A Business Continuity Plan (BCP) is a “must have” for any small to medium-sized business (SMB) but it is not a “once and done” process. As a testament to this statement, Gartner published a Business Continuity Management (BCM) Program Methodology that defines five levels of maturity when it comes to developing and continually managing a business continuity program. As Gartner states, “a BCM program is not a project with a start and end date; rather, it is an ongoing program, and you cycle through each step and discipline to ensure continuous improvement and recovery effectiveness.”
According to Gartner’s methodology, any organization with its own comprehensive BCM framework in place is a Level 5 organization, whereas an organization with no BCM framework in place is a Level 1. Here are some interesting statistics that Gartner has published on how organizations at different levels of maturity cope when disaster strikes.
- 85 percent of maturity Level 1 and 58 percent of maturity Level 2 organizations either don't use a BCM methodology or have their own ad hoc approach.
- Only 13 percent of organizations with no BCM framework in place (Level 1) were able to recover all mission-critical processes according to predefined recovery objectives (see Table 1).
- 15 percent of Level 1 organizations experienced significant problems in recovering one or more mission-critical business applications (see Table 1).
- There is at least a 17 percent increase in recovery success when a BCM program methodology is used (see Table 1).
Simply having a business continuity plan in place is no guarantee that your organization can recover from a disaster. Developing the plan is only a first step, but in many cases, these plans do nothing more than collect dust. To better understand how to make your plan a successful, living document, read about the most common problems that you may have with your business continuity plan and how you can address them.
IT and the Business Are Not Aligned
You are the president of a Level 2 SMB; your organization developed a business continuity plan last year. Today, you asked for a copy of the plan to review. In reading the plan, you were surprised to see that the RTO for executive emails is 24 hours. You do not remember anyone on the team asking you about that. You and your executive team had thought that the email system would be available within four hours of a disaster. You wondered why you and other executives were not consulted and whether there are other parts of the business that have requirements that are not addressed in the scope of the business continuity plan.
First, executive management must be involved in any business continuity planning initiatives to be effective. In addition, the BCM team should include selected executives, decision makers from other departments across the business, as well as financial associates, customer service representatives, key suppliers, and IT personnel. These individuals must be actively engaged to ensure that the business continuity plans and activities are aligned with the organization’s goals. They should be able to make decisions with regard to business continuity strategies for their department as well as the business as a whole. Each member of the team must take the time to understand the operations of the organization, including its products and services and how they are delivered. With this knowledge, the team can better scope the program to ensure that the organization can recover in the event of a disaster.
The BCP is Not Tested
You asked your team for a copy of the business continuity plan test report. You discover that the plan has never been tested. An untested plan is almost as bad as having no plan at all. Without ongoing testing, there is no assurance that the plan will ensure your company recovers from a disaster.
In a recent article, Christopher Britton, Chief Operating Officer at RockDove Solutions, suggests that every plan be exercised as follows:
- A checklist review, which is a high-level check on each element of the plan, should be performed twice a year.
- An emergency drill, which requires all stakeholder participation, should be performed once a year. This reinforces each participant’s role in the event of a disaster and ensures the plan works.
- A tabletop review should be performed every other year. In this type of review, key personnel who are assigned emergency management roles and responsibilities are gathered to discuss simulated emergency situations.
- A comprehensive review should be performed every other year or when there are significant changes in the organization, such as a major IT infrastructure change, a merger, or other major change to business operations. This type of review provides the stakeholders with the opportunity to review the current plan to identify new risks and update the plan accordingly.
- A mock recovery test should be performed every two or three years. With this type of review, the plan is fully tested to identify any gaps, help employees perform their roles, and ensure that the organization can recover in accordance with planned Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
The BCP is Out of Date
Since your team developed the initial version of the business continuity plan, you realize that you have virtualized part of your IT environment and ask if the plan includes these IT infrastructure changes. You are told that the plan has not been updated.
As discussed above, your business continuity plan should be updated whenever the organization introduces a change to operations that introduces new categories of risks. Stakeholders should meet on a regular basis to discuss changes to the business that can affect the plan. For more information on this topic, refer to an Acronis article entitled “Are You Sure Your Business Continuity Plan Still Works?”
The BCP Does Not Consider Your Supply Chain
Your organization is pursuing a new contract with an important supplier so you ask your supply chain manager for a current copy of the contract under negotiation. You notice that there is no section in the contract that talks to the supplier’s Service Level Agreement (SLA) when it comes to business continuity. There is no discussion as to how and when the supplier will respond to fulfill the contract if the supplier experiences an unexpected interruption.
You review the BCP again and realize that the team did not consider the business’ supply chain in the plan. In speaking further with the supply chain manager, you realize that none of the contracts with suppliers or internal processes inside your company address the impact on SLAs when a supplier experiences a disaster. Some of these contracts are sole-sourced, which can have a major impact on your business.
The resiliency of your supply chain impacts your customers and your business. According to Gianluca Riglietti, Research Manager at the BCI and author of the BCI Supply Chain Resilience Report 2017 Launch, “Supply chain disruptions have become increasingly tough for organizations to deal with. The current threat landscape requires very high levels of preparedness, as it includes a wide range of threats such as cyber-attacks, terrorism, and natural disasters. Professionals understand this, which is reflected in the higher number of respondents (74 percent) adopting business continuity arrangements to deal with supply chain disruptions. However, there is still room for improvement, as more than one in five (22 percent) do not have full visibility of their supply chains.”
New Threats Are Not Considered in Your BCP
Your plan was developed early last year, before the WannaCry attack that impacted more than 200,000 Windows machines around the globe. In reviewing the plan, you realize there is no accommodation or mention of how your company will survive a ransomware attack. When you question your head of IT, he indicates that, at the time, ransomware was not considered a major threat to the company’s business.
You always need to update your plan to address any new risk and threat and ransomware is a good example of a new threat that can be just as destructive as the other disasters your plan already includes. According to the fifth annual Horizon Scan report published in 2016 by the Business Continuity Institute, a cyberattack remains the number 1 threat for two years in a row; 85 percent of business continuity managers that were surveyed fear the possibility of a cyberattack. And it is no wonder. According to Druva’s Annual Ransomware Report for 2017, 50 percent of organizations have been attacked multiple times by ransomware, 33 percent of attacks hit multiple servers, 70 percent of attacks hit multiple devices, and 40 percent of attacks took longer than two hours to detect.
For all of these reasons, it is important that your business continuity and disaster recovery plans have a strong focus on cybersecurity so you can be sure your organization survives an attack and can do so quickly. Do not rely on getting your data back by paying the ransom. According to ZDNet, one in five users who paid the ransom did not get their data back. You must have a defense-in-depth strategy to protect your organization from ransomware attacks, including anti-malware software, firewalls, data encryption, full system backups, and active protection.
While cybersecurity and ransomware attacks are relatively new threats, the same report published by the Business Continuity Institute demonstrated that business continuity managers are concerned over the availability of other new threats. For the first time, “talent and key skills” entered the top 10 business continuity threats with 13 percent of respondents indicating they are “extremely concerned” and 34 percent “concerned” about the threat. “Health and safety incidents” were also included in the top 10 list for the first time as well.
By 2019, Gartner predicts that 35 percent of organizations with BCM programs that lack maturity will endure major problems recovering one or more mission critical business processes. This is a 17 percent increase compared to 2015. Furthermore, 39 percent of organizations that developed their own comprehensive BCM framework (Level 5) recovered all mission-critical business processes with only minor problems, or according to expected RTOs and RPOs.
A study by Travelers Insurance found that 48 percent of small businesses are operating without any type of business continuity plan, yet 95 percent indicated they felt they were prepared. These are some frightening statistics.
If your BCP sits on a shelf collecting dust, you have a high probability of joining the ranks of a “business out of business” if disaster strikes.