Seven Steps to Building a Business Continuity Plan
Cybersecurity is about more than just protecting against attacks; it's about continually securing and strengthening operations through the ups and downs of changing business conditions. When confronted with an unexpected business disruption, a firm must react swiftly, methodically and successfully, or risk significant financial, regulatory and reputational losses. Achieving this level of adaptation and resilience requires a Business Continuity Plan (BCP).
A BCP is more than just a good idea. It is a necessity for remaining compliant, and it documents how your firm will respond to unexpected business disruptions: not just cyberattacks, but also unplanned outages and costly downtime for critical software or applications. The good news is that a qualified MSP partner will have a proven road map for quickly building the right BCP for your business. Here is the time-tested, seven-step formula we follow at ECI:
1. Perform a regulatory review to map your compliance landscape – The first step is a rigorous review of every way the business is subject to requirements from multiple oversight bodies and frameworks. These include international regulations like Europe's GDPR, US federal agencies like the Securities and Exchange Commission (SEC), industry oversight bodies like FINRA, and countless state and local agencies. Every relevant regulation must be mapped, along with the specific obligations it places on the operation (for example, notification deadlines or record-retention and recovery requirements), so the plan can be checked against them.
2. Perform a detailed risk assessment – At a high level, this process identifies potential business risks and disruptions and prioritizes them by severity of impact and likelihood of occurrence. The result clarifies which threats could affect the operation, and which functions, assets and reputational interests of the firm each one puts at risk. Prioritization lets the organization decide which risks it can accept and which ones it must act on, rather than treating every scenario as equally urgent.
3. Conduct a business impact analysis – This step identifies the impacts your firm would suffer in any given scenario, such as the direct cost of a failure, lost profits or cash flow, equipment replacement, or overtime paid to clear a backlog of work. Quantifying these impacts guides fund allocation and defines the recovery process and its operational thresholds, such as the maximum allowable downtime for each function and, for systems that hold data, how much data loss is tolerable (the recovery time and recovery point objectives that the technical recovery plan must meet).
4. Strategize and develop the plan – The next step is to develop the specific strategy and plan that applies what you learned in the previous steps to the actual systems, processes and workflows of the organization. This should include bespoke contingency planning for each department, developed with cross-disciplinary input from staff across all departments rather than by IT alone.
5. Create an incident response plan – This is closely related to Step 4, but provides a much more detailed level of guidance on what to do when an incident actually disrupts day-to-day business. Make sure the plan clearly states which responsibilities and specific actions are assigned to which named employees (and who covers for them when they are unavailable), and make sure every employee is aware of their particular role in the plan before an incident occurs.
6. Test, train and maintain the plan – Your plan must be regularly exercised against the strategies it defines. Testing includes validating the KPIs and the metrics used to measure them, running scenario scripts and refining them afterwards, and producing summaries, postmortems and improvement plans from each exercise. Firms should test at least once a year, with additional testing throughout the year based on how critical and how changeable specific plan elements are; a plan that was never rehearsed is unlikely to work under the pressure of a real incident.
7. Ensure ongoing communication of the BCP to stakeholders – There is no Business Continuity Plan without continuity of communications across the organization. It is crucial to reach key personnel quickly and efficiently during an incident, with redundant channels that keep stakeholders connected and collaborating even when email and the other usual means of communication are themselves disrupted or compromised by the incident. Those backup channels and contact lists should be agreed and distributed in advance, since they cannot be set up over the systems that are down.
While this list presents seven distinct steps for building the Business Continuity Plan, the truth is that they are all highly interrelated, and organizations must continually revisit them. The BCP should be a living document that is regularly updated as the business, its systems and its regulatory obligations change. This holistic and comprehensive approach is what sets ECI apart from other MSPs. Learn more about how ECI can help you build your Business Continuity Plan at www.eci.com.