Business continuity plan: building your cyber resilience

The crises to which companies are exposed are numerous and disruptive. In addition to COVID-related issues, 2022 is a year full of heavy digital security challenges for companies, with cyberattacks in particular posing a threat to activities and reputations across the board.

The Business Continuity Plan, or BCP, is a tool that enables companies to maintain their operation in spite of disruptions. This type of document has already played a major strategic role in many companies’ resilience to the coronavirus crisis. But what is a BCP? How can you conceptualize and implement it in your organization? How should the team manage the associated risks? Here is everything you need to know about the Business Continuity Plan.

Christophe Forêt
President and co-founder of C-Risk

Business Continuity Plan: everything you need to know

The BCP is a strategic tool for companies, allowing them peace of mind when faced with a crisis, safe in the knowledge that they will emerge more resilient. Furthermore, it is an essential way of facing a crisis situation while preserving business continuity, as was required during the COVID-19 pandemic.

There are, of course, official definitions for a BCP and also international standards.

BCP: definition of business continuity management

The Business Continuity Institute (BCI) defines business continuity as “the capability of an organization to continue the delivery of products or services at pre-defined acceptable levels following a disruptive incident”.

In this context, business continuity management provides a framework for ensuring your company’s resilience, thereby maintaining its reputation and the interests of its stakeholders.

The BCP in British and international standards

From 1995 to 2006, the British Standards Institution regulated business continuity planning by issuing a series of standards, many of which have now been withdrawn. The United Kingdom currently follows ISO 22301 and 22313.

The objective of a BCP is to organize the continuity of activities in the event of a disaster that disrupts a company’s normal operations, such as a cyberattack. It aims to help the company to operate within the framework of its legal obligations despite the crisis, and is designed to maintain a company’s commercial and financial objectives. BCPs are considered to be an important lever of risk management in business.

The BCP covers all kinds of crises. These might be internal – such as a digital security breach, a computer failure, or even a fire rampaging through the office – or external, in the case of an epidemic, a social movement, or a financial crisis. What’s more, having a Business Continuity Plan is a legal obligation in certain sectors, such as finance, banking, and health.

The international standard ISO 22301 of 2019 specifies the Business Continuity Management System (BCMS) that a company must implement to be protected from crises. In particular, it details the measures to be followed by sectors for which the BCP is a matter of legal compliance.

Financial consequences of a cyberattack

How is the BCP different from the DRP?

These two types of “plans” both aim to ensure a company’s security despite the crisis situation it is tackling. The BCP summarizes what the company must do to keep it functioning through a disaster, while the Disaster Recovery Plan (DRP) specifies ways to best resume activity after a disaster.

In the example of a cyberattack, the BCP explains how to ensure that computer systems remain operational, allowing essential applications to remain usable and guaranteeing the protection of confidential data. Additionally, it provides mechanisms for employees and potential customers to continue using the computer systems.

The DRP provides a guide of what to do if the computer system, unfortunately, turns out to be unusable after a cyberattack. For example, it can walk you through a step-by-step process of making your website accessible again in the event of a Distributed Denial of Service (DDoS) attack. It can also give instructions for booting a backup system.

When do you need to implement a Business Continuity Plan?

The BCP is required for all companies where business continuity is at risk. It is especially necessary if a shutdown would threaten the financial credibility of the company or its reputation.

When a digital security breach happens, it is essential to reassure investors about your teams’ professionalism, and carrying out the procedures provided for by the BCP in the event of a serious crisis helps to gain credibility among stakeholders. BCP procedures also secure the confidentiality of your users’ and customers’ data, as well as their ability to pursue their online activities.

Why do you need to set up a Business Continuity Plan? Perks and pitfalls

The main advantage of a BCP lies in preventing and anticipating a company’s operational risks. It is part of the risk management related to digital security breaches and involves bringing together the right actors to carry out the processes that ensure business continuity.

Perks of the Business Continuity Plan

The BCP combines several advantages:

  • anticipating and preventing a company’s internal and external risks;
  • establishing recovery strategies for a rapid and effective reaction to a crisis scenario;
  • spreading an in-house culture of risk prevention;
  • planning the messages sent to the various stakeholders so that crisis communication strategies are supported by a solid framework;
  • contributing to prompt disaster recovery;
  • mitigating the effects of the crisis in terms of operation, profitability, and reputation;
  • reassuring financial markets;
  • maintaining the personal credibility of the leader;
  • helping the company to stand out from its competition;
  • benefitting from tariff reductions with insurers.

Pitfalls of the Business Continuity Plan

To remain advantageous, the BCP must be regarded by general management as a real tool. One of its main drawbacks is that it might appear to be a mere exercise in style, whose application seems very hypothetical. Yet, to be effective, it must be regularly updated and reassessed.

Implementing a Business Continuity Plan may also be costly, which discourages some organizations. If this is your case, make sure to acquire a remote system that keeps your essential applications available in the event of a cyberattack.

What is the role of a Business Continuity Plan?

The BCP details the strategy and the steps to follow to ensure continuity of your operation after a crisis such as a cyberattack. It enables you to quickly deal with the crisis situation while preserving your critical business processes.

When do you need to set up a BCP?

The Business Continuity Plan is prepared ahead of a disaster or a disruptive element for the company, its users, and its reputation. Anticipating the risks, mapping them, and creating a BCP adapted to the potential crisis – all of this is paramount.

Business continuity plan: building your cyber resilience

The Business Continuity Plan Manager, who reports to General Management, is responsible for the BCP. Where the BCP deals with cyber risks, this manager can be a member of the Information Systems Division. Ultimately, however, the BCP is everyone's business and must involve all stakeholders to ensure its effectiveness.