Monday 24 December 2012

Planning for major events

Donna Monkhouse, Your BC Eye
2012 will always be synonymous with the UK staging one of the most successful ever Olympic and Paralympic Games.   Its success has become part of Britain’s legacy.  But despite the strong positivity that surrounds the smooth operation of the Games, on the planning front, there were many that complained about a state of over-preparedness, declaring that too much time and effort had been squandered on unnecessary planning. 
 
Widespread traffic chaos, business disruptions, terrorist attacks and a grid-locked London were all predicted, but never actually occurred. So perhaps the question we need to be asking is not whether we did too much planning, but whether the quantity and quality of the planning undertaken helped to minimise any disruptions and whether without it, we would have experienced more chaos, more incidents and a less successful hosting of this major event.

Wednesday 12 December 2012

10 tips to avoid tipsy digital disasters at office parties

A few too many drinks at the office Christmas party could cost you more than your dignity!
 
In a digital age many of us won’t leave our work behind when we head for the bar for a festive tipple. Smart phones, iPads and laptops are likely to contain our work contacts at the very least and, in some cases, may store even more confidential information.
 
Making a fool of yourself on the dance floor will be the least of your worries if your phone or laptop is lost or stolen. Data falling into the wrong hands could cost you your job; your employer their reputation or even, in the worst-case scenario, their business.
 
Here are my 10 seasonal security tips:
 
1.    Phones, laptops and tablets all come with the facility to set a password – so use it.
 
2.    Twitter and alcohol don’t mix. Your Tweets may seem witty after a few glasses, but you may embarrass or even offend.
 
3.    You may be keen to share photos of your festive fun on Facebook but colleagues who overindulged won’t thank you.
 
4.    Lock your laptop in the office rather than take it out with you.
 
5.    Empty pockets and handbags of USB sticks and take them off your keyring.  Lock them safely in a drawer.
 
6.    If you’re an employer consider the timing of your office party. Will staff work productively, and securely, with a hangover?
 
7.    Is your office party being held in the office?  If so, remind your employees about the need to clear desks, lock down computers and screens.
 
8.    As an employer, introduce a clear desk concept and stick to it all year round.  That way no one leaves confidential information or data lying around … ever.
 
9.    Don’t be tempted to access company data on the free wifi available at your Christmas party venue.
 
10.  Finally, if you’re a boss don’t leave IT and social media security until the festive season.   Build cyber security and awareness into your culture and have policies in place, including guidance on social media use.  
 
Alan Cook, Director, the Agenci, specialists in information security and business continuity
 
 
 

How lessons from Skyfall can prevent businesses plunging into IT freefall

The new James Bond film Skyfall parachutes 007 into a chilling cyberspace of computer hacking and cyber terrorism in which malicious software – known as malware which infects and damages computers – is more dangerous than exploding pens.      
 
In true Bond style the battle of good versus evil submerges audiences into an explosion of special effects where fantasy villains such as Jaws, Blofeld and Oddjob are replaced by the hero’s more chilling nemesis Raoul Silva - a former agent turned vengeful computer hacker. 
 
As Gary Hibberd, director at The Agenci which specialises in information security and business continuity for small and medium sized enterprises, explains, Silva’s dastardly mission of cyber destruction mirrors the harsh reality of the off-screen bad guys who can eradicate micro business and corporations - leaving a trail of devastation in their wake.       
 
The real threat of cyber crime and the vulnerability of organisations is nowhere more apparent than when the youthful MI6 boffin Q tells Bond: “I can do more damage on my laptop in my pyjamas than you can do in a year in the field.” Such a warning reinforces the unprecedented importance of implementing robust security processes.
 
We only have to swap the cinema screen for the TV screen to see and hear big name brands reporting serious breaches of customer data. The repercussions can be catastrophic and include financial loss, incurring substantial fines for breaching legislation – and even irreparable damage to their reputation. 
 
In a more understated way than the flamboyant Bond, The Agenci helps companies to ‘beat the baddies’ and prevent information from falling into the wrong hands by supporting wide-ranging sectors to boost their processes and feel more secure when running their businesses. 
 
Gary Hibberd explains: “Irrespective of the size or sector in which your enterprise operates, it’s crucial to protect yourself against the bad guys. Time and again we find that companies leave themselves open for attack when a few simple steps could save much cost and heartache.” 
 
Here are five top tips to getting the fundamentals right:
 
1. Install Antivirus Software
 
The simplest forms of defence are surprisingly often overlooked. Antivirus stops people employing bad code on your computer and infecting it with a virus.  If you connect an unprotected computer to the internet it can be infected with a virus within 20 seconds!
 
Check your computer to ensure that you have software installed and ensure that it is kept up to date.
 
2. One User One I.D.
 
Ensuring that each employee has a unique user name and password can go a long way to protect your business assets. Following this process is helpful if you need to track an incident to find out who did what and when. 
 
3. Set up a Firewall
 
A little more technical but critical because it essentially operates like a locked front door and only allows those people to whom you want to give access to be able to get in. You wouldn’t leave your front door open to criminals – why would you leave your business open to computer hackers? 
 
4. Establish a Policy
 
Your employees can only be expected to follow the rules and guidelines if you have communicated to them exactly what they are. Compile a Computer Usage Policy which educates your employees and partners and spells out clearly what staff can and can’t do on a business computer.
 
5. Draw up Contracts
 
From customers to suppliers, it is essential that you have contracts setting out the provisions for the management and protection of company assets such as information, levels of controls, service levels expected - and a right to audit.
 
In the adage that prevention is better than cure, these simple steps will enable you to savour the Skyfall experience without worrying that fiction could turn into reality.
 The Agenci - A specialist in information security and business continuity.

Black Swans – something for senior managers to hide behind or to action?

Lyndon Bird FBCI
Some business continuity practitioners have argued that Risk Management techniques provide a tried and tested approach to dealing with conventional threats, but have limited effectiveness in identifying or evaluating rare but potentially catastrophic issues.  
 
There has even been a host of terms that have entered our common lexicon simply to try and define these types of high impact situations.  The former US Defence Secretary Donald Rumsfeld was much satirised when he talked about “known, unknowns” and “unknown, unknowns” etc. but it is proving to be a useful way of distinguishing types of threat.   
 
The idea of “Black Swans” to define things that are outside of personal experience, and therefore missed when trying to register potential risks has also been much debated.  Many have treated “Black Swans” as if they are the same as “unknown, unknowns”, but in most circumstances they are more akin to “unknown, knowns”  - perhaps unknown to key decision makers but certainly not unknown to everyone.  
 
For example the volcano ash cloud which closed European airspace is often called a “Black Swan” event – but every aspect of that drama was well-known by some people - the volcano might erupt (meteorologists); there is a level of ash that airplanes were not allowed to fly through (aviation authorities); and there is a relatively high tolerance to ash levels in more recently designed jet engines (aerospace engineers).  So the problem was less to do with lack of knowledge but the failure to share and assimilate the significance of that knowledge.
 
This is at the heart of the debates we have about apparent failures of risk management: the Libor rate scandal; the sub-prime mortgage crisis that bankrupted many banks; the collapse of the once impregnable Arthur Andersen global business empire.  All came as a great shock at the time, not only to outsiders, but apparently also to the Board and C-Suite executives of the organizations concerned.  
 
Lack of available knowledge was not the problem; lack of knowledge by those who had the power to stop dangerous things happening was.  Claiming such things as “Black Swans” helps deflect blame on the premise that “how can we have done anything about it if it was an inconceivable incident?” This excuse might work if a meteorite hits the earth, but not if we have simply failed to look at signs, talk to people who know what is happening and adjust our behaviour accordingly.
 
I wonder if there is now a risk that we are headed towards another problem which is not being properly confronted at the right level. The Business Continuity Institute and the Chartered Institute of Purchasing and Supply conduct an annual survey into how well Business Continuity is being handled within the Supply Chain.  As a basic question, we collect data about the main causes of operational disruptions across the world.  One item has been steadily rising up the list until this year it finished 3rd – after the perennial top two of Adverse Weather and IT/Telecoms failure.  That factor is “failure or serious disruption to services provided by an outsourcer”.  In the world of globalization, low cost manufacturing and just-in-time delivery, we have treated outsourcing (and its close cousin off-shoring) as self-evidently good things.  It allows management to concentrate on core business; it manages external costs better through competitive bidding processes and it buys in a higher level of specialist expertise than might be affordable in-house.
 
The problem is that some of this accepted wisdom is being questioned by supply chain and BCM professionals in organizations, but this message is not being heard by those who could change it.  
 
As the global economy continues to stagnate, more and more pressure is placed on cost-saving and often this leads to excessive price pressure on those organizations bidding to gain or even retain their accounts.  It also leads to more single source suppliers in return for lower prices and service provision from more geographically, politically and culturally unstable regions.  This seems to be a trade-off between cost and reliability, and some feel the balance has gone too far with significantly more disruptions ensuing - which are then causing higher levels of dissatisfied customers and eventual loss of business.  
 
There is always a need to make a judgment and a sensible balance between “no risk at any costs” and “any risk at lowest cost” has to be taken – but for those who favour the higher risk end of that scale, do they really know what consequences they might be facing?  Is this perhaps another “unknown, known” that top management might try to pass off as a “black swan” if all goes wrong?
 

Wednesday 5 December 2012

Preparing for the worst, whatever the weather


Deborah Higgins MBCI

Set against the background of the recent severe flooding that has affected, or at least threatened to affect, large areas of the UK, putting both businesses and homes at risk, there is no better time than now for businesses to think about how prepared they are to deal with such disruptions and to take the first steps towards preparing for the worst.

But how do we prepare?
 
Business continuity is all about having the capability to cope with disruptions no matter what they are.  So when there is calm before a storm, it is important that businesses take the time to develop and implement comprehensive business continuity arrangements to provide confidence in an organization’s resilience and ability to survive whatever the incident or weather. 
What do businesses need to do?
  • Understand what risks the business is vulnerable to – for example, are premises or assets at risk of flooding? Do all staff live locally and will they be impacted by the same event? Would the ability to communicate with staff, customers and suppliers be affected?
  • Determine the most urgent business activities – which activities must be continued in order to stay in business? Which activities could be temporarily put on hold and for how long?
  • Understand the impact of any disruption to the most urgent business activities – what could happen if these activities were lost or disrupted? 
  • Identify key suppliers for the urgent activities – which suppliers are critical to the delivery of key products and services? How might they be impacted by a disruption?
  • Understand the business impact of a supply chain disruption or supply failure - for example, even if the business is not directly impacted by the flooding, a supplier may be, so having an alternative arrangement in place (where possible) will minimise disruption to the ability to carry on delivering products and services.
  • Consider what alternative arrangements could be put in place to enable the business to carry on operating.
  • Make sure a well-rehearsed incident response plan is in place as part of business continuity arrangements.
There are good examples in the news today of a business whose competitor assisted them with continuing to make a product after their premises were disrupted by a fire. Another business owner who was severely affected by the riots in London utilised an arrangement with a neighbouring premises that was not affected and has now seen massive growth in his business as a result.  
Taking time to consider the potential impacts and making alternative arrangements in advance makes good business sense.
Business continuity is a way to help businesses become more resilient to the increasing number of risks and threats they are facing. Good business continuity practice means businesses will know ahead of time, what threats there are to their organisation and what the impacts of these could be. Even when we cannot predict the exact scope of a problem, we can at least plan to resume key activities in the speediest and most cost-effective manner.
So no matter what is predicted or what comes to bite us, we can be assured that we know what we will do when the time comes by adopting good business continuity practice.  
 

Tuesday 4 December 2012

How to ride the peaks and flatten the troughs of executive engagement

Lee Glendon CBCI
If your experience of engaging senior and executive management feels like a constant struggle to sustain momentum or defend investment, then you should take 15 minutes to look at the C-Suite Engagement Toolkit that has just been launched by the BCI.
In 2011, the BCI published its report on members’ experience of board-level engagement, and some of the comments are reprised here:
  • The board has implemented a corporate BC plan after a study from consultants but the momentum isn’t there any more
  • No sustained interest shown, despite a variety of constructive efforts
  • The board has received papers on BCM at its last two meetings but the time and discussion were limited. 
  • BC resourcing is under increasing pressure in all areas of the company
  • There was great interest in 2006 but less since the auditors’ requirements were met
  • We are still working on board buy-in
  • Some projects were approved by the board but I do not have access to what is discussed on BCM
  • The interest in BCM goes in peaks and troughs dependent on what current risks are high profile e.g. severe weather, volcanic ash, pandemic flu, IT failure
It’s important to counter-balance these comments with a different experience enjoyed by others:
  • The board has an understanding of what BCM has to offer the organization and is now beginning to understand that it protects the organization’s assets and reputation during an incident or crisis
  • BCM is an advisor in many decisions, adding to the information available to senior management to support informed decisions regarding risk, resilience and continuity
  • Business Continuity is playing an ever increasing role within the procurement process and this is changing the way the tender process is approached
  • Our senior management team is very supportive and committed, if it is presented and implemented well
C-Suite Toolkit
The toolkit was developed to help address this disparity of experience by trying to understand what can be done to build and sustain engagement.  In short, if you want to have more of the latter experiences than the former, then it is worth thinking about developing a structured approach to executive engagement. 
Even if you do not have an incident, near miss, or industry peer that has suffered from a crisis, your organization will have key projects and programmes with related risks and key performance indicators.  These risks and indicators are likely to be assigned to key executives.  One of the key benefits of business continuity, as expressed by BCI members, is its value in better understanding critical processes and vulnerabilities, valuable information for decision makers, so it is important to be clear on this area of value add.
So how does the toolkit help?
The development of the C-Suite Engagement Toolkit has been practitioner-led from the start.  It is not an academic paper on the importance of engaging executives – anyone running a business continuity programme already recognises this requirement – this toolkit sets out a framework for achieving sustained board and senior management engagement by drawing upon insights and expertise from disciplines such as sales, third party research into executive interests, and the world of psychology and soft skills.
The first part of the toolkit contains profiles on common C-Suite, or senior management roles from Chief Executive Officers to Chief Financial Officers and their equivalents in IT, Marketing, Operations, HR and many more.  These profiles include suggestions on areas of their interest where business continuity has a contribution to make.  Naturally, exercising is a proven way of engaging executives, so ideas for shaping the exercise to fit the interests of the C-Suite executive are provided as well.
The second part of the toolkit asks you to think more closely about your existing programme and the information it delivers and how this can provide the facts and evidence to build a compelling story to support engagement with executives based around the interests identified in the first part of the toolkit. 
The third part of the toolkit takes the facts from the second part and the broad understanding of functional interests from the first and asks whether this is sufficient for successful and repeatable engagement.   Through a series of videos, you are taken into a scenario where it becomes evident that a key element is still missing.  This element is sometimes called soft skills, other terms may include building rapport, or simply communicating effectively.  Through the scenario, you are introduced to the value of understanding personality types, and how soft skills such as speed reading can improve the likelihood of success.  In other words, all three elements of the toolkit need to be understood and applied if we are to expect more consistent results from engagement with executives.
In addition to the videos and information provided on the website, worksheets are provided for each section of the toolkit, to help plan your own engagement approach.  Links are also provided to third party and BCI resources.  For those who are keen to develop their understanding of different personality types, including their own, reference is made to available models.  And for those looking to revamp their executive-level communication skills, a master class training course has been specifically designed to support you.
So now over to you!  Let us know what you think of the toolkit, please try some of the ideas and let us have your feedback (research@thebci.org).