
July/August

Q3 2009
2013
ISSN 2046-5874 (Online)

Getting the balance right: how much information to put in your BCP

A brake on the blame culture: removing the fear of reprisal

SME and climate change: anticipatory adaptation is critical

Sit up and listen: getting the Board's attention

Visit the BCI website www.thebci.org


Editor's Note & Chair's Column

When it really matters

Andy Murray barely had time to draw breath following his victory in the final of the Wimbledon Championships in July before being dragged in front of the press to face a barrage of questions.

Over the next few days, he appeared on hundreds of television shows and radio programmes, as well as in countless articles and blogs. In almost every interview, the first question he was asked was, "In that final game, what was going through your head?" Each time Murray explained that he simply couldn't remember. He had almost stepped back from the scene and let his body get on with what it had been trained to do over the last 20 odd years.

This ability to almost switch off yet still continue to maintain peak performance when it really matters seems to be at the core of most top athletes. In fact, most claim that if they have to think too much about what they are doing at those key moments it becomes a distraction and they often fail to deliver as a result.

Being able to switch onto automatic pilot while still maintaining your focus is perhaps the nirvana of business continuity: that ability to respond to the vagaries of a particular disruptive event without having to consult various plans or checklists; to keep your eyes on the end goal no matter what the incident throws at you and your team.

Of course, while it is virtually impossible for BCM teams to achieve the almost transcendental state reached by top athletes given the complete dedication at all levels that this would require, it is still something that they should aspire to emulate. This is no easy task, particularly given the range of other organisational priorities that BCM competes against.

It is about putting in the hours, rehearsing the systems and process, conducting the training sessions, establishing clear roles and encouraging people to take responsibility for those roles. It is about embedding BCM into the DNA of your organisation so that all those involved in tackling the event work in a fluid, unified manner to get the business or department back onto its feet as quickly as possible.

Nigel Allen is editor of Continuity

Proud of what we do

I firmly believe the global opportunities for the BCI are there for the taking if we can sufficiently raise our profile and consistently provide the great services members and potential members want.

In recent months, as I attended and participated in numerous BCI events, one thing that struck me was just how proud people were to be involved with the Institute. The volunteers who run our chapters and forums globally must be applauded for what they do. However, I was also acutely aware of how important the right level of central office support is to sustaining this. To that end, Helen Petrie has taken up a new role as Chapters and Forums Manager to engage with all chapters and forums to enhance lines of communication and ensure support requests are handled promptly. This is no small task, so I would ask all chapter and forum leads to support her in this very important role.

During my travels, I was also greatly impressed by the number of members willing to help start up new forums. Our members have the passion and desire to make these happen, so please support them in this and reap the benefits at a local level.

We also had over 1,300 responses to our recent members' survey. In it, we asked people to rank their top three BCI benefits from the 12 listed in our membership brochure. While accreditation was a clear winner, we also had many suggestions for further benefits which we will look at in detail.

Finally, I must mention some people who are leaving our central office: Lee Glendon and Lucy Burns. During his four years at the BCI, Lee has made an enormous contribution to our thought leadership endeavours. Lucy, who has headed up our events team for the past five years, was responsible for turning the BCI Symposium into the incredible BCM World Conference we know today. Their contributions have made a huge difference to our Institute and on behalf of the BCI, I would like to thank them both and wish them every success.

With all this change there is certainly no time to sit still. Lorraine Darke and her team are working hard to recruit great replacements to maintain and improve still further the services and products you as members deserve from your Institute.

Steve Mellish FBCI is Chairman of the BCI

Q3 2013 Continuity 1
Contents
Q3 2013

COVER STORY
16 Getting the balance right
Will Brown, John White and Thibaut Minguet consider whether time spent planning for the longer-term would be better spent ensuring that you are quick to respond (page 16)

01 Editor's note & Chair's column

04 News

08 A clear path: the value of succession planning
Continuity discusses the findings of a recent survey into succession-planning strategies in the IT sector with Jason Hayman of TEKsystems

11 BCM Bureau
Do companies devote sufficient time and effort to data capture during an incident?

13 From the opening plays to the end move
Mel Gosling explores the progression from the initial response to the close of an incident, and finds similarities with chess

16 Getting the balance right
Will Brown, John White and Thibaut Minguet consider whether time spent planning for the longer-term would be better spent ensuring that you are quick to respond

19 Putting a brake on the blame culture
Claudia van den Heuvel discusses how encouraging staff to report issues within your organisation without fear of reprisal can be critical to your overall resilience

22 Making the Board sit up and listen
Board members look to business continuity to provide reporting that shows how resilient the organisation is, but BC practitioners must make reporting innovative and cutting edge, say Emmeline Skelton and Andrew Austin

24 Keep calm and collect the information
Tom Clark outlines the key stages involved in incident reporting, from the initial collection and validation of information through to the call to action

27 Ensuring small business continuity under a changing climate
Dr Natasha Kuruppu, Dr Pierre Mukheibir and Janina Murta consider how anticipatory adaptation is critical to the ability of SMEs to deal with environmental changes

30 Getting back up after Sandy
Nigel Allen assesses the damage done to small businesses in the aftermath of hurricane Sandy and looks for signs that it has raised awareness of the importance of preparedness

32 Boosting the efficacy of your programme
Frank Perlmutter explains how business continuity metrics are an essential component in establishing the real value of your BCP

35 The flight to resilience
An airport provides an extremely challenging environment for implementing and maintaining effective business continuity plans, explains Keith Prabhu

39 Information in an unsecure world
Recent high profile cases have served to drive home the value of effective data security. Patrick Mcilwee considers some of the control measures companies should implement

43 BCI News

44 Soap Box

Continuity
Business Continuity Institute
10 Southview Park
Marsack Street
Caversham
Berkshire RG4 5AF
United Kingdom

Continuity is the magazine of the Business Continuity Institute and is published four times a year.
Editor: Nigel Allen
Tel: +44 (0) 118 947 8215
Email: Nigel.allen@thebci.org
Advertising Sales: Benjamin Foster
Tel: +44 (0) 118 372 3073
Email: Benjamin.foster@thebci.org & advertising@thebci.org
Art Director: Mary Schoales
Continuity is printed by Headley Brothers Ltd, Ashford, Kent, UK and is published by the Business Continuity Institute.

BCI Chairman: Steve Mellish FBCI
BCI Vice-Chairman: David James-Brown FBCI

BCI Central Office
Telephone +44 (0) 118 947 8215 or contact:
Executive Director and Board Member: Lorraine Darke
Email: Lorraine.darke@thebci.org
Technical Development Director: Lyndon Bird FBCI
Email: Lyndon.bird@thebci.org
Technical and Learning Manager: Deborah Higgins MBCI
Email: Deborah.higgins@thebci.org
Operations Manager: Jan Gilbert
Email: Jan.gilbert@thebci.org
Conference and Events Manager: Nicky Tramaseur
Email: Nicky.tramaseur@thebci.org
Events Executive: Lucy McDonnell
Email: Lucy.mcdonnell@thebci.org
Head of Research and Advocacy: Lee Glendon CBCI
Email: Lee.glendon@thebci.org
Business Development and Relationship Manager: Faye Leo
Email: Faye.leo@thebci.org
Membership Development Manager: Helen Petrie
Email: Helen.petrie@thebci.org
Senior Membership Executive: Lynn Forrest
Email: Lynn.forrest@thebci.org
Membership Engagement Manager (North America): Abby Alling
Email: Abby.alling@thebci.org
Customer Service Executive: Daniel Saunders
Email: Daniel.saunders@thebci.org
Finance Manager: Kate Curry
Email: Kate.curry@thebci.org
Assistant Accountant: Rebecca Wood
Email: Rebecca.wood@thebci.org

The views expressed in Continuity are not necessarily those of the Business Continuity Institute. All efforts have been taken to ensure the accuracy of the information published in Continuity. However, the publisher accepts no responsibility for any inaccuracies or errors and omissions in the information produced in this publication. Business Continuity Institute. No information contained in this publication may be used or reproduced without the prior permission of the Business Continuity Institute.

Mark your commitment to business continuity management with ISO 22301 certification from BSI

Show your clients and customers that you're committed to ensuring the continuity of your operations with our third-party certification to ISO 22301, the internationally recognized best practice standard for a business continuity management system. As the pioneers of the original BCM standard, you can benefit from our expertise and commitment in this area.

Adopting structured management processes for BCM can help you to manage your risks and identify opportunities to strengthen your operations.

Clients that we have certified to ISO 22301 have seen:
Improvements to business and supply chain resilience
An increased ability to win new business
Stakeholder reassurance

Give your system the recognition it deserves by getting certified with us.

Find out more: bsigroup.com/bcms
T +44 (0)845 508 3026
News

Systemic risk and global securities markets paper published
Research report explores evolving nature of cyber-crime in securities market

The Research Department of the International Organization of Securities Commissions (IOSCO) has published a joint Staff Working Paper, with the World Federation of Exchanges (WFE), entitled "Cybercrime, securities markets and systemic risk".

The report explores the evolving nature of cyber-crime in securities markets and the threat it poses to the fair and efficient functioning of markets. Importantly, it highlights the urgent need to consider cyber threats to securities markets as a potential systemic risk.

The first part of the report assesses what is known of the cyber-threat so far. It also presents a framework for monitoring the extent of cyber-crime in securities markets going forward. This is in line with IOSCO's commitment to identifying emerging risks in a proactive way.

The report also points out that certain types of cyber-crime constitute more than an IT issue or simple extension of financial crime. While cyber-crime in securities markets has not had systemic impacts so far, it is rapidly evolving in terms of actors, motives, complexity and frequency. The number of high-profile and critical hits is also increasing. The report warns that underestimation of the severity of this emerging risk may lay open securities markets to a black swan event.

On the other hand, efforts to neutralise cyber-crime in securities markets can be assisted through high levels of awareness and a concerted cross-border, cross-sectorial, collaborative approach.

The second part of the report provides the results of a survey of the world's exchanges. The survey explores the experiences of exchanges in dealing with cyber-crime and their perceptions of the risk. The focus on exchanges is not due to any perceived or particular vulnerability. The survey is intended as part of a series of surveys exploring the experiences of different groups of securities market actors.

The survey revealed that a significant number of exchanges are already under attack, with 53% suffering an attack in the last year. Attacks tend to be disruptive in nature, rather than motivated by financial gain. This distinguishes these cyber-crimes from traditional crimes in the financial sector such as fraud and theft.

SIFMA announces successful completion of cyber exercise

The US Securities Industry and Financial Markets Association (SIFMA) has announced the successful completion of its one-day cyber-security exercise Quantum Dawn 2. The exercise, which took place on 18 July, involved over 50 organisations, including: financial companies, exchanges, utilities, US Department of the Treasury, Securities & Exchange Commission, Department of Homeland Security, and Federal Bureau of Investigation.

The event was designed to test incident response, resolution and coordination processes for the financial services sector and the individual member firms to a street-wide cyber attack. Participants were able to use existing protocols, procedures and processes to communicate with each other and with government partners to address the crisis and restore the markets to fair and orderly operation.

Karl Schimmeck, vice president of financial services operations at SIFMA, said: "Cybersecurity is a top priority for the financial industry. The Quantum Dawn 2 exercise was a success, with robust participation from over 500 individuals at approximately 50 entities from the financial services sector and the government. This exercise gave participants the opportunity to run through their crisis response procedures, practice information sharing and refine their protocols relating to a systemic cyber attack." He added: "SIFMA continues to believe that industry efforts alone are insufficient to address cyber attacks. A strong partnership between the industry and government is essential to effectively defend against these threats."

AT&T releases findings of latest BC survey
Potential for breaches tops this year's list of security concerns

AT&T, a provider of IP-based communications services to businesses, has released the findings of its latest study into the business continuity activities of IT practitioners across the US. Now in its twelfth year, the annual study was based on a national sample of 500 online surveys among Information Technology (IT) executives in companies with over $25 million in annual revenue.

The results showed that:
More than half of executives surveyed (63%) cite the looming threat of security breaches as the most important security concern for 2013.
84% of executives are concerned about the use of mobile networks and devices and its impact on security threats.
88% of those surveyed understand the increasing importance of security and indicate that their companies have a proactive strategy in place.
Two-thirds (64%) of companies include their wireless network capabilities as part of their business continuity plan.
87% of executives indicate their organisations have a business continuity plan in place in case of a disaster or threat, a slight uptick from last year (86%).

The study also noted that with the increase in IT budgets, companies are increasingly leveraging the cloud for their business continuity plans to help minimise the impact of potential threats and disasters. Furthermore, it noted that as companies look beyond the potential impact of natural disasters to the impact of network security events, they continue to expand their disaster plans accordingly.

News

Next generation must take up resilience challenge
Education critical to success, says Margareta Wahlström

The head of the UN Office for Disaster Risk Reduction (UNISDR), Ms Margareta Wahlström, signalled the importance of the next generation taking up the challenge of building a safer and more resilient future.

Ms Wahlström urged a group of youth ambassadors from the Republic of Korea, China and Japan to take leadership roles in advocating for disaster and climate resilient development. When asked how young women, in particular, can become leaders she replied: "Education."

Ms Wahlström told youngsters to take inspiration from the strong example currently being set by Incheon, Seoul and other cities in the Republic of Korea that were very active in UNISDR's Making Cities Resilient campaign.

"It is very important that the cities and urban coastal areas of East Asia are so proactive because after such dramatic development over recent years, which of course has brought many benefits, there has been a rapid accumulation of assets and populations located in hazard-prone cities and coastal areas," Ms Wahlström said.

"This year's Global Assessment Report on Disaster Risk Reduction shows the extent of the exposure in parts of East Asia but also clearly states that with strong local leadership and active engagement from the private sector a resilient future can be secured that will save thousands of lives, protect millions of livelihoods and safeguard billions of dollars worth of investment."

The Mayor of Seoul, Mr Won Soon Park, told Ms Wahlström that urban safety is an important focus of his office. "Because of climate change more disasters are happening in the Republic of Korea and East Asia in general," he said.

The President of the Republic of Korea Ms Park Geun-hye recently visited the national Disaster Control Centre ahead of anticipated heavy rains as part of her strong public safety agenda, which is called The Path to Happiness. It builds on the establishment of the national Urban Safety Department in 2010.

The Minister of Security and Public Administration Mr Jeong-bok Yoo said the Government was in the process of developing a Comprehensive Plan for Public Safety. He praised UNISDR for its global advocacy role on disaster risk reduction, saying the issues have direct relevance to the Republic of Korea today.

UK Cabinet Office releases National Risk Register
Pandemic influenza remains number one civil emergency risk

The UK Cabinet Office has published the 2013 edition of the National Risk Register for Civil Emergencies. The document provides an updated government assessment of the likelihood and potential impact of a range of different civil emergency risks that may directly affect the UK over the next five years.

According to the 2013 National Risk Register the highest priority risks are:
Pandemic influenza: this remains the most significant civil emergency risk. The 2009 H1N1 pandemic does not change the risk of another pandemic emerging or mean that the severity of any future pandemics will be the same as the 2009 H1N1 outbreak.
Coastal flooding: the risk is of an event similar in consequence to the 1953 east coast flooding emergency, which was the last occasion on which a national emergency was formally declared in the UK.
Catastrophic terrorist attacks: although mass impact terrorist events are unlikely, the impacts are potentially very serious.
Severe effusive (gas-rich) volcanic eruptions abroad: such an incident could have widespread impacts on health, agriculture and transport.

The document can be downloaded at: http://naru.org.uk/wp-content/uploads/2013/07/2900895_NationalRiskRegister_acc.pdf

Total cost of risk up 5% in 2012
2013 RIMS Benchmark Survey released

According to the 2013 RIMS Benchmark Survey, the average Total Cost of Risk (TCOR) increased in 2012, climbing 5% in 2012 as opposed to its increase of only 1.7% in 2011, driven largely by firming market conditions. The annual RIMS survey, produced with Advisen Ltd, is a single source of benchmark statistics with industry data for more than 52,000 insurance programmes from almost 1,500 organisations.

Key findings of the 2013 RIMS Benchmark Survey:
Average TCOR for all companies increased by 5%, from $10.19 per $1,000 of revenue to $10.70 per $1,000 of revenue, the result of hard market conditions.
A review of Advisen's umbrella / excess pricing and limit data showed that pricing influences excess insurance programme limit buying trends. When prices were dropping, insurance buyers tended to increase their limits more. On the other hand, when prices were increasing, they tended to increase their limits less.
The contribution of property premiums to average TCOR grew nearly 6%, from $2.92 per $1,000 of revenue to $3.09 per $1,000 of revenue.

"While 2012 experienced a reduction in insured catastrophe losses, insurers continued to implement rate increases through the year," said Jim Blinn, executive vice president of Advisen's Information and Analytics unit and executive editor of the survey. "Continued pressure on underwriting results and a low interest rate environment motivated underwriting management to seek these higher rates."

"Rates are rising, but our research shows that improving rates attract new capacity, which makes it difficult to sustain the trend towards progressively higher rates," said RIMS board director Michael D. Phillipus, ARM. "The wealth of information available in the RIMS Benchmark Survey arms risk practitioners with powerful industry insight that can help shape their understanding of the market and allow them to fulfill their responsibilities with greater confidence and clarity."

News

SMEs not focused on data protection
40% of small businesses have no protocols in place

Many US small businesses are taking a passive approach when it comes to protecting their data, leaving themselves vulnerable to data loss and possible financial and reputational damage. A recent study conducted by Ipsos Reid on behalf of Shred-it, an information security company, revealed that small businesses do not fully comprehend the impact a data breach could have and, as a result, are not safeguarding sensitive information as thoroughly as they should.

The 2013 Shred-it Information Security Tracker indicates that an alarming number of small businesses (69%) are not aware or don't believe data being lost or stolen would result in financial impact and harm to their business's credibility.

This false sense of security is putting businesses at risk. In fact, the study found that:
40% of small business owners have no protocols in place for securing data, a 5% increase from last year.
More than 1/3 of small businesses report that they never train staff on information security procedures.
48% have no one directly responsible for management of data security.
Only 18% would encourage new data privacy legislation requiring stricter compliance and penalties to information security threats.

Mike Skidmore, privacy & security officer at Shred-it, said: "We have seen a consistent increase in small businesses without security protocols in place and a crucial first step for practicing effective information security is improving awareness of policies and procedures. Organisations face a lot of risks, but enforcing sensitive data safeguarding as a company-wide practice will potentially avert both significant financial and reputational damage."

Shred-it offered the following advice to SMEs:
Analyse possible security gaps in your organisation and your supply chain, and work with security experts to assess existing security systems.
Implement ongoing risk analysis processes and create a policy specifically designed to limit exposure to fraud and data breaches.
Regularly train employees in proper document management and encourage their adoption of security best practices.
Utilise special locked consoles to house sensitive materials that are waiting to be properly shredded.
Implement a shred-all policy so that all unneeded documents are fully destroyed on a regular basis.
Don't overlook hard drives on computers or photocopiers; physical hard drive destruction is proven to be the only 100% secure way to destroy data from hard drives permanently.
Have up-to-date and effective computer network protection, including anti-virus software and a firewall.

Industry Q&A

A clear path: the value of succession planning
Continuity discusses the findings of a recent survey into succession-planning strategies in the IT sector with Jason Hayman of TEKsystems

What are the key aspects of an effective succession-planning strategy?

The key aspects of an effective succession-planning strategy in our view fall into three primary categories.

Succession planning must extend beyond the C-suite. The majority of organisations we surveyed indicated that their succession plans do not go further than the C-suite or executive level and therefore overlook the impact of departures in lower-level roles. For example, if your lead security engineer leaves the company and you do not have a successor waiting, the company's security process and programmes could be at risk.

It is also imperative that you seek to define and communicate your evaluation criteria for your priority staff. Only 12% of the IT professionals we surveyed believed the criteria by which organisations evaluate key talent is clearly defined and 10% reported that it is communicated frequently. Without this definition, employees may struggle to understand what is expected of them and what they need to do to get to that next level in their careers. It also may make it difficult for the organisation to identify and retain the top performers. IT professionals identified a lack of a formalised/standard programme and a perception that evaluations were too political as the top reasons why their succession planning programmes were ineffective.

Finally, organisations must identify and involve their top talent in the process. Once your organisation has defined the criteria for high-potential talent, leadership can begin to identify and evaluate top talent. Organisations should first look at current employees and involve those high-performance individuals in the process. This inclusion gives employees a chance to better understand the future opportunities available to them and what they need to do to take the next step in their careers.

The report focuses on succession planning in the IT arena. Why is succession planning so important in this particular part of the organisation?

There are a number of reasons why this is the case. Firstly, business leaders are putting greater demands on IT to deliver results. If the IT department is constantly looking for people, then they are spending less time actually impacting the business and delivering tangible, actionable outcomes. It's critical for the organisation to be able to address people challenges proactively to ensure business continuity.

Secondly, there will always be a shortage of IT talent because technology is always changing, making it difficult to have the right resources in place at the right time.

Lastly, in today's business and IT world, IT professionals have options. At any given time, great IT professionals (i.e., the ones organisations want) are often exploring several job opportunities at one time. Succession planning becomes a critical component to attracting and retaining the best, as it shows prospective employees the organisation's career-paving options and can provide long-term career satisfaction.

Two different types of succession-planning approaches are highlighted: position- and pool-based plans. What are the advantages and disadvantages of these two plans?

Traditionally, more mature succession management programmes use a position-based plan. This approach requires up-front knowledge of, and agreement on, the definition of a key position at that organisation. They can then create a line of successors, which tends to be the approach for C-suite positions like CEOs, CFOs, etc. However, a drawback to this approach is the risk of losing the other employees up for consideration once the role is filled. Also, position-based plans are typically implemented with very little or no input from the employee. This type of approach doesn't allow for the employee to have ownership over his or her career path, which can lead to retention issues.

Pool-based approaches identify the high-potential individuals first, before a key position may be available. This approach is more personable and engaging, and employees feel their managers are getting to know them better on a technical, business and personal level. This type of engagement also allows employees to feel more ownership of their career, increasing satisfaction and ultimately retention. Finally, this approach provides a bigger picture of an organisation's talent pool, giving the business an opportunity to move top talent into key leadership positions based on personal and professional knowledge.

The survey states that only 22% of IT leaders report their organisations conduct succession management planning for key line-level positions. How important is it that succession strategies go beyond the top-tier employees?

It's critical to extend succession management to key line-level positions like security, application development and analytics. Consider the impact of the departure of a security architect, a role with specialised knowledge of the inner workings of the organisation's systems, and the potential cyber security risks present without a successor to such a vital position. Organisations need to have succession plans in place for these roles to ensure continuity and protection.

Also, as we said before, technology is constantly changing, creating a challenge for IT departments to have the right skills in place at the right time. A formal succession-planning strategy will help the organisation identify skills gaps, as well as areas where they can fill critical positions with internal staff. Having a plan in place for line-level employees also provides direction and a clear career path, something all employees crave, which again can aid in attracting and retaining top talent.

How important is it that organisations have a clear understanding of what constitutes a high potential employee and how do they go about establishing this definition?

In an ideal world, every single employee would be a high-potential employee, but in reality, some employees are just more capable and possess qualities others don't. The definition of a high-potential employee will be specific to each organisation's culture, expectations and specific roles. There isn't a magic formula to defining it, but the best place to start is to look within.

An organisation can conduct an objective and subjective evaluation of their current workforce to establish the definition. Objectively, organisations can conduct apples-to-apples evaluations to determine where individuals with similar skill sets rate in their competencies. From a subjective perspective, identify those individuals that stand out or have been with the business for a long time, and assess what makes them successful.

The survey mentions that organisations can benefit by developing a strong emotional

foster that strong emotional connection. If employees can see and feel their company puts time and effort into developing and grooming them for future opportunities, they are much more likely to put in maximum effort.

Additionally, retention is tied to the development of strong emotional connections. The longer an employee stays with an organisation, the more they understand the business, impact change and mentor new talent. All of these qualities also make that employee more valuable as a leader within the organisation.

How important is it that companies establish KPIs for their succession-planning strategy?

Back to the earlier question about defining high-potential criteria, it's impossible to show how valuable something is if there isn't anything to measure against. Key performance indicators (KPIs) serve as a baseline for organisations to determine an employee's ability to be a leader. KPIs can be both quantitative and qualitative, and it's a best practice to make decisions based on the combination of the two. For example, leveraging performance reviews that evaluate technical performance as well as softer skills (i.e., communication, leadership or

their organisation's programme negatively impacts its success. If employees, especially the high-potential ones, don't know what the organisation expects of them in their current role and what would be required of them in a future role, it's difficult for them to do their best.

It is also critical that organisations communicate the purpose and principles of the succession management programme to educate employees on why the plan and strategy exists. Illustrate how the succession planning strategy benefits both the organisation and each individual employee. Leadership should also communicate the definition of a high-potential employee, so individuals know what it takes to get to the next level in their careers. Leadership should also clearly communicate and outline the career path opportunities that exist for internal employees. This explanation of opportunity, in conjunction with performance criteria, is critical to clarify the responsibilities and expectations of various career levels.

Organisations should also consider incorporating the aspects I mentioned into external recruiting efforts. This will spark emotional connections before a new employee is even hired, demonstrating that your organisation cares about their future.
connection to the organisation through collaboration) will provide a more holistic Note
succession management. Can you expand view into an employees true future potential. This interview is based on the findings of a study
on this point? conducted by TEKsystems entitled Ensure the
What advice would you give to companies continued success of your organisation through
People want to be happy and fulfilled to help them communicate aspects of effective succession management. The survey
personally and professionally. Great the succession planning to the wider is available at http://teksystems.com/resources/
succession management strategies are able research/it-talent-management-trends/effective-
organisation? succession-management
to incorporate an individuals personal and
professional goals. The best programmes Set the stage for why communication
fully engage the employees themselves, of succession plans is important. Only
iStockphoto.com/lorrainedarke

transferring a sense of ownership of the 35% of IT professionals we surveyed Jason Hayman


career path to the employee. By nature, agree that the criteria for high-potential Jason Hayman is market research manager
people crave an emotional attachment, and employees is communicated frequently at TEKsystems
succession management provides a vehicle by the organisation. Further, 82% of
www.teksystems.com
where employees are engaged and able IT leaders and 79% of IT professionals
to provide input on their career path and believe that this lack of discussion around

BCI Corporate Partnership
Enabling organisations to work more closely with the BCI to raise the profile of BCM worldwide

Three levels of Partnership
Determined by the size and type of your organisation
Premium: Large organisations with more than 250 employees
Standard: Companies employing less than 250 employees
Associate: Small companies employing less than 25 employees or not-for-profit organisations

Three levels of Sponsorship
Gold, Silver and Bronze
BCI Partners who have BCM products and services can increase the benefits of their Corporate Partnership by adding in one of our sponsorship packages to their Partnership. Sponsorship is an exclusive opportunity offered only to BCI Corporate Partners.

Want to be recognised as a key contributor to BCM best practice worldwide?
Contact Faye Leo, BCI Corporate Partnership Manager on 07800 552 726 or email partnership@thebci.org and sign up today

www.thebci.org
BCM Bureau

Continuity invites three leading market practitioners, each representing a different sector or country, to provide their expert opinion on a key issue currently impacting on the BCM arena.

Do companies devote sufficient time and effort to data capture during a disruptive event, given its importance in assessing performance and learning lessons following the event?

Steve Yates FBCI
Steve Yates, FICPEM
yates999@gmail.com

Yes and no. Response teams do, and sometimes don't, devote sufficient time to capturing information on the actions they take during a disruptive event. This may be due to the scale of impact, or the priority given to any response. Whatever the reasons, it does support the need for responders to have appropriate and sufficient capabilities to capture and record relevant related information.

At this point I am reminded of something that a colleague of mine stated: "If it isn't recorded, then it did not happen", and as such may then provide the fuel and blame that would be allocated against specific response individuals, or even establish the grounds for a conspiracy theory. So, when we consider those components associated with disruptions, without the ability to time-travel we should ask ourselves: how can we ensure that each event is formally logged, recorded and subsequently assessed?

For those who already have an integrated and proactive 24x7 command, control and communications (C3) structure, one that carries out horizon scanning, has the ability to remotely monitor operational capabilities, is supported by a range of on-line communications to record actions and for contingency has someone to keep a physical record, then very well done. For others who are still in the process of developing such capabilities, whatever the reasons, it still remains a must that they have the ability to capture relevant, real-time information.

This information should at least cover details pertaining to the real situation at that time. Key actions that had been considered and those that were actually taken must be recorded as a minimum. In an ideal world, they should also be supported 24x7 by an assessment of their information, where consideration of low, medium and high impacts can be considered against their decision making.

It is my premise that although our knowledge increases from disruptive events, we do not investigate each one fully and hence identify the budgets and support that are necessary to increase the level of resilience. Such resilience needs to be proportionate to the likelihood and impact on the community, infrastructure and businesses disruption, whilst also being proactive rather than reactive.

Ian Morris and Britt Kane
Ian Morris is managing director of Lion Wood Solutions and Britt Kane is CEO and founder of Intrepid Networks
www.lionwoodsolutions.com

In a tense, disruptive incident, understanding why response teams may not have enough time and energy to collect vital information could be fundamental to real-time decision processes, avoiding overload, ensuring life safety, and the future sustainability of your business. A whole industry has been devoted to six sigma data techniques in manufacturing; no equivalent process exists within the incident management sphere.

As we move progressively from information to an intelligence age with greater emphasis on accountability, the accurate and timely collection of critical data in real time can only improve performance. Organisations that are data driven and effective in prioritising intelligence to underpin strategic decisions and post incident enquiries have demonstrated their ability to improve performance consistently and more quickly.

Failure to address the issue may result in response teams being:
Unable to explain or account for their actions and outcomes;
Slow to develop and adopt new techniques, as often data does not exist to provide practical considerations for improvement; and
Directed/resorting to best known historic practice since the risk is too high to rely upon instinctual or observational techniques stemming from the event itself.

Another difficulty that limits learning for major disruptive events is the very fact that they are thankfully rare. However, these incidents often shape society. Limited data from these types of events naturally confines the possible pedagogic value that could otherwise be obtained.

The action of recording data during an incident is difficult at best. The first responder's primary goal is the response itself, which focuses on saving lives and minimising the threat. Recording actions for training or further analysis may not be the first or even the second responsibility.

Therefore the inquiry is not any variation of the time response teams devote to capturing information. More importantly we need to consider how information can be collected more efficiently. Better after action interviews are one possibility. While supportive, this method has its limitations; the human memory is narrow and fallible, which leads to voids and inaccuracies in the recounting.

What we must therefore look to provide is embedded technology which automates and cross checks the collection of vital data during a response. The accumulation must be automatic and unobtrusive to avoid diverting and distracting the responder from their core mission: responding.


Jayne Howe FBCI
Jayne Howe, MRP, CBRM, Managing Partner, The Howe Partnership
jayne.howe@sympatico.ca

During real events, or comprehensive, stressful exercises, how often have we observed that the champions that emerge don't follow the corporate hierarchy pyramid? We can install all the automated alternate processing technology we want, but when you have to include the human element in responses and reactions to disruptive events, you'll always have a wild card in your midst.

The sole reason for exercising plans is to build competence within the team members. By building competence, we build confidence. This is especially true for our higher level corporate team, the crisis management team (CMT). Unlike individual business units, the CMT doesn't have a set recovery script to follow. Their purpose is to make decisions based on the information that is presented to them. Therefore, every scenario is different, and presents the team with challenges and conditions that might be new and unrehearsed.

For all continuity unit teams it is absolutely critical that all tasks and decisions are documented and signed off by the responsible resource. Every action must be auditable in some way. And the standard base line of audit applies: if an auditor can't see it, touch it, or read it, then it doesn't exist and is therefore not defendable.

For individual business units that are using scripted recovery plans, simply adding columns to each task should suffice. Similar to IT DR scripts, the column headings for each task would include:
Task Number
Task Description
Person Responsible
Task Start Time/Date
Task End Time/Date
Completed by: (this is a signature column)

For CMTs, the team itself should include one to two scribes. Executive assistants are often best for this. They need to have two sets of running documents. One for listing summaries of updates received into the CMT, who gave them the information, and the time it was received. The other document lists open issues, the time they were identified, the course of action decided to resolve each issue and the time the issues were resolved. The CMT team leader must sign off on these.

This kind of documentation will satisfy your insurance agents for business interruption reimbursement, your financial institutions to release liquidity, any potential forensic investigation, and stakeholder requirements. By ensuring that you include the timing for each task and decision, you can use this information in your debriefing reviews to help streamline and tighten your plans and your responses.

BCM World Conference and Exhibition 2013
6th to 7th November 2013, Olympia, London

Free to attend exhibition showcasing BC products and services from around the globe
Conference programme with unique three stream structure, which caters for the BC newcomer to the experienced practitioner
Exhibition seminar programme consisting of practitioner and vendor presentations
Training at BCM World
The BCI Gala Dinner and Global Awards

Attend the Exhibition for free
Standard Rate: Member 890 + VAT; non-Member 990 + VAT
Gold sponsor

Visit www.bcm2013.com to learn more and register today!
Incident response

From the opening plays to the end move

Mel Gosling explores the progression from the initial response to the close of an incident, and finds similarities with chess

Developing plans to successfully respond to incidents is at the heart of business continuity. But how, when every incident is different, do you plan for the progression of the response as the situation develops over time from the initial response through to the recovery and return to new business as usual, and how and when do you bring the incident to a close?

Because all incidents are different, each response to an incident is unique. However, there are some things that all incident responses have in common, and one of these is a natural timeline. Examining this timeline enables us to identify three phases that we can use to structure our response and cope with the complexity of a developing incident:
Response: the initial response to the incident
Continuity: providing service continuity at a minimum acceptable level
Recovery: recovering to a new agreed level of service

These three phases are artificial constructs without well defined start and end points, and the nature and length of both the phases and the timeline varies considerably from one incident to the next.

The process itself can be likened to the game of chess, which progresses from the opening moves through the middle game to the end game. A plan to win a game of chess consists of an opening gambit followed by using appropriate tactics within a set of pre-defined strategies in the middle and end games.

An end in sight

Much the same applies in successful incident response. Unlike the end of a game of chess, though, identifying the end of an incident is fraught with difficulty, particularly as some incidents can have long-lasting effects on an organisation that do not become apparent for many years. There is, therefore, no natural end point to an incident.

However, there is a need for an incident to be closed so that response teams can be stood down and a review can be undertaken to identify lessons learned. As such, each organisation needs to set its own criteria for formally identifying the end of an incident, and deciding when it can be closed.

An example of the sort of criteria that might be used to identify the final stage would be to declare it at an end when a new norm of service has been identified and achieved, such that there is no longer any need to use specially prepared plans to manage the response to the incident. The logic behind this is that the incident response starts when the specially prepared plans are activated and should therefore end when these plans are no longer needed, but, like the three phases of response, this is an artificial construct to enable us to simplify reality.

Like many chess players, business continuity planners tend to concentrate on their opening gambits as these are the easiest to identify and plan for, with the result that most business continuity plans will cover only the first few days or weeks of the response, and not address the later phases or how to progress from one phase to the next. I refer to this as the organisation's planning horizon.

The planning horizon

The majority of incidents that affect an organisation's operational capability are short in duration, such as a power cut, temporary exclusion from an area, or bad weather. As a result, the planning horizon used by most organisations in developing their business continuity plans is perfectly adequate. For longer duration incidents though, such as a major fire, limiting the planning horizon buys time to enable longer-term plans to be created and then implemented.

A vital element of any business continuity plan must therefore be to evaluate the incident and estimate the likely duration of its effect on the organisation. If the estimate of the duration is less than the planning horizon then the plans are adequate; if not, then new longer-term plans need to be created and implemented before the end of the planning horizon. The shorter the planning horizon, the more difficult this is to achieve, which is something that you should consider before determining what your organisation's planning horizon should be.

Deciding on a short planning horizon is perfectly understandable because of the exponential increase in the number of potential situations that an organisation could find itself in as time progresses following an incident. This means that the longer the planning horizon, the less useful the plans are likely to be. By following a limited horizon plan, the organisation tries to put itself in a favourable position to take advantage of the situation that develops and then go on to a successful conclusion when the incident is closed, just like a chess player moving from the opening gambit to go on to winning the game.

A multi-player strategy

A chess player is a single person who analyses the situation, decides on the most appropriate strategy to deploy, and ensures that the right tactics are used. Organisations, though, are made up of many different people and teams. If the incident response is to be successful it needs to be carefully coordinated as if it came from a single mind.

This requires a well-managed response at the three fundamental levels at which all organisations operate:
Strategic: where policy is set and decisions on direction are made
Tactical: where processes are managed
Operational: where activities are undertaken

The roles and responsibilities of the recovery teams at each of these levels need to be defined, including when something is outside the authority of a team and needs to be escalated. In this way, any decisions to create and implement new longer-term plans when the duration of the incident looks likely to exceed the planning horizon can be taken at the most appropriate level. Minor incidents should be able to be managed at the operational level, but the more significant the incident the more likely it is that the response will be coordinated by the strategic level.

Similarly, if the results of decisions made and any issues encountered are to become known and understood as if there was a single directing mind, then the roles and responsibilities of the recovery teams need to encompass how, where, and when information is escalated from the operational and tactical teams. One of the most common causes of incident response problems is a failure to escalate information in a timely manner to the appropriate team.

Playing the game

The key in all of this is to concentrate on how to minimise the impact of the incident on the organisation, and not to worry about moving from one phase to the next. The progression through the three artificial phases of the response should be well defined in procedures and action plans, and become seamless when activated.

In terms of preparing your business continuity plans to achieve this aim, you need to:
Select an appropriate planning horizon;
Develop plans at the strategic, tactical, and operational levels;
Clearly define the responsibilities, authorities, and escalation procedures for each recovery team; and
Include the progression as part of the responsibilities, and link it to the planning horizon.

Then, when an incident occurs, the strategy to follow from the initial response through to the recovery and return to new business as usual is:
Activate the appropriate business continuity plans (the opening gambit);
Estimate the likely duration of the incident: is this less than our planning horizon, or are we going to have to plan for a longer duration disruption?
If necessary, create longer term plans (the middle game); and
Either close the incident or implement the longer term plans (the end game).

On a final note, although chess is complex, responding to an incident is far more difficult as there are more pieces and types of pieces on the board, the board itself is much larger and multi-dimensional, and unlike chess, the number of things that can happen is not finite.

However, one of the underlying principles of chess strategy is to take control, which is also an underlying principle of incident response strategy. You need to be in control of what is happening, moving at the pace of the incident, not at the pace of your decision making.

Mel Gosling MBCI
Mel Gosling is managing director and principal business continuity consultant at Merrycon Ltd
melgosling@merrycon.com

Continuity Shop

Why Choose Continuity Shop for Your BCI Training?
BCI European Service Provider of the Year
Training more people globally than any other
Delivering public courses and training your team wherever you are
Achieving excellent results
Award Winners

www.continuityshop.com +44 (0) 161 743 3555
donnaedge@continuityshop.com
Incident response

Getting the balance right

Will Brown, John White and Thibaut Minguet consider whether time spent planning for the longer-term would be better spent ensuring that you are quick to respond

As BC practitioners, we continually assess our business processes; analyse our changing operating environments; identify and reduce our vulnerabilities; design, improve and validate our response capabilities; and take advantage of (or respond to challenges associated with) new technologies. One area that we also need to consider is the timeframe for our plans.

In this article, I want to explore the extent to which long-term BC planning can prove effective. I will also focus particularly on when the value realised from long-term planning is exceeded by the effort put into it.

Appropriate planning

As BC professionals we all recognise that BC plans should be appropriate to the nature and size of the business, but the question is what period of time should we plan for following an incident? How far into the future can we see? How quickly do our certainties become predictions, our predictions forecasts, and our forecasts guesses?

There are two key thoughts that I would like to raise right from the off. Firstly, that BC planners will realise a far greater benefit by focussing their efforts on shortening their response time than elongating the time covered in their recovery plans; and secondly, that BC planners should only plan to the extent of accurate information available to them at the time of planning; all other planning should be about ensuring the process continues when certainties run out.

BC plans, by definition, help organisations to respond to events which do not come with a set of recognisable parameters spelling out how severe or long an incident might be. Having said that, with effective risk controls and awareness of our operating environment, neither are we completely blind to the things that could happen. As such, the normal business environment in place when plans are invoked is one of rapid change, and a high level of uncertainty. This sense of uncertainty exists whether the incident is the result of an identified risk or a completely unseen event.

Whether the incident in question has come completely out of left-field, or is recognised as something which the organisation could have foreseen, the objective of the first response remains the same: to respond quickly and effectively, stabilising the incident and moving as soon as possible into recovery.

Getting out of the blocks

This is perhaps explained better using a sports analogy. In a 100 metre race the start is crucial. Sprinters repeatedly practise this phase of the race. Following a good start, the rest of the race is a sustained effort, but the end result will be strongly determined by how the start was executed.

Experience tells us that what really matters in the recovery is not how far into the recovery you can plan for, but how quickly you can recover from an event. The more you can plan for the early stages of your recovery, the better armed you are to face longer disruptions. It is very difficult to predict how your customers, suppliers, processes or employees will react to a disruption, and what the consequences of your first actions will be.

You can, however, still prepare for "the money time". This is the time when information is critical but when you have none; when you need to make decisions based on incomplete or missing facts. Focusing your efforts on being ready for the first 10 metres will make the difference at the end.

This is also supported by the fact that your initial decisions will change the way events play out. Past the initial response period, you need to adapt and take into consideration the consequences of your first actions. The disruption will bring new rules, a new environment that needs to be embraced. If your business is not agile enough to adapt to the new world caused by the disruption, your recovery will take longer and the outcome will certainly not be as predicted.

Detailed task lists with extensive and specific action lists for every possible scenario will give the business continuity practitioner who believes in quality being defined by the kilo a great sense of self worth. In reality though, how much better could some of this time have been spent in refining first response protocols, or addressing real and known risks?

Manage is the key word

Following an incident, heavy plans tend not to be used at all. As we mentioned earlier, the quality of a plan is not measured by its size or length, but how it helps the response team to manage the incident. The key word here is manage. Plans should not be a list of tasks which need to be completed to recover the organisation. Plans should focus on enabling the process of recovery. The reason for this is simple: you can accurately and effectively predict the process steps required to gather information and react to it; you cannot predict the content of that information and its implications, and if you do, your plan is wholly dependent on your planning assumptions.

With each iteration of decisions made during response and recovery, the real response will deviate further from the planned response as the BC team start basing their decisions on real information as opposed to planning assumptions. Put another way, the further into a response/recovery you plan for, the less accurate your plans become.

A case in point

To illustrate this, when conducting interviews as part of a planning activity for a mining company, an interviewee mentioned that their individual process had a (pre-processing) stockpile for two weeks, effectively stating that if anything happened up-stream of their part of the production line they could maintain production for this two-week period. The individual also shared with the interviewer a number of creative/inventive options for working around the problem should this disruption extend beyond two weeks, whether that was bringing in product from another mine, servicing the client orders from another location etc. In reality, these workarounds were largely unproven and would have reduced operating capacity significantly.

Is there any value in the BC planner recording these options within the BC document itself? From a practical perspective, just having had this discussion is hugely beneficial to the organisation. However, does this require detailed planning as part of the plan, and where does the value of recognising various options become eclipsed by time spent planning out each of these options based on inaccurate assumptions made prior to the incident?

Reaching the tipping point

What we are trying to highlight here is that the tipping point for deciding what to record versus what to leave out of a BC plan is generally that point at which the benefit of having the information beforehand (i.e. when the BC team is in urgent decision-making mode) ceases to exist. Not considering this tipping point is generally the reason why some BC plans can run into hundreds of pages back in the world where the BC manager believes quality is measured by the kilo.

In a recent meeting with a peer (who provides business resilience consultancy services for another organisation), we were discussing how the BCM commercial market (i.e. the consulting market for BCM) is polarising. There is an ongoing requirement for support around initial response capability in all its forms (emergency, incident and crisis management); and increasing requirements for technology resilience support (typically to assist and assure the delivery of technology to the business throughout BAU and following a major incident).

The BCM process is still taking place in-house with organisations completing their BIAs and plans, conducting drills and tests for both the human and the technology components of their response. However, there is less support required for detailed continuity planning past the initial stages of the incident. This could be proof that organisations are planning for these two areas, and not longer-term response plans.

So what is the reason for this? It is probably a simplification, but with the availability of bandwidth as well as organisational and regulatory relaxation of which activities can be delivered remotely, an organisation's recovery strategy (from a technology point of view) can now just be to send people to work from home. Following an incident, and subject to prioritised access to remote capability for key workers, this can significantly reduce the requirement for detailed planning at a process level for the longer-term recovery.

Ten to fifteen years ago, response plans for many organisations consisted (at least in part) of a finite number of seats made available in a recovery site in a contractually obligated period of time. To this end, the number of people who would be available to work was limited, which meant there had to be time and planning effort put into who those people were, and specifically what they would be doing in terms of business processes and how those processes would change over time following an incident. This required detailed planning at business process level, and hence longer periods covered in plans than we often see now.

How long to plan for?

So what time period should we plan for? There is no definitive answer on this. However, I believe the planning activity should ensure that the response teams understand their priorities, are empowered to make decisions based on their experience of the business and the pre-incident information provided, and most importantly have the ability to adapt to the situation.

There are some elements of plans which you can be sure are invoked during an incident, for example trigger points and escalations, bringing the team together, using the standing agenda for formalising assessment of the incident, etc. All these activities empower the team to react to the conditions they are faced with and adapt.

The planning activity over a longer period of time following an incident should facilitate this ongoing process: not detail task lists and individual activities, but continue the sustained effort to get back to business as usual. Benefits from longer-term planning following an incident are gained when it is focussed on managing the process of recovery, rather than hypothesising about possible outcomes and detailing recovery tasks accordingly.

Will Brown, John White and Thibaut Minguet
Will Brown is head of business resilience, John White is principal advisor and Thibaut Minguet is an advisor at KPMG UK
Will.Brown@kpmg.co.uk

Q3 2013 Continuity 17
Reporting

Putting a brake on the blame culture

Claudia van den Heuvel discusses how encouraging staff to report issues without fear of reprisal can be critical to your overall resilience

Consider this: you are buying a car, and you have to choose between one of these two safety features, either ABS (anti-lock braking system) to control skidding, or airbags to save you on impact. Which would you choose? Is it more important to be able to minimise the likelihood of having an accident, or to maximise safety and the chance of a good outcome if you do have an accident?

Traditionally, being resilient was focused on the ability of an organisation to bounce back from an incident or crisis. Therefore, resources were, and still are, rightly directed towards implementing metaphorical airbags to minimise impact and maximise the chance of survival. However, analyses of past incidents have clearly shown that having a preventative braking system is an equally crucial part of the resilience equation. Being able to spot errors within a system or organisation enables them to be dealt with before they escalate into a full-blown crisis, which is preferable in terms of cost, time and protecting performance and reputation.

However, one very challenging barrier to resilience is the existence of a blame culture. History relates that a large proportion of disruptions and serious organisational accidents resulted from recurring, yet avoidable, human errors. A number of these errors went unidentified or unreported due to a deep-seated fear of blame for that mistake or its consequences. However, evidence from both resilient and high reliability organisations (those organisations, such as nuclear power plants, that achieve high safety records despite operating in very hazardous or risky conditions) illustrates that it is entirely possible to sustain near error-free operations.

The differentiating factor of these organisations is not that fewer human errors occur; it is that these errors are reported and lessons are actively learned, thereby putting the metaphorical brakes on an incident before it escalates in impact. These resilient behaviours are achieved by operating a culture of psychological safety, fairness and trust, as opposed to one where blame proliferates.

Organisational errors and the blame game
Human beings are inevitably prone to error; we all make mistakes. Human errors, which include both actions and non-actions (such as spotting a problem within a system but not reporting or fixing it), can occur due to lack of knowledge or understanding, inattention, or, importantly, due to an unwillingness or fear of assuming responsibility for a problem.

James Reason's Swiss Cheese model of organisational accidents illustrates that the impact of these human errors is usually protected against by specially designed organisational defence layers or safeguard systems. However, at times small weaknesses or holes in the systems line up, thereby allowing the errors to pass through those holes, resulting in a serious loss for the organisation. In other words, human mistakes at an individual level have the potential to grow in significance and impact if there are also organisational (or cultural) weaknesses.

Figure: The Swiss Cheese Model of Accident Causation (labels: Hazards; successive layers of defences, barriers & safeguards; some holes due to active failures; some holes due to latent conditions; Losses)

In the case of error reporting, one of the largest hole-creating factors within organisations is the existence of a blame culture. Here, staff members are disinclined to be open and honest about the strengths and weaknesses of the processes or systems used in their work due to a fear of repercussions for being the bearers of bad news.
Top tips to tackle the blame game
- Stimulate open and transparent communication of errors, issues and incidents by creating a culture of psychological safety, trust and fairness
- Hold formal debrief sessions where those employees who reported a risk get publicly commended for their behaviour
- Design a reporting system spanning the organisation and make risk reporting the responsibility of all staff
- Drive cultural change by getting away from the desk. Have leaders and senior management engage with staff members frequently to discuss both mistakes and positive progress made

Blame cultures often arise from organisations that set unrealistic targets, such as zero tolerance for accidents, where individual responsibility is assigned to people when things go wrong, and where staff members are treated as blameworthy perpetrators who should be punished. This blame game often creates an ostrich tendency either to ignore errors, not report unsafe or inefficient processes and activities, or shift responsibility to others.

Plugging the holes: shaping behaviours through cultural drivers
Any organisational system or process, however intelligently designed, is only as resilient as the persons operating or managing it. Therefore, resilience depends on individuals at all levels and departments of an organisation identifying, reporting, and learning from problems experienced with those systems or processes. Indeed, recent case studies of highly resilient organisations (including the InterContinental Hotels Group, Jaguar Land Rover and Virgin Atlantic, amongst others) found that risk and resilience were embedded within the cultural DNA of the organisation. They created an exceptional risk radar by pushing responsibility for risk reporting out across the organisations, making it a core priority for every department, not just the risk department.1

Human behaviour in the workplace is shaped by the organisational culture; most new members of staff will quickly adjust their patterns of behaviour to match what is perceived as being expected of them. Similarly, shaping the resilient behaviours of reporting and learning requires the implementation of a psychologically safe, trusting and fair culture.

- A culture of psychological safety is one where people feel they will receive respect and consideration from the organisation, even when managing sensitive issues.
- A culture of trust is one where staff members trust the organisational structures, systems, and procedures within which they work, fostered by a collaborative and open working relationship across the organisation.
- A fair culture is one where people are encouraged, and even rewarded, for providing essential information; yet in which they are also clear about where the line must be drawn between acceptable and unacceptable reporting behaviour.

Staff must feel entrusted, empowered and responsible for reporting errors, near misses and issues.

Steps to creating a resilient culture

Visible leadership
Leaders drive culture; therefore, as with any organisational change, the first crucial step requires a cultural shift led from the top down, in order for staff members to lose the fear of blame associated with error reporting. Visible leadership is where opportunities are actively created for senior managers to interact with employees and encourage dialogue, perhaps through department meetings, forums, newsletters or the company intranet. This will build a sense of trust between employees and their line managers and higher levels.

Design a formal reporting system & foster open communication
Leaders should invest in a reporting system that spans the entire organisation. This system must set realistic targets and clearly define those procedures used by all staff to report red lights (errors and accidents) as well as amber occurrences (slips, lapses, or issues), and define reasonable boundaries for reporting to avoid naming and shaming.

What this reporting system looks like will vary from organisation to organisation, but stimulating frequent and open two-way communication and information sharing between staff and their managers without fear of reprisal, as well as across departments, will serve to strengthen the sense of interpersonal and interdepartmental trust and transparency.

Learn the lessons
To be of real value, any reported issue must be treated as a valuable learning opportunity for the organisation to implement reforms and improve operations to avoid more serious events in the future. Ensuring that learning and continual improvement becomes an integral part of operations requires:
i A mechanism to identify threats and issues
ii Giving timely feedback to the reporter on what action will or will not be taken and why
iii Implementing remedial actions
iv Holding formal debrief sessions with all relevant departments who may experience similar problems to allow for lessons to be shared among the wider organisation (such as lessons learned from post-incident reviews)
v Implementing staff training in their contribution to the organisational risk radar and encouraging participation in and active feedback from exercises and scenario-based planning sessions or war gaming

Learning from actively shared information
While human beings may inevitably be prone to error, organisations will not inevitably fall prone to major incidents. There are some that can be nipped in the bud. Important lessons can be learned from resilient organisations which illustrate that, rather than assuming the brace position and relying on the air bag to save them on impact of a crisis, harnessing the power of staff to create an internal radar and act as the ABS of the organisation will enable errors to be identified early on. However, this will only occur if staff feel empowered by their leaders to openly and willingly share important information without fear of blame for the consequences. Learning from actively shared information allows organisations to remedy errors before incidents occur, and thereby become stronger and more resilient.

1 Steven Carver (2013). Roads to Resilience

Dr Claudia van den Heuvel
Dr Claudia van den Heuvel is a consultant at Steelhenge Consulting
enquiries@steelhenge.co.uk
www.steelhenge.co.uk
Making the board sit up and listen

Board members look to business continuity to provide reporting that shows how resilient the organisation is, but BC practitioners must make reporting innovative and cutting edge if it is to be effective, according to Emmeline Skelton and Andrew Austin

We all know that business continuity cannot be sustained without ongoing board-level involvement and input. However, practitioners regularly tell us that they have difficulty in making BCM reports sufficiently engaging to capture the board's attention. This is despite a growing level of interest at the top level in the risks to their business, as demonstrated by PwC's 16th Annual Global Survey of CEOs.

The survey, and our wider experience, suggests that the board are keen to receive assurance that business continuity and wider risk management solutions provide the required level of resilience and protection to meet business objectives. This is clearly at odds with the experience of those BCM practitioners that struggle to engage senior figures. Based on this, it would appear that a fresh approach to reporting is needed.

Without careful thought, business continuity managers can easily get bogged down in too much information: the harder they struggle, the quicker they sink. Countless meeting requests, documents to sign and metrics dashboards can lose their impact as the board do not have the time to absorb it all when balanced against other pressing operational and strategic issues. Practitioners that fail to engage the board often report in far too much detail, misrepresent the board's current concerns or fail to talk in language that resonates at board level.

To achieve greater traction, a more coordinated approach to reporting is required that will reduce the administrative burden on the board and also act to provide a more complete picture of the organisation's resilience capabilities.

Current levels of board involvement
The 2012 CEO perspectives on organisational resilience research paper published by the Commonwealth of Australia measured the importance that CEOs placed on business continuity. One of the findings regarding business continuity managers was that relatively few had achieved effective engagement with their CEOs. Those in business continuity or similar roles with strong CEO engagement were an exception rather than the rule.

In our experience, a significant amount of momentum is associated with the early stages of a business continuity programme. Whether the programme has been developed in response to a major event in the life of the organisation such as a near-miss, a change of board or structure, or in response to a negative audit, the level of senior management attention follows a relatively standard pattern. The decision to create a programme is in the majority of cases spurred by a senior sponsor and carries urgency. At this stage reporting is exciting and dynamic as it involves the creation of something new. However, this momentum is finite. As the programme moves into more routine maintenance the level of interest dips. There is a risk that at this stage reporting begins to lose relevance to the board, becoming less urgent and more mechanistic, undermining the overall profile of BCM. Even the most accommodating board member suffers from a wide range of time pressures, so it is understandable that they would focus on the immediate needs of the organisation.

Imagine if you stepped into the shoes of your board members and viewed business continuity against all of the other operations of the organisation. The meticulously produced business continuity compliance report may be competing for attention with the year-end results announcement, the proposal for funding for a new plant or product, or the acquisition plan for a competitor. Business continuity reporting at this stage is not on the board's strategic radar; the challenge for practitioners is to keep reporting relevant.
Innovation helps you hit the mark
One way of helping to create a strong relationship with the board is to report in ways that add value. Traditionally, we have seen components of operational resilience such as business continuity, risk and security reported in silos. We have noted that companies are asking for more integrated reporting in order to provide a greater level of overall assurance that the organisation is resilient. A good example we follow when we review a company's cyber security arrangements is to provide an assessment of crisis management to provide assurance on prevention, detection and incident response in one report.

Being innovative in the way we report BCM issues, along with good communication, has helped companies leverage business continuity to the board. Outputs of integrated reporting include:
- Boards aligning their risk management functions;
- Development of an operational resilience strategy;
- Integration of business continuity with other key protection functions (crisis management, risk, IT recovery) in order to create one consistent framework and approach;
- Considering organisational behaviour as a key factor underpinning resilience preparations;
- Focusing on hot topics such as cyber security and sustainability to ensure that reporting is cutting edge and in tune with new risks; and
- Disaster risk reduction solutions. Even businesses with established risk management systems in place need to do more to protect themselves against natural disasters.

In reporting BCM in this integrated way you are not only demonstrating to the board how innovative you are but also demonstrating the role business continuity plays as a key driver of building resilience.

Make reporting stand out
Each organisation is unique and your board members themselves will have unique requirements. We often encourage business continuity managers to use reporting to help build a relationship with the board. The ultimate aim is for senior management to know you well enough to understand that if you raise a concern, it should immediately be an item they take seriously. There are a number of steps you can take to use your report to build your relationship as a trusted advisor:

See your board as your strategic partner
In order to build the best relationship with the board, engage with them at the strategic level and do not overwhelm them with detail:
- Provide high-level metrics with an easily understood grading of priorities
- Give a clear and concise story which summarises your position
- Give them the options to follow up with you for details

Maximum impact with limited board face-time
Make your briefings known for delivering what the board needs to know and when they need to know it, and then time with you will be seen as valuable:
- Adapt your meeting length, format and delivery to match what you are trying to explain
- Explain what they need to know and don't go off message
- Communicate quickly, effectively and compellingly

Be clear on what you are trying to achieve
One of the most commonly asked questions when approaching the board is, "What is it that you want us to help you achieve?" Therefore, think about the purpose of the meeting and build it into your briefings:
- What do you need the board to provide you to fulfil your role?
- What steps have you taken to achieve this goal?
- What impact will that have on you, the organisation and its overall resilience?

Emmeline Skelton MBCI and Andrew Austin
Emmeline Skelton MBCI is a business resilience manager specialising in disaster risk reduction and Andrew Austin is a senior associate specialising in business continuity and IT recovery within PwC's risk and business resilience team
@emmelineskelton
pwc.blogs.com/business_continuity/
Keep calm and collect the information

Tom Clark outlines the key stages involved in incident reporting, from the initial collection and validation of information through to the call to action

On 15 April 2013, two bombs exploded during the Boston Marathon causing the deaths of three people and injuring over 250 others. Within minutes of the explosions there was an incredible response as first responders, police officers and bystanders sought to help those affected by the event. Images of the attack were broadcast on social media and across numerous global news channels within minutes, as waves of information surged out from the tragic event via a multitude of sources across a multitude of channels.

From an incident reporting perspective, the immediate challenge in such a trying situation is to seek to establish a clear picture of what has happened and what this means. However, given the overwhelming amount of information available and the level of uncertainty regarding the accuracy of that information, gaining a solid understanding of what has actually taken place can be an overwhelming and almost impossible task in those early stages.

Reporting on an incident
Comprehensive incident reporting plays a key role in facilitating the overall effectiveness of our business continuity management activities. Such reporting will help the organisation to gain a better understanding of the who, what, where, when and how of the particular event. As we all know, in the immediate aftermath of a disruptive event, senior managers want a complete report on their desk as quickly as possible that explains not only what has happened, but also what it means for their organisation.

The four key aspects of delivering effective incident reporting in my view are:
- Accuracy of the information being reported (Summary);
- What exactly does this mean to the organisation (Impact);
- What do I need to do (Action); and
- What can we do to make sure this does not happen again (Mitigation Options).

Information, but at what cost?
During or immediately following a disruptive event or a crisis, people want information and they want it straight away. Depending on the scale of the event, they are faced with a broad range of different types of information. Initial reports can stem from numerous sources, including internal updates, television or radio reports, social media, local government updates etc. However, in these early stages there will always be a high level of uncertainty regarding the accuracy of this data.

A recent example of this was the EF5 Tornado which struck in Oklahoma on 20 May 2013. Initial reports suggested possibly 100 or more fatalities. Within 4-6 hours multiple sources, including local government agencies, were reporting 51 dead, while television pictures showed us the complete devastation left in the
storm's wake. However, during the following 12-24 hours, the death toll was officially reduced to 24 people dead.

The issue of inaccurate information can also arise when dealing with planned events. This was clearly demonstrated during the G8 Summit held in the UK in June. Forecasts of the number of anticipated protest groups and activists significantly increased in the weeks leading up to the Summit, while the ever present threat of a terrorist attack also grew. As a result, during this period police numbers rose considerably as more and more members of the Police Service of Northern Ireland were drafted in, as well as other police resources from agencies such as the Metropolitan Police. However, the event itself passed off relatively quietly with only a small number of protests actually taking place.

Inaccuracy of the facts in reporting not only has the potential to cause undue anxiety, but as the G8 Summit demonstrated can also result in vital resources being deployed unnecessarily.

Hands on information
The United States Secret Service trains all of its agents, especially those protecting the President, in how to achieve absolute confirmation of facts. "Hands on POTUS" is the phrase used when communicating the message that the agent actually has their physical hands on the President of the United States (POTUS). This level of verified confirmation ensures the accuracy of any information their colleagues receive from them.

For many organisations, while the media can be a useful source of information, it must be handled carefully. News media is an integral part of today's global community. It can reach people all around the world within minutes of a story breaking via satellite technology or via the internet, and can have far reaching effects with the potential to influence the actions of individuals, organisations and even governments.

Fact checking is a key part of the code of conduct for most media outlets, normally requiring that they have confirmation from two independent sources, which means that they validate the information. However, given the speed at which many disasters unfold, facts can easily become blurred in the rush to generate information. This is particularly the case if we factor in citizen media, in which the concept of fact checking is certainly not yet an established part of the code of conduct.

Verifying your information
It is imperative that the goal of the incident report is to achieve the highest possible level of information accuracy, particularly given the fact that it will form the basis for any actions to deploy necessary resources. A critical component is therefore the process of verifying the data received and validating all sources.

Where possible, the author of the report should seek to gather data first-hand from the scene of the event. If this is not physically possible, then it is imperative that any sources which are used are people who have actually been to the site and can physically validate the information they are providing. The on-scene person should use photography to record the level of detail potentially missed by verbal descriptions. A common method is to use digital video imagery to capture a 360 degree perspective of the incident.

Incident reporting should never be based on third-hand information or uncorroborated empirical data. Using multiple sources for information is important; however, once again the same process of verification must take place.

Translating the information
The second stage in the incident reporting process is to establish what exactly the particular occurrence means for your organisation: how will it impact your activities? The impact section of the incident report should therefore look at three key areas: people, processes and technology. These sections should tackle the following questions:
- Are employees impacted or disrupted by the incident?
- Are the normal business operations of the organisation interrupted by the incident or event?
- How are the normal processes of the organisation affected?
- Is the supply chain of the business disrupted by the event?
- Are the clients or customers of the business affected in any way?
- Are the premises of the organisation affected? Is there denial of access at any locations?

This information should also include details of when the particular areas were impacted and where. Remember to keep these sections as concise as possible.

The incident report needs to be focused and to the point: it needs to tell the story quickly and outline the necessary action points to respond effectively to the event. The summary should not use any acronyms that have not been clearly spelt out. It should not use dramatic phrases as these can create the potential for an emotional response which may influence how the reader responds to the report. If possible, keep the summaries to one or two paragraphs, as senior management will not have time to read reams of information and will need content which is easily digestible.

Call to action and mitigation strategies
The next step is to create a list of action points based on this information. Too often senior management are provided with Situational Awareness Reports (SIT REPS) but, without a clear call to action, are left with no idea of what they should do next. The report should outline to senior management what steps must be taken in the context of people, processes and technologies to prevent or limit the disruption, or further disruption, to the organisation. Make sure that these calls to action are easy to understand and are tailored to the specific areas of responsibility of those reading the incident report.

Remember that the incident reporting process should not stop here. The next stage should be to outline possible mitigation strategies to be implemented moving forward, designed to remove or reduce exposure to disruption from similar events. The proposed strategies should be ranked in terms of complexity and potential cost. However, your aim is not to solve the issue but rather to help lay the foundations for senior management to establish the most appropriate solution.

At its core, effective incident reporting is about communicating the right information to the right people in the right way and at the right time. It is about communicating to senior management in a clear and concise manner, based on accurate, verified information. What you are providing is the basis for the actions your organisation will take to counter the disruptive impacts of the event it faces.

Tom Clark MBCI
Tom Clark is a director of IT business continuity management, responsible for crisis management, disaster response, emergency preparedness and business continuity
SMEs

A changing climate for SME continuity


Dr Natasha Kuruppu, Dr Pierre Mukheibir and Janina Murta consider
how anticipatory adaptation is critical to the ability of SMEs to deal with
environmental changes

In planning for business continuity under a changing climate, one of the main issues that needs to be addressed is how to establish various roles and responsibilities in such an environment. This is particularly important in the context of small businesses and raises a critical question: do SMEs have sufficient capacity to respond effectively to the challenges they will potentially face?

[Chart: How do you think extreme weather events will change in the future? 75% more frequent and/or more intense; 5% less frequent and/or less intense; 15% no change; 5% don't know]

[Chart: What key challenges does your business face when planning for future extreme events? Bar chart, vertical axis 0% to 25%. The category labels were garbled in extraction (legible fragments include several "Lack of ..." items, "Competing priorities", "Other" and "None") and the values are not recoverable.]

A question of context
A key finding of a recent study in Australia, "Understanding the adaptive capacity of Australian small-to-medium enterprises to climate change and variability", highlights the significance of the contextual processes in the environment in which SMEs operate to enhancing the capacity to adapt to climate change. These contextual processes include the relationships between SMEs and support organisations, and those within support organisations, together with the power struggles which take place between support organisations. The capacity of SMEs to use their resources to build resilience into business continuity, together with their perceptions of climate risks, are also important considerations. Unfavourable combinations of these contextual issues limit the choices that are available to small businesses in preparing and dealing with climatic impacts on business continuity. Such contextual processes have been largely overlooked in formal programmes that aim to build business resilience in Australia. These programmes have tended to be reactive and focus on business recovery during and after disasters. They do little to alter the conditions that generate the underlying vulnerability of SMEs to climate change through efforts such as proactive risk reduction and preparedness or adaptation planning.

An uncertain future
Small businesses comprise 96% of all private businesses in Australia. SMEs play a significant role within society: they provide employment, goods and services, and tax revenue for communities. Historically, business risk management in this sector has coped with climate variability. However, the uncertainty surrounding how future climate change will impact geographic areas and specific sectors signifies the need to re-learn and challenge the way business planning is undertaken.
Climate change, which is projected to increase the frequency and severity of extreme weather events such as drought, storms, floods and bushfires, may result in adverse business outcomes for SMEs in Australia and globally. These include business interruptions through impacts on supply chains, increased investment and insurance costs, and declines in financial indicators such as measures of value, return and growth. After natural disasters, SMEs face greater short-term losses than larger enterprises, and may have lower capacity to deal with natural disasters and other stresses for various reasons.


Anticipatory adaptation
Anticipatory adaptation (i.e., actions taken in advance), through planned interventions to moderate harm or exploit beneficial opportunities, offers one such way to deal with this challenge whilst continuing to meet the economic and environmental performance standards to which SMEs operate. This is critical to not only reduce impacts on SMEs but also take advantage of market opportunities that may arise from certain impacts. For example, in certain instances SMEs may be able to provide the technologies required to help communities adapt.
Global studies have demonstrated that at the macro-level, SMEs that implement effective adaptation initiatives are contributing to driving whole countries towards resilient economies, and this may occur in localised operations, via supply chains, in partnership with surrounding communities and even in collaboration with the global community.

[Chart: What has the business done to avoid this damage/disruption in the future? Bar chart, vertical axis 0% to 18%, open-ended response. Categories: reviewed insurance and extended cover; reviewed weather risks and proofing; audited exposure to extreme events; developed an emergency or disaster plan; implemented a computer data back-up system; other; seek advice from government bodies on what to do; ceased business in high risk areas; nothing; I don't know; re-located business premises; no longer use suppliers in high risk areas. The values are not recoverable from the extraction.]

Areas of vulnerability
The study conducted by the Institute for Sustainable Futures, University of Technology, Sydney and funded through the National Climate Change and Adaptation Research Facility (NCCARF), found that many of the processes which generate vulnerability of SMEs to climate change tend to operate at levels external to SMEs themselves. Specifically, at different tiers of government as well as various support organisations (e.g., chambers of commerce, industry associations, financial institutions etc.). These constraints limit the capacity of SMEs to influence processes affecting their business continuity and in turn convert their adaptive choices into outcomes that will support business continuity under a changing climate.
It is these support organisations and their institutions (i.e. their norms, values and policies) that are likely to influence the types of opportunities that are available for SMEs in making adaptive choices. For example, many non-government organisations (NGOs) are dependent on government grants to offer support programmes such as business advice for SMEs. The tightening of government funding often limits the services NGOs can offer to SMEs. In addition, government agencies funding climate risk reduction programmes for SMEs have limited formal mechanisms for monitoring and evaluating those initiatives, and this reduces the opportunity to improve future programmes for SMEs.

Short-term planning horizons
Many of the SMEs in the study had initiated adaptive strategies to address climate risks related to extreme weather events, and had integrated these strategies into their business plans. However, they did not refer to them directly as addressing climate change. This reflects the short-term planning horizons of SMEs (two to five years), in which climate change is perceived as a long-term issue that lies outside these traditional planning horizons.
Additionally, the process of climate risk assessment has not been formalised into business continuity plans. Certainly, for many SMEs, climate risks are assessed alongside other business risks. SMEs who experience the impacts of extreme climatic events are more aware of climate risks than those who have not. This experience acts as a motivator for introducing measures to adapt to future climate change. Many of the SMEs in this study had experienced extreme events such as bushfires, drought and cyclones, and the direct and indirect impacts of these events had changed their operating environment and had left them vulnerable to future impacts.
Key resilient elements to building the capacity of SMEs to adapt to future stresses include: their self-organisation capacity, strong social networks, strong beliefs in their own ability to deal with stressful events and social learning from past experiences. Central to all of these is the ability of SMEs to access opportunities (e.g., funding to develop new marketing strategies) and shape processes (e.g., the rigid criteria in accessing disaster funding) that support business continuity.

[Chart: To what extent do you believe changing climate is a problem for Australia? 30% not at all; 21% somewhat; 36% very much; 10% completely; 5% I don't know]

The capacity to adapt
The research found that many of the measures required to enhance the business continuity of SMEs under climate change can be integrated into existing processes and networks. For example, emphasising long-term and structured disaster recovery through building stronger partnerships between local government and industry associations to encourage information sharing related to the needs of particular SME sectors.
The success of efforts to build the capacity of SMEs to adapt to future climate and related stresses will depend on how they address the processes which shape the ability of SMEs to pursue adaptive choices that they value.

Note
A copy of the final report from the study can be downloaded from the following site: http://www.nccarf.edu.au/publications/understanding-adaptive-capacity-Australian-SMEs

Dr Natasha Kuruppu, Dr Pierre Mukheibir and Janina Murta
Dr Natasha Kuruppu is senior research consultant, Dr Pierre Mukheibir is research director and Janina Murta is research consultant at the Institute for Sustainable Futures, University of Technology in Sydney, Australia
natasha.kuruppu@uts.edu.au
www.isf.uts.edu.au

Getting back up after Sandy

Nigel Allen assesses the damage done to small businesses in the aftermath of hurricane Sandy and looks for signs that it has raised awareness of the importance of preparedness

Everything about hurricane Sandy was big. It was the largest recorded Atlantic hurricane, with a wind diameter well over 1,000 miles, warranting the title of "Superstorm". It was the second costliest storm on record, with overall losses topping out at almost $70bn while insured losses were approximately half that figure. In total, it claimed 285 lives and affected seven different countries and some 24 different states in the US.
However, in terms of its impact from a business perspective, it is at the smaller end of the market that Sandy has perhaps caused the greatest devastation. Between 60,000 and 100,000 small businesses in the US were negatively impacted by Sandy, the US Chamber Foundation's Business Civic Leadership Centre said in January, with almost a third of that number expected to fail in the months following the announcement.
Yet despite this fact, some recent studies have shown that many small companies are not learning lessons from the storm, and even those directly affected do not believe that they will be exposed to such a disruptive event again.

It won't happen to me
A survey of 200 SMEs conducted by the American Red Cross and FedEx in February of this year revealed that fewer than 10% of small businesses surveyed had taken any disaster preparedness action based on the disruption caused by Sandy. Of those companies which had been impacted by the storm or other disasters in 2012, approximately 50% were confident that they would not be affected again in the next five years; while 70% of all SMEs surveyed said they did not believe that they would ever experience a major disaster.
A more alarming poll was conducted by Alibaba.com, Vendio and Auctiva in the aftermath of Sandy. The survey, which looked at the extent to which small businesses were prepared for natural disasters, found that almost three quarters of the 600 SMEs surveyed had no disaster recovery plans in place. Furthermore, 84% did not have natural disaster insurance. When asked how long it might take their organisation to recover from a natural disaster, over one third had no idea, while 30% said it would take over two weeks, with almost half of that figure saying the recovery time could be beyond one month.
While it is difficult to read too much into these figures, given the number of participants and the wide extent of the survey net, it does appear to support the ever present concern that business continuity or resilience measures are often to be found on the "to do" list of many smaller organisations.

Counting the cost of Sandy
According to the Hartford 2013 Small Business Pulse: Storm Sandy report, over three quarters of the 451 SMEs they interviewed who experienced disruption due to the catastrophe had to close their premises. In total, 44% were closed for longer than one week, with over a third of that number having the "closed" sign up for longer than two weeks. Approximately one third of respondents described the impact of the storm on their business as significant, with just over half experiencing a loss of sales or revenues. In terms of the main challenges faced during or after Sandy, 65% experienced customer issues, 47% employee issues and 44% supplier issues.
At a more granular level, and perhaps painting a much more graphic picture than any series of percentage figures can, the Wall Street Journal ran a series of articles charting the attempts of a number of small businesses to get back onto their feet in the months after the event. In the first series of articles, which ran in November 2012, they focused on four small companies trying to recover. In each case, uncertainty was the key word. One wine retailer has seen its wine delivery per week fall from 1,500 cases to zero, while a second company, a bakery, had had to postpone its launch as their premises had been badly damaged.
Six months later, the paper updated its readers on their progress. The owner of the wine retailer had witnessed a 45% drop in quarterly sales between Q1 2012 and Q1 2013, had lost one of their biggest suppliers and was, in her own words, "back to square one" promoting her company at trade shows. The owner of the bakery had had to reduce her sales forecasts for 2013 by 44% and fork out for a major refurbishment of her premises. She has failed to secure a business loan, but fortunately her three temporary staff had stood by her and her landlord had not charged her for rent on the bakery.

Financial support
For many small companies, state loans have become the crutch that they need to get back on their feet. To facilitate the recovery process, a series of emergency loan facilities were set up. There have been mixed reports on just how successful these have been.
In a report released in May by the Democrats on the Small Business Committee on the performance of the relief efforts in the wake of Sandy, it stated that business loan approval rates by the Smaller Business Association (SBA) were at near-record lows of just 24% and that over one third of businesses withdrew their applications. Furthermore, loan processing times were significantly longer, with businesses experiencing average delays of 46 days. Where loans were approved, disbursement was slow, with only 14.7% of loans ($215.5m) having been disbursed by the end of Q1 2013.
Commenting on the findings of the report, Rep. Nydia M. Velázquez (D-NY) called on the Government Accountability Office (GAO) to assess the SBA's response and performance related to Superstorm Sandy. She said: "After natural disasters, local economies are often decimated and it is vital that the small business sector be revitalised quickly", adding that, "For a business struggling after a Hurricane, getting an immediate infusion of emergency capital can make the difference between staying in business or going under."
For those awaiting an insurance pay-out, the story was a similarly disappointing one. While it was reported by the Insurance Information Institute that by April the insurance regulators in New Jersey and New York had reported that insurers had settled 93% of claims received following the storm, what this figure did not show was that some 20% of claims were closed without payment, whether due to coverage issues in the policy or because the loss did not reach the deductible level.

Preparing in advance
For many smaller organisations, access to capital in the aftermath of Sandy, whether in the form of a loan or an insurance pay-out, has been vital. However, what these delays or denials of access to such funds demonstrate is that, rather than relying on a financial help-up, smaller companies must have business continuity firmly embedded in their company make-up to ensure that they can continue even if the emergency funding fails to materialise.
The Hartford study asked respondents who were disrupted by Sandy to outline what steps they took in advance of the storm hitting to help reduce its impact. The steps included:
Created back-up copies of critical data and programmes: 25%
Prepared an emergency kit with essentials: 20%
Protected their buildings from the elements: 20%
Protected vital business records: 17%
Created an updated list of emergency contact numbers: 15%
Enabled records and data to be accessed at other locations: 15%
Purchased a generator: 14%
While these figures may seem quite low, this may be reflective of the fact that many organisations in the days leading up to Sandy making landfall simply refused to believe that the storm would affect them.
What is perhaps of greater concern is whether it was the threat of Sandy that was making them take these steps for the first time. These measures should all be standard practice within any small business, forming part of a basic resilience strategy.
When asked what advice they would give to small business owners based on what they had learned from Sandy, almost a quarter of respondents highlighted the importance of reviewing your property insurance coverage. Twenty one percent said they should invest in a generator, while 15% urged owners to create a back-up of their important records. Fourth on the list, with only 14%, was to put in place a business continuity plan. While insurance clearly has an important role to play, and generators are vital if the lights go out, it is the effective business continuity or preparedness plan that will give small business the strongest fighting chance of emerging from the rubble of a disaster.
Commenting on the lack of preparedness demonstrated by the findings of the FedEx and American Red Cross study, Tom Heneghan, manager of preparedness for the American Red Cross, said: "Preparedness is a lot like working out and eating healthy; people know they should do it, but it's not always at the top of the list. Developing an emergency preparedness plan is one of the most important strategic decisions a small business owner will make."
It is often said that it is only when the worst happens to an organisation that the importance of having BCM plans in place is really driven home. In the aftermath of hurricane Sandy, there have been numerous reports released outlining the lessons that have been learned from the devastating events that took place in October 2012. Whether or not these lessons have actually been learned remains to be seen.

Nigel Allen
Nigel Allen is editor of Continuity
Boosting the efficacy of your programme

Frank Perlmutter explains how business continuity metrics are an essential component in establishing the real value of your BCP

Metrics are essential to enable you to continually measure the quality, effectiveness, efficiency, and progress of your business continuity programme (BCP). Choosing appropriate, objective metrics to evaluate your programme against will help you pinpoint operational vulnerabilities, gauge recovery capabilities, and improve your overall BCP. Documenting those results can also help demonstrate the value of the process within your organisation and elevate the perception of your role as a true business continuity manager, not simply a traditional plan generator.
In this article, we aim to provide some guidelines for evaluating and improving the use of metrics, with the goal of enhancing your BCP or taking it to an entirely new level.

What should you measure?
It is important to consider which metrics have the most value to various decision-makers. We can classify those metrics into three major categories:
Organisational metrics assist in pinpointing your organisation's operational inefficiencies, vulnerabilities, and risks. They identify the most critical business functions and the infrastructure resources that support those functions, and can transform your BCP from a subjective determination to an objective calculation of risks and impacts. To your decision-makers, facts should always prevail over opinions.
Business continuity programme metrics examine the time and steps taken to complete the planning process and determine the plan's conformity to accepted standards and best practices.
Resilience metrics explore BCP effectiveness by measuring how long it takes to recover from any downtime-causing event, and how effective the resilience plans are in mitigating losses.

Organisational metrics
It is imperative that you think about how your decision makers view the mission of business continuity. If a disaster strikes, different people within your organisation will have different priorities. For example, your COO will probably think about people and processes first and foremost. However, your CFO will be focused on getting revenue-generating processes back online first, such as your online shopping cart and your receipt and processing of customer receivables. Your CIO will think in terms of applications and systems and loses sleep over the possibility of data loss. Your facilities manager will primarily care about physical assets being safeguarded. Your CMO, who would keep CRM data in a lockbox if that were possible, might see access to customer and prospect information as a top priority.
BCM Metrics

There are plenty of people, processes and technologies that need to be part of your BCP; yet only the most critical can be recovered as a top priority. Here are some questions that can help you make the right choices:
What are your most critical operational activities?
What is the impact of downtime for each of these?
How long can the company go before it sees negative impact on sales and operations?
What are the most important IT infrastructure components and data?
Who (internally and externally) are the most critical personnel in terms of operations?
What are the highest risk hazards to the organisation?
Those questions will have different answers depending on who you ask, so investing in software that objectively evaluates such criteria is an idea worth considering.
Business Impact Analysis (BIA): A good BIA can help you determine priorities by taking stock of the financial costs and qualitative impacts associated with disruptions (e.g. lost revenue, damaged reputation, reduced cash flow, legal impacts, etc.). It should revolve around business operations and answer most questions that your leadership asks.
A common, but perhaps misdirected, approach is to begin with gauging the impact of supporting infrastructure (e.g. IT, people, and vendors) without understanding how they support business operations. A better approach would be to start with an understanding of business operations, determine those that are critical, and subsequently gauge the importance of how supporting resources impact your most critical business functions.
Recovery Time Objectives (RTOs): The RTO is probably the most prominent metric used in BCP. Good RTOs provide insight into what is most critical to your organisation, and define when business functions and resources need to be operational following a disaster. Exceeding an RTO means absorbing unacceptable impacts to your organisation. A myriad of benefits can be gained from RTO metrics, from prioritisation of recovery, to mitigation investments, to spotting under performing processes and resources.
With such an important metric, a sound process is key to its calculation. RTOs should be based on fact, not opinion. Asking people what they subjectively think the RTO should be is not effective. Because it can be difficult to determine RTOs objectively, consider BCP software that automates the calculation of these metrics.

Tips on leveraging BCP metrics
Gathering data:
Ask department heads pointed questions
Survey employees (keep it short and sweet)
Observe people and processes (this can be time well-spent)
Study industry benchmarks/analyst reports
Collect internal data (like financials)
Presenting results:
Keep charts simple and explanations short
Communicate results that are relevant to your audience
Match the appropriate metrics to the stakeholders who have accountability
Be prepared to make succinct recommendations to executives (remember, you are the expert)

Business continuity programme metrics
The next set of metrics to consider is BC programme metrics. Here are some important questions for determining the status of your plan and the efficiency of your BCP process:
What is the progress in completing your planning?
How long does it take to write a plan?
How well does our BCP comply or conform to standards and auditor criteria?
How well has the plan been conveyed to the organisation?
What is the awareness of the plan among the organisation at large?
What portion of our plan is overdue for re-evaluation?
All of these metrics can be tracked, scored, and summarised. It is important to identify your expected results and gradually improve to complete BCP tasks in less time, or to conform more closely to industry standards.
One of the most difficult aspects of being a BC professional is obtaining budget to improve a BCP. The appropriate metrics can assist in justifying returns on software tools, additional personnel, or outside assistance. Presenting in plain language and gauging returns against costs of ownership can get you what you need to excel in your BCP.

Resiliency metrics
Finally, resiliency metrics are necessary to ensure the efficacy of your programme and gauge preparedness in the face of a disaster. Some questions to answer include:
How long does it take each of your teams to recover?
How effective are your mitigation strategies in limiting quantitative and qualitative impacts?
It is no secret that plan exercises are essential to an effective BCP. However, many exercises that are set up as pass/fail tests do not provide a useful resiliency metric. Tracking each process or department's time to recover evaluates not only the quality of your BC plan, but also the ability of recovery personnel to execute that plan. For example, if six hours is the RTO for a business function, but your test exercise proves it actually takes 12 hours to recover, that is a clear signal that the recovery plan needs improvement or additional mitigation measures need to be put in place. IT, personnel, and vendors can be similarly evaluated on their respective capacities to meet the RTOs of the business functions they support.

Moving forward
Like BC planning, developing BCP metrics is hard work that is never really finished. It is an ongoing process that needs periodic revision to ensure that you are monitoring and measuring the appropriate metrics in your ongoing effort to improve BCP and its real value to your organisation.
Having your BCP metrics evolve in terms of their sophistication and their reflection of changing organisational priorities can help you uncover deeper, more revealing insights into the inner workings of your organisation. That will help you keep pace with changing trends and needs and strengthen your role as a true risk manager within your organisation.

Frank Perlmutter MBCI
Frank Perlmutter CBCP, is co-founder of Strategic BCP and ResilienceONE BCM software
www.strategicbcp.com
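The two metrics the article turns into numbers, recovery time measured in an exercise against the agreed RTO (the six-hour objective that actually takes 12 hours) and the share of plans overdue for re-evaluation, can be scored from a plain exercise log. The Python below is an added example written for this page; it is not code from the article, from Strategic BCP or from ResilienceONE. The business functions, hours and review dates are constructed sample data, and the 365-day review interval is an assumed policy value, not one the article states.

```python
"""Score recovery exercises against RTOs and flag stale plans.

Added example, not from the article. All functions, hours and dates in
SAMPLE_RESULTS are constructed; the one-year review interval is assumed.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class ExerciseResult:
    function: str          # business function that was exercised
    rto_hours: float       # recovery time objective agreed with the business
    measured_hours: float  # time to recover observed in the exercise
    last_reviewed: date    # when this function's plan was last re-evaluated


# Constructed sample data (hypothetical functions and values).
SAMPLE_RESULTS = [
    ExerciseResult("Online shopping cart", 6.0, 12.0, date(2012, 3, 1)),
    ExerciseResult("Customer receivables", 8.0, 7.5, date(2013, 5, 20)),
    ExerciseResult("Email and collaboration", 4.0, 4.0, date(2013, 1, 15)),
    ExerciseResult("Payroll", 24.0, 30.0, date(2011, 11, 2)),
    ExerciseResult("CRM access", 12.0, 9.0, date(2013, 6, 30)),
]

# Assumed reporting date for the review-age calculation.
AS_OF = date(2013, 7, 1)


def rto_shortfalls(results):
    """Hours by which each function missed its RTO (0.0 when it was met).

    The article's case, a six-hour RTO recovered in twelve, scores 6.0.
    """
    return {r.function: max(0.0, r.measured_hours - r.rto_hours) for r in results}


def rto_compliance_rate(results):
    """Fraction of exercised functions recovered within their RTO."""
    if not results:
        return 0.0
    met = sum(1 for r in results if r.measured_hours <= r.rto_hours)
    return met / len(results)


def worst_offenders(results, limit=3):
    """Functions that missed their RTO, worst first.

    Ranked by measured/objective ratio so a short RTO missed badly
    outranks a long RTO missed slightly.
    """
    missed = [r for r in results if r.measured_hours > r.rto_hours]
    missed.sort(key=lambda r: r.measured_hours / r.rto_hours, reverse=True)
    return [r.function for r in missed[:limit]]


def overdue_for_review(results, as_of, max_age_days=365):
    """Plans whose last review is older than max_age_days on the given date.

    This answers the programme-metric question 'what portion of our plan
    is overdue for re-evaluation?'; the 365-day interval is an assumption.
    """
    return sorted(r.function for r in results
                  if (as_of - r.last_reviewed).days > max_age_days)


def programme_summary(results, as_of):
    """One dictionary a BC manager can put in front of decision-makers."""
    overdue = overdue_for_review(results, as_of)
    total = len(results)
    return {
        "functions_exercised": total,
        "rto_compliance_rate": round(rto_compliance_rate(results), 2),
        "worst_offenders": worst_offenders(results),
        "overdue_review_fraction": round(len(overdue) / total, 2) if total else 0.0,
        "overdue_plans": overdue,
    }


if __name__ == "__main__":
    for key, value in programme_summary(SAMPLE_RESULTS, AS_OF).items():
        print(f"{key}: {value}")
```

Each exercise record feeds both metric families at once: the shortfall and compliance figures are resilience metrics, while the review-age check is a programme metric, so the same log supports both the RTO conversation with the business and the "how current is the plan" question an auditor will ask.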

Case Study

The flight to resilience

An airport provides an extremely challenging environment for implementing and maintaining effective business continuity plans, explains Keith Prabhu

Air transport has today become more of a necessity than a luxury. One could hardly imagine in 1903 when Wright Flyer I took flight that air transport would become such an important part of our lives. However, alongside its growing importance has come the need to handle the complex logistics that underpin it. Airports have sprung up all over the world to cater to our needs, and while aircraft are the means that enable us to travel, it is these hubs of activity that have facilitated the standardisation of the air travel process and made it available to as many as possible.
Air transport has also become critical to the economy of every country. While international airports enable cross-border transport, domestic airports enable intra-country trade. Hence an airport is not just a critical asset to the airport operator (private or public) but also to the country. Any disruption of airport operations has serious repercussions. In addition to the direct impact on the country's economy, there is also a negative impact on the country's reputation. It is for this reason that airports are classified as part of Critical National Infrastructure by governments across the world and are accordingly protected.
While most risks can be objectively evaluated and mitigated, business continuity management is needed to mitigate the impact of those risks that cannot be easily predicted and accurately quantified. This article seeks to outline one of the approaches to implementing BCM at airports and encapsulate some of the insights gained from this process.

Understanding airports
The airport ecosystem is incredibly complex. There are a large number of entities, both private and government, that need to interact with each other to ensure successful airport operations. This also includes the private agencies like baggage handlers, transport companies, fuel companies and commissionaires, which are closely intertwined to facilitate the smooth running of the airport. In fact, in this symbiotic system, the actual airport operator is significantly constrained. It cannot unilaterally take decisions without approvals from government bodies. In matters of security and operations, the airport operator is heavily regulated not just by national but even international organisations.
One of the biggest challenges in implementing BCM for airports is integration of government functions into the overall BCM strategy. These include the immigration and customs departments that also need to understand the need for BCM. At times, they are slow to appreciate this need and hence it is difficult to get them on board. In international airports, matters are further complicated by the need to segregate those who have passed immigration check from those who have yet to do so. Potential contamination of passengers is a nightmare scenario for airport operators and government agencies alike.
Airports also have unique and expensive equipment for which redundancy cannot be easily built in. One such example is the machine required to clean the runway. Constant landing of aircraft leaves rubber residue on the runway. This reduces the friction that is required for safe landing and takeoff of aircraft. As per national and International Civil Aviation Organisation (ICAO) regulations, the rubber residue needs to be removed to ensure safe friction levels. The machines that are required to perform this operation are usually quite cost prohibitive. Having spare machines is an expensive proposition.
Furthermore, in a similar manner to manufacturing facilities, airports are faced with physical constraints. For example, they cannot be relocated in case of a disaster! Many of the airport processes are also physically constrained, with only a few that can be virtualised and moved to an alternate geographical location.
With constraints like these, BCM in airports requires a pragmatic approach. Of course, considering the criticality of the facility, one could argue that money should not be a constraint when planning for BCM. However, ground realities are different (no pun intended). Airports are a business just like any other. While being an important national infrastructure, they are primarily run to make money. Any BCM activity should keep in mind the basic cost/benefit equation.

BCM approach for airports¹
One of the first steps in implementing BCM at airports is to begin working with the risk management team. Risk management is a key part of every airport's operational activities. Airport risks are usually already defined and controls have already been put in place as prescribed by regulatory bodies. This is because each airport is part of the overall air transport ecosystem consisting of components such as aircraft, flight paths, airports etc. This enables a level of global standardisation across airports; without this it would prove difficult to fly an aircraft from Airport A to Airport B.
The first step in any BCM implementation at airports is to meet up with the person responsible for risk management. This is required to achieve several key objectives:
To understand the current status of continuity planning at the airport
To understand where BCM will dovetail into the risk management function
To provide assurances to risk management that the BCM programme will not trespass into the risk management domain
The last point is important from a change management point of view. This enables smooth conduct of the BCM engagement, with the risk management team willingly playing a constructive role.
At this stage, one also needs to clearly define the BCM policy and establish who will lead the BCM function. In cases where an external consultant is handling the BCM implementation, it is important to involve a senior internal resource at this stage. This person will ideally lead the BCM function once the

Professional
Liability
Insurance

We know that providing the best


possible service to your clients is
your priority. Towergate Professional
Risks priority is looking after you. Your
Company
needs

Contact us today
YOU
to buy a
visit us at:
www.towergateinsurance.co.uk/liability/professional-liability-insurance
or call: 01438 735 251
e-mail: PRsales@towergate.co.uk
iStockphoto.com/lorrainedarke

Towergate Professional Risks and Towergate Insurance are trading names of Towergate Underwriting
Group Limited Registered Office: Towergate House, Eclipse Park, Sittingbourne Road, Maidstone, Kent
ME14 3EN. Authorised and regulated by the Financial Conduct Authority.
Documents and equipment prepared and ready
Gold, Silver and Bronze Levels; Make BCM visible
Hold a BATTLEBOX behind reception
@TowergateProf Visit www.battlebox.biz or call +44 (0) 1253 788 181

36 Continuity Q3 2013
Case Study

another airport. Of course, there may be instances in certain countries where


other airports could provide a fall-back position when they are located within
a short geographic distance. However, when dealing with a major international
airport, with no other airport close by, you need to focus your efforts on
prevention rather than redundancy.

Eureka moment #3
Airport processes are not as virtualised as processes in the financial industry, for
example. They are physically constrained by the airport location. Even departments
like human resources are located within the airport premises while they can be
easily virtualised. This makes it difficult to plan relocation strategies even for
processes that dont necessarily need to be physically carried on at the airport.

consultant completes his/her job. Eureka moment #4


It is also important to establish an understanding of Airports have a large number of suppliers. Due to the unique nature of services
the culture of the organisation at this stage: provided, it is difficult to plan for alternate suppliers
How open are staff to new concepts? Keeping these constraints in mind, some of the continuity measures that can
Do they know about BCM? be suggested for airports include:
Do they consider it important? Prevention: Great care needs to be taken to prevent incidents in the first place.
Is this entire exercise just part of an audit requirement? These include having mitigation measures for incidents like fires, bird hits etc.
What awareness methods will work? Spares: While it may not be possible to have standby equipment, it may be
possible to maintain critical spares. This is a cheaper and feasible option.
Analysing the situation Process virtualisation: Processes that do not need to be physically carried
As with any BCM programme, analysis takes the out at airports should be virtualised. This does not necessarily mean that they
most time. Performing business impact analysis (BIA), should be done offsite. It means that it should be possible to carry them out
continuity requirements analysis (CRA), and risk from offsite locations, if so required.
assessments (RA) is a challenge at the best of times. IT disaster recovery: With IT systems playing such a key role at airports, it is
In the case of airports, this is further complicated by absolutely essential to have a strong IT disaster recovery strategy in place.
the real-time nature of the environment. Operations Alternate suppliers: It is important for airports to maintain alternate supplier
staff are always on their toes and need to be available lists or even have a multi-supplier strategy. At the very least, supplier
immediately to handle any incident. Getting process contracts should include necessary BCM clauses.
owners to sit through a 45-minute interview is a
challenge. Also follow-up interviews and BIA sign-offs Implementation and validation
can pose significant challenges. During the implementation phase, awareness is the key to success. One of the
The key precaution that one needs to take at this challenges to raising awareness about the BCM programme is the size of the
point is to plan BIAs so that there is not much iteration. organisation. Traditional methods like class-room sessions do not work. Instead,
One needs to read the process manuals well in advance techniques like posters, e-Learning and online assessments need to be explored.
to understand the various processes at airports. One of During this phase, it is important to keep a strong grip on the timelines.
the key learnings at this stage is the sheer number of Given the pressures of running airport operations, it is difficult to implement
acronyms and jargon associated with airport operations. continuity measures. The only way out of this dilemma is to either add
It is important to create a bibliography of airport terms more resources to specifically handle continuity-related tasks or factor these
so that BIA interviews can become smoother, without responsibilities in as part of each persons daily schedule.
the need for explanation of basic concepts. You must Validation of the BCM implementation is of utmost importance to get
be familiar with airport operations before meeting up assurance that the business continuity plan will work in a disaster situation.
with process owners. Unless you have a good grasp of Airports normally have a well-defined exercise schedule as part of emergency
airport speak, process owners can become quickly drills. Planning for BCM tests and exercises should follow a similar approach to
dismissive of you. Further, an attitude of respect is avoid it becoming a standalone activity.
important to get information at this stage. The process
owners are hardened airport professionals who have Up, up and away
lived to tell the tale. Planning for business continuity at airports is a challenging task. The inherent
real-time, location-constrained nature of airports, coupled with the high cost of
Designing the programme continuity measures, call upon not just the technical but also the creative skills
As one completes the analysis phase, there are several of BCM practitioners. As with all BCM programmes, due diligence needs to be
Eureka moments that occur. As a BCM professional, exercised as life and property is at stake.
you soon realise the constraints in designing business
continuity measures. Note
1. The approach described in this section largely follows the BCIs BCM Lifecycle.
Eureka moment #1
The views presented in this article are the personal views/opinions of the author and
As mentioned earlier, the cost of putting in continuity not of the organisation he represents. The content is for information purposes only.
measures at airports can be prohibitive. While airport
management many have budgeted for the BCM project,
iStockphoto.com/lorrainedarke

they may not have budgeted for the BCM programme


Keith Prabhumbci
that includes continuity measures.
Keith Prabhu is an executive director at Confidis
Eureka moment #2 www.confidis.co
However much you plan for continuity, one constraint keith.prabhu@confidis.co
will always remain. You cannot easily relocate to

Q3 2013 Continuity 37
Security

Information in an unsecure world

Recent high profile cases have served to drive home the value of effective data security. Patrick Mcilwee considers some of the control measures companies should implement.

There are a multitude of reasons why organisations seek to maintain the strictest levels of control over their prized information. The increasing amount of confidential data they store on staff, clients, suppliers and others brings with it regulatory demands to protect it, plus fines and potential reputational damage for failing to do so. Information relating to new products or processes, trade secrets, recent transactions or deals could, if exposed, result in financial losses, damage the share price or give away competitive advantage. At the highest level, sensitive information relating to government activities can create tensions between territories and put lives at risk.

In response, companies, bodies and governments have been implementing ever more stringent security procedures to protect their data. However, over the last few years there have been a number of very high profile instances where these systems have been breached and sensitive information has entered the public domain. This data has been brought into the light without the necessary controls in place and without the public having a clear understanding of the nature or the context in which it was compiled, causing significant consternation as a result.

The people responsible for releasing this information have been viewed by the public as either heroes or villains, depending on where the commentator stands from a geopolitical or corporate perspective. While this raises a number of interesting issues, the purpose of this article is not to explore what has driven the whistle-blower to take such actions, but rather to explore the issues such activities raise from a continuity or resilience standpoint.

As with most situations we face, prevention is better than cure. This therefore focuses our attention on the issue of information security. Who has access to what? What controls do we have in place to prevent such information being released without permission into the public domain? These are the primary questions that need to be addressed.

One of the very important characteristics of the recent incidents is the fact that those responsible for releasing the data were people who already had access to it and were trusted by their organisations. This shows that, in these instances, the vetting processes for personnel were not effective at mitigating the risk. This particular issue warrants an article in itself; however, for the purposes of this piece we will focus on some of the other forms of control that companies can and should implement.

Information control

Many of the controls that companies put in place come in the form of both hardware and software solutions. Examples of such measures might include: putting USB locks on desktops; implementing strict administration controls to limit access to data; restricting which files can be copied or emailed. All of these measures can play a key role in limiting your exposure to data loss, but rather than looking at specific steps you can take, I want to focus attention on the requirements laid down in ISO 17799, which provides a code of practice for information security management. (ISO/IEC 17799 was renumbered as ISO/IEC 27002 in 2007; the ten points below are the critical success factors listed in the standard's introduction rather than its control clauses.)

The standard sets out ten components that it deems essential to establishing a high standard of information security within your organisation. I have listed these below and have included some of my own thoughts on each of them.

Information security policy, objectives, and activities that reflect business objectives
Make sure that the policy you implement is fit for your organisation. The requirements should be specific to the demands and exposures of your business and the environment in which you operate. I would strongly recommend that you develop your own policy from scratch rather than simply downloading a template that you then look to amend.

An approach and framework for implementing, maintaining, monitoring and improving information security that is consistent with the organisational culture
Ensuring that your information security policy is embedded within your organisation's culture is as important as the document itself. You not only have to sell the benefits of playing your part, but also put in place measures to maintain support for the policy moving forward. Continuous monitoring is also critical to spot deficiencies in the policy and to ensure that it remains fit for purpose given any changes that may have occurred across your organisation. Make sure that you are always on the look-out for ways to further enhance the level of information security you have.

Visible support and commitment from all levels of management
Do as I say, and as I do: you have to lead the way. Your management must demonstrate their full commitment to the strategy and not just give it an initial 10 minutes of their time; they must set a clear example for all to follow. It must become an integral part of standard management practices across the company. Remember that failure on their part to do so could result in dire consequences for themselves and the company as a whole.

A good understanding of the information security requirements, risk assessment and risk management
It is imperative that you have a clear understanding of the controls which you currently have in place and the controls that you can put in place. It is about ensuring that your information security strategy is precisely aligned with your risk profile. Make sure that all security measures are regularly tested. It is also important to remember that information security is not restricted to IT systems; it is about managing all types of sensitive information in all formats, whether digital files or hard copy documents.

Effective marketing of information security to all managers, employees and other parties to achieve awareness
Once again this comes back to how you sell information security. Is it just another process handed down from top management, or is it something in which each member of staff has a key role to play and acknowledges that role? In many of the recent cases of information being released to the public, the issue was not so much with the information security systems in place, but rather with the controls in place for those with access to the data.

Provision to fund information security management activities
Information security does not necessarily require spending a lot of money, but you must be sure that the funds you have available are sufficient to cover the measures needed based on your risk assessments. Remember that in some cases solutions can be implemented that cost nothing. It's about having the right controls in place, whether they cost thousands of pounds, hundreds of pounds or nothing at all, and making sure that they are used effectively.

Distribution of guidance on information security policy and standards to all managers, employees and other parties
It is essential that all information relating to what people can and cannot do with regard to company information is documented and clearly communicated to everyone within the organisation. You may also wish to review your knowledge management to make sure that there are no gaps in your access controls.

Establishing an effective information security incident management process
Your incident management processes must reflect the level of exposure your company faces. An audit should form the foundations of any strategy, as this will help ensure that such processes don't end up becoming a sledgehammer to crack a nut.

Implementation of a measurement system that is used to evaluate performance in information security management and feed back suggestions for improvement
This process should involve people from across your organisation; remember that they have a stake in protecting information too, as some of it relates to them. Constantly monitor and evaluate the effectiveness of your systems and procedures, and get feedback from your staff.

Providing appropriate awareness, training and education
Training is an essential part of your efforts to embed an information security plan. Use it to explain your policy, how it works, what the benefits are and what each person's role is. Make this training part of their KPIs and link it to their bonus: if they don't participate in or implement the training then they don't receive their bonus. Once people know this, you may well find renewed interest in your information security efforts.

All ISO standards state the need for continuous improvement, and information security is no different. This is not only about looking at what your organisation is doing, your policy and how it works, but also about benchmarking against your competitors and the sector as a whole. Have other similar companies experienced breaches recently? How would your organisation hold up under similar circumstances? It happened to them; make sure it doesn't happen to you.

Information security is not about imposing some form of 1984-type system to monitor the activities of all your staff. It is about putting in place the right controls for your organisation, controls which serve to limit access to the right people and that are set at the right level for the risk that a release of that information would cause. Remember, though, that no matter how watertight your security controls are, all it can take is one whistle-blower to see all that information flooding out.

Note
The views expressed in this article are the author's own.

Patrick Mcilwee FBCI
Patrick Mcilwee FICPEM is director of resilience, legislation and enforcement at Syndicus Information Security LLP
www.syndicusis.com
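The article's central questions, who has access to what and whether there are gaps in the access controls, are answered in practice by a periodic entitlement review: the access people actually hold is compared against what their role is supposed to allow, and anything outside that baseline, still held by a leaver, unused for months, or combining duties that should be separated, is flagged for a decision. The following is an added example, not code from the article or from Syndicus Information Security, showing one way to run such a review. The role baseline, the separation-of-duties pairs, the entitlement export and the user names are all constructed for illustration; in a real review the export would come from the directory or application in question.

```python
"""Entitlement review against a role baseline.

Added example, not code from the article or from Syndicus Information
Security. The role baseline, the separation-of-duties pairs and the
entitlement export below are all constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date

# Hypothetical baseline: the data classifications each role may reach.
ROLE_BASELINE = {
    "hr-analyst": {"staff-records"},
    "sales": {"customer-data", "deal-pipeline"},
    "sysadmin": {"system-config"},
    "finance": {"ledger", "deal-pipeline"},
}

# Separation-of-duties pairs: no one person should hold both (illustrative).
SOD_CONFLICTS = [("ledger", "system-config")]


@dataclass(frozen=True)
class Entitlement:
    user: str
    role: str
    classification: str
    last_used: date  # last date the access was actually exercised


def review_access(entitlements, disabled_users, today, dormant_days=90):
    """Return sorted (user, finding, detail) tuples for everything a reviewer
    should act on: access outside the role baseline, access still held by a
    disabled account, access not exercised for more than dormant_days, and
    separation-of-duties conflicts across a user's combined entitlements."""
    findings = []
    held = {}  # user -> classifications the user actually holds
    for e in entitlements:
        held.setdefault(e.user, set()).add(e.classification)
        if e.classification not in ROLE_BASELINE.get(e.role, set()):
            findings.append((e.user, "excess",
                             f"{e.classification} is not in the baseline for role {e.role}"))
        if e.user in disabled_users:
            findings.append((e.user, "disabled-user",
                             f"account is disabled but still holds {e.classification}"))
        else:
            idle = (today - e.last_used).days
            if idle > dormant_days:
                findings.append((e.user, "dormant",
                                 f"{e.classification} not used for {idle} days"))
    for user, classes in held.items():
        for a, b in SOD_CONFLICTS:
            if a in classes and b in classes:
                findings.append((user, "sod-conflict", f"holds both {a} and {b}"))
    return sorted(findings)


# Constructed sample export, not real data.
SAMPLE_ENTITLEMENTS = [
    Entitlement("alice", "hr-analyst", "staff-records", date(2013, 7, 1)),
    Entitlement("bob", "sales", "customer-data", date(2013, 7, 2)),
    Entitlement("bob", "sales", "staff-records", date(2013, 6, 30)),    # outside baseline
    Entitlement("carol", "finance", "ledger", date(2013, 7, 3)),
    Entitlement("carol", "finance", "system-config", date(2013, 1, 5)),  # excess, dormant, SoD
    Entitlement("dave", "sysadmin", "system-config", date(2013, 7, 4)),  # leaver, account disabled
]
DISABLED_USERS = {"dave"}


def review_sample(today=date(2013, 7, 15)):
    """Run the review over the constructed sample as of a fixed date."""
    return review_access(SAMPLE_ENTITLEMENTS, DISABLED_USERS, today)


if __name__ == "__main__":
    for user, finding, detail in review_sample():
        print(f"{user:6} {finding:14} {detail}")
```

Each finding is a decision for the data owner, not an automatic revocation: an "excess" entry may be a legitimate exception that should be recorded in the baseline, while a disabled account that still holds access is the gap the article warns about and should be closed at the source. Running the review on a schedule, and keeping the baseline under change control, is what turns the article's "who has access to what?" from a one-off audit question into a standing control.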
BCI News

BCI Gifted Awards and Grades

Do you have a colleague who deserves special recognition? The nomination period for 2013 is now open for BCI Statutory members to recommend individuals, members and non-members, who have made a difference to the BCM community. Gifted Awards and Grades offer special recognition by the BCI Board for individuals who have made a key contribution to either the Institute or to business continuity. Nominations are managed through a Nominations Committee and can only be made by a Statutory member of the Institute (FBCI, MBCI or AMBCI). Individuals cannot nominate themselves. For more details on how to make a nomination, please go to the BCI website or email helen.petrie@thebci.org

Approved BCI Instructor Programme

The BCI is in the process of creating a register of instructors approved by the Institute to deliver BCI Training, and we are inviting applications from members to join this register. Further information on how to apply can be obtained from Deborah.higgins@thebci.org

The BCI Australasian Summit 2013

The BCI Australasian Summit 2013 was held on 4-6 June at the Luna Park complex on the magnificent Sydney Harbour. Now in its seventh year, the Summit is the principal business continuity management conference in the region. The Summit is organised jointly by Continuity Forum and the Business Continuity Institute Australasian Chapter.

Proceedings began with full-day Business Impact and Scenario Planning workshops on Tuesday 4 June. These workshops were well attended, with more than 30 people opting to arrive early and take advantage of some hands-on learning opportunities. The main conference event, held over Wednesday and Thursday, was attended by over 110 industry professionals. Keynote presentations were given by Sasha Maiyah of ADC Forum (The Evolving Risk Landscape) and Anthony Mitchell, Director, Bendelta (How to Prepare for Things You've Never Done Before). There were presentations from over 20 subject matter experts, with the primary focus on four key themes: BCM Lifecycle, BCM in Action, BCM in the Public Sector and Thought Leadership.

Overall, the conference was an unmitigated success. It provided endless opportunities for professionals to network in formal, non-formal and social environments. The mood of the conference was upbeat and light-hearted, while the presentations were of an extremely high quality. The respected speakers provided new ways of approaching existing tasks and challenged conventional thinking. Worthwhile, enjoyable and memorable.

Written by David James-Brown, Vice-Chair of the BCI

BCI Executive Forum 2013, Brussels, Belgium

Evolution or revolution? This year's Executive Forum debated the topic of business resilience and how professionals can shape and lead the resilience agenda in their organisations. The debate was kicked off with an excellent presentation on the scope of a business resilience programme and how it might differ from a BCM programme. Interestingly, the consensus of the group was that the move to business resilience would be very much evolutionary rather than revolutionary for BC professionals.

The Forum moved on to discuss horizon scanning, widely seen as an essential capability in order to become proactive. Discussions also considered the specific threats which were driving a need for collaboration between disciplines; specifically the cyber threat, which was seen as an integrated threat that could not be managed effectively by disciplines acting in isolation.

A unique aspect of the Executive Forum is the time set aside for participants to propose their own topics for discussion and to gain valuable perspective from trusted fellow professionals. This year's selection of eight topics included a discussion on the skill sets that BC professionals would need to meet the business resilience agenda and how the business continuity message could be simplified to resonate better with small businesses. A full report on the discussions and outputs from the Executive Forum will be available at the end of July from the BCI Shop.

New region added to the BCI Awards programme

The BCI Africa Awards join the North American Awards, the European Awards, the Middle East Awards, the Asia Awards, the Indian Awards and the Australasian Awards as part of the Institute's recognition of global excellence in business continuity.
The Soap Box provides you, the reader, with an opportunity to speak your mind on the issues impacting on your discipline. To air your views contact Nigel Allen at nigel.allen@thebci.org

Do BC practitioners look far enough into the future?

As business continuity professionals, we are often expected to have all, or at least most, of the answers. The problem is, do we know what all the questions are? Understanding the question is the real issue which determines our overall planning approach, or at least it should be a key part of the process. We all understand that our various strategies and plans have to have clear recovery objectives; identify appropriate timescales; have a thorough understanding of what we will recover and their various dependencies; and be supported by concise and pragmatic crisis management plans and processes. Together, these are all part of providing the right answers and solutions that will enable us to maintain or recover our business.

However, the one thing which is always missing from the planning and development process is a crystal ball which will tell us exactly what will happen, when, and what the impact will be. If we knew this, we would be able to come up with the perfect answer every time.

In order to understand the questions to be answered, we need to think about what the future will bring. What disruptions, events, disasters and challenges will we need to address in order to keep our business running? How far should we look into the future? This is an eternal topic for all BC practitioners and one on which almost all of us have an opinion, although rarely the same one! However, I feel that we need to challenge what we look for in the future. It is human nature to look to the future in a way that is influenced by our knowledge of past events. This is why old sci-fi movies look so dated: their view of the future was influenced by the past that they understood.

However, if we hold this thought for a moment, we can change the question from how far we should look into the future and think instead of how flexibly we should look into the future. Dwight D Eisenhower once said: "In preparing for battle I have always found that plans are useless, but planning is indispensable." And I feel that this simple statement holds the key to how we need to view the future as it impacts our planning.

It is not so much what happens in the future as how those future events impact our business, our environment and our operations. Consider for a moment the aviation industry. The tragic events of 9/11 in 2001 and the 2010 eruption of the Eyjafjallajökull volcano in Iceland were very different events, yet they had a similar effect: they grounded commercial air transport over a wide area for a significant period of time. There are other similar examples. Snow in London and strikes by transport workers are very different events which can have almost identical impacts, in that they stop public transport.

So what lessons can we take from this? Well, I feel that we have a very positive lesson: the future event is not as important as understanding its impact. If we base our strategies and plans on likely disruptions to our business, critical infrastructure and resources, and their potential duration and frequency, we will create robust, pragmatic plans which are tied to effects rather than events.

In looking to the future, we help to build a picture of the likelihood of disruptions happening. Or, as Eisenhower would think of it, we would be considering all the potential planning activities needed to meet multiple events and threats without worrying too much about what exact form those events take.

So, do we look far enough ahead? On balance, I think that we probably look as far as we can reasonably see, but sometimes we try too hard to predict what might happen and not hard enough to understand what the impact will be. In looking into the future, planning is King, but plans are tomorrow's waste paper.

Stephen Nuttall MBCI
Stephen Nuttall is head of business operations for Hewlett-Packard Continuity Services in EMEA
stephen.nuttall@hp.com
www.hp.com/go/continuity