4 Steps to Building a Business Continuity Plan

I recently spent some time helping the IT leadership team at a major agricultural firm think through the most significant cybersecurity issues facing its organization. At first, the discussion followed a familiar path: The organization wanted to better understand how well prepared it was for a cybersecurity incident and asked us to perform a routine assessment. 

Then, the conversation took an important turn. The CIO said, “This is all well and good, but what about the risks that we’re not thinking about? Sure, we might be the target of the next major ransomware attack and we should be prepared for that, but we were blindsided by the COVID-19 pandemic. How do we prepare for the next unforeseen threat?”

I almost jumped out of my seat with excitement, because that’s exactly the type of question I enjoy helping customers answer. I knew the next step for this organization’s leaders: They needed a business continuity plan (BCP). This is an exercise that CDW has conducted with many organizations over the years. Through these engagements, I’ve learned four key principles that lead to BCPs that truly help the business. Let’s look at each of them:

Identify all the potential risks that could disrupt your business. Depending on your organization, you may choose to focus on risks that are likely for your region or industry. If you don’t know what’s relevant, you might go with a professional service to conduct a hazard vulnerability assessment to ensure you are looking at what matters. In either case, you’ll want to examine these threats based on two critical factors: the likelihood that each will occur and the impact on your business if they do.

Sometimes referred to as a business impact analysis (BIA), this step is intended to identify what processes keep your business running and what those processes depend on. This will include some physical technology assets, but it should also include information assets and employees, across all business units. During this step, it’s critical to get input from all business stakeholders, as the IT team’s view of a business-critical process might be very different from that of stakeholders in the legal or human resources department.

Will the controls and processes currently in place acceptably mitigate modeled threats? Are alternative procedures already available? If not, examine whether alternative procedures are required in the event a threat arises. When considering alternative procedures, work with stakeholders to develop processes and controls that do not exceed the value of the assets being protected.

With current processes and controls, as well as the BIA and any alternative processes developed, the organization should have what it needs to finalize its BCP.

Organizations that follow this step-by-step process will find themselves well prepared to face future risks of all kinds — those that are easily foreseen and those that are less obvious.