Business continuity planning for times of crisis

March 2024  |  SPOTLIGHT | RISK MANAGEMENT

Financier Worldwide Magazine

March 2024 Issue


How is a company to respond if a cyber attack encrypts important data on its servers? If a data centre burns down? Or a power failure prevents employees from working from the office? To remain capable of doing business in the event of unforeseen incidents, companies must take various measures as part of business continuity.

Priorities, responsibilities and actions are defined, and plans are made to ensure normal operations can be resumed after an incident. This article explains the fundamentals of business continuity, and what steps organisations in Germany should take to protect their business from disaster.

What is business continuity?

Fundamentally, business continuity is designed to ensure that operations can continue when inevitable impacts occur, just as departments ensure that staffing levels are sufficient to continue functioning during staff holiday or illness. In addition to the loss of personnel, interruptions to systems, machines, processes and applications are considered. Organisations define what elements are necessary to business operations, and the importance of each individual aspect.

At this point, business continuity management (BCM) overlaps with IT risk management in the analysis of risks. One difference is that IT risk management tries to avoid and minimise potential damage, whereas BCM is focused on managing the event. Business continuity may leverage IT risk management outcomes, but both disciplines are essential for business operations.

Business continuity also includes developing a detailed business continuity plan (BCP), which defines roles, responsibilities and steps to take in the event of an unforeseen incident.

Who is responsible for business continuity?

The business continuity manager is responsible for establishing and maintaining BCM. Setting up a BCM programme, with a dedicated leader, usually takes between one and two years. During this time, stakeholders from across the business come together to analyse business processes, consider the impacts that a range of events may have upon them and bolster the BCP with further contingency plans.

Once an organisation has established a BCP, the business continuity manager oversees it and ensures it is updated regularly. This person regularly carries out business continuity tests, exchanges information with risk management professionals and brings the topic onto the agenda in regular meetings with IT.

Protection from a range of crises

The BCP takes effect when a crisis begins. Crises cover various scenarios that may be divided into the following categories:

(i) hardware failure;
(ii) failure of IT processes, for example due to responsible persons leaving without a successor, change controls failing and resulting in outdated processes, or systems being neglected due to other priorities;
(iii) failure of a network, for example due to configuration errors on equipment, physical damage or the action of an external or internal attacker;
(iv) failure of personnel (such as employees, partners and service providers);
(v) software failure, for example following an operating system update, or due to capacity constraints or expired licences;
(vi) a cyber attack (including infection with malware, theft of data or denial of service);
(vii) building failure (such as an office, data centre, warehouse or production facility);
(viii) natural disasters (such as earthquakes, floods or storms);
(ix) power outage (caused by the power supplier or provider, or nationwide line damage, for example); and
(x) third-party failure (such as an outage at an important vendor, partner or key stakeholder, resulting in business impact).

Simple solutions can mitigate significant threats. For example, business continuity and risk management officers may ensure that two different electricity providers supply important buildings via diverse routes, or that an emergency generator is available in the event of a power outage. They may also ensure that redundant data centres are widespread, so that a natural disaster would only impact one such centre. Likewise, business continuity professionals may work with IT to ensure that obsolete system hardware is gradually replaced and brought up to date.

The business continuity manager should be aware of all possible crises and risks, and have a plan for how to react to each scenario.

Implementing business continuity

Often, medium-sized companies do not have an overview of all IT systems and assets. When business continuity is established, opportunities can be identified to make the system landscape more homogeneous. This simplifies system maintenance, protection against cyber attacks and operation in the event of a crisis.

BCM also gives organisations an opportunity to minimise the financial consequences of a crisis. In fact, this is one of the primary reasons for establishing a BCP. Essential business processes can continue to run during unforeseen events, and supply and production chains can proceed uninterrupted.

Furthermore, BCM provides peace of mind. Failures can lead to confusion, chaos and panic, but it is important to act rationally in a crisis. The BCP provides the framework for this strategy.

Business continuity is part of any successful, healthy business, and employees need to be trained and prepared for crisis scenarios. The BCP can be advertised to partners and customers to promote confidence in the company externally and internally.

Stakeholders will need to meet regularly to analyse, plan and test functions and processes. The process starts with appointing a business continuity manager, either as an employee or via an external expert.

True business continuity planning and implementation occurs across a number of overlapping, repetitive phases, as outlined below.

Analysis. Businesses must prioritise which operations will be supported by business continuity. This requires assessing business functions and identifying the most important operations. With the help of a business impact analysis (BIA) and input from risk management, the consequences of an interruption can be defined for each of them.

Design. A team of leaders and stakeholders should be formed to create and design appropriate resilience solutions to address the potential impacts that may affect the most important operations identified during the BIA. Planning should also include identifying options and protocols, for example for switching to remote work, restoring systems from backups and hiring temporary staff.

Implementation. Once designed and defined, the management team needs to make sure the principles and requirements, and associated solutions defined within the preceding phases, are implemented in a manner that suits the organisation’s specific and unique profile. This will involve not only resilience planning, but also implementing a crisis response structure that will serve to respond to any in-scope incidents impacting the organisation.

Validation. Once the BCP is in place, it must be tested. Staff should be trained on their roles and run through different scenarios. The company should identify problems and improve the BCP with practical input. Findings can also be passed on to risk management.

All of these phases must operate under a proper governance structure, ensuring that the business continuity policy and programme define and oversee the business continuity approach, applying the appropriate controls and supervision during the lifecycle of the programme. Once the programme is operational, appropriate training and awareness is another critical phase that must not be overlooked.

Companies often define measures only once, and then the plan disappears into a file. However, the purpose of a BCP is different. It is a document that grows and changes over time and is subject to ongoing review cycles. Regular tests give employees confidence and strengthen the company’s foundation. Only by continually observing a proper business continuity lifecycle can an organisation respond appropriately to the dynamic, changing risks affecting it.

Outlook

An increasing number of companies are attaching importance to business continuity, and they expect the same from their service providers and partners. The pandemic showed that business interruption can lead to losses that threaten a company’s existence. It is therefore essential to keep important business processes running and have the ability to restore them in response to unforeseen events.

Companies are also increasingly expected to establish business continuity. Whereas previously, business continuity was often seen as a ‘nice to have’, it is now essential, even for medium-sized companies. Investors and business partners demand transparency about how companies are positioned to continue operations in the event of a crisis.

Business continuity provides security

Business continuity provides concrete measures for who has to do what in the event of a failure, and how to do it. It provides an overview of IT systems and business processes and works hand in hand with risk management. A business continuity manager initiates the measures and coordinates other responsible parties. The core is the BCP, which should go through analysis, planning and testing on a regular basis. Business continuity begins with an overview and ends with the ability to react to crises and changes in an agile manner, helping to secure the company’s position.


Renato Fazzone and David Dunn are senior managing directors at FTI Consulting. Mr Fazzone can be contacted on +49 211 30297955 or by email: renato.fazzone@fticonsulting.com. Mr Dunn can be contacted on +44 (0)78 1625 1410 or by email: david.dunn@fticonsulting.com.

© Financier Worldwide

