Friday 22 August 2014

Business continuity and the non profit sector


"I always imagined a few people on the phones in a small office taking calls, not a big office with actual departments, and definitely not anyone thinking about business continuity and risks." Over the past year I have heard this line said to me in varying forms when I have explained that I give advice on corporate risk and business continuity in the non profit sector.

Not a common misconception, and while it is easy to list the risks relevant to the financial services industry, for example, applying that to the non profit industry, along with the associations of what is important, is not as obvious straight away.

Some Challenges and observations:

The varying degrees of academia in non profit organisations are expansive and the primary challenge is making it accessible and relatable to all.

The attitudes that this would take too long - it’s not required in our industry and focusing on delivering primary front line services was more important. But has anyone thought about those supporting functions?

"This will never happen to us anyway." At first, it made me feel uneasy hearing this, but this is the best challenge to promote business continuity in any industry. Using the "if we don’t comply, we will get fined" card almost shifts the desired effect from wanting to provide great assurance to an exhausting check box exercise. The appetite and denial factor is a tough barrier to get around.

Forgotten plans - in most cases contingency plans were in people’s minds but just not on paper. Hearing various stories of incidents taking place which resulted in an instant panic before the swift realisation that "oh yes, we have a plan, we know what we need to" kicked off a series of reactions to get things back to normal.

Planning vs practicing - countless months were spent planning and writing but practicing those BCPs was missing. In recent exercises some feedback I got was that no one had ever tested their plans before, and they found it really useful. The actions that were thought to take five minutes took twenty. This started a chain of actions which plan owners needed to implement in order to become more resilient in an incident. A friend said to me once that businesses don’t fail because of bad business continuity plans, but because of bad choices. That stuck with me.

So what does BC look like in these industries?

We live in a robust and dynamic society and whilst a generic approach to start off a plan is valuable, they can be adaptable. I quickly realised that I was getting too hung up on wanting to make each team’s plan look the same and what really mattered was that it absolutely has to work for the people invoking it, and if it is clear and coherent, that is sufficient.

It is without a doubt that the non-physical threats such as reputational risks, loss of funding from a major donor and employee scandals can have serious impacts on your operation, especially when the majority of funding is provided by the public generosity. If an incident occurred what would be the emergency funding protocol? It is things like this that need the most consideration. Yes, every industry needs to consider the building, IT/data and staff but what about the intangible factors that essentially call for a disaster?

Making those threats relatable is key, and the empowerment resulting in a shift in view of risk and business continuity only being related to IT and Financial services is essential. (Because the varying levels of academics in these industries often sit under one roof.)

What does this all mean?

All non profits, for example charities, are run like businesses. Fact!

Non profit or not, business continuity is on everyone’s mind, but they just don’t know that this is what it is. Yes, the variations of levels in what constitutes a threat differ from industry to industry but essentially, what matters most is the resiliency each organisation has to overcome any incident it faces.

RISKercizing until next time

Rina Bhakta is a Corporate Risk Advisor at the NSPCC. If you would be interested in being a member of a special interest group and want to talk/share ideas about business continuity and risk management challenges at your non-profit contact Rina via her blog RISKercize or via Twitter or Linked In.

Thursday 21 August 2014

Protecting yourself from a social backlash

The first tweet was sent just over eight years ago when creator Jack Dorsey typed up "just setting up my twttr" and it pinged into the history books. Since then the growth of Twitter, Facebook, Instagram, and other lesser known platforms has fundamentally changed the way we process events and read content.

Despite this, the majority of executives are still terrified of social media, and the backlash which happens during a crisis. Many choose to have no part in it, figuring that a visible online presence will make you a sitting target. When Domino’s 2009 YouTube scandal hit, the pizza company didn’t even have a Twitter account set up and they were unable to communicate or even acknowledge their critics properly.

Burying your head in the sand is not an option. Social media isn’t going away, the various platforms may come and go as fickle as fashion, but the internet is here to stay and it's time for corporations to get a handle on how they interact with social media. Monitor your brand properly, be the first to identify a crisis developing and respond fast.

Whether you have a large social media presence or not, you will be discussed and complained about on Twitter. During a crisis, Twitter is the breeding ground of unchecked ‘facts’ and misrepresentation which spread like wildfire. Link Twitter to your press statement, allow Twitter users to read the real facts, even if they choose to ignore them. This also leaves your organisation in a much stronger position, in that it can say it has been in dialogue with all its stakeholders including those who vehemently oppose it.

A core part of your crisis plan should be your digital crisis communications plan. Just as the perfectly phrased (and legally cleared) press statement is ready to go for any well prepared company, a perfectly prepared stream of tweets should be poised in order to get the right message out into the blogosphere fast.

Finally, and most importantly, don’t score an own goal for the Twitter trolls. What can go wrong probably will go wrong. Give those haters a hashtag to use and use it they will, effortlessly turning a carefully constructed hashtag into a bashtag, as seen with the #myNYPD. Earlier this year ‘New York’s Finest’ attempted to generate some good publicity by asking the internet to tweet their experiences of their friendly local police department. What could possibly go wrong? Quite a lot as it turned out, Twitter was flooded with accounts of police brutality and the names of those shot dead by police.

Tom Curtin is the Chief Executive of Curtin and Co, a BCI Partner specialising in crisis communications and reputation management. You can view more blogs by Curtin and Co by visiting their website or by joining their Linked In group.

Monday 18 August 2014

Scottish independence - for better for worse

Throughout Scotland, at the moment, all conversations seem to quite quickly move on to the topic of the independence debate. I was sitting in the lounge bar of the Coll Hotel, on the Island of Coll, and could hear a lively debate going on in the public bar. It was a measured conversation and good points were being made on both sides. Then again, when I was at lunch with my parents we started discussing our latest thoughts on the debate. Most people I know seem to have made up their mind, so when I hear the issue being discussed it is usually just a rundown of the latest news and developments.

In terms of the debate within businesses there is a rather different attitude. Many public sector organisations have been told they are not allowed to talk about independence at all. Other organisations are keeping their head down, saying nothing publicly as they know they don’t want to be seen to belong to either camp, for fear the vote goes the wrong way and then there is a backlash against those who spoke out. For me it seems it is only the large companies such as Standard Life and Shell, which Scotland needs as much as they need Scotland, that have the luxury of making their feelings on independence clear.

So what has Scottish independence got to do with business continuity?

According to many in the ‘No’ camp, independence will be a disaster for Scotland. They are even discussing invoking their business continuity plan if the vote goes wrong! But what about the rest of us? What should we do to prepare for the independence vote?

1. First of all this is a foreseeable event so we have time to prepare for it and do something now. The first thing I think that you should do is understand your organisation’s vulnerability to Scottish Independence. In examining this you need to look both upstream towards your suppliers and then downstream to your customers. By mapping both you can understand your exposure. In looking at your suppliers then you need to look to your Tier 2 and 3 suppliers to check their exposure.

2. In looking at your exposure you want to take into account a number of factors. Business hates uncertainty and the period up to the independence vote may prevent businesses in the rest of the world making orders to Scottish companies. At PlanB Consulting we have not had any enquiries from English companies for the last three months. If the vote is for independence there will be immense uncertainty for the following 18 months, as the details of a new Scotland are being sorted out. This may cause your suppliers and customers to behave differently and so you might want to identify the critical ones and then make contingency plans if they stop purchasing from you or supplying to you. This will be made much worse and complex if Scotland has to change its currency.

3. If you are a public sector organisation then independence could affect you in a number of ways. If you are a national organisation which operates across the UK, such as the Police, then there will be an immense amount of work in separating databases and separating the parts of the organisation. As an aside, it has been shown that criminals thrive on uncertainty and a fractured police force. For other public organisations there may be a new regulatory regime or different priorities. It will be the same for financial organisations and other regulated industries. There will be uncertainty until it is made clear whether the regulatory regime is the same as before or has changed.

4. For business continuity managers whose organisations span Scotland and the rest of the UK, it might mean having to change the structures of their plans to take into account organisations having to restructure themselves. Having operational teams during a disaster in Edinburgh, reporting on an incident to a Tactical Team and Strategic Team in London, may no longer be appropriate.

5. In all incidents, or when rapid change occurs, there are always opportunities. The Business Continuity Manager should make sure that when their organisation is discussing the effect of Scottish independence they make sure that identifying opportunities is on the agenda. This could be the opportunity to change suppliers and choose ones closer to where their products are consumed, eliminating the long supply chains with their inherent risk of disruption. If Scotland is not within the EU, having short local supply chains may be essential. It could also be an opportunity to completely review your business continuity plans, structures and strategies and change them for the better.

My feeling is that most organisations, in Scotland and also in the rest of the UK, are hiding their head in the sand and hoping that this problem goes away. They see the ‘No’ vote being ahead in the polls, not taking into account the undecided votes, and think this whole problem will not materialise. We as business continuity people know that if you shut your mind off to unlikely events then they tend to catch you out. So my call to action is for business continuity managers to examine their exposure to Scottish independence and then identify and mitigate any potential risks.

Charlie Maclean-Bristol is a Director at PlanB Consulting in Scotland.

Wednesday 13 August 2014

Can you work with just a mobile phone and internet connection?

Recently I did a remarkably silly thing. Something I hadn’t done in almost seventeen years as the proverbial travelling consultant.

I went to London. No, that’s not the silly thing – I go to London quite often and honestly it’s really not that bad there. Even for a country bumpkin like me. No, the silly thing came to light after I’d boarded the train and it was pulling out of the station. I opened my bag to take out my laptop and some papers so that I could start work and my laptop wasn’t there. I checked again. And again. But it still wasn’t there. After checking for a fourth time the penny finally dropped – I’d left my laptop at home. I was a couple of minutes into a two-hour train journey, all ready to get stuck in to some quality report writing time and my laptop, one of the main tools of my trade – if not the main tool – was sitting at home, rather than on the table in front of me.

After the initial panic attack subsided I remembered that I wasn’t presenting today, so at least I didn’t need my laptop for any of my meetings. And I had my phone, and lots of people tell me that’s all they need to be able to work. “I can just work from wherever I am, as long as I have my mobile phone and an internet connection” is an assertion I hear all the time. Well this was a perfect opportunity for me to put that theory to the test.

Luckily I had a charger with me, otherwise I’d have been in trouble from the off. Because the second thing I didn’t do last night – the first being to not spot the absence of a laptop when I checked the contents of my bag (yes I did actually check, or at least I thought I did – it was late) – was to charge my ‘phone. I have one of those ‘phones that you have to charge about every three and a half hours (you know the ones) so the 20% remaining battery life probably wouldn’t have got me halfway to London, let alone seen me through the day.

So I plugged in and off I went. I couldn’t work on the report that I’d planned to because, whilst I synchronise files between my desktop and laptop, I don’t store all of my data in the cloud as a matter of course. In fact I don’t store much there at all, particularly if it’s confidential. Call me old fashioned but I haven’t yet developed the same blind faith in 'the cloud' that many others have. I’m with one of my information security colleagues on this one – he recently said “I wish people would stop calling it ‘the cloud’ and start calling it ‘putting my data on someone else’s computers’”. Don’t get me wrong, I’m not saying 'the cloud' is all bad. And yes, I do use it. But I’m extremely selective about what I choose to put there. There are, after all, some significant advantages if it’s used properly. But the cloud is a big and often dimly-lit place and not every cloud is created equal. Call me a cynic but I largely think of 'the cloud', particularly the free bits of it, as a really convenient way of letting someone else delete, corrupt, leak, sell, give away, deny me access to or otherwise compromise my data so that I don’t have to do it myself. Which I personally think is a healthy attitude that others would do well to adopt.

But I digress. In any case, trying to write a proper report on a phone, as opposed to making a few notes, isn’t the easiest thing in the world to do. For a start, typing large amounts of text on a phone isn’t as easy as on a real keyboard, at least for anyone with normal sized fingers. Let alone the fact that my phone is constantly correcting what I type, which means I spend an inordinate amount of time correcting it back again. Then there’s the compatibility issues (which I won’t go into here as it’ll probably just turn into a rant against Microsoft and Apple), which means that you’re pretty much restricted to text only, without too much formatting and certainly nothing as weird and wonderful as a table.

But I digress again. At least I could start by sending a few e-mails. Except there was no network connection. On-board wifi hasn’t made much of an appearance on the trains from Evesham to London yet, at least not the peak time trains (for some reason you can get it at 2 o’clock in the afternoon, which is really useful for the majority of business travellers who actually have to get up in the morning). And the mobile phone signal is somewhat patchy for the first part of the journey. Funny how I can get a mobile signal at the top of a ski slope but not in the Cotswolds, despite the claims of 99% UK coverage by the mobile ‘phone companies (second rant suppressed).

So I read a couple of (paper) documents, wrote a bit of my blog, corrected the corrections, finally managed to send and receive some e-mails, did a bit of web browsing (albeit looking at stuff on a very small screen), popped a couple of headache tablets and arrived in London for my meetings.

Shortly before I got on the train home, my phone started bleating “low battery” at me again. “No matter”, I thought, “I’ll just charge it on the train”. Except the electrical sockets on this particular train weren’t working. So I had about twenty minutes of trying to access my e-mails (and failing, due to a glitch at my internet service provider – good old Sod’s Law!) and writing a few notes for later processing before my phone gave up the ghost. At which point I gave up too and read the paper instead.

So, how effective was my plan to “just work from wherever I am using my mobile ‘phone”? Well, I suppose I managed to do a bit, and significantly more than in the pre-smartphone days. But how effective was it really? Well I think the answer to that is fairly evident. I reckon I probably achieved fifteen to twenty percent of what I’d have been able to do had I had my laptop to hand.

Yes, remote working is eminently possible – I do it all the time – but its effectiveness is hugely dependent on the tools available and the type of work that you’re trying to do remotely. Even working at home can be problematical and far less efficient than working in an office, if that’s what you normally do. And if you’re a laptop user and you don’t have it with you (which is a distinct possibility if you’re one of the many, many people who leave their laptops in the office when they go home) remote working can be trickier still.

And yes, there are all sorts of things that can be done with a smartphone (aside from checking Facebook or tweeting), particularly if your job largely involves phoning and emailing people and making a few notes. But in my experience their usefulness is limited and they’re really no substitute for a proper computer if you have things like reports to write (or read) or large, complicated spreadsheets to deal with, amongst other things. And, whilst they may be OK for a short period, I challenge anyone to work effectively for anything more than a very short time using just their smartphone.

So next time someone says to you “I can just work from wherever I am, as long as I have my mobile phone and an internet connection,” I strongly suggest you challenge them to prove it. Because some things are a lot easier said than done.

Andy Osborne is the Consultancy Director at Acumen, and author of Practical Business Continuity Management. You can follow him on Twitter and his blog or link up with him on Linked In.

Tuesday 12 August 2014

The value of continuous learning

I’m really very grateful that Education Month has given me an opportunity to focus on what interests me. Primarily, I’m interested in business continuity (as an element of a wider interest in Organisational Resilience). I’m also interested in improvement; that means self, organisation, personal and professional. And of course, I’m interested in education. I like to learn from my peers, colleagues, students and business partners, as well as by studying and maintaining focus on what is going on around us every day. And because it’s my job, I want to share that enthusiasm and interest with others; in this case, you.

Business continuity is one of those industries/professions/sectors that is on a growth trajectory. It needs to be as it works in an environment that is rife with influences that may engender or initiate change and thus inform the shape of risk and impact landscapes. There is much speculation, theorising and pontificating about what is coming, how it should be influenced or could be controlled and how we deal with impacts. From globalized business activity to changes in national and international power balances, from political reorientations to an emergence of technology enabled ‘people power’. Also, while there is an immense amount of opinion and theory put forward daily from all quarters concerning human behaviour and its effect on others (such as, by implication, political, economic, social, technological impacts) it is also worth considering ideas, theories and opinions on the less easily quantifiable and controllable. These are all areas for thought, concern and yes, education.

So, if we are aware of the potential problems, what’s the problem? Well, there are thousands of business continuity professionals (that is what you are: professionals) out there who are undereducated, or perhaps miseducated, or maybe even not specifically educated at all. You may have been trained; but ‘educated’ is a different thing. Of course, you will know things, processes, functions, problems and issues and you will be adept in your role, and if that’s OK with you; then that’s OK. The sector abounds with professionals who are working hard, mainly successfully, to do what needs to be done and in general, we don’t equate ourselves with reticence, lack of confidence or indecision; or indeed lack of self-awareness.

However, there are very many people who do hesitate when it comes to education. It is interesting. Maybe this hesitancy is not about cost; nor is it usually about obtaining support from employers. Usually, there is a fear of being overcome by the difficulties and challenges of learning, perhaps because they have been away from formal education for many years, or simply because they are familiar with training rather than the academic rigour of university programmes.

Well, simply put, there is nothing to be afraid of or worried about. If you decide to undertake an academic programme you can expect to be provided with advice, support, guidance and resources to allow you to grow into the mysteries of higher educational learning. In fact, here’s a little secret – there are no mysteries at all! Learning takes time; skills take practice, correction and amendment to perfect. It can be done and in fact, it is not intimidating or difficult at all. It does take hard work and application – but so does life.

Most importantly higher education learning doesn’t turn you into an academic; it enhances your professional capabilities. In fact, unless you are steeped in study on a daily basis, you are not an academic or a scholar – in reality, for those who undertake professional and academic courses as part of their CPD (continuing professional development), the clue is in the acronym - ‘CPD’! And importantly, it is not all about theory; education in the modern world and in the BC world should be about practical application.

So, in Education Month, perhaps it is worthwhile taking pause from your busy and demanding life and thinking about what you would like to be.
  • Better paid? Education helps whether you study for a certificate, diploma, bachelors or master’s degree.
  • More competitive? Education helps you to think about and analyse the world around you.
  • Better at your job? Education helps you to learn and understand what you do and why – and what you should be doing and why.
  • A thought leader? Education helps you to become a more effective thinker as well as an effective practitioner; win/win!
Education will not necessarily make you any better than anyone else. Just holding an award is meaningless if you are unable to make it work for you and if you cannot use and develop the skills and knowledge gained from your learning. But - if you’ve taken the time and trouble to read the Education Month blogs and other publicity then you must be interested and it may be time to transform your interest into reality.

Phil Wood is the Head of Enterprise, Security and Resilience within the Faculty of Design, Media and Management at Buckinghamshire New University in the UK.

Thursday 7 August 2014

Are you equipped for the future of work?

The world around us is constantly changing. Some say we now live and work in a VUCA environment, characterised by:

  • volatility
  • uncertainty
  • complexity
  • ambiguity

So how do businesses survive (and thrive) when nothing ever stands still? Perhaps part of the answer is in continuous learning and development, which can enable individuals to be agile and responsive to each and every challenge.

Continuing professional development (or CPD) enables you to take charge of your learning. Often CPD will involve a range of different activities which meet your specific needs, from enrolling on a formal training course, or qualification, to using social media to gain immediate insight on a topic. There is no one size fits all, and how you approach CPD will depend on your own preferences and goals.

There are, however, common benefits. Here I'll highlight six key reasons why CPD can support your development, and have a positive business impact.

Developing yourself

1. Setting goals
CPD enables you to spend time reflecting on your strengths and development needs, either from a technical or behavioural skill perspective. Through this process you can gain confidence through recognition of your existing abilities, and greater awareness of what you need to focus on next. This can help you to set clear and tangible goals, and be able to secure the support you need to achieve these.

2. Career enhancement
The new skills or additional knowledge that you gain through CPD can help to support your career progression. Showcasing your achievements in the workplace may lead to new opportunities or increased recognition and credibility. Often this may mean moving to a bigger or broader role. You may also identify a new area of professional interest and decide to pursue this as a career option.

3. Future-proofing
The skills and knowledge required in the workplace are constantly changing in response to external factors, such as technological and economic development. CPD is a way of 'future-proofing' your skills, to keep up with the pace of change. We don't know what jobs or skills will be needed in 10 years' time, but we do know that enhancing your skills and knowledge will enable you to adapt to whatever changes there are, as roles and organisational requirements evolve.

Developing your business

4. Learning culture
The benefits of CPD are not just confined to the individual. They also relate to the success of the organisation. Encouraging CPD across an organisation can help create a learning culture. This is an environment where learning is continual, expected of everyone and happens at every level. Having this focus on learning can enable an organisation to be more effective, as employees are better equipped to adapt and spot opportunities. It can also mean that there is more willingness to learn from experience, and see mistakes or failure as a developmental opportunity.

5. Maximising performance and potential
There is clearly a personal benefit to an employee developing and progressing in their career. However, there is also an equal gain for the organisation. CPD enables employees to keep their knowledge up to date, which in turn can drive greater performance in the workplace. It can also help 'unlock' potential through the development of enhanced skills. This can lead to a greater proportion of the workforce operating at their full potential.

6. Engagement and retention
CPD activities can also help support retention and engagement. A Spring 2014 Employee Outlook survey published by the Chartered Institute of Personnel and Development (completed by 2,523 UK employees) found that just 35% consider themselves to be engaged and 21% are looking for a new job. This is clearly a significant issue, and one which can have a profound impact on productivity and recruitment costs. Effective CPD can enable an organisation to meet this challenge and drive greater engagement and commitment, through enabling employees to develop themselves, meet their goals and progress in their career.

This blog provides just a snap-shot of the key benefits, and depending on the specific activity there are many more. For example, the value of networking with other professionals in training events, or the developmental gain from mentoring someone at the start of their professional career.

You might feel that these benefits are mitigated by the time investment involved. But CPD does not need to be time intensive; it's about the quality of the experience and how you use the development to enable you to thrive in changing times.

Ruth Stuart is the Research Adviser for Learning and Development at the Chartered Institute of Personnel and Development.

Wednesday 6 August 2014

Helpful advice on Ebola for business continuity professionals

Ebola is the big news story of the moment, all the media are covering it and they seem to be competing with each other to raise the fear level. ‘Out of control’, ‘deadly’, ‘terror’, all those words appear in even the more restrained media publications.

Many of us in the business continuity field will have had someone ask what planning we should do; hopefully this article will help you with that and also give you ammunition to combat some of the media excesses!

First some facts:

  • Ebola is not new, it was first discovered in 1976, the origin is thought to be fruit bats or other bush meat
  • It does have a high mortality rate (always quoted as 90%) but if caught and treated early this can be more like 30%
  • It is not as easily spread as diseases like flu which we all knew so much about during the pandemic. It is only passed through contact with bodily fluids. It is NOT passed by any airborne route such as coughing or sneezing.

As a business continuity expert what should you do? Well the first thing is don’t panic! Our role should always be to provide calm and unemotional advice and not help in any way to build up the fear factor.

How your organisation will be affected will depend on how much contact it has with the West African states which are the seat of the virus. If you have no contact then at the moment there is little you need to do other than gather some background information which you can do using the links I provide below. You could add a short section to your Pandemic Plan although Ebola and flu are not related, but many non-BC people will tie them together so it may be easier to go with that in terms of documentation!

If your organisation does have contact with the countries involved in the outbreak then obviously more action is needed.

The first step is to have clear guidance for staff travelling to the region or for staff based there.
The World Health Organisation (WHO) say there is no need for travel restrictions as the risk is very low due to the method of transmission.

They give some good pieces of advice:

  • Travellers should avoid all contact with infected patients.
  • Anyone who has stayed in areas where cases were recently reported should be aware of the symptoms of infection and seek medical attention at the first sign of illness.
  • The disease is NOT resistant to soap and water so good personal hygiene is important.

If you have staff based in any of the affected countries then sensible advice to issue includes:

  • Increased personal hygiene
  • Advise anyone who may have been in contact with an infected person to stay away from the office for up to 21 days, which is the maximum infectious period
  • Avoid bush meat as it is a potential source of infection
  • Avoid contact with anyone suspected of having (or having died from) the disease.

The symptoms of Ebola in the very early stages are flu-like: a sudden onset of fever, intense weakness, muscle pain, headache and sore throat are typical signs and symptoms. This is followed by vomiting, diarrhea, rash, impaired kidney and liver function, and in some cases, both internal and external bleeding.

So in summary for most BC people we should do what we always do, gather facts (not speculation!), understand the risk and have a clear plan of what to do if Ebola affects your organisation.
If you are connected to the region in any way then prepare plans and advice based on reputable sources such as the WHO.

And above all don’t let the media be the driver for how your organisation reacts!

David Hutcheson is Managing Director of Glen Abbot, a BC and Security consultancy. David was CIR Industry Personality of the Year in 2010 for his work on pandemics. He is currently advisor to a number of organisations on Ebola including some based in West Africa. His blog can be found here.

Here are some useful links you may wish to keep:

World Health Organisation (WHO) - FAQs on Ebola virus disease
Public Health England's risk assessment of Ebola outbreak in West Africa

Tuesday 5 August 2014

Keeping your eye on the ball (or your supply chain, that is)

Any professional dealing with supply chains knows how complicated their management is. Supply chain disruptions are Murphy’s Law exemplified – anything that can go wrong, will. In the last five years, respondents of the global BCI Supply Chain Resilience Survey have named all sorts of consequences that supply chain disruptions may bring. These range from lost productivity, customer complaints and reputational damage to increased scrutiny from regulators, among many others. Costs associated with supply chain disruption are staggering. In fact, 13% of respondents in this survey report losing at least €1 million in a given year.

Given how supply chain disruptions can cause so much damage, it is surprising to note that many organisations are still in the dark. Almost 40% of organisations surveyed do not track supply chain incidents at all. Among those who do, gaps are still present – more than 15% do not analyse the source of disruption. As more incidents stem from lower tiers of a supply chain (suppliers of suppliers, or even further down), the potential for loss is great. This lack of visibility has caused some high-profile incidents, such as the horse meat scandal or the Bangladeshi garments factory collapse, leaving companies up the chain scrambling to recover lost profits and reputation.

This evidence points to the need for companies to improve the visibility of their supply chains. Ensuring that companies do not take their eye off the ball – or their supply chain, in this case – is crucial given that incidents are bound to occur. This can be done in several ways, such as continuously working out overall business continuity (BC) strategy, checking how suppliers’ BC arrangements measure up to threats, and constantly engaging with suppliers. Whilst these may be a daunting challenge for supply chain professionals, ensuring top management buy-in and investment in supply chain resilience will facilitate this process.

Retaining the status quo may cost nothing in the short term, but it only takes an incident to bring a company down to its knees. Whilst this is not meant to cause alarm, it is sobering advice that must be heeded. Given the evidence behind the consequences and cost of disruption, companies stand to profit from embedding resilience within their supply chains. Visibility is the key to ensuring supply chain resilience, and must be given priority in company strategy.

The global Supply Chain Resilience Survey sponsored by the Business Continuity Institute and Zurich Insurance is ongoing here. In its sixth year, this study aims to track the origins and consequences of supply chain disruption and benchmark BC arrangements in place worldwide. A copy of last year’s report may be found here whilst a five-year trend analysis may be requested from the BCI.

Patrick Alcantara is a Research Associate for the Business Continuity Institute who joined after finishing a Masters in Lifelong Learning with distinction from the Institute of Education (University of London) and Deusto University.

Monday 4 August 2014

10 Items which should be in a BCP (and are often forgotten!)

What should a business continuity plan contain? It's important to keep it concise and manageable, but I'm sure we all have our own ideas as to what the 'must have' items are. Charlie Maclean-Bristol of PlanB Consulting takes us through what he thinks the top ten features of a good plan are:

1. Scope. On many of the plans I see it is not clear what the scope of the plan is. The name of the department may be on the front of the plan but it is not always obvious whether this is the whole of the department, which may cover many sites, or just the department based in one location. It should also be clear within strategic and tactical plans what part of the organisation the plan covers. Or does it cover the whole of the organisation? Where large organisations have several entities and subsidiaries it should be clear whether the tactical and strategic plans cover these.

2. Invocation criteria. I believe it should be fairly clear what sort of incidents should cause the business continuity plan to be invoked. I also believe that these invocation criteria should be “SMART”, so as not to be open to interpretation. The criteria should be easy to understand so if you get a call at 3am and are informed of an incident it should be fairly obvious whether you invoke or not. Focus should be on the loss of an asset such as a building or an IT system, not on the cause of the loss. There needs to be a ‘catch-all’ in the invocation criteria which says ‘and anything else which could have a major impact on our operations’ so that the criteria are not too rigid if we need to invoke for an incident we have not yet thought of.

3. RTOs. Defining and agreeing your Recovery Time Objectives is one of the most important items you set during the analysis and design stages of the business continuity lifecycle. There should be a list of RTOs relevant to your plans within the document so you can make sure that you are going to recover your operations at an agreed time.

4. Strategy. I have looked at lots of plans which have lots of detail within them but having read them I am no wiser as to the organisation’s recovery strategy or even whether they have one at all. I like my plans to have a written strategy which tells the story of how we are going to recover, containing details of outline activities, locations and timescales. Then it is clear to anyone implementing the plan what your recovery strategy is and how it will be implemented.

5. Information from the BIA. I have seen lots of organisations which do very detailed BIAs and collect lots of information. This information, which could all usefully be used in the recovery, does not make it into the plan. It looks as if two separate activities have been carried out - the BIA and the plans - yet there is no visible connection between the information collected in one and the information in the other. If you cannot use the information in the plan then why collect it in the BIA stage at all? There should be a clear relationship between the information collected in the BIA stage and the information within the plan.

6. Items not needed on the day. Many plans I see are a cross between a plan containing information needed on the day of the incident and policy information. During an incident you do not need information on how often the plan needs to be exercised or the responsibilities of the Business Continuity Manager. My suggestion is to go back through your plan and move to a separate document any information which you do not need on the day of an incident.

7. Telephone numbers. I think telephone numbers should not be contained within the plan. You may wonder how that can be so, as surely you need the numbers to communicate with your key interested parties. Having telephone numbers available is important but I think it should be a last resort to put them within the plans. As soon as you put numbers within a plan you create a monster, which needs to be constantly fed. Every time a number changes you have to change the number in the plan and then send out the amendment to all those who hold a copy of the plan. This creates a huge administrative task; if you give out copies of the plan in hard copy, this kills loads of trees, as you will have to reprint a number of copies of the plan. If you just send out the relevant section or page of the plan, what you end up with is an unamended plan stuffed full of amendments.

If possible, make use of existing lists within your organisation. There are people whose responsibility it is to update telephone lists. The CEO’s PA may keep all the senior management team’s details up to date on a laminated card and send the card out to all executives. Get yourself on this distribution list for the card and instantly you have a list of the telephone numbers of all senior managers. If HR keeps a list of all home telephone numbers and mobiles, ask for the list to be made available to the incident team on the day of the incident. Often people are happy to give HR their details but may be reluctant to give the details to anyone else in the organisation. My suggestion is to, wherever possible, avoid putting telephone numbers in a plan and try to make use of existing lists which are maintained by others.

8. Your plan should have a logical sequence. Too often plans have lots of good information but it is difficult to find. Perhaps on the first page of the plan you could have an immediate action list rather than have pages of background information, scope, objectives and quality assurance information. These are all important and should be in the document but why not put them at the end so they can be referred to only if necessary?

9. Details of the medium to long term recovery. Many plans only concern themselves with the short term recovery and the immediate actions to be carried out after an incident. They go into great detail of how the first 10 members of the call centre will get to the work area recovery centre within the RTO of 24 hours. What the plan does not mention is the strategy for recovery of the 90 other members of the call centre who need to be recovered within one week. Yes, there can be some hot planning on the day but I believe there should be some detail within the plan of how to recover the “second wave” of staff.

10. A team to manage the incident. Often at the operational level a plan contains lots of good information on the recovery of the department but does not contain any information on who will manage the recovery. Will their representative on the Tactical Team manage the recovery or will it be the departmental managers who will get together and implement the plan? The Good Practice Guidelines 2013 says that every recovery plan should have a team to manage it.

Charlie Maclean-Bristol is a Director at PlanB Consulting in Scotland.