6 reasons why your business continuity plan is weak – and how to fix it
15 May 2017
Business continuity planning involves creating a strategy to prevent, reduce and recover from risks to an organisation. Many organisations still have business-impacting IT outages which should have been avoidable, or quick to recover from. There are six key reasons why these types of IT outages continue to impact businesses.
1. Not understanding risk
Most businesses would be surprised if they listed every asset or asset type within the business and then looked at every risk associated with it. What is the likelihood of that risk affecting the asset or the wider business? What would the impact on the business be? It is impossible to protect against something you are unaware of. It is critical that a business understands, at the very least, the IT assets it has and the business risks associated with them. When you are talking about business continuity, however, it is best to include other types of asset too, such as key employees or sites.
2. Having no controls in place
Once risks are understood, controls can be put in place to reduce or mitigate them. This can be something as simple as protecting a laptop from Trojan software with anti-virus protection, through to protecting against a systems outage by replicating all data and systems into the cloud or into another site. Controls need to be sensible and considered, which is why it is critical for a business to understand the true cost of a system outage.
3. No reviews
Business continuity must be a living entity within a business. Every new asset, or at least asset type, must be logged, its risks identified and applicable controls put in place. The controls, particularly those around continuity, must be regularly reviewed and tested. Testing should be done as often as is feasible, and annually at minimum.
4. Not using the right technology
Over the last decade or two, technology has dramatically decreased outage windows and costs when it comes to business continuity. It is critical that requirements are reviewed and technology is evaluated. This obviously takes time, so technology should be assessed at least every three years to look for continuity improvements, easier manageability and reduced costs.
5. Senior management don’t take responsibility
In businesses of all sizes, senior management, typically at board level, do not take responsibility for business continuity. IT is usually left to undertake this function, often partnering with heads of departments. So when a disaster strikes, IT usually gets the blame whatever happens, even though it identified the risks and applied the controls. This is why it is critical to get senior management to understand the risks to the business, and to accept or reject controls.
Cost factors usually determine whether controls are accepted or rejected. These factors are driven by the stated Recovery Point Objective (RPO): how much data the business can afford to lose. The Recovery Time Objective (RTO) is also crucial to understand: this is how long certain systems can be down for without serious consequences. You will often hear a board state that no downtime and no data loss is acceptable; however, this viewpoint often changes when the budget to deliver these requirements is put forward.
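The RPO and RTO definitions above are easiest to understand when checked against real evidence: the backup log tells you how much data an incident would actually lose, and the last restore test tells you how long recovery actually takes. The script below is an added example and not part of the original article; the systems, objectives, backup timestamps and restore-test durations are constructed sample data, and the 2017-05-15 incident time is hypothetical. It reports, per system, whether the agreed RPO and RTO would have been met and which gaps a board would need to fund or formally accept.

```python
from datetime import datetime, timedelta

# Constructed sample data: objectives agreed with the board for each system.
OBJECTIVES = {
    "erp":   {"rpo": timedelta(hours=1),  "rto": timedelta(hours=4)},
    "email": {"rpo": timedelta(hours=24), "rto": timedelta(hours=8)},
    "web":   {"rpo": timedelta(hours=4),  "rto": timedelta(hours=1)},
    "hr":    {"rpo": timedelta(hours=24), "rto": timedelta(hours=24)},
}

# Constructed backup log: completion times of successful backups per system.
# "hr" has no backup at all, a common finding when assets are not inventoried.
BACKUP_LOG = {
    "erp":   ["2017-05-15T00:00", "2017-05-15T01:00", "2017-05-15T02:00"],
    "email": ["2017-05-14T02:00"],
    "web":   ["2017-05-14T20:00"],
    "hr":    [],
}

# Constructed results of the last restore test: measured time to full service.
# "hr" has never been tested, so its RTO cannot be claimed as met.
RESTORE_TESTS = {
    "erp":   timedelta(hours=3, minutes=30),
    "email": timedelta(hours=6),
    "web":   timedelta(hours=2),
}


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")


def data_loss_window(system: str, incident: datetime):
    """Worst-case data loss: time from the last good backup to the incident.
    Returns None when no backup completed before the incident."""
    prior = [parse_ts(t) for t in BACKUP_LOG.get(system, [])
             if parse_ts(t) <= incident]
    if not prior:
        return None
    return incident - max(prior)


def evaluate(incident_ts: str) -> dict:
    """Check every system's RPO against the backup log and its RTO against
    the last restore test; list the gaps the board must fund or accept."""
    incident = parse_ts(incident_ts)
    report = {}
    for system, obj in OBJECTIVES.items():
        loss = data_loss_window(system, incident)
        restore = RESTORE_TESTS.get(system)
        rpo_met = loss is not None and loss <= obj["rpo"]
        rto_met = restore is not None and restore <= obj["rto"]
        gaps = []
        if loss is None:
            gaps.append("no usable backup")
        elif not rpo_met:
            gaps.append(f"RPO exceeded by {loss - obj['rpo']}")
        if restore is None:
            gaps.append("restore never tested")
        elif not rto_met:
            gaps.append(f"RTO exceeded by {restore - obj['rto']}")
        report[system] = {"data_loss": loss, "rpo_met": rpo_met,
                          "rto_met": rto_met, "gaps": gaps}
    return report


if __name__ == "__main__":
    for system, result in evaluate("2017-05-15T02:30").items():
        status = "OK" if not result["gaps"] else "; ".join(result["gaps"])
        print(f"{system:6} data loss={result['data_loss']}  {status}")
```

Running it for the hypothetical 02:30 incident shows the ERP system meeting both objectives, email missing its RPO by 30 minutes because the nightly backup is the only copy, the web tier missing both, and HR with no backup and no restore test at all. Those last two lines are the conversation to have with the board: either the controls get funded or the gap is accepted in writing.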
6. Thinking it’s just about IT
A large amount of business continuity is linked to IT, but businesses have a vast array of assets which cause different levels of impact if unavailable. What happens if the Operations Manager disappears tomorrow? What happens if a site burns down? What if 30% of the workforce is affected by listeria originating from the onsite canteen? There are many scenarios that need to be understood, and suitable controls and processes need to be in place to deal with them if they arise.
Want to know if your business continuity plan is up to scratch? Submit it for a free review, and one of our senior consultants will provide feedback and recommendations for improvement.