Exclusive: What does security need to know about business continuity?
The pandemic over the past year has accelerated many changes in the way companies do business. Companies with strong cohesion between teams and departments found that they were better able to adapt to changing operating conditions and were more resilient. Security teams and business continuity efforts have typically operated in separate siloes, but many are finding that this distinction no longer makes sense – for security teams to be effective at protecting their organisations and responding to threats, they need to be involved in continuity planning and management.
Many security managers aren’t familiar with the processes of business continuity management (BCM), so it can be a challenge to see how the two disciplines can work well together. Here we’ll outline the basic principles of BCM, discuss how these principles can be applied to better achieve security objectives, and finally look at how to break down the walls between BCM and security.
BCM approaches are more standardised than security management
BCM is a growing field that has recently come onto the radar of many security managers. Quite simply, the aim of BCM is to ensure that an organisation can maintain its critical functions during a disruptive event. The ISO has developed a standardised BCM lifecycle and there is general agreement on the basic approach, unlike in security management, where we have less of a consensus on standards and processes.
The BCM lifecycle
The key phases of the BCM process are:
Business Impact Analysis
The Business Impact Analysis (BIA) is a closer look at the business from a process perspective. A BIA looks at which products or services an organisation delivers, takes into account all the processes needed in the organisation to deliver these and the resources needed to perform the processes.
When this has been mapped out, all the elements are analysed to see which the business needs to protect the most. This is done by looking at each product, process and resource and asking the question, “What is the impact if this particular element is unavailable?”. You then set a target for when each element should be up and running again after a potential disruption; this target is called a “Return Time Objective” (RTO). The shorter the RTO, the more critical the element is.
With an understanding of the elements that are most critical to the business, you start looking at potential risks that may cause a disruption to normal operations. As with any risk assessment, you assess the potential impact and likelihood of threats and build a disruption risk profile for the business. Risks can be mitigated with a number of different actions, as with other non-disruption risks. In many cases, you will likely need to build a business continuity plan for those elements that carry a higher risk, in order to limit potential disruptions.
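To make the BIA and risk-profile steps above concrete, here is a small added example (not code from the article or its authors) that models products, processes and resources, derives each supporting element's RTO from what depends on it, and scores threats as impact x likelihood. The inventory, threats, RTO-to-impact bands, the rule that a supporting element inherits the shortest RTO of anything depending on it, and the BCP threshold are all assumptions constructed for this example.

```python
"""Added example: a minimal Business Impact Analysis (BIA) and disruption risk profile.

Assumptions (not from the article):
  - Only products carry a business-set RTO (hours).
  - A process or resource inherits the shortest RTO among everything it
    directly or indirectly supports, since it must be back before the most
    time-critical thing it enables.
  - Impact is banded 1..5 from the RTO; risk = impact x likelihood.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Element:
    name: str
    kind: str                          # "product", "process" or "resource"
    rto_hours: Optional[float] = None  # set directly for products only
    needed_by: List[str] = field(default_factory=list)  # elements that depend on this one


@dataclass
class Threat:
    description: str
    affects: str      # name of the element made unavailable
    likelihood: int   # 1 (rare) .. 5 (almost certain)


# Constructed sample inventory: two products, two processes, three resources.
INVENTORY: Dict[str, Element] = {
    "Online shop": Element("Online shop", "product", rto_hours=4),
    "Invoicing": Element("Invoicing", "product", rto_hours=72),
    "Order fulfilment": Element("Order fulfilment", "process", needed_by=["Online shop"]),
    "Monthly billing": Element("Monthly billing", "process", needed_by=["Invoicing"]),
    "ERP system": Element("ERP system", "resource", needed_by=["Order fulfilment", "Monthly billing"]),
    "Warehouse staff": Element("Warehouse staff", "resource", needed_by=["Order fulfilment"]),
    "Print service": Element("Print service", "resource", needed_by=["Monthly billing"]),
}

# Constructed sample threats, one per resource.
THREATS: List[Threat] = [
    Threat("Ransomware renders ERP servers unavailable", "ERP system", likelihood=3),
    Threat("Illness outbreak among warehouse staff", "Warehouse staff", likelihood=4),
    Threat("Print supplier ceases trading", "Print service", likelihood=2),
]


def derived_rto(inventory: Dict[str, Element], name: str, _seen: Optional[Set[str]] = None) -> float:
    """RTO of an element: its own value for products, otherwise the minimum RTO
    over everything it supports (walking the dependency chain upwards)."""
    elem = inventory[name]
    if elem.rto_hours is not None:
        return elem.rto_hours
    seen = (_seen or set()) | {name}
    if not elem.needed_by:
        raise ValueError(f"{name} has no RTO and supports nothing; BIA mapping is incomplete")
    for dependant in elem.needed_by:
        if dependant in seen:
            raise ValueError(f"dependency cycle through {dependant}")
    return min(derived_rto(inventory, d, seen) for d in elem.needed_by)


def impact_score(rto_hours: float) -> int:
    """Band an RTO into a 1..5 impact score (bands are an assumption for this example)."""
    if rto_hours <= 4:
        return 5
    if rto_hours <= 24:
        return 4
    if rto_hours <= 72:
        return 3
    if rto_hours <= 168:
        return 2
    return 1


def risk_profile(inventory: Dict[str, Element], threats: List[Threat]) -> List[Tuple[str, str, float, int]]:
    """Return (threat, element, derived RTO, risk score) rows, highest risk first."""
    rows = []
    for t in threats:
        rto = derived_rto(inventory, t.affects)
        rows.append((t.description, t.affects, rto, impact_score(rto) * t.likelihood))
    rows.sort(key=lambda r: r[3], reverse=True)
    return rows


def elements_needing_bcp(inventory: Dict[str, Element], threats: List[Threat], threshold: int = 12) -> List[str]:
    """Elements exposed to at least one threat scoring at or above the threshold."""
    return sorted({elem for _, elem, _, risk in risk_profile(inventory, threats) if risk >= threshold})


if __name__ == "__main__":
    for description, elem, rto, risk in risk_profile(INVENTORY, THREATS):
        print(f"{risk:>3}  RTO {rto:>5.1f}h  {elem:<16} {description}")
    print("BCP needed for:", elements_needing_bcp(INVENTORY, THREATS))
```

Note that the ERP system inherits the 4-hour RTO of the online shop even though billing could tolerate 72 hours; this is the kind of criticality that is easy to miss when a resource is only assessed against a particular adversary rather than against what depends on it.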
Business Continuity Planning
Business Continuity Plans (BCPs) are made to minimise the impact of disruptions by planning out actions for specific stakeholders during and following a disruptive incident. Whereas crisis management plans are designed to deal with a crisis as it occurs, BCPs can remain in effect for hours, days or even months after the incident. The number one goal of a BCP is ensuring that the business limits disruption and reaches its RTO for all critical elements. BCPs are likely to focus on impact-based scenarios. These are scenarios where a specific group of resources is unavailable, such as buildings, people (personnel), technology (IT applications) or suppliers. This structure ensures that the planned scenarios are broad and can be used to respond to most critical incidents.
Integrating BCM with security leads to a more strategic approach
BCM processes can help security managers bring a more strategic approach to security management and become “enablers” of business activity because there is more of a focus on what is crucial to the organisation. This focus ensures that preventive efforts are centred on what is actually critical and security measures or procedures for resources can be better prioritised. There is a risk of losing this focus on criticality when we only consider resource vulnerability in relation to a potential adversary or threat. Having this view of what is critical to protect should then serve as the platform for the security program to ensure there is a connection between the resources used in protection and what consequences are mitigated.
If security managers are aligned on what is essential to an organisation’s function, then security programs are easier to justify against these priorities. Measures can be based on protecting essential products, processes, activities and resources against the potential consequences of disruptions. Strong business cases for security programs can then be built using these measures.
BCM as a starting point for further convergence
When you go through the process of identifying all the activities and resources that are critical to an organisation, it requires a holistic approach. This can be a great starting point for working more closely with information security, health and safety and other teams involved in enterprise risk management. In this way, integrating BCM can lead to the breaking down of siloes between the different functions that all work to ensure organisational resilience.
By Mads Pærregaard, CEO of Human Risks
Mathias Jensen, Co-Owner of Leading BCM
Shivaun Anderberg, Strategy and Behaviour Insights Professional