Security Vision
Every organisation depends on professionals from different disciplines working together to achieve common outcomes. It is extremely rare to achieve holistic success while staying within the boundaries of one's own expertise.
And the larger a business becomes, the more non-trivial the task of ensuring its sustainability becomes, as it requires unravelling the tangle of interdependencies between people, processes and technology. This requires business, technical, security and risk professionals to work together to consider the possible consequences of a business interruption from all perspectives.
At the end of the day, this integrated approach to continuity will not only identify the need for redundancy of particularly critical assets, but also bring the spin-off benefits of optimising processes and eliminating bottlenecks.
This is where business continuity management (BCM) comes in. In essence, it is an approach that enables contingency plans to be put in place. Typically, organisations already have a set of plans in place: a building evacuation plan hanging lonely on the wall, an IT infrastructure recovery plan lying in the system administrator's desk. At the same time, most often no one knows how much the business itself will suffer if the IT infrastructure goes down.
BCM involves a comprehensive analysis of the organisation's business processes in terms of what financial, legal, reputational and any other types of consequences await the company if they suffer. Taking into account the digitalisation of everything and anything, the dependence of business processes on information systems is also assessed, thus creating a direct dependence of business on IT.
Based on this analysis, the most critical business processes, the entities on which they depend (in addition to information systems, these can be suppliers, facilities, equipment, etc.), and the key metrics for their recovery are identified. In this way, there is a clear understanding of which business processes are vital to maintain in the first place.
Based on the results, continuity plans are drawn up (for a specific business process or for a set of business processes) that outline step by step who needs to do what in the event of an emergency. A simple example: a building burns down. The continuity plan calls for some employees to work remotely and some to work at an alternative site. A question then arises: do we have an alternate site ready? The answer is to regularly test each continuity plan to see whether there is a place to move to and whether we are on schedule.
We have learnt why BCM is needed. Now we need to understand whether everyone needs it and to what extent. The level of implementation of BCM processes depends largely on the size and maturity of the company. If it is relatively small, a full-fledged analysis of business processes is not necessary, because, due to their small number, it is clear which of them are critical and need priority support.
But for large enterprises with a complex distributed structure and thousands of business processes, a comprehensive BCM is actually necessary. Moreover, in some areas, continuity assurance becomes mandatory and is governed by regulatory requirements (banking industry employees will confirm this). It is immediately obvious that developing continuity plans manually, using a large number of spreadsheets, will be a Herculean task. The human factor cannot be ruled out: incorrect data and errors in filling out the tables will snowball and delay the project for many months. Here the advantage of automated BCM becomes undeniable (we will talk about it in more detail below).
And here we come to another pain point: ‘Who in the organisation will do it?’. Even in mature companies, there is usually no dedicated continuity department. It can be handled by risk specialists or by the information security department in close co-operation with IT. In fact, continuity management should not be seen as an additional burden that has been imposed on your department. It's no secret that in companies, the interaction between business and technical departments is creaky. BCM becomes a point of intersection of interests and allows the ‘techies’ to better understand the needs of the business, while the business, in turn, realises that more money can and should be spent on IS and IT.
In fact, almost all organisations have some level of emergency preparedness in place. The only question is how effective and measured an approach is taken to put that plan in place. Often the rudiments of continuity plans are formed on a whim by someone in charge, such as a sysadmin keeping a reserve of workstations and backing up what he thinks are important services. This can lead to underestimation of possible consequences and potential losses for the organisation.
Building a full-fledged continuity process will enable an organisation to responsibly and rationally allocate resources, prepare and test contingency plans in the event of an emergency. One of the key aspects of creating a continuity plan is risk analysis and calculation. From this data, the organisation can determine what reserves need to be built up, what processes need to be backed up and what resources should be allocated for this purpose. Only in this way can it be confident in its ability to deal effectively with unforeseen events and minimise losses.
When a company is small, recording and evaluating business processes, resources, and impact analysis surveys can be done without automation. However, as the number of departments and structural complexity of the organisation increases, the amount of documentation grows exponentially. In addition, when preparing impact assessments, continuity plans, or test cases, data has to be copied from one document to another, which can lead to errors and wasted time.
In this situation, automating processes allows the data to be modelled and re-used without the need for manual action. By implementing processes within the same system, you can effectively manage visibility and access rights for collaboration. In addition, automation allows you to set up automatic collection and processing of information: for example, the results of completed questionnaires can be analysed immediately, and the availability of backups can be checked against the backup policy.
Thus, the use of process automation systems allows companies to significantly improve the management of business processes and resources, avoid errors and significantly save time. Ultimately, this contributes to improving the company's efficiency and creating favourable conditions for the development of its activities.
Using automation to compile and visualise a model of process and resource interrelationships also plays an important role. This allows a company to re-engineer its operations, identify bottlenecks in processes and redistribute the workload to avoid the risks of failure of key elements or unnecessary investment in unused capacity, which in turn enables the company to optimise its operations and improve its efficiency.
To conclude, I would like to highlight the value that BCM brings to an organisation's infrastructure and resource management processes. For example, infrastructure data collected and stored through asset management processes can be enriched with information about their business value, criticality and interrelationships through interactive questionnaires. Based on the information collected, the potential damage from the failure of certain resources can be modelled and adequate emergency response and recovery plans can be put in place, while regular testing of the plans will ensure that they are up to date.
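The process-and-resource model described above can be sketched in a few lines. This is an added example, not code from the article or from any product: the process names, criticality scores and the "maximum tolerable downtime" metric are constructed assumptions. It propagates each process's requirements down to every resource it depends on, directly or indirectly, and lists the resources whose failure would interrupt several processes at once.

```python
from collections import defaultdict

# Constructed sample data: criticality (1-5) and maximum tolerable downtime
# in hours are assumed metrics, not values taken from the article.
PROCESSES = {
    "payments": {"criticality": 5, "max_downtime_h": 2},
    "payroll":  {"criticality": 3, "max_downtime_h": 72},
    "support":  {"criticality": 4, "max_downtime_h": 8},
}
# Direct dependencies of each process or resource (systems, suppliers, ...).
DEPENDS_ON = {
    "payments": ["core-db", "payment-gateway"],
    "payroll": ["hr-app"],
    "support": ["crm", "telephony-provider"],
    "hr-app": ["core-db"],
    "crm": ["core-db", "sso"],
    "payment-gateway": ["sso"],
}

def resources_for(node, seen=None):
    """Return every resource reachable from node (transitive, cycle-safe)."""
    seen = set() if seen is None else seen
    for dep in DEPENDS_ON.get(node, []):
        if dep not in seen:
            seen.add(dep)
            resources_for(dep, seen)
    return seen

def resource_requirements():
    """Give each resource the strictest requirement of the processes using it."""
    req = defaultdict(lambda: {"criticality": 0,
                               "max_downtime_h": float("inf"),
                               "processes": []})
    for name, proc in PROCESSES.items():
        for res in resources_for(name):
            entry = req[res]
            entry["criticality"] = max(entry["criticality"], proc["criticality"])
            entry["max_downtime_h"] = min(entry["max_downtime_h"],
                                          proc["max_downtime_h"])
            entry["processes"].append(name)
    return dict(req)

def bottlenecks(min_processes=2):
    """Resources shared by several processes, most widely shared first."""
    shared = [(res, info) for res, info in resource_requirements().items()
              if len(info["processes"]) >= min_processes]
    return sorted(shared, key=lambda item: (-len(item[1]["processes"]),
                                            item[1]["max_downtime_h"]))
```

In this sample, the HR application tolerates 72 hours of downtime, but the database behind it inherits the 2-hour limit of the payments process, which is the kind of mismatch a manually maintained spreadsheet tends to hide.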