Q1 What Exactly Is BCP?

By Him Shun Yu

Even with the recent easing of Covid-19 measures, many people continue to stay at and work from home. Some of you may ask: “What can I do to prepare for the next black swan event and protect my business from disruption?” If you wish to learn about Business Continuity Planning, particularly within the context of China and the HKSAR region, then this article may be helpful to you.

A Business Continuity Plan (BCP) is a written document that guides how a business should operate during an emergency, so that potential threats are prevented from disrupting your business and any disruptions that do occur are mitigated.

The threats that a BCP aims to address can be anything from data breaches and office fires to changes in local policy that affect your work.

Q2 What Are The Basic Elements Of BCP?

1. Contact Information and Service Level Agreements. This includes the stakeholders, key personnel, emergency responders and managers. Compose a key contact list so that you are aware of all relevant parties and their individual duties, and ensure all your contracts are in order.

  • Service Level Agreements are commitments between parties, for example, you and a service provider, that clarify each party’s responsibilities for reporting faults, paying fees and other tasks so that services can be restored.

2. Business Impact Analysis. What are the consequences of the disruption you are trying to mitigate? Can you meet client expectations with reduced manpower?

  • This includes expenses, legal exposure, revenue losses, customer service and reputation damage. Identify the acceptable Recovery Time Objectives and the acceptable amount of data loss.

3. Risk Assessment. Here you identify and evaluate potential risks to your organization and which assets are at risk. You can quantify this further by assessing the probability and magnitude of each hazard and the vulnerability of the assets it affects, and by listing the assets at risk.

4. Critical Function Identification. You should also consider which main processes are critical to keeping your business running in a state of emergency. These processes can be time sensitive, so focus your efforts on the most urgent processes first. How long will it take to recover these systems if they fail? By whom? Ensure that your team understands the roles of those they work with within the BCP.

5. Communications. What is your crisis communication strategy? What lines of communication will you use? Will it work in the scenarios that you are planning for?

6. Testing. Having a bad plan can be as bad as having no plan. Routinely test and practise your emergency strategy to identify weaknesses, improve your policy based on the results, and see what is realistically achievable.
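As an added illustration of items 2, 3 and 4 above (this is example code written for this article, not a tool from the author or from Stone Compass), the following script performs a small business impact analysis: it scores each function by probability times magnitude, orders recovery by Recovery Time Objective and risk, checks whether the current backup interval actually satisfies each function’s acceptable data loss (its Recovery Point Objective), and flags functions that only one person knows how to recover. All function names, hours and scores are constructed for the example.

```python
"""
Added example (not part of the original article): a minimal business impact
analysis (BIA) helper for a BCP workshop.

Assumptions (constructed for this example, not data from the article):
  - impact and likelihood are scored 1 (low) to 5 (high)
  - RTO = maximum tolerable downtime, RPO = maximum tolerable data loss,
    both in hours
  - a backup taken every N hours can lose up to N hours of data, so the
    backup interval must be no longer than the RPO
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class BusinessFunction:
    name: str
    rto_hours: float               # maximum tolerable downtime
    rpo_hours: float               # maximum tolerable data loss
    impact: int                    # 1 (minor) .. 5 (severe) if unavailable
    likelihood: int                # 1 (rare) .. 5 (frequent) for the hazard
    backup_interval_hours: float   # how often this function's data is backed up
    owners: tuple[str, ...]        # people trained to run the recovery task


def risk_score(f: BusinessFunction) -> int:
    """Probability times magnitude, as in the Risk Assessment step."""
    return f.impact * f.likelihood


def recovery_order(functions: list[BusinessFunction]) -> list[str]:
    """Most urgent first: shortest RTO, then highest risk score."""
    ranked = sorted(functions, key=lambda f: (f.rto_hours, -risk_score(f)))
    return [f.name for f in ranked]


def rpo_gaps(functions: list[BusinessFunction]) -> dict[str, float]:
    """Functions whose backup interval is longer than the data loss they can tolerate."""
    return {
        f.name: f.backup_interval_hours
        for f in functions
        if f.backup_interval_hours > f.rpo_hours
    }


def single_points_of_failure(functions: list[BusinessFunction]) -> list[str]:
    """Functions that only one person can recover (absence of that person stalls the plan)."""
    return [f.name for f in functions if len(f.owners) < 2]


def bia_report(functions: list[BusinessFunction]) -> dict:
    """Bundle the three checks so the result can be reviewed or tested as one object."""
    return {
        "recovery_order": recovery_order(functions),
        "rpo_gaps": rpo_gaps(functions),
        "single_points_of_failure": single_points_of_failure(functions),
    }


# Constructed sample inventory for an imaginary SME.
SAMPLE_FUNCTIONS = [
    BusinessFunction("Order processing", 4, 1, 5, 3, 24.0, ("alice", "bob")),
    BusinessFunction("Payroll", 72, 24, 3, 2, 24.0, ("carol",)),
    BusinessFunction("Customer email", 4, 4, 4, 4, 1.0, ("dan", "erin")),
    BusinessFunction("Marketing website", 24, 168, 2, 3, 168.0, ("frank",)),
]


if __name__ == "__main__":
    report = bia_report(SAMPLE_FUNCTIONS)
    print("Recovery order:", " -> ".join(report["recovery_order"]))
    for name, interval in report["rpo_gaps"].items():
        print(f"RPO gap: {name} is backed up every {interval}h, which exceeds its RPO")
    for name in report["single_points_of_failure"]:
        print(f"Single point of failure: only one person can recover {name}")
```

In the sample data, "Customer email" and "Order processing" share the shortest RTO, so the higher risk score decides which is restored first; "Order processing" tolerates one hour of data loss but is only backed up daily, which is exactly the kind of mismatch a BIA should surface before an incident rather than during one.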

You can think of a BCP as an insurance policy: in the worst-case scenario, it lets you minimize the impact on your operations and revenue. Small enterprises have fewer resources to cope with change than larger ones. In times of uncertainty, SMEs should hold off on investments and instead focus on finding the most cost-effective measures.

One example is routine patching of online systems and security controls, which needs few human resources but mitigates some of the most severe threat scenarios, such as ransomware attacks. A BCP can help you identify such cost-effective measures that require minimal investment.

Scenario 1: Your company suffers a data breach that wipes out critical information required for regular operations. An excessive amount of time is spent trying to recover as much information as you can, and functions are restored in a haphazard order. Some attempts fail because the functions were time sensitive, and this causes many problems with delivering your services on time. As a result, revenue that month is lower than usual.

Scenario 2: The same data breach occurs, but this is one of the possibilities you have planned for in your BCP.

Because you have previously identified the critical functions required to restore operations and the time needed to restore them, you manage to do so with minimal fuss. Your key personnel immediately perform their allocated tasks. Because of patches you implemented earlier, the attack is not as damaging as it could have been.

Furthermore, your business regularly backs up all data to a remote server, so data loss is minimized. IT support is able to cope with the increased workload, and your service level agreements are fulfilled in a timely manner. Your insurance also covers any losses of digital assets caused by the breach, and your clients’ requests are met despite reduced manpower.

Hence you can see why a BCP can be helpful. However, many SMEs do not put BCPs in place because they believe they do not have enough resources to document and execute such a policy. However, BCP scope is not affected by business size, and 

Of course, the BCP for each hazard will be different. If your business involves manufacturing, you would need to shift production to alternate facilities, and so on, but the general principles are to ensure that damage is limited and critical processes are prioritized.

Q3 Why Do I As A Small/Medium Enterprise Owner Need A BCP Policy?

Q4 What Success Factors And Metrics Are Required For A Good BCP Policy? What Solutions Can I Prepare?

Q5 How Would BCP Help Companies Amidst Disasters or Pandemics Such as Covid-19?

Now that you know the basic components of a BCP, here are several factors to ensure your BCP policy is robust:

1. Conduct a pre-scope interview to clarify your vision and translate your critical business components into risk impacts. This also helps auditors create a BCP and an integrated audit approach that complements your vision.

2. Are there multiple staff members able to perform each key task? This ensures your organization isn’t handicapped by the absence of any one individual. Make sure collaboration between different departments, such as cybersecurity and executive management, is clearly delineated. Different professions have different vocabularies and approaches, and mutual comprehension is critical.

3. Create a broader risk mitigation policy. Accept unavoidable risks, avoid unnecessary risks where you can, transfer responsibility externally if possible, and reduce the impact where practical. Are all the key components that your business needs insured?

  • What is covered by your policy? The type of insurance you need will differ depending on your business. For example, if you sell a physical product, product liability insurance will be needed to protect you.

4. Keep in mind that a return to normal may not be the best way forward, as shown through how many customers changed their preferences during the pandemic and how new remote working solutions have been found to be more cost-effective. Constantly adapt to consumer needs and focus on employee well-being.

5. Has your BCP been reviewed by an audit team for deficiencies? What about the contracts you have in place? Review is important to ensure your plan adequately covers your business, and it is a key part of business system readiness – how prepared your business is if a threat were to appear. It can be said that business continuity is more a mindset than a set of directives.

Following the outbreak of the pandemic, businesses have identified key actions that allow them to improve their operational continuity strategies and introduce new means of ensuring they can continue operating. Whereas before many might have dismissed the possibility of a pandemic as quite low, now many organizations are more vigilant and take potential threats to their business operations more seriously.

One key feature is planning for different time frames in their BCPs, depending on the results of their business impact analysis (BIA). For instance, looking at pandemic restrictions in China and Hong Kong, one common problem was restrictions on travel and face-to-face working, together with their legal implications.

Hence one solution was to develop remote work strategies: adjusting how employees work, ensuring they have access to data on cloud-backed solutions, and converting physical documents to digital form where needed.

Furthermore, another problem was the inability of executives to enter the country to sign documents. Solutions used included appointing local managers with the power to enter into contracts, or transferring these responsibilities to a licensed third-party service provider.

Keep in mind that the threat landscape has evolved accordingly: new solutions also create new security gaps, as seen with remote working and ransomware. Organizations that continue to develop their capabilities, rather than trying to force a return to the past, will be more versatile in the future.

Have a question? Please get in touch with us for a consultation at info@stone-compass.