How Financial Organisations Can Plan to Overcome Business Continuity Challenges
- Mark Adams, Regional Sales Director, Northern Europe at Cohesity
- 28.06.2022 03:30 pm #finance
Financial organisations take a lot of calculated risks. Pros and cons are weighed up, and choices are made. Questions such as whether to enter market X, whether to go into partnership with organisation Y, and whether to take a loan to get product Z onto the market are proactive choices an organisation can decide upon and own. However, not everything that occurs is controllable without adequate planning and preparation. At a time when downtime is unacceptable, business continuity is critical.
Business continuity from a technology perspective
Some risks aren’t always addressed, and one task that can easily be put to one side is setting up and then managing a strong business continuity policy and framework. Such a framework covers a lot of ground, such as what to do if the phone lines go down, if the supply chain suddenly breaks, or if your IT network falls victim to an external cyberattack such as ransomware, or to an internal issue such as sabotage by an employee.
Getting a plan together for such eventualities involves almost no risk, just an investment of time, and will inevitably deliver a high reward. And when it comes to the cybersecurity aspect of business continuity planning, why wouldn’t a business want to take advantage, particularly with the threat landscape so concerning? For evidence of the scale of the threat, we only have to look at the continuing rise of ransomware, which Sophos noted in its report The State of Ransomware 2021 was responsible for 79% of its rapid response engagements in 2020/21.
It may be that some businesses don’t address the problem because they see it as too difficult. They just don’t know where to start. But in reality, developing a business continuity framework or plan is a matter of working through a series of processes, gathering information, and making sure that you have covered all the bases. With a framework in place, the task is then one of regular revision and review. Developing a framework and plan is the responsibility of the Chief Information Officer, who will work alongside other key personnel within the organisation.
Setting out a business continuity plan
The first steps in setting out a cyber-related business continuity plan revolve around understanding what it should include, and that’s every single aspect of technology that’s used within the business. A key part of the plan is an inventory of every element of your technology setup: all the IT equipment, including hardware like laptops and phones, and all the software, both cloud-based and in-house.
Don’t just list items, but make sure you know the suppliers, the service level agreements (SLAs), and any arrangements for alternative provisions due to outages. If there are no arrangements for such provision, ask why not, and if you think such arrangements should exist, put them in place.
Make sure that all the contact information needed to invoke any special measures is recorded and can be accessed if the computer system goes down. Imagine how frustrating it will be to know the information you need is recorded but not reachable.
Even with every ‘t’ crossed and every ‘i’ dotted in a business continuity plan, the worst might still happen and ‘business as usual’ could be a few days away, or even longer. So the plan should include some practical measures for keeping going in this kind of situation. What are your absolutely critical services and how can you continue to provide these? If some processes can revert to paper systems, do you have this set up in such a way that people can start using them immediately?
The disaster recovery process
Knowing what you have, who is responsible for it, how to retrieve those elements which are retrievable, and which systems you can run on a temporary basis to get you by is central to a strong business continuity plan.
Inevitably for many businesses, a central pillar of getting up and running post-crisis will be recovering IT services and systems. So central to the business continuity plan should be a highly competent disaster recovery process. You might need to require the ability to recover to a different site in the event that your main premises are inaccessible.
You might need to specify an incremental recovery system which brings critical systems and data on stream first, and ancillary ones later. You will certainly need assurances from your provider that disaster recovery can bring systems back online as fast as possible, and that any malware which can facilitate ransomware and other cyberattacks isn’t simply restored with everything else.
Keeping it fit for purpose
The great challenge with business continuity planning isn’t actually doing the planning and getting the right processes in place. Yes, it takes time and requires resources, but the procedures and processes required are well documented, and there is professional help available from specialist external organisations.
The challenge for CIOs and others responsible for business continuity planning is that such plans are often only tested when they are needed. By then, if there are faults, it is too late to put them right. There are two ways to address this issue. The first is to set a rule that every time a new piece of technology is added, or any changes or upgrades take place, the business continuity plan is revisited so that both internal procedures and any SLA commitments can be checked. In addition, regular complete reviews should be built into the board’s general review schedule.
The second way of ensuring a business continuity plan is fit for purpose is to do dry runs. Paper exercises are one thing, but trying a plan out for real is something else. How to manage these, particularly in terms of critical technology infrastructure and disaster recovery, is something your technology vendors and resellers can help you with. Some will be better prepared than others, and some will have ready-made recovery plans and runbooks showing best-in-class approaches you can adopt to enhance continuity in your business.
Once the organisation completes a test, it should review how it went and update the plan accordingly. It's likely that some parts of the plan will go well but other actions will require more work. A regular schedule for testing is helpful, especially if the business changes its operations, vendors and staff frequently. Comprehensive business continuity undergoes continual testing, review and updating.
Inevitably, business continuity planning creates an additional workload. But it is an important workload. A solid business continuity plan can help your firm continue with business as usual in the face of challenges and feel confident that the challenges will be dealt with in the shortest time possible. Business continuity planning in itself does not require any risk-taking. But it can deliver very high rewards.