Among the most common errors of judgement that I see from company directors is the failure to carry out regular and detailed reviews of their business continuity arrangements. For most boards, the whole discussion is boring. It becomes even more boring when the discussion has to work its way through identification of critical systems and processes, determination of Minimum Tolerable Periods of Disruption and Recovery Time Objectives, as well as identifying threats and vulnerabilities and estimating likelihoods and impacts of external events that might unacceptably disrupt key processes.
Inactions have consequences. DistributeIT.com.au ceased to exist as an independent business because it hadn’t identified the possible impact of a devastating hack attack: it didn’t have adequate offsite backups for the 4,800 websites it hosted. And that’s what business continuity plans are for: to ensure that, as an organisation, you can survive when something terrible happens. You would have thought that an IT company would understand the importance of backups but, again, my experience is that most organisations never actually think through the circumstances in which they might have to recover from their backups and they are therefore never prepared when disaster strikes.
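One way to turn "have we actually thought about recovering from our backups?" into something a board pack can report on is a small review script over the critical-systems inventory. The following is an added example, not code from the original post or from any of the organisations it mentions; it uses the post's own terms (Minimum Tolerable Period of Disruption, Recovery Time Objective) and checks the two things the DistributeIT story turns on: whether an offsite copy exists and whether a restore from it has ever been exercised. The system names, dates and thresholds are constructed for illustration.

```python
"""Business continuity review helper (added example, not the post's own code).

For each critical system it flags the conditions a director should see
before the disaster rather than after it:
  - RTO_EXCEEDS_MTPD      the plan cannot meet the tolerable outage
  - NO_OFFSITE_BACKUP     nothing survives loss of the primary site
  - OFFSITE_BACKUP_STALE  the offsite copy is older than the allowed window
  - RESTORE_NEVER_TESTED  the backup has never been proven restorable
  - RESTORE_TEST_OVERDUE  the last restore drill is too old
All thresholds and inventory records below are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class CriticalSystem:
    name: str
    mtpd_hours: float                     # Minimum Tolerable Period of Disruption
    rto_hours: float                      # Recovery Time Objective
    last_offsite_backup: Optional[datetime]
    last_restore_test: Optional[datetime]
    max_backup_age_hours: float = 24      # assumed acceptable staleness of the offsite copy
    max_restore_test_age_days: int = 90   # assumed interval between restore drills


def review_system(system: CriticalSystem, now: datetime) -> List[str]:
    """Return the list of findings for one system (empty list means no issues)."""
    findings: List[str] = []

    # A recovery objective longer than the tolerable outage means the plan fails by design.
    if system.rto_hours > system.mtpd_hours:
        findings.append("RTO_EXCEEDS_MTPD")

    # Offsite copy: missing entirely, or older than the allowed window.
    if system.last_offsite_backup is None:
        findings.append("NO_OFFSITE_BACKUP")
    elif now - system.last_offsite_backup > timedelta(hours=system.max_backup_age_hours):
        findings.append("OFFSITE_BACKUP_STALE")

    # A backup that has never been restored is an assumption, not a control.
    if system.last_restore_test is None:
        findings.append("RESTORE_NEVER_TESTED")
    elif now - system.last_restore_test > timedelta(days=system.max_restore_test_age_days):
        findings.append("RESTORE_TEST_OVERDUE")

    return findings


def review_inventory(systems: List[CriticalSystem], now: datetime) -> Dict[str, List[str]]:
    """Map each system name to its findings, for inclusion in a board review."""
    return {s.name: review_system(s, now) for s in systems}


# Constructed review date and inventory (not real systems or dates).
REVIEW_DATE = datetime(2024, 3, 1, 9, 0)
SAMPLE_INVENTORY = [
    CriticalSystem("web-hosting", mtpd_hours=48, rto_hours=24,
                   last_offsite_backup=None, last_restore_test=None),
    CriticalSystem("billing", mtpd_hours=24, rto_hours=72,
                   last_offsite_backup=datetime(2024, 3, 1, 2, 0),
                   last_restore_test=datetime(2023, 10, 1)),
    CriticalSystem("email", mtpd_hours=72, rto_hours=8,
                   last_offsite_backup=datetime(2024, 2, 26, 2, 0),
                   last_restore_test=datetime(2024, 2, 10)),
]

if __name__ == "__main__":
    for name, findings in review_inventory(SAMPLE_INVENTORY, REVIEW_DATE).items():
        print(f"{name}: {', '.join(findings) or 'OK'}")
```

The point of the restore-test checks is the one the post makes: a backup nobody has ever restored from is untested, and an inventory that records only "backup exists" will happily report green until the day it is needed.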
The good news, of course, is that there are internationally recognised standards for business continuity management – BS25999 (shortly to be ISO22301) and ISO/IEC 27031 – and there are Business Continuity Management Toolkits to help you with a BCM implementation – but there is no substitute for directors paying attention to what is going on in the risk world around us, and taking appropriate action to survive the unexpected. Right now, of course, being hacked is one of the more likely things to happen – so there really isn’t an excuse for being caught napping on this one!