Identifying your organization's business continuity requirements

Kuniyuki Tashiro
InterRisk Research Institute and Consulting

When I started to learn about business continuity management 10 years ago when I worked for a manufacturing company, one of my biggest questions was how to perform a business impact analysis (BIA) in our company. I could not find enough information to improve my understanding of the methodology behind BIA at that time. Nowadays we can access a lot of information about BCM through many books, standards, guidelines, seminars, or websites. But despite the situation getting better, many people still say that BIA methodology is unclear.

I think that one of the biggest reasons is that there are various methods used for BIA at different levels or for different purposes. Furthermore, the methods should be customized for each organization and developed with an understanding of the organization's context.

However, the latest version of the Good Practice Guidelines (GPG) has great potential to help deepen our understanding of BIA because the explanation of what it involves has been substantially expanded. In the 'Analysis' section of the guidelines, the methodology for BIA is explained with four different stages - Initial BIA / Strategic BIA / Tactical BIA / Operational BIA. This does not mean you have to divide your BIA process into four stages, but that understanding the four stages of BIA with each outcome would be a strong starting point for planning BIA in your organization, and customizing/developing BIA methodology. The guidelines also provide a practical knowledge for risk assessment in BCM by discussing the benefit of a 'Threat Analysis' to identify unacceptable concentration of risk or single points of failure.

In my session - 'Analysis' on the first day of the conference - I will discuss how to apply the methodologies described in GPG to the organization by using case studies so that attendees can obtain a practical knowledge.

Kuniyuki will be discussing this within the 'BCM Lifecycle' stream at the BCM World Conference on Wednesday 6th November, starting at 15:20.

Cyber threat opportunity

Ken Simpson
The VR Group

Only a week to go until the BCM World Conference!

What if we took a different approach to our reflective learning this time?

Instead of waiting until after the conference to reflect and integrate what we have learned, what if we took a proactive approach and spent some time ahead of the conference reflecting on what aspects of our current practice we need to change.

What if that reflection also included reframing the problem – not just how can I fine tune my practices within current frameworks and constraints, but how would I want to transform my practice going forward and remove some of those constraints.

To achieve that outcome perhaps we may take a different mindset into the conference.
If we can try that exercise in critical reflection and recalibrate our mindsets, then perhaps new, or at least different, learning could emerge from the way we interact with the ideas presented and with other conference delegates.

That is the core of what my session at the conference is about, thinking differently about a problem and the way we practice our craft. I hope to encourage discussion around emerging threats and how we might use these to improve our engagement with Executives and the wider organization.

Specifically the session will present my experiences of using cyber-attacks as the focus for Executive exercises and engagement. Cyber is used as an example, and as a metaphor for emerging threats/risks, not as a vehicle to talk about a lot of IT technical stuff. Come and hear how (and why) Executives are more engaged when we use confidentiality and integrity as the disruption risk - rather than the more common approach of using availability.

As befits a 'holistic management discipline' the discussions will most likely touch on a number of issues also discussed in other sessions including:

• the critical nature of cross discipline engagement,
• thinking more like management,
• taking  a strategic rather than compliance approach, and
• the concept of resilience

 

Some pre-reading on Mindset:

 

http://blogs.hbr.org/2013/09/the-right-innovation-mindset-can-take-you-from-idea-to-impact/

 

http://mindsetonline.com/whatisit/about/index.html

 

http://www.tree4health.org/distancelearning/sites/www.tree4health.org.distancelearning/files/readings/The%20Five%20Minds%20of%20a%20Manager_0.pdf

 

Ken will be discussing this and the issue of influencing key decision makers within the 'Thought Leadership' stream at the BCM World Conference on Thursday 7th November, starting at 14:50.

Crossing boundaries

John Robinson
INONI

Our BCM World Conference presentation is an illustration of how BCM can pleasantly surprise business leaders with the value it brings. Our case study will be about Reed and MacKay, a £200M turnover top-end executive travel firm located in Farringdon close to the heart of London’s legal, media and financial district. This is a multi-faceted, time-pressured and highly successful business and illustrates perfectly the importance of accurate and decisive BIA. The following explains why I believe they found it so valuable, noting that Reed and Mackay subsequently gained accreditation to ISO 22301 at the first attempt.

On the heels of recession, R&M’s 2012 budget for BCM was tight, so this was by necessity Business Impact Analysis (BIA) in a hurry, allowing just six days to complete. Head of GRC Suzanne Elmore and I booked the ‘goldfish bowl’ office for an initial two days’ intensive research, compiling all the information we needed, hauling in knowledgeable others wherever and whenever we couldn’t find the answers ourselves. It was intense, coffee fuelled work, but for the business we were conspicuous by our absence - no long haul activity, no hit-and-miss scheduling of meetings and consequently no interruption. From their standpoint, the BIA was building itself painlessly; from ours it was systematically providing a detailed and accurate view of the business, marketplace and supply chain.

By the end of day two we had a large and colourful layered map and a steady stream of visitors poking their heads round the door just to see what the pictures actually meant. One was the CEO. His initial reaction was ‘what on earth is that?!’ After a brief explanation, he got it… and asked us to deliver a presentation of the map to the extended management team – for a full day. He realised our technique would let him pinpoint the organisation context and that this would allow executives to think outside their areas for both BCM and normal business.

We delivered to a room of around 15 C-level execs and managers, testing and refining the picture using scenarios. Engagement was total and by 4pm everyone understood the effect of disruption, risks and priorities, dependencies, strengths and weaknesses. Our approach reduced the effects of personality and gave individual execs ownership of the outcome. We authored the formal BIA document based on the high grade information we took from the workshop, requiring the bare minimum review before release and allowing us to complete on time.

Finally, on completing the workshop, we were approached and thanked by the Commercial Director who saw the exercise as exemplary PR for the firm and who now uses their accreditation to emphasise R&M’s superior service to clients.

The message to you from me is this: we know that BIA is the foundation for effective BCM, setting out the organisation’s context for managing this important aspect of business risk. It can seem daunting the first time, trying to see a way through that is efficient and cost effective, and which is accurate and capable of being totally embraced by senior management. We achieved exactly that and gained accreditation on the back of it, with total management support. Please attend our presentation if you’d like to know more about how we did it. We’ll be pleased to see you and answer your questions.

John, along with R&M's Suzanne Elmore, will be discussing the issue of crossing boundaries during his Practitioner Presentation at the BCM World Conference. This will be part of the free seminar programme within the exhibition.

Managing supply chain continuity

David Window
Continuity 22301 Ltd

As a member of three institutes - Institute of Risk Management, Business Continuity Institute and the Chartered Institute of Purchasing and Supply - I hope to explain why as business continuity professionals, we struggle to engage with my alter ego - the procurement professional.

Over the last two years I have been debating this topic with a colleague who is an accomplished procurement professional and we have challenged each other considerably in our efforts to justify the question, “why bother doing business continuity in supply chain”. We have also interviewed other procurement professionals to gauge our opinions against theirs.

The short answer we believe is that procurement professionals, especially those who use category management techniques, are incentivised to make savings. Resilience comes at a cost and this cost erodes savings.

Yet how many times during the period of a contract do businesses suffer minor disruptions, delays to a service or product delivery, how much additional cost do they incur which is not captured and quantified but still erodes the original savings?

Category Managers deal with strategic sourcing and that very name should ring alarm bells with business continuity professionals. When they are sourcing goods and services of strategic importance, potentially time critical, urgent goods and services, which the business depends upon, then they need to consider business continuity for continuity of supply.

So the business continuity professional encourages them to seek assurances on their supplier’s business continuity preparedness. The hard part is convincing them of the value of doing so for a future event that they can’t perceive of. This is because their minds naturally move into the area of probability. How often do we, as business continuity professionals, hear the words “what are the chances of that happening?”

Whatever your opinion is of risk management and the concept of estimating probability, I would suggest that it is a natural instinctive thought process that we as humans undertake daily even as we cross a busy road; we evaluate the risks and the probabilities.

So as business continuity professionals we need to speak the language of risk too and we need to understand the concepts of total cost of ownership and the drivers for procurement professionals, before we stand a chance of successfully engaging with them.

Consider that there may be something called the risk assessed total cost of ownership, whereby through modelling your supply chain you can assess the inherent risks within it before entering into a contract. Suppose through that analysis you can understand when it is appropriate to use risk mitigation strategy and when to use business continuity strategy and tactics cost effectively.

Now suppose that you could do that in a way that enthuses procurement professionals and top management alike by offering a potential estimate of quantifiable impacts caused by any minor or major supply chain failure.

If, as a result of this analysis, procurement professionals made more informed decisions when strategic sourcing, having an insight into the inherent risks and knowing when to incur costs on risk mitigation strategies, continuity strategies and tactics. Does that sound better than simply asking for a tick box questionnaire to prequalify your potential strategic partners who deliver time critical goods and services to your business?

The Good Practice Guidelines 2013 advocate both multiple suppliers and buffer stocks, but these carry a cost in the eyes of the procurement manager. Where these alternative suppliers are based and where you hold that contingency stock falls more into a risk assessment model, knowing your supplier is in a geopolitical area that carries a risk of a supply disruption may be sufficient for you to source elsewhere.

A risk assessed approach to establishing the total cost of ownership by procurement professionals may lead to exposing known risks and therefore require an amendment to the sourcing strategy. In circumstances where you discover that the options for supply are limited by a variety of imperatives such as cost, location, availability or uniqueness, a risk mitigation strategy may have limited benefit for these supply lines so you must delve deeper into your supplier’s resilience. Most importantly you must understand the costs involved.

As with all things business continuity, it is those business elements that are time critical or urgent, and therefore within the scope of business continuity, that need to be given scrutiny, not all your supply chains.

It is important to justify the need for business continuity to procurement professionals and to top management, by talking their language, commercial drivers, and cost of impacts for time critical supply chains need to be part of the assessment prior to committing a business in a purchase contract.

Finally, ask yourselves the following questions, is it sufficient and productive to ask suppliers to complete questionnaires when you prequalify them in order to be a part of a competitive tender? Does this add value to your procurement process? If you ask for a copy of their plans are you really competent to assess its efficacy? I would suggest the answers to all of these questions is no.

David, along with Brian Leigh of QiPS Consulting Ltd, will be discussing this issue further in his Practitioner Presentation at the BCM World Conference and Exhibition. The Practitioner Presentations are part of the seminar programme at the free exhibition.

The road to fire safety resilience

Russ Timpson
Horizonscan

The key messages when it comes to fire safety resilience are that:

• Prescriptive approaches to fire risk mitigation are reactive, cumbersome and commercially irrelevant
• Fire risk ownership will only be achieved through linkage to business imperatives such as resilience, supply chain integrity and insurance
• Tools and techniques do exist to assist those tasked with risk ownership to understand the scope and scale of the risks involved

The next step within the risk management community is to migrate from essentially a legislation based compliance and reactive role with regard to fire, to one of adding value to any given undertaking by embracing the principles of resilience.

Resilience has been defined as ‘the ability of an organization to absorb, respond and recover from disruptions’ (Business Continuity Institute). In relative terms the ‘bar’ for fire risk mitigation in a prescriptive regime must be set very low in order to allow for generic application. Whereas, if the imperative for resilience is applied and linked to commercial priorities such as insurance and supply chain integrity, the requirement must be higher and more relevant.

My presentation at the BCM World Conference will seek to explore the historic model for fire risk mitigation; code compliance and enforcement. This will include an analysis of the relative merits and drawbacks of this approach with commentary. An overview of the current movement towards ‘fire risk assessment’ and risk ownership by employers and building owners in the UK will also be discussed with recent case studies. I will also describe the commercial approach to fire risk mitigation and give insight to the role of insurance underwriters and potential loss calculations.

This has been successfully achieved by employing a derivation of the ‘HAZOP’ (Hazard and Operability Study) from the process industries such as petrochemical and pharmaceutical. The output from this assessment is a fire risk ‘contour’ map of a given building combined with a ‘criticality index’ for given areas, plant and systems.

We need to challenge existing thinking in the risk management community, to promote closer understanding of the commercial environment. With ever increasing fiscal pressures on tax funded fire safety enforcement agencies, there must be informed thinking on engagement with building and business owners.

“You can lead a horse to water, but you cannot make it drink” – however, you can put a lot of salt in its foodbag.

Russ will be discussing the issue of fire safety resilience during his Practitioner Presentation at the BCM World Conference. This will be part of the free seminar programme within the exhibition.

Drivers for the employment of BCI members in large UK companies

Patrick Roberts
Cambridge Risk Solutions

Ever since becoming involved in the profession, nearly ten years ago, I have been constantly intrigued by the attitude of different organisations towards business continuity. Simplistically, I began by assuming that large well known companies, with both assets and reputation to protect would be universally receptive to the idea of BCM, but (painful) experience has taught me that this is not the case. Equally, since starting our own BCM consultancy in the east of England, we have been surprised by the number of very small organisations that have asked us for assistance, organisations that we would never have considered approaching as potential clients. The same surprising pattern is borne out if you look at the firms which are certified to BS 2599, and are now certifying to ISO 22301. It is a curious mixture of large household names and much smaller firms.

My presentation at the BCI World Conference and Exhibition is based on PhD research conducted at Nottingham University Business School, and attempts to understand these differing attitudes towards BCM in a more formal way. The starting point of the study is the observation, based on data provided by the BCI in 2011, that only 70 firms in the FTSE 350 actually employed a member of the BCI at that time. The research then goes on to explore the relationship between various observable characteristics of these large publicly quoted companies and the likelihood of them employing BCI members. A broad range of possible drivers are identified from reviewing previous work on risk management and from specific consideration of the aims and objectives of BCM.

The main finding is that, at least within these large UK companies, the employment of BCI members appears to be primarily driven by the expectations and demands of external stakeholders such as lenders and regulators. I’m not sure how much this insight helps me in targeting our marketing efforts more effectively, but it has certainly helped to make sense of some of the patterns that we have observed over the years and I look forward to sharing more insights with you in November.

Patrick will be discussing this issue further in his Practitioner Presentation at the BCM World Conference and Exhibition. The Practitioner Presentations are part of the seminar programme at the free exhibition.

Supply chain resilience

Lyndon Bird
Business Continuity Institute

In 2009 The Business Continuity Institute decided that more research was needed into the level of business disruption being caused by supply chain problems. The challenge we set ourselves was to provide data to help organizations develop and enhance resiliency within their supply chains. This work was done with the strong support of Zurich Insurance Services and in collaboration with the Chartered Institute of Purchasing and Supply.

Since then, this has become a regular annual survey and its findings have become increasingly influential to the business continuity, purchasing and supply and insurance communities. At BCM World 2013, the findings from the most recent survey will be announced and I will be leading a discussion on these alongside Nick Wildgoose of Zurich Insurance Services.

This is the first release of data from 2013 survey and those attending the session will be given a printed copy of the full report. Although the methodology used in 2013 was consistent with previous years, some additional questions were added.

One issue looked at in 2013 in some detail was the extent to which non-physical events in the supply chain were causing disruption. These are seen as those events where supply itself is unaffected in the short term but could cause potential long term damage to reputation or even business viability. Another new question in 2013 looked to understand the extent to which supply chain failures were generating negative and positive social media discussions.

The presentation will look at the key findings that emerged from the report relating to supply chain vulnerability and what organizations are doing about it. The causes of disruption are identified, together with their relative frequency of occurrence and the actual consequences. Strategic, financial and reputational exposures are considered, as well as the more typical short term operational disruptions resulting in reduced productivity. Comparisons with previous years will be discussed and these show that some interesting trends are starting to emerge.

The discussion will then look at the lessons for business continuity practitioners; the way organizations try to keep track of their key suppliers’ business continuity capabilities; what works well and what still needs changing. We perhaps need to look at the need for senior management to understand and participate more fully in the supply chain selection and monitoring process.

The takeaway from this session will be the recommendations that can be used immediately to start identifying supply chain weaknesses and strengthen supply chain resiliency.

Lyndon, along with Nick Wildgoose of Zurich Insurance Services, will be discussing the issue of supply chain resilience within the 'Thought Leadership' stream at the BCM World Conference on Wednesday 6th November, starting at 15:20.

Implementing crisis decisions – turning desire into reality

Alan Elwood
Risk and Resilience Ltd

So far I have posted about the need to concentrate on ensuring your OODA Loop can operate faster than the emergency and talked about how to manage information and actions in a crisis. To complete this series of three blog posts I am going to look at how you can structure crisis decision making. Decision making in a crisis is not the same as in everyday circumstances so you will need access to different tools. Here are five things to consider:

Key Questions: Have a system to guide your decision making that analyses the situation but also allows you to use your experience and intuition. Think about the key set of questions you need to ask yourself and write them down in advance. These questions should help you (1) understand what is going on and the implications of that; (2) appreciate what needs to be done and why it needs to be done; (3) be clear on where your priority lies; and (4) identify, resource and co-ordinate tasks. Once you have this in place make its use is second nature - rehearse, rehearse, rehearse!

Getting Your Intention Across: Remember those completing a task may encounter unforeseen problems. Tell people why they need to complete each task so that if they encounter a difficulty they can adapt the task given to them and still achieve the intent.

Achieving a Focus: There will be lots going on so to avoid dissipation of effort, make it clear where the focus lies. Define what is critical for success and make sure everyone knows and is working towards that. It can help to define the end state - what will success look like?

Using Resources: Resources are scarce so use them wisely. Allocate resources to those tasks that are supporting your focus. Others will have to wait. Remember that not everything will go to plan so have spare capacity. Don’t allocate them all at once and know where you can get more resources.

Using Time Effectively: The one resource that can’t be regenerated is time. If you have to take decisions then think about those who will have to implement them. Leave them the time to do that. Work out how much time is available between starting the decision process and the resulting actions needing to take place. Then use one third of that time to take the decision and leave two thirds for everyone else.

Alan will be discussing this and the issue of incident management within the 'BC in Action' stream at the BCM World Conference on Wednesday 6th November, starting at 15:20.

Establishing ISO 22301 in Europe’s largest construction project

Katie Collison
Steelhenge

Crossrail is the biggest construction project currently in Europe and is one of the largest single infrastructure investments ever undertaken in the UK. It is a rail link that will run 118km from Maidenhead and Heathrow airport to the West of London, through new twin bore 21 km tunnels under central London to Shenfield and Abbey Wood, east of London. Crossrail will increase London’s rail based transport network capacity by 10% and bring an additional 1.5 million people to within 45 minutes of commuting time to London’s key business districts, supporting regeneration across the capital. It represents construction on a staggering scale.

Presently in the tunnel boring phase, Crossrail is managing a multiple worksite programme with construction works running concurrently across the entire route with:

• Over 10,000 people working on the project
• Over 35 million working hours completed on the project so far
• 40 construction sites

For the first train to roll in 2018, the schedule must be adhered to so the next stage of the programme, the stations fit out, can commence on time.

So where does ISO 22301 fit in and why is business continuity important to Crossrail? In part this question is answered by the statistics above. The Crossrail construction programme is being delivered at an astonishing pace with any delays to construction works on one site, big or small, having the potential to impact the time and budgetary constraints of the entire programme. As with any major construction project Crossrail recognises the inevitable risks. Health and safety is taken extremely seriously, and a zero harm target is promoted with an incident response philosophy of ‘prudent overreaction’.

In line with all of the work that has already been achieved by Crossrail in this area, a comprehensive business continuity management system (BCMS) to manage and minimise the impact of disruptions was both an identified gap and an obvious addition to the organisation’s resilience portfolio. The decision to establish a BCMS in line with ISO 22301 was driven by Crossrail’s desire to deliver a world class railway that genuinely improves standards within the construction industry and meets best practice in all areas.

The challenges and route to success

However, the rate at which the project is being delivered and the finite existence of Crossrail Ltd in its current form meant that any business continuity programme needed to be pragmatic, simple to update, and easy to maintain. Something which typically contradicts management system standards, but which is achievable under ISO 22301.

Steve Hails, Crossrail Health and Safety Director, and Katie Collison, Steelhenge Senior Manager; will be discussing this topic and the path to ISO22301 success within the ‘BC in Action’ stream at the BCM World Conference on Thursday 7th November, starting at 13.05.

Horizon Scanning

Colin Ive
CoDRIM

As new threats appear, it is easy for busy Business Continuity practioners to miss these with their heads so deeply burrowed into the challenges of organisations. Practitioners are already overloaded with work and, as we have seen in recent years, this is often due to cutbacks, to having an amalgamation of roles or simply by being directed to focus on achieving compliance with new standards and increasing demands from customers etc. Yet without an effective and externally focused ‘risk radar’ seeking out these threats on a permanent, efficient and effective basis, an organisation can find itself suddenly confronted with unwelcome surprises which could impact their business either directly or via a failing supply chain. Surprises which can severely damage their bottom line!

As is often the case, as well as a threat there is also an opportunity. In this case an opportunity for the Business Continuity practioner to build horizon scanning into an organisation so that it becomes simply part of ‘business as usual’. How? By promoting the importance of establishing a ‘risk radar’, particularly into the mind set of supply chain or procurement managers.

The recent disasters that have affected supply chains across the globe e.g. the Japanese earthquake with its subsequent tsunami followed by the huge floods in Thailand, must sound a wakeup call for all organisations not to simply rely upon luck, but to establish a ‘risk radar’ to spot possible threats. Not only this, but also to have systems in place to analyse their impact and what steps they would need to take to mitigate against them. The time for action is prior to or when a disaster occurs and not simply waiting to see what happens.

An organisation cannot be expected to monitor all suppliers so there is a need to focus efforts on key suppliers and key supply chains, so providing a manageable yet importantly relevant short list of suppliers.

In this issue and its resolution, there is a clear opportunity for different functions of the organization to work together in monitoring the radar. Certainly the supply chain or procurement functions should have a formal role, but I would argue that ALL staff, no matter what their role, should be encouraged to keep their eyes and ears open to potential threats. Sales staff may be aware of an important customer who is affected by a developing risk so should consider puting ahalt on orders. Engineers or designers within the R&D function often have good contacts with suppliers or potential suppliers before any purchasing takes place, so should be encouraged help the ‘radar’. HR staff can pick up on trends by monitoring advertisements for certain staff key to the organization who may be attracted to leave, a threat often too late to deal with once someone hands in their notice! Any one of these staff can pick up on information so should be encouraged to share it across the organisations silos. It's better to share than to say after the event "oh yes I heard about ‘X’ weeks ago".

The Business Continuity practioner can be the catalyst for pulling together and establishing the ‘risk radar’ but they cannot and must not be left on watch alone. Horizon scanning of suppliers, customers and external threats are a responsibility to be shared.

Colin will be discussing this issue further in his Practitioner Presentation at the BCM World Conference and Exhibition. The Practitioner Presentations are part of the seminar programme at the free exhibition.

Walk a mile in their shoes

David Tickner
Computrix Services

Whether a consultant or an internal business continuity planner, it’s never easy to get management to commit to a continuity program. Perhaps it’s the approach you take or that you find management a bit too bottom line focussed.

Where is the key to gaining corporate commitment for BC programs - the CEO’s office, the CFO or the Risk Manager? Perhaps it’s not even inside your organisation, there could be other options.

The most common fault in gaining corporate commitment for BC programs is to present the approach to management, rather than understanding that they have all business programs to consider, not just yours. Perhaps we all need to think more like management and not just as a BC consultant or planner.

'Walk a mile in their shoes' is the lead off session for the BCM lifecycle programme. It will inform and challenge you to think a little more laterally about gaining more effective corporate commitment to BC planning.

David will be discussing this and the issue of policy and programme management within the 'BCM Lifecycle' stream at the BCM World Conference on Wednesday 6th November, starting at 11:15.

Recovery Strategies

Ian Charters
Continuity Systems Ltd

It is a pity that the term ‘recovery strategy’ was ever coined. It gives the impression that an organisation has one high level recovery strategy which will provide a response to all BC issues and around which all recovery plans and procedures will be based. For example – “in the event a disruption the organisation will move priority staff to operate from its recovery centre at...” which is seen as a solution to all problems.

Instead the ‘recovery strategy’ of an organisation is likely to be a whole raft of measures put in place before an incident occurs that will, hopefully, give it some workable options for response when an incident occurs whatever the circumstances.

'Recovery strategy’ is also used to describe an approach to disruption management – such as subcontracting delivery, withdrawing the product or internal recovery. It can also be used to describe approaches within the organisation such as ensuring the delivery capacity is always available at more than one site – so it can easily be transferred.
 
Perhaps the term ‘recovery options’ is a better description ; a comprehensive set of recovery options needs to cover all the resources required to undertake activities. Therefore it is going to include measures to provide:

• Alternative staff: Through cross training and documentation
• Alternative premises: Making duplicate or standby locations available
• Alternative technology; Back-up IT facilities or alternative sources of equipment
• Alternative supplies: By sourcing from more than one supplier or maintaining stocks of materials

It may also include measures to reduce the damage an incident may cause such as insurance, salvage and a reputation management plan.

Lastly you could include in the recovery strategy portfolio a number of measures that are not about ‘recovery’ but may reduce the likelihood or impact of a disruption affecting the most urgent activities – such as scheduled maintenance, monitoring systems, generators etc.

Therefore when an incident occurs there may be a number of options available to manage the disruption and the choice of which depends on the circumstances. For example, if there is widespread flooding but your building is operational, do you want to relocate your business and staff elsewhere or stay put as this is less disruptive to your staff’s home lives – or do you do some of both? This clearly identifies the need for a tactical level response team who can identify the available options following the disruption and select the optimal one.

The main parameter that will identify what responses need to be available, and which will be used in the response, is time. Each product, each process and each activity should have a documented ‘Recovery Time Objective’ (RTO) set less than the Maximum Period of Disruption (point of no return) identified in the Business Impact Analysis. The RTO is set at the estimated optimum point that balances the damage that may be done before it is recovered (as this will increase with time), against the ongoing costs of maintaining the capability to achieve it (which usually decreases with time).

So recovery strategies are a complex ‘kit bag’ of possible responses – not a single strategy.  As such senior management as well as those involved at the tactical response level should be familiar with all the options. A manual describing these options and how they can be used should be written and be required reading. It can also prove a useful ‘sales’ document to show (redacted) to potential customers or insurers when they asked to see your ‘BC plan’ – as the individual recovery plans may mean very little without a context of the overall recovery strategy. It may well begin “If we experience an incident then this is what we do...”

Ian will be discussing this and the issue of design within the 'BCM Lifecycle' stream at the BCM World Conference on Thursday 7th November, starting at 10:35.

Are security and business continuity a good fit?

Daniel Dec
Cognizant Technology Solutions

The answer to that question is 'yes' - security and business continuity are a good fit and my reasons for this are based on observations and experiences over my career, along with some research evidence to support my position. My reasons can be summarised under five broad headings and these are:

Availability, core in security and BC
The definition of Information Security focuses on three main principles - confidentiality, integrity and availability. It is the availability part of this triad that illustrates the close relationship that BC has with security. Computerized information is only of value if it is available when needed. The concepts and objectives of BC support the availability of Information Security. In addition, there is more relevance as the need for high availability has increased which we will talk more about in a future section.

The bottom line is information is only useful and of value if it is available when needed, and having a well architected and tested DR/BC program supports this availability principle.

Typical organizational structure of the BC and security roles
More than two thirds of the companies that I have visited over the years have BC as one of the responsibilities of the person responsible for security. In addition, several studies by various IT related organizations support this fact. The value that many organizations gain because of the close relationship of BC and security is why this responsibility typically resides with the Information Security Officer.  Both security and BC rely on influencing others to perform tasks so this is another piece of evidence illustrating they are a good fit.

High availability – security – BC
The need for more systems to have low RTO/RPO, including having zero time, has increased over the years and so has the need for a full BC program.  This includes the technical mechanisms to protect of the security of the production and failover systems.

But those complex systems also require adequate security to ensure that unauthorized access including malicious activities does not adversely affect the ability of the use to process information as intended.

Need for security in BC data
Staying with the premise that information is only useful if accessible, information is also only useful if there is integrity behind it.  So strong security controls must be present around the backup/failover data and backup/failover systems.  One of the main documented reasons for failures in recovery testing is the lack of security around backup data/media resulting in lost or mislabelled information. This is critical during recovery and many a test has been stopped in their tracks because of the lack of security over the recovery data.

Inclusion of BC and security in various regulation and standards
Various regulations and standards have closely related their requirements to include controls surrounding BC and security.  For example, the HIPAA healthcare Security Rule has a safeguarding provision for having a Continuity Plan. From a risk perspective, ISO27002 along with the security of key company information also include having a contingency plan.

Daniel will be discussing this and the issue of resilience within the 'Thought Leadership' stream at the BCM World Conference on Thursday 7th November, starting at 13:05.

Can you afford not to embrace next generation business continuity

Kathleen Lucey

Montague Risk Management

 

The bleeding edge of our profession is now resiliency – not recovery, not continuity. But the most interesting part of this is the analysis of events as they occur: calculating the effects of these events and responding in new and different ways.

 

Coupled with detailed current information and analytics engines to help us to understand the impact of events on our markets, our competitors, and our operations, we are now beginning not just to respond faster and better, but to position ourselves to be able to manage improbable, adverse events – sometimes called 'black swans' – to our advantage. We are able to generate additional revenues and/or open new markets for existing products, rather than just minimizing event damages.

 

I don’t know about you, but I would like to move to the side of the organization that deals with revenue enhancement – marketing and new product development – and move away from compliance. There is more funding there to get the job done right!

Kathleen will be discussing this and the issue of resilience within the 'Thought Leadership' stream at the BCM World Conference on Thursday 7th November, starting at 10:35.

Building resilience in the provision of critical national infrastructure with ISO 22301

David Clarke
Telefónica UK

At Telefónica UK we are proud to be one of the first UK businesses to achieve the international ISO 22301 accreditation for business continuity management. We’ve always worked hard to ensure that all parts of our business are robust. Our business continuity provisions were accredited under the former British standard BS 25999, so the transition to ISO 22301 was a natural one for us.

Our COO and business continuity champion on the Board, Derek McManus, summed it up nicely when he said: “Achieving ISO 22301 accreditation demonstrates our commitment to providing a reliable, high quality service to our customers. It shows that we have the resources, investment and processes in place to protect ourselves from potential service disruption – minimising the impact on our customers.”

The acid test

Last year, in the run up to the Olympic Games, we got an opportunity that most businesses don’t – the chance to put our business continuity plans to the test.

We undertook a number of activities, and one of the most high profile involved asking 2,500 of our employees to work away from our Slough Head Office for one day. The goal was to try out our technology, our network and the way we work – for real, on a working day.

I’m glad to say that we passed the test. Everyone was able to do their normal work – with no impact on our customers.

The ISO 22301 accreditation and the results of our flexible working day both demonstrate that we really do understand business readiness and continuity, and that our customers can rely on us when the unexpected occurs.

David will be discussing this and the issue of standards within the 'Supply Chain Continuity' stream at the BCM World Conference on Thursday 7th November, starting at 13:05.

Implementing BCM through complexity

Thomas Puschnik
Zurich Financial Services

Leading a BCM framework in a complex and challenging operating environment is no easy task but one potential key to success is effective relationship management. There are at least two key components to achieving this.

First is in terms of the BCM workforce. Having a team identity or common purpose, a set of agreed goals and clear roles and responsibilities all help to form the basis of a good team. Going from 'good' to 'great' requires a focus and commitment to building strong trusted relationships and recognising there will be setbacks along the way. This requires strong leadership and the will to take time out to listen and get to know team members and to understand their needs and concerns. This is especially true in regions where languages and cultures differ significantly.

Second is in terms of establishing regular engagement with your key business partners. Knowing who your key stakeholders are i.e. those who have or should have a vested interest in BCM, is relatively straightforward but the challenge often comes in determining how best to engage with these people. Selling BCM as a shared goal and using different levers to do this is fundamental. It is important to answer the question "what’s in it for me?" so that both parties understand the benefits for freeing up time and budget to support the activities within the framework.

Building an effective BCM team and support network is a critical success factor for any BCM implementation - one cannot deliver without the other!

Thomas will be discussing this and the issue of rolling out a global BC programme within the 'BC in Action' stream at the BCM World Conference on Wednesday 6th November, starting at 11:15.

The return on investment of a BCM programme

Rainer Hübert
HiSolutions AG

When will the investment for a BCM programme pay off? Most people think that the only correct answer is when a damage scenario has taken place. Hopefully then an effective BCM programme will reduce an otherwise much more costly, or even possibly fatal financial impact to a bearable amount. Then, and only then, will the investment in BCM be paid off – just like insurance policy.

In our finance driven business world however, investment in BCM needs to be justified in financial terms, unless a BCM programme is forced upon an organization by its clients or by regulatory authorities.

While the cost of a BCM programme is widely known, many people will have no idea what the returns will be. During my presentation at the BCM World Conference, I will discuss what I believe are four sources of return for those investments that go some way to justifying a BCM programme.

Insurance premiums and interest rates are the most obvious candidates; however they are the least effective ones. One can reduce the business disruption insurance premium by reducing the time coverage of the business disruption pay out. At banks, it is possible to negotiate the interest rates with by providing additional information about a reduced credit default risk due to a working BCM programme.

More potential for a return of investment however stems from the lowering of process costs by improving process efficiency. When discussing contingency procedures and measures, the way the business operates is more closely scrutinised and so the opportunity is provided to generate ideas as to where efficiencies and savings can be made. These ideas may find their way into day to day operations of a company with the potential to improve the effectiveness or efficiency of business processes across the board.

The largest effect however will actually come from the new ISO 22301 standard. This standard will become instrumental to comply with purchase regulations of clients, especially the larger ones. More often than not, contingency planning will become a requirement of critical suppliers. In future, one may lose existing contracts or fail to win new tenders without a certified BCM programme. BCM will be fundamental to winning or sustaining these contracts.

BCM leaders often struggle with justification for investment in a BCM programme in general or individual BCM measures in particular. Especially when discussing with economists or business administrators, those working in the BC industry are regularly confronted with standard business case approaches to justify BCM, which require a detailed explanation of the return on investment. My talk offers a way to meet this demand and outlines in more detail an approach on how to calculate and demonstrate a return on investment of a BCM programme.

Rainer will be discussing this and the issue of measurement within the 'BC in Action' stream at the BCM World Conference on Wednesday 6th November, starting at 13:30.

Supply Chain Vulnerability: Resilience versus Interdependence

David Hawkins
Institute for Collaborative Working

Over the past three decades the sourcing programmes and supply chains have increased exponentially not simply in terms of commodities and products, but also in a wider variety of outsourcing and service propositions. These extended networks have now bridged the traditional boundaries between organisations and in doing so introduce a significant spectrum of risk to business continuity and reputation. At the same time the implications for both natural and manmade disasters highlights the interdependence of companies of all sizes and in all sectors. Reliance on these extended relationships to deliver business performance raises the prospect that resilience and business continuity is no longer simply an internal issue for companies and prompts consideration for a much greater awareness in the identification of risk, selection of suppliers and increased focus on collaborative working and the capability of third parties to jointly perform when necessary.

The last two decades of the 20th century saw major changes in the business world, perhaps more so than ever before. Pressures on costs, diminishing traditional markets, the explosion in information technology add complex influences on the potential success of business strategies. This is combined with perhaps the most crucial of all – the dramatic growth in globalisation. These trends continue into the 21st century and will likely remain key factors for the future. Over the same period we have witnessed major changes to weather patterns and their impacts, increased political unrest, escalation of cyber crime and fraud on unprecedented scales and networked terrorism introducing wide ranging threats. Not to mention the implications of financial interdependence as seen through the banking crisis and its impacts on sovereign currency stability and contagion.

Ensuring the resilience of the supply chain, whilst harnessing the benefits of greater external engagement means that management of sustainable arrangements and their inherent risks must be integrated into operating practices. Sourcing strategies now have to balance the more historical parameters of completion with a greater understanding of the associated risks. The extended supply chain has now become an integral aspect of many businesses, but perhaps less focus is being given to the potential of third party risk flash back. The impact of the Tsunami on Japan’s nuclear industry highlights the potential reverse domino effect, as did the backlash from Rana Plaza.

Clearly the key to supply chain resilience and for that matter business continuity is clarity of potential impacts and risks. Seeking to simply have visibility or contractual commitments around these issues is likely to leave some aspects to assumptions which are perhaps even bigger risks. Developing the right kind of collaborative relationship with suppliers not only will help to broaden the perspective of risk but in many cases will, through greater openness, likely bring about wider and more effective solutions. Not only increasing openness but also building trust and commitment to jointly work together when challenges arise.

David will be discussing this and the issue of supply chain resilience within the 'Thought Leadership' stream at the BCM World Conference on Wednesday 6th November, starting at 15:20.