Fundamental Components of a Business Continuity Plan
Having the right plans and procedures in place for dealing with crises is only half the battle. The fundamental components of a business continuity plan must include workspace recovery, cyber resilience, change management, and several other elements. Additionally, sharing a business continuity plan with the essential personnel and educating them on how to handle disasters is another vital component. Why? Because even if you have an emergency response plan in place, if your teams are unfamiliar with it, they will be at a loss for what to do when a crisis occurs.
A textbook definition of a disaster is any situation that threatens the integrity or reputation of a firm or business, usually brought on by adverse or negative media attention. However, let's not forget what natural disasters can bring upon a business.
The past couple of years proved to be the most disastrous in terms of hurricanes, wildfires, civil unrest, and cyberattacks.
When simultaneous business continuity risks have become the new norm, it's vital for any organization to have such a plan that can help avoid downtime. That's why we've seen an increased demand for a comprehensive business continuity plan for any disaster,
Among the most common reasons for developing a plan that covers various scenarios are:
- Compliance issues (Client audits and RFP’s)
- Regulatory Requirements (Government or ISO certification)
- New hardware or operating systems and applications that are now in the “Cloud”
- Facility and/or personnel changes/moves/ relocation
- Changes in voice/data networks
- Changes in critical third-party vendor/suppliers
- Pandemic Planning
Even though planning for adverse risks and various threats may need more than one plan, considering the nuances of each potential interruption, there are several essential components of a business continuity plan.
Fundamental Components of a Business Continuity Plan
Planning, testing, and recovery of these vital components are key to building a resilient organization.
- Workspace Recovery
- Cyber Resilience
- Data Backup, Replication, and Recovery
- Personnel
- Third-Party Service Providers
- Telecommunications
- Power
- Change Management
- Communication and Notifications
Workspace Recovery
- Identify backup sites for employees and alternatives for core operations, facilities, and infrastructure.
- A backup site should mirror operational functionality of primary site.
- In the case of disruptions, there should be designated alternative sites for employees (this includes key personnel) in the resumption of business operations.
Cyber Resilience
Maintaining operations despite ever-changing risks.
- ID and mitigate cyber threats to data and operational infrastructure.
- Develop incident response procedures for cyberattacks with flexible enough measures to adapt to a diverse range of events.
Data Backup, Replication and Recovery
- Maintain data confidentiality, integrity, and availability for all data.
- Accessible, off-site repository of software, configuration settings, and related documentation.
- SOPs to recover critical networks and systems.
- Data replication (also referred to as data synchronization or mirroring) is the process of copying data, to maintain identical data sets in redundant locations.
- Do backup and recovery strategies match current technology and threats?
- Documentation of where primary books and records, backup files (hard copy and electronic) are kept or located. Include a detailed description of the data backup and recovery process during major business disruptions.
Personnel
- Resilience is dependent upon personnel availability to maintain critical business processes. Know that key personnel could be unavailable or distracted during such events as natural disasters, severe weather events, or pandemics.
- Management should plan for events during which personnel may not be able to access facilities and critical personnel may not be available immediately after the disruption.
- Considerations:
- Staffing and skills needed to operate critical functions related to business continuity.
- Employee Training: Any organization should provide business continuity training for personnel to ensure that everyone is aware of their primary and back-up responsibilities should a disaster occur.
- Involve key employees in the business continuity development process as well as regular tests and training exercises, including your service providers and partners beyond your own employees.
Third Party Service Providers and Managed Security Service Providers
- Many entities depend on third-party service providers to perform or support critical operations. A disruption in the delivery of those services can have a direct impact on entities’ resilience. A critical failure at a widely used third-party service provider could have large-scale consequences. Management should assess critical third-party service providers’ susceptibility to multiple event scenarios and verify such third parties’ resilience capabilities.
- Management should consider the same risks outlined in their entity’s own internal BCP(s) in relation to third-party service providers, as well as:
- The capacity of third-party service provider to meet client recovery objectives in the agreements, relative to other clients’ needs.
- Ability to participate in recovery testing with third-party service providers and access to testing results.
- Ability to move outsourced processes either in-house or to another third-party service provider.
- Alternative resource options (e.g., personnel and systems) for when primary services cannot be delivered.
- Data confidentiality, integrity, and availability (e.g., transportability and interoperability).
- Financial capacity to continue meeting contractual obligations.
- Services concentrated in a limited number of third-party service providers.
Telecommunications
- BCP should ensure appropriate redundancy levels in the entity’s telecommunications infrastructure.
- Identify and mitigate single points of failure across infrastructure.
- Develop plan to address an outage in the telecom lines.
- Establish redundant telecommunications links.
Power
- The financial industry is dependent on power to run its technology infrastructure and to supply basic necessities to personnel and customers.
- As part of its short-term and long-term plans, management should consider the following:
- Alternate energy sources (e.g., generators, multiple power grids).
- Fuel requirements, both for fuel on-hand and contracts with suppliers for deliveries during events, and any potential impediments to obtaining fuel.
- The load capacity of generators (e.g., length of time, useful life, level of power supplied).
- Continued maintenance of generators.
- Testing of generators.
Change Management
- As changes are made to production systems and business processes during the normal course of business, recovery systems and documentation at alternate locations should similarly be updated to reflect production and primary system changes.
- The change management process should allow for the expedient implementation of emergency changes during an event, such as changing an access control list to provide rapid access for troubleshooting and analysis.
Communications
- Consider, plan for, and prepare multiple mechanisms to communicate with others. For example, when traditional voice communications and telecommunications are impaired or inoperable, management may consider alternative communications systems such as text messaging through employer-provided and personal mobile phones, personal email, and instant messaging.
- Communication with customers and employees :
- These encompass the provisions to be made to ensure an interrupted connection among everyone involved.
- Communications with regulators :
- This covers how a bank can communicate with FINRA during a significant disruption, and identifies designated business continuity plan contacts with FINRA who will assist in the communication.
Notification Standards
- Formal notification standards should be developed and integrated into the business continuity planning process. Various communication methods, such as pagers, satellite phones, cell phones, e-mail, or two-way radios, can be used to promptly notify employees and applicable third parties of a disaster situation. Comprehensive notification standards should address the maintenance and distribution of contact lists that include primary phone numbers, emergency phone numbers, e-mail addresses, and physical addresses of institution personnel, vendors, emergency services, transportation companies, and regulatory agencies.
It’s important to remember that the question is not if, it is when the unexpected is going to come your way. For the sake of business’s longevity, invest in devising your own disaster preparedness plan.