Crisis management - achieving control in a crisis

Dominic Cockram
Steelhenge

I will be talking on the topic of 'achieving control in a crisis' at the BCM World Conference 2013, and focussing on the key areas of:

• What happens in a crisis?
• What are the challenges you face?
• How can you achieve control in such a situation?

 

First of all, one must understand just what a crisis means in terms of the characteristics of the actual crisis itself and the impacts on an organisation.  It is generally accepted that crises are characterised by:

• Unpredictability
• Complexity
• Highly dynamic threat
• Lack of boundaries
• Scrutiny from the media, public and other interested parties
• Uncertainty

These aspects create a situation which is volatile, fast moving, confusing and enormously pressured – not to mention the potential added emotional aspects if people have been injured or killed. Into this environment comes a crisis team – brought together at very short notice, not necessarily fully in the picture and expected to lead and generate the key strategic decisions for the organisation that will steer it into calmer waters with its reputation at least intact.

No pressure then!

Whilst this pressure cannot be removed necessarily, there are a number of aspects of good practice in crisis management that can, if well applied, lead to achieving control over events and the ability of the crisis team to get on the 'front foot'.

My focus at the conference will be to bring these critical areas to life, to use practical examples of what works and what does not, and what are some of the most important areas upon which to focus in order to maximise the chances of 'taking control' and achieving a good outcome for your organisation.

Dominic will be discussing the issue of crisis management within the 'Thought Leadership' stream at the BCM World Conference on Wednesday 6th November, starting at 11:15.

How can we evaluate business continuity risks in the supply chain?

James Stevenson
Rolls-Royce plc

The experts keep telling us that supply chain risks are important and it is old news that:

• An interruption could damage the business
• Customers should work with their suppliers to reduce the risk of interruption
• Sometimes the problem is with supplier’s supplier, or their suppliers
• Unfortunately, supply chain risks seem to be increasing in scale and complexity

Occasionally, this kind of alarm call reaches the Board or Executive Management responsible for understanding the significant risks facing their business. They realise that the threat is real and ask around to see who is managing this area of risk.

In my view, BC Managers are well placed to do this and with some minor adjustments to the BCM programme we can help the business to understand and manage supply chain business continuity risks.

At the BCM Global Conference, I will introduce the work underway at Rolls-Royce plc that is helping us to:

• Assess the BCM process site by site
• Evaluate the major SC risks at owned facilities
• Evaluate the major SC risks presented by external suppliers

I hope that this will provide BC Managers with practical steps and simple suggestions to evaluate supply chain business continuity risks more effectively.

James will be discussing this and the issue of supply chain continuity within the 'BC in Action' stream at the BCM World Conference on Thursday 67h November, starting at 10:35.

Making the most of your conference experience

Andrew Scott
Business Continuity Institute

The BCI is a global organisation with Members, Forums, Chapters and Partners all across the world, but whether it is due to time, distance or perhaps even environmental concerns, unfortunately not everyone who would like to attend the BCM World Conference and Exhibition on the 6th and 7th November will be able to do so. Sadly some people will miss out…

I don’t know about you but I sometimes feel like I’m doing several jobs at once. I'm sure we all do at times but even so, and with the best will in the world, none of us will be able to attend all three streams of the conference at the same time, not to mention the packed exhibition that will be going on or the free seminar programme taking place. With so much happening, we simply cannot attend everything. Again, sadly some people will miss out…

Or will they? Of course attending the conference and listening to the individual presentations will offer the best learning experience. But just because you’re separated by several thousand miles, or only in the next lecture hall, does not mean you have to miss out completely. In this day and age, with many of us using social media, we can take the discussions out of the lecture hall and into the virtual world. We can involve in our conversations all those connected to the Institute, or business continuity in general, whether they are at the conference or not.

If you use Twitter or Linked In, or perhaps Google+ or Facebook, then why not start a discussion online and engage with many more of your BC colleagues. The bonus is that it will help make sure the conversations continue long after the conference is over.

Of course it is also important not to miss out on the earliest form of social networking - talking to your colleagues face to face, at least those who are fortunate to be there with you.

Enjoy the conference and I look forward to meeting many of you there. For those of you on Twitter, the hashtag we will be using is #BCM2013.

Identifying your organization's business continuity requirements

Kuniyuki Tashiro
InterRisk Research Institute and Consulting

When I started to learn about business continuity management 10 years ago when I worked for a manufacturing company, one of my biggest questions was how to perform a business impact analysis (BIA) in our company. I could not find enough information to improve my understanding of the methodology behind BIA at that time. Nowadays we can access a lot of information about BCM through many books, standards, guidelines, seminars, or websites. But despite the situation getting better, many people still say that BIA methodology is unclear.

I think that one of the biggest reasons is that there are various methods used for BIA at different levels or for different purposes. Furthermore, the methods should be customized for each organization and developed with an understanding of the organization's context.

However, the latest version of the Good Practice Guidelines (GPG) has great potential to help deepen our understanding of BIA because the explanation of what it involves has been substantially expanded. In the 'Analysis' section of the guidelines, the methodology for BIA is explained with four different stages - Initial BIA / Strategic BIA / Tactical BIA / Operational BIA. This does not mean you have to divide your BIA process into four stages, but that understanding the four stages of BIA with each outcome would be a strong starting point for planning BIA in your organization, and customizing/developing BIA methodology. The guidelines also provide a practical knowledge for risk assessment in BCM by discussing the benefit of a 'Threat Analysis' to identify unacceptable concentration of risk or single points of failure.

In my session - 'Analysis' on the first day of the conference - I will discuss how to apply the methodologies described in GPG to the organization by using case studies so that attendees can obtain a practical knowledge.

Kuniyuki will be discussing this within the 'BCM Lifecycle' stream at the BCM World Conference on Wednesday 6th November, starting at 15:20.

Cyber threat opportunity

Ken Simpson
The VR Group

Only a week to go until the BCM World Conference!

What if we took a different approach to our reflective learning this time?

Instead of waiting until after the conference to reflect and integrate what we have learned, what if we took a proactive approach and spent some time ahead of the conference reflecting on what aspects of our current practice we need to change.

What if that reflection also included reframing the problem – not just how can I fine tune my practices within current frameworks and constraints, but how would I want to transform my practice going forward and remove some of those constraints.

To achieve that outcome perhaps we may take a different mindset into the conference.
If we can try that exercise in critical reflection and recalibrate our mindsets, then perhaps new, or at least different, learning could emerge from the way we interact with the ideas presented and with other conference delegates.

That is the core of what my session at the conference is about, thinking differently about a problem and the way we practice our craft. I hope to encourage discussion around emerging threats and how we might use these to improve our engagement with Executives and the wider organization.

Specifically the session will present my experiences of using cyber-attacks as the focus for Executive exercises and engagement. Cyber is used as an example, and as a metaphor for emerging threats/risks, not as a vehicle to talk about a lot of IT technical stuff. Come and hear how (and why) Executives are more engaged when we use confidentiality and integrity as the disruption risk - rather than the more common approach of using availability.

As befits a 'holistic management discipline' the discussions will most likely touch on a number of issues also discussed in other sessions including:

• the critical nature of cross discipline engagement,
• thinking more like management,
• taking  a strategic rather than compliance approach, and
• the concept of resilience

 

Some pre-reading on Mindset:

 

http://blogs.hbr.org/2013/09/the-right-innovation-mindset-can-take-you-from-idea-to-impact/

 

http://mindsetonline.com/whatisit/about/index.html

 

http://www.tree4health.org/distancelearning/sites/www.tree4health.org.distancelearning/files/readings/The%20Five%20Minds%20of%20a%20Manager_0.pdf

 

Ken will be discussing this and the issue of influencing key decision makers within the 'Thought Leadership' stream at the BCM World Conference on Thursday 7th November, starting at 14:50.

Crossing boundaries

John Robinson
INONI

Our BCM World Conference presentation is an illustration of how BCM can pleasantly surprise business leaders with the value it brings. Our case study will be about Reed and MacKay, a £200M turnover top-end executive travel firm located in Farringdon close to the heart of London’s legal, media and financial district. This is a multi-faceted, time-pressured and highly successful business and illustrates perfectly the importance of accurate and decisive BIA. The following explains why I believe they found it so valuable, noting that Reed and Mackay subsequently gained accreditation to ISO 22301 at the first attempt.

On the heels of recession, R&M’s 2012 budget for BCM was tight, so this was by necessity Business Impact Analysis (BIA) in a hurry, allowing just six days to complete. Head of GRC Suzanne Elmore and I booked the ‘goldfish bowl’ office for an initial two days’ intensive research, compiling all the information we needed, hauling in knowledgeable others wherever and whenever we couldn’t find the answers ourselves. It was intense, coffee fuelled work, but for the business we were conspicuous by our absence - no long haul activity, no hit-and-miss scheduling of meetings and consequently no interruption. From their standpoint, the BIA was building itself painlessly; from ours it was systematically providing a detailed and accurate view of the business, marketplace and supply chain.

By the end of day two we had a large and colourful layered map and a steady stream of visitors poking their heads round the door just to see what the pictures actually meant. One was the CEO. His initial reaction was ‘what on earth is that?!’ After a brief explanation, he got it… and asked us to deliver a presentation of the map to the extended management team – for a full day. He realised our technique would let him pinpoint the organisation context and that this would allow executives to think outside their areas for both BCM and normal business.

We delivered to a room of around 15 C-level execs and managers, testing and refining the picture using scenarios. Engagement was total and by 4pm everyone understood the effect of disruption, risks and priorities, dependencies, strengths and weaknesses. Our approach reduced the effects of personality and gave individual execs ownership of the outcome. We authored the formal BIA document based on the high grade information we took from the workshop, requiring the bare minimum review before release and allowing us to complete on time.

Finally, on completing the workshop, we were approached and thanked by the Commercial Director who saw the exercise as exemplary PR for the firm and who now uses their accreditation to emphasise R&M’s superior service to clients.

The message to you from me is this: we know that BIA is the foundation for effective BCM, setting out the organisation’s context for managing this important aspect of business risk. It can seem daunting the first time, trying to see a way through that is efficient and cost effective, and which is accurate and capable of being totally embraced by senior management. We achieved exactly that and gained accreditation on the back of it, with total management support. Please attend our presentation if you’d like to know more about how we did it. We’ll be pleased to see you and answer your questions.

John, along with R&M's Suzanne Elmore, will be discussing the issue of crossing boundaries during his Practitioner Presentation at the BCM World Conference. This will be part of the free seminar programme within the exhibition.

Managing supply chain continuity

David Window
Continuity 22301 Ltd

As a member of three institutes - Institute of Risk Management, Business Continuity Institute and the Chartered Institute of Purchasing and Supply - I hope to explain why as business continuity professionals, we struggle to engage with my alter ego - the procurement professional.

Over the last two years I have been debating this topic with a colleague who is an accomplished procurement professional and we have challenged each other considerably in our efforts to justify the question, “why bother doing business continuity in supply chain”. We have also interviewed other procurement professionals to gauge our opinions against theirs.

The short answer we believe is that procurement professionals, especially those who use category management techniques, are incentivised to make savings. Resilience comes at a cost and this cost erodes savings.

Yet how many times during the period of a contract do businesses suffer minor disruptions, delays to a service or product delivery, how much additional cost do they incur which is not captured and quantified but still erodes the original savings?

Category Managers deal with strategic sourcing and that very name should ring alarm bells with business continuity professionals. When they are sourcing goods and services of strategic importance, potentially time critical, urgent goods and services, which the business depends upon, then they need to consider business continuity for continuity of supply.

So the business continuity professional encourages them to seek assurances on their supplier’s business continuity preparedness. The hard part is convincing them of the value of doing so for a future event that they can’t perceive of. This is because their minds naturally move into the area of probability. How often do we, as business continuity professionals, hear the words “what are the chances of that happening?”

Whatever your opinion is of risk management and the concept of estimating probability, I would suggest that it is a natural instinctive thought process that we as humans undertake daily even as we cross a busy road; we evaluate the risks and the probabilities.

So as business continuity professionals we need to speak the language of risk too and we need to understand the concepts of total cost of ownership and the drivers for procurement professionals, before we stand a chance of successfully engaging with them.

Consider that there may be something called the risk assessed total cost of ownership, whereby through modelling your supply chain you can assess the inherent risks within it before entering into a contract. Suppose through that analysis you can understand when it is appropriate to use risk mitigation strategy and when to use business continuity strategy and tactics cost effectively.

Now suppose that you could do that in a way that enthuses procurement professionals and top management alike by offering a potential estimate of quantifiable impacts caused by any minor or major supply chain failure.

If, as a result of this analysis, procurement professionals made more informed decisions when strategic sourcing, having an insight into the inherent risks and knowing when to incur costs on risk mitigation strategies, continuity strategies and tactics. Does that sound better than simply asking for a tick box questionnaire to prequalify your potential strategic partners who deliver time critical goods and services to your business?

The Good Practice Guidelines 2013 advocate both multiple suppliers and buffer stocks, but these carry a cost in the eyes of the procurement manager. Where these alternative suppliers are based and where you hold that contingency stock falls more into a risk assessment model, knowing your supplier is in a geopolitical area that carries a risk of a supply disruption may be sufficient for you to source elsewhere.

A risk assessed approach to establishing the total cost of ownership by procurement professionals may lead to exposing known risks and therefore require an amendment to the sourcing strategy. In circumstances where you discover that the options for supply are limited by a variety of imperatives such as cost, location, availability or uniqueness, a risk mitigation strategy may have limited benefit for these supply lines so you must delve deeper into your supplier’s resilience. Most importantly you must understand the costs involved.

As with all things business continuity, it is those business elements that are time critical or urgent, and therefore within the scope of business continuity, that need to be given scrutiny, not all your supply chains.

It is important to justify the need for business continuity to procurement professionals and to top management, by talking their language, commercial drivers, and cost of impacts for time critical supply chains need to be part of the assessment prior to committing a business in a purchase contract.

Finally, ask yourselves the following questions, is it sufficient and productive to ask suppliers to complete questionnaires when you prequalify them in order to be a part of a competitive tender? Does this add value to your procurement process? If you ask for a copy of their plans are you really competent to assess its efficacy? I would suggest the answers to all of these questions is no.

David, along with Brian Leigh of QiPS Consulting Ltd, will be discussing this issue further in his Practitioner Presentation at the BCM World Conference and Exhibition. The Practitioner Presentations are part of the seminar programme at the free exhibition.

The road to fire safety resilience

Russ Timpson
Horizonscan

The key messages when it comes to fire safety resilience are that:

• Prescriptive approaches to fire risk mitigation are reactive, cumbersome and commercially irrelevant
• Fire risk ownership will only be achieved through linkage to business imperatives such as resilience, supply chain integrity and insurance
• Tools and techniques do exist to assist those tasked with risk ownership to understand the scope and scale of the risks involved

The next step within the risk management community is to migrate from essentially a legislation based compliance and reactive role with regard to fire, to one of adding value to any given undertaking by embracing the principles of resilience.

Resilience has been defined as ‘the ability of an organization to absorb, respond and recover from disruptions’ (Business Continuity Institute). In relative terms the ‘bar’ for fire risk mitigation in a prescriptive regime must be set very low in order to allow for generic application. Whereas, if the imperative for resilience is applied and linked to commercial priorities such as insurance and supply chain integrity, the requirement must be higher and more relevant.

My presentation at the BCM World Conference will seek to explore the historic model for fire risk mitigation; code compliance and enforcement. This will include an analysis of the relative merits and drawbacks of this approach with commentary. An overview of the current movement towards ‘fire risk assessment’ and risk ownership by employers and building owners in the UK will also be discussed with recent case studies. I will also describe the commercial approach to fire risk mitigation and give insight to the role of insurance underwriters and potential loss calculations.

This has been successfully achieved by employing a derivation of the ‘HAZOP’ (Hazard and Operability Study) from the process industries such as petrochemical and pharmaceutical. The output from this assessment is a fire risk ‘contour’ map of a given building combined with a ‘criticality index’ for given areas, plant and systems.

We need to challenge existing thinking in the risk management community, to promote closer understanding of the commercial environment. With ever increasing fiscal pressures on tax funded fire safety enforcement agencies, there must be informed thinking on engagement with building and business owners.

“You can lead a horse to water, but you cannot make it drink” – however, you can put a lot of salt in its foodbag.

Russ will be discussing the issue of fire safety resilience during his Practitioner Presentation at the BCM World Conference. This will be part of the free seminar programme within the exhibition.

Drivers for the employment of BCI members in large UK companies

Patrick Roberts
Cambridge Risk Solutions

Ever since becoming involved in the profession, nearly ten years ago, I have been constantly intrigued by the attitude of different organisations towards business continuity. Simplistically, I began by assuming that large well known companies, with both assets and reputation to protect would be universally receptive to the idea of BCM, but (painful) experience has taught me that this is not the case. Equally, since starting our own BCM consultancy in the east of England, we have been surprised by the number of very small organisations that have asked us for assistance, organisations that we would never have considered approaching as potential clients. The same surprising pattern is borne out if you look at the firms which are certified to BS 2599, and are now certifying to ISO 22301. It is a curious mixture of large household names and much smaller firms.

My presentation at the BCI World Conference and Exhibition is based on PhD research conducted at Nottingham University Business School, and attempts to understand these differing attitudes towards BCM in a more formal way. The starting point of the study is the observation, based on data provided by the BCI in 2011, that only 70 firms in the FTSE 350 actually employed a member of the BCI at that time. The research then goes on to explore the relationship between various observable characteristics of these large publicly quoted companies and the likelihood of them employing BCI members. A broad range of possible drivers are identified from reviewing previous work on risk management and from specific consideration of the aims and objectives of BCM.

The main finding is that, at least within these large UK companies, the employment of BCI members appears to be primarily driven by the expectations and demands of external stakeholders such as lenders and regulators. I’m not sure how much this insight helps me in targeting our marketing efforts more effectively, but it has certainly helped to make sense of some of the patterns that we have observed over the years and I look forward to sharing more insights with you in November.

Patrick will be discussing this issue further in his Practitioner Presentation at the BCM World Conference and Exhibition. The Practitioner Presentations are part of the seminar programme at the free exhibition.

Supply chain resilience

Lyndon Bird
Business Continuity Institute

In 2009 The Business Continuity Institute decided that more research was needed into the level of business disruption being caused by supply chain problems. The challenge we set ourselves was to provide data to help organizations develop and enhance resiliency within their supply chains. This work was done with the strong support of Zurich Insurance Services and in collaboration with the Chartered Institute of Purchasing and Supply.

Since then, this has become a regular annual survey and its findings have become increasingly influential to the business continuity, purchasing and supply and insurance communities. At BCM World 2013, the findings from the most recent survey will be announced and I will be leading a discussion on these alongside Nick Wildgoose of Zurich Insurance Services.

This is the first release of data from 2013 survey and those attending the session will be given a printed copy of the full report. Although the methodology used in 2013 was consistent with previous years, some additional questions were added.

One issue looked at in 2013 in some detail was the extent to which non-physical events in the supply chain were causing disruption. These are seen as those events where supply itself is unaffected in the short term but could cause potential long term damage to reputation or even business viability. Another new question in 2013 looked to understand the extent to which supply chain failures were generating negative and positive social media discussions.

The presentation will look at the key findings that emerged from the report relating to supply chain vulnerability and what organizations are doing about it. The causes of disruption are identified, together with their relative frequency of occurrence and the actual consequences. Strategic, financial and reputational exposures are considered, as well as the more typical short term operational disruptions resulting in reduced productivity. Comparisons with previous years will be discussed and these show that some interesting trends are starting to emerge.

The discussion will then look at the lessons for business continuity practitioners; the way organizations try to keep track of their key suppliers’ business continuity capabilities; what works well and what still needs changing. We perhaps need to look at the need for senior management to understand and participate more fully in the supply chain selection and monitoring process.

The takeaway from this session will be the recommendations that can be used immediately to start identifying supply chain weaknesses and strengthen supply chain resiliency.

Lyndon, along with Nick Wildgoose of Zurich Insurance Services, will be discussing the issue of supply chain resilience within the 'Thought Leadership' stream at the BCM World Conference on Wednesday 6th November, starting at 15:20.

Implementing crisis decisions – turning desire into reality

Alan Elwood
Risk and Resilience Ltd

So far I have posted about the need to concentrate on ensuring your OODA Loop can operate faster than the emergency and talked about how to manage information and actions in a crisis. To complete this series of three blog posts I am going to look at how you can structure crisis decision making. Decision making in a crisis is not the same as in everyday circumstances so you will need access to different tools. Here are five things to consider:

Key Questions: Have a system to guide your decision making that analyses the situation but also allows you to use your experience and intuition. Think about the key set of questions you need to ask yourself and write them down in advance. These questions should help you (1) understand what is going on and the implications of that; (2) appreciate what needs to be done and why it needs to be done; (3) be clear on where your priority lies; and (4) identify, resource and co-ordinate tasks. Once you have this in place make its use is second nature - rehearse, rehearse, rehearse!

Getting Your Intention Across: Remember those completing a task may encounter unforeseen problems. Tell people why they need to complete each task so that if they encounter a difficulty they can adapt the task given to them and still achieve the intent.

Achieving a Focus: There will be lots going on so to avoid dissipation of effort, make it clear where the focus lies. Define what is critical for success and make sure everyone knows and is working towards that. It can help to define the end state - what will success look like?

Using Resources: Resources are scarce so use them wisely. Allocate resources to those tasks that are supporting your focus. Others will have to wait. Remember that not everything will go to plan so have spare capacity. Don’t allocate them all at once and know where you can get more resources.

Using Time Effectively: The one resource that can’t be regenerated is time. If you have to take decisions then think about those who will have to implement them. Leave them the time to do that. Work out how much time is available between starting the decision process and the resulting actions needing to take place. Then use one third of that time to take the decision and leave two thirds for everyone else.

Alan will be discussing this and the issue of incident management within the 'BC in Action' stream at the BCM World Conference on Wednesday 6th November, starting at 15:20.

Establishing ISO 22301 in Europe’s largest construction project

Katie Collison
Steelhenge

Crossrail is the biggest construction project currently in Europe and is one of the largest single infrastructure investments ever undertaken in the UK. It is a rail link that will run 118km from Maidenhead and Heathrow airport to the West of London, through new twin bore 21 km tunnels under central London to Shenfield and Abbey Wood, east of London. Crossrail will increase London’s rail based transport network capacity by 10% and bring an additional 1.5 million people to within 45 minutes of commuting time to London’s key business districts, supporting regeneration across the capital. It represents construction on a staggering scale.

Presently in the tunnel boring phase, Crossrail is managing a multiple worksite programme with construction works running concurrently across the entire route with:

• Over 10,000 people working on the project
• Over 35 million working hours completed on the project so far
• 40 construction sites

For the first train to roll in 2018, the schedule must be adhered to so the next stage of the programme, the stations fit out, can commence on time.

So where does ISO 22301 fit in and why is business continuity important to Crossrail? In part this question is answered by the statistics above. The Crossrail construction programme is being delivered at an astonishing pace with any delays to construction works on one site, big or small, having the potential to impact the time and budgetary constraints of the entire programme. As with any major construction project Crossrail recognises the inevitable risks. Health and safety is taken extremely seriously, and a zero harm target is promoted with an incident response philosophy of ‘prudent overreaction’.

In line with all of the work that has already been achieved by Crossrail in this area, a comprehensive business continuity management system (BCMS) to manage and minimise the impact of disruptions was both an identified gap and an obvious addition to the organisation’s resilience portfolio. The decision to establish a BCMS in line with ISO 22301 was driven by Crossrail’s desire to deliver a world class railway that genuinely improves standards within the construction industry and meets best practice in all areas.

The challenges and route to success

However, the rate at which the project is being delivered and the finite existence of Crossrail Ltd in its current form meant that any business continuity programme needed to be pragmatic, simple to update, and easy to maintain. Something which typically contradicts management system standards, but which is achievable under ISO 22301.

Steve Hails, Crossrail Health and Safety Director, and Katie Collison, Steelhenge Senior Manager; will be discussing this topic and the path to ISO22301 success within the ‘BC in Action’ stream at the BCM World Conference on Thursday 7th November, starting at 13.05.

Horizon Scanning

Colin Ive
CoDRIM

As new threats appear, it is easy for busy Business Continuity practioners to miss these with their heads so deeply burrowed into the challenges of organisations. Practitioners are already overloaded with work and, as we have seen in recent years, this is often due to cutbacks, to having an amalgamation of roles or simply by being directed to focus on achieving compliance with new standards and increasing demands from customers etc. Yet without an effective and externally focused ‘risk radar’ seeking out these threats on a permanent, efficient and effective basis, an organisation can find itself suddenly confronted with unwelcome surprises which could impact their business either directly or via a failing supply chain. Surprises which can severely damage their bottom line!

As is often the case, as well as a threat there is also an opportunity. In this case an opportunity for the Business Continuity practioner to build horizon scanning into an organisation so that it becomes simply part of ‘business as usual’. How? By promoting the importance of establishing a ‘risk radar’, particularly into the mind set of supply chain or procurement managers.

The recent disasters that have affected supply chains across the globe e.g. the Japanese earthquake with its subsequent tsunami followed by the huge floods in Thailand, must sound a wakeup call for all organisations not to simply rely upon luck, but to establish a ‘risk radar’ to spot possible threats. Not only this, but also to have systems in place to analyse their impact and what steps they would need to take to mitigate against them. The time for action is prior to or when a disaster occurs and not simply waiting to see what happens.

An organisation cannot be expected to monitor all suppliers so there is a need to focus efforts on key suppliers and key supply chains, so providing a manageable yet importantly relevant short list of suppliers.

In this issue and its resolution, there is a clear opportunity for different functions of the organization to work together in monitoring the radar. Certainly the supply chain or procurement functions should have a formal role, but I would argue that ALL staff, no matter what their role, should be encouraged to keep their eyes and ears open to potential threats. Sales staff may be aware of an important customer who is affected by a developing risk so should consider puting ahalt on orders. Engineers or designers within the R&D function often have good contacts with suppliers or potential suppliers before any purchasing takes place, so should be encouraged help the ‘radar’. HR staff can pick up on trends by monitoring advertisements for certain staff key to the organization who may be attracted to leave, a threat often too late to deal with once someone hands in their notice! Any one of these staff can pick up on information so should be encouraged to share it across the organisations silos. It's better to share than to say after the event "oh yes I heard about ‘X’ weeks ago".

The Business Continuity practioner can be the catalyst for pulling together and establishing the ‘risk radar’ but they cannot and must not be left on watch alone. Horizon scanning of suppliers, customers and external threats are a responsibility to be shared.

Colin will be discussing this issue further in his Practitioner Presentation at the BCM World Conference and Exhibition. The Practitioner Presentations are part of the seminar programme at the free exhibition.

Walk a mile in their shoes

David Tickner
Computrix Services

Whether a consultant or an internal business continuity planner, it’s never easy to get management to commit to a continuity program. Perhaps it’s the approach you take or that you find management a bit too bottom line focussed.

Where is the key to gaining corporate commitment for BC programs - the CEO’s office, the CFO or the Risk Manager? Perhaps it’s not even inside your organisation, there could be other options.

The most common fault in gaining corporate commitment for BC programs is to present the approach to management, rather than understanding that they have all business programs to consider, not just yours. Perhaps we all need to think more like management and not just as a BC consultant or planner.

'Walk a mile in their shoes' is the lead off session for the BCM lifecycle programme. It will inform and challenge you to think a little more laterally about gaining more effective corporate commitment to BC planning.

David will be discussing this and the issue of policy and programme management within the 'BCM Lifecycle' stream at the BCM World Conference on Wednesday 6th November, starting at 11:15.

Recovery Strategies

Ian Charters
Continuity Systems Ltd

It is a pity that the term ‘recovery strategy’ was ever coined. It gives the impression that an organisation has one high level recovery strategy which will provide a response to all BC issues and around which all recovery plans and procedures will be based. For example – “in the event a disruption the organisation will move priority staff to operate from its recovery centre at...” which is seen as a solution to all problems.

Instead the ‘recovery strategy’ of an organisation is likely to be a whole raft of measures put in place before an incident occurs that will, hopefully, give it some workable options for response when an incident occurs whatever the circumstances.

'Recovery strategy’ is also used to describe an approach to disruption management – such as subcontracting delivery, withdrawing the product or internal recovery. It can also be used to describe approaches within the organisation such as ensuring the delivery capacity is always available at more than one site – so it can easily be transferred.
 
Perhaps the term ‘recovery options’ is a better description ; a comprehensive set of recovery options needs to cover all the resources required to undertake activities. Therefore it is going to include measures to provide:

• Alternative staff: Through cross training and documentation
• Alternative premises: Making duplicate or standby locations available
• Alternative technology; Back-up IT facilities or alternative sources of equipment
• Alternative supplies: By sourcing from more than one supplier or maintaining stocks of materials

It may also include measures to reduce the damage an incident may cause such as insurance, salvage and a reputation management plan.

Lastly you could include in the recovery strategy portfolio a number of measures that are not about ‘recovery’ but may reduce the likelihood or impact of a disruption affecting the most urgent activities – such as scheduled maintenance, monitoring systems, generators etc.

Therefore when an incident occurs there may be a number of options available to manage the disruption and the choice of which depends on the circumstances. For example, if there is widespread flooding but your building is operational, do you want to relocate your business and staff elsewhere or stay put as this is less disruptive to your staff’s home lives – or do you do some of both? This clearly identifies the need for a tactical level response team who can identify the available options following the disruption and select the optimal one.

The main parameter that will identify what responses need to be available, and which will be used in the response, is time. Each product, each process and each activity should have a documented ‘Recovery Time Objective’ (RTO) set less than the Maximum Period of Disruption (point of no return) identified in the Business Impact Analysis. The RTO is set at the estimated optimum point that balances the damage that may be done before it is recovered (as this will increase with time), against the ongoing costs of maintaining the capability to achieve it (which usually decreases with time).

So recovery strategies are a complex ‘kit bag’ of possible responses – not a single strategy.  As such senior management as well as those involved at the tactical response level should be familiar with all the options. A manual describing these options and how they can be used should be written and be required reading. It can also prove a useful ‘sales’ document to show (redacted) to potential customers or insurers when they asked to see your ‘BC plan’ – as the individual recovery plans may mean very little without a context of the overall recovery strategy. It may well begin “If we experience an incident then this is what we do...”

Ian will be discussing this and the issue of design within the 'BCM Lifecycle' stream at the BCM World Conference on Thursday 7th November, starting at 10:35.

Are security and business continuity a good fit?

Daniel Dec
Cognizant Technology Solutions

The answer to that question is 'yes' - security and business continuity are a good fit and my reasons for this are based on observations and experiences over my career, along with some research evidence to support my position. My reasons can be summarised under five broad headings and these are:

Availability, core in security and BC
The definition of Information Security focuses on three main principles - confidentiality, integrity and availability. It is the availability part of this triad that illustrates the close relationship that BC has with security. Computerized information is only of value if it is available when needed. The concepts and objectives of BC support the availability of Information Security. In addition, there is more relevance as the need for high availability has increased which we will talk more about in a future section.

The bottom line is information is only useful and of value if it is available when needed, and having a well architected and tested DR/BC program supports this availability principle.

Typical organizational structure of the BC and security roles
More than two thirds of the companies that I have visited over the years have BC as one of the responsibilities of the person responsible for security. In addition, several studies by various IT related organizations support this fact. The value that many organizations gain because of the close relationship of BC and security is why this responsibility typically resides with the Information Security Officer.  Both security and BC rely on influencing others to perform tasks so this is another piece of evidence illustrating they are a good fit.

High availability – security – BC
The need for more systems to have low RTO/RPO, including having zero time, has increased over the years and so has the need for a full BC program.  This includes the technical mechanisms to protect of the security of the production and failover systems.

But those complex systems also require adequate security to ensure that unauthorized access including malicious activities does not adversely affect the ability of the use to process information as intended.

Need for security in BC data
Staying with the premise that information is only useful if accessible, information is also only useful if there is integrity behind it.  So strong security controls must be present around the backup/failover data and backup/failover systems.  One of the main documented reasons for failures in recovery testing is the lack of security around backup data/media resulting in lost or mislabelled information. This is critical during recovery and many a test has been stopped in their tracks because of the lack of security over the recovery data.

Inclusion of BC and security in various regulation and standards
Various regulations and standards have closely related their requirements to include controls surrounding BC and security.  For example, the HIPAA healthcare Security Rule has a safeguarding provision for having a Continuity Plan. From a risk perspective, ISO27002 along with the security of key company information also include having a contingency plan.

Daniel will be discussing this and the issue of resilience within the 'Thought Leadership' stream at the BCM World Conference on Thursday 7th November, starting at 13:05.

Can you afford not to embrace next generation business continuity

Kathleen Lucey

Montague Risk Management

 

The bleeding edge of our profession is now resiliency – not recovery, not continuity. But the most interesting part of this is the analysis of events as they occur: calculating the effects of these events and responding in new and different ways.

 

Coupled with detailed current information and analytics engines to help us to understand the impact of events on our markets, our competitors, and our operations, we are now beginning not just to respond faster and better, but to position ourselves to be able to manage improbable, adverse events – sometimes called 'black swans' – to our advantage. We are able to generate additional revenues and/or open new markets for existing products, rather than just minimizing event damages.

 

I don’t know about you, but I would like to move to the side of the organization that deals with revenue enhancement – marketing and new product development – and move away from compliance. There is more funding there to get the job done right!

Kathleen will be discussing this and the issue of resilience within the 'Thought Leadership' stream at the BCM World Conference on Thursday 7th November, starting at 10:35.

Building resilience in the provision of critical national infrastructure with ISO 22301

David Clarke
Telefónica UK

At Telefónica UK we are proud to be one of the first UK businesses to achieve the international ISO 22301 accreditation for business continuity management. We’ve always worked hard to ensure that all parts of our business are robust. Our business continuity provisions were accredited under the former British standard BS 25999, so the transition to ISO 22301 was a natural one for us.

Our COO and business continuity champion on the Board, Derek McManus, summed it up nicely when he said: “Achieving ISO 22301 accreditation demonstrates our commitment to providing a reliable, high quality service to our customers. It shows that we have the resources, investment and processes in place to protect ourselves from potential service disruption – minimising the impact on our customers.”

The acid test

Last year, in the run up to the Olympic Games, we got an opportunity that most businesses don’t – the chance to put our business continuity plans to the test.

We undertook a number of activities, and one of the most high profile involved asking 2,500 of our employees to work away from our Slough Head Office for one day. The goal was to try out our technology, our network and the way we work – for real, on a working day.

I’m glad to say that we passed the test. Everyone was able to do their normal work – with no impact on our customers.

The ISO 22301 accreditation and the results of our flexible working day both demonstrate that we really do understand business readiness and continuity, and that our customers can rely on us when the unexpected occurs.

David will be discussing this and the issue of standards within the 'Supply Chain Continuity' stream at the BCM World Conference on Thursday 7th November, starting at 13:05.

Implementing BCM through complexity

Thomas Puschnik
Zurich Financial Services

Leading a BCM framework in a complex and challenging operating environment is no easy task but one potential key to success is effective relationship management. There are at least two key components to achieving this.

First is in terms of the BCM workforce. Having a team identity or common purpose, a set of agreed goals and clear roles and responsibilities all help to form the basis of a good team. Going from 'good' to 'great' requires a focus and commitment to building strong trusted relationships and recognising there will be setbacks along the way. This requires strong leadership and the will to take time out to listen and get to know team members and to understand their needs and concerns. This is especially true in regions where languages and cultures differ significantly.

Second is in terms of establishing regular engagement with your key business partners. Knowing who your key stakeholders are i.e. those who have or should have a vested interest in BCM, is relatively straightforward but the challenge often comes in determining how best to engage with these people. Selling BCM as a shared goal and using different levers to do this is fundamental. It is important to answer the question "what’s in it for me?" so that both parties understand the benefits for freeing up time and budget to support the activities within the framework.

Building an effective BCM team and support network is a critical success factor for any BCM implementation - one cannot deliver without the other!

Thomas will be discussing this and the issue of rolling out a global BC programme within the 'BC in Action' stream at the BCM World Conference on Wednesday 6th November, starting at 11:15.

The return on investment of a BCM programme

Rainer Hübert
HiSolutions AG

When will the investment for a BCM programme pay off? Most people think that the only correct answer is when a damage scenario has taken place. Hopefully then an effective BCM programme will reduce an otherwise much more costly, or even possibly fatal financial impact to a bearable amount. Then, and only then, will the investment in BCM be paid off – just like insurance policy.

In our finance driven business world however, investment in BCM needs to be justified in financial terms, unless a BCM programme is forced upon an organization by its clients or by regulatory authorities.

While the cost of a BCM programme is widely known, many people will have no idea what the returns will be. During my presentation at the BCM World Conference, I will discuss what I believe are four sources of return for those investments that go some way to justifying a BCM programme.

Insurance premiums and interest rates are the most obvious candidates; however they are the least effective ones. One can reduce the business disruption insurance premium by reducing the time coverage of the business disruption pay out. At banks, it is possible to negotiate the interest rates with by providing additional information about a reduced credit default risk due to a working BCM programme.

More potential for a return of investment however stems from the lowering of process costs by improving process efficiency. When discussing contingency procedures and measures, the way the business operates is more closely scrutinised and so the opportunity is provided to generate ideas as to where efficiencies and savings can be made. These ideas may find their way into day to day operations of a company with the potential to improve the effectiveness or efficiency of business processes across the board.

The largest effect however will actually come from the new ISO 22301 standard. This standard will become instrumental to comply with purchase regulations of clients, especially the larger ones. More often than not, contingency planning will become a requirement of critical suppliers. In future, one may lose existing contracts or fail to win new tenders without a certified BCM programme. BCM will be fundamental to winning or sustaining these contracts.

BCM leaders often struggle with justification for investment in a BCM programme in general or individual BCM measures in particular. Especially when discussing with economists or business administrators, those working in the BC industry are regularly confronted with standard business case approaches to justify BCM, which require a detailed explanation of the return on investment. My talk offers a way to meet this demand and outlines in more detail an approach on how to calculate and demonstrate a return on investment of a BCM programme.

Rainer will be discussing this and the issue of measurement within the 'BC in Action' stream at the BCM World Conference on Wednesday 6th November, starting at 13:30.

Supply Chain Vulnerability: Resilience versus Interdependence

David Hawkins
Institute for Collaborative Working

Over the past three decades the sourcing programmes and supply chains have increased exponentially not simply in terms of commodities and products, but also in a wider variety of outsourcing and service propositions. These extended networks have now bridged the traditional boundaries between organisations and in doing so introduce a significant spectrum of risk to business continuity and reputation. At the same time the implications for both natural and manmade disasters highlights the interdependence of companies of all sizes and in all sectors. Reliance on these extended relationships to deliver business performance raises the prospect that resilience and business continuity is no longer simply an internal issue for companies and prompts consideration for a much greater awareness in the identification of risk, selection of suppliers and increased focus on collaborative working and the capability of third parties to jointly perform when necessary.

The last two decades of the 20th century saw major changes in the business world, perhaps more so than ever before. Pressures on costs, diminishing traditional markets, the explosion in information technology add complex influences on the potential success of business strategies. This is combined with perhaps the most crucial of all – the dramatic growth in globalisation. These trends continue into the 21st century and will likely remain key factors for the future. Over the same period we have witnessed major changes to weather patterns and their impacts, increased political unrest, escalation of cyber crime and fraud on unprecedented scales and networked terrorism introducing wide ranging threats. Not to mention the implications of financial interdependence as seen through the banking crisis and its impacts on sovereign currency stability and contagion.

Ensuring the resilience of the supply chain, whilst harnessing the benefits of greater external engagement means that management of sustainable arrangements and their inherent risks must be integrated into operating practices. Sourcing strategies now have to balance the more historical parameters of completion with a greater understanding of the associated risks. The extended supply chain has now become an integral aspect of many businesses, but perhaps less focus is being given to the potential of third party risk flash back. The impact of the Tsunami on Japan’s nuclear industry highlights the potential reverse domino effect, as did the backlash from Rana Plaza.

Clearly the key to supply chain resilience and for that matter business continuity is clarity of potential impacts and risks. Seeking to simply have visibility or contractual commitments around these issues is likely to leave some aspects to assumptions which are perhaps even bigger risks. Developing the right kind of collaborative relationship with suppliers not only will help to broaden the perspective of risk but in many cases will, through greater openness, likely bring about wider and more effective solutions. Not only increasing openness but also building trust and commitment to jointly work together when challenges arise.

David will be discussing this and the issue of supply chain resilience within the 'Thought Leadership' stream at the BCM World Conference on Wednesday 6th November, starting at 15:20.

Managing Information - Speeding Up Your OODA Loop

Alan Elwood
Risk and Resilience Ltd

In my last post I talked about the need to manage the process by which crisis decisions are taken and talked about the OODA Loop (read Decision Making Under Pressure – The OODA Loop). In this post I’m going to present some concepts around how you can speed up the time it takes you to complete the OODA Loop. If you can get your decision making processes to happen at a greater speed than that at which the crisis is unfolding then your decisions stand to be more effective. On top of that, making a larger number of quicker decisions, each one correcting the errors of the previous one, is likely to help you reach an optimum solution faster than if you wait for total clarity and try to take one right decision. So what to do?

CRIP: Establish and maintain a full understanding of the situation. This is sometimes referred to as the Common Recognised Information Picture (CRIP). It is built up of all available validated information. It is not a chronological list but a contextualised picture that can inform decisions. Date/time stamp it and keep it up to date, even when the decision makers are not meetings. Use information pull (gathering information in) and information push (people and organisations knowing instinctively to forward information) to achieve this.

Strategic Aims: Make sure the Crisis Management Team establish the strategic aims for the crisis early on. They may even be drafted in a plan for confirmation or adjustment on the day. These won’t change very often but they set the tone for the response, driving information management and response. If the top aim is ‘safety and staff welfare’ this will determine that things progress differently for any given situation than if it is say ‘corporate client entertainment events’. Sounds obvious and simple, but it is often overlooked.

Key Issues: Identify the key issues of the moment and when decisions have to be made by. Remember that people need time to carry out the actions that result from the decisions, so you have less time than you think. Key issues are those that arrive from looking at the CRIP through the lens of the strategic aims. They require management as they reflect the priorities that have been set. Use talented managers to select key issues and identify options prior to the CMT meeting up.

Manage Actions: Decisions need actions to make them a reality. Taking a decision is not the same as things happening. Have a process, team and resources to break decisions down into actions, allocate those actions and monitor performance. Update the CMT on progress so that they can adjust decisions accordingly.

In my final post in this series I will be looking at the reality of translating decisions into actions and all that this entails.

Decision Making Under Pressure – The OODA Loop

Alan Elwood

Risk and Resilience Ltd

This post relates to a presentation that I will give at the BCM World Conference on the 6 Nov 13 about Control Centre Design. It is one of three posts I will make before then and I hope it is of interest to you.

When United States Air Force pilot John Boyd studied the manner by which those engaged in combat took decisions in time to increase the chances of victory he developed the OODA Loop. From its origins in military doctrine the concepts around how to take decisions in time such that the actions they result in can be effective have made their way into business life. Being able to ensure that, in a crisis, an organisation is able to alter the speed at which it completes the OODA Loop can be the difference between success and failure. Ask yourself the question “Are the world’s governments able to take decisions that result in actions that are ahead of the pace at which problems in the world’s economy unfold?” It might be argued that they are not as their OODA Loop is too slow. So what is involved?

Observation: We need to be aware of what is going on around us in a crisis. That information will come from varied sources, many of which will lie outside of your organisation. Your view of the situational picture must reflect the reality of what is going on. If it does not your decisions will be ill informed and likely as not ineffective or simply too late.  

Orientation: Once a handle on the situation is achieved then its implications must be determined. Clearly you need to know that has happened, you should be clear on what is currently going on but the real trick is anticipating what might change and how that could impact you and others you rely on.  One way of doing this is to be clear on your strategic objectives for the crisis.

Making Decisions. Decisions must be taken in time to allow the actions they produce to be effective. To take decisions you need accurate and timely information, options to choose from and guidance on the time available to do so. You also need the right people.

Taking Actions. Decisions are really just expressed desires as to what should happen. Taking a decision is not the same as the actions it requires taking place. Decisions need to be translated into actions, allocated to teams and performance monitored. Feedback on progress influences our Observation aspect once more.

The nature of the crisis will determine how quickly you need to able to get round the OODA Loop. It is not the other way round!

You can read some more about this subject here. I will post the next blog on how to process information to achieve a suitable tempo of decision making soon.

Five things I learned from this year's Executive Forum...

Lyndon Bird FBCI

Leadership in Resilience was the theme of this year's well-attended Executive Forum and the whole programme was set up to ensure a lively debate around resilience and how BC professionals can take the initiative and lead on this hot issue.   These two-days in Brussels made real progress in clearing the fog and providing some specific examples of where BC professionals can make a difference.  For me the five key learning points were:

1. The growth of the term Resilience in job titles is much more widespread than I had expected. In some cases BC Manager has been changed to Head of Business Resilience without any change of responsibilities. This change is not universally popular among those with the new title because "business continuity" is a strong, meaningful "internal brand" whereas "business resilience" is non-specific and aspirational.

2. Most BC professionals felt there was little or no difference between supply chain continuity or service chain continuity. The only problem is when the criteria for buying an easily specified physical item is applied to buying complex services. The main failure is when procurement professionals do not fully understand the risk associated with any interruption to the service they are acquiring.

3. The new threats that put a business at risk are too complex for one single discipline to "own". For example cyber threats are as varied and as nuanced (both in likelihood and impact) as the physical threats we face - so they cannot just be an IT or Information Security issue. However, they cannot be just a BCM issue either. Risk, Security and BCM must work together, which perhaps is really how resilience needs to be defined in the future.

4. Horizon scanning is now definitely on the BC professionals' agenda. Not necessarily "futurology" yet  - but certainly the mid term assessment of trends and what might threaten business sustainability in the next decade or two.

5. There is a reluctance to consider functional integration as an effective means of breaking down silos. Integration fails to recognise the different purposes of different disciplines and although BCM might logically fit into an overarching risk framework, it has closer practical overlap with security than with conventional risk management or compliance. Collaborative working more than integration seems to be the preferred way forward.

If you missed this year's Executive Forum - I'd certainly recommend you buy a copy of the report when it's available and sign-up for next year's Forum.  It is a rather unique opportunity for senior experienced professionals to think strategically and look ahead.



The BCI - Winners of the BCI Middle East Awards 2013 are announced

The BCI - Winners of the BCI Middle East Awards 2013 are announced

Business Continuity relationship with other activities

BC shares common goals and objectives with other management activities. When

John Bartlett CBCI, DBCI

implemented correctly and with maturity, BC can provide significant benefit through the sharing of key information and the prioritisation of activities.

The Business Continuity Institute (BCI), a recognised world leader in setting and communication best practices for BC, states that an organisation’s vulnerabilities in its business and operating model can be categorised into seven areas: Reputation, Supply Chain, Information and Communication, Sites and Facilities, People, Finance and Customers. It can also be argued that the categories of Technology and Processes should also be included in this list. Anything that can affect one or more of these categories can potentially disrupt the organisation and therefore should be reviewed and/or considered by the organisations BC.

That does not mean that the BC function should manage areas that could introduce a vulnerability under these categories, but it does mean that BC should perform a Quality Assurance and Governance role to ensure activities that could introduce vulnerabilities are being performed correctly, diligently and with the necessary controls. This will ensure BC remains a pro-active measure within the organisation as well as a reactive one. 

Looking at these vulnerabilities in a more depth allows us to build an understanding of their relationship with BC, and therefore some of the considerations required when conducting a BC risk assessment as well as performing the on-going BC management:

Reputation & Customers

Any activities that are customer facing (such as product or service quality and reliability, help desk, websites, branches, sales people, reception desks) could impact the customers perception of the organisation and therefore the organisations reputation and possibly result in negative publicity which would require management attention and could lead to more wide scale impact and disruption.

Supply Chain

Selection and management of suppliers is an important quality criteria, get it wrong and you place your organisation in jeopardy. Therefore due diligence of suppliers and confidence in their ability to deliver reliable, quality services and have their own risk management and BC in place (for continuance of services to you in the event of an incident is critical). Being able to monitor and measure supplier performance (quality and reliability) and ensure controls are in place will help identify issues early and enable proactive management before an incident becomes a crisis. This may require specific contractual clauses in supplier agreements. For BC, spreading key supplies across suppliers and identifying alternative suppliers will also help manage the risks.

Information and Communication

Ensuring that key information is identified (e.g. during the BIA) and has the necessary controls for safe and secure storage and retrieval, along with preservation will help ensure the information can be available if something goes wrong.

Communication is vital in today’s world of technology, maintaining contact details for key suppliers and staff, and maintaining contact even following disruption is critical. Problems often occur with communication links, so controls should be in place to protect them and alternative links or methods of communication which can be relied upon in the event of an incident should be in place (e.g. email, SMS, GSM, fixed line, data links, satellite links/phones).

Sites and Facilities

Building and site facilities are essential for the smooth running of organisations and numerous resilience options are available from UPS systems and backup generators to spreading occupation over multiple sites. However, the right controls should also be in place to manage and maintain the sites, conducting risk assessments before maintenance work is carried out, notifying stakeholders and ensuring that only authorised or appropriate people conduct work or have access to facilities. It should not be forgotten that BC recovery facilities require the same level of maintenance and control as primary sites.

People

People are sometimes referred to as the ‘life blood’ of organisations therefore it is important to develop resilience and protection for them. This should include implementing Health and Safety (HSSE) to protect their wellbeing, providing suitable training to remove single points of failure (knowledge), improve staff morale & job satisfaction to reduce staff turnover rates, ensure BC requirements are included in job responsibilities and performance measurement. Assessing these is all part of the BC risk assessment as they could contribute to significant risks in the organisation.

Finance

Financial due diligence of suppliers as a control helps protect the organisation. But BC also requires budget, without the right budget facility BC can itself become a risk to the organisation as information and facilities may not be available or maintained as required and therefore not available when needed following a disruption. Also, the information from the BIA should help prioritise expenditure on risk reduction and resilience for critical activities and facilities to help protect the organisation from disruptions.

Technology

Ensuring controls and resilience over technology and infrastructure is paramount in protecting an organisation and developing resilience. This should include regular backups of systems, maintaining IT DR systems in-line with primary systems, include BC and DR assessments in projects and changes, ensuring security and access controls are in place to provide protection, controlling and managing the desktop environment at normal and Business recovery locations, and ensuring focus on the critical systems identified during the BIA and CRA.

Processes

A breakdown in a process often results in a disruption to the organisation. Therefore processes should be designed with controls in place and wherever possible alternative methods for conducting an activity. All these should be documented with procedures to ensure consistency and enforce controls, and maintained.

All of the above should be regularly monitored by the BC function to ensure the controls are in place, being managed and being maintained as they should be. The BC function should have the confidence that this is happening and the capability of escalating any problems if they are not.

BC cannot be implemented and managed in isolation. It holds critical information (from the BIA, RA and CRA) on the organisation, its critical activities, systems, information and suppliers. This should be shared with other management activities such as Enterprise Risk Management (ERM), IT, procurement and Quality Assurance, helping to focus controls, ensure prioritisation on expenditure, projects, etc. and enhance risk reporting. Thereby helping to manage risk more effectively and ensure informed risk-based decisions are made, reducing the likelihood of disruption and level of impact if it does occur. This is the proactive nature of BC and where it will truly add value to any organisation.