Today most organisations have a business continuity plan (BCP) and/or disaster recovery plan (DRP) in place to comply with regulators, maintain their core business processes and assure that normal activities can be resumed as quickly as possible in the event of an incident, writes Sofiane Chafai.
But the plan is only the first step. A strong and valid business continuity model, complete with performance criteria and supporting management systems, is required to assure a workable roadmap to recovery.
An immediate step for all organisations in assuring a valid business continuity model is to test the plan and identify areas where improvements may be needed. Conducting simulation tests, such as walk-through testing within a disaster scenario, is most effective.
The second step is to review the company risk register and update it, if needed, to ensure the risks covered are current. Take a good look at risks related to new and developing threat areas, such as climate change, civil unrest, cyber attacks and pandemic diseases.
Third, assess outsourced operations. Do the service level agreements with vendors ensure contingency resources if requested?
In practice, organisations should not have to start from scratch in assuring a model to support the plan. And they can outline a roadmap for the inclusion of missing items over time. Overall the following considerations are a must:
- People are key. Organisations should have a staff mobility and job rotation programme. They should review key functions and ensure there is a clear succession plan with a training and hiring plan to support sudden vacancies. Job descriptions must be clear and up to date. With people possibly needing to travel to alternate sites during a crisis, some personal considerations may need to be discussed, such as whether individuals are willing to travel.
- Empower a crisis management team with the capability and authority to make decisions and invoke the BCP.
- Develop training and awareness programmes and audit performance to ensure compliance as well as capability.
- Ensure the ability to finance the BCP. It must be included in the company reserves, with estimated budgets reviewed and kept up to date.
- Think about technology that can improve the model by reducing costs and/or recovery times during a crisis. One of the best recent examples is the development of virtualisation technologies, which reduce the number of physical assets and devices needed in a disaster recovery site and generally assure that IT systems administrators can recover systems in a simple and quick manner.
- Ensure change management is embedded into the BCP lifecycle. Every major change, whether to an application or to the IT infrastructure, should have its business impact analysis (BIA) reviewed for applicability, along with its recovery time objective (RTO) and recovery point objective (RPO). This is an ongoing process that will not stop after testing.
Done properly, the development of the business continuity model is an exercise that can change the risk perception of the business. It requires support from the top level and clear reporting lines in order to avoid conflicts of interest and to be effective. This means that risk management works its way onto board meeting agendas and every corporate policy and procedure undergoes regular risk review to stay on top of changes in the organisation's risk profile. The challenge is to create a situation where people will instinctively look for risks and consider their impact prior to making decisions.
Sofiane Chafai, CISSP, is security officer at Trust Bank Algeria