Market Intelligence & Research Agency
The Client
Our client is a global market intelligence and research agency offering independent market research to clients across a wide range of industries. The collection and processing of consumer data is key to the client’s core business.
The Challenge
As providers of consumer data, the client is integrated into supply chains, enabling their clients to mount marketing campaigns and product launches, and to understand consumer behaviours and purchasing intent.
The client recognised that a disruption to the service could result in reputational damage in a competitive market. Additionally, its consultancy services have expanded with associated contractual obligations and financial implications.
Business continuity (BC) planning had been implemented several years previously, with BC plans developed for the regions; this was based upon business impact assessments (BIAs) identifying key assets, services and dependencies. However, there was little connection with technology response planning, and regional plans were at different stages of currency. It was evident that BC had fallen off the radar at a senior level, with increasing exposure over time.
The client’s CISO determined that the current BC, cyber security, IT DR planning and associated execution required an examination of alignment with best practice, asset coverage and control effectiveness. A review of existing BC plans, BIAs and select DR capabilities was proposed to ensure effectiveness, validity and currency, taking account of changes in the organisation such as the introduction of new products, assets and services.
With limited resource and more complex technology in the mix, it was recognised that external specialists were needed to provide an independent assessment of preparedness and point the client in the right direction. Teed’s experience and skills in assessing preparedness across response disciplines meant we were ideally placed to support the client with their project.
The Solution
The scope of the project was an assessment of BC plans and associated BIAs for two global regions, together with the review of DR practice, procedures and capability for a selection of IT systems. Teed’s consultant held discussions with key stakeholders to understand the organisation, its risks and current preparedness. Where critical activities had been defined, the BIA methodology was found to be limiting with a need to add substance to better understand the priorities, dependencies and recovery requirements.
Discussions with technology representatives recognised that the organisation is moving further into a cloud-hosted environment. This can reduce risks if done correctly, but risks remain that need to be accounted for. With a mix of on-premise, legacy and new cloud hosting, some scenarios were identified where there was no apparent recovery solution for critical IT services, with the potential for a lengthy outage. There was some uncertainty whether all data could be recovered in certain circumstances, which is a key concern given that data forms the bedrock of the business.
Ultimately, the client was found to be exposed to some BC-threatening risks due to identified gaps in recovery capabilities and irregular BC activities.
The Result
The findings from the review were presented to the client together with actions for consideration, including initiating a BC improvement project to establish a BCM system:
- Implementing a policy and governance process that aligns with BC good practice
- Undertaking BIAs with improved methods across the business
- Implementing an exercising programme to validate BC strategies and to raise awareness of those managing the response to incidents.
A two-year roadmap was outlined to allow the client to address areas for improvement and risk exposures in a prioritised manner. The client now has a plan of action to enable the project team to join up the dots and create a linked, effective response strategy.
The client’s products and services may not be as time critical as some other organisations, but stakeholders are becoming increasingly demanding when it comes to needing evidence from their key suppliers that effective BC, DR and cybersecurity response capabilities are in place and tested; and somewhat less forgiving when faced with unexpected disruptions to supplier services.