Thursday 28 March 2013

In cyberspace, no-one can hear you scream (or snore)

Andy Osborne
Consultancy Director, Acumen
Author of Practical Business
Continuity Management
On Friday I presented a webinar, on scenario-based exercising, as part of the Business Continuity Institute's Business Continuity Awareness Week 2013. And I have to tell you, it was one of the most nerve-wracking things I've done for a long time. 
 
Which is a bit bizarre, really, as I do presentations all the time, to audiences of various sizes (that's numbers of people, as opposed to body mass). I'll admit that there are often a few butterflies just before the start, but nothing particularly serious. 
 
The difference with this one was the strangeness of it all. I was effectively presenting to an empty room and it felt like I was talking to myself - into my 'phone but with no-one on the other end. Except I wasn't, because there was quite a decent sized audience out there, somewhere. All I knew was that there were 76 of them. I only knew that because there was a little green "76" on my computer screen. I didn't know who they were, what they looked like, where they were, why they were listening or what they were expecting.
 
The strangest thing was the absence of any feedback (aside from the online polls I did in an attempt to discover some small snippet of information about the audience). I didn't have the faintest idea whether people were nodding in agreement, smiling, shaking their heads, falling asleep, going off to make a cup of tea or checking their e-mails (heaven forbid). All I could see was that little green number telling me that 76 people were at least still logged in and all I could hear was a deafening silence on the other end of the line.  It was very disconcerting for someone who likes to see the whites of his audience's eyes.
 
It didn't help that, having logged in, as instructed, well in advance of the start time, the webinar system then insisted on telling me, every minute, via one of those awful "press one to be ignored for a bit longer" recorded voices, how long was left until show time, followed by a final countdown that did nothing to ease my pre-match nerves. 
 
Then there was the system itself. I'd had a trial run - which was just as well really as when I tried it with a headset the sound quality was awful and I had to revert to the 'phone's handset. Which meant I couldn't move further than the length of its cable, and that severely curtailed my usual habit of going for a bit of a wander when I'm presenting. And some of the system's features weren't available on the test site so I was learning as I went along on the day. All in all I found it just a teeny bit unnerving. I was out of my comfort zone, I suppose. 
 
I ended up standing up for most of the session, adopting a sort of 1960s horror film manservant hunch over my computer screen and mouse, along with a sort of side-to-side shamble. So it's just as well my audience couldn’t see me either. But, after a bit of a wobbly start, I got my act together, my nerves settled and I got on with the job in hand. In the end I received a pretty decent score, along with some very complimentary comments, so it can't have been that bad - it just felt like it to me at the time.
 
Afterwards I couldn't help thinking that there were some parallels with exercising and testing our business continuity capability, which was the topic of the webinar.

Monday 25 March 2013

What’s driving supply chain complexity? Part One

Lee Glendon CBCI
Head of Research and Advocacy
In the BCI’s report Horizon Scan 2013, one of the key trends of concern identified by Business Continuity professionals was “increasing supply chain complexity”.  So on Tuesday 19th March, the BCI and the Chartered Institute of Purchasing & Supply (CIPS) convened a roundtable of senior supply chain, risk and business continuity practitioners from sectors as diverse as retail, manufacturing, energy, housing, construction and telecommunications to share experiences and discuss how they were dealing with the challenge.
 
If folk were hoping that complexity is something that will stop or slowly unwind, then they would not have got much comfort from the discussion.  
 

BCAW Roundtable Discussion 2013
Perhaps, the most important driver of complexity is the customer and the desire of businesses to develop the right supply chain to meet the needs of the customer.  For example, the supply chain required to be able to sell a product as “made in Italy” sets its own restrictions and risks that need to be managed.  
 
Many of the drivers of complexity have come about through conscious business decisions.  A number of organisations had decided to consolidate their tier one suppliers – while this simplifies the number of interfaces at tier one, what is has done has created many more tiers below the immediate supplier, reducing visibility.  Participants noted that they were now experiencing disruption originating at tiers five and even six!  
 
Another issue raised by a number of people was around the illusion of diversity that dual-sourcing can bring.  While many had introduced dual-sourcing in terms of immediate suppliers, some had found to their cost that at tier two or three they were reliant on a single supplier again.  This point opened up a wider discussion about how difficult it was to understand interdependencies between suppliers and that the term supply chain should perhaps be replaced by ‘supply chain networks’.
 
Some sectors were suffering from lack of communication around changes in their extended supply chain.  More than one participant commented that their suppliers would change the location of production or the people providing a service without informing them, so organisations would be caught out in finding that an event, for example industrial action, in one country affected them, even though they didn’t think they had any exposure to the event.
 
Representatives from the public sector provided an interesting contrast to their colleagues in the private sector.  Their driver of complexity was government policy which was requiring not supplier consolidation but increasing their spend with small and medium sized businesses, while this was sometimes managed through a large tier one supplier, there was a need to monitor the success of this policy and provide extensive training and development support for small businesses to work with government entities.
 
The consequences of redrawing the boundaries of organisations over many years through outsourcing were also flagged as creating challenges in that the suppliers often had more knowledge and expertise than the client. Some felt that too much intellectual power had been outsourced and one organisation stated that they were now bringing back in-house some of the higher skilled activities.
 
In concluding this part of the roundtable discussion, it’s much clearer why complexity is such a taxing trend for Business Continuity professionals and why it is so important to find an approach to manage it effectively. 
 
In Part 2 of this roundtable report, we’ll look at some of the techniques that are being used to manage complexity.
 

Practice makes perfect or scenario-based BC Plans are a waste of time!

Your BC Eye
Donna Monkhouse
We are all familiar with the expression “practice makes perfect” and never has a truer word been spoken.  Practising is all about rehearsing again and again until you have mastered the role you’ve been assigned; but, it is also about improving your behaviour.
Today’s BCAW 2013 webinar of my choice was the one on exercising, or rather scenario-based exercising, which was presented by Andy Osborne MBCI, Associate Consultant at Clearview-Continuity.
The first question Andy raised was, why bother with exercises?   
Well, the short answer is that it takes a lot of time, effort, resources and money to write a Business Continuity Plan (BCP) and if you want to see a return on this investment, you need to make sure it works.  Simply having a BCP in place will not save your business; what will save it is having the right people with the right capability to deliver that plan, and the only way to develop that capability is through practising or as Business Continuity professionals prefer to say, through exercising. 
So should a BCP be based on particular scenarios? 
Well according to Andy, “scenario-based plans are a waste of time”.  What Andy was essentially saying with this somewhat controversial statement (at least at first glance)  is that there is no way that we can think of every possible scenario nor can we plan for every conceivable type of incident that we may be faced with at some point in the future.  More often than not, old Murphy’s Law will kick in and you will find yourself either faced with the one scenario you hadn’t thought of or the scenario you had in your head pans out quite differently in reality.  What is critical here is not to plan for every scenario, but to plan for any scenario and the way you do this is to build the capability within your organization to respond to any incident by getting the people involved to rehearse again and again until they know their lines off by heart (speaking in theatrical terms of course)!
What about scenario-based exercises?
Scenario-based exercises, on the other hand are not a waste of time but can be very valuable in terms of emphasising issues that no one had thought of; highlighting your strengths and your weaknesses (remember, you are only as strong as the weakest link); clarifying responsibilities; testing your communications and ultimately, helping you to improve and enhance your response capability. 
Which scenarios should you select?
It doesn’t really matter what type of scenario you select, but what it does need to be is credible, engaging and realistic and it needs to meet and reflect your objectives and the key issues you are hoping to address through the exercise.  So when planning an exercise, don’t start the process by trying to think of some great theatrical spectacular, focus in the first instance on your objectives and issues.  You can make up the most exciting, mind-blowingly creative and fictitious incident, but if it doesn’t meet your objectives then it will have little value and will really be a complete waste of time!
When it comes to facilitation of a scenario-based exercise, there are many approaches that can be taken.  It could be as simple as a desk-top exercise where you gather everyone around the table to talk them through the plan or even walk them through it; or it could be a bigger event involving role play and fake journalists, doctored photos and staged radio broadcasts. 
The key observation made by Andy based on his extensive experience in the field, is that what you do will and should be decided by the people you need to involve inasmuch as some people will feel comfortable with role play; others will feel totally out of their comfort zone; some will react well and others badly.  You need to understand the composition of your Incident Management Team, the intricacies of their personalities as well as having (if possible) some insight into past history and previous experiences and traumas so that you can at least make some kind of pre-judgement as to how they might react to certain scenarios and whether they are the right men or women for the job.
 You also need to consider whether they can work well together as a team and whether indeed they know each other well enough to perform effectively as a unit, after all, you are only as good as the sum of your parts.   
Both approaches of course have their value.  If you decide for the role play (which does not involve dressing up in fancy costume), you can make this as realistic as you like, just be sure to be aware of the fact that different people will react in different ways.  Certainly, if you wish to include a death of a colleague in your scenario, it is wise not to use real people’s names but safer to stick to a fictitious name instead; using real names can have terrible emotional consequences for some of the players on your stage.  How realistic you can make it, will of course depend on how realistic you can afford to make it, but the sky really is the limit here.  You can involve multiple teams and use multiple locations in your scenario; there is no right or wrong.  Andy did, however, strongly advise anyone planning to use multiple teams to first carefully consider which teams to involve at what point otherwise you will have people involved with nothing to do for long periods of time, which destroys the ‘engaging’ element of your scenario and will result in loss of interest and loss of ownership and ultimately spell out a miserable failure.
So how do you get the most out of your exercising?  Here Andy’s top tips:
  1. Plan and prepare for your exercise properly
  2. Think about the management and the coordination of the exercise
  3. Use experienced facilitators
  4. Develop an exercise plan and schedule
  5. Ensure you have clear objectives and measurable success criteria
  6. Brief all participants including the facilitators in advance as well as you can or should
  7. Have some independent observers on the side line as they can provide excellent, impartial feedback post-event
  8. Create and use post exercise critique forms and log books to capture key information and observations
  9. Write a report and follow up on the report’s recommendations as part of your lessons learned (after all exercising is also about improving your capability)
  10. Finally de-brief everyone who was involved and make sure all loose ends are firmly tied up
At this point, Andy reminded us of the 5 Ps (or 6 Ps used in the army, but we won’t mention the sixth one here!): Proper Planning Prevents Poor Performance – good planning breeds success; success breeds confidence, confidence in your plan, in your team and ultimately in your organization to withstand any scenario! 
The final question that Andy put on the table was when to exercise? 
The Business Continuity Management Lifecycle tells us to exercise and test at the end of the process, but we could exercise during strategy definition or maybe during the implementation process.  In fact, Andy went one step further and made the brave suggestion that maybe the Lifecycle should begin with exercising as this is guaranteed to make people sit up in their seats and pay attention; it will highlight the key issues; it will emphasise the importance of Business Continuity and it could be key to getting buy-in especially at the top, which as we know can be more than difficult! 
This webinar certainly provided me with ample food for thought and hopefully you have learned something too by reading this blog!
BCI Physical Workshop
Would you like to find out more about how to plan and run an exercise programme or how you can invigorate or inject new life into an existing programme? 

The BCI is running a workshop dedicated to this topic in Manchester this month:
 



Dates:
Wednesday, 24th April 2013: Planning and Running an Exercise
Thursday, 25th April 2013:Invigorating your Exercise Programme
Location: Manchester
Type: Physical (Delegates can choose to attend both or just one of the sessions)

BOOK NOW >>

BCI Member Rates apply.

Friday 22 March 2013

Cyber Threats and Cyber Security – are they real and can they be managed?

Your BC Eye
Donna Monkhouse
 
My  topic of choice for yesterday's webinar listen-into was the one on Cyber Threats and Cyber Security by Brendan Byrne from IBM in which Brendan shared both IBM’s and other organizations experiences from the dark world of cyber threat.
 
According to a recent IBM survey, the biggest threat perceived by Business Continuity professionals is cyber-security.  Some of the challenges faced include BYOD (Bring Your Own Device) which is on the increase; the widespread use of social media with its pros and cons; workforce mobility and the increasing use of cloud-based solutions.
 
The landscape is changing for organizations all around the globe.  Big Data or Smarter Data inevitably means more security considerations and the growing use of online services is another cause for security concern.  The boundaries are becoming blurred as we step up the use of the innovative technology that is advancing our way.  Supply Chain Security, as Brendan quite rightly said, is indeed only as strong as the weakest link in the chain and the expanding use of data is presenting more and more problems in terms of potential threats to an organization.
 
According to the X-Force Research Team (just one of the jewels in IBM’s crown) who is tasked with analysing the worldwide web on a daily basis, scanning the horizon for new trends and new vulnerabilities, there are over 40M spam and phishing attacks every month!  Now that is a scary figure.  KPMG’s Data Loss Barometer 2012 showed that hacking is the number one cause of data loss and that data loss incidents have increased by 40% since 2011.  There is evidence of new attack activity as malware gets too clever for its boots.  Some of the challenges faced are down to things as apparently simple as passwords (or rather the common and widespread use of the same password) and of course there is the challenge of BYOD and a new concept, called APT (Advanced Persistent Threats).
 
One of the key messages that this webinar drove home, was the importance of embedding cyber-security into an organization’s business culture.  It is not enough to develop a policy and then file it away thinking that the job is done and a big fat tick has been put in the box.  With a constantly changing landscape and new threat activity entering the “Cyber Charts”, it is essential that organizations review, review and review again to ensure that their policies and procedures meet the current and future security needs of their business.
 
One of the key issues is that cyber threats are just getting more and more sophisticated.  Motives for cyber-attacks range from simple curiosity, to revenge, right through to the big stuff like espionage and political activism.  The players or actors on the cyber stage are also becoming increasingly more educated and organised.  They scale of actor type runs from the inadvertent actor, who may cause an incident through ignorance or lack of training; to the opportunist that just grabs the moment to do some damage; to the “hacktivist” (remember that is the number one cause of data loss); right through to the top of the tree with the advanced actor, that heads up some big scam.
 
According to IBM research, the top three IT risks that damage a company’s brand (its greatest asset) and reputation (as perceived by BC professionals) are:  Data Breach; Systems Failure and Data Loss in that order.
 
An interesting example of a botnet was put in the room as such to demonstrate both its apparent innocence and its inherent danger.   We can all very easily download a botnet.   More often than not, this just sits harmlessly on our computers until the organiser of said botnet decides to sell this onto another organization, which in turns uses this to collate important and personal data and there we have it – bring this data together into one central location and you have a hacker’s dream and the so-called Money Mule concept kicks or trots (does a donkey trot?) into action.  So we see that the end users are also part of an organization’s security landscape.
 
Brendan also expanded on the IBM approach to managing cyber threats. The IBM approach consists of two elements – the first is the “Pre-exploit”, which is all about prediction and prevention and the second is the “Post-exploit” which is about reaction and remediation.  Every organization needs to adopt this approach.  Every organization needs an instant handling approach and every organization needs an intelligent view of their security position.  When working with clients, IBM has discovered that most organizations think they have an optimised approach; but reality tells another story with the majority only having basic measures in place.  Organizations need to aim to be proficient in order to be able to proactively protect themselves from cyber-attacks.
 
Brendan listed the essential practices as follows: 
  1. Build a risk awareness culture and management system
  2. Manage security incidents with greater intelligence
  3. Defend the mobile and social workplace and make social media work for you and not against you
  4. Have security-rich services by design and not as an after-thought
  5. Automate security hygiene
  6. Control network access and help assure resilience
  7. Address the new complexity of cloud and virtualisation
  8. Manage third party security compliance
  9. Better secure data and protect privacy
  10. Manage people’s identity throughout the whole security lifecycle
Brendan then talked about the IT Trends for 2013, which he defined as follows:
  1. Cloud security will move from hype to a mature solution and will progress
  2. Advances in BYOD mobile will increase and be more secure than laptops by 2014
  3. Compliance will be a big driver for 2013 with organizations facing potential fines of 2% of their global annual turnover
  4. Data explosion will increase

And in conclusion, Brendan left us with the top threats for individuals to consider in 2013 and these are:
  1. Cyber Security
  2. Supply Chain Security
  3. Big Data
  4. Data Security in the cloud
  5. Consumerization
So yes, cyber-threats are very real, but with the right approach to cyber-security they can be managed!


 

Thursday 21 March 2013

A Winning Combination with great odds

Your BC Eye
Donna Monkhouse
Once again your BC Eye tuned into yet another excellent webinar – just one of the many free webinars that are being run as part of this year’s BCAW activities to raise awareness around the value of Business Continuity.
 
This one discussed the rise (and not fall) of contingency planning (widely used and known in the financial sector as the way to deal with threats) and its continued rise to become an integral part of good Business Continuity practice.   
 
Based on the recently released BCI Research Report: The Winning Combination – the 3 Cs of Business Continuity: Contingency Planning, Continuity Capability and Crisis Response and hosted by our very own Lee Glendon, who heads up our Research and Advocacy activities, this webinar showed us that by bringing the 3 Cs together we can accomplish good Business Continuity practice and ultimately achieve the one true goal, which is organizational resilience. 
 
Lee Glendon CBCI
Lee talked about the specific role of the BC professional in Contingency Planning, which he neatly defined as the individual who makes an action plan actionable and the challenges a BC Manager faces as a non-financial professional of being deemed capable of assuming responsibility for supporting the development of a Contingency Plan. 
 
The key thing this presentation drove home to me was that fact that Contingency Planning, Continuity Capability and Crisis response should not be dealt with in isolation but that they all support each other.   Continuity Planning is all about the pre-plan response for things that can be reasonably planned for; Contingency Planning is all about dealing with specific threats or scenarios; and Crisis Response is required when an event goes beyond reasonable planning and poses a high degree of threat to the existence of an organization.   Together they form, as Lee stated, “a three-line defence” mechanism, which works!
 
Putting this concept into a context that we can all relate to, Lee took us through a case study that demonstrated the successful application of the 3Cs, namely, Cheltenham Races, which are organised by the British Horseracing Authority. 
 
He explained that the Continuity Capability was in this instance about ‘keeping the show on the road’, which meant making sure the event could happen, like for example identifying an alternative location for the same date (not easy to change a race date).  This included the recognition of the fact that things can go wrong and that there will inevitably be disruptions, after all, it is the winter race programme in the UK that we are talking about here!   Then he talked about the Contingency Planning element, which in this case was essentially having plans at local level (i.e. for the racecourse itself) in the event that it snowed, or there was a hard frost or security issues.  And finally he talked about the Crisis Response, for the bigger things like injuries to the horses, cruelty to animal campaigns that might damage the good reputation of the British Horseracing Authority as well as our beloved (and I can say that as a Brit) Cheltenham Races or cause a major disruption to the event. 
 
The success of this wonderful example of the practical application of the 3 Cs was evidenced through an enhanced reputation and wide public recognition according to the British Horseracing Association.   There were lots of contributory factors including good communications; making sure the needs of all the race stakeholders were met; bending the rules a bit where necessary (or as Lee referred to it, flexible policy); not having a fixed plan but having the capability to deal with threats and incidents; as well as the continuity of staff.
 
The next phase of this truly insightful webinar was about the application of the 3 Cs to threats and risks or rather the question of how this could be done.   This is where the black swans of this year’s BCAW 2013 theme appeared on the horizon.  (Remember the main banner on the BCAW website?)  Lee defined the characteristics of these infamous black swans as:  unexpected; more consequential than your white swan (the ones you do see coming); relative in terms of knowledge (i.e. the more knowledge, the less black the swan (!); and ones where we have a clear understanding of what the consequences could be even if we don’t know what that event will be exactly or how likely it is.
 
Here, Lee brought into play the famous Known, Knowns” concept of Donald Rumsfeld (2002) and linked them to the 3 Cs as follows:
 
Known Knowns i.e. things we know we know, which can be dealt with using Contingency Planning;
 
Known Unknowns i.e. the things we know we don’t know, which require us to build Continuity Capability;
 
Unknown Knowns i.e. the things we know about but don’t know when they will happen, which if they do, will require a Crisis Response;
 
Unknown Unknowns i.e. the things we don’t know about nor do we know when they will happen, which also fall under the remit of a Crisis Response.
 
In conclusion, Lee brought us back to the opening topic of the webinar, namely, Contingency Planning, which he concluded, is known, particularly in the Financial Sector to work across strategic, financial and operational risks.  What this webinar proved was that the 3 Cs would work just as well and actually when we talk about Contingency Planning, in essence, we are talking about the application of the 3 Cs; all we are doing essentially is using different elements of the same structure.  Which elements we ultimately use, will simply depend on the level of our knowledge. 
 
So Contingency Planning really is on the rise; on the rise to become an integral part of Business Continuity and the application of the 3 Cs will help us to build resilience.
 
 
 
 

Wednesday 20 March 2013

How well are you weathering the storm? Lorraine Darke, Executive Director of the BCI provides the insider view on the official launch of the CMI’s annual BCM Survey Report

Tuesday of Business Continuity Awareness Week saw the launch of the Chartered Management Institute’s annual Business Continuity Management Survey which is supported by the BCI, the BSI and the UK’s Civil Contingencies Secretariat. The setting for this year’s launch was the rather imposing setting of the Grand Committee Room, House of Commons, Palace of Westminster and took the form of a discussion around “Weathering the storm: is lack of business continuity management holding back the UK economy?” Member of Parliament, Barry Sheerman, Chair of the All-Party Parliamentary Group on Management hosted the event.

BCI members, Martin Caddick MBCI, Rob McAssey AMBCI and Néstor Alfonzo Santamaria AMBCI formed the majority of the panel which was chaired by CEO of the CMI, Anne Francke.

The CMI’s annual survey, now in its 14th year, is markedly different from other business continuity surveys in that the respondents are not business continuity practitioners but more general managers who look at disruption, and potential disruption, giving a different perspective. Research purists may argue that the methodology underpinning the survey – that of a self-selecting group of 637 individuals from a sample of 25,000 – is not robust but the longevity of the survey and the benchmark it provides cannot be disputed.

As was highlighted in the theme for the evening’s discussion, the extreme weather experienced in the UK over the past 3 winters ranked most highly as a continuing threat based on recent disruptions. When we refer to “extreme” that is, of course, by UK standards and I am sure that our members based in Canada, Scandinavia and other Northern countries will have a different opinion. What was particularly interesting was the low threat rating given to cyber-attacks by the respondents to the CMI survey as this threat is given increasing importance by business continuity practitioners in BCI surveys. This perhaps highlights the difference between visible and obvious threats that can be seen by general management and less visible threats which may already have been dealt with as “business as usual” by specialist practitioners.

Our BCI members on the panel did an excellent job of reinforcing the business continuity message of “don’t focus on the cause but look at the impact of an incident”. Martin Caddick of PwC talked about: the cost of implementing business continuity and whether it could be seen by senior management as a waste of money if never invoked; the scale of the cost of an incident which can rise exponentially once the reputation of an organisation is threatened; and how a robust business continuity programme may bring about a reduction in Business Interruption Insurance premiums.

Rob McAssey of the Adidas Group gave us a lovely case study of embedding business continuity Рfirstly in the UK, then throughout Europe and finally worldwide Рthe stress being on ensuring the process is enjoyable by those participating. Finally, N̩stor Alfonzo Santamaria, a Contingency Planning Officer at the City of London spoke of a collaborative approach and how the 33 Local Authorities within London have worked together to share best practice to help make London more resilient.

Questions from the floor to the panel, as might be expected, questioned how business continuity as a specialism fitted within a management structure and asked whether the discipline shouldn’t just be embedded within management roles as the norm. The panel agreed that embedding was an aspiration but as organisations move towards this they should identify key processes through BIAs, plan how to keep these processes operational during and after an incident and carry out regular exercises to test these plans using a range of stimulating scenarios. With his tongue only slightly in his cheek, Néstor advocated a Zombie Apocalypse scenario urging the audience to “pretend and enjoy”.

 

Guiding you through Good Business Continuity Practice - the Good Practice Guidelines (GPG) 2013 now available

Your BC Eye
Donna Monkhouse
Monday 18th March saw the official launch of the Good Practice Guidelines (GPG) 2013, the independent body of knowledge for good Business Continuity (BC) practice worldwide.

The launch of GPG 2013 signifies a memorable event for BC professionals all around the world and marks a key milestone for the Business Continuity Institute (BCI).  Its release has met with great enthusiasm and has been applauded around the globe as a key tool in achieving organizational resilience.

GPG 2013 is central to the work of the BCI as it underpins BCI Certification and the BCI Statutory membership application process as well as the validation of BCI Training. 

Furthermore, it provides the BCI with a solid industry benchmark against which the technical and professional competence of its members can be effectively measured and examined.  So it is key to the Institute and plays an important role in the daily lives of BC professionals.

The Good Practice Guidelines 2013 are not a standard or a mandate; nor are they designed to serve the same purpose as a standard.  They don’t just prescribe what you have to do, but offer more scope and insight by explaining the how, why and when of good BC practice. 

Building on the technical, practical as well as academic experiences of BC professionals from across the BCI’s global Statutory membership, they really do reflect current thinking on BC.  What makes them even more significant and formidable is the fact that they can be applied to every type and size of organization working in any sector in any part of the world.  So whether you are working in the Middle East, the UK or are up a mountain in the beautiful Swiss Alps, the GPG 2013 is relevant to you.

 
One of the principal strengths of the Good Practice Guidelines 2013 is that they have not been written in isolation.  They have been carefully aligned to various standards and recognised industry practices across a wide range of BC related disciplines, including Risk and Crisis Management, to ensure that they are as comprehensive and current as possible.  They are not the only resource that can be used to develop a Business Continuity Management (BCM) programme, but they certainly represent one of the key reference sources and remain a top resource for BC professionals when setting up a BCM programme.

The Good Practice Guidelines 2013 have been subject to a stringent quality assurance process to ensure they continue to drive the highest standards in BC.  In fact, they have been through multiple audits and reviews by a wealth of BC experts to ensure they are relevant, coherent and above all easy-to-read and easy-to-follow as all good guidelines should be.
 
So what has changed?  What makes this GPG different to the others?

Well the key word here is simplification.  The core principles remain the same, but the tone, quality and consistency of the GPG have been improved and the language has been notably simplified making it far more inclusive. 

BCM Lifecycle
The GPG has retained its six Professional Practices (PP1 right through to PP6); the only difference is that they have “simply” been renamed and are now referred to as:  Policy and Programme Management; Analysis; Design; Implementation; Validation and Embedding Business Continuity.  Together these six Professional Practices make up the BCM Lifecycle, which is central to good BC practice and ensures the success of any BCM Programme and its continued value to the organization.

The GPG 2013 now uses terminology from the international standard for business continuity, ISO 22301:2012, thus improving its international appeal and relevance.

Logic, simplicity and a clear structure now characterise the very essence of the GPG, running through its pages from start to finish.  In particular, the BCM Lifecycle has been subject to an especially positive and eye-catching make-over, which now better reflects the purpose of the Lifecycle, which is to embed BC in an organization by working through the other 5 Professional Practices that make up the Lifecycle, each one taking you closer and closer to your target.  For those of you familiar with the previous Lifecycle, the BCI has simply turned in inside out!

The GPG 2013 also makes a key differentiation between Business Continuity as a discipline that leads to organizational resilience and Business Continuity Management as a process, which is the sum of the activities that make up good BC practice, which is in itself quite revolutionary and will play a key role in taking this discipline forward and ensuring its cross-disciplinary adoption by Crisis, Risk Managers and the like and not just by BC practitioners.

To mark the occasion of the official launch, Lyndon Bird FBCI and Deborah Higgins MBCI, the editor-in-chief and assistant editor respectively, delivered an insightful webinar that highlighted the key changes to the GPG 2013 and talked attendees through the BCM Lifecycle.  If you missed the presentation, fear not, you can catch up here

During the presentation they ran a couple of polls and the results were interesting with 50% of the attendees confirming that the GPG is one of the sources they use when putting together a BCM Programme and 74% confirming that the GPG adds value to their work.  Pretty healthy statistics!

At the moment, the Good Practice Guidelines are only available in English (UK), but there are plans for other editions in line with the requirements of the global membership of the BCI. 

By the end of June, copies will be available in English (USA), French, Spanish, Chinese, Japanese and Arabic.   Additionally, BCI members are working on the further languages of German, Italian, Portuguese and Korean which will be made available as soon as they are ready.

BCI Members are entitled to a free download via the BCI Members’ Area; non BCI Members can buy a pdf version here 
 
A hard copy of the GPG 2013 will be available to buy in May and BCI Member rates will apply.

If you are not yet a member of the BCI, why not think about joining?  Find out more here

You would like to find out more about BCI Training?  Click here