Business continuity

What is the Business Continuity Management Lifecycle?

Organisational resilience and business continuity have catapulted themselves to the forefront of organisations’ minds. Given the challenges brought on by disruptions such as COVID-19, organisations were forced to completely abandon the traditional office-based working model and shift to remote working at the drop of a hat – a scenario which few had anticipated or properly planned for. Because of this lack of planning and foresight, many organisations were forced into closure as they simply couldn’t handle the level of disruption the pandemic brought with it.

More recently, the war between Ukraine and Russia has raised the very real possibility of power outages for organisations across Europe. Without having well-planned and executed business continuity strategies in place for such disruptions, organisations may face catastrophic impacts from a financial, strategic, regulatory, and reputational viewpoint. 

Thus, by having effective business continuity arrangements in place, organisations will be better equipped to absorb the impacts of major disruptions and continue to provide their high-priority products and services in the face of adversity. 

In this blog, we will provide an overview of the different phases that should be included in your organisation’s Business Continuity Management Lifecycle.

What is Business Continuity?

At a high level, Business Continuity can be defined as: ‘the ability of an organisation to recover its predetermined products and services, to predetermined levels, within predetermined timeframes to ensure business survival’.

It is a key management discipline that builds and improves organisational resilience. An effective Business Continuity Programme is essential for any organisation that seeks to develop and enhance organisational resilience. This programme is an ongoing cycle of activities that helps the organisation implement their Business Continuity Policy, which acts as the roadmap for the programme. 

The Business Continuity Management Lifecycle

The Business Continuity Institute’s (BCI) Good Practice Guidelines (2018) break down the six key phases of the Business Continuity Management Lifecycle. This lifecycle promotes a continual and proactive approach to building and maintaining resilience.

A summary of these six phases can be seen below: 

1. Policy and Programme Management

The first step when designing your Programme is to develop your Business Continuity Policy. This sets the direction for the Programme and must include the scope, objectives, and roles and responsibilities in relation to the Programme. It is fundamental at this stage that leadership demonstrates its ongoing commitment to the Programme. This can be done by approving the Business Continuity Policy, providing resources, or supporting continual improvement initiatives.

2. Embedding

Here, the focus is on integrating business continuity into BAU activities within the organisation. Changing the culture and mindset of stakeholders is crucial and can be achieved through effective ongoing communications, training, and awareness activities. To ensure the right message is conveyed, it is important that the audience is taken into account when delivering any communications. It is also important to ensure that those who have responsibilities in relation to crisis and incident management have the necessary level of competence and skill to perform their duties correctly.

3. Analysis

The analysis phase is all about determining an organisation’s business continuity requirements. 

The main technique used for the analysis of an organisation for business continuity purposes is the Business Impact Analysis (BIA). The BIA identifies the urgency of each in-scope activity undertaken by the organisation by assessing the impact over time that any potential or actual disruption to this activity would have on the delivery of products and services.

There are a number of important outputs from the BIA process, including: 

  • Maximum Tolerable Period of Disruption (MTPD)
  • Recovery Time Objective (RTO)
  • Recovery Point Objective (RPO)
  • Minimum Business Continuity Objectives (MBCO)

Different types of BIAs exist (Initial, Product and Service, Process, and Activity) to allow organisations to collect differing levels of information.

Organisations may decide to combine different types of BIAs to meet their own business continuity objectives.

A risk and threat assessment should be conducted at this stage so that risk treatments can be identified in the Design phase of the lifecycle. Horizon scanning is used to forecast potential threats that may lead to a possible disruption in the future and identify where mitigations may be required. 

4. Design

Taking into account all of the data gathered in the first three phases, the Design phase is used to develop the Business Continuity Solutions that will be used to help the organisation achieve the predefined RTOs. These solutions may involve, for example, diversifying and/or replicating existing processes or resources. The shorter the RTO, the more reliable the solution must be. However, greater reliability typically comes at greater financial cost. Regardless of which solution is chosen, it is important that it is approved by top management.
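To make the relationship between the BIA outputs and the Design-phase trade-off concrete, here is an added worked example (not code from this blog, from Bridewell, or from the BCI Good Practice Guidelines). It assumes a simplified model in which MTPD, RTO and RPO are expressed in hours and MBCO as a percentage of normal capacity; the activities and candidate solutions are constructed sample data. It checks each BIA record for the basic consistency rule that the RTO must fall inside the MTPD, orders activities by urgency, and then picks the cheapest candidate solution that can actually deliver the required RTO and RPO:

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class BiaRecord:
    """One in-scope activity with the BIA outputs named in the text (hours / percent)."""
    activity: str
    mtpd_hours: float      # Maximum Tolerable Period of Disruption
    rto_hours: float       # Recovery Time Objective
    rpo_hours: float       # Recovery Point Objective (acceptable data-loss window)
    mbco_percent: float    # Minimum Business Continuity Objective (% of normal capacity)


@dataclass(frozen=True)
class Solution:
    """A candidate business continuity solution and what it can actually deliver (assumed model)."""
    name: str
    achievable_rto_hours: float
    achievable_rpo_hours: float
    annual_cost: float


def validate_bia(record: BiaRecord) -> List[str]:
    """Return a list of consistency problems with a BIA record (empty if it is sound).

    Key check: the RTO must leave margin inside the MTPD. If recovery is only planned
    to complete at or after the point where the disruption becomes intolerable, the
    plan cannot protect the activity.
    """
    problems = []
    if record.rto_hours >= record.mtpd_hours:
        problems.append(
            f"{record.activity}: RTO ({record.rto_hours}h) is not shorter than "
            f"MTPD ({record.mtpd_hours}h)"
        )
    if record.rpo_hours < 0 or record.rto_hours <= 0 or record.mtpd_hours <= 0:
        problems.append(f"{record.activity}: time objectives must be positive")
    if not 0 <= record.mbco_percent <= 100:
        problems.append(f"{record.activity}: MBCO must be a percentage")
    return problems


def prioritise(records: List[BiaRecord]) -> List[BiaRecord]:
    """Order activities by urgency: shortest MTPD first, then shortest RTO."""
    return sorted(records, key=lambda r: (r.mtpd_hours, r.rto_hours))


def cheapest_adequate_solution(record: BiaRecord, candidates: List[Solution]) -> Optional[Solution]:
    """Pick the lowest-cost solution that meets both the RTO and the RPO, or None.

    This encodes the Design-phase trade-off: a shorter RTO rules out the cheap, slow
    options and forces a more reliable (and costlier) solution.
    """
    adequate = [
        s for s in candidates
        if s.achievable_rto_hours <= record.rto_hours
        and s.achievable_rpo_hours <= record.rpo_hours
    ]
    if not adequate:
        return None
    return min(adequate, key=lambda s: s.annual_cost)


# Constructed sample data (not from the article): three activities and three solutions.
RECORDS = [
    BiaRecord("Customer payments", mtpd_hours=8, rto_hours=4, rpo_hours=1, mbco_percent=80),
    BiaRecord("Payroll", mtpd_hours=120, rto_hours=72, rpo_hours=24, mbco_percent=100),
    BiaRecord("Marketing site", mtpd_hours=48, rto_hours=60, rpo_hours=24, mbco_percent=50),
]
SOLUTIONS = [
    Solution("Backup tapes restored to cold site", 72, 24, annual_cost=10_000),
    Solution("Nightly replication to warm standby", 8, 12, annual_cost=60_000),
    Solution("Active-active across two regions", 1, 0.25, annual_cost=250_000),
]


if __name__ == "__main__":
    for r in prioritise(RECORDS):
        issues = validate_bia(r)
        chosen = cheapest_adequate_solution(r, SOLUTIONS)
        print(r.activity, "->", issues or "BIA consistent", "|",
              chosen.name if chosen else "no adequate solution")
```

In the sample data the "Marketing site" record is flagged because its RTO (60h) exceeds its MTPD (48h), which is exactly the kind of inconsistency that should be sent back to the activity owner before the Design phase starts; "Customer payments" needs the costliest solution because no cheaper option can meet a 4-hour RTO and 1-hour RPO, while "Payroll" is adequately served by the cheapest.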

5. Implementation

During implementation, organisations implement the solutions agreed during the Design phase through the development of Business Continuity Plans. These plans must help the organisation achieve its agreed business continuity requirements (MTPD, RTO, etc.) within the agreed timeframes, or else its ability to recover from a disruption will be greatly reduced.

The Business Continuity Plan should:

  • Be a clear checklist of tasks that must be completed in the event of a crisis or incident occurring to achieve the RTO
  • Use clear and concise language
  • Only contain information that will support the response to and recovery from a disruption
  • Be drafted by those involved in the crisis/incident management process
  • Not be scenario specific where possible

The implementation phase also includes the development of an Incident Response Structure that defines the necessary roles, authority, and skills required to manage an incident. An organisation’s response structure should be flexible and capable of dealing with many types of disruption. 

6. Validation

Validation is used to confirm that the Programme meets the objectives set in the Policy and that the plans and procedures in place are effective. Here, exercise programmes are established to help organisations assess, practice, and improve their business continuity capabilities. 

Organisations must also establish maintenance processes to ensure that all business continuity arrangements are kept relevant and up to date. Reviews are also used to assess the suitability and effectiveness of the Programme, and may include external audits to facilitate an independent and unbiased performance review of the Programme.

By conducting these activities, the Programme can be continually improved year on year and any issues that exist can be remediated in a timely and structured manner. 

For guidance or support for your organisation’s Business Continuity Management Lifecycle, reach out to one of our cyber security experts at +44 (0)3303 110 940 or hello@bridewell.com.