The crises to which companies are exposed are numerous and disruptive. In addition to COVID-related issues, 2022 is a year full of heavy digital security challenges for companies, with cyberattacks in particular posing a threat to activities and reputations across the board.
A Business Continuity Plan, or BCP, is a tool that enables companies to maintain their operations in spite of disruptions. This type of document has already played a major strategic role in many companies’ resilience during the pandemic. But what is a BCP? How can you conceptualise and implement it in your organisation? This article takes a close look at the various standards and elements that make up a Business Continuity Plan as well as some of the benefits of a BCP.
The BCP is a strategic tool for companies, allowing them peace of mind when faced with a crisis, safe in the knowledge that they will emerge more resilient. Furthermore, it is an essential way of facing a crisis situation while preserving business continuity, as was required during the COVID-19 pandemic.
There are, of course, official definitions for a BCP and also international standards.
The Business Continuity Institute (BCI) defines business continuity as "the capability of an organization to continue the delivery of products or services at pre-defined acceptable levels following a disruptive incident".
In this context, business continuity management provides a framework for ensuring your company’s resilience, thereby maintaining its reputation and the interests of its stakeholders.
From 1995 to 2006, the British Standards Institution regulated business continuity planning by issuing a series of standards, many of which have now been withdrawn. The United Kingdom currently follows ISO 22301 and 22313.
The objective of a BCP is to organise the continuity of activities in the event of a disaster that disrupts a company’s normal operations, such as a cyberattack. It aims to help the company to operate within the framework of its legal obligations despite the crisis, and is designed to maintain a company’s commercial and financial objectives. BCPs are considered to be an important lever of risk management in business.
The BCP covers all kinds of crises. These might be internal – such as a digital security breach, a computer failure, or even a fire rampaging through the office – or external, in the case of an epidemic, a social movement, or a financial crisis. What’s more, having a Business Continuity Plan is a legal obligation in certain sectors, such as finance, banking, and health.
The international standard ISO 22301 of 2019 specifies the Business Continuity Management System (BCMS) that a company must install to be protected from crises. In particular, it details the measures to be followed by sectors for which the BCP is a matter of legal compliance.
These two types of “plans” both aim to ensure a company’s security despite the crisis situation it is tackling. The BCP summarises what the company must do to keep it functioning through a disaster, while the Disaster Recovery Plan (DRP) specifies ways to best resume activity after a disaster.
In the example of a cyberattack, the BCP explains how to ensure that computer systems remain operational, allowing essential applications to remain usable and guaranteeing the protection of confidential data. Additionally, it provides mechanisms for employees and potential customers to continue using the computer systems.
The DRP provides a guide of what to do if the computer system, unfortunately, turns out to be unusable after a cyberattack. For example, it can walk you through a step-by-step process of making your website accessible again in the event of a Distributed Denial of Service (DDoS) attack. It can also give instructions for booting a backup system.
The BCP is required for all companies where business continuity is at risk. It is especially necessary if this shutdown threatens the financial credibility of the company or its reputation.
When a digital security breach happens, it is essential to reassure investors about your teams’ professionalism, and carrying out the procedures provided for by the BCP in the event of a serious crisis helps to gain credibility among stakeholders. BCP procedures also secure the confidentiality of your users’ and customers’ data, as well as their ability to pursue their online activities.
The main advantage of BCPs resides in preventing and anticipating the operational risks of a company. It is part of the risk management related to digital security breaches and involves bringing together the right actors to carry out the processes that ensure business continuity.
The BCP combines several advantages:
To remain advantageous, however, the BCP must be considered by management as a real tool. One of the main drawbacks of a BCP is that it might appear only as an exercise in style – its application might seem very hypothetical. Yet, to be effective, it must be regularly updated and reassessed.
Implementing a Business Continuity Plan may also sometimes be costly, which discourages some organisations. If this is the case for you, make sure to acquire a remote system, which will preserve your essential applications in the event of a cyberattack.
The BCP consists of anticipating different crisis scenarios, in order to design the strategies to maintain critical business functions. Specifically, it takes into account any loss of resources (income, employees, or, in the case of a cyberattack, computer systems) or sensitive data.
Here is an example of BCP implementation applied to the threat of cyberattack. This example is directly inspired by the "Plan Do Check Act" (PDCA) methodology provided for by the ISO 22301 standard:
- P: “Plan”;
- D: “Do”, design the appropriate measures;
- C: “Check”, test, try, simulate and verify the BCP;
- A: “Act”, correct the plan’s shortcomings.
1 / First, focus on defining the company priorities and objectives that a digital security breach might jeopardise. Is your priority to ensure the accessibility of your website? Is it to secure your users' data? What are your priority IT activities?
2 / Then, define the IT resources and internal skills essential to maintaining these objectives: this is called a Business Impact Analysis (BIA). Also, estimate your Recovery Point Objective (RPO): ask yourself how long your computer systems can remain unusable without permanently impacting the sustainability of the business. Finally, evaluate your Recovery Time Objective (RTO): how long will it take to have your computer systems back up and running?
3 / Tackle the different cyber crisis scenarios your company may encounter:
Use your cyber risk map to anticipate how these scenarios may affect your business.
4 / Next, focus on outlining your risk management strategy: the priority measures that must be taken to reduce cyber risks, and where applicable, to ensure that the company, its operations, and objectives all survive. There are qualitative and quantitative risk assessment methods. Focusing on the quantitative methods, such as CRQ, will provide decision-makers with financial data for budget decisions.
5 / Once these elements have been identified, define a thorough continuity strategy for each cyberattack scenario. This step is textbook crisis management. Describe the risk management strategy you need to set up, step by step, one player at a time:
6 / Carry out cyberattack simulation exercises to test the effectiveness of your BCP. This practice should help you ensure that your Business Continuity Plan really contributes to the “Maintenance, Repair, and Operations” (MRO) methodology.
The National Cyber Security Centre (NCSC) has published a comprehensive guide to the creation of cyber crisis management exercises. Several essential elements on the very concept of a crisis management exercise are to be recalled:
Thanks to the lessons learned from cyber risk simulations and CRQ methods, your company should be able to assess its BCP’s efficiency and, if necessary, redefine it in order to improve performance. From a broader perspective, your Business Continuity Plan should, at the very least, be updated every two to three years. It should also be enhanced after each crisis.
Alternatively, the Business Continuity Plan can also consist of a single document which deals with all the risks a company faces. It can also be broken down into different thematic documents: a BCP focused on digital security, one focused on health crises, and another dedicated to strike-related risks, etc.
The BCP details the strategy and the steps to follow to ensure continuity of your operation after a crisis such as a cyberattack. It enables you to quickly deal with the crisis situation while preserving your critical business processes.
The Business Continuity Plan is prepared ahead of a disaster or a disruptive element for the company, its users, and its reputation. Anticipating the risks, mapping them, and creating a BCP adapted to the potential crisis – all of this is paramount.
The Business Continuity Plan Manager, who reports to General Management, is responsible for the BCP. Where the BCP deals with cyber risks, this manager can be a member of the Information Systems Division. Ultimately, however, the BCP is everyone's business and must involve all stakeholders to ensure its effectiveness.