Why and how should a business continuity plan be put in place?

Against a tense geopolitical backdrop, the number of cyber attacks targeting the critical infrastructures of European states is constantly on the rise. Moreover, computer attacks are the leading cause of business interruption.

Faced with this high level of cyber threat, organizations need to strengthen their operational resilience by putting in place a Business Continuity Management System (BCMS). This includes a Business Continuity Plan (BCP), which plays an essential role in ensuring that operations continue in the event of an incident. Quentin Mouzard, business continuity and information security consultant at Thales, reveals the best practices to follow when designing an effective BCP.

Resilience, a strategic challenge

Operational resilience is the ability of an organization to quickly resume its activity after an incident that has interrupted its operations. To become more resilient, companies need to adopt a holistic approach: "Cyber attacks, such as ransomware or DDoS attacks, can bring an organization's business to a complete halt, but so can disasters such as fire or flood, or even a pandemic. A business continuity plan must take all these scenarios into account," explains Quentin Mouzard.

A business interruption can have serious consequences. A public hospital in the south of the Ile-de-France region, for example, was completely debilitated for three months by a cyber attack in 2022, and is expected to return to its pre-crisis state... in September 2024.

Aware of this challenge, regulators are defining new regulatory frameworks to encourage organizations to strengthen their resilience.

In the financial sector, the DORA regulation imposes new requirements in terms of resilience in the face of risks linked to Information and Communication Technologies (ICT). For other business sectors, the NIS2 directive sets out a series of measures to be adopted in terms of cybersecurity and operational resilience.

How do you draw up a business continuity plan?

At Thales, we use a six-step approach that is iterative, pragmatic and agile to help you develop the most efficient business continuity plan possible.

1. Analyse the company's internal and external context:

The first step is to identify the activities that are essential to your organization.

This stage involves a top-down approach: the management team delivers its vision for the activities it identifies as vital. On this basis, it is possible to determine the scope and level of detail that analyses must cover in order to develop business continuity plans.

It also incorporates a bottom-up approach: the aim is to get closer to the field during analysis workshops and to report relevant information identified during the analysis phases. Certain employees have sometimes experienced interruptions, such as applications that stop working. They have already put in place informal workarounds. This information is invaluable, and involving the teams will make it easier for them to adhere to the business continuity plan. Employees will be on the front line when it comes to implementing plans in crisis situations.

2. Analyse the business impact:

It is important to define continuity metrics for each activity to establish priorities for the recovery of activities in the event of a disaster. Among the indicators to be included are the recovery time objective and the minimum level of service to be delivered within this timeframe.

For each critical activity identified in this way, we also need to identify the resources that are essential for it to run smoothly: essential supplier services, key employees, IT resources, workstations, etc.

3. Risk analysis

The aim of this third stage is to identify the most likely threat and incident scenarios, so that we can anticipate them more effectively.

This enables priorities to be defined for the establishment of continuity strategies and business continuity plans detailed in the following steps.

4. Defining business continuity strategies:

Here, the aim is to answer the question "How do I react if my critical resources are unavailable?"

"In the current context, this section focuses a great deal on cyber risk. Digitalisation is increasing the attack surface for companies, as is the widespread adoption of teleworking. A cyber attack is therefore the scenario that is often dealt with first," explains Quentin Mouzard.

Several workarounds can be adopted: the use of physical media and handwritten note-taking in the event of an IT attack, teleworking if premises are unavailable, and reciprocal agreements with other suppliers to lend resources in the event of a problem.

However, these solutions need to be analyzed from a cost/benefit perspective.

Following business impact and risk analyses, the most likely threat scenarios and associated vulnerabilities are identified. The selection of strategies is a balance between the cost of putting them in place and the benefits of implementing them.

For example, if an IT infrastructure is hosted in one or more datacenters operated by a business to manage its critical operations, it is worth considering the cost and implications of migrating to a cloud provider versus implementing local backup and redundancy solutions, coupled with downgraded business procedures.

This assessment should take into account the likelihood of server failure, cyber security threats and the potential costs associated with business interruption following an IT disaster.

"In addition, the risk of concentrating IT resources with external service providers needs to be taken into account, especially in the current context of supply chain attacks," stresses Quentin Mouzard.

5. Defining continuity plans:

This involves implementing the continuity strategies defined in the previous stage.

The BCP must be adapted to the operational specificities of the various departments. To do this, it identifies the sub-scenarios specific to each one and draws up the most appropriate continuity plans.

The business continuity plan sets out all the procedures and concrete actions to be taken in the event of an emergency, with plans for smooth and effective communication. It then explains the steps to be taken to restore operations in "downgraded" mode, in line with the business continuity objectives defined in step two. At the same time, it includes guidelines for restoring the availability of affected critical resources. In terms of IT, a BCP often includes a disaster recovery plan, which details the action plan for restoring the most critical IT systems and enabling users to resume work as normal.

Emergency procedures can be distributed to employees to make it easier to implement plans, avoid confusion, and improve team responsiveness. Business continuity plan documentation must be accessible regardless of the type of incident.

6. Carrying out role-playing exercises:

It is important to test the effectiveness of continuity plans and their appropriation by employees through exercise programs. Through iteration, these tests enable us to identify areas for improvement and possible deviations that need to be corrected to ensure that business continuity plans are as effective as possible in the event of an interruption.

The benefits of a business continuity plan

Implementing a business continuity plan has a number of advantages for organizations:

• Damage mitigation: the BCP enables businesses to be restored much more quickly, which reduces both the financial cost of the interruption and the damage to brand reputation caused by the shutdown.
• A competitive advantage: "Demonstrating resilience is a real advantage, so much so that some companies are getting certified to the benchmark standard: ISO/IEC 22301. This enables them to gain market share, in particular by gaining the trust of Anglo-Saxon customers who have a business continuity culture and are looking to work with resilient companies. Demonstrating resilience is also an asset for companies bidding for tenders," notes Quentin Mouzard.
• Strategic decision-making made easier: the audit carried out as part of the business continuity plan can be used to make strategic decisions. For example, some companies use risk analysis to move from on-premises servers to a cloud infrastructure, or to rationalize IT tools with similar functions.

Business continuity planning is crucial to ensuring the continuity of organizations in the face of major incidents likely to interrupt their activity over a long period. By following a rigorous and pragmatic methodology, your organization can minimize disruption, protect its reputation and gain a competitive edge. Do you want to strengthen your operational resilience? Our experts can help you as you draw up your business continuity plan!