A CFO’s Guide to Business Continuity Management
Join today and start learning
TFD is the learning platform built for finance professionals.
This content is available as part of our bitesized video series.
Watch this video today by joining our free community.
Join today and start learning
TFD is the learning platform built for finance professionals.
This content is available as part of our bitesized video series.
Watch this video today by joining our free community.
A CFO’s Guide to Business Continuity Management
Video information:
In this video, Sean Huggett from Evalian discusses what you, as a Chief Financial Officer should have in mind when considering business continuity.
Hello. I’m Sean Huggett. I’m one of the directors at Evalian. We’re an information security, data protection, and business continuity services provider. And in this video, I’m going to talk about what you, as a Chief Financial Officer, should have in mind when considering business continuity.
For a long time, organisations felt that they had business continuity under control or well managed because they had maybe a template-based business continuity plan tucked away in a filing cabinet that they could dust off once a year to show to their auditors or other interested parties. But really, they were safe in the knowledge that they may never need to use it.
Now this overconfidence came from a number of factors, one of them being that businesses have become more resilient to common hazards over the years through good risk management but also because public infrastructure, like power and internet connectivity has become more reliable. And most of our organisations have adopted mobile and cloud technologies, which have meant that employees are just as productive at home as they are sat at their desk in the office.
In the past two years though, maybe longer, business continuity has probably moved up your agenda. Not only have we had the COVID pandemic, but we’ve had the aftershocks of the pandemic, things like supply chain disruption, and labour shortages, which have had an impact on our businesses. The conflict in the Ukraine has also shown how events that are outside our control can have a big impact on our business. For example, we’ve worked with organisations which outsource software development to suppliers in Ukraine and even Russia and since conflict started, they’ve had to take steps to find new sources of supply or to relocate key members of staff located in those countries. On top of this, most organisations can expect some sort of business disruption from a cyber attack.
On top of this, most organisations can expect to suffer cyber attacks and some threats, things like ransomware, and distributed denial of service attacks can be enough to bring your business to a halt if you rely heavily on systems and software. As such, you’re probably recognising now or your shareholders or your insurers are recognising that business continuity planning is a key consideration. And actually, you should start to think of it as a type of insurance. Your business continuity plan is like an insurance policy. You may never need it, but you’ll be glad it’s there when you do. But yes, there’s time and money associated with developing a business continuity plan. But if you manage it properly, the cost to your business will be much less than the cost of not having an appropriate business continuity plan in place. Because an organisation is ill prepared to respond to a severe business disruption may struggle to recover, or may not recover quickly enough to satisfy customer expectations or meet contractual commitments, which in turn could lead to financial loss, reputational damage, and the loss of customers to competitors.
Having good business impact analysis and continuity planning can also help your organisation to identify proportionate solutions to potential issues, and therefore, avoid knee jerk spending on quick fix solutions, which might treat the symptoms but don’t actually address the root causes, things like a quick fix technology.
So having made the case of business continuity, how do you know if your business continuity plans are fit for purpose? Well, your starting point is to ask yourself and your business stakeholders a series of questions and seek their honest warts and all input. Dressing things up now is not going to help when something really bad happens. The things to ask include, are our commitments to our staff, clients, partners, and even our suppliers, clear and understood across key stakeholders.
Do we understand the impact to our organisation of not being able to meet these commitments over any given period of time? Will we, for example, exceed SLAs, breach contracts or potentially fail to comply with a legal obligation? And if so, what’s the impact on our organisation going to be? Have we documented our recovery requirements and plans as well as key systems, processes, and science. And if so, have these been agreed and are they kept up to date? If you’re satisfied by the answers to these questions, you should then go down a level and you should think about resources, competencies, and capabilities.
The key questions here include, do we have the right people in the right places, taken into account our business locations? Do we have any single points of failure among our people or our systems or our resources? Are there physical or technology constraints that mean that certain tasks can only be completed from a specific location. Do we have sufficient redundancy within our IT and communication systems to enable us keep working if our primary systems, applications, and tools cease to be available to us. Finally, but really importantly, have we identified our key suppliers and are we satisfied that their business continuity arrangements are sufficient.
Now you might have strong business continuity processes in place, but a failure by a key supplier can have a big knock-on effect for your organisation, and in turn your customers. If the answers to these questions are unsatisfactory, then you’re going to need to take steps to improve your business continuity planning. But the question is where do you start?
Well, whatever you do, don’t rush to invest in expensive and complex solutions. Start with the basics. Gather the information needed to answer the questions that we’ve already discussed and from there build a plan with key stakeholders from across your organisation. Sounds obvious, but make sure that you prioritise parts of your business that will have the biggest impact if they become unavailable. From there, take a commensurate approach and iterate over time. Use an analogy. Don’t set out to construct a palace from nothing. First, lay your foundations and start by building a small cottage. Get to know it. Identify areas for improvement, and make sure that each extension forms parts of a coherent design which focuses on priorities. Be prepared that it can take four to five years to develop a mature business continuity management system, but at the same time, don’t accept that it’s finished or even good enough. Business continuity is not a set and forget exercise. Your business will change and evolve over time, and it’s therefore important that your business continuity plans develop in parallel.
In summary then, good business continuity should save you money over time, help make your business more resilient to unexpected events, and should give comfort to your shareholders and customers when making investment and purchasing decisions.
Founder and Managing Director for Evalian
Sean specialises in data protection, information risk and information security consulting. He is a qualified barrister, having been called to the Bar in 1998, and started his career as an in-house lawyer working in intellectual property, data protection and commercial contracts. He later progressed into commercial leadership roles, working in a number of sectors before specialising in governance, risk and compliance with a focus on privacy and security. Sean is also Managing Director at Evalian®.
His qualifications include IAPP CIPP-E, CIPT, GDPR Practitioner Certificate, ISO 27001 Lead Implementer, ISO 27001 Lead Auditor and CISMP.
Video information:
In this video, Sean Huggett from Evalian discusses what you, as a Chief Financial Officer should have in mind when considering business continuity.
Hello. I’m Sean Huggett. I’m one of the directors at Evalian. We’re an information security, data protection, and business continuity services provider. And in this video, I’m going to talk about what you, as a Chief Financial Officer, should have in mind when considering business continuity.
For a long time, organisations felt that they had business continuity under control or well managed because they had maybe a template-based business continuity plan tucked away in a filing cabinet that they could dust off once a year to show to their auditors or other interested parties. But really, they were safe in the knowledge that they may never need to use it.
Now this overconfidence came from a number of factors, one of them being that businesses have become more resilient to common hazards over the years through good risk management but also because public infrastructure, like power and internet connectivity has become more reliable. And most of our organisations have adopted mobile and cloud technologies, which have meant that employees are just as productive at home as they are sat at their desk in the office.
In the past two years though, maybe longer, business continuity has probably moved up your agenda. Not only have we had the COVID pandemic, but we’ve had the aftershocks of the pandemic, things like supply chain disruption, and labour shortages, which have had an impact on our businesses. The conflict in the Ukraine has also shown how events that are outside our control can have a big impact on our business. For example, we’ve worked with organisations which outsource software development to suppliers in Ukraine and even Russia and since conflict started, they’ve had to take steps to find new sources of supply or to relocate key members of staff located in those countries. On top of this, most organisations can expect some sort of business disruption from a cyber attack.
On top of this, most organisations can expect to suffer cyber attacks and some threats, things like ransomware, and distributed denial of service attacks can be enough to bring your business to a halt if you rely heavily on systems and software. As such, you’re probably recognising now or your shareholders or your insurers are recognising that business continuity planning is a key consideration. And actually, you should start to think of it as a type of insurance. Your business continuity plan is like an insurance policy. You may never need it, but you’ll be glad it’s there when you do. But yes, there’s time and money associated with developing a business continuity plan. But if you manage it properly, the cost to your business will be much less than the cost of not having an appropriate business continuity plan in place. Because an organisation is ill prepared to respond to a severe business disruption may struggle to recover, or may not recover quickly enough to satisfy customer expectations or meet contractual commitments, which in turn could lead to financial loss, reputational damage, and the loss of customers to competitors.
Having good business impact analysis and continuity planning can also help your organisation to identify proportionate solutions to potential issues, and therefore, avoid knee jerk spending on quick fix solutions, which might treat the symptoms but don’t actually address the root causes, things like a quick fix technology.
So having made the case of business continuity, how do you know if your business continuity plans are fit for purpose? Well, your starting point is to ask yourself and your business stakeholders a series of questions and seek their honest warts and all input. Dressing things up now is not going to help when something really bad happens. The things to ask include, are our commitments to our staff, clients, partners, and even our suppliers, clear and understood across key stakeholders.
Do we understand the impact to our organisation of not being able to meet these commitments over any given period of time? Will we, for example, exceed SLAs, breach contracts or potentially fail to comply with a legal obligation? And if so, what’s the impact on our organisation going to be? Have we documented our recovery requirements and plans as well as key systems, processes, and science. And if so, have these been agreed and are they kept up to date? If you’re satisfied by the answers to these questions, you should then go down a level and you should think about resources, competencies, and capabilities.
The key questions here include, do we have the right people in the right places, taken into account our business locations? Do we have any single points of failure among our people or our systems or our resources? Are there physical or technology constraints that mean that certain tasks can only be completed from a specific location. Do we have sufficient redundancy within our IT and communication systems to enable us keep working if our primary systems, applications, and tools cease to be available to us. Finally, but really importantly, have we identified our key suppliers and are we satisfied that their business continuity arrangements are sufficient.
Now you might have strong business continuity processes in place, but a failure by a key supplier can have a big knock-on effect for your organisation, and in turn your customers. If the answers to these questions are unsatisfactory, then you’re going to need to take steps to improve your business continuity planning. But the question is where do you start?
Well, whatever you do, don’t rush to invest in expensive and complex solutions. Start with the basics. Gather the information needed to answer the questions that we’ve already discussed and from there build a plan with key stakeholders from across your organisation. Sounds obvious, but make sure that you prioritise parts of your business that will have the biggest impact if they become unavailable. From there, take a commensurate approach and iterate over time. Use an analogy. Don’t set out to construct a palace from nothing. First, lay your foundations and start by building a small cottage. Get to know it. Identify areas for improvement, and make sure that each extension forms parts of a coherent design which focuses on priorities. Be prepared that it can take four to five years to develop a mature business continuity management system, but at the same time, don’t accept that it’s finished or even good enough. Business continuity is not a set and forget exercise. Your business will change and evolve over time, and it’s therefore important that your business continuity plans develop in parallel.
In summary then, good business continuity should save you money over time, help make your business more resilient to unexpected events, and should give comfort to your shareholders and customers when making investment and purchasing decisions.
Founder and Managing Director for Evalian
Sean specialises in data protection, information risk and information security consulting. He is a qualified barrister, having been called to the Bar in 1998, and started his career as an in-house lawyer working in intellectual property, data protection and commercial contracts. He later progressed into commercial leadership roles, working in a number of sectors before specialising in governance, risk and compliance with a focus on privacy and security. Sean is also Managing Director at Evalian®.
His qualifications include IAPP CIPP-E, CIPT, GDPR Practitioner Certificate, ISO 27001 Lead Implementer, ISO 27001 Lead Auditor and CISMP.
Video information:
In this video, Sean Huggett from Evalian discusses what you, as a Chief Financial Officer should have in mind when considering business continuity.
Hello. I’m Sean Huggett. I’m one of the directors at Evalian. We’re an information security, data protection, and business continuity services provider. And in this video, I’m going to talk about what you, as a Chief Financial Officer, should have in mind when considering business continuity.
For a long time, organisations felt that they had business continuity under control or well managed because they had maybe a template-based business continuity plan tucked away in a filing cabinet that they could dust off once a year to show to their auditors or other interested parties. But really, they were safe in the knowledge that they may never need to use it.
Now this overconfidence came from a number of factors, one of them being that businesses have become more resilient to common hazards over the years through good risk management but also because public infrastructure, like power and internet connectivity has become more reliable. And most of our organisations have adopted mobile and cloud technologies, which have meant that employees are just as productive at home as they are sat at their desk in the office.
In the past two years though, maybe longer, business continuity has probably moved up your agenda. Not only have we had the COVID pandemic, but we’ve had the aftershocks of the pandemic, things like supply chain disruption, and labour shortages, which have had an impact on our businesses. The conflict in the Ukraine has also shown how events that are outside our control can have a big impact on our business. For example, we’ve worked with organisations which outsource software development to suppliers in Ukraine and even Russia and since conflict started, they’ve had to take steps to find new sources of supply or to relocate key members of staff located in those countries. On top of this, most organisations can expect some sort of business disruption from a cyber attack.
On top of this, most organisations can expect to suffer cyber attacks and some threats, things like ransomware, and distributed denial of service attacks can be enough to bring your business to a halt if you rely heavily on systems and software. As such, you’re probably recognising now or your shareholders or your insurers are recognising that business continuity planning is a key consideration. And actually, you should start to think of it as a type of insurance. Your business continuity plan is like an insurance policy. You may never need it, but you’ll be glad it’s there when you do. But yes, there’s time and money associated with developing a business continuity plan. But if you manage it properly, the cost to your business will be much less than the cost of not having an appropriate business continuity plan in place. Because an organisation is ill prepared to respond to a severe business disruption may struggle to recover, or may not recover quickly enough to satisfy customer expectations or meet contractual commitments, which in turn could lead to financial loss, reputational damage, and the loss of customers to competitors.
Having good business impact analysis and continuity planning can also help your organisation to identify proportionate solutions to potential issues, and therefore, avoid knee jerk spending on quick fix solutions, which might treat the symptoms but don’t actually address the root causes, things like a quick fix technology.
So having made the case of business continuity, how do you know if your business continuity plans are fit for purpose? Well, your starting point is to ask yourself and your business stakeholders a series of questions and seek their honest warts and all input. Dressing things up now is not going to help when something really bad happens. The things to ask include, are our commitments to our staff, clients, partners, and even our suppliers, clear and understood across key stakeholders.
Do we understand the impact to our organisation of not being able to meet these commitments over any given period of time? Will we, for example, exceed SLAs, breach contracts or potentially fail to comply with a legal obligation? And if so, what’s the impact on our organisation going to be? Have we documented our recovery requirements and plans as well as key systems, processes, and science. And if so, have these been agreed and are they kept up to date? If you’re satisfied by the answers to these questions, you should then go down a level and you should think about resources, competencies, and capabilities.
The key questions here include, do we have the right people in the right places, taken into account our business locations? Do we have any single points of failure among our people or our systems or our resources? Are there physical or technology constraints that mean that certain tasks can only be completed from a specific location. Do we have sufficient redundancy within our IT and communication systems to enable us keep working if our primary systems, applications, and tools cease to be available to us. Finally, but really importantly, have we identified our key suppliers and are we satisfied that their business continuity arrangements are sufficient.
Now you might have strong business continuity processes in place, but a failure by a key supplier can have a big knock-on effect for your organisation, and in turn your customers. If the answers to these questions are unsatisfactory, then you’re going to need to take steps to improve your business continuity planning. But the question is where do you start?
Well, whatever you do, don’t rush to invest in expensive and complex solutions. Start with the basics. Gather the information needed to answer the questions that we’ve already discussed and from there build a plan with key stakeholders from across your organisation. Sounds obvious, but make sure that you prioritise parts of your business that will have the biggest impact if they become unavailable. From there, take a commensurate approach and iterate over time. Use an analogy. Don’t set out to construct a palace from nothing. First, lay your foundations and start by building a small cottage. Get to know it. Identify areas for improvement, and make sure that each extension forms parts of a coherent design which focuses on priorities. Be prepared that it can take four to five years to develop a mature business continuity management system, but at the same time, don’t accept that it’s finished or even good enough. Business continuity is not a set and forget exercise. Your business will change and evolve over time, and it’s therefore important that your business continuity plans develop in parallel.
In summary then, good business continuity should save you money over time, help make your business more resilient to unexpected events, and should give comfort to your shareholders and customers when making investment and purchasing decisions.
Founder and Managing Director for Evalian
Sean specialises in data protection, information risk and information security consulting. He is a qualified barrister, having been called to the Bar in 1998, and started his career as an in-house lawyer working in intellectual property, data protection and commercial contracts. He later progressed into commercial leadership roles, working in a number of sectors before specialising in governance, risk and compliance with a focus on privacy and security. Sean is also Managing Director at Evalian®.
His qualifications include IAPP CIPP-E, CIPT, GDPR Practitioner Certificate, ISO 27001 Lead Implementer, ISO 27001 Lead Auditor and CISMP.
