Focus on business continuity management & incident response planning

Jill M. Czerwinski, Tracy Hall, Trevor Quinlan
2/15/2024
Focus on business continuity & incident response planning

Though it can be hard to find time to focus on business continuity management and incident response, our team covers why these initiatives are vital.

Business continuity management and incident response planning are vital for any organization. Yet, when businesses work on these initiatives in silos, they might introduce inconsistencies, redundancies, and gaps.

Many executives find the two types of planning can overlap. Our team’s recent webinar, “January 2024 Financial Services Audit Committee Overview,” covers some of those synergies. Following are key takeaways.

Business continuity management and incident response planning: A package deal

Business continuity management and incident response planning: A package deal

As cybersecurity threats become increasingly common, more attention is paid to business continuity management and incident response planning and how they work together. Although both types of initiatives are under the umbrella of overall resiliency, each serves a different function.

  • Business continuity management is about the processes, procedures, decisions, and activities to keep an organization functioning through any kind of interruption, including a data breach or cybersecurity attack.
  • Incident response planning deals with detecting, responding to, and limiting the consequences of a cybersecurity-related interruption.

Both are a vital part of mitigating the effects of an incident but must be cross-referenced to ensure the organization is responding consistently regardless of the type of incident.

How business continuity management and incident response planning can protect an organization

How business continuity management and incident response planning can prepare an organization

Organizations and business leaders are encouraged to adequately prepare for an event using best practices in both business continuity and incident response planning. Without preparation in both areas, organizations can be affected in a variety of ways, including:

  • Operations. Whenever a system goes down, operations will be affected in some way.
  • Data. Data can be compromised as part of a business continuity event. This happens when a system crashes in the middle of an update or during an event like a cybersecurity breach.
  • Regulatory and legal. Regulations vary by industry and location, but organizations should be aware of any regulations in areas like continuing service, reporting requirements, data security, and more. 
  • Reputation. No matter what type or level of event a business could potentially experience, its reputation is at risk the minute customers can’t be served. How a business responds to that interruption can also be a reputational risk. 
  • Finances. Any interruption in operations can affect an organization’s bottom line.
  • Strategy. An incident might affect business strategy, either in the short or long term.
Top threats to consider in resiliency planning strategies

Top threats to consider in resiliency planning strategies

Threats can come from various sources. Business leaders should prepare their strategies for resiliency by considering the following:

  • Unplanned IT outages. Any unplanned outages can affect operations and have consistently been a top risk for years.
  • Cybersecurity. The risk of cybersecurity breaches has increased exponentially in recent years.
  • Climate change and natural disasters. Protecting against threats of natural disasters, while unpredictable, is incredibly important from a business continuity and resiliency standpoint. 
  • Staffing shortages. While reports show unemployment is down, some businesses regularly report difficulty hiring and retaining good staff. 
  • Supply chain and third-party outages. Many businesses are heavily reliant on their third parties, which is why supply chain and vendors should be part of business continuity management and incident response planning. 
  • Economic uncertainty. Economic shifts can affect numerous areas of a business, including business continuity management and incident response strategies. 
Business continuity management: Areas of focus

Business continuity management: Areas of focus

Businesses might have a lot of reasons for ignoring business continuity management planning: lack of time, resources, and bandwidth, for starters. Still, whether business leaders are held to industry regulations or want to keep up with the competition, business continuity management planning is a best practice to stay competitive and relevant. The threat to reputation alone is worth investing in business continuity management planning.

While working through a business continuity management plan, leaders should focus on major areas including the following:

  • Business impact analysis. Prioritize business functions and supporting resources.
  • Risk assessment. Identify top threats or vulnerabilities for the organization.
  • Enterprisewide planning. Develop plans that are representative of the entire organization.
Incident response planning: Areas of focus

Incident response planning: Areas of focus

One of the most important steps in incident response planning is regulated reporting – when is a business required to report an incident, and to what extent? But regulators aren’t the only reason to consider incident response planning. Proper planning can help organizations mitigate risks to data, financial responsibility, and more after an incident. The ability to identify, contain, and respond to incidents quickly is an area where minutes matter.

When working toward the goal of minimizing downtime, leaders can consider these areas of focus for both incident response planning and business continuity management:

Preparation

  • Gain leadership support
  • Develop appropriate teams
  • Invest in training 

Tabletop exercises (simulations)

  • Scenario selection
  • Stakeholder involvement
  • Facilitators
  • Documentation and reporting
  • Communication plans
  • Actionable recommendations

Testing

  • Incident response and disaster recovery tests
  • Assessment of the incident response process and documentation
  • Penetration testing – performance of a realistic and simulated attack, unannounced

Training

  • Conduct annual training for all employees
  • Identify and report incidents
  • Develop dedicated training for incident response and disaster recovery test members
  • Investigate technical training tools and technology
  • Expand remedial training
  • Direct hands-on tests
  • Share threat intelligence

Assigning resources to these vital initiatives can be hard for leaders who are also managing the day to day of a business – but business continuity management and incident response planning are foundational efforts that help an organization get back on track when work is interrupted.

Listen to the full session

January 2024 financial services audit committee overview 

Contact our team

If you’re wondering how to start – or continue – business continuity management planning or incident response planning in your organization, our team can help.
Jill Czerwinski
Jill M. Czerwinski
Principal, Third-Party Risk Leader
Tracy Hall
Tracy Hall
Senior Manager, Financial Services Consulting
Trevor Quinlan
Trevor Quinlan
Senior Manager, Financial Services Consulting