Where do I start?
This is a conversation and situation I’ve had many times with different people, and it may feel familiar to some of you. You’ve been tasked with developing a BC/DR program for your organization. Assume you have little or nothing in place, and what you do have is so out of date that you feel it would be wise to start fresh. The question invariably comes up: Where do I start?
Depending on your training or background, this may start with a Business Impact Analysis (BIA) in order to prioritize and analyze your organization’s critical processes. If you have a security or internal audit background, you may feel inclined to start with a Risk Assessment. You may have an IT background and feel that your application infrastructure is paramount, so you need a DR program immediately. If you’ve come from the emergency services or the military, life and safety might be foremost in your mind, and emergency response and crisis management might be the first steps. I’ve seen clients from big pharmaceuticals that need to treat their supply chain as their number one priority.
The reality is that although there are prescribed methodologies with starting points outlined in best practices by various institutes and organizations with expertise in the field, there is only one expert when it comes to your organization. You.
Ultimately, each methodology has intrinsic connections to the others. In the real world, as much as we’d love to get everything completed in one project, doing so is not always feasible from a budgetary or workload standpoint unless you have a large team to get it accomplished. Add the layer of being a global company, with different regulatory requirements to consider, and the project becomes even larger.
In the same way that we analyze our organization for impacts in a BIA or for threats in a Risk Assessment, we can apply similar logic to our priorities without getting into a full “analysis paralysis” situation.
What industry vertical does my organization fall into?
This question can determine your highest priorities. A financial organization could be regulated by the FFIEC, NCUA, OCC or many others, and many of these require that MEFs be defined with recovery actions, or the penalties could be high. A retail or pharmaceutical organization may have a high reliance on its distribution/production network. The latter could have a life-dependent impact on the distribution of critical medicine and vaccines, so its supply chain would be a priority.
Is it heavily regulated?
Heavily regulated industries come with their own set of risks. Not only do we have to be prepared for potential loss due to a disaster, but non-preparedness carries its own forfeiture in the form of fines and penalties. Our starting point might be dictated by how exposed we are and where we might fail an audit. We need to ensure that we are compliant to avoid huge fines or loss of membership, and infringement of SLAs or contracts may dictate our highest priority.
Did we recently experience a disaster?
On occasion I’ve encountered companies in industries that were not regulated, but had just experienced a flood and realized how vulnerable and unprepared they were. Their board of directors or owners realized how inadequate or inaccessible their backups were. The company had no flood insurance because no risk assessment had been performed, and there was no communication plan for vendors or customers, which damaged relationships. Fortunately, they were still able to recover, but the event shed light on all the vulnerabilities of the organization. The driver could be related to prior experience.
What were the lessons learned from that disaster?
“Hindsight is 20/20,” and lessons learned provide valuable insight into the higher risks, their likelihood and what could occur again. They are the best exercises or tests we could ever have, as they test aspects of our organization that we can’t simulate, like stress and how staff endure under real pressure. Everyone who has had a house broken into or experienced a fire immediately went out the next day and bought a security system or a fire extinguisher, respectively. Our driving force could be never allowing the unthinkable to happen twice.
What are the areas that the executive committee have the most concerns about?
Independent of regulation, finances and past disasters experienced, it can sometimes happen that a board member or manager has a concern about a threat, based on previous experience, that isn’t substantiated. If an executive committee is all in alignment and its guidance matches the evidence, then that works, but what do we do when direction is misaligned? In circumstances like this, the only thing we can do is let the numbers and the evidence show the way. A risk assessment will show where we’re vulnerable, and a BIA will show what’s critical.
Are we global?
In an organization that has global offices, we may have to prioritize based on laws in other countries, e.g. the German Bundesdatenschutzgesetz (BDSG), the Data Protection Act, the Danish Personal Data Processing Act or GDPR. The fines can be steep, and infringements and reporting can have short turnaround times. Are we in a position to roll out a program that can ensure preparedness for the organization but also meet the demands of all international privacy policies? Are we more at risk in one country than another?
Do we have any procedures in place, particularly in terms of life and safety?
It’s hard to imagine that an organization would currently not have a simple evacuation plan, even just for a fire. But has it been tested? Have security alerts gone up in our location for potential terrorism and bomb threats? The current political situation and our location could have some bearing on the need to prioritize the life and safety of our employees, especially if a previous incident has impacted our image or reputation.
Ultimately, you will need to prioritize your program based on your industry, previous incidents, your location and your highest risks and exposures. Weigh up your budget, the workload and your resources, and assess your company’s highest priorities by evaluating against the questions listed above.
Trust your judgement, but back it up with all the evidence you can. The strength of your position is unquestionable when the data shows what the risks are, the potential penalties and the impacts of non-preparedness.
Reach out for a no-obligation initial conversation.