Accounting for the Hidden Risks in Business Continuity Planning

For many organizations, business continuity planning has been a way to address broad and well-known organizational disruption from natural disasters, cyber threats, illness, and other events. However, as current events continue to shape our conceptions of organizational continuity, many leaders are determining how to modify their business continuity plans (“BCPs”) to account for certain “embedded risks” – the second and third order consequences resulting from risks that were not fully considered in previous BCP efforts. These risks may have been layered in with the continuity strategies but not given adequate consideration of the possible “what-if” scenarios that are likely to unfold during a disaster. Several lessons can be drawn from these challenges that can help to form a more comprehensive and robust BCP development process. As we reflect on the rapid evolution of business models, our team considers several instances of these embedded risks and how they can be incorporated into future continuity planning efforts.

Evaluating Privacy and Security in BCPs

As organizations increase their reliance on remote working tools, security and privacy-related incidents are becoming more common. Security measures that protected traditional communication channels may not be scalable to support an entire workforce that is now working from home. With the shift in operational practices, video conferencing platforms have been subject to privacy intrusions, where users have been able to inappropriately access private sessions. This, in turn, has demonstrated key vulnerabilities in teleconferencing platforms, and organizations have realized that their selected remote conferencing tool may not have been sufficiently evaluated from a security and privacy perspective.

Because of our current circumstances, and the likelihood that elements of the BCP strategy will become “business as usual,” a full accounting of these types of security and privacy risks should be considered for services and technologies that we may rely on or introduce to our organizations in a time of crisis. Organizations can proactively address these threats through contingency planning to avoid being forced into a reactive approach to risk mitigation. Below are two primary privacy and security risk mitigation techniques that should be applied to the scenarios laid out in a BCP:

Perform privacy impact assessments (PIAs) or similar privacy risk assessments for new software tools and processes, including those that are part of any BCP. This will ensure that tools chosen for different contingencies are evaluated with the same rigor as tools that support normal operations, and will help ensure that evolving operations continue to comply with in-scope privacy regulations while protecting the rights and freedoms of end users and data subjects.

Conduct security risk analyses to identify vulnerabilities in the organization’s current assets and processing activities. This may include stress testing network bandwidth to ensure that network infrastructure can support worst-case scenarios or ensuring the use of up-to-date remote access technologies so that risks do not scale along with usage. The different analyses performed may vary widely depending on your business model, operating environment, etc.

The types of risk assessment activities performed may vary widely depending on the organization. However, the goal is to ensure that the privacy and security risk management activities implemented to support “business as usual” extend to operations under any contingency in which you may be operating. Privacy and security by design implies that all processes, including the processes followed during a crisis, should be secure by design. Organizations will not receive dispensation, especially from their consumers, for incidents that occur during a difficult period.

Third-Party Impact to Organizational Continuity

Companies that are dependent on particular products or services may need to evaluate whether their third-party risk management (TPRM) programs support risk management under a business continuity scenario. Just as privacy and security practices must extend to BCP, TPRM practices must take a holistic approach that includes any vendors that may be used during a contingency – even if those vendors are not used during normal day-to-day operations. Many third-party risk management programs are evolving to address supply chain resilience, ensuring that vendors can support business needs during a widespread adverse event. TPRM programs therefore must be tuned to assess areas of particular risk, beyond just knowing whether the vendor has a BCP. The assessment outcomes should also provide key risk insights about our own dependence on that vendor – does the vendor provide a critical product/service, are they susceptible to business failure from an adverse event, etc. Similarly, any BCP must be evaluated to ensure that the vendors that play a role in your continuing operations are accounted for and assessed using these criteria.

Companies must find ways to link possible vendor interruptions and risks with the organization’s BCP development process. Current events have provided a renewed understanding of the type and magnitude of risk that vendors introduce into your operations. As a result, organizations should make an effort to update service-level agreements and contractual obligations based on lessons learned from previous execution of BCPs. TPRM programs and BCPs have traditionally been viewed as two separate concepts; however, each should provide key risk insights for the other to enhance an organization’s ability to respond during an interruption. TPRM should not be an exercise only for those vendors that support day-to-day activities, but also for those that may only prove critical when activating the BCP.

Conclusion

Business continuity is receiving renewed focus given the rapidly evolving business landscape under COVID-19. As we consider the importance of BCP and its function in safeguarding organizations, it is necessary to take a deeper look at the risks that may not have received adequate consideration in the past. Having a robust BCP that is properly tested includes giving consideration to embedded risks that may have been overlooked when documenting the “what if” scenarios in your BCP. By evaluating your existing BCP to ensure inclusion of leading risk management practices, you can ensure that your approach to privacy, security, and TPRM does not become a reactive exercise during a critical time.

Are you looking for more information on privacy, cybersecurity, and third-party risk? Get in touch with us.