Who is the ideal person to approve an organization’s business continuity plan?

- [Instructor] Business continuity planning is one of the core responsibilities of the cybersecurity profession. Business continuity efforts are a collection of activities designed to keep a business running in the face of adversity. And this adversity may come in the form of a small scale incident such as a single system failure or a catastrophic incident such as an earthquake or tornado. The focus of business continuity is keeping operations running. And because of this, business continuity planning is sometimes referred to as continuity of operations planning or COOP. While many organizations place responsibility for business continuity with operational engineering teams, business continuity is a core security concept because it's the primary control that supports the security objective of availability. Remember, that's one of the big three objectives of information security, confidentiality, integrity and availability. When an organization begins a business continuity effort, it's easy to quickly become overwhelmed by the many possible scenarios and controls that the project must consider. For this reason, the team developing a business continuity plan should take the time upfront to carefully define their scope. They should answer questions like, what business activities will be covered by the plan? What type of systems will the plan cover? And what types of controls will it consider? The answers to these questions will help make critical prioritization decisions down the road. Continuity planners use a tool known as a business impact assessment or BIA to help make these decisions. The BIA is a risk assessment that uses a quantitative or qualitative process. It begins by identifying the organization's mission essential functions and then traces those backwards to identify the critical IT systems that support those processes. 
Once planners have identified the affected IT systems, they then identify the potential risks to those systems and conduct their risk assessment. The output of a business impact assessment is a prioritized listing of risks that might disrupt the organization's business such as the one shown here. Planners can use this information to help select controls that mitigate the risks facing the organization within acceptable expense limits. For example, notice the risks in this scenario are listed in descending order of expected loss. It makes sense to place the highest priority on addressing the risk at the top of the list, hurricane damage to a data center. But the organization must then make decisions about control implementation that factor in costs. For example, if a $50,000 flood prevention system would reduce the risk of hurricane damage to the data center by 50%, purchasing that system is probably a good decision because it has an expected payback period of less than one year. In a cloud-centric environment, business continuity planning becomes a collaboration between cloud service providers and the customer. For example, the risk of a hurricane damaging a data center may be mitigated by the service provider building a flood prevention system but it also may be mitigated by the customer choosing to replicate a service across data centers, availability zones and geographic regions.
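The prioritization and cost-benefit reasoning the instructor describes is the standard quantitative BIA model: each risk gets a single loss expectancy (SLE) and an annualized rate of occurrence (ARO), their product is the annualized loss expectancy (ALE), risks are ranked by ALE, and a control is justified when the annual loss it avoids repays its cost quickly enough. The following Python is an added example, not code from the course; the risk names, dollar figures and frequencies are constructed so that the flood-prevention case works out as the transcript states (payback under one year), and the one-year payback horizon is an assumption.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One BIA line item in the quantitative model."""
    name: str
    sle: float   # single loss expectancy: dollar cost of one occurrence
    aro: float   # annualized rate of occurrence: expected events per year

    @property
    def ale(self) -> float:
        """Annualized loss expectancy = SLE x ARO (expected dollars lost per year)."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    """A mitigating control with a one-time cost and the share of a risk's ALE it removes."""
    name: str
    cost: float        # one-time purchase / implementation cost in dollars
    reduction: float   # fraction of the risk's ALE eliminated, 0.0 .. 1.0


def rank_by_expected_loss(risks):
    """Return the prioritized BIA list: risks sorted by descending ALE."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


def payback_years(risk: Risk, control: Control) -> float:
    """Years until the control's annual avoided loss repays its cost.

    Returns infinity when the control avoids no loss, so callers never divide by zero.
    """
    annual_avoided_loss = risk.ale * control.reduction
    if annual_avoided_loss <= 0:
        return math.inf
    return control.cost / annual_avoided_loss


def worth_buying(risk: Risk, control: Control, horizon_years: float = 1.0) -> bool:
    """Accept the control if it pays for itself within the planning horizon (assumed 1 year)."""
    return payback_years(risk, control) <= horizon_years


# Constructed sample data for illustration only (not from the course).
SAMPLE_RISKS = [
    Risk("Hurricane damage to data center", sle=2_000_000, aro=0.06),   # ALE 120,000
    Risk("Ransomware outbreak on file servers", sle=400_000, aro=0.25),  # ALE 100,000
    Risk("Prolonged ISP outage at headquarters", sle=30_000, aro=2.0),   # ALE  60,000
    Risk("Single SAN controller failure", sle=15_000, aro=1.5),          # ALE  22,500
]

# The control from the transcript: $50,000, halves the hurricane risk.
FLOOD_PREVENTION = Control("Flood prevention system", cost=50_000, reduction=0.5)


def bia_report(risks, control: Control, horizon_years: float = 1.0) -> str:
    """Render the ranked list and evaluate the control against the top-ranked risk."""
    ranked = rank_by_expected_loss(risks)
    lines = [f"{r.name:<40} ALE ${r.ale:>12,.0f}" for r in ranked]
    top = ranked[0]
    years = payback_years(top, control)
    verdict = "recommended" if worth_buying(top, control, horizon_years) else "not justified"
    lines.append(f"{control.name} vs '{top.name}': payback {years:.2f} years -> {verdict}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(bia_report(SAMPLE_RISKS, FLOOD_PREVENTION))
```

With these figures the hurricane risk ranks first, the $50,000 system avoids $60,000 of expected loss per year and pays back in about 0.83 years, while the same control applied to the ISP-outage line would take roughly 1.67 years and fall outside a one-year horizon. Swapping in real SLE/ARO estimates from your own BIA is the only change needed to use it on a live plan.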


A business continuity plan (BCP) is a system of prevention and recovery from potential threats to a company. The plan ensures that personnel and assets are protected and are able to function quickly in the event of a disaster.

Key Takeaways

  • Business continuity plans (BCPs) are created to help speed up the recovery of an organization following a threat or disaster. The plan puts in place mechanisms and functions to allow personnel and assets to minimize company downtime. BCPs cover all organizational risks should a disaster happen, such as flood or fire.  

    When we talk to businesses about their business continuity program and business continuity plans, we get asked everything from "What is one?" to far more granular questions. At the most basic level, many businesses do not understand that a business continuity plan, or BCP, is fundamentally different from a disaster recovery plan: the former is focused on keeping your business running through a disruption, while the latter is focused on resuming and recovering technology applications and infrastructure after a major technology disruption occurs. The more granular questions include:

    • What are the important roles in a business continuity program and plan?
    • What do those roles and responsibilities mean?
    • How do these roles interrelate?
    • How do we ensure we place the right people in each role?

    As risk management and business continuity planning experts, Bryghtpath helps companies cut through all this confusion and get clear about the path to business continuity planning success.


    The Unexpected Benefits of a Good Business Continuity Program

    First, let’s take a step back to examine the “Why?” of business continuity planning. Why should you have an established business continuity program? If the pandemic has taught us anything, it’s that the unexpected CAN and absolutely WILL happen.

    One particular client of ours shared a debrief of their experience and how having a solid business continuity program and plans were critical to their response.

    Their plan, like many others, was centered on a geographical redistribution of work based upon a potential region-wide disruption: "If operations are disrupted in Manila, we shift them to India. And if things get really bad, we bring it back to our operations center in the U.S."

    When the pandemic hit, the same problem was shared by many—geographical redistribution was not a viable option because everyone was faced with the same pandemic-centered disruptions and restrictions.

    Fortunately, although their business continuity plan did not anticipate a global disruption such as the COVID-19 global pandemic, our client’s process of planning and responding to prior disruptions had exercised the organizational muscles they needed to quickly think of and implement new solutions. As a result, their pandemic response was swift and business carried on in the ‘new normal’ despite the disruption.

    In debriefing the pandemic response ourselves, we discovered that our best-prepared clients were the ones who had a mature business continuity program in place. Not necessarily because they were able to pull from existing plans (because nobody expected the entire supply chain to be shuttered overnight, for example) but because the preparedness of their organization allowed them to respond beyond their standard disruption scenarios in a calm and organized fashion.

    As a result, they could quickly react to a complex situation and shift operations in response—even if that situation didn’t exactly fit the prepared scenarios in their plan.

    As the pandemic response demonstrated, the value of a good business continuity program goes far beyond responding to anticipated disasters and more pedestrian objectives, like aligning to ISO 22301 and other common BCP standards. A solid business continuity program forms the foundation of organizational resilience. That resilience is now paramount for businesses to thrive, let alone survive, in response to the unlikely disruptions of our new normal.


    Business Continuity Program Roles and Responsibilities

    One of the first steps in establishing a good business continuity program is to define and assess key roles and responsibilities. In other words, what does each role really mean and does everyone have an agreement about the function and responsibilities for each?

    Although we usually have recommendations for what these roles and responsibilities should look like, every business will have a slightly different approach based on their particular organization’s structure and corporate culture. Against this backdrop, we typically assess each business’s current organizational structure and who is assigned against each role.


    We break down some of the most common roles and responsibilities below.

    Board of Directors

    Every board member has a fiduciary duty to exercise strategic-level visibility and oversight over business continuity planning and progress. Importantly, the board sets the foundation for continuity planning success by promoting a company culture that recognizes the value of managing risk well.

    Audit or Risk Committee

    Specific board oversight and strategic level visibility is typically delegated to the board’s risk or audit committee, as outlined in the committee charter. Sometimes another committee has this responsibility such as an operations or governance committee.

    Executive Management

    Each member of the executive team retains ultimate oversight and responsibility for continuity planning in their specific area of operations.

    Executive Sponsor

    One or two persons at the executive level (typically the general counsel, COO, CIO, CTO, or a C-Suite appointee) act as executive sponsors. They have direct oversight of the continuity planning program and usually chair the business continuity steering committee. They oversee the day-to-day management of business continuity planning activities at a tactical level and advocate for the program, as necessary, within the organization.

    Business Continuity Steering Committee Members

    The business continuity steering committee—usually an interdisciplinary team of six to eight people—meets quarterly or annually to ensure the business continuity program is aligned to corporate strategy and objectives and is maturing and making forward progress towards annual goals.

    Business Continuity Program Manager

    The business continuity program manager has direct oversight and responsibility for business continuity program operations, reporting, and day-to-day activities. They manage and set the programmatic expectations that guide business unit leaders and business continuity planners in writing their continuity plans.

    Business Continuity Team Members

    Team members execute day-to-day BCP planning activities under the direction of the business continuity program manager.

    Business Continuity Plan Owners

    Business unit leaders (e.g., payroll, corporate travel, physical security, information security, HR) are responsible for creating their respective unit's business continuity plan under the guidance of the program manager.

    Business Continuity Planners

    Business unit plan owners often delegate business continuity planning activities to internal team members, or what we call “business continuity planners.” They pull from their business unit area expertise and knowledge to write the continuity plan for their respective business unit.


    3 Keys to Continuity Program and Planning Success


    1. Board-level commitment.

    Even before the pandemic, we found that many of our clients came to us with a clear board mandate to implement or improve their business continuity plans and program. But equally important to board-level buy-in is the board's demonstrated commitment to an effective business continuity program that is focused on continual improvement.

    Like any corporate-wide effort, the success of your business continuity program efforts largely rests on company-wide buy-in. And that buy-in begins at the top. That’s why it’s critical for your board and executive leadership to have continued high-level involvement in continuity planning efforts and to model the importance that continuity planning plays in managing risk.

    2. Steering committee members who get the “big picture”.

    Steering committee members should understand the importance of continuity planning and commit to doing it effectively. Critical thinking skills and a big picture perspective are also critical to this role. Steering committee members should not only well-represent their area of responsibility, but also have the ability to think horizontally across organizational silos and understand the interdependencies of processes and people within the organization.

    Serving on the business continuity steering committee is also an excellent growth opportunity for mid-level leaders with senior leadership potential. It provides the opportunity for both strategic and operational insights, along with developing risk-management expertise.

    3. Business unit ownership over plan creation.

    One mistake we often see is program managers or continuity team members being tasked with writing the business continuity plans for each business unit. However, it is the business unit plan owners who are closest to the business, so it is critical that business continuity plans align well with their day-to-day leadership and management responsibilities. As a result, it is important that the actual plan creation, including writing, editing, and revising, is done by the business unit that will put the plan into action.

    Ideally, each business unit leader will exercise direct oversight and responsibility using his or her knowledge of their department to make sure their business continuity plan is completed and carried out. The actual “doing” of creating the plan is sometimes delegated to business unit team members. The ideal team member for this task should understand their function well, be organized, and be able to collaborate well with others in the organization to execute planning activities.

    How can we help establish your business continuity program roles & responsibilities?

    Well-defined and understood business continuity program roles and responsibilities can help you hum through your next disruption. If you still have more questions than answers about business continuity planning and business continuity programs in your business, we would love to help.

    Bryghtpath works with the world’s leading brands, public sector agencies, and nonprofit organizations to strategically navigate uncertainty and disruption.

    What is the role of business continuity plan in risk management?

    Business continuity plans (BCPs) are created to help speed up the recovery of an organization following a threat or disaster. The plan puts in place mechanisms and functions to allow personnel and assets to minimize company downtime. BCPs cover all organizational risks should a disaster happen, such as flood or fire.

    What is risk in business continuity?

    Business continuity risk refers to threats that disrupt the functioning of a business. These threats may be any untoward incidents or disasters that negatively impact an organization.

    What domain is BCP Cissp?

    BCP is covered in several domains of the CISSP certification exam: Domain 1, task 1.8 (Identify, analyze, and prioritize Business Continuity (BC) requirements), and Domain 6, task 6.3 (Collect security process data, e.g., technical and administrative, including disaster recovery (DR) and business continuity (BC)).

    What principle states that an individual should make every effort to complete his or her responsibilities in an accurate and timely manner?

    The due diligence principle is a more specific component of due care that states that an individual assigned a responsibility should exercise due care to complete it accurately and in a timely manner.