Seven Essential Practices for Developing a Business Continuity Plan
Having a business continuity plan is essential for effectively managing business continuity and resiliency, thus ensuring that an organization doesn’t suffer serious business disruption in the event of a damaging security incident or disaster. Ensuring business continuity is an essential part of enterprise risk management and should be part and parcel of the overall risk management program.
However, a survey from the Ponemon Institute, sponsored by IBM, showed that almost one-third of respondents didn’t have an IT risk strategy that included a business continuity plan. Only 17 percent said they have a formal continuity plan that is consistently applied.
An organization that has a well-documented, thoroughly tested and up-to-date business continuity plan with executive-level buy-in will see numerous benefits, not least of which are a faster time to recovery, an increased likelihood of business survival and a strong, trusted reputation. According to StandBy Consulting, just 6 percent of organizations that suffer a significant data breach and do not have such a plan will be in business two years after the event occurs.
The Seven Essential Practices
Recent research from IBM outlined seven essential practices that organizations should consider. These concepts can act as a road map that will help enterprises elevate business continuity management so that it is part of the overall risk management strategy.
1. Secure an Executive Champion for Business Continuity Management
Unless an enterprise sponsor is assigned responsibility and accountability for business continuity, an organization is unlikely to achieve a holistic, top-down view of business continuity. However, in many organizations, business continuity is handled at a functional level by different business units or locations. There should be a leader in place to share developments among these departments and encourage everyone to remain on the same page.
2. Conduct a Comprehensive Assessment of Current Business Resilience Posture
This will help organizations link continuity risks to overall business risks, which is vital in gaining executive-level support for improving business continuity. By making this an enterprise-wide activity, gaps and redundancies can be eliminated.
3. Elevate the Business Continuity Management Discussion to the Enterprise Risk Management Level
A patchwork approach to risk — where areas such as IT and operations risks are handled in isolation — can leave an organization vulnerable and at risk of not meeting its compliance objectives. Business continuity risks should be considered in the context of the organization’s strategic business objectives.
4. Perform a Holistic Analysis by Looking Across Organizational and Geographic Boundaries
An enterprise-wide impact analysis is the foundation of any business continuity program, but it’s often overlooked or poorly implemented. Both technology recovery capabilities and business requirements should be considered in tandem to decrease risk, but make sure the findings apply to all areas of the organization.
5. Identify the Most Critical Processes for Driving Business Strategy
Organizations gain true insight into their critical business processes and interdependencies through an enterprise-wide analysis. Their processes and the risks they address can then be prioritized according to the strategic needs of the business. Focus on the most critical processes to rationalize funding effectively.
6. Apply a Consistent, Integrated Approach to Enable More Consistent Planning and Risk Mitigation
Regular enterprise-wide reviews and updates to business continuity programs are key to ensuring that the program remains in line with business strategy and imperatives. A consistent approach with cross-organizational oversight will help to overcome fragmentation across different business units and ensure a holistic approach is taken.
7. Establish a Centralized Governance Structure Integrated Across Business and IT
An effective governance structure should align business continuity management with business strategy, but it’s often stymied by inadequately defined policies, roles, responsibilities, processes and oversight. Make sure the IT department is on board with the plan and believes it’s effective.
Don’t Leave a Business Continuity Plan Behind
Risk management is too important to be left to chance, especially since risks are constantly proliferating. The seven essential practices outlined here have a common theme: the need for executive sponsorship, integrated governance and strategic alignment with business requirements. They provide a framework for ensuring business continuity is given the priority it deserves. They also emphasize consistency across business units and locations so that business resiliency can be more easily achieved and organizations can shield their brands, reputations, operations and finances from harm.