In 2017, the world saw more cyber-attacks, natural disasters, and active-shooter incidents than in any year on record. For example, in June of 2017, the global law firm DLA Piper went a full day without phones, six days without email, and nearly two weeks without complete access to older email and other documents. This was a wake-up call for many AmLaw 100 firms and corporations across the globe.
Ensuring that employees remain safe and that organizations are truly resilient in the face of cyber-threats is changing the way Information Technology departments support their respective companies. Executive teams are asking “are we ready and prepared for these types of events?” Business continuity and disaster recovery frameworks need to evolve from static “plans” to more of an agile “system.”
A Business Continuity Management System (BCMS) is a framework for identifying an organization’s risk of exposure to internal and external threats. It includes disaster recovery, business recovery, crisis management, incident management, and emergency management. At a high level, it is the combination of people, processes, and systems that ensures the business remains resilient.
A focus on “Business Resilience” is emerging and IT departments are critical to success:
In today’s digital world, IT departments must work with their business and key partners to ensure their business can protect, absorb, recover, and adapt in a complex and rapidly changing environment. Companies that are successful in shifting to this new paradigm are those that hold “tabletop exercises” on a frequent basis. These exercises help test, develop, and improve their company’s BCMS.
What is a tabletop exercise and what are the benefits?
Tabletop exercises are discussion-based events where personnel with roles and responsibilities in a business come together in an informal classroom setting. A facilitator guides participants through a scenario discussion to assess or improve the company’s BCMS and its ability to respond to the scenario and protect the business.
These scenarios may include:
- Natural disaster
- and more
The duration of a tabletop exercise (typically two to eight hours) varies depending on the audience, the topic being exercised, and the exercise objectives. Tabletop exercises are cost-effective tools to validate that a company’s BCMS remains in alignment to protect workers, sources of revenue, and customers’ data.
Tabletop objectives focus on:
- Clarifying roles and responsibilities
- Communications (both internal and external)
- Improving awareness for “interested parties”
- Improving coordination between internal and external teams, organizations, and entities
- Validating and enhancing procedures (incident > emergency > crisis)
- Improving security awareness
- Improving workplace safety
- Meeting compliance objectives for shareholders and regulatory entities
- Continuously improving the company’s overall BCMS
Companies that move away from static, disjointed Business Continuity and Disaster Recovery Plan frameworks to an agile BCMS are going to have a distinct advantage when it comes to protecting their business from unplanned events.
A business resilience strategy includes:
- Culture: Your BCMS should be ingrained in your company’s culture, not disregarded as someone else’s job.
- People: Everyone should be trained and understand their role and participate in exercises (i.e., tabletops) to build muscle memory and more depth in critical roles.
- Process: Your processes should be aligned to adapt to various scenarios and tested regularly. People should understand the processes and procedures around incident, emergency, and crisis response.
- Infrastructure: The infrastructure should align with the business expectations of business resiliency.
- Leadership: Your BCMS leadership team should start with the executive team and have a clear scope.
- Partners: Engage the right ecosystem of technology partners to keep your organization’s BCMS in alignment with the company’s expectations.
The companies that shift their focus to a paradigm of “Business Resiliency” and engage the right partners are the ones that will stay out of the headlines in 2018 and beyond.
- The hacks that left us exposed in 2017 (CNN Tech)
- Weather-related disasters are increasing (The Economist)
- There Were More Active Shootings in 2017 Than Any Year on Record
- How One of the World’s Largest Law Firms Was Paralyzed by Petya