The Value of BUSINESS CONTINUITY
By Richard Lee

LINKAGE Q3 (2024) - OPPORTUNITY IN ADVERSITY

Hurricane Beryl sprang to action so quickly you’d think she had a ticket to the Kensington Oval for the ICC World Cup final. The earliest category four hurricane on record is a grim reminder of the need to prepare for the unexpected – whether it be acceleration of familiar natural threats or the re-emergence of levels of pandemia not seen for a century.


Beyond Mother Nature’s wrath there are, of course, mankind’s own monsters to consider – the pervasiveness of cyber-attacks can be considered a pandemic in its own right. The idea that your business may evade the attention of hackers due to its size, location, lack of internet presence, etc. is no longer valid – if indeed it ever was. Cybercrime is systematic, organised and automated to the point where we are all prey.


However, as much as these threats capture the imagination, there are other, more mundane risks which are more present: shocks to the supply chain, economic downturns and internal threats including human error, malevolent actions by disgruntled employees or the sudden unavailability of key personnel without whom the business struggles to function.


With all these risks to consider it may seem daunting to determine the arrangements needed to address them. Furthermore, disaster recovery arrangements are often viewed as a costly and profitless necessity – leading many to largely ignore them or deal with them as expediently as possible. The popular recipe of establishing replicas of all your core IT systems to either a remote site or the cloud provides limited protection if done in isolation and little value to the business.


THE RIGHT APPROACH

The key is in adopting the right approach from the outset – prioritising the above and other risks faced by the business based on their projected impact in terms of loss of revenue, downtime, cost of reputational repair (public relations), loss of customers and/or investors due to bad press and compliance with applicable regulations. This sets the agenda for business continuity.


Formulating the business continuity plan requires a proper understanding of how your business operates. I should stress that it’s an understanding of how your business actually operates rather than how it’s meant to.


There’s a certain economy to the level of effort required for this. A simpler organisation should be able to map its processes relatively easily – especially with the use of a simple process mapping tool which allows for easy collaboration. More complex organisations naturally need a larger investigation but stand to benefit more from it as their risk profile is higher. In such cases process mining tools can be used to automate the discovery not just of how IT services interconnect but also of business processes and how employees carry out their activities. In addition, such solutions allow for the creation of a full model of your business (often referred to as a “digital twin”), allowing for proposed refinements to be simulated with ROI projections.


Regardless of the manner in which it is performed, the insights derived from this effort result in a functional blueprint of the business which facilitates easy identification of vulnerabilities and the practices to mitigate them. This provides a means not only to refine the secondary infrastructure needed for failover but also to optimise and automate your primary architecture and processes – thus driving efficiencies beyond business continuity planning. Framing the effort this way also drives greater engagement from participants in the process and more effective results.


TECHNOLOGY CONTINUITY

Using the business impact analysis and the above model, one can determine key points of technology continuity such as setting appropriate recovery time and recovery point objectives for IT services based on their criticality. Realising these objectives has been aided by advances in data management and replication technology – especially important given the costs associated in the region for network connectivity between geographically dispersed sites and/or the cloud. Customising how data is handled can drive significant savings in the long term.


On the point of data, there are also synergies between business continuity, cyber-resilience and data governance which can be of wider benefit to the business. Data is the lifeblood of business and the primary target of cybercrime. Proper data governance practices can reduce vulnerability not just to hacks but also minimise the effect of human error, limit the impact of malevolent actors within your business and ensure compliance with data regulations. In addition to all this, the proper handling of data creates business opportunity in and of itself – making deeper analytics and automation possible and opening up possibilities such as conversational AI – another way to derive value from continuity efforts.


AI

Artificial Intelligence plays a key role in both the detection and mitigation of risks to the business. Cybersecurity is one of the most effective applications of AI – as the nature of cyber-crime has evolved to avoid detection (yes, they use AI too), the means for detecting a breach go far beyond what traditional anti-malware and endpoint security tools are capable of. Often the only means of detecting a breach is through spotting subtle deviations in the behaviour of IT services, data movement and/or end users. Modern security tools use AI to parse the volumes of information needed to achieve this and are key especially for regulated and data-driven organisations. In addition, there are increasing examples of cyber-secure devices powered by embedded AI – such as storage devices that automatically detect and protect your data from ransomware – eliminating the threat altogether.


ROLES

As important as incident prevention is, so too is incident response – especially with regard to brand and reputational risk. Clear assignment of roles and responsibilities forms the basis of this. The needed structure will vary according to your needs but the following are common roles in an incident response team:
• Incident reporter, who maintains contact information for relevant parties and communicates with business leaders and stakeholders when disruptive events occur.
• DRP supervisor, who ensures that team members perform their assigned tasks during an incident. 
• Asset manager, whose job it is to secure and protect critical assets when a disaster strikes. 
• Third-party liaison, who coordinates with any third-party vendors or service providers you’ve hired as part of your DRP and updates stakeholders accordingly on how the DRP is going.


A proper incident response plan not only minimises the effect of an incident but can in fact demonstrate preparedness and transparency which can bolster a business’ brand.


Looking even more broadly, an enterprise-wide understanding of proper security and business continuity practices and policies is often the key determinant in the success of the plan. Education from the executive level to the entry level is key and there is an increasing wealth of resources available to enable this – from consultative and IT services providers to third-party non-profit security research firms – allowing you to find the tools and resources most suitable for your business.


ABOUT THE AUTHOR

Richard Lee is an Advisory Partner Technical Specialist – Caribbean at IBM World Trade Corporation