How to Develop a Robust Business Continuity Plan

Phillip Knight
|
Senior Consultant at URM
|
PUBLISHED on
5 Apr
2024

It is almost inevitable that any organisation will, at some point, face incidents and events that will disrupt and hinder operations.  Natural disasters, technological failures, and straightforward human error are all events that almost every organisation will run into eventually. However, the level of disruption created by these incidents can be mitigated, and the key to managing this is with thorough preparation and foresight in the form of a business continuity plan (BCP).

In order to develop a BCP that is robust and practical, there are a number of key steps you need to take.  By taking these steps, you can have greater assurance that your BCP will be fit for purpose and will deliver when you need to call on it to recover from a business continuity (BC) incident.

In this blog, we will outline these critical steps, drawing both on best practice international standards such as ISO 22301 as well as URM’s two decades of consultancy experience assisting organisations to develop, implement and maintain robust BCPs.  We will be addressing four questions:

What preparation do you need to do?

Before establishing the BCP itself it is important to take the following preparatory steps, as the knowledge and understanding they provide will enhance the robustness of your plan.

Steps ahead of developing your BCP

Business impact analysis (BIA)

It is during the BIA that you look to identify and prioritise the critical business activities and processes which are required to deliver your key products and services, and determine the impact to the business should they be disrupted over various time frames, allowing you to establish at what point the disruption becomes unacceptable to your organisation. This assists you in setting the recovery time objective (RTO), i.e., the time within which the disrupted process must be recovered and operational, albeit at a potentially reduced level of productivity.  

An integral part of this is identifying those services and facilities required to support the critical processes and on which the processes are dependent so they can operate in a recovery situation.  This would include both upstream and downstream dependencies, as well as any required resources, such as: IT, systems, applications, data, records or documents, staffing, office facilities, etc.

During the BIA, you will also determine the information and data requirements, allowing you to establish to what extent the processes can sustain any data loss, which is known as the recovery point objective (RPO).  This aspect assists you in ensuring that data and information sources are suitably backed up and available to meet the RPOs of the various critical processes in a recovery situation.  Here, you will need to closely liaise with the IT service providers, whether in-house or external, to ensure that the IT backup and recovery capabilities meet the RTO and RPO requirements of your organisation’s critical business processes.  For a more comprehensive breakdown of the best practice approach to BIAs, read our blog on Conducting a Business Impact Analysis (BIA) as Part of Your Organisation’s Business Continuity (BC) Planning.

Comprehensive risk assessment

In conjunction with your BIA, you will need to conduct a risk assessment to identify and assess potential threats to your critical business activities and processes.  In order to conduct a risk assessment, you will need to have an established risk assessment and management methodology that is repeatable and able to deliver consistent results.  Guidance on the requirements for establishing a risk management method can be found in the ISO 31000 Risk management guidelines document, with additional information provided in the document ISO 31010:2019 Risk assessment techniques.

Here, you will take into consideration the threats that are relevant to your organisation and may prevent your organisation from being able to deliver your services and/or products, such as:

  • Natural disasters (e.g., adverse weather such as floods and storm damage)
  • Cyber attacks
  • Equipment failure, this includes IT, environmental, production type equipment
  • Supply chain failures or disruptions
  • Political events, whether local, national or international
  • Economic climate changes
  • Technology changes
  • Human error
  • Etc.

Once these threats have been identified, it is then possible to assess the impact to your organisation should the threat manifest and determine the likelihood of the threat occurring.  Using the risk assessment metrics, you can determine the ‘level of risk’ to your organisation.  The risks to your organisation should then be prioritised, which would typically be done on a high to low basis.  Following this, you should identify what actions should be taken to reduce or mitigate the risk levels.

Recovery strategies

In order to meet the recovery requirements of the critical business processes in terms of resources, services and facilities, including the RTO and RPO requirements, you should identify the response and recovery strategies that will meet these requirements.  This should include a review of the various disruption scenarios, and the identification of appropriate incident response mechanisms, depending on the scenario. Once these strategies have been identified, you should also consider the strategies that will meet the data and workforce recovery requirements as identified in the BIA.

This could include aspects such as redundancy, dynamic failover, mirroring and cloud-based solutions.  It also allows you to identify any dependencies on individual members of staff who, if not available, could severely impact the recovery capability of your organisation.

Once the BIA, risk assessment and recovery strategy activities have been concluded, you now have all the foundation components in place upon which to build a robust and effective BCP.  Without a comprehensive understanding of the business impact, identified risks, and strategic approach, your BCP could well lack focus, be inefficient, and most importantly fail to align with your organisation's objectives and priorities.

What are the essential ingredients of your BCP?

Once you have conducted your BIA and risk assessment, and identified the most appropriate recovery strategies, you will be in a position to start developing your BCP.  The following sub-sections cover the key aspects that need to be incorporated into your plan.

Elements of BCP

Clear objectives and Scope

It is essential that you set clearly defined goals for your BCP, outlining what the plan aims to achieve in times of disruption.  There should be a clear delineation on what areas of your organisation your plan covers and the specific scenarios it addresses.

Roles and responsibilities

As with any plan, it is essential that you clearly identify, define and document the various roles and associated responsibilities.  This is necessary to ensure that in the event of a disruption, the individuals and teams understand what their specific tasks and responsibilities are.

An essential part of this aspect is to identify, where appropriate, deputies for the primary roles.  This is to ensure that, should the primary incumbent be unavailable for whatever reason, the deputy is well-placed to take over their role and associated responsibilities.  

Recovery resource requirements

Identifying the necessary resources required for recovery and operating in recovery mode would normally be established during the BIA stage of establishing a BCP.  However, you can carry this out as a separate activity.  Again, it is essential that the resource requirements are identified and validated by the business process owner.  This is necessary to ensure that the resources are adequate to meet the recovery and operational requirements post disruption.

Recovery teams and tasks

To ensure that you are able to recover the prioritised critical business process and activities, it is important to identify the various teams that will be required to carry out the necessary recovery tasks.

It is normal practice for organisations to identify multiple teams that will manage and carry out the recovery tasks.  The key components to manage this aspect are:

  • Recovery team members (including their role)
  • Tasks that each recovery team need to carry out in order to recover the specific business process or activity
  • Any supporting service/facilities or dependencies on which the recovery is dependent
  • Any supporting documentation or information required during the recovery.  This could include information such as router and firewall configurations, application or system parameters, IP address changes necessary.

Alternative locations

Where appropriate, it may be necessary to identify and establish alternate working locations.  In a post-Covid landscape, most employees can work from home.  However, in a production environment, this may not be possible, and consideration is required to determine how this will be addressed.  

With a significant number of organisations utilising cloud services, it is essential that as part of the delivery of these cloud services, the resilience and recovery aspects are addressed.  You may explore regional availability zones and regional geographic resilience, for example, to ensure that your IT services can continue to be available and deliver the required services despite a disruption to the primary facility.  You can validate and exercise this to ensure that the failover of the critical IT services meets both the RTO and RPO recovery requirements of the business.

SPECIAL OFFER
Prepare Your Data Centre for Cyber Incidents with URM’s NCSC-Approved Exercises
Prepare Your Data Centre for Cyber Incidents with URM’s NCSC-Approved Exercises
Contact us before
31/12/2024
SPECIAL OFFER

What are the key supporting processes?

Communications process and plan

An essential part of responding to a disruption is ensuring that a comprehensive communications plan is in place.  The communications plan should provide the process for communicating with the various affected parties, such as stakeholders, customers, employees, and the media.  It should provide guidance on:

  • What will be communicated
  • Who will communicate
  • The mechanisms to be used for communicating
  • Who will authorise or approve the communication.

You should consider creating briefing packs to provide to the media in the immediate aftermath of a disruption with material that can be used in their reports, limiting the possibility of fabricated ‘news’.

Incident management or response plans

Incident management plans (IMPs)* and BCPs are closely related and often get confused, but they do serve different purposes.  When an incident occurs, the IMP dictates the initial steps to address the immediate impact and contain the situation.  The BCP then comes into play by ensuring the continuation or quick recovery of your critical business functions to minimise disruption and maintain operations. When managing a disruption to normal business operations, having an established IMP and incident management team is vital; the IMP enables relevant team members to assess the severity of the incident, its impact on your organisation, and determine (according to pre-established criteria) whether the BCP(s) need to be activated.

*IMPs can be standalone documents or be an integral part of the BCP.

How do you ensure the ongoing robustness of your BCP?

Testing and exercises

To establish whether the developed BCP is adequate and comprehensive enough to recover your critical business processes, you should conduct exercises and tests to identify possible gaps in the plan.  These can also help familiarise participants with their roles and responsibilities in a recovery, and during post-disruption operations.  

Exercises need to be carried out across all members of all recovery teams in a manner that does not disrupt normal business operations, but also provides all plan members with the opportunity to operate at their primary designated role, and in any established secondary role that may have been identified.

During these activities, it is possible to identify where individuals may have been overallocated to teams and tasks in the recovery phase following a disruption.  It is essential that where reliance is placed on certain individuals to perform recovery tasks that consideration is given not just to their workload, but also to the timescales for recovery.  We have identified many instances where, in line with the BCP, some individuals have been tasked with recovering certain processes.  When examined and exercised, this results in the individual working for an extended period on recovery tasks with no relief or break.  These situations can result in burnout and are counterproductive.  Here, you can identify and address the need for training, skills transfer or additional resources.

Communications plans and IMPs will need to feature in your exercise programme, with IMPs requiring exercise to ensure suitability and completeness.  Typically, this involves exercising the response to various scenarios, such as loss of IT services, adverse weather, strike action, protest/civil action, loss of access to the facility, etc.  Meanwhile, communications plans would typically be exercised as part of a wider BCP or IMP exercise.

When examining and implementing alternative locations as part of your recovery strategy, these locations should be included in any testing and exercises.  This will establish whether there are any aspects that could compromise or hinder the recovery process, such as the lack of:

  • Access out of normal office hours
  • Activation authorisation/notification requirements
  • Access to backups (where relevant).

Training and awareness

As with any plan and procedure, it is vital that the people who are tasked with carrying out these activities are trained and made aware of their role and responsibilities.  

You should conduct awareness activities at regular or planned intervals and the content should be adapted to the audience.  For example, awareness programmes for senior management will have some common aspects, however there would be differences when compared to the programme being delivered to general employees.  

In terms of training, exercises are considered a key source for identifying areas where additional training is required.

Other Considerations and Final Thoughts

Depending on the nature of your organisation and its operations in terms of service and/or product delivery, there may be other considerations required.  Some of these include:

  • Regulatory compliance in a recovery situation and operation; this would include sectors such as health care, pharmaceuticals, transport, aviation and finance
  • Managing and working with suppliers to ensure alignment of BCPs among all parties, ensuring that key or single point suppliers have robust BCPs themselves
  • Continuous review and improvement of BCPs
  • Regular reporting to senior management and stakeholders to ensure that they are fully aware of any changes to strategy, risks and current status of BCP preparedness.

While the processes of preparing, developing and exercising BCPs may seem laborious and time-consuming, they are an invaluable lifeline in the event of a disruptive incident. Ultimately, the resources expended in the development of BCPs pale in comparison to the resources saved by a swift return to being fully operational.  By investing the necessary time and resources into BC planning, your organisation can set itself up for quick recovery from disruption when unavoidable BC incidents occur.

SPECIAL OFFER
Prepare Your Data Centre for Cyber Incidents with URM’s NCSC-Approved Exercises
Prepare Your Data Centre for Cyber Incidents with URM’s NCSC-Approved Exercises
Contact us before
31/12/2024
SPECIAL OFFER

SPECIAL OFFER
Prepare Your Data Centre for Cyber Incidents with URM’s NCSC-Approved Exercises
Prepare Your Data Centre for Cyber Incidents with URM’s NCSC-Approved Exercises
Contact us before
31/12/2024
SPECIAL OFFER

How URM Can Help

Our team of business continuity consultants can draw upon their extensive BC knowledge and experience to assist your organisation throughout the entire BCP development process.  From supporting you in the earliest stages to conduct a BIA and risk assessment, through to working with you to develop effective and bespoke incident management plans and BCPs, URM can guide your organisation to improve its BC capabilities and resilience against BC incidents.  Our approach is heavily aligned with the internationally recognised best practice defined in ISO 22301 and we have achieved certification against the Standard.  As such, we can also support your organisation to achieve ISO 22301 certification if this is your goal, or, if not, support you to enhance your BC capabilities with the assurance that any advice you receive from us is reliable and appropriate.

URM’s business continuity services also extend beyond the BCP and IMP development process; once you have developed and implemented your IMPs and BCPs, we can devise and facilitate exercises to help you validate their effectiveness and identify opportunities to improve them.  Following your Team’s completion of the exercise, we will produce a detailed report highlighting both what went well and those areas which may require further attention, providing you with the opportunity to enhance the efficacy of your plans without the risks associated with a genuine incident.  As an Assured Service Provider under the National Cyber Security Centre (NCSC) and IASME Cyber Incident Exercising scheme, URM is also able to create and facilitate table top and live play cyber incident exercises to help your organisation improve its response capabilities to cyber attacks.

Phillip Knight
Senior Consultant at URM
With over 25 years IT experience, Phillip Knight is a highly passionate and proficient governance, risk and compliance (GRC) practitioner specialising in business continuity (BC), and information security (IS). Holding the Practitioner Certificate in Business Continuity Management (PCBCM), Phillip is a Senior Consultant at URM.
Read more

Book FREE Consultation

URM is pleased to provide a FREE 30 minute consultation on business continuity for any UK-based organisation.
Thumbnail of the Blog Illustration
Business Continuity
Published on
27/4/2023
10 Ways COVID Has Impacted Business Continuity

In this blog, we are discussing the top 10 ways in which URM believes COVID-19 has impacted, influenced or affected business continuity (BC).

Read more
Thumbnail of the Blog Illustration
Business Continuity
Published on
5/4/2024
How to Develop a Robust Business Continuity Plan

URM’s blog discusses the key steps to take in order to develop robust and effective business continuity plans which will enable you to recover from disruption.

Read more
Thumbnail of the Blog Illustration
Business Continuity
Published on
22/2/2024
The Digital Operations Resilience Act (DORA)

URM’s blog discusses the EU’s Digital Operation’s Resilience Act (DORA), explaining who it will apply to, its requirements, how it will be enforced, and more.

Read more
Having never gone through the Cyber Essentials Plus process on behalf of a client I was very impressed with how the process went on testing day and I cant wait to take other clients through the process with URM.
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.