BCP, as easy as ABC?

Dec 2, 2024 | Incident Response

A Business Continuity Plan (BCP) is a strategic playbook created to help an organisation maintain or quickly resume business functions in the face of disruption. (Pratt, Tittel, Lindros, 2023)

Be honest now. Who really has a truly effective Business Continuity Plan in 2024? Not the compliance-driven plan that has not been reviewed or tested properly for years. Or the “oh no, this supplier questionnaire is asking for a BCP… quick, write one” plan that won’t be much help in reality. Who has an effective plan that will be genuinely useful to their organisation in a time of crisis? Not many organisations do and it’s understandable. We are not aiming to criticise anybody’s hard work here. We get it. To put it mildly, the sheer number of items on any organisation’s to-do list, combined with budget and resource constraints, often leads to things like Business Continuity Planning being deprioritised. Not to mention the current rate of technological change. Constraints aside, everybody agrees that a BCP is a good idea, but where do you start? What does good look like? How do you make sure that it is effective? How do you keep it updated?

This article is the first in a series where we aim to explore those questions and more, based on our experiences of helping organisations to develop plans that will survive first contact with the “enemy”. Every organisation is a little bit different, so we are unlikely to be able to provide all of the answers even across a series of articles. So our secondary aim is to start a dialogue across industry to begin to provide clarity on how most, if not all, organisations should approach Business Continuity Planning properly and effectively in the third decade of the 21st Century. In this article, the first in the series, we will establish some straightforward principles that we will build upon in later releases.

That quote, referenced above, by Field Marshal Helmuth von Moltke, is a great place to start. “No plan survives contact with the enemy”… so why plan?

Principle 1 – Why plan in the first place?

Helmuth von Moltke has been consistently misquoted over the years. He didn’t say “no plan survives contact with the enemy” (principle 1.5, never trust a quote!). He said (translated from German) “…no plan of operations reaches with any certainty beyond the first encounter with the enemy’s main force…” (Großer Generalstab, 1883). Moltke believed that plans rarely go smoothly and that having multiple strategies in place is important. He was a meticulous planner who emphasised the importance of practice and learning how to react to different situations. So it is time we all stopped using him as an excuse to avoid proper planning!

The key to success is to have a team of people who are trained to be adaptable whilst being tuned to achieve the necessary goal. Often, the sense that planning in advance will lead to a lack of flexibility is used as an excuse to avoid planning. Whilst inflexibility is often a deciding factor during a crisis because it leads to missed opportunities, flexibility is not hindered by planning. In fact, effective prior planning leads to greater flexibility because, when executed correctly, it helps organisations to use their resources more effectively. Proper planning provides direction, reduces uncertainty and improves creativity. All critical elements during a crisis. Ultimately, the British Army, amongst others, had it right: Proper Planning and Preparation Prevents Pitifully Poor Performance (Mulford, 2020).

Principle 2 – Some preparation is better than no preparation.

Planning for an incident that may never happen is a recipe for avoidance. In our experience, the perception that the resources required to prepare are excessively taxing tends to stunt progress. Why spend time putting a BCP together when you already have 1,000 other things to do? It is important to recognise that it is unlikely that you will ever be completely prepared for compromise. However, that is not an excuse for inaction. Getting started is often the hardest part.

But how do you start? Our advice is to start small. Rome wasn’t built in a day and nor will your BCP. Even the smallest action now could have a major impact during a crisis down the line. In our experience, considering how you will communicate during a crisis is a strong place to begin. How will you communicate with your customers and key stakeholders? Who will lead if the CEO and COO are uncontactable on a long flight? What about disseminating messages to your own staff? Coordinating communications won’t be easy if your primary means of collaboration is offline. Without effective communication, chaos ensues, and wasted time leads to missed opportunities during crisis response. Get your communications right and the rest becomes easier. A big benefit here is that once you have a communications plan sketched out, it often leads you to identify other opportunities to prepare.

Another approach that we have found to be highly effective is to take an Adversary Simulation-led approach. Adversarial simulations replicate the tactics, techniques and procedures (TTPs) used by advanced threat actors and help to assess your susceptibility to an authentic and realistic targeted attack. Applying an Adversary Simulation-led approach to compromise preparation drastically reduces the scope of items you need to address to prepare for compromise. In effect, this means you don’t need to give your canteen menu the same level of assurance as Personally Identifiable Information (PII) or your other ‘crown jewels’. You may not be able to defend every ‘village’, but you can watch every ‘road’ (attack path).

Principle 3 – The simplest things are usually the most effective

Leonardo Da Vinci once said “simplicity is the ultimate sophistication”. As beautiful as that quote is, there’s actually no evidence of Da Vinci ever saying it. It was first attributed to him in a Campari advert in the early 2000s! (Sullivan, 2015). Nevertheless, when applied to Business Continuity Planning in particular, it is a key principle. The simplest things you can do to prepare are usually the most effective in a crisis.

Disaster Recovery plan stored on your company SharePoint? It won’t be much good to you there if your entire infrastructure is taken out. Print a copy and put it somewhere safe (ideally somewhere fireproof; that’s a war story for another time). Completely reliant on Microsoft Teams for inter-company communications? Put at least your most critical contacts in the phonebook on your mobile phones. Completely reliant on your finance systems to process transactions? Ensure your people can access your banking securely via alternative means. Those were just a few small examples to illustrate the point. You will have many small things you can do that will have a big impact during a crisis. It is a mistake to assume everything you do during Business-As-Usual will be there during a crisis. Do not miss the opportunity to prepare for that effectively.

This article is just our starting point to introduce some key principles. Next time we will address the equally important topic of people, and how to ensure your BCP process resonates with them. Look out for the next edition in the new year.

References

    1. Pratt, Tittel, Lindros (2023). How to create an effective business continuity plan. CIO.com. https://www.cio.com/article/288554/best-practices-how-to-create-an-effective-business-continuity-plan.html
    2. Großer Generalstab (1883). Kriegsgeschichtliche Einzelschriften. Mittler und Sohn.
    3. Mulford, A (2020). Repurposing the 7Ps. nature.com. https://www.nature.com/articles/s41415-020-1724-2
    4. Sullivan, G (2015). Simplicity is the Ultimate Sophistication. quoteInvestigator.com. https://quoteinvestigator.com/2015/04/02/simple/

Disclaimer

The information provided on this website is to be used for educational purposes only. The author is in no way responsible for any misuse of the information provided. Any actions and or activities related to the material contained within this website is solely your responsibility.
