The continuous operations of an organization is an important procedure which comes to support the contingency planning, response and recovery from an incident which affects the proper flow of operations. In other words, business continuity reflects the alternative way that the organization will use to keep its key business activities on-going after an adverse event, such as a cyber attack.
Inevitably, disasters reduce the quality, quantity and availability of resources for an enterprise. The extent of the reduction is proportional to the direct and indirect impact of the crisis on the enterprise and its suppliers, customers and clients along the same value chain. Without a certain level of assets, business operations cannot run, thus interrupting or suspending the firm’s capacity to deliver goods and services.
The business continuity comes to bridge the gap that the normal flow of operations may face, until other processes (Emergency Response, Contingency Plan, Crisis Management, Recovery Plan) put things back on line again.
As best practice, there are some basic stages and steps that each organization should implement in order to achieve a minimum acceptable level of experience and capability to keep normal operations on a flow despite any adverse incidents.
Business continuity has to do with the preparation of actions to face the “unexpected”. The more “what if..?” an organisation arises, the better it will be prepared to face adversities in normal operations flow.
Steps towards Business Continuity
Step 1: Identify and determine which parts of an organization’s operations are critical and should be maintained (at a reduced scale if necessary) even after the incident.
Step 2: Inventory of operations, assets and inputs that must be immediate restored (or secured) in order to support operations. Material, systems, human and financial resources may be included along with internal or external third parties sources. Alternatives should be established to support process.
Step 3: Time-critical operations identification, i.e. those operations that can be done for a shorter period of time with respect to others. Beyond that time, which is called “tolerated downtime period”, they have to be resumed; alternatively, costs would be unaffordable.
Step 4: Having assessed what resources an organisation will need to keep certain businesses functions ongoing, it is essential to anticipate how a disaster can impact on the availability and access to essential assets and on the ability to perform critical operations. This is about getting an understanding of the variety of risks that exist in the Company’s business environment. Different types of incidents create different response requirements. Risk and hazard identification in the field of operations should be analyzed in detail along with their potential impact.
Step 5: Once risks are identified, possible scenarios should be set in order to address each potential threat. The scenarios should take into account the uncertainties that the organisation detected in previous step and present realistic, plausible combinations of the same. The scenarios are simplification of possible realities, and provide ways of actions during each situation.
Step 6: All possible scenarios are included in the plan. The plan needs to be tested by simulating the scenarios, and then it shall be adjusted in accordance with the findings of the pilot test; the purpose of testing the plan is to avoid (or at least minimize) surprises during the crisis phase, and to introduce improvements.
Step 7: After the plan is designed, it must be communicated to stakeholders. Communication must be fluid both prior adverse incidence to ensure everybody knows their roles and gets familiar with the crisis response process. Also, it has to function properly during the emergency, to ensure that the response is well coordinated. Finally, once the emergency is over, communication serves to accompany the stakeholders towards the return to usual activities and previous organization of the work.
Step 8: Training follows communication and targets those who, within the organisation, have a precise role to play in the implementation of the business continuity plan. Training needs to be well targeted and tailored to the concerned functions. Employees of each level need to know to respond to each scenario’s requirements in accordance with the provided access and authority level within the organizational structure.
Step 9: When an incident occurs, it should be determined which scenarios of those already prepared and tested is suitable for actions. Probably, the organisation will need to make adjustments on the way, as the process unfolds and as the situation or reality may be different from the basics assumptions of scenario.
Post Incident Stage
Step 10: When the plan implementation is over, lessons identified through the process should be analyzed and incorporated into the plan. This step is very important and should not be forgotten, due to the tendency to rapidly turn the page. Nevertheless, the time spent in gathering lessons learnt and in adjusting the plans and scenarios is an investment that will pay off in the next crisis.