High-profile events such as data breaches, natural disasters and terrorist attacks are raising enterprise awareness of business continuity management (BCM). Leaders have a crucial stake in ensuring the continuity and resiliency of business operations in the face of interruptions. Unfortunately, many organizations still have not put into place the people, processes and technologies necessary to demonstrate to their employees, shareholders, business partners and regulators that they can recover operations after a crisis or disaster.

The “2015 Cost of Data Breach Study: Impact of Business Continuity Management illustrated how BCM improves the resilience of operations as well as other key takeaways about the importance of BCM.

A Business Case for Being Prepared

BCM is defined as a holistic process that identifies potential threats to an organization and provides a framework for an effective response that safeguards the interests of key stakeholders, reputation, brand and value-creating activities.

Your organization should take an all-hazards approach to preparedness by developing those common response and recovery capabilities necessary for any type of incident, in addition to those unique capabilities required for specific types of incidents. Your preparedness activities will help ensure your ability to serve customers while protecting employees and assets.

BCM aims to improve your organization’s resilience, allowing the organization to survive the loss of part or all of its operational capability. The benefits of an effective program include:

  • Proactive identification of operational risks and the ability to mitigate and manage those risks;
  • Ability to manage uninsurable risks, such as risk to image and reputation;
  • Capability to effectively respond to major disruptions; and
  • Competitive advantage through the demonstrated ability to maintain customer service even when faced with significant disruption.

Developing a Business Continuity Plan

A business continuity plan is a documented, step-by-step plan for immediate response, backup operations and post-disaster recovery that will ensure the availability of critical resources and facilitate the continuity of operations in a crisis situation. Business continuity planning is what organizations do to stay in business.

A business continuity plan answers the question, “How will we get our jobs done if we suffer a significant business disruption such as losing our facility?” Developing your business continuity plan to include the worst-case scenario will help to ensure that all your bases are covered, even with less devastating events.

Your first job will be to identify and prioritize the most important business activities. These are essential business functions that need to be maintained or restored during a disruption. If your organization cannot get by without performing a certain activity, then it belongs as an essential function in your plan.

Next, you’ll determine which people or groups both internal and external to your organization are essential to getting these jobs done. Then you’ll decide what steps these people will take and what resources they will need.

**UPDATED** Read the 2016 Cost of a Data Breach Study: Impact of Business Continuity Management

Primary and Alternate Locations

If your primary location is unavailable, where will your business recovery take place? Where will your business recovery teams meet to resume their work? A primary location refers to the facility where your organization conducts normal business activities. Based on the scope of your business continuity plan, these activities may span more than one location. In this case, you will need to define multiple primary locations.

In the event of a business disruption, what alternate locations will you rely on? Alternate locations are off-site offices, buildings or areas available to you during a disruption. If all or part of your primary location is unavailable, then you’ll rely on several types of alternate locations, including:

  • A backup site where your teams will gather to continue your most essential business functions;
  • An off-site command center from which you will direct your recovery efforts;
  • Storage locations where you keep supplies, documentation and business records you may need; and
  • A restoration site where your organization can restore business activity if your primary locations are unavailable for an extended period.

Teams and Positions

A key to planning effectively is anticipating what you’ll need in a crisis. Since your essential business functions won’t be maintained or restored by themselves, you should consider which teams of people will be required to support these critical processes.

A team is a collection of people with responsibilities to perform when you activate your plan. You decide how many people should be on each team, who will fill positions on it and which tasks they’ll perform.

For a given essential business function, you may need a team to perform steps and a leader to supervise the work. For each essential business function, you will create a team or teams that execute assigned tasks. At a minimum, each team should include the position of team leader.

You also want your team members to be able to dive right in and begin performing recovery tasks, not waste time searching for equipment, software and supplies. Resources and materials are the basic supplies you need to continue essential business functions after an interruption. You’ll need to assign resources and materials to your business continuity plan to make sure workers have what they need.

Essential Vendors and Agencies

Almost all businesses depend on outside vendors and agencies to some extent, and your business is likely no exception. Consider all types of third parties that provide products and services in support of your essential business functions or those that would provide support in an emergency.

Make an effort to meet with your local emergency first responders such as the police and fire departments to exchange contact information and review plans. You should also identify alternate vendors for your critical services and suppliers as part of your preparation.

Effective business continuity planning presupposes that you take a look at how your organization could be affected by events that impact your products and services. Ask yourself:

  • What would be the impact on your organization if a critical vendor could not deliver necessary products or services for two or more days?
  • How would your organization be impacted by power outages, low fuel supplies or labor shortages?
  • Does your organization have contractual relationships with alternate vendors if a disaster happened?

During your meetings with vendors, you’ll want to:

  • Capture emergency contact information and 24/7 procedures.
  • Identify alternate suppliers for critical vendors.
  • Review the vendor’s business continuity plan and program.
  • Determine if the vendor has a dedicated BCM team.
  • Analyze how the vendor’s plans are organized, such as by location, asset or business function.
  • Ensure the vendor has identified essential business functions, the people required to perform these key activities and the resources necessary to support these activities.
  • Confirm the vendor’s own critical suppliers are identified with 24/7 contact information.
  • Verify that the vendor’s emergency notification and escalation procedures have been defined.
  • Determine how often vendors exercise and maintain business continuity plans.
  • Validate that a risk assessment and/or business impact analysis has been conducted within the past year.
  • Find out if all the vendor’s key employees and business management team have been trained on emergency response and recovery procedures.

Before signing any additional contracts, review your vendor’s business continuity programs and evaluate how they may affect your organization. Additionally, be sure the contract includes the opportunity to review, test and update these plans on a periodic basis.

Train Your Employees

No matter how complete your plans may be, they only work if you and your people know how to use them. Effective training not only helps your people manage and mitigate the immediate crisis, but it also equips them with the knowledge and skills needed to keep your business running after a crisis. There are three basic types of exercises to help you train your employees.

Orientation

This type of exercise is simply an educational session, typically in the form of a presentation or discussion. To conduct an orientation:

  • Introduce the purpose of business continuity planning.
  • Describe your business continuity plan’s structure and content.
  • Identify key team members, roles, responsibilities and procedures.
  • Distribute plans and review plan content. This includes checking for accuracy, verifying completeness, identifying assumptions and validating assignments.

Drill

A drill is a type of exercise that involves an activity that tests, develops or maintains skills in a response procedure. Fire and tornado drills are common examples. Exercising your organization’s emergency notification procedure or call tree is another example.

To conduct a drill, start by defining a drill purpose. This could be:

  • To test a single function of the plan;
  • To test processes and responsibility response; or
  • To develop response skills.

Then define the drill simulation:

  • Is it a fire drill?
  • Is it an emergency notification drill?
  • Are you practicing roles and responsibilities as defined in your plan?
  • Are you evaluating the processes and responses?
  • Are you reviewing lessons learned and updating plans?

Tabletop Exercise

A tabletop exercise involves a facilitated discussion to simulate a crisis situation in a structured, low-stress environment. To conduct a tabletop exercise:

  • Define the tabletop exercise purpose. Is it to:
    • Help team members internalize roles and responsibilities?
    • Expose gaps in the plan?
    • Encourage group problem-solving processes?
    • Examine staffing allocation contingencies?
    • Review process contingencies?
  • Develop a hypothetical crisis scenario.
  • Facilitate discussions on the scenario with all team members.
  • Identify gaps between the documented response plan and actions based on the crisis scenario.
  • Capture lessons learned and update plans.

Preparing for a Crisis

Effective leaders prepare their organizations for the possibility of crisis, developing emergency response and business recovery plans outlining who should do what when a crisis occurs. But effective leaders do more than just document a plan. They also put their plans into action through periodic exercises and drills.

The leadership skills necessary for responding to a crisis are the same you use in managing your normal operations, only amplified. Preparing for a crisis can actually improve day-to-day operations and the ability to weather any type of business interruption. Additionally, being prepared for any crisis can substantially improve your recovery time, dramatically lowering the economic costs and psychological impact of a particular crisis.

Crisis Communication

As part of crisis preparation, leaders need to consistently share the possibility that a crisis may occur and the organization’s plans to respond. Here are a few helpful tips to keep in mind when communicating with your employees:

  • Face-to-face communication is most effective.
  • Sharing information isn’t a one-time event. It’s important to review, repeat and reinforce your message.
  • Outline the personal advantages to be gained so employees understand what’s in it for them.
  • Practice behaviors that validate, affirm and recognize employees.

During a crisis, it’s essential that you communicate clearly, consistently and frequently. Be sure to keep lines of communication open and know who should be informed when and how.

In times of crisis, it’s important you stick to the facts: Avoid conjecture and speculation about future implications. You’ll also want to avoid technical details or overly complicated statistics because you are trying to communicate openly and honestly while communicating emotionally.

Leadership After the Crisis

Reviews should be conducted after action. You’ll meet with your leadership team to review how your organization and teams handled the crisis. This review should begin as soon as is practical after the crisis is contained. During this review, you’ll want to:

  • Determine and closely scrutinize all the causes and effects of the crisis because some may not be obvious.
  • Focus on learning from the incident, not on determining responsibility, accountability or guilt.
  • Discuss lessons learned and incorporate them into your business continuity plan.
  • Update communication policies and/or operating procedures that may have been inadequate during the crisis.

After the review, you’ll also want to brief employees on the changes and develop any necessary training. Keep in mind that people will want to know what happened, why it occurred, what it means and what’s being done to ensure it won’t happen again.

How you respond after the crisis can actually improve employee morale, attitudes and loyalty, leading to a more effective and engaged organization. Be sure to recognize and reward individuals who made a significant contribution to containing and resolving the crisis. You may also need to develop a strategy to restore and improve the organization’s reputation if it was damaged.

Even after a crisis has ended, you, as a leader, have a number of responsibilities:

  • Rebuild and strengthen relationships between people in the organization and between people and the organization.
  • Learn from the experience in order to prepare for the next crisis.
  • Talk to employees and personally share what preventive measures are being taken to avert another crisis.

Final Thoughts on Business Continuity Management

Forward-thinking organizations realize that developing risk mitigation programs in silos is a reactive approach to managing risks. There is a growing recognition of the competitive advantage of emergency preparedness, crisis management, business continuity and business resiliency.

Leaders must take a proactive, process-oriented and risk management approach to crisis situations and business interruptions. Recognize that business continuity management is a mission-critical function that extends beyond the demands of restoring technical systems following an emergency.

Learn how Business Continuity Management Reduces Cost and Impact: Read the full report

More from CISO

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

The evolution of a CISO: How the role has changed

3 min read - In many organizations, the Chief Information Security Officer (CISO) focuses mainly — and sometimes exclusively — on cybersecurity. However, with today’s sophisticated threats and evolving threat landscape, businesses are shifting many roles’ responsibilities, and expanding the CISO’s role is at the forefront of those changes. According to Gartner, regulatory pressure and attack surface expansion will result in 45% of CISOs’ remits expanding beyond cybersecurity by 2027.With the scope of a CISO’s responsibilities changing so quickly, how will the role adapt…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today