
Oct 2022

10 steps to achieving business continuity

ISO 22301 defines business continuity as ‘the capability of the organisation to continue delivery of products or services at acceptable predefined levels following a disruptive incident’, and the standard provides a framework that firms can use to keep business continuity consistently in mind.

Categories: Cyber Resilience, Cyber Security Strategy


A robust business continuity capability minimises revenue loss during an outage, keeps the organisation compliant with legal, regulatory and contractual obligations while services are degraded, and reduces the impact on customers and employees.

But how can you achieve a robust business continuity system? We take a 10-step approach.

1. Define a service catalogue by listing all business services with their associated assets (e.g. IT systems, staff, intellectual property, premises) and the third parties each service depends on.

2. Identify disaster scenarios that are applicable and realistic for your organisation. One example could be ‘we have been infected with ransomware and all IT systems have been locked’.

3. Perform a business impact analysis (BIA) to understand the potential impact each applicable disaster scenario could have on your business services. This in turn allows you to rank the criticality of each service and to set the maximum acceptable outage your organisation can tolerate for it.

4. Perform a risk assessment to understand which controls are already in place and where improvement is needed, both to reduce the likelihood of each risk and to reduce its impact. For example, endpoint protection reduces the likelihood of a ransomware infection taking hold, while a mechanism that triggers incident response as soon as ransomware is detected limits the impact if it does.

5. Define your business continuity team, the people who will be assembled in the event of a disaster to respond and recover your business operations, together with their deputies.

6. Define a communications strategy covering who you will communicate with, when, and how, for both internal and external stakeholders. In many jurisdictions, organisations are obliged to report certain incidents to a regulator or national authority (for example, a personal data breach must be reported to the supervisory authority under GDPR), but it is equally important to decide how you will communicate with staff, customers and the media, and to plan for the case where your usual channels (e-mail, chat) are themselves unavailable.

7. Identify and deliver any required training and awareness, making sure team members understand their roles and responsibilities during an incident.

8. Establish documentation, such as a business continuity policy and plan, so that your organisation responds through an approved process rather than improvising under pressure.

9. Exercise the disaster scenarios to confirm that your processes and plan are adequate: walk through the disaster recovery plan as a desktop (tabletop) exercise, and also perform a full interruption test by activating your technical recovery controls and disaster recovery locations. A full interruption test is itself a controlled disruption, so schedule it, agree a rollback point, and record the recovery times you actually achieve against the maximum acceptable outage from the BIA.

10. Continuous improvement. Your organisation may decide to extend the scope to include additional services or disaster scenarios, or introduce new controls to prevent a disruption or reduce its impact should it occur. As these improvements are made, update the documented policies and processes to reflect them.
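Steps 1 to 3 above are usually done in a spreadsheet, but the logic is simple enough to make explicit. The following Python script is an added illustration, not code from the original article or from Waterstons: it holds a small service catalogue with asset dependencies, expresses each disaster scenario as the set of assets it takes away, propagates that loss through the dependency graph, and compares the estimated outage of each impacted service with the maximum acceptable outage agreed in the BIA. All service, asset, scenario, outage-limit and recovery-time values are constructed sample data.

```python
"""Toy business impact analysis (BIA) over a service catalogue.

Added illustration only: this is not code from the original article or from
Waterstons. All service, asset, scenario, outage-limit and recovery-time
values are constructed sample data for the example.
"""
from collections import deque

# Step 1: service catalogue. Each business service maps to the assets it
# depends on: IT systems, staff and third parties (constructed sample data).
SERVICE_CATALOGUE = {
    "online-ordering": {"web-portal", "payments-api", "order-db", "payment-provider"},
    "customer-support": {"helpdesk-tool", "support-staff", "order-db"},
    "payroll": {"hr-system", "bank-sftp", "finance-staff"},
}

# Technical dependencies between assets (an application needs its database,
# the payments API needs the third-party provider).
ASSET_DEPENDENCIES = {
    "web-portal": {"payments-api", "order-db"},
    "payments-api": {"order-db", "payment-provider"},
    "helpdesk-tool": {"order-db"},
}

# Step 2: disaster scenarios, expressed as the assets each one takes away.
SCENARIOS = {
    "ransomware-all-it": {"web-portal", "payments-api", "order-db", "helpdesk-tool", "hr-system"},
    "payment-provider-outage": {"payment-provider"},
    "office-inaccessible": {"support-staff", "finance-staff"},
}

# Step 3: maximum acceptable outage per service (hours), agreed with the
# service owners during the BIA.
MAX_ACCEPTABLE_OUTAGE_H = {"online-ordering": 4, "customer-support": 24, "payroll": 72}

# Estimated time to recover each asset (hours), taken from the recovery plan
# or, for third parties, from the contracted SLA.
RECOVERY_TIME_H = {
    "web-portal": 2, "payments-api": 3, "order-db": 8, "helpdesk-tool": 4,
    "hr-system": 6, "bank-sftp": 24, "payment-provider": 24,
    "support-staff": 12, "finance-staff": 12,
}


def affected_assets(unavailable):
    """Propagate the loss of `unavailable` to everything that depends on it."""
    dependents = {}
    for asset, needs in ASSET_DEPENDENCIES.items():
        for need in needs:
            dependents.setdefault(need, set()).add(asset)
    lost = set(unavailable)
    queue = deque(unavailable)
    while queue:  # breadth-first walk over the reversed dependency edges
        asset = queue.popleft()
        for dependent in dependents.get(asset, ()):
            if dependent not in lost:
                lost.add(dependent)
                queue.append(dependent)
    return lost


def impacted_services(scenario):
    """Services that lose at least one asset under the scenario."""
    lost = affected_assets(SCENARIOS[scenario])
    return {svc for svc, assets in SERVICE_CATALOGUE.items() if assets & lost}


def estimated_outage_h(scenario, service):
    """Worst case: the service is down until its slowest lost asset is back.
    Assumes recovery work on different assets proceeds in parallel."""
    lost = affected_assets(SCENARIOS[scenario]) & SERVICE_CATALOGUE[service]
    return max((RECOVERY_TIME_H[a] for a in lost), default=0)


def bia_report(scenario):
    """{service: (estimated outage, max acceptable outage, limit breached)}."""
    report = {}
    for svc in sorted(impacted_services(scenario)):
        est, limit = estimated_outage_h(scenario, svc), MAX_ACCEPTABLE_OUTAGE_H[svc]
        report[svc] = (est, limit, est > limit)
    return report


def crown_jewels(n=2):
    """The n services with the least tolerance for outage: a sensible first scope."""
    return sorted(MAX_ACCEPTABLE_OUTAGE_H, key=MAX_ACCEPTABLE_OUTAGE_H.get)[:n]


if __name__ == "__main__":
    for name in SCENARIOS:
        print(name)
        for svc, (est, limit, breached) in bia_report(name).items():
            flag = "EXCEEDS LIMIT" if breached else "ok"
            print(f"  {svc:17s} est {est:>2}h / max {limit:>2}h  {flag}")
    print("crown jewels:", crown_jewels())
```

Two things the walk-through shows that a flat list of services does not: the third-party payment provider is never listed as an "IT system", yet its outage takes online ordering down for far longer than the 4-hour limit, and the ransomware scenario breaches the same limit because the database, not the web portal, is the slowest asset to restore. Both are the kind of finding that feeds step 4 (add a control or a faster recovery path) and step 10 (revise the plan).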

Fig 3 – 10 Steps to Business Continuity

Manageable scope and continuous improvement

Establishing a business continuity management system can be daunting, especially if your department offers a number of both internal and client-facing services, and the steps above may look time and resource consuming. How much effort they take depends entirely on the scope, and it is up to you how big or small you make it.

For example, a smaller scope could focus on the most likely disruption scenarios and the top two critical services (the crown jewels). Then, through continuous improvement, additional services and scenarios can be incorporated over time to extend the management system.


Organisations that want to demonstrate how effective their capability is can become certified under ISO 22301, which specifies the requirements for a business continuity management system to protect against disruptive incidents, reduce the likelihood of their occurrence, and ensure the business recovers from them.

The overarching benefit of achieving ISO 22301 certification is that your organisation can show key stakeholders that an independent third party has validated and verified its compliance, giving them assurance that the management system is effective.

Waterstons can support your organisation in delivering a best practice framework that aligns with ISO 22301, including the documentation, policies and procedures that are mandatory for certification. We can also support your organisation in achieving and maintaining certification through management reviews, risk management and our internal audit function.

To find out more, visit or drop a line to  
