Business continuity plans don't fail because of the size of the documents or their content - business continuity plans, incident response and recovery fail because preparations and capabilities are intrinsically flawed. In this post we discuss the most common weaknesses that indermine the effectiveness of business continuity - most of which are not highlighted during a traditional business continuity audit.

1. Weak or Outdated Preparations

Business Continuity Plans are often seen as the fiinished product, their "worth" being measured by the how many pages the "plan" contains and whther or not it contains content that aligns with a particular standard or framework. The size of the plan document is irrelevant, the quality of preparedness is the main differentiator betwen success and failure. Focussing on adapability in the face of organisational growth, changed processes, new technology and changed roles and responsibilities ensures that preparations remain relevant.

Common inaccuracies caused by the above changes are:

• Inaccurate or outdated contact details - which may be held in documents or automated notification systems often decay if not regularly confirmed

• Changes to technology or physical premises can challenge prior assumptions related to recovery timing, resource availability & capacity

• Growth - increasing data volumes, headcount growth and supply chain changes can undermine capabilities previously considered adquate

  
  

2. Lack of Organisational "Muscle Memory"

Muscle memory for incident response is the ability to respond to incidents automatically and effectively. It can be developed through regular practice and exercises, such as:

Simulations & "Micro- Simulations"

Simulations mimic real-world attacks to test incident response such as Red Team/ Blue Team exercises for re-creating a cyber-attack situation

Micro Simulations or "micro-sims" have a crucial role to play in keeping the response organisation "sharp", rather than being scenario based, micro-sims focus on a short, sharp re-enactment of a specific aspect of incident response and are often introduced as a surprise during day-to-day activities. For instance, at the end of a meeting a participant announces, "You are about to receive a test message to notify you of a [type of] incident - tell me what your first actions would be". This type of exercising establishes the "muscle memory" of key role holders in ways that scheduled, periodic testing activities cannot.

Tabletop exercises

Have team members walk through different incident scenarios to practice critical decision-making and familiarize themselves with their roles. The effectiveness of table-top exercises can be significantly improved

Onboarding

Establish relationships with key providers, onboard them with your environment, and conduct joint exercises.

Developing muscle memory for incident response can reduce decision-making time, mitigate the worst outcomes from attacks, and help the team develop critical psychological resilience and adaptability. Lack of familiarity with roles, responsibilities, actions to be taken and operation of resources will significantly reduce the effectiveness of incident response

4. Outdated, Incomplete, Untested or Depleted Recovery Resources

Resources, technology and equipment that are relied upon to facilitate recovery need to be regularly tested and confirmed as fit for purpose. Recovery capabilities for critical systems, inventory, equipment availability and condition, emergency communications facilities all require regular proving and confirmation. (Elite forces don't wait until they are "in theatre" to check that their equipment and weapons are working correctly!!)

5. Sub-optimal Communication

Unclear or missing communication protocols: organisations often lack clear communication channels for informing employees, customers, suppliers, and stakeholders during a disruption.

Establishing how the response organisation including executive leadership to response & recovery team members will communicate is another common oversight

Clear frameworks and communications channels aligned to the needs and expectations of specific audiences need to be clearly defined with individuals responsible for operating those channels highly proficient in their use.

6. Inadequate Vendor and Supply Chain Management

Failure to consider reliance on third-party providers: Disruptions to suppliers, vendors, or service providers can halt business operations.

7. Overly Complex Approaches

Many business continuity plans are too complex or unwieldy to be easily understood or deployed during a major incident. Business Continuity "plans" that have dozens of pages may satisfy some audits, but they will be of limited use to support response and recovery activities during a major incident. One way to establish whether your plans are overly complex is to perform one of the tests outlined in point 2, above. If participants start to leaf through page after page, ultimately discarding the "plan" - it's too complicated. Concentrate on building "muscle memory" instead.

RiskCentric business continuity plan audit service goes beyond compliance assessments and looks deeper into the the intrinsic capabilities of your organisation to recover from a major incident. Click the link above for more information and to contact us.