Global pandemic, yellow vests movement in France, the housing bubble burst in 2008… The crises to which companies are exposed are numerous and violent. In addition to COVID-related issues, 2021 is a year full of strong digital security challenges for companies. Cyber attacks particularly threaten their activities and their reputation.
Published on July 6, 2021, 1:53 p.m. (Updated on 20 October 2021 11:27)
The Business Continuity Plan, or BCP, is a tool enabling companies to maintain their operation despite disruptions. This type of document already has played a major strategic role in the resilience of certain societies to the coronavirus crisis. What is the BCP? How to conceptualize and implement it in your organization? Here is everything you need to know about the Business Continuity Plan.
The BCP is a strategic tool for companies: they can go through crises with more serenity and emerge more resilient. BCP has official definitions, but also international standards. It is an essential means to face a crisis situation while preserving business continuity, as everyone saw during the COVID-19 pandemic.
The Business Continuity Institute (BCI) defines business continuity as "the capability of an organization to continue the delivery of products or services at pre-defined acceptable levels following a disruptive incident”.
In this context, business continuity management provides a framework to ensure the resilience of your company. This framework also serves to maintain its reputation and the interests of its stakeholders.
From 1995 to 2006, the British Standards Institution has regulated business continuity planning by issuing a series of standards. Many of these are now withdrawn and the United Kingdom is following ISO 22301 and 22313.
The objective of the BCP is to organize the continuity of activities in the event of a disaster, such as a cyberattack, that disrupts the company’s normal operations. It aims to help the company to operate within the framework of its legal obligations despite the crisis. It is also designed to maintain its commercial and financial objectives. One may say that the BCP is an important lever of risk management to the company.
The BCP covers all kinds of crises. These might be internal, such as a digital security breach, a computer failure, or even a fire rampaging through the office. Crises might also be external: an epidemic, a social movement, a financial crisis etc. Having a Business Continuity Plan is a legal obligation for certain sectors, such as finance, banking or health.
The international standard ISO 22301 of 2019 specifies the BCMS, business continuity management system, a company has to install to be protected from crises. In particular, it details the measures to be followed by the sectors for which the BCP is a matter of legal compliance.
These two types of “plans” both aim to ensure the security of the company despite the crisis situation it is going through. The BCP summarises what the company must do to keep it functioning, despite disasters. The DRP, Disaster Recovery Plan, specifies what to do to resume activity after a disaster.
In the example of a cyberattack, the BCP explains how to make sure the computer systems remain operational. This way, essential applications remain usable and protection of confidential data is guaranteed. Besides, employees and potential customers can continue to use the computer systems.
The DRP provides a guide of what to do if the computer system, unfortunately, turns out to be unusable after a cyberattack. For example, it can walk you through, in order to make your website accessible again in the event of a DDoS attack, Distributed Denial of Service. It can also give instructions to boot a backup system.
The BCP is required for all companies where business continuity is at risk. It is especially necessary if this shutdown threatens the financial credibility of the company or its reputation.
Carrying out the procedures provided for by the BCP in the event of a serious crisis helps to gain credibility with stakeholders. When a digital security breach happens, it is essential to reassure investors about the professionalism of your teams. BCP procedures also secure the confidentiality of the data of your users or customers, as well as their ability to carry on their online activities.
The main advantage of the BCP resides in preventing and anticipating the operational risks of the company. It is part of the risk management related to digital security breaches. It means bringing together the right actors around the realization of the processes which ensure business continuity.
The BCP combines several advantages:
To remain advantageous, the BCP must however be considered by general management as a real tool. One of the main drawbacks of the BCP is that it might appear only as an exercise in style, its application might seem very hypothetical. Yet, to be effective, it must be regularly updated and reassessed.
Implementing a Business Continuity Plan may also sometimes be costly, which discourages some organizations. If this is your case, make sure to acquire a remote system, which will preserve your essential applications in the event of a cyberattack.
The BCP consists of anticipating different crisis scenarios, in order to design the strategies to maintain critical business functions. Specifically, it takes into account any loss of resources, be it income, employees, or, in the case of a cyberattack, computer systems, or sensitive data.
Here is an example of a BCP implementation applied to the risk of cyberattack. This example is directly inspired by the PDCA (Plan Do Check Act) provided for by the ISO 22301 standard:
- P: “Plan”;
- D: “Do”, design the appropriate measures;
- C: “Check”, test, try, simulate and verify the BCP;
- A: “Act”, correct the plan’s shortcomings.
1 / First, focus on defining your company’s objectives and needs a digital security breach might jeopardize. Is your priority to ensure the accessibility of your website? Is it to secure your users' data? What are your priority IT activities?
2 / Then define the IT resources and internal skills essential to maintain these objectives: this is called a business impact analysis (BIA). Also, estimate your Recovery Point Objective (RPO): ask yourself how long your computer systems can remain unusable without permanently impacting the sustainability of the business. Finally, evaluate your Recovery Time Objective (RTO): how long will it take to have your computer systems back and running?
3 / Tackle the different cyber crisis scenarios your company may encounter:
- Are you exposed to confidential data theft/loss or ransomware risks?
- Are your site or online services threatened by Denial of Service attacks?
- Is your business exposed to potential malware?
- Have you ever been a victim of phishing?
Use your cyber risk map to anticipate how those scenarios may affect your business.
4 / Proceed to focus on outlining your risk management strategy: the priority measures that must be taken to reduce cyber risks, and where applicable, to ensure that the company, its operations and objectives all survive.
5 / Once these elements have been specified, thoroughly define a continuity strategy for each cyberattack scenario. This step is textbook crisis management. Describe the risk management strategy you need to set up: step by step, one player at a time:
6/ Carry out cyberattack simulation exercises to test the effectiveness of your BCP. This practice should help you ensure that your Business Continuity Plan really contributes to what is called MRO: maintenance, repair, and operations.
The National Cyber Security Centre (NCSC) has published a comprehensive guide on the creation of cyber crisis management exercises. Several essential elements on the very concept of a crisis management exercise are to be recalled:
Thanks to the lessons your company learned from cyber risk simulations you should be able to assess your BCP’s efficiency? If need be, you may redefine it so as to improve performance. From a broader perspective, your Business Continuity Plan should, at the very least, be updated every two to three years. It should also be enhanced after each crisis, thanks to experience feedback.
The Business Continuity Plan can also consist of a single document which deals with all the risks to the company. It can also be broken down into different thematic documents: a BCP focused on digital security, a plan focused on health crises, another dedicated to the strike-related risks, etc.
The BCP details the strategy and the steps you have to follow to ensure the continuity of your operation after a crisis such as a cyberattack. It enables you to quickly deal with the crisis situation while preserving your critical business functions.
The Business Continuity Plan is prepared ahead of a disaster or a disruptive element for the company, its users, and its reputation. Anticipating the risks, mapping them, and creating a BCP adapted to the potential crisis: all of this is paramount.
The Business Continuity Plan Manager, who reports to General Management is the one responsible for the BCP. This manager can be a member of the Information Systems Division when the BCP deals with cyber risks. Ultimately, however, the BCP is everyone's business and must involve all stakeholders to ensure its effectiveness.