Learning Outcomes
After reading this article, you will be able to explain the nature of IT risks to business continuity, describe the necessity and components of business continuity plans (BCP) and disaster recovery plans (DRP), and outline key legal and organisational requirements for maintaining continuity. You will also identify appropriate procedures for responding to disruptions and recognise how to ensure data security and ongoing business operations.
ACCA Business and Technology (BT) Syllabus
For ACCA Business and Technology (BT), you are required to understand how organisations manage IT-related risks and prepare for disruptions affecting the continuity of operations and data security. You should be able to:
- Describe key IT risks to data and operations, including technical failure and cyber threats
- Explain the importance and structure of business continuity planning (BCP)
- Outline the elements and operation of disaster recovery plans (DRP)
- Identify the legal responsibilities for protecting systems and data during incidents
- Demonstrate procedures for restoring operations after disruptions
Test Your Knowledge
Attempt these questions before reading this article. If you find some difficult or cannot remember the answers, remember to look more closely at that area during your revision.
- What is the main difference between a business continuity plan and a disaster recovery plan?
- List two examples of IT events that could trigger business continuity procedures.
- Why must backup data be stored off-site or in the cloud as part of a business continuity plan?
- State the legal obligation of companies in relation to the security and continuity of personally identifiable information (PII) during a major IT incident.
Introduction
Modern organisations depend on uninterrupted access to IT systems and data. System failures, cyber-attacks, or environmental incidents can disrupt operations, risking financial loss, reputation damage, or even closure. Business continuity planning and disaster recovery planning are essential to manage such risks, ensuring critical services remain available and that the business can recover as quickly as possible after disruption.
Key Term: business continuity
The processes and strategies that ensure an organisation can continue its essential operations during and after a disruption.
Key Term: disaster recovery plan (DRP)
A documented plan detailing procedures for restoring IT systems and operations following a major incident or disaster.
IT Risks Threatening Security and Continuity
Organisations face various threats that can disrupt IT operations and compromise data:
- Hardware or software failures
- Cyber-attacks (malware, ransomware, denial of service)
- Human error
- Physical damage from fire, flood, or other disasters
- Power outages
- Malicious or accidental insider actions
These risks can lead to loss of access to critical data or systems, data corruption, or even permanent data loss. Legal and contractual obligations require organisations to prepare measures to prevent and mitigate such incidents.
Key Term: risk assessment
The process of identifying, analysing, and evaluating the threats that could disrupt business operations or compromise information security.
Business Continuity Planning
A business continuity plan (BCP) is a proactive approach to ensure key services can operate during disruptions and be rapidly restored to normal. It details how essential functions are prioritised, which personnel are responsible, and what resources are needed to keep the business running.
Key components of a BCP
- Identification of critical functions and assets
- Assignment of key roles and responsibilities
- Alternative operating sites or methods (e.g., remote working)
- Emergency communication protocols
- Regular staff training and awareness
- Periodic plan testing and review
Worked Example 1.1
Scenario: A company’s main office is inaccessible due to a major power outage after a severe storm. The backup power generators fail.
Question: Which elements of a properly designed business continuity plan would help the business continue operations?
Answer:
The BCP should specify alternative work arrangements (such as remote access or secondary office locations), prioritise restoring critical functions, invoke backup communication lines, and activate delegated staff responsibilities to continue serving priority customers.
Disaster Recovery Planning
Disaster recovery is a focused sub-area of business continuity that targets rapid restoration of IT systems and data after significant disruptions.
A disaster recovery plan (DRP) typically sets out:
- Steps for restoring critical systems and applications
- Procedures for recovering data from backups
- Roles and contact details of responsible technical and management staff
- Timelines for recovery: the recovery time objective (RTO) and the recovery point objective (RPO)
- Regular testing and updating of recovery procedures
Key Term: backup
A copy of data stored separately to enable restoration after data loss, corruption, or system failure.
Key Term: recovery time objective (RTO)
The maximum acceptable length of time a system or process can be unavailable after an incident.
Key Term: recovery point objective (RPO)
The maximum period of data loss (measured in time) that is tolerable after a disaster event.
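The RTO and RPO definitions above can be turned into a simple check that a recovery team would run after an incident and during plan testing. The following is an added example, not part of the original article: it uses constructed backup times, incident and restoration times, and target values, and shows that an incident can fall within the RPO while the backup schedule itself (with one missed run) would not meet it in the worst case.

```python
from datetime import datetime, timedelta

# Constructed sample data for one file server: completion times of nightly
# backups over five days (the run on 7 March was missed), the moment a
# hypothetical incident was detected, and the moment service was restored.
BACKUPS = [
    datetime(2024, 3, 4, 2, 0),
    datetime(2024, 3, 5, 2, 0),
    datetime(2024, 3, 6, 2, 0),
    datetime(2024, 3, 8, 2, 0),
]
INCIDENT_DETECTED = datetime(2024, 3, 8, 14, 30)
SERVICE_RESTORED = datetime(2024, 3, 8, 19, 0)

# Assumed targets for this example: at most 24 hours of data loss (RPO)
# and at most 8 hours of unavailability (RTO).
RPO = timedelta(hours=24)
RTO = timedelta(hours=8)


def data_loss_window(backups, incident):
    """Time between the last backup completed before the incident and the
    incident itself. Returns None if no usable backup predates the incident."""
    prior = [b for b in backups if b <= incident]
    if not prior:
        return None
    return incident - max(prior)


def worst_case_gap(backups):
    """Largest interval between consecutive backups: the most data the
    schedule could lose if an incident struck just before the next run."""
    ordered = sorted(backups)
    gaps = [later - earlier for earlier, later in zip(ordered, ordered[1:])]
    return max(gaps, default=timedelta(0))


def assess(backups, incident, restored, rpo, rto):
    """Compare an incident and the backup schedule against the RPO and RTO."""
    loss = data_loss_window(backups, incident)
    downtime = restored - incident
    return {
        "data_loss": loss,
        "rpo_met": loss is not None and loss <= rpo,
        "worst_case_gap": worst_case_gap(backups),
        "schedule_meets_rpo": worst_case_gap(backups) <= rpo,
        "downtime": downtime,
        "rto_met": downtime <= rto,
    }
```

Running `assess(BACKUPS, INCIDENT_DETECTED, SERVICE_RESTORED, RPO, RTO)` reports the incident within both targets, but flags the schedule as unable to guarantee the RPO because the missed run opened a 48-hour gap.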
Worked Example 1.2
Scenario: A ransomware infection encrypts all files on a company’s primary file server.
Question: According to the disaster recovery plan, what are the first priority actions IT should take?
Answer:
IT should isolate affected systems, notify responsible staff per the DRP, identify the most recent unaffected backup, restore files, and ensure the cause is understood to prevent further compromise.
Legal Responsibilities and Data Protection
Businesses have strict legal duties to secure data and maintain continuity of operations, particularly regarding personal or sensitive data.
- Data protection regulations (such as GDPR) require “reasonable” measures to prevent data loss, unlawful access, or extended unavailability.
- Companies must notify authorities promptly of significant data breaches or interruptions.
- Failure to plan for continuity may result in regulatory fines, litigation, or loss of business licence.
Worked Example 1.3
Scenario: An online retailer loses access to customer records for three days due to an IT system crash and no tested backup is available.
Question: What possible legal implications can arise from this failure?
Answer:
Breach of data protection requirements could lead to regulatory investigation and fines. Customers and partners may also claim for damages due to breached contracts or loss of service.
Exam Warning
Disaster recovery is part of, but not identical to, business continuity. The DRP focuses on restoring IT, while the BCP deals with the wider organisation, including communication, stakeholder management, and alternative procedures.
Key Procedures in Business Continuity and Disaster Recovery
- Conduct regular risk assessments to identify vulnerabilities
- Automate and schedule frequent, secure backups, stored off-site or in the cloud
- Maintain updated copies of BCP and DRP accessible to key staff
- Clearly assign roles and ensure all staff know their responsibilities during incidents
- Test the entire continuity and recovery process at least annually and after significant IT changes
Revision Tip
Use practical checklists to recall the essential steps in activating business continuity and disaster recovery plans for different scenarios.
Summary
Ensuring IT security and continuity protects a business from operational, financial, and reputational harm. Business continuity plans aim to keep core activities running during disruptions. Disaster recovery procedures focus on restoring IT and data after incidents. Both are required to meet legal and organisational responsibilities, minimise losses, and maintain trust.
Key Point Checklist
This article has covered the following key knowledge points:
- Explain common IT risks to business continuity and security
- Describe the aims and essential components of business continuity plans (BCP)
- Outline key features of disaster recovery planning (DRP), including backups and recovery targets
- Identify the legal obligations for safeguarding systems and data during and after disruptions
- Specify regular procedures for testing, maintaining, and activating continuity plans
Key Terms and Concepts
- business continuity
- disaster recovery plan (DRP)
- risk assessment
- backup
- recovery time objective (RTO)
- recovery point objective (RPO)