How to Support a Risk-Based BCDR Program without Spending More
Steven Minsky | Sept. 20, 2018
Emergency situations like natural disasters, data breaches, fraud, and the like arise, by definition, without warning, leaving you little to no time to prepare. So how do you build a BCDR plan that is flexible to handle any situation and is always up to date without huge investments?
The hallmark of a successful BCDR program is leveraging the information you already have to discover the potential impact and remediation tactics for an anticipated disaster. So, if you’re collecting information around your organization, you’re halfway done building a BCDR program.
I’ll take you through the benefits and the steps to leveraging your ERM tool to flexibly prepare for emergency situations.
How Can You Create a BCDR Program Without Extra Cost?
I want to share a real example with you of how one governance area can efficiently contribute to business continuity planning without incurring additional costs.
In anticipation of a category 5 hurricane, one of LogicManager’s customers asked us what they could do to understand their risk exposure and make plans in just four short days. Because they already used the system for their vendor management program, the advisory team was able to give them the critical information they needed to prepare for the storm. The team was able to show them that even though their headquarters did not lie in the storm’s path, that didn’t mean they weren’t at risk.
Within their ERM tool, this customer housed a repository of the vendors they contract with, along with a host of information about each vendor: what services and products it provides for them, where it is located, which business processes and procedures it is linked to, and how critical it is to carrying out the organization’s day-to-day business.
Because this information already existed in one centralized location, the organization could pull a couple of key reports to give them some insight into how much this storm was going to affect their business from a third-party perspective.
They were able to instantly generate a map detailing where each vendor was located, the location of the data centers holding their key operational data, the risk liability arising from each vendor’s operations, and the recovery time requirement before that risk liability would impact their own operations.
Since all this data was already collected as part of their standard vendor procurement and contract management process, they had all the data they needed to drill down into the vendors who would be affected and look at the impact each vendor would have on the organization if the storm rendered them unable to provide their usual services or products.
Also loaded into the system was due diligence the organization had already done on expected downtime and recovery plans for each vendor, so they had an idea of what to expect in this scenario.
From there, the customer was able to design plans of action in the event a vendor was not available to them.
As you can see, the example above wouldn’t have been possible if the customer had not taken an integrated approach to vendor management. That is what makes a risk-based approach to any governance area so valuable: the information collected for one program can easily be reused to support other governance programs, and in this case it dramatically reduced the cost of the BCDR program.
Here are some steps you can take to make your risk-based vendor management, cybersecurity, and other governance processes transferable to a BCDR program:
- Document an inventory of organizational resources such as assets, applications, vendors, and business processes in one centralized repository.
- Use standardized assessments to understand the criticality of each organizational resource so you can prioritize appropriately in the event of an oncoming threat.
- Use a taxonomy to help you map organizational resources to each other. By connecting policies, assets, applications, data, and business processes together, you can quickly see how a threat will impact a certain area of the business.
- Implement a central communication system where different process owners and third parties can notify each other of affected business areas, report incidents, and assign out tasks in the event of a disaster.
- Configure a flexible and consolidated reporting structure that allows you to examine risk from a very high level or drill down into different facets of your business, like strategic goals or initiatives impacted by certain risks.
If you approach any governance area with these steps in mind, you’ll be well on your way to supporting your BCDR program while dramatically reducing the time and cost of starting from square one: the process owners who already maintain this information for their own programs are the many hands that keep your BCDR plan up to date.
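The storm scenario above and the five steps just listed come down to one data model: a centralized inventory of resources, a criticality score and a recovery time objective (RTO) for each, and a mapping from vendors to the business processes that depend on them. The following script is an added illustration of that model, not code from LogicManager or its platform; the vendors, regions, scores and RTOs are constructed sample data. Given the regions in an event’s path, it lists the exposed vendors in the order their loss would bite and flags the processes that have no unaffected alternative supplier, which is exactly the drill-down the customer needed in four days.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Vendor:
    """One entry in the centralized vendor inventory (step 1 above)."""
    name: str
    office_region: str        # region the vendor delivers its service from
    data_center_region: str   # region where the data it holds for us lives
    criticality: int          # standardized assessment score, 1 (low) to 5 (critical)
    rto_hours: int            # hours the business can run without this vendor
    processes: tuple          # business processes that depend on this vendor (taxonomy links)


# Constructed sample inventory: hypothetical vendors and regions, not real customer data.
VENDORS = (
    Vendor("Payroll Processor", "FL", "FL", 5, 24, ("Payroll",)),
    Vendor("Cloud Hosting", "VA", "FL", 5, 4, ("Customer Portal", "Order Management")),
    Vendor("Office Supplies", "FL", "FL", 1, 168, ("Facilities",)),
    Vendor("Backup Hosting", "OR", "OR", 4, 8, ("Customer Portal",)),
)


def vendors_in_path(vendors, affected_regions):
    """Vendors exposed to the event: either their operations or the data center
    holding our data sits in an affected region. A vendor headquartered outside
    the path is still exposed if it hosts our data inside it."""
    affected = set(affected_regions)
    return [v for v in vendors
            if v.office_region in affected or v.data_center_region in affected]


def prioritize(vendors, affected_regions):
    """Exposed vendors ordered by how soon their loss hurts: shortest RTO first,
    ties broken by higher criticality score."""
    exposed = vendors_in_path(vendors, affected_regions)
    return sorted(exposed, key=lambda v: (v.rto_hours, -v.criticality))


def single_points_of_failure(vendors, affected_regions):
    """Processes for which every supporting vendor is exposed, paired with the
    tightest RTO among those vendors. These are the processes that need a plan
    of action before the event, because no unaffected alternative exists."""
    exposed = {v.name for v in vendors_in_path(vendors, affected_regions)}
    by_process = defaultdict(list)
    for v in vendors:
        for process in v.processes:
            by_process[process].append(v)
    spof = []
    for process, providers in by_process.items():
        if all(v.name in exposed for v in providers):
            spof.append((process, min(v.rto_hours for v in providers)))
    return sorted(spof, key=lambda item: (item[1], item[0]))


if __name__ == "__main__":
    storm_path = {"FL", "GA"}  # constructed: regions the forecast track crosses
    print("Exposed vendors, most urgent first:")
    for v in prioritize(VENDORS, storm_path):
        print(f"  RTO {v.rto_hours:>4}h  criticality {v.criticality}  {v.name}")
    print("Processes with no unaffected supplier:")
    for process, rto in single_points_of_failure(VENDORS, storm_path):
        print(f"  {process}: must be restored within {rto}h")
```

Note that "Customer Portal" does not appear as a single point of failure even though its primary host is exposed, because the inventory records a second supplier outside the path; that is the kind of answer only the vendor-to-process mapping can give, and it is why the mapping has to be maintained as part of routine procurement rather than built during the emergency.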
What If I Already Use a Risk-Based Approach for BCDR?
It might be the case that you already take a risk-based approach to BCDR and are still wondering what extra steps you can take to prepare in the case of a natural disaster or other emergency event. Here’s what I recommend:
Resources – Make sure government resource contacts are available for each of your offices for compliance and assistance. It can always help to have printed copies of important phone numbers as well as BCDR plans and procedures.
Communications – Have a communication plan available to your employees outlining specific steps of what will happen in different scenarios and how to access your information.
Coordinate – Use your platform to report incidents and communicate in emergency situations if your internal email system or other communication tools go down.
Refresh – Make sure the contact information of critical personnel and vendors is up to date. Remind infrequent users how to access the system.
Prepare – Review recovery time objectives (RTOs) for critical processes and applications ahead of time so that if an outage occurs, you already know what to prioritize.
Reflect – Use Incidents to track points of friction, confusion, or failure throughout the process so when things calm down, you can appropriately update exercises and plans as needed.