Business Continuity – the real threats, from Del Brazil
News and information from the Advent IM team.
News and information from the Advent IM team.
From Del Brazil, Advent IM Security Consultant – for Business Continuity Awareness Week #BCAW2016
As its Business Continuity Week it seems only logical to start at beginning of the whole Business Continuity process, which is to ask ‘Why do we need Business Continuity?’
Business Continuity is a standard methodology that addresses the critical outputs and functions of an organisation. If it’s planned, implemented and tested well, then it can help to ensure that any potential disruptive event has minimal impact to business critical outputs, thus facilitating the survival of the organisation,
A classic mistake made by a lot of organisations is not the lack of preparedness but ensuring that any plans are in line with the actual (not perceived) risks posed to the organisation and its critical business functions. It is so easy for an organisation to get swept up by the hype of global or national threats/risks highlighted by the media, when in reality they should be looking closer to home in order to correctly identify those risks that are more specific to the business or organisation. This is also summarised in the annual Horizon Scan publication by the Business Continuity Institute.
With all the recent terrorist attacks taking place in Paris and Brussels, it does make sense to consider the threat from terrorist organisations; however if organisations carry out appropriate and regular risk assessments in line with their critical activities/functions it more likely that there is a higher threat from staff not being able to get to work due to industrial action by local transport agencies, or an unplanned telecom outage, for example. If we look at the 2015 Horizon Scan from The Business Continuity Institute, we can see that a higher proportion of concern was perceived about terrorism (90%) than about key customer insolvency (50%).
As always, a good risk assessment methodology is crucial in identifying those risks posed to an organisation. There are many different ways of conducting risk assessments but the key element about conducting any risk assessment is that it is easily understood and repeatable throughout the business or organisation. The first step of any risk assessment is identifying the threats to the business or organisation, whether that be from flooding through to an IT failure. There is no definitive list as each organisation or business has its own threats associated with its outputs, location, environment and technologies being used.
Any risk assessment should include the likelihood of an event taking place and the impact of that event on the business/organisation. Having identified the threats to the business the next step is to calculate the likelihood of the threats actually being realised and the impact it may have on the business and/or organisation. This is a relatively simple task with the use of a 5 x 5 matrix; however for a risk assessment to be correct and comprehensive, the necessary personnel need to be included in the process. Having calculated the likelihood and impact of any threat, the end result is more commonly known as the ‘risk’ or ‘risk statement’.
The next step would be to evaluate the impact to the business by either quantifying or qualifying the risk i.e. A low risk could be equivalent to 1 lost day of productivity or £10,000 of lost revenue or a high risk impact being equivalent to 7 lost days of productivity or £50,000 of lost revenue. These are only examples, as each business must evaluate the impact of any threat in line with their business outputs.
Having formulated a prioritised risk list the next phase would be develop business continuity plans in line with the results of the risk assessment. There would be no point planning for a potential flood to occur if the organisation was based on a hill; obviously this could still occur from an internal burst pipe but the risk from flooding is substantially higher if the organisation was based within a know flood plain.
Having quickly looked at the risk assessment methodology associated with Business Continuity, it becomes clear that organisations need to maintain a focus on the immediate threats posed to their critical activities, whilst also keeping an eye on the wider threats. Should organisation ignore the threats posed from major sources such as terrorism? The quick answer is no. No organisation is immune from the threat of terrorism whether it be as a result of a direct attack or an indirect attack i.e. being in the immediate area of a targeted attack or suffering as a result of exclusions imposed by various different government agencies.
The main point here is to ensure that any Business Continuity planning is appropriate to the organisation and its critical business functions and not just aligned to the major threats that grab the headlines that week.
Business Continuity is very effective and if planned and tested correctly, can help ensure that organisations not only survive potential crippling events but are also able to continue to deliver critical business functions.