2020 was a tough year for many organizations: we faced a global pandemic and an increase in cyber activity, among other disruptions.
Here are the lessons we take from 2020 when it comes to Business Continuity Planning.
Evaluate existing controls
Most organizations have structures to mitigate risks; however, the probability of some risks materializing is very low. This does not prove that the controls are effective; it is simply good luck. It is important to test the effectiveness of controls over time to ensure that when the disruption inevitably occurs, we are prepared to deal with the impacts.
Conduct a Business Impact Assessment
A Business Impact Assessment enables organizations to assess the impacts of disruptions to business functions and to gather the information needed to develop recovery strategies.
The key questions of the Business Impact Assessment are:
- What are the critical/prioritized operations?
- What are the minimum operating requirements you need to maintain those operations?
- Which core systems and service providers are those functions reliant on?
Most organizations have a risk department and assume that disaster recovery and Business Continuity Planning are a risk department affair. However, every member of the organization is a player in Business Continuity Planning; roles should be defined, and management should show commitment.
Scenario-Based Planning
Planning requires us to think in a "What if?" manner and also to be ready to improvise. Nominating a Crisis Management Team is critical; the team should involve the right people with the right skills.
The scenarios should be used to evaluate the adequacy of the controls in place to ensure continuity of operations.
Do not wait for a disaster to plan. We all watched as COVID-19 hit China before it spread all over the world, yet most countries never planned until the first case was reported.
Communication is vital for every Business Continuity Management System. Every organization should determine the communication requirements for all interested parties and tailor the communications to best suit them.
Test Recovery Capabilities
The business should conduct tests that simulate the unavailability of enablers for the critical operations and exercise the plan in place for such a scenario.
Always start with simple tests, then incrementally increase the scope.