This is the 2nd in a series of articles focusing on Business Continuity Planning – from basics to testing. While not intended to define any standard for BCP’s, these articles should provide assistance for new Planners, and provoke the thought processes of experienced Planners. The series began with a 7 Things Every Plan Should Contain. Next we examine the latest threats that Business Continuity Planning should address.
A Business Continuity Plan is the playbook for responding to a disruption of day-to-day operations. It shouldn’t be a compilation of lists, it should be actionable. Given that assumption, what should be the nature of the disruptions that are within the scope of the BC Plan?
Often, BC Plans focus on what we already know how to do: respond to things that have already occurred in the past, or to which we’ve repeatedly practiced to respond. But like the TSA making us remove our shoes (because someone once tried to smuggle a bomb in his shoe), those “scenarios focus on what were – not what are – today’s most potent threats.
Today there are 3 main threats that all business organizations face:
- Cyber Security Incidents
Theft of data (breaches), denial of service (DoS), malware and data ransoming have become common occurrences. It may not be a matter of if an organization is attacked, but when – regardless of the size of the organization.
Most cybercrimes are carried out anonymously. That creates opportunity and increases the chance of occurrence. Cyber security incidents can lead to business interruptions and regulatory consequences. Management needs data & information to make realistic assessments of the impact of cyber incidents on various stakeholders, assets and data. Companies need crisis response or breach response plans and notification plans in addition to DR plans to assure an effective response.
- Physical Security
Denial of access, physical inaccessibility, lockdowns, & forced evacuations result from many incidents that may not directly impact a facility of employees – but may hamper their ability to perform day-to-day operations. When an ‘active shooter’ event occurs, many nearby facilities may be locked down or evacuated. The same may result from bomb threats, chemical spills, train derailments, truck accidents – even civil protests and celebrations.
Traditional Loss of Facility and Loss of People scenarios often assume long-term abandonment of a building or a major catastrophe to employees, respectively. But physical security threats – to facilities and employees – may last only hours or a day. Planning must focus on strategies that can continue critical services, or deliver vital products despite short-term delays or manpower shortages – since those are more likely than smoke and rubble losses of facilities or employee groups.
- Supply Chain Reliability
As organizations extend their supply chains across the globe, their resilience assumes greater risks. Business Continuity can play a larger role in mitigating the threat of disruptions of supplies – and customers. Planning which focuses on single points of failure and over-reliance on single vendors can develop strategic responses to Supply Chain failures.
Traditional Loss of Vendor scenarios – when they are used – often focus very narrowly on business process level suppliers. Understanding both the roles of major Supply Chain vendors – and the potential threats to their disruption – enables the development of strategies to meet their short-and long-term unavailability.
There is a long-running debate regarding the advisability of using scenarios as the basis for planning. Each organization must make its own decision; what’s right for one may not be for another. But when the choice is to employ scenarios as a Business Continuity Planning as a starting point, make certain those scenarios include today’s major threats – not yesterday’s.
The next blog in the series will focus on leveraging well-known strategies to create viable, sustainable and actionable Business Continuity and Disaster Recovery Plans
