Business Continuity: Challenges, Pitfalls and Challenges

  • Author: Ahmed HARIZE

Business Continuity. This is a term that is now familiar to all security and information systems professionals. However, only a few decades ago, this concept was still obscure, not to say practically unknown, except perhaps for a few large companies across the Atlantic.

The context is now very different, and the rise of Business Continuity has been driven on two levels. On the one hand, business continuity needs have changed drastically in a tense global context on the social, economic and even climatic levels. On the other hand, the development of redundancy and replication techniques, the exponential improvement of interconnection rates and the appearance of now mature offerings for outsourcing one or more parts of the Information System (SaaS, IaaS, housing, cloud, etc.) have simplified the implementation of effective disaster recovery solutions.

All this has made having a Business Continuity Plan a major concern for any self-respecting manager, CIO and security manager.

The difficulty is that setting up and maintaining a Business Continuity Plan is often an obstacle course strewn with pitfalls, which often leads organizations to use specialized consulting firms to minimize the risks.

Let us first mention that, despite the popularity of the concept of Business Continuity, two different concepts are often confused, namely Business Continuity and IT Disaster Recovery. The latter is only one part of Business Continuity, aimed at ensuring continuity of service for IT equipment and applications. A Business Continuity Plan is a more complete study: it covers business aspects through BIA studies and risk analysis, and complements IT recovery procedures with business procedures, a crisis management arrangement, cross-functional procedures, and an arrangement for testing and sustaining the BCP.

In addition, one of the factors of success (or failure) is sponsorship. It often happens that the implementation of a Business Continuity Plan is an isolated initiative of the IT department and/or the Security team, without Management being really involved. This is a major risk for the success of the project. It cannot be stressed enough that, like a governance project or an ISMS, the establishment and maintenance of a BCP is a business project in which everyone without exception must be involved, and especially Management, which must provide clear support: on the one hand by making available all the resources the project needs, and on the other hand by acting as an arbitrator in several phases of the project; not to mention that it guarantees the level of involvement and availability of the business teams. Moreover, this has been strongly emphasized in the latest standard defined for Business Continuity (ISO 22301), where management must play a leading role and is a key to the success of this type of project.

This last point generally makes it possible to overcome several pitfalls that would appear inevitable in its absence and that must be monitored constantly, such as ensuring the availability and a satisfactory level of involvement of all teams, or the adequate financing of the project.

Financing is not to be taken lightly either, because setting up a BCP can be quite expensive, encompassing numerous cost centres that can lead to a hefty bill if a pragmatic approach is not adopted. Among these cost centres, we can briefly mention the costs of backup IT equipment, software licenses, hosting for IT recovery and business fallback sites, training, interconnections, and consulting services.

This highlights another problem that needs careful attention in this type of project, namely the choice of the IT recovery and business fallback solution(s). A compromise must then be found by weighing several criteria for the solutions to be implemented, such as implementation costs and recurring costs (CAPEX and OPEX), but also location, adequacy with current needs, maintenance aspects and certain practical aspects.

It is worth recalling in passing that identifying the right solutions is one thing, budgeting for them is another. It is also necessary to take into account the time needed for drafting specifications, launching consultations or calls for tenders, examining bids, delivery and installation, which can delay the implementation of the project by several weeks to a few months. These lead times must therefore be incorporated into the project roadmap, with other actions planned in parallel.

Finally, a last significant point to take into account is, on the one hand, the validation of the operability of the BCP through a multi-year test plan including crisis tests, IT disaster recovery tests and several business continuity tests, and on the other hand its sustainability through a formalized maintenance in operational condition (MOC) arrangement, in particular through the appointment of a Business Continuity Plan Manager (BCPM), the periodic identification of technical and organisational changes, and the updating of procedures and backup facilities.

Conclusion:

In conclusion, it is clear that the BCP is a large-scale project that demonstrates a certain level of maturity within a company. Internally, it can stimulate active and integrated collaboration within the organization, bring the IT and Security departments closer to the business lines and lead to a better mutual understanding of each other's needs and requirements. Externally, it will undoubtedly represent a commercial asset in addition to meeting certain regulatory requirements. It should be noted that, by its very nature, a BCP is destined to evolve perpetually with the organization, hence the qualification used in this article of 'business project'...