6 reasons your business continuity plan is weak – and how to fix it

/ Security
Last updated on April 15th, 2020

Business continuity - Your business continuity plan is weak. Here's why:

Business continuity planning involves creating a strategy to prevent, reduce and recover from risks to an organisation. Many organisations still have business-impacting IT outages which should be avoidable, or quick to recover from. There are six key reasons why these types of IT outages continue to impact businesses.

1. Not understanding risk

Most businesses would be surprised if they listed out every asset or asset type within their business and then looked at every risk associated with it. What’s the likelihood of that risk type affecting the asset or the wider business? What would the impact be on the business? It’s impossible to protect against something you are unaware of. It’s critical that a business understands, at the very least, the IT assets they have and the associated risks to the business. However, when you’re talking business continuity it’s best to include other types of asset, such as key employees or sites.

2. Having no controls in place

Once you understand the risks, you can put controls in place to reduce or mitigate the risk. This can be something as simple as protecting a laptop from Trojan software with anti-virus protection, through to protecting against a systems outage by replicating all data and systems into the cloud, or into another site. Controls need to be sensible and considered, hence why it’s critical for a business to understand the true cost of a system outage.

3. No reviews

Business continuity must be a living entity within a business. Every new asset should be logged, have its associated risks identified and have applicable controls put in place. The controls, particularly around continuity, must be regularly reviewed and tested. And by ‘regularly’ that means you should be testing as often as feasibly possible. If you’re waiting for longer than a year between reviews, you’re leaving yourself highly vulnerable.

4. Not using the right technology

Over the last decade, technology has dramatically decreased outage windows and costs when it comes to business continuity. So it’s critical that you review requirements and evaluate the technology. This process takes time and experience to do correctly, so you may want to contact a consultant so you can keep focused on your own business and have confidence in your choice. You should be assessing technology every three years (at most) to look for continuity improvements, easier management and reduced costs.

5. Senior management don’t take responsibility

In businesses of all sizes, senior management, typically at board level, do not take responsibility for business continuity. It’s usually up to IT to undertake this function, often with heads of departments. So when a disaster strikes, whatever happens, IT gets the blame – even though they’ve identified the risks and applied the controls. This is why it’s critical to get senior management to understand the risks to the business and to accept or reject controls.

Cost factors usually determine whether management accept or reject controls. The controls’ stated Recovery Point Objective (RPO) – how much data they can afford to lose – typically determine these factors. Recovery Time Objective (RTO) is also crucial to understand. This is how long certain systems can be down for without serious consequences. You will often hear a board state that no downtime and no data loss is acceptable, however, this viewpoint often changes when viewing the budget.

6. Thinking it’s just about IT

While IT is important, businesses will have a vast array of assets which will cause different levels of impact if unavailable. What happens if the Operations Manager disappears tomorrow? If a site burns down? Or if listeria from the onsite canteens takes out 30% of the workforce? There are so many scenarios that need to be understood, and suitable controls and processes need to be in place to deal with them if they arise.

Click here to download your 3 essential templates for managing risk

In the press: Digitising courtrooms & law firms

Digital was a key focus of the Autumn Statement this year, with a total of £1.8 billion in planned investments listed by the Chancellor at the end of November. Part of this embrace of digital included an allocation of £700 million to fully digitise the courtrooms, moving from the current paper-based system to an online […]

/ Security
Eight ways to avoid phishing scams

Phishing is a form of online scam in which fraudsters trick Internet users into submitting personal information to what they believe is a legitimate organisation. This can lead to scammers gaining your personal login credentials or the information needed for identity theft. Phishing scams usually arrive as an email pretending to come from a legitimate […]

/ Technical
12 ways to get more out of your cloud computing spend

How to reduce cloud computing spend Fortunately, there are plenty of opportunities for recovering spend quickly and effectively – largely around better cloud management and resource allocation. Of course, any cost-cutting measures need to be performed in a controlled way to ensure the integrity, performance and security of the cloud platform is not compromised. 1. […]