In our world today, our threat environment may include many outages or issues that are the result of non-traditional concerns or events. As you think about each of the items below, remember that your first step will be to determine the potential risk. Once you understand the risk, you can identify the impact of an occurrence, and determine and implement an appropriate mitigation strategy.
Ask yourself the following questions to determine your potential threats and risks.
Due to the dependence on technology, these outages can have significant impact on your business, regardless of the cause. For example, a major data storage outage would be a disaster event even if it was self-inflicted (e.g., resulting from the failure of internal controls or procedures). Consider the recent issues with airline outages or cloud service providers; those were self-inflicted.
Can the single point of failure (SPOF) be addressed through the implementation of redundant components? Compare any costs associated with an outage with the cost of purchasing and maintaining duplicate components. Not everything needs to be redundant, but you should always have some kind of plan for addressing the restoration of these critical components.
Determine your critical vendors’ business continuity capabilities. How prepared are they to respond to a crisis situation? What is your reliance on these vendors?
Are they your only source for the goods or services you require? You must develop a plan for how you will address any inability to support your needs. Will they be able to provide additional support or changes to their services during an emergency event, whether it is related to them or to your organization?
In today’s threat environment, issues in other countries or continents may impact your organization, even though you may have only a regional or local focus. Consider how changes to financial markets can impact your company, or how global events might impact your vendors (for example, the availability of raw materials or components manufactured in foreign countries). Identify your risks and develop strategies as necessary. You may need to identify secondary sources or vendors.
If so, consider your physical security situation. What are your current visitor policies? What are the ingress and egress locations of your facilities?
How secure are they? For example, many organizations have still not adopted a policy of questioning visitors who are walking around unescorted.
Notice that the question was not how likely a breach is. Your organization will have a breach of some type. The question is, what is your plan for responding to a data breach when it does occur? What is your current monitoring and detection capability? What is your encryption strategy, or your policies for personal information, proprietary information, or regulated data (PII, PCI, or HIPAA, for example)? Consider your data retention policy and its execution and enforcement. Ensure that you have data stewards (business owners of data), and that you have implemented data destruction policies and procedures for both electronic and paper records.
Can changes in laws or policy impact your business processes or require additional regulatory compliance? While your finance department or business units may consider these items from a business or financial perspective, consider how any changes made at a functional level may require modification to business continuity planning or may change the amount of impact related to already identified risks.
Understand decisions or actions throughout the organization that could have a negative impact on the brand, operations, or customer service. For example, consider mismanagement, malpractice, vehicle or machine accidents, or even the unintended consequences of following policies and procedures (think of the recent United Airlines situation).
Examples include winter storms, hurricanes, tornadoes, flooding, and earthquakes. Don’t forget about those that may be localized to your area.
For example, your building may be affected by extreme temperatures, or employee access may be restricted by weather-related impacts such as flooded roads, fallen trees, downed power lines, etc. Think about which facilities, functions, and people could be impacted by these events. Determine alternate facilities or alternate work sites for staff, as well as how customers or other members of the public can contact you or visit your company.
Understanding actual threats and risks to your company, and the necessary remediation or planning to address those threats, is critical to an effective business continuity program. Just addressing the “standard” threats and risks will not provide adequate value and protection in today’s threat environment. Your risks could be very different from those of neighboring companies, even those that may share your building. In evaluating your organization’s risks and preparing to address them, thinking of the exceptions will help you look outside the box, which is a useful skill.
This doesn’t mean you should ignore the obvious risks and remediation efforts; tried-and-true approaches work as well.
A great way to uncover your threat environment is to conduct a business impact analysis. To read more about conducting a BIA, including why you should do it and where to start, visit our post: The Art of a BIA.