What’s your business plan if it hits the fan?
Business continuity plans (BCPs) safeguard your organisation from being brought down by unexpected events. A BCP doesn’t need to run to pages of documents; in fact, a straightforward, simplified approach produces a more effective response when it really does hit the fan. Global business continuity expert and founder of Business As Usual, Rinske Geerlings, takes a refreshingly open and direct approach, cutting to the chase on the complex processes behind business continuity and information security.
“Phones are ringing in the building, there are delivery trucks turning up, there are emails from customers flooding in – that’s when business continuity planning kicks in.” – Rinske Geerlings, Founder and Managing Director, Business As Usual
From earthquakes and terrorist attacks to slow-onset events like COVID-19 or cybersecurity threats, the point is to address anything that could cripple the operational capability of an organisation beyond acceptable levels. We can confidently implement preventative controls for events such as floods, fires, and electricity failures. However, it’s a bit different when we turn to our IT systems. “Cybersecurity has actually become the driving force for many businesses to make continuity plans, considering they’re so difficult to foresee and to prevent.” Cyber attacks are constantly improving and evolving, so it’s much harder to predict which new vulnerabilities we’re exposing ourselves to.
The most surprising insight from Rinske’s experience is just how many BCPs assume the staff will be there to activate the plan. Consider how your staff themselves may be unavailable or react in unexpected ways, and make sure to allocate second and third backups for key roles. Job rotation schemes are also very useful for avoiding over-stretching your people, and good checklists should be maintained in case alternate people have to step in. “Your people are actually the most critical ingredient in any business. Even if the building is accessible or your IT system has melted down, staff can still inform clients and other stakeholders of the expected resolution time and maintain some reputation.”
“BCP is not like climbing Mount Everest. There are easy, tested, and tried ways to keep it simple and to be able to really rely on a plan that works in practice when you need it most.”
It’s easy to assume that a BCP would cost a lot of money, but when it comes to running a small business you don’t have to dig deep to be prepared. Rinske advocates simple BCP structures that don’t demand much money or effort. Don’t make a separate plan for every single thing that can go wrong; instead, keep your planning process simple by breaking it down to the core consequences of those threats. These could include loss of IT, of the building, of staff, of external suppliers, or of voice communication. By planning for the impact rather than for every possible cause, you create a modular approach. For each of those consequences, give clear priorities instead of a long list of what each person needs to be doing, because in panic mode we can only remember so much.
Where possible, look for manual workarounds you can substitute, and try to set up mutual aid agreements (or MOUs) with another business that has good backup facilities. This could be anything from meeting rooms to Wi-Fi: anything that could help your business if something happens and you need to share those facilities. Years ago, Rinske made plans for early pandemic scenarios in Tasmania, where a private hospital was backed up by a hotel nearby. The hotel offered to clear a floor for non-contagious patients so that the hospital could focus on the people who most needed its services. This agreement didn’t cost anything; it just needed a bit of pre-organisation and a brief group session. This kind of planning can go a long way towards saving days of trying to find out who’s in charge of what when an emergency happens.
The recent COVID-19 situation has certainly made a lot of people aware of how important it is to have backups for staff when they’re ill or looking after sick family members. On the other hand, some businesses are making the mistake of jeopardising their security with operational decisions that involve lifting some security measures. In one example, during a walkthrough of a mobile-network failure scenario, the business decided to drop two-factor authentication for access to its systems. This is alarming, because people are already working from home on less secure devices and networks. People often take the real risk for granted, so it’s really important to keep staff engaged and ‘incident ready’ with drills, games, and other activities. Make sure the same security measures that normally apply in the office are also applied to remote working.
For many businesses right now, planning the transition back to business as usual is going to need some serious consideration. “Start tracking lessons learned before you go back to the new business as usual.” This means having an honest talk with staff about the challenges and the silver linings of working remotely, and encouraging staff to speak up about what they struggled with. Also check in to see what they’re learning and what they think could be done better. The reality is that working from home isn’t for everyone, so a better understanding of what helps people do their jobs well will only make the transition more effective.
Rinske points out that many people like herself have been suggesting pandemic scenarios for the last half-decade, especially since the first incidents of bird flu and swine flu. Unfortunately, the response at the time was flat-out rejection, particularly from businesses in Australia and Europe that couldn’t see the possibility of something like that happening to them. In fact, adoption is the key part here, because “many standards actually already were available for these things, and smart people already thought about these scenarios like pandemics – even APRA produced a pandemic standard years ago.” It’s ultimately up to businesses to accept that realistic, viable scenarios will occur and that they will need a plan to deal with them in order to have a chance of surviving.
Many organisations now finally see the point of a solid BCP that helps them when an incident actually happens, rather than focusing only on preventative controls, particularly around cybersecurity. Organisations should be testing and simulating scenarios sufficiently. We shouldn’t care too much about the cause and the likelihood of something happening; rather, we should assume it has happened and figure out how to move forward without the business being damaged beyond acceptable levels.