Business Continuity Plan: everything you need to know
The BCP is a strategic tool for companies, allowing them peace of mind when faced with a crisis, safe in the knowledge that they will emerge more resilient. Furthermore, it is an essential way of facing a crisis situation while preserving business continuity, as was required during the COVID-19 pandemic.
There are, of course, official definitions for a BCP and also international standards.
BCP: definition of business continuity management
The Business Continuity Institute (BCI) defines business continuity as "the capability of an organization to continue the delivery of products or services at pre-defined acceptable levels following a disruptive incident”.
In this context, business continuity management provides a framework for ensuring your company’s resilience, thereby maintaining its reputation and the interests of its stakeholders.
The BCP in British and international standards
From 1995 to 2006, the British Standards Institution regulated business continuity planning by issuing a series of standards, many of which have now been withdrawn. The United Kingdom currently follows ISO 22301 and 22313.
The objective of a BCP is to organise the continuity of activities in the event of a disaster that disrupts a company’s normal operations, such as a cyberattack. It aims to help the company to operate within the framework of its legal obligations despite the crisis, and is designed to maintain a company’s commercial and financial objectives. BCPs are considered to be an important lever of risk management in business.
The BCP covers all kinds of crises. These might be internal – such as a digital security breach, a computer failure, or even a fire rampaging through the office – or external, in the case of an epidemic, a social movement, or a financial crisis. What’s more, having a Business Continuity Plan is a legal obligation in certain sectors, such as finance, banking, and health.
The international standard ISO 22301 of 2019 specifies the Business Continuity Management System (BCMS) that a company must install to be protected from crises. In particular, it details the measures to be followed by sectors for which the BCP is a matter of legal compliance.
How is the BCP different from the DRP?
These two types of “plans” both aim to ensure a company’s security despite the crisis situation it is tackling. The BCP summarises what the company must do to keep it functioning through a disaster, while the Disaster Recovery Plan (DRP) specifies ways to best resume activity after a disaster.
In the example of a cyberattack, the BCP explains how to ensure that computer systems remain operational, allowing essential applications to remain usable and guaranteeing the protection of confidential data. Additionally, it provides mechanisms for employees and potential customers to continue using the computer systems.
The DRP provides a guide of what to do if the computer system, unfortunately, turns out to be unusable after a cyberattack. For example, it can walk you through a step-by-step process of making your website accessible again in the event of a Distributed Denial of Service (DDoS) attack. It can also give instructions for booting a backup system.
When do you need to implement a Business Continuity Plan?
The BCP is required for all companies where business continuity is at risk. It is especially necessary if this shutdown threatens the financial credibility of the company or its reputation.
When a digital security breach happens, it is essential to reassure investors about your teams’ professionalism, and carrying out the procedures provided for by the BCP in the event of a serious crisis helps to gain credibility among stakeholders. BCP procedures also secure the confidentiality of your users’ and customers’ data, as well as their ability to pursue their online activities.
Why do you need to set up a Business Continuity Plan? Perks and pitfalls
The main advantage of BCPs resides in preventing and anticipating the operational risks of a company. It is part of the risk management related to digital security breaches and involves bringing together the right actors to carry out the processes that ensure business continuity.
Perks of the Business Continuity Plan
The BCP combines several advantages:
- anticipating and preventing a company’s internal and external risks;
- establishing recovery strategies for a rapid and effective reaction to a crisis scenario;
- spreading an in-house culture of risk prevention;
- planning the messages sent to the various stakeholders so that crisis communication strategies are supported by a solid framework;
- contributing to prompt disaster recovery;
- mitigating the effects of the crisis in terms of operation, profitability, and reputation;
- reassuring financial markets;
- maintaining the personal credibility of the leader;
- helping the company to stand out from its competition;
- benefitting from tariff reductions with insurers.
Pitfalls of the Business Continuity Plan
To remain advantageous, the BCP must however be considered by general management as a real tool. One of the main drawbacks of the BCP is that it might appear only as an exercise in style - its application might seem very hypothetical. Yet, to be effective, it must be regularly updated and reassessed.
Implementing a Business Continuity Plan may also sometimes be costly, which discourages some organizations. If this is your case, make sure to acquire a remote system, which will preserve your essential applications in the event of a cyberattack.
Business Continuity Plan
Would you like to set up a business continuity plan and find out more about cyber risks?
How to develop a BCP?
The BCP consists of anticipating different crisis scenarios, in order to design the strategies to maintain critical business functions. Specifically, it takes into account any loss of resources (income, employees, or, in the case of a cyberattack, computer systems) or sensitive data.
Here is an example of BCP implementation applied to the risk of cyberattack. This example is directly inspired by the "Plan Do Check Act" (PDCA) methodology provided for by the ISO 22301 standard:
- P: “Plan”;
- D: “Do”, design the appropriate measures;
- C: “Check”, test, try, simulate and verify the BCP;
- A: “Act”, correct the plan’s shortcomings.
Auditing your business and its cyber context
1 / First, focus on defining the company priorities and objectives that a digital security breach might jeopardise. Is your priority to ensure the accessibility of your website? Is it to secure your users' data? What are your priority IT activities?
2 / Then, define the IT resources and internal skills essential to maintaining these objectives: this is called a Business Impact Analysis (BIA). Also, estimate your Recovery Point Objective (RPO): ask yourself how long your computer systems can remain unusable without permanently impacting the sustainability of the business. Finally, evaluate your Recovery Time Objective (RTO): how long will it take to have your computer systems back and running?
3 / Tackle the different cyber crisis scenarios your company may encounter:
- Are you exposed to confidential data theft/loss or ransomware risks?
- Are your site and online services threatened by Denial of Service attacks?
- Is your business exposed to potential malware?
- Have you ever been a victim of phishing?
Use your cyber risk map to anticipate how these scenarios may affect your business.
Outline a risk management strategy
4 / Next, focus on outlining your risk management strategy: the priority measures that must be taken to reduce cyber risks, and where applicable, to ensure that the company, its operations, and objectives all survive.
5 / Once these elements have been specified, define a thorough continuity strategy for each cyberattack scenario. This step is textbook crisis management. Describe the risk management strategy you need to set up, step by step, one player at a time:
- What is the susceptibility threshold of your company? What are the criteria required to trigger the processes specified by the BCP?
- Who are the people in charge of the Business Continuity Plan? Are they the same people as in your crisis unit? What is each actor’s role and involvement in the overall effectiveness of the BCP?
- What measures can mitigate the effects of the cyberattack on IT systems, data security, and your users’ and collaborators’ activities?
- What are the indicators for evaluating the effectiveness of the BCP? How do you realistically measure the functioning of your company during the crisis?
Digital security crisis training
6/ Carry out cyberattack simulation exercises to test the effectiveness of your BCP. This practice should help you ensure that your Business Continuity Plan really contributes to the “Maintenance, Repair, and Operations” (MRO) methodology.
The National Cyber Security Centre (NCSC) has published a comprehensive guide to the creation of cyber crisis management exercises. Several essential elements on the very concept of a crisis management exercise are to be recalled:
- the exercise is limited in time, most organisations do it over two or three hours;
- it focuses on a fictional but credible cyberattack scenario for employees;
- it should by no means actually disrupt the activities of the company: all elements of the crisis must be simulated;
- simulation helps crisis management actors to achieve their objectives, it is not designed to trip them up;
- the exercise must involve all the internal actors potentially concerned by a digital security breach.
Thanks to the lessons learned from cyber risk simulations, your company should be able to assess its BCP’s efficiency, but if necessary, you may redefine it in order to improve performance. From a broader perspective, your Business Continuity Plan should, at the very least, be updated every two to three years. It should also be enhanced after each crisis, thanks to experience feedback.
Alternatively, the Business Continuity Plan can also consist of a single document which deals with all the risks a company faces. It can also be broken down into different thematic documents: a BCP focused on digital security, one focused on health crises, and another dedicated to strike-related risks, etc.
FAQ : BCP
What is the role of a Business Continuity Plan?
The BCP details the strategy and the steps to follow to ensure continuity of your operation after a crisis such as a cyberattack. It enables you to quickly deal with the crisis situation while preserving your critical business processes.
When do you need to set up a BCP?
The Business Continuity Plan is prepared ahead of a disaster or a disruptive element for the company, its users, and its reputation. Anticipating the risks, mapping them, and creating a BCP adapted to the potential crisis – all of this is paramount.
Who is responsible for the Business Continuity Plan?
The Business Continuity Plan Manager, who reports to General Management, is responsible for the BCP. Where the BCP deals with cyber risks, this manager can be a member of the Information Systems Division. Ultimately, however, the BCP is everyone's business and must involve all stakeholders to ensure its effectiveness.
We build scalable solutions to quantify cyber risk in financial terms so organizations can make informed decisions to improve governance and resilience.