Friday 31 October 2014

Resource-based contingency planning – an alternative approach to ISO22301 certification

Business continuity is, especially in the Anglo-American world, not much of a new concept. Not being new also means that it is probably due to be redesigned. Since the inception of Business Continuity Management in the late 80s and early 90s of the last century, the world has changed quite a bit. The main concepts, procedures and processes of BCM however have not changed that much in the past 25 or so years. We are still talking PDCA, we are still talking process-based business impact analysis, we are still trying to do the work of risk managers with our task in the fields of operational and reputation risks. We still have the BCM Lifecycle.

Those who are practitioners in the profession may have already realized that the theoretical strategies and tactics as outlined by the BCM Lifecycle approach may not always meet the needs and possibilities of an organization seeking to implement BCM. The business impact analysis, for instance, needs processes, since it aims to operationalize the damage caused by a failed process. But which organization has a complete and operationalized process document which allows it to just sum up losses and damages along process chains? And how can the BCM organization define the so-called BCM-Strategies when they haven’t even asked the business what they think they need as workarounds to cover a resource which was lost or damaged because of some crisis situation?

Here we already have the word that this presentation is about: resources. What I call resource-based contingency planning is actually not just contingency planning, but part of a new approach to business continuity, which offers an alternative to the BCM Lifecycle. In the first part of the presentation, I will briefly introduce this system, which covers all parts of what we know is demanded by the BCM Lifecycle, though in a quite different sequence and with partly completely different methods and tools, and which addresses all controls of the ISO22301 standard.

In the few minutes I have for the presentation, I cannot go through the complete methodology that I call resource-based business continuity. I will only show a core part of it, one of the 15 deliverables and work objects of a business continuity management system – the business continuity plan, probably the most important of the five different plan types which need to be created for a complete BCMS (the others being the disaster recovery plans, the emergency and rescue plans, the crisis communication plan and the crisis management plan).

The most astonishing part of these BCPs may be the inclusion of a risk assessment as a part of this plan. The risk assessment, being a core element of ISO22301 requirements, is no longer a work package of its own, but an integral part of contingency planning. The reasons for this, and why this makes much more sense than to emulate the work of a risk manager prior to actually planning for catastrophes, will be given in my presentation. The same, by the way, is true for the identification of critical suppliers and clients, which is also done in the course of discussing and deciding on a workaround in the case of the loss of a critical resource.

However, in the title of my presentation, you find the most important difference between the BCM Lifecycle approach to business continuity and what I am doing. Where the lifecycle’s objective and basis of action and contingency planning is the business process, in my world it is the resource. One does not need the availability of documented and operationalized business processes to implement a BCMS, but only knowledge about what resources an organization has. And, unlike processes, this bit of information is most often readily available, and if not, can be created without much work.

With the presentation, I will provide a view into a core part of an alternative approach to ISO22301 certification, which delivers some novel ideas on how to structure a contingency plan, how to identify critical clients and suppliers, and how to identify and assess operational risks. And if you pay attention, you might get an idea of why this approach to implementing business continuity allows for applying for certification as early as some six months after the start of the project, and why this approach reduces the cost of BCM between 50% and 80%.

Rainer Hubert will be discussing ISO22301 further on day two of the BCI World Conference and Exhibition on Thursday 6th November. You will find him in seminar room 1 starting at 13.10.

Thursday 30 October 2014

Becoming certified to ISO22301 - what NOT to do! (Why auditors get grumpy!)

Tip number 1: The lack of a regular supply of good quality biscuits is the first non-conformity!

Looking forward to my presentation at 13:10hrs on November 6th in seminar room 2 of the free exhibition part of this year’s BCI World Conference and Exhibition. I realise that there are many BC practitioners who, although practiced in the creation and maintenance of a Business Continuity Management System (BCMS), have yet to seek certification to a standard. Additionally, I recognise that others may have only assisted in achieving certification, and even those, though certified, constantly struggle with a stream of nonconformities found by external auditors which, if left unresolved, threaten the organisation’s certification.

During the past three years I have been working as an externally contracted assessor and ‘Technical Specialist’ with one of the top assessment organisations in the world who, via audit, assess companies for the suitability of their BCMS for certification to initially the BS25999:2006 standard and subsequently its replacement ISO22301:2012. Over this time I have been fortunate to audit the BCMS of around 100 companies by pre-assessments, Stage 1, Stage 2 and Continuous Assessment Visits (CAVs).

Fellow practitioners sometimes ask me if I get bored with assessing to the same standard day after day. Fortunately this is not a problem as, although the standard is the same, no BCMS is alike, and understanding the multiple ways of constructing a BCMS compliant with the standard has been fascinating and provides me with continuous opportunities for my own personal development, sometimes by observing good practice but unfortunately all too often from seeing practices which fail to meet the basic requirements.

I should make it clear, and possibly surprising for those who know me, that I am a big supporter of the 22301 standard. Now it is by no means the perfect standard, if indeed that could ever be achieved. However, I am someone who began in this business when training courses, good practice guides and the words “Business Continuity Management System” were things of the future and, to be frank, “making it up as we went along” was the name of the game. As a result it is in my view great to have a common structure around which to create a Business Continuity Management System. Now of course we need to improve it.

So what will I be presenting? Will it be the secret formula which all Business Continuity practitioners seek to create the perfect BCMS? Will it be the best way to smooth the ego of your auditor to the point where they are purring over your perfect creation? Only one way to find out, be there, oh and bring a biscuit or two.

Colin Ive has been a Member of the Business Continuity Institute since 2001 and is a qualified Lead Auditor for ISO9001, ISO22301 & ISO28000. He is a regular presenter at European & USA Business Continuity and Business Resilience Conferences and a contributing author to both the ‘BCI Good Practice Guide for Business Continuity Planning’ and the acclaimed ‘Business Continuity for Dummies’, in addition to numerous articles.

Colin will be discussing ISO22301 further on day two of the BCI World Conference and Exhibition on Thursday 6th November. You will find him in seminar room 2 starting at 13.10.

Wednesday 29 October 2014

Developing simple recovery plans for key processes

If a major incident affected your business tomorrow, what are the processes, machinery or even suppliers that would be really hard to replace quickly – the really awkward ones, the unique machinery or equipment that perhaps there isn’t really a plan for, let alone a plan that gets you back within an acceptable recovery time?

Spotting the problems is relatively easy, particularly when you get into manufacturing or supply chain businesses. The challenge for Business Continuity Managers is to do something about them and develop practical, simple recovery plans – even for the hard stuff.

I lead Business Continuity Management at Rolls-Royce Plc, where we have several key manufacturing processes that are both important and challenging to recover quickly.

Over the last year, we have developed a simple but effective approach to business recovery planning for these processes and it fits in just two pages.

This approach has helped the business to understand the risk, recover more efficiently and to prioritise capital investment decisions.

At the 2014 BCI World Conference and Exhibition, I’ll be showing you how this works along with providing practical hints and tips so that you can make it work in your business too.

James Stevenson will be discussing this issue further on day one of the BCI World Conference and Exhibition on Wednesday 5th November. You will find him in seminar room 2 starting at

Tuesday 28 October 2014

A case study of the integration of ERM and BCM as an independent function

At the 2014 BCI World Conference and Exhibition, participants will have an opportunity to listen to a real case study of the integration of Enterprise Risk Management (ERM) and Business Continuity Management (BCM) as an independent function. This is an innovative and forefront role for the ERM and BCM function.

In my presentation, I will show how the traditional reporting structure and work functions of ERM and BCM in an organisation are usually separated from each other. The ERM and BCM functions are typically part of the executive management team and the head of ERM and BCM reports to the executives such as the CEO or the CFO.

I will share with you the real life case in Malaysia where the ERM and BCM functions are integrated as a 'single' function and act as an 'independent' unit - assuming the roles and responsibilities similar to those of the Internal Audit - separated from the Management. The integrated ERM and BCM independent function reports functionally to the Board of Directors via the Board Audit Committee and administratively to the CEO.

The integrated ERM and BCM function will serve as the foundation for a well-governed and well-managed organisation that is built on a solid resilient foundation of BCM and supported by three pillars of Corporate Governance - Governance, Risk and Compliance.

In order to ensure the effectiveness of an integrated ERM and BCM independent function in an organisation, the following pre-requisite criteria must be established:
  1. An integrated ERM and BCM Charter clearly stating the independence, authority, position, roles and responsibilities of the ERM and BCM functions
  2. Unbiased support from the Board of Directors and the CEO on the independent roles and responsibilities of the integrated ERM and BCM function. The Board of Directors via Board Audit Committee is responsible for the oversight of the work of the integrated ERM and BCM function and for the performance and oversight of the Head of Integrated ERM and BCM function, and ensures that it has a sufficient amount and quality of resources to fulfil its roles
  3. The appointment of the Head of integrated ERM and BCM function must be approved by the Board of Directors. The Chair of the Board Audit Committee is consulted before the appointment of the Head of integrated ERM and BCM function or the termination of his/her employment and conducts entry and exit interviews with the same
  4. The Head of integrated ERM and BCM function and the supporting subordinates should possess strong knowledge in the disciplines of both ERM and BCM
  5. The Management shall know its role as risk owners and BCM process owners, and these must be clearly communicated and supported by the Management
I will also share with you the benefits of an integrated ERM and BCM independent function and some of the limitations that you may face if you implement the said function in your organisation.

In conclusion, I will share the key takeaways on the lessons learnt from the Malaysian experience that can be adapted to your organisation since there is no 'one-size-fits all' integrated ERM and BCM function. The ultimate goal of the integration is to have a synergy between the two functions as an independent function that will contribute towards a well-governed and well-managed organisation.

Chong Chen Voon is currently the Managing Director of GRC Consulting Services and an Executive Director of EJF Group, a group of consulting firms providing Consulting, Advisory and Training services.

Chong will be discussing 'the integration of ERM and BCM as an independent function' on day one of the BCI World Conference on Wednesday 5th November. You will find him in seminar room 3 starting at 13:10.

Monday 27 October 2014

Business continuity: human resources as powerbrokers?

The proposition that human resources hold one of the golden keys to successful business continuity will be presented on day two of the BCI World Conference and Exhibition in the Listen Stream. David Evans and Lynne Donaldson of Corpress LLP will argue that the HR role in business continuity is often understated, possibly not understood and for many organisations undervalued.

Please share your thoughts with us on how important HR (Personnel) are to your BCM process: are they heavily engaged or just reactive when pushed and how much time do you spend working with them?

Placing people at the heart of the continuity process has an inherent logic about it: organisations are after all a collection of people with a few facilities, procedures, a purpose and maybe some cash holding them together. The more effectively people work together, then the greater the chance that an organisation will be successful. At a simplistic level, shared goals, good leadership and competent people are a good place to start.

Indeed, according to the BCI Good Practice Guidelines, business continuity is “the capability of the organisation to continue to deliver………” and without the right people in the right place at the right time, there is no capability.

Is there a danger that in stripping down an organisation to assess the causes of failure and analyse business impacts we lose sight of the important role of staff and contractors? It may be easier to consider that an activity or a process can fail due to physical disruption, equipment failure or other losses leading to impacts on the organisation rather than examine the role played by the individuals tasked with developing, maintaining and implementing the process.

If this was the case, then people could legitimately be relegated to a footnote in the BIAs relating to loss of key people or teams. Alternatively we could focus on recovery rather than impact, perhaps creating a starring role for HR when things start to go wrong, when response teams are required to act rapidly and implement the plans and arrangements that have been carefully crafted to recover and ultimately protect the organisation.

It would be easy for business continuity to become technology bound: there is a wealth of failures and impacts that affect organisations when equipment breaks, facilities are damaged or the utilities fail. Plenty to keep us occupied and as a result a dangerous path to take, one where we forget the social side of the equation and concentrate on the technology and the systems.

People + Technology + Systems = Organisation
 
This blog is being written on the day the Bank of England Governor Mark Carney launches an investigation into the crash of the CHAPS payment system. He promises to discover what went wrong and if officials had responded properly. For officials read people. You can almost picture the inquisitor sitting down with a blank sheet of paper and starting to write down the questions to be answered:
  • Who caused it?
  • Who responded when the problem occurred?
  • Who was competent and possibly not so competent?
  • Who checked the work?
  • Who solved it?
  • Who is to blame?
I accept that there is an equally valid list along the lines of what went wrong and why; “who” is only one of Kipling’s six honest serving men. But it illustrates how important people are in the equation. Which takes us to HR or, if you prefer, Personnel.

From the day you arrive in your new job until you decide to part company with the organisation, HR play a key corporate role in your business life. The culture you work in, the competence and skills of your co-workers and yourself, and even your role itself are all guided by the hands of HR. They protect the organisation, including managers and staff, from breaching workplace legislation. They have a significant input to the establishment of strategy and its delivery, because nothing happens without people. All major projects, most major investments and nearly all changes to the business will at some point involve them.

Let me introduce you to a professional group of people who work from the top to the bottom of the organisation, have had contact with everyone in it, help to develop their capability and foster their engagement, and protect you from a wide range of legal liabilities.

Not only that, but as soon as problems occur and the world is looking a little less rosy, it would be kind of helpful to have a team who know what skills are available and where they are located, who help you communicate across the organisation and, ultimately, help build a resilient culture.

But more of that during the presentation. If you can’t wait and want to share experiences or request more detail on how to get HR engaged, then please email us at contact_us@corpress.uk

Friday 24 October 2014

Business continuity and information security – a good fit?

During my interaction with senior management as a business continuity/information security consultant, especially amongst IT centric organisations, I am invariably asked a question: "We come across too many ISO standards which have common themes. In your opinion, which are some of the Standards that come very close especially from an implementation perspective?"

As you can see this is a very loaded question from the senior management who are typically fed up with too many rules, regulations and standards trying to govern their lives. Also, whilst they want to adhere to all applicable regulations and standards they want some optimisation of their costs in implementation.

My typical answer to this is as follows: "If your emphasis is on service management please combine ISO 9001:2008 and ISO 20000:2011. In fact implement only one standard and ignore the other. If your emphasis is on information security and business continuity please combine ISO 27001:2013 (ISMS) and ISO 22301:2012 (BCMS) implementation."

From a historical perspective, both ISO 27001 and ISO 22301 have emerged from British Standards and have a sort of common past. Leaving that aside, information security, as the pundits drum into us, is all about confidentiality, integrity and availability of information. Business continuity, on the other hand, is about availability (of information or business) in case of a disaster. In companies where information is business, these two standards merge quite well.

All this, however, has to start with the scope of the ISMS/BCMS. What is the context of the organisation that is planning to implement the BCMS/ISMS and does the context match in both cases? If the context matches we have a winner and we can choose to implement both management systems together with a common project plan/team. Typically, BCMS and ISMS (at least in mature organisations), come under the ‘Risk Department’ organisationally. If this is not the case, it would be worthwhile to make organisational changes before commencing implementation of BCMS/ISMS.

In my address at the BCI World Conference and Exhibition, I will be looking at this from a practical perspective to explain how we can implement BCMS and ISMS together along with common features of both the standards.

So … happy interactions!

Ramesh Ramani will be discussing 'Business continuity and information security – a good fit?' on day one of the BCI World Conference and Exhibition on Wednesday 5th November. You will find him in seminar room 3 starting at 9.20.

Wednesday 22 October 2014

Genoa: The city where maths kills people

On October 9th, 2014 - with HI CARE Association and PANTA RAY - the BCI Italian Forum was launched, the first Business Continuity Institute affiliated network in Italy for business continuity professionals. In a conference held in Milan, I had the chance to point out how the culture on this topic in our country is still very low and how it is important to pursue a radical change in mentality and in the approach to crisis management.

There was no need for the umpteenth flood in Genoa to confirm how urgent the need for change is. But unfortunately, just a few nights before our forum, the Bisagno river overcame its embankments, killing one person (in 2011 the victims were 6). The city woke up to a widespread blackout, Enel declared that over 2,000 clients had no power, schools and universities were closed, several blocks were flooded and economic and infrastructural damages were significant (circa €200 million of public expenses and approximately €100 million of private damages to companies and shops).

A scene we are used to, not only in Genoa unfortunately. But there is a good piece of news, we finally found the guilty party: maths! The President of the Liguria Region Burlando declared: “It is the first time that mathematical models are wrong.” He must have missed all the financial slumps in the history of the world. “The phenomenon that was registered yesterday has never happened before and our weather forecasting models could not anticipate it. The model is still valid though, until now it has always predicted the weather so that we never made mistakes related to severe crises”. Good to know.

I think we can list thousands of reasons that led to the umpteenth tragedy: bureaucracy, soil consumption (which in Italy is twice the European average), the lack of resources, the typical Italian mentality that is anything but focused on prevention and planning, etc. All valid considerations that highlight the need for careful reflection. But, maths?

I really do not want to concentrate the attacks on President Burlando, but I do have to highlight these statements because they reveal a problem that I have to face quite often as a business continuity and crisis management consultant, with both public entities and private companies. Here is the deal: Business continuity is often confused with risk management, a discipline that – by definition – is based on probability calculation and therefore on mathematical models. This is a problem, since business continuity is meant to ensure the resilience of an organization regardless of the probability of occurrence of a potential disruption. Business continuity is applied to the so-called 'residual risk', or the part of risk which is not manageable or computable. Outcome: when mathematical models fail and no business continuity practices are embedded in the organization, disasters happen!

Risk management (and math, of course) is a fundamental discipline, as weather forecasting is fundamental as well. But thinking that they never fail is crazy, and doing nothing but relying on math models is criminal. It has to be said pretty clearly, because people die and companies fail. The Ferraris Stadium in Genoa is right next to the Bisagno river. What if the 'math models' fail again on a football match day, when the area is full of thousands of supporters?

Earlier this year, we held a conference at the Chamber of Deputies with Joseph Bruno - Commissioner of the New York City Office of Emergency Management as the guest speaker. We discussed these topics and we presented the crisis management model of the City of New York to politicians and the highest members of institutional entities. Now we have launched this BCI Italian Forum, which is completely free and aims at aggregating the most important competencies on the subject to create a network in Italy as well. I want to stress a concept I already mentioned during my speech at the conference in Milan: there are no excuses anymore! Each of us needs to accept his/her own responsibilities and act to raise the awareness on prevention and preparedness in this country. Otherwise, to find the guilty party you just need to look in the mirror.

Alberto Mattia is Managing Director at Panta Ray, a management consulting company specialized in business continuity and crisis management, and Secretary-General at HI CARE Association, a non-profit organization dealing with territorial security projects in Italy. A graduate in Economics and Finance of the Università Bocconi in Milan, Italy, Alberto started his career in the US at BT Radianz and then JPMorgan Chase Bank. He then worked as a Project Manager at Centrobanca and as a Risk Manager at UniCredit Group.

Monday 20 October 2014

Business continuity vs risk management

According to ISO22301, business continuity is defined as the capability of an organisation to continue the delivery of its products or services at acceptable predefined levels following a disruptive incident.

Risk management on the other hand is the systematic process of understanding, evaluating and addressing the risks that an organisation faces in order to mitigate against them.

So that all sounds quite clear. The former is more concerned with the management of a disruptive incident after the event and so deals with the consequences, while the latter focusses on the management prior to any incident taking place and so deals with the threats. Two very distinct disciplines, aren’t they?

If you go back to the basics however, risk management assesses the likelihood of an incident occurring and the impact that it would have on the organisation. If one of the aims of risk management is to mitigate against the impact of an incident, then isn’t this moving into business continuity territory? Doesn't this mean that business continuity is just a function of risk management?

This is the issue that is up for discussion on day two of the BCI World Conference and Exhibition on the 6th November. Panel members from a wide variety of organisations on both sides of the debate will clash as they discuss the motion ‘business continuity can only ever be subservient to risk management’. Don’t miss out on this opportunity, book your place at the conference and join the debate.

Friday 17 October 2014

Deriving X factors to support your BCM programme

Obtaining management commitment for resources and funding for BCM programme implementation and sustainability is always a prime challenge for most of our fellow professionals. We are continuously struggling in selecting the most effective approach to secure a dynamic business continuity programme.

Unavoidably, many times in our careers we have presented a PowerPoint slide with some standard statistics from Google to our management, using our best persuasive techniques to try to convince them to allocate the necessary funding to set the programme in motion.

Most of us use facts and figures as a method of persuasion. In this case, however, arming yourself with general information and scare tactics can prove to be a downfall: it may overwhelm management and provoke the common reason that many businesses are without a business continuity plan: “It will never happen to me”.

Across-the-board examples and generalizations are vulnerable to being inapplicable or unconfirmed, which is a complete contradiction to what we are striving for in trying to integrate business continuity within our organisations in the first place. So, the number one way to make your management team not only aware of the risks you seek to diminish, but to gain their commitment for your business continuity programme is to outline the specific threats to your specific business. An evident reason for management to commit to a business continuity proposal is risk vs cost. If the risk far outweighs the cost, we are likely to be successful in securing funding for solutions that mitigate that risk.

In my presentation I shall present a practical model case of an organization and the journey of their BCM Manager that secured management commitment by identifying their own 'X' factors that are derived from information within the organisation. These factors are the basis for any legitimate business continuity programme and were mainly driven from the following areas:
  • Regulatory
  • Legal
  • Revenues
  • Share Price
  • Productivity
  • Brand – Marketing
  • Customer – Opportunity
  • Insurance
  • Operational
I will give the delegates a proven approach to understanding the current risks and their impacts on the business in terms of financial loss, and how this can be presented to convince management and secure its commitment.
  • Delegates will learn how to identify the monetary loss of various impacts and the financial loss implications of not having the right BCM arrangements
  • They will get a practical understanding of how to use these factors to support their BCM programme
  • They will get an understanding of how information available within the organisation can support their case
  • This model case can be applied to any type of organisation or sector
Nisar Khan has a professional career of 14 years, with 11 years of experience in managing Corporate Business Continuity programmes in the public and private sectors. Previously he functioned as a BC/DR Manager for a consultancy firm, delivering end-to-end BCM programmes and training to leading companies. He is a dedicated ambassador of the discipline and has earned the following recognitions:
  • Highly Commended at the BCI Global Awards 2013 as ‘BCM Manager of the Year’
  • Winner of the BCI Middle East Awards 2013 as ‘BCM Personality of the Year’
  • Winner of the first BCI Middle East Awards 2012 as ‘BCM Manager of the Year’
  • Winner of the BCI Asia Awards 2012 as ‘BCM of the Year’
  • Highly Commended at the BCI Global Awards 2012 as ‘BCM Manager of the Year’
Nisar will be discussing 'Deriving X factors to support your BCM program' on day one of the BCI World Conference on Wednesday 5th November. You will find him in seminar room 3 starting at 15:10.

Thursday 16 October 2014

Design and implementation of a business continuity management programme

The BCI World Conference and Exhibition is split into three streams - listen, learn and lead - and the idea behind the middle of these streams is to enable delegates to explore the full BCM Lifecycle training experience.

I will be doing this through presenting a selection of the material used in the Business Continuity Institute’s five day BCM course, highlighting the main elements of the process, and exploring some of the issues that need to be understood in the Design and Implementation stages of the process. The exploration will be through discussion and debate, into which I will provide the knowledge and experience that I have obtained over many years both teaching and practicing BCM in a wide variety of types of organisation.

In the Design session we will be exploring two issues which, in my experience, most people struggle with both in learning the theory of BCM and in practice when applying the theory to their own organisation:
  • How close should the Recovery Time Objective be to the Maximum Tolerable Period of Disruption?
  • What is a safe separation distance for recovery sites, alternative facilities, and backups?
In the Implementation session we will be exploring three issues, which although they are simpler than the two Design issues, still give rise to considerable debate:
  • What is a Business Continuity Plan (BCP)?
  • What are the common elements of all plans at all levels?
  • What resources do you think are needed for a response team meeting room, and how do you think that space should be best utilised?
In each session I will take the delegates quickly through the main steps of the BCM process as they are taught in the BCI’s five day BCM course, pointing out some of the more important concepts and techniques that need to be learnt, and then, at the appropriate point, raise the issues that I have decided to explore. I will be asking the delegates for their views, encouraging debate on what the most appropriate solutions appear to be, and attempting to bring the discussion to a conclusion through explaining what the BCI’s Good Practice Guidelines (the GPG) recommends.

By attending the two sessions that I am presenting, you will get not only a flavour of what you’d learn on the BCI’s five day BCM course, but you will also get the opportunity to explore some of the Design and Implementation issues that you will need to know how to tackle if you are to help your organisation to successfully implement an effective BCM programme. It will also give you an opportunity to take part in a discussion and debate on some of the Design and Implementation issues that even experienced BCM professionals have difficulty with.

Mel Gosling MBCI has been an instructor for Continuity Shop on the BCI’s five day BCM course ever since it was first launched in 2008, when it was based on the 2008 version of the GPG, and has contributed to developing both the course and the GPG through the 2010 and 2013 versions. Throughout the past six years he has helped over 200 students achieve certification through passing the BCI’s exam, and has learnt how best to present the extensive and concentrated material in the GPG to enable students to both learn and understand the BCM process. Attending these two sessions will give you an insight into how Continuity Shop presents this course, and a taste of some of the issues that you will encounter.

Mel will be discussing design and implementation within the 'Learn' stream at the BCI World Conference on Thursday 6th November, starting at 10:30.

Friday 10 October 2014

ISO22301 certification at the UK's Houses of Parliament

“If you don’t know where you are going you’ll probably end up somewhere else!” At the BCI World Conference in November I’ve been asked to run a session on two key stages of the BC Lifecycle: Policy and Programme Management and Embedding BC into the organisation. Can you imagine my excitement?!

Well, having just achieved ISO22301 certification for the Houses of Parliament I see the outer ring of the lifecycle (Policy and programme management) and the inner core (Embedding) as the tyre and axle of the wheel; get this right and you’ll have a smoother journey.

There are many lessons to share and I hope the conference provides an opportunity to do so. Let me give you an example of what I mean. My BC policy originally said that it ‘would be reviewed on a regular basis’. The external auditor from the BSI pointed out that ISO22301 requires that the policy is reviewed at ‘planned intervals’. My policy now says it will be reviewed ‘at least annually’; that is what we always meant but didn’t make clear. Other examples of poor language are found in phrases from Management Board papers saying “Human Resources might want to look into….” What does ‘look into’ mean exactly? It is not about being pedantic, it’s about being clear in your planning so that all interested parties understand what is being asked of them and how this will be assessed.

The policy sets out what you are going to do, the scope of your BC capability and defines roles and responsibilities. The programme will set out how and when you will implement the BC capability. So, the policy will help you know where you are going and the embedding will help you stay on course. My workshop at the conference will describe how these parts of the BC Lifecycle can be achieved.

Martin Fenlon MBCI, Business Resilience Coordinator at the UK's Houses of Parliament, will be discussing this issue within the 'Learn' stream at the BCI World Conference on Wednesday 5th November, starting at 10:30.

Thursday 9 October 2014

Think you're an expert in business continuity?

Jeopardy, The Weakest Link, Who Wants to be a Millionaire, or perhaps just the local pub quiz. Everyone likes a good game show to challenge the mind and to test whether you really are as knowledgeable as you think you are.

Are business continuity practitioners any different? We'll soon find out. To end the BCI World Conference and Exhibition on a high, the Business Continuity Institute along with Crisis Guardian, will be hosting their very own game show.

The game show will contain relevant and important business continuity messages and will touch upon topics covered in some of the conference presentations, so make sure you pay attention. You will however be pleased to know there are no music questions.

This is an audience participation event so you can put your heads together with fellow delegates, using shared interactive voting handsets, to answer a series of topical questions and have fun at the same time as learning something new and interesting to take away with you.

So, do you think you're an expert in business continuity? Perhaps you are. Now is the time to put that to the test. Book your place at the BCI World Conference and Exhibition to take part in this one-off event and really put your business continuity skills to the test.