6 reasons why your business continuity plan is weak – and how to fix it
15 May 2017
Business continuity planning involves creating a strategy to prevent, reduce and recover from risks to an organisation. Many organisations still have business-impacting IT outages which should be avoidable, or quick to recover from. There are six key reasons why these types of IT outages continue to impact businesses.
1. Not understanding risk
Most businesses would be surprised if they listed out every asset or asset type within their business and then looked at every risk associated with it. What’s the likelihood of that risk type affecting the asset or the wider business? What would the impact be on the business? It’s impossible to protect against something you are unaware of. It’s critical that a business understands, at the very least, the IT assets they have and the associated risks to the business. However, when you’re talking business continuity it’s best to include other types of asset, such as key employees or sites.
2. Having no controls in place
Once you understand the risks, you can put controls in place to reduce or mitigate them. This can be something as simple as protecting a laptop from Trojan software with anti-virus protection, through to protecting against a systems outage by replicating all data and systems into the cloud, or into another site. Controls need to be sensible and considered, which is why it’s critical for a business to understand the true cost of a system outage.
3. No reviews
Business continuity must be a living entity within a business. Every new asset, or at least asset type, must be logged, its associated risks identified and applicable controls put in place. The controls, particularly around continuity, must be regularly reviewed and tested. Test as often as feasibly possible, or annually at a minimum.
4. Not using the right technology
Over the last decade or two technology has dramatically decreased outage windows and costs when it comes to business continuity. It’s critical to review requirements and evaluate the technology. This obviously takes time, so assess technology every three years (at most) to look for continuity improvements, easier manageability and reduced costs.
5. Senior management don’t take responsibility
In businesses of all sizes, senior management, typically at board level, do not take responsibility for business continuity. It is usually up to IT to undertake this function, often with heads of departments. So when a disaster strikes, whatever happens, IT usually gets the blame, even though they have identified the risks and applied the controls. This is why it’s critical to get senior management to understand the risks to the business and to accept or reject controls.
Cost factors usually determine whether management accept or reject controls. The controls’ stated Recovery Point Objective (RPO) – how much data the business can afford to lose – typically determines these costs. Recovery Time Objective (RTO) is also crucial to understand: this is how long certain systems can be down for without serious consequences. You will often hear a board state that no downtime and no data loss is acceptable; however, this viewpoint often changes when viewing the budget.
6. Thinking it’s just about IT
While IT is important, businesses will have a vast array of assets which will cause different levels of impact if unavailable. What happens if the Operations Manager disappears tomorrow? If a site burns down? Or if listeria from the onsite canteens takes out 30% of the workforce? There are so many scenarios that need to be understood, and suitable controls and processes need to be in place to deal with them if they arise.
Want to know if your business continuity plan is up to scratch? Submit it for a free review, and one of our senior consultants will provide feedback and recommendations for improvement.