Business Continuity Planning: Thoughts from a Global, High-Tech CTO
What are the three most important things to consider for business continuity planning?
1. When developing a business continuity plan, organisations need to start with an impact analysis. This informs the business continuity plan, which in turn identifies the disaster recovery plan needs, which are then underpinned by system recovery plans. Too often organisations confuse business continuity planning with disaster recovery planning. Both are important for organisations but are also only one piece of the journey, not the whole, or even the start.
2. Another important element to consider when reviewing business continuity plans is how they will be communicated. There are many audiences: employees, customers, press, etc. Communications plans need to be tailored to each audience. It’s important to establish who is empowered to communicate to whom, when, and to what level of detail. One thing I’ve learned through experience is you need to accept that rumours will happen. No matter how well you communicate, it’s natural for people to speculate and talk.
3. It’s also key to test your plan and review it often. There’s no point in having a plan if it’s not tested. You must implement at least annual scenario testing. When an incident happens, it’s important to implement your plan early. If your plan is good, well tested and reviewed, then triggering it early will have little impact on the business, whereas being late to trigger it could be catastrophic.
What's the most overlooked element of business continuity planning?
1. Security can be impacted in many ways during a business continuity incident. In the rush to ensure access after a business continuity incident, information security controls can be weakened. The business continuity plan needs to consider how they will be reimplemented and audited once the incident is over. Security of physical sites can also be overlooked. The recent exodus from technology parks and city centre office zones due to the COVID lockdown has already seen a spate of break-ins.
2. Staff burnout can also be overlooked in business continuity planning. It’s highly likely that it’s the same key staff that will be relied on during a disaster. Organisations need to ensure there are plans in place to spread the load and ensure proper rest for key staff members. Tired people make poor choices.
3. For the business to return to normal, it’s important to think about how this will happen. How do you win lost customers back? How do you regain your employees' trust when they return to the office?
4. Once an incident is over, it’s obviously important to learn from failings in the plan but it is also important to recognise successes.