A structured approach to developing, implementing and running a Business Continuity Management (BCM) program is often seen as a tedious and complicated task requiring deep expertise and knowledge. BCM programs built with conventional tools also run the risk of becoming outdated quickly. It is no wonder that many risk departments in the corporate sector often still see BCM as the unwanted step-sibling, despite its importance for contributing to revenue growth.
A successful BCM plan will not only maintain operations during times of crisis or disaster, but also minimise cost and reduce damage and recovery time.
Business Continuity Management - Operational & Cyber Resilience Part 1 (white paper)
Essential steps and success factors for maturing your BCM capabilities
June 2019 | alyne.com
Executive Summary (Series)
The ability to successfully build Operational and Cyber Resilience is a critical component of any organisation’s need to respond effectively to crises and adapt strategically to change. Resilient organisations are agile, proactive and collaborative. These qualities are especially crucial in a business environment defined by an increasing interconnectedness of people, businesses, processes and technology—where uncertainty, risks and potential points of disruption have increased and where the accompanying size and nature of its impact are growing.
In this series of white papers on Operational and Cyber Resilience, the Alyne team will be using our own experience from developing Alyne’s operational resilience capabilities to introduce 6 core and interrelated components of Operational and Cyber Resilience that we believe are essential to the development of a resilient organisation. These 6 components consist of: Business Continuity Management and Disaster Recovery, Incident Management, Risk Management, Vendor Governance and Cyber. Through this series of white papers, we would also like to reemphasise our belief here at Alyne that building resilient organisations requires an organisation-wide approach that integrates technology with the processes and people that use it. Resilience is as much technology as it is the people and the processes.
In the first part of our Operational and Cyber Resilience series, we will cover Business Continuity Management.
CEOs surveyed feel most vulnerable when it comes to:
65%: Gathering the right information quickly
57%: An out of date business continuity plan
55%: Communicating adequately with internal stakeholders
47%: Unclear definition of the crisis
1. https://www.pwc.com/gx/en/ceo-agenda/pulse/crisis.html
Introduction
A structured approach to developing, implementing and running a Business Continuity Management (BCM) program is often seen as a tedious and complicated task requiring deep expertise and knowledge. BCM programs built with conventional tools also run the risk of becoming outdated quickly. It is no wonder that many risk departments in the corporate sector often still see BCM as the unwanted step-sibling, despite its importance for contributing to revenue growth. A successful BCM plan will not only maintain operations during times of crisis or disaster, but also minimise cost and reduce damage and recovery time.
Nevertheless, the importance and necessity of having an efficient, solid and audit-proof BCM Framework cannot be overstated. A successful BCM Framework is the glue that holds all the 6 components of operational resilience together—it builds overall preparedness and is a vital asset for all businesses no matter the size or type. In this white paper, we will introduce the essential steps for building a successful BCM plan and highlight key success factors for a mature BCM framework that will differentiate yours from the rest.
“FAILING TO PLAN IS PLANNING TO FAIL.” - ALAN LAKEIN
How long does it take to detect and contain a data breach?
With BCM: identify 171 days; contain additional 50 days; total 221 days.
Without BCM: identify 214 days; contain additional 65 days; total 299 days.
Organisations that involve BCM in data breach planning and response take 78 days less to identify and contain a data breach than companies without BCM involvement. [3]
About 55% of study participants say the top challenge they face is incorporating an increasing number of business-critical systems into their recovery plans. [2]
2. https://www.ibm.com/downloads/cas/NXG1W2VP
3. 2017 Cost of Data Breach Study: Impact of Business Continuity Management, Ponemon Institute LLC, 2017.
OPERATIONAL & CYBER RESILIENCE: PART 1 - BCM | WHITE PAPER
Building a Culture of Resilience
Culture Eats Strategy for Breakfast
We cannot talk about developing a successful BCM Framework without first emphasising that resilience is not merely a functional process but also a culture—a way of doing things that spans across the entire organisation.
A problematic yet common approach that many organisations take toward BCM is spending obscene amounts of money on buying new technology while disregarding the necessity of building processes and providing correct training for the people utilising this technology. This traditional IT-centric approach has dominated for too long and there is a strong need for modern companies to rethink their BCM approach from a holistic perspective. Your BCM plan needs to be aligned with your overall business strategy.
With the right measures in place, business resilience can mature and businesses can become far more resistant to disruptions and be better equipped to preserve their financial, operational and reputational value should a crisis occur.
Organisations should focus on developing a culture of resilience in the following key areas:
1. Alyned Leadership and Clear Governance Structure
Successful BCM starts with strong and coherent leadership and clearly defined lines of authority. Do leaders share the same vision for the organisation? Have crisis priorities been established? Is everyone clear about their roles and responsibilities when a crisis occurs? Have lines of authority for a crisis been defined?
Yet, simply answering ‘Yes’ to these questions is not enough. Successful BCM also hinges on a commitment by leadership to foster a culture of resilience. It requires continuous investment in risk evaluation, strategy and situation awareness, as well as a focus on nurturing innovation, creativity and problem solving amongst its staff.
“BCM IS NOT A PROJECT, IT IS A CULTURE!” - DEUTSCHE BANK IT-DIRECTOR
Forward-Looking and Change Ready
Anticipation and planning. A preventative and informational plan to establish that the organisation is change-ready. Ensuring that the strategy is clear across the organisation, and that priorities are understood in the event of a crisis. Testing the preparedness can include stress test simulations.
Staff Engagement and Collaboration
Successful BCM also requires the right mix of skills and knowledge. Although a central part of resilience planning is in clearly defining who has authority to call out a BCM case, it is also about recognising scenarios where entrusting employees with specialised knowledge to make decisions can greatly aid the company. It also means breaking down silo mentality and encouraging greater internal and external relationship building and networking. An interconnected knowledge base is invaluable during times of crisis.
“MAKE BUSINESS CONTINUITY ‘BUSINESS AS USUAL’ AND EMBED IT INTO YOUR MANAGEMENT ROUTINES AS DECISIONS ARE MADE, INSTEAD OF AN AFTERTHOUGHT ‘CHECK OFF THE BOX’ EXERCISE LATER.” - JOE TRAVERS
The 4 Key Components for a Successful BCM Plan
In this section, we highlight the key components that you will need to consider when developing a BCM plan.
In the development of your BCM, four key components need to be considered:
1. Business Impact Assessment: Defining a scope of what to protect
The first critical step of a successful BCM is in defining the scope of what to protect and deciding how to prioritise those assets. This can be done through a Business Impact Assessment (BIA) that asks three key questions:
   1. How critical are the processes, assets, people and other objects to my business?
   2. How long can I maintain operations without these objects?
   3. What is the correct level of protection my objects need?
Though simple sounding, the challenge with developing a BCM is usually that these questions are, in fact, both wide in scope and have complex answers that can be highly subjective and difficult to manage. After all, what seems critical to one person might not be perceived in the same way by another.
At Alyne, we overcome this by utilising the Funnels function in our app. The Funnels function allows us to determine business impact, define tolerated down-times and establish the level of protection needed for our objects and assets.
Most crucially, utilising Alyne’s Funnels has 2 major benefits. First, Funnels is highly efficient in gathering data—it is both interactive and simple to use. Second, it is able to provide objectivity. Like all other functions in our app, Funnels is built by experts for other experts and integrates people, processes and technology seamlessly.
2. Defining your Business Continuity Framework
Once you have identified the most critical components and objects of your business, the next step is about setting up a suitable framework for your BCM plan. When scoping the relevant controls for your BCM framework, it is highly recommended that you combine both results from your Business Impact Analysis as well as the opinions of any relevant stakeholders in your organisation. As with the development of any organisation-wide policy or document, a major pitfall of developing an effective BCM plan is the danger that it gets formulated in an ivory tower with limited perspective and without any input from people on the ground. What you end up with would then become essentially impractical and unusable when a major incident actually occurs.
3. Take measures and attach relevant documentation
A well-functioning BCM framework relies heavily on documented provisions and measures. It is therefore crucial that you attach any relevant documents which are specific and easy to execute in the midst of a crisis, such as guidance on authority and roles, call sheets or recovery plans. In cases where you have existing policies or documented measures, make sure to attach them to the control framework. The more you document, the easier it becomes for internal and external stakeholders to understand and comprehend your framework.
4. Disaster Recovery Management
Your disaster recovery management plan should be developed in conjunction with your BCM plan. In the midst of a crisis, good disaster management enables your organisation to prioritise and focus solely on restoring business critical resources, as outlined in your BCM plan. It is not always about the speed that the organisation returns to normalcy, but the prioritisation of your most important assets and understanding the degree of impact.
In 2018, a Unitrends survey on DR and Cloud adoption showed that although 75% of respondents report at least annual DR testing, 52% of them still reported poor testing performance. [4]
Success factors in Disaster Recovery Management
1. Have clearly defined strategies. These will differ vastly between industries and organisations. Make sure to outline per scenario exactly how you want to react, as sometimes your strategy could even dictate to do nothing.
2. Authority to invoke. Ensure that the authority is given to those who can call out a BCM case and is clearly understood by those who cannot.
3. Two very different sets of rules apply between business as usual, and a business in disaster recovery mode. Understanding the two sets of rules is crucial.
4. https://www.unitrends.com/resources/2018-survey-results-10-findings-800-pros-handle-disaster-recovery-cloud-adoption
Closing Thoughts: The 3 Success Factors
1. Train and test the plans
Before actually simulating the plans, it is very difficult to anticipate just how different the approaches from various individuals might be. At Alyne, we have regular BCM tests with different scenarios. In every training session we have, we encounter topics where all the responsible people would have reacted differently. At the end of our training sessions, we end up taking away new actions to implement to increase our resiliency.
2. Involve the whole team
If your team learns about the organisation’s disaster plans for the first time in a crisis situation, the resiliency of your organisation will be poor.
3. Keep it structured
A 500-page manual will not be actionable in a time of crisis. There need to be some easy-to-grasp governing principles and easy building blocks to enable teams to respond effectively.
At Alyne, we’ve experienced too many inefficient BCM frameworks. Developed in ivory towers, they are usually unimplementable or require excessive effort across the organisation to run. To combat these issues, we developed a comprehensive control library that delivers the possibility of both an advanced and basic BCM capability out of the box. Our control statements have also been developed with a holistic approach to BCM that involves experts across departments from HR to IT and from the Strategy Department to Facility Management. Alyne allows businesses to easily establish a customisable and business-specific framework tailored to its unique threats whilst fostering an organisational culture of resilience.
For more information, please contact our customer success team at support@alyne.com or visit our website at: www.alyne.com