Well, unfortunately that is the attitude of many NZ organisations.
If it happens we will deal with it – after all, why would we spend time and money working on something that might not even happen?
Once upon a time that kind of thinking was acceptable, but things are changing rapidly and that approach is now reckless at best.
Yes, it’s difficult to understand the complexity of modern threats like cyber terrorism, let alone the probability of being impacted, but that’s no excuse for not having some kind of business continuity plan.
A plan that will guide process and actions in the event that your organisation is brought to its knees, whether through a cyber attack, weather event, malicious staff action, hardware or software failure.
To help you avoid embarrassing questions from your CEO (after all, there are quite harsh penalties in NZ with respect to Director liabilities) or worse, a journalist, I spoke with highly respected Business Continuity specialist Nalin Wijetilleke who shared his thoughts on the steps that should be taken to ensure that our organisations are protected from mortal outages.
1. Risk Reduction
The risks that could jeopardise the running of business should be identified and appropriately mitigated. While that does sound straightforward, many threats are often unknown or unquantified, which is why specialist advice is crucial to implement the correct tools, techniques and practices.
The way the organisation responds is very important. A small issue could easily get out of control and become a crisis. There are ample examples from within New Zealand where basic safety issues have been overlooked, resulting in major disasters. To be well prepared to respond effectively to such situations, organisations must have well-rehearsed plans and communication strategies.
Recovery plans should be designed to be flexible and scalable to a broad range of scenarios. Those responsible must detail the actions required within pre-established time frames. Whom to contact, when to escalate, and plans agreed with key suppliers should all be in place. The plan should show the priority and sequence of resolution activities.
Once the problem is resolved, the process for resuming operations must be started. All critical activities, and when each should resume after a disruption, must be pre-defined.
Depending on the nature of the disruption or the disaster, restoration can take anywhere from hours to months. The time to return to ‘business as usual’ after a critical process or product/service line failure can be pre-defined based on analytical techniques. Preplanning provides an opportunity to think ahead about what resources, external support or stakeholder communications are needed during the recovery and resumption stages.
It’s always good to learn from your mistakes. They should be well documented, and actions should be taken to further improve resilience. The impacts on people, business, customers, community and environment are all key aspects that reviews should focus on.
According to managing director of Continuity NZ and international speaker on the discipline of business continuity management, Nalin Wijetilleke, a logical first step is to take stock of your business’ current state including extent of exposure.
Exclusive to Techday readers, this month Nalin is offering a discounted Business Continuity Health Check (typically 4 hours).