Expecting the unexpected: why most people struggle to get business continuity right

Jun 15, 2017

Most people know that investing in business continuity is important for their business to continue to survive and thrive in the face of adversity, as well as building customer confidence. But how do they know they’re putting their limited budgets into the right areas? This article shows how business continuity is rarely an exact science.

The nature of business disruption means that it can and does happen without warning, so anticipating hazards and interruptions ahead of time isn’t always easy.

The results of this year’s global ‘Horizon Scan’ report from the Business Continuity Institute (BCI) show just how far off the mark organisations can be in their predictions.

All the organisations surveyed were most concerned about the effects of cyber crime and data breaches on their critical IT infrastructure.

But although they anticipated these as the biggest threats in the year to come, the actual disruptions that impacted their business most in 2016 were not the headline-grabbing hacks and data leaks but the slightly more prosaic, everyday stuff like more common telecoms and IT outages.

They were also hit badly by disruptions of a non-digital nature like bad weather events and outages of utilities like power and plumbing that have probably been causing headaches for businesses for hundreds of years.

So how are they getting it so wrong? And what lessons can this give us about the way we approach business continuity investment?

All aboard the hype train

It’s not surprising that cyber crime looms big in the imaginations of businesses. If the media is anything to go by, attackers are getting more sophisticated by the day and the scale and impact of cyber attacks has never been greater. The number of major cyber security incidents appearing in the press caused 2016 to be dubbed the ‘year of the hack’. Among them, last year’s Yahoo breach was considered the biggest breach from a single site in history, with over a billion user accounts stolen.

There is no doubt that when they occur, these kinds of events are a devastating blow to brand reputation and customer trust. Organisations should rightly do everything they can to safeguard their customers’ data and have response plans in place should the worst happen to the IT systems.

But take a closer look at the high profile data breaches that have peppered the media over the last few years and one thing is clear- the media hype is not a realistic indicator of threat levels to the average business.

Joe Jouhal, CEO of cyber security advisory firm Avatu argues that data security is a lot simpler and safer than you might think, with much of it coming down to common sense practises and keeping your software up to date.

Yes, says Jouhal, there is an urgency to assess the risk:

“But organisations should not be dazzled by the hyperbole or the hype. Security doesn’t need to be a complicated, difficult or vastly expensive business.

There is much enterprises can do, simply and easily, to help prepare for, and protect against, a data breach launched over the internet or caused by a rogue insider.”

Cyber security is evolving fast and the tools to combat attackers are improving all the time. But as exciting as the digital world is, it’s important not to forget the basics. Disaster recovery in the event of data loss is only one small element – it could be that your business continuity plan is giving you a false sense of security because you aren’t investing in the areas that count.

As the BCI’s report stresses, often intense media coverage over a specific threatsuch as cyber attacks influences organisations’ concerns. it encourages them to “reflect on their concerns and see whether it is proportional to the actual levels of disruption caused by a particular threat materialising.”

“These are uncertain times with multiple challenges in the macro and micro environments in which we all operate, and it has never been more important for an organisation to take an objective view of the challenges that are out there.”

Carefully consider what your business needs are from every angle in your business continuity planning, because it’s likely your business relies on far more than just its IT.

You should also be taking into account natural as well as man-made disruptions. Britain’s weather has been getting wetter and more extreme over the past few years, with insurance firms paying out billions to victims of flooding. In fact, adverse weather came second in the BCI’s survey of top ten business disruptions. What contingencies do you need in place to ensure you can carry on in the event that your premises is flooded or there are problems with infrastructure such as phone lines or the road network?

Your telecommunications are one aspect to consider in a business continuity plan if your organisation communicates by phone with customers and stakeholders. Do you have a failsafe in place for your phones?

Our checklist might be useful in helping you assess how you will continue with business as usual should you suddenly be unable to take calls, or staff can’t get into the office for any reason.

In order to identify the areas that may be vulnerable in your business, it’s important to test and review business continuity plans regularly, looking at all critical business functions and processes. Nobody wants the nasty shock of discovering the hole in their business continuity plan at the point when disaster strikes.