as a data breach or outage.
More than just a plan for getting IT systems back up, it includes contingencies for every aspect of the business that could be affected, with the aim of keeping the entire ecosystem of critical business functions working. This might include checklists, contact information for plan administrators and backup providers, and steps for short- versus long-term outages.
You will also want to consider having plans for various types of disruptions. The pandemic is one major disruption that comes to mind, and the probability of further pandemics is only increasing. Despite 61% of UK organisations having a business continuity plan in place pre-pandemic, only a third of all organisations had a pandemic-specific plan, meaning many businesses ground to a halt and suffered loss of revenue and/or data breaches.
Even small disruptions can have a costly effect, so having a plan in place can mitigate loss of revenue.
Why have a business continuity plan?
There are a wide range of reasons why an organisation should have a business continuity plan put in place.
Firstly, it is a communication tool. Having a plan in place means that everyone will know what to do in an emergency. In a disaster, if someone doesn't know what role they need to play, the risks aren't going to be mitigated.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
Secondly, it means that your organisation is proactive. When disaster strikes, people will know what to do instead of trying to figure out things as they go along. This also helps manage any negative impact on the company's reputation; it may be difficult to avoid data breaches entirely, but demonstrating preparedness will make clients more understanding.
Thirdly, having a plan means that you have a good chance of recovering from disaster. When you protect mission-critical parts of a business, there is a good chance of survival and staff morale will be higher for it.
Not only does having a plan increase your chances of recovering from an incident, but it also reduces the likelihood of you having another one. Businesses that don't have a business continuity plan are 32.3% likely to have a data breach at some point over the next two years, but this falls to 23.4% for businesses with a plan, according to the Ponemon Institute.
Finally, a business continuity plan can reduce the time it takes to identify and contain the data breach incident, especially if staff have a structured plan to follow. It significantly minimises disruption if teams are aware what steps they need to take to keep the business up and running.
What's in a business continuity plan?
A plan should provide a roadmap for employees so they know what to do when things go bad. Such a plan should include the following.
Threat analysis natural disasters, such as a flood can destroy IT infrastructure, while a cybersecurity hack can put your network offline but not affect personnel. Bombs could kill people and destroy equipment. It's important to cover what to do for all major possible threats.
Who's responsible when disaster strikes, an organisation should have a list of personnel to contact and what they role in a continuity plan will be. An organisation should also keep contact details of external services, such as police, fire, etc.
Plan a backup it is important to have a backup of important data offsite away from where an organisation is based. There should also be consideration given to backup power supplies. In addition to uninterruptible power supplies, one should also consider what to do if the power will be out for a considerable amount of time.
Alternative comms and operational sites if you have no telephones or internet, you need to plan how you will keep in contact with customers, employees and others. A plan should also cover how and where to set up operations in an alternative location.
Increasingly, organisations are putting in place formal disaster recovery (DR) processes as part of their business continuity plans.
A global study into DR processes in 2018 showed that 39% of companies had an automated DR process in place, up from just 16% in 2017. Using automated processes like this to get your business up and running in the event of a breach is a good way to make significant cost savings.
Managing a business continuity plan
Managing a business continuity plan means keeping it up to date, changing details to ensure they are correct. It is also important to review the impact of new processes, systems and technology on a regular basis and add these to the original plan.
Those responsible for the plan should also make sure that all employees that could be affected by a disruption to the business have read and understood the plan, what their role in the implementation is and how the plan will be executed. Even non-essential personnel should be informed about such things as building evacuation measures, as well as emergency locations.
In the event of a breach, the business continuity plan should be reviewed and adapted if necessary to further minimise disruption in the future.
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.