Seven Steps To Create A Business Continuity Plan
Global IT provider, Eze Castle Integration, has been running an educational program for October’s ‘Cyber Security month’ and on Thursday, October 25th, hosted a webinar entitled ‘7 Steps to Create a Business Continuity Plan’. AlphaWeek is publishing edited transcripts of these webinars. The speakers are Matt Donahue, Business Continuity and Data Privacy Consultant, and Steve Banda, Senior Product Manager, Eze Castle Integration, and the webinar was moderated by Olivia Munro, Senior Marketing Specialist, Eze Castle Integration.
Why having a business continuity plan is so important
Matt Donahue: Let's start by looking at what business continuity is at a high level. It's typically documentation and resources that will help your firm respond to different types of issues that come up, whether these are outages caused by human error or failure of critical systems, to minimise the negative effects of the disruptions or those outages.
Step one is understanding the regulatory landscape that your business sits in. There are always going to be different requirements depending upon the business that you have. Some of them might be from federal bodies, some might be from an international place, some might be self-regulatory, but a lot of times, it's just good practice to have a business continuity plan, even if it's not necessarily needed from a regulatory overview; there is a lot of pressure from investors or people performing due diligence on your fund because they understand that it's important to have these things, and people might not want to work with you if you haven't focused time and effort into these.
Step two is risk assessment. Whether it's a business continuity plan or an information security plan, looking at the different risks is helpful. Evaluate your company's risks and exposures. It's not something that's supplied via a single software solution, or something that's just done through discussions; it's usually a combination of a few different things, but you want to look at the different potential impacts to the business, based on typical situations you're going to be dealing with. You have to consider people, technology, your business office location. Look for single points of failure, or your most common situations; understanding what might be critical in one unit and not for others within the organisation.
Step three is business impact analysis. This is a really helpful tool to help you understand how different business units function, what's critical to them, the different tools they use, and what their dependencies are. When you're carrying out a business impact analysis you want to look at critical applications, their critical functions, when things need to be recovered by, and what the expectations are, and from whom. Trying to get the whole picture for that specific business impact analysis for each unit is important, and you want to try to pull those all together to understand that what might be important for operations and finance is not that valuable from an accounting standpoint, for example. When you can put all of this information together, alongside the risk assessment and the business impact analysis, it helps to guide you to identifying some gaps that you can incorporate into the plan.
Steve Banda: Once the risk assessment and the business impact assessment are completed, it's time to start to think about step four, the overall strategy. Incorporating multiple perspectives is critical to making sure that all departments have had their view considered. It's important that this doesn't mean a strategy for each separate department, but that all departments' views are mapped to the overall holistic strategy of the company and what's important to the organisation. Ensuring that all stakeholders have an input is critical. This information has to be available and easily accessible by your staff, especially when there's a disaster. Ensuring that this information is stored safely and reliably on an ongoing basis is essential; some sort of offsite, secure cloud web repository could be employed here, and then ensuring that you can get it when you need it. Finally, we really do recommend that you have an executive sign off on the overall plan to give it credibility and prove buy-in.
Step five is creating an incident response plan. We often see plans that are light in nature, but the key is to ensure that the plans are realistic for your firm specifically and that your vendors and your customers that have a stake are accounted for. When creating an incident response plan, you want to involve internal parties like IT and HR as well as your external parties. The guiding light will be understanding what the impact on your customer base is. I think it's important to mention that you shouldn't hesitate to talk to your vendors and see how they're going to respond to incidents that might come up. Incorporating an outside perspective from outside counsel is also very important as it can act as a due diligence of sorts on your own policies. The last point I'd like to make is that I think that having these conversations well ahead of time is critical, because meeting your expectations of how the plan will impact how successful your response is requires proper planning in advance.
Step six is the planning, testing, training, and maintenance of your plan. Incorporating a tabletop exercise element is key so you can practice what is in the plan. Employee training sessions should be held annually, but how you train – whether it's in person or remote sessions – is less important than the fact that you're covering the specific policies and procedures laid out by your firm. We often provide quick reference cards for employees so that they have information readily available when they walk out of a training session. An annual review of your BCP will help ensure that as things change, your plan changes, making it a living document. Keeping this as part of your culture is important to ensure that the business continuity element is a foundation to your overall practice.
Matt Donahue: The final step is step seven, communication. Communication is always something that can be improved upon, and that means how you communicate internally – not just from the management down, but truly how communication flows within your organisation – and externally, whether it be to the general public, whether it be to different regulators, whether it be to investors or vendors or third parties. You need to make sure that the appropriate communications are approved so that people are not just answering questions based upon their best knowledge. These are the areas where people can get in trouble, and consequently reputational and PR issues can arise. Make sure that you have a strong communications plan that is well practised based on different situations, both internally and externally with your vendors.
Matt Donahue and Steve Banda were talking to Olivia Munro, Senior Marketing Specialist, Eze Castle Integration.
Eze Castle Integration has also produced an e-book on creating a Business Continuity Plan, which is available for download.
© The Sortino Group Ltd