Business Continuity Trends and Tactics

Christopher Horne, Assistant Vice President, IT Governance, Vendor Management, Corporate Security and Business Continuity, CIBC Mellon

Business continuity is a framework for building organizational resilience capabilities, which can safeguard the interests of the organization’s stakeholders, reputation, and value-creating activities. It focuses not only on safeguarding life and facilities, but also on maintaining continuity of critical services.

Business continuity should not be a one-time project. It should instead be constructed as an ongoing management and governance process designed to identify potential impacts and to maintain viable strategies and plans that mitigate those impacts. It should be kept vital and up-to-date with training, exercises, maintenance, and review. Collaboration is also key: business continuity processes should engage leaders and employees across an organization. A carefully considered, well-documented, and actively rehearsed business continuity regime allows an organization to provide confidence to its stakeholders that it is indeed operating within the parameters of risk and risk appetite defined by the organization.

Trends in Business Continuity

The Business Continuity Institute (BCI) is a leading international membership and certifying organization for business continuity professionals worldwide. BCI produces an annual Horizon Scan Report designed to track risks and threats to organizations through assessing perceived threats as shown by practitioners’ in-house analysis; the most recent report tracked top trends according to 568 responding organizations in 74 countries. At least half of respondents cited five trends and uncertainties:

1. Use of the internet for malicious attacks
2. Influence of social media
3. Loss of key employees
4. New regulations and increased regulatory scrutiny
5. Prevalence and high adoption of internet-dependent services

1. Use of the internet for malicious attacks

Business continuity practitioners remain concerned about the potential for damage via cyber-attacks and data breaches given the increased sophistication of hostile elements. Organizations of all sizes should place a high premium on IT governance, security, and preparation. From internal processes to vendor management, organizations should seek to remain vigilant and work to continuously improve the controls and security measures in place to protect themselves and their stakeholders.

2. Influence of social media

The growing influence of social media, especially in relation to company reputation, placed second in this year’s report with 63 percent of respondents concurring. In addition to concerns related to corporate reputation and the potential for brand damage, social media risks can include legal/regulatory compliance, security and privacy, and employee/HR issues.

3. Loss of key employees

Every business depends on key players to deliver strong results. The “human factor” (i.e. skills shortage, loss of key employees) is a key focus area for business continuity management as a field. An organization’s planning, documentation and response to an issue will significantly depend on the ability of its teams to react quickly and effectively.

4. New regulations and increased regulatory scrutiny

Across the globe, regulatory bodies continue to introduce new, expanded and evolving requirements for market participants in financial services and many other sectors. From demonstrating service continuity and stress testing to records retention, regulatory expectations continue to grow for suppliers to provide confidence to their customers that risks related to business continuity are being well managed.

5. Prevalence and high adoption of internet-dependent services

To respond to risks related to internet-enabled services such as email or cloud applications, organizations must appropriately review service providers, not only before and during vendor selection and onboarding, but also as an ongoing process. Vendors may provide assurance across many factors, such as multiple redundant/backup data centers, detailed disaster recovery/service continuity planning, and high standards for information security.

Third Party Assurance and Certification

As stakeholders seek assurance that suppliers have effective business continuity programs in place, demand has grown for frameworks through which organizations may provide formal assurance. Notably, the International Organization for Standardization (ISO) developed ISO 22301:2012, Societal security - Business continuity management systems - Requirements. ISO 22301:2012 is a management system standard, which specifies requirements to plan, establish, implement, operate, monitor, review, maintain, and continually improve a documented management system to protect against, reduce the likelihood of, prepare for, respond to, and recover from disruptive incidents when they arise. These organizations will be able to obtain accredited certification against this standard and demonstrate that they are adhering to good practice in business continuity management.

Regular Testing and Exercises

Business continuity plans are critically dependent on the ability of staff to develop, document and, most importantly, execute plans effectively. When employees know where to go and what to do, an organization can respond more effectively. Employees should also be familiar with the communications tools and the means by which they will be advised. Senior managers involved in leading the company’s response should have familiarity with the available tools and their responsibilities during an incident, helping to validate strategies as well as support enhanced response times, for example through “table-top” exercises undertaken in real time to a simulated incident.

Preparing for the Unexpected

Business continuity is about improving organizational resilience, including clearly assessing the risks, expectations and dependencies attached to key products and services. An organization should investigate, understand, and document the activities, systems, and people that help underpin critical organizational commitments. With effective business continuity plans and strategies, an organization can position itself to carry out operations during and following a crisis, and to recover quickly and effectively from any type of disruption. While no business or organization can absolutely guarantee against all potential disruptions, a strong plan, engaged employees and robust systems can help provide stability, mitigate risk, and enable an organization to best serve its stakeholders during the most challenging times.

Business Continuity Questions to Consider

• Does your organization have an active and ongoing business continuity process?
• What critical business or service commitments has your organization made to its clients and stakeholders?
• How does your organization document its business continuity plans and needs?
• How does your organization plan to communicate to its employees, clients and other stakeholders during an emergency or crisis? How would you reach people outside regular business hours?
• What are your organization’s critical dependencies, technologies, and systems?
• Who are your essential employees?
• Who are your critical vendors, and how have you worked to satisfy yourself and your own stakeholders that those vendors are prepared for a disruption?
• What regulatory, board, or stakeholder reporting requirements call for your organization to address business continuity preparations?
