Q3 2013
ISSN 2046-5874 (Online)
Getting the balance right: How much information to put in your BCP

A brake on the blame culture: Removing the fear of reprisal

SME and climate change: Anticipatory adaptation is critical

Sit up and listen: Getting the Board's attention
Editor's note

Over the next few days, he appeared on hundreds of television shows and radio programmes, as well as in countless articles and blogs. In almost every interview, the first question he was asked was, "In that final game, what was going through your head?" Each time Murray explained that he simply couldn't remember. He had almost stepped back from the scene and let his body get on with what it had been trained to do over the last 20 odd years.

This ability to almost switch off yet still continue to maintain peak performance when it really matters seems to be at the core of most top athletes. In fact, most claim that if they have to think too much about what they are doing at those key moments it becomes a distraction and they often fail to deliver as a result.

Being able to switch onto automatic pilot while still maintaining your focus is perhaps the nirvana of business continuity: that ability to respond to the vagaries of a particular disruptive event without having to consult various plans or checklists; to keep your eyes on the end goal no matter what the incident throws at you and your team.

Of course, while it is virtually impossible for BCM teams to achieve the almost transcendental state reached by top athletes, given the complete dedication at all levels that this would require, it is still something that they should aspire to emulate. This is no easy task, particularly given the range of other organisational priorities that BCM competes against.

It is about putting in the hours, rehearsing the systems and process, conducting the training sessions, establishing clear roles and encouraging people to take responsibility for those roles. It is about embedding BCM into the DNA of your organisation so that all those involved in tackling the event work in a fluid, unified manner to get the business or department back onto its feet as quickly as possible.

Nigel Allen is editor of Continuity

Chair's column

In recent months, as I attended and participated in numerous BCI events, one thing that struck me was just how proud people were to be involved with the Institute. The volunteers who run our chapters and forums globally must be applauded for what they do. However, I was also acutely aware of how important the right level of central office support is to sustaining this. To that end, Helen Petrie has taken up a new role as Chapters and Forums Manager to engage with all chapters and forums to enhance lines of communication and ensure support requests are handled promptly. This is no small task, so I would ask all chapter and forum leads to support her in this very important role.

During my travels, I was also greatly impressed by the number of members willing to help start up new forums. Our members have the passion and desire to make these happen, so please support them in this and reap the benefits at a local level.

We also had over 1,300 responses to our recent members' survey. In it, we asked people to rank their top three BCI benefits from the 12 listed in our membership brochure. While accreditation was a clear winner, we also had many suggestions for further benefits which we will look at in detail.

Finally, I must mention some people who are leaving our central office: Lee Glendon and Lucy Burns. During his four years at the BCI, Lee has made an enormous contribution to our thought leadership endeavours. Lucy, who has headed up our events team for the past five years, was responsible for turning the BCI Symposium into the incredible BCM World Conference we know today. Their contributions have made a huge difference to our Institute and, on behalf of the BCI, I would like to thank them both and wish them every success.

With all this change there is certainly no time to sit still. Lorraine Darke and her team are working hard to recruit great replacements to maintain and improve still further the services and products you as members deserve from your Institute.

Steve Mellish FBCI is Chairman of the BCI
Q3 2013 Continuity 1
Contents
Q3 2013

COVER STORY
Getting the balance right: Will Brown, John White and Thibaut Minguet consider whether time spent planning for the longer-term would be better spent ensuring that you are quick to respond (page 16)

01 Editor's note & Chair's column

04 News

08 A clear path: the value of succession planning. Continuity discusses the findings of a recent survey into succession-planning strategies in the IT sector with Jason Hayman of TEKsystems

11 BCM Bureau: Do companies devote sufficient time and effort to data capture during an incident?

13 From the opening plays to the end move: Mel Gosling explores the progression from the initial response to the close of an incident, and finds similarities with chess

16 Getting the balance right: Will Brown, John White and Thibaut Minguet consider whether time spent planning for the longer-term would be better spent ensuring that you are quick to respond

19 Putting a brake on the blame culture: Claudia van den Heuvel discusses how encouraging staff to report issues within your organisation without fear of reprisal can be critical to your overall resilience

22 Making the Board sit up and listen: Board members look to business continuity to provide reporting that shows how resilient the organisation is, but BC practitioners must make reporting innovative and cutting edge, say Emmeline Skelton and Andrew Austin

24 Keep calm and collect the information: Tom Clark outlines the key stages involved in incident reporting, from the initial collection and validation of information through to the call to action

27 Ensuring small business continuity under a [...]

30 Getting back up after Sandy: Nigel Allen assesses the damage done to small businesses in the aftermath of hurricane Sandy and looks for signs that it has raised awareness of the importance of preparedness

32 Boosting the efficacy of your programme: Frank Perlmutter explains how business continuity metrics are an essential component in establishing the real value of your BCP

35 The flight to resilience: An airport provides an extremely challenging environment for implementing and maintaining effective business continuity plans, explains Keith Prabhu

39 Information in an unsecure world: Recent high profile cases have served to drive home the value of effective data security. Patrick Mcilwee considers [...]

Continuity
Business Continuity Institute
10 Southview Park
Marsack Street
Caversham
Berkshire RG4 5AF
United Kingdom

Continuity is the magazine of the Business Continuity Institute and is published four times a year.

Editor: Nigel Allen. Tel: +44 (0) 118 947 8215. Email: Nigel.allen@thebci.org
Advertising Sales: Benjamin Foster. Tel: +44 (0) 118 372 3073. Email: Benjamin.foster@thebci.org & advertising@thebci.org
Art Director: Mary Schoales

Continuity is printed by Headley Brothers Ltd, Ashford, Kent, UK and is published by the Business Continuity Institute.

BCI Chairman: Steve Mellish FBCI
BCI Vice-Chairman: David James-Brown FBCI

BCI Central Office. Telephone +44 (0) 118 947 8215 or contact:
Executive Director and Board Member: Lorraine Darke. Email: Lorraine.darke@thebci.org
Technical Development Director: Lyndon Bird FBCI. Email: Lyndon.bird@thebci.org
Technical and Learning Manager: Deborah Higgins MBCI. Email: Deborah.higgins@thebci.org
Operations Manager: Jan Gilbert. Email: Jan.gilbert@thebci.org
Conference and Events Manager: Nicky Tramaseur. Email: Nicky.tramaseur@thebci.org
Events Executive: Lucy McDonnell. Email: Lucy.mcdonnell@thebci.org
Head of Research and Advocacy: Lee Glendon CBCI. Email: Lee.glendon@thebci.org
Business Development and Relationship Manager: Faye Leo. Email: Faye.leo@thebci.org
Membership Development Manager: Helen Petrie. Email: Helen.petrie@thebci.org
Senior Membership Executive: Lynn Forrest. Email: Lynn.forrest@thebci.org
Membership Engagement Manager (North America): Abby Alling. Email: Abby.alling@thebci.org
Customer Service Executive: Daniel Saunders. Email: Daniel.saunders@thebci.org
Finance Manager: Kate Curry. Email: Kate.curry@thebci.org
Assistant Accountant: Rebecca Wood. Email: Rebecca.wood@thebci.org

The views expressed in Continuity are not necessarily those of the Business Continuity Institute.
All efforts have been taken to ensure the accuracy of the [...]
Mark your commitment to business continuity management with ISO 22301 certification from BSI

Show your clients and customers that you're committed to ensuring the continuity of your operations with our third-party certification to ISO 22301, the internationally recognized best practice standard for a business continuity management system. As the pioneers of the original BCM standard, you can benefit from our expertise and commitment in this area.

Adopting structured management processes for BCM can help you to manage your risks and identify opportunities to strengthen your operations.

Clients that we have certified to ISO 22301 have seen:
- Improvements to business and supply chain resilience
- An increased ability to win new business
- Stakeholder reassurance

Give your system the recognition it deserves by getting certified with us.

Find out more: bsigroup.com/bcms
T +44 (0)845 508 3026
BCI News
News

AT&T releases findings of latest BC survey
Potential for breaches tops list of security concerns

AT&T, a provider of IP-based communications services to businesses, has released the findings of its latest study into the business continuity activities of IT practitioners across the US. Now in its twelfth year, the annual study was this year based on a national sample of 500 online surveys among Information Technology (IT) executives in companies with over $25 million in annual revenue. The results showed that:
- More than half of executives surveyed (63%) cite the looming threat of security breaches as the most important security concern for 2013.
- 84% of executives are concerned about the use of mobile networks and devices and its impact on security threats.
- 88% of those surveyed understand the increasing importance of security and indicate that their companies have a proactive strategy in place.
- Two-thirds (64%) of companies include their wireless network capabilities as part of their business continuity plan.
- 87% of executives indicate their organisations have a business continuity plan in place in case of a disaster or threat, a slight uptick from last year (86%).

The study also noted that with the increase in IT budgets, companies are increasingly leveraging the cloud for their business continuity plans to help minimise the impact of potential threats and disasters. Furthermore, it noted that as companies look beyond the potential impact of natural disasters to the impact of network security events, they continue to expand their disaster plans accordingly.
"While 2012 experienced a reduction in insured catastrophe losses, insurers continued to implement rate increases through the year," said Jim Blinn, executive vice president of Advisen's Information and Analytics unit and executive editor of the survey. "Continued pressure on underwriting results and a low interest rate environment motivated underwriting management to seek these higher rates."

"Rates are rising, but our research shows that improving rates attract new capacity, which makes it difficult to sustain the trend towards progressively higher rates," said RIMS board director Michael D. Phillipus, ARM. "The wealth of information available in the RIMS Benchmark Survey arms risk practitioners with powerful industry insight that can help shape their understanding of the market and allow them to fulfill their responsibilities with greater confidence and clarity."

[...] events are unlikely the impacts are potentially very serious. Severe effusive (gas-rich) volcanic eruptions abroad: such an incident could have widespread impacts on health, agriculture and transport.

The document can be downloaded at: http://naru.org.uk/wp-content/uploads/2013/07/2900895_NationalRiskRegister_acc.pdf
Industry Q&A

A clear path: the value of succession planning

Continuity discusses the findings of a recent survey into succession-planning strategies in the IT sector with Jason Hayman of TEKsystems

What are the key aspects of an effective succession-planning strategy?

The key aspects of an effective succession-planning strategy in our view fall into three primary categories.

Succession planning must extend beyond the C-suite. The majority of organisations we surveyed indicated that their succession plans do not go further than the C-suite or executive level and therefore overlook the impact of departures in lower-level roles. For example, if your lead security engineer leaves the company and you do not have a successor waiting, the company's security process and programmes could be at risk.

It is also imperative that you seek to define and communicate your evaluation criteria for your priority staff. Only 12% of the IT professionals we surveyed believed the criteria by which organisations evaluate key talent is clearly defined and 10% reported that it is communicated frequently. Without this definition, employees may struggle to understand what is expected of them and what they need to do to get to that next level in their careers. It also may make it difficult for the organisation to identify and retain the top performers. IT professionals identified a lack of a formalised/standard programme and a perception that evaluations were too political as the top reasons why their succession planning programmes were ineffective.

Finally, organisations must identify and involve their top talent in the process. Once your organisation has defined the criteria for high-potential talent, leadership can begin to identify and evaluate top talent. Organisations should first look at current employees and involve those high-performance individuals in the process. This inclusion gives employees a chance to better understand the future opportunities available to them and what they need to do to take the next step in their careers.

The report focuses on succession planning in the IT arena. Why is succession planning so important in this particular part of the organisation?

There are a number of reasons why this is the case. Firstly, business leaders are putting greater demands on IT to deliver results. If the IT department is constantly looking for people, then they are spending less time actually impacting the business and delivering tangible, actionable outcomes. It's critical for the organisation to be able to address people challenges proactively to ensure business continuity.

Secondly, there will always be a shortage of IT talent because technology is always changing, making it difficult to have the right resources in place at the right time.

Lastly, in today's business and IT world, IT professionals have options. At any given time, great IT professionals (i.e., the ones organisations want) are often exploring several job opportunities at one time. Succession planning becomes a critical component to attracting and retaining the best, as it shows prospective employees the organisation's career-paving options and can provide long-term career satisfaction.

Two different types of succession-planning approaches are highlighted: position- and pool-based plans. What are the advantages and disadvantages of these two plans?

Traditionally, more mature succession management programmes use a position-based plan. This approach requires up-front knowledge of, and agreement on, the definition of a key position at that organisation. They can then create a line of successors, which tends to be the approach for C-suite positions like CEOs, CFOs, etc. However, a drawback to this approach is the risk of losing the other employees up for consideration once the role is filled. Also, position-based plans are typically implemented with very little or no input from the employee. This type of approach doesn't allow for the employee to have ownership over his or her career path, which can lead to retention issues.

Pool-based approaches identify the high-potential individuals first, before a key position may be available. This approach is more personable and engaging, and employees feel their managers are getting to know them better on a technical, business and personal level. This type of engagement also allows employees to feel more ownership of their career, increasing satisfaction and ultimately retention. Finally, this approach provides a bigger picture of an organisation's talent pool, giving the business an opportunity to move top talent into key leadership positions based on personal and professional knowledge.

The survey states that only 22% of IT leaders report their organisations conduct succession management planning for key line-level positions. How important is it that succession strategies go beyond the top-tier employees?

It's critical to extend succession management to key line-level positions like security, application development and analytics. Consider the impact of the departure of a security architect, a role with specialised knowledge of the inner workings of the organisation's systems, and the potential cyber security risks present without a successor to such a vital position. Organisations need to have succession plans in place for these roles to ensure continuity and protection.

Also, as we said before, technology is constantly changing, creating a challenge for IT departments to have the right skills in place at the right time. A formal succession-planning strategy will help the organisation identify skills gaps, as well as areas where they can fill critical positions with internal staff. Having a plan in place for line-level employees also provides direction and a clear career path, something all employees crave, which again can aid in attracting and retaining top talent.

How important is it that organisations have a clear understanding of what constitutes a high potential employee and how do they go about establishing this definition?

In an ideal world, every single employee would be a high-potential employee, but in reality, some employees are just more capable and possess qualities others don't. The definition of a high-potential employee will be specific to each organisation's culture, expectations and specific roles. There isn't a magic formula to defining it, but the best place to start is to look within.

An organisation can conduct an objective and subjective evaluation of their current workforce to establish the definition. Objectively, organisations can conduct apples-to-apples evaluations to determine where individuals with similar skill sets rate in their competencies. From a subjective perspective, identify those individuals that stand out or have been with the business for a long time, and assess what makes them successful.

The survey mentions that organisations can benefit by developing a strong emotional connection to the organisation through succession management. Can you expand on this point?

People want to be happy and fulfilled personally and professionally. Great succession management strategies are able to incorporate an individual's personal and professional goals. The best programmes fully engage the employees themselves, foster that strong emotional connection. If employees can see and feel their company puts time and effort into developing and grooming them for future opportunities, they are much more likely to put in maximum effort.

Additionally, retention is tied to the development of strong emotional connections. The longer an employee stays with an organisation, the more they understand the business, impact change and mentor new talent. All of these qualities also make that employee more valuable as a leader within the organisation.

How important is it that companies establish KPIs for their succession-planning strategy?

Back to the earlier question about defining high-potential criteria, it's impossible to show how valuable something is if there isn't anything to measure against. Key performance indicators (KPIs) serve as a baseline for organisations to determine an employee's ability to be a leader. KPIs can be both quantitative and qualitative, and it's a best practice to make decisions based on the combination of the two. For example, leveraging performance reviews that evaluate technical performance as well as softer skills (i.e., communication, leadership or collaboration) will provide a more holistic view into an employee's true future potential.

What advice would you give to companies to help them communicate aspects of the succession planning to the wider organisation?

Set the stage for why communication of succession plans is important. Only [...] If their organisation's programme negatively impacts its success. If employees, especially the high-potential ones, don't know what the organisation expects of them in their current role and what would be required of them in a future role, it's difficult for them to do their best.

It is also critical that organisations communicate the purpose and principles of the succession management programme to educate employees on why the plan and strategy exists. Illustrate how the succession planning strategy benefits both the organisation and each individual employee. Leadership should also communicate the definition of a high-potential employee, so individuals know what it takes to get to the next level in their careers. Leadership should also clearly communicate and outline the career path opportunities that exist for internal employees. This explanation of opportunity, in conjunction with performance criteria, is critical to clarify the responsibilities and expectations of various career levels.

Organisations should also consider incorporating the aspects I mentioned into external recruiting efforts. This will spark emotional connections before a new employee is even hired, demonstrating that your organisation cares about their future.

Note
This interview is based on the findings of a study conducted by TEKsystems entitled "Ensure the continued success of your organisation through effective succession management". The survey is available at http://teksystems.com/resources/research/it-talent-management-trends/effective-succession-management
BCI Corporate Partnership
Enabling organisations to work more closely with the BCI to raise the profile of BCM worldwide

Premium: Large organisations with more than 250 employees
Standard: Companies employing less than 250 employees
Associate: Small companies employing less than 25 employees or not-for-profit organisations

BCI Partners who have BCM products and services can increase the benefits of their Corporate Partnership by adding in one of our sponsorship packages to their Partnership. Sponsorship is an exclusive opportunity offered only to BCI Corporate Partners.

www.thebci.org
BCM Bureau

Continuity invites three leading market practitioners, each representing a different sector or country, to provide their expert opinion on a key issue currently impacting on the BCM arena.

Do companies devote sufficient time and effort to data capture during a disruptive event, given its importance in assessing performance and learning lessons following the event?

Steve Yates FBCI, FICPEM
yates999@gmail.com

Yes and no. Response teams do, and sometimes don't, devote sufficient time to capturing information on the actions they take during a disruptive event. This may be due to the scale of impact, or the priority given to any response. Whatever the reasons, it does support the need for responders to have appropriate and sufficient capabilities to capture and record relevant related information.

At this point I am reminded of something that a colleague of mine stated: "If it isn't recorded, then it did not happen", and as such may then provide the fuel and blame that would be allocated against specific response individuals, or even establish the grounds for a conspiracy theory. So, when we consider those components associated with disruptions, without the ability to time-travel we should ask ourselves: how can we ensure that each event is formally logged, recorded and subsequently assessed?

For those who already have an integrated and proactive 24x7 command, control and communications (C3) structure, one that carries out horizon scanning, has the ability to remotely monitor operational capabilities, is supported by a range of on-line communications to record actions and for contingency has someone to keep a physical record, then very well done. For others who are still in the process of developing such capabilities, whatever the reasons, it still remains a must that they have the ability to capture relevant, real-time information.

This information should at least cover details pertaining to the real situation at that time. Key actions that had been considered and those that were actually taken must be recorded as a minimum. In an ideal world, they should also be supported 24x7 by an assessment of their information, where consideration of low, medium and high impacts can be considered against their decision making.

It is my premise that although our knowledge increases from disruptive events, we do not investigate each one fully and hence identify the budgets and support that are necessary to increase the level of resilience. Such resilience needs to be proportionate to the likelihood and impact on the community, infrastructure and businesses disruption, whilst also being proactive rather than reactive.

Ian Morris and Britt Kane
Ian Morris is managing director of Lion Wood Solutions and Britt Kane is CEO and founder of Intrepid Networks
www.lionwoodsolutions.com

In a tense, disruptive incident, understanding why response teams may not have enough time and energy to collect vital information could be fundamental to real-time decision processes, avoiding overload, ensuring life safety, and the future sustainability of your business. A whole industry has been devoted to six sigma data techniques in manufacturing; no equivalent process exists within the incident management sphere.

As we move progressively from information to an intelligence age with greater emphasis on accountability, the accurate and timely collection of critical data in real time can only improve performance. Organisations that are data driven and effective in prioritising intelligence to underpin strategic decisions and post incident enquiries have demonstrated their ability to improve performance consistently and more quickly.

Failure to address the issue may result in response teams being:
- Unable to explain or account for their actions and outcomes;
- Slow to develop and adopt new techniques, as often data does not exist to provide practical considerations for improvement; and
- Directed/resorting to best known historic practice since the risk is too high to rely upon instinctual or observational techniques stemming from the event itself.

Another difficulty that limits learning for major disruptive events is the very fact that they are thankfully rare. However, these incidents often shape society. Limited data from these types of events naturally confines the possible pedagogic value that could otherwise be obtained.

The action of recording data during an incident is difficult at best. The first responder's primary goal is the response itself, which focuses on saving lives and minimising the threat. Recording actions for training or further analysis may not be the first or even the second responsibility.

Therefore the inquiry is not any variation of the time response teams devote to capturing information. More importantly we need to consider how information can be collected more efficiently. Better after action interviews are one possibility. While supportive, this method has its limitations; the human memory is narrow and fallible, which leads to voids and inaccuracies in the recounting.

What we must therefore look to provide is embedded technology which automates and cross checks the collection of vital data during a response. The accumulation must be automatic and unobtrusive to avoid diverting and distracting the responder from their core mission: responding.

For all continuity unit teams it is absolutely critical that all tasks and decisions are documented and signed off by the responsible resource. Every action must be auditable in some way. And the standard base line of audit applies: if an auditor can't see it, touch it, or read it, then it doesn't exist and is therefore not defendable.

[...] to release liquidity, any potential forensic investigation, and stakeholder requirements. By ensuring that you include the timing for each task and decision, you can use this information in your debriefing reviews to help streamline and tighten your plans and your responses.
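The three Bureau contributors converge on one requirement: every action and decision taken during an incident must be recorded with its time and its owner, captured without distracting the responder, and remain defensible to an auditor or investigator afterwards. The following is an added example, not code from the magazine or from any of the contributors, of the smallest mechanism that gives an incident log those properties: an append-only record in which each entry carries the SHA-256 hash of the entry before it, so that a later edit, deletion or re-ordering of any entry breaks the chain and is found by a verification pass. The class, its field names and the sample incident entries are assumptions constructed for this example, not a standard.

```python
import hashlib
import json
from datetime import datetime, timezone


class IncidentLog:
    """Append-only, hash-chained record of actions and decisions during an incident.

    Added example: the class and its field names are assumptions, not a standard.
    Each entry stores who did or decided what, when, and the hash of the entry
    before it. Re-computing the chain in verify() exposes any entry that was
    edited, removed or re-ordered after the fact.
    """

    GENESIS = "0" * 64  # 'previous hash' carried by the first entry

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(fields):
        # Canonical JSON (sorted keys, no whitespace) so the hash does not
        # depend on dictionary ordering or on how the entry was serialised.
        payload = json.dumps(fields, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(payload.encode("utf-8")).hexdigest()

    def record(self, actor, action, decision=None, when=None):
        """Append one entry; returns its hash (the value to hand to a witness)."""
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {
            "seq": len(self.entries),
            "time": (when or datetime.now(timezone.utc)).isoformat(),
            "actor": actor,
            "action": action,
            "decision": decision,
            "prev": prev,
        }
        entry["hash"] = self._digest(entry)  # hash covers every field above
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return None if the chain is intact, else the index of the first bad entry.

        Detects edits, deletions and re-ordering inside the log. It cannot, on its
        own, detect removal of the most recent entries: for that the latest hash
        returned by record() has to be held by a second party (a loggist, a
        printout, an external ticket), which is what makes the record defensible.
        """
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            fields = {k: v for k, v in entry.items() if k != "hash"}
            if (entry.get("seq") != i
                    or entry.get("prev") != prev
                    or self._digest(fields) != entry.get("hash")):
                return i
            prev = entry["hash"]
        return None


def demo():
    """Constructed walk-through: a clean log verifies, a quietly edited one does not."""
    log = IncidentLog()
    t0 = datetime(2013, 7, 14, 9, 2, tzinfo=timezone.utc)  # constructed timestamps
    log.record("duty manager", "declared incident: data-centre power loss", when=t0)
    log.record("IT lead", "considered failover to DR site", decision="approved",
               when=t0.replace(minute=10))
    log.record("IT lead", "initiated failover to DR site", when=t0.replace(minute=15))
    clean = log.verify()  # None: chain intact
    # Months later, at the inquiry, someone changes the recorded decision.
    log.entries[1]["decision"] = "rejected"
    return clean, log.verify()  # (None, 1): entry 1 no longer matches its hash


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the chain protects the record, not the recorder: a responder who never writes the entry leaves nothing to verify, which is why the contributors want capture to be automatic and unobtrusive. Publishing the latest hash to a second person at each shift handover closes the remaining gap, truncation of the tail, without adding any work to the response itself.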
BCM World Conference and Exhibition 2013

Free to attend exhibition showcasing BC products and services from around the globe

For sponsorship enquiries contact faye.leo@thebci.org; other enquiries: lucy.mcdonnell@thebci.org, nicky.tramaseur@thebci.org

Gold sponsor

Visit www.bcm2013.com to learn more and register today!
Incident response

From the opening plays to the end move

Developing plans to successfully respond to incidents is at the heart of business continuity. But how, when every incident is different, do you plan for the progression of the response as the situation develops over time, from the initial response through to the recovery and return to new business as usual, and how and when do you bring the incident to a close?

Because all incidents are different, each response to an incident is unique. However, there are some things that all incident responses have in common, and one of these is a natural timeline. Examining this timeline enables us to identify three phases that we can use to structure our response and cope with the complexity of a developing incident:
- Response: the initial response to the incident
- Continuity: providing service continuity at a minimum acceptable level
- Recovery: recovering to a new agreed level of service

These three phases are artificial constructs without well defined start and end points, and the nature and length of both the phases and the timeline varies considerably from one incident to the next.

The process itself can be likened to the game of chess, which progresses from the opening moves through the middle game to the end game. A plan to win a game of chess consists of an opening gambit followed by using appropriate tactics within a set of pre-defined strategies in the middle and end games.

An end in sight

Much the same applies in successful incident response. Unlike the end of a game of chess, though, identifying the end of an incident is fraught with difficulty, particularly as some incidents can have long-lasting effects on an organisation that do not become apparent for many years. There is therefore no natural end point to an incident.

[...] not address the later phases or how to progress from one phase to the next. I refer to this as the organisation's planning horizon.
Continuity Shop

Why Choose Continuity Shop for Your BCI Training?
- BCI European Service Provider of the Year
- Training more people globally than any other
- Delivering public courses and training your team wherever you are
- Achieving excellent results

Award Winners
Getting the balance right
Will Brown, John White and Thibaut Minguet consider whether time spent planning for the longer-term would be
... services for another organisation), we were discussing how the BCM commercial market (i.e. the consulting market for BCM) is polarising. There is an ongoing requirement for support around initial response capability in all ...
... in part) of a finite number of seats made available in a recovery site in a contractually obligated period of time. To this end, the number of people who would be available to work was limited, which meant there had to be time and planning effort put into who ...
Will Brown is head of business resilience, John White is principal advisor and Thibaut Minguet is an advisor at KPMG UK
Will.Brown@kpmg.co.uk
Reporting
Claudia van den Heuvel discusses how encouraging staff to report issues without fear of reprisal can be critical to your overall resilience
Consider this: you are buying a car, and you have to choose between one of these two safety features, either ABS (anti-lock braking system) to control skidding, or airbags to save you on impact. Which would you choose? Is it more important to be able to minimise the likelihood of having an accident or to maximise safety and the chance of a good outcome if you do have an accident?
Traditionally, being resilient was focused on the ability of an organisation to bounce back from an incident or crisis. Therefore, resources were, and still are, rightly directed towards implementing metaphorical airbags to minimise impact and maximise the chance of survival. However, analyses of past incidents have clearly shown that having a preventative braking system is an equally crucial part of the resilience equation. Being able to spot errors within a system or organisation enables them to be dealt with before they escalate into a full-blown crisis, which is preferable in terms of cost, time and protecting performance and reputation.
However, one very challenging barrier to resilience is the existence of a blame culture. History relates that a large proportion of disruptions and serious organisational accidents resulted from recurring, yet avoidable, human errors. A number of these errors went unidentified or unreported due to a deep-seated fear of blame for that mistake or its consequences. However, evidence from both resilient and high reliability organisations (those organisations, such as nuclear power plants, that achieve high safety records despite operating in very hazardous or risky conditions) illustrates that it is entirely possible to sustain near error-free operations.
The differentiating factor of these organisations is not that fewer human errors occur; it is that these errors are reported and lessons are actively learned, thereby putting the metaphorical brakes on an incident before it escalates ...
... make mistakes. Human errors, which include both actions and non-actions (such as spotting a problem within a system but not reporting or fixing it), can occur due to lack of knowledge or understanding, inattention, or, importantly, due to an unwillingness or fear of assuming responsibility for a problem.
James Reason's Swiss Cheese model of organisational accidents illustrates that the impact of these human errors is usually protected against by specially designed organisational defence layers or safeguard systems. However, at times small weaknesses or holes in the systems line up, thereby allowing the errors to pass through those holes, resulting in a serious loss for the organisation. In other words, human mistakes at an individual level have the potential to grow in significance and impact if there are also organisational (or cultural) weaknesses.
[Figure: The Swiss Cheese Model of Accident Causation. Hazards pass through successive layers of defences, barriers and safeguards; some holes are due to active failures, some holes are due to latent conditions; where the holes line up, the result is losses.]
In the case of error reporting, one of the largest hole-creating factors within organisations is the existence of a blame culture. Here, staff members are disinclined to be open and honest about the strengths and weaknesses of the processes or systems used in their work due to a fear of repercussions for being the bearers of bad news.
- Stimulate open and transparent communication of errors, issues and incidents by creating a culture of psychological safety, trust and fairness
- Hold formal debrief sessions where those employees who reported a risk get publicly commended for their behaviour
- Design a reporting system spanning the organisation and make risk reporting the responsibility of all staff
- Drive cultural change by getting away from the desk. Have leaders and senior management engage with staff members frequently to discuss both mistakes and positive progress made
Blame cultures often arise from organisations that set unrealistic targets, such as zero tolerance for accidents, where individual responsibility is assigned to people when things go wrong, and where staff members are treated as blameworthy perpetrators who should be punished. This blame game often creates an ostrich tendency either to ignore errors, not report unsafe or inefficient processes and activities, or shift responsibility to others.
Plugging the holes: shaping behaviours through cultural drivers
Any organisational system or process, however intelligently designed, is only as resilient as the persons operating or managing it. Therefore, resilience depends on individuals at all levels and departments of an organisation identifying, reporting, and learning from problems experienced with those systems or processes. Indeed, recent case studies of highly resilient organisations (including the InterContinental Hotels Group, Jaguar Land Rover and Virgin Atlantic, amongst others) found that risk and resilience were embedded within the cultural DNA of the organisation. They created an exceptional 'risk radar' by pushing responsibility for risk reporting out across the organisations, making it a core priority for every department, not just the risk department.1
Human behaviour in the workplace is shaped by the organisational culture; most new members of staff will quickly adjust their patterns of behaviour to match what is perceived as being expected of them. Similarly, shaping the resilient behaviours of reporting and learning requires the implementation of a psychologically safe, trusting and fair culture.
A culture of psychological safety is one where people feel they will receive respect and consideration from the organisation, even when managing sensitive issues.
A culture of trust is one where staff members trust the organisational structures, systems, and procedures within which they work, fostered by a collaborative and open working relationship across the organisation.
A fair culture is one where people are encouraged, and even rewarded, for providing essential information; yet in which they are also clear about where the line must be drawn between acceptable and unacceptable reporting behaviour.
Staff must feel entrusted, empowered and responsible for reporting errors, near misses and issues.
Steps to creating a resilient culture
Visible leadership
Leaders drive culture; therefore, as with any organisational change, the first crucial step requires a cultural shift led from the top-down, in order for staff members to lose the fear of blame associated with error reporting. Visible leadership is where opportunities are actively created for senior managers to interact with employees and encourage dialogue, perhaps through department meetings, forums, newsletters or the company intranet. This will build a sense of trust between employees and their line managers and higher levels.
This system must set realistic targets and clearly define those procedures used by all staff to report 'red lights' (errors and accidents) as well as 'amber' occurrences (slips, lapses, or issues), and define reasonable boundaries for reporting to avoid naming and shaming.
What this reporting system looks like will vary from organisation to organisation, but stimulating frequent and open two-way communication and information sharing between staff and their managers without fear of reprisal, as well as across departments, will serve to strengthen the sense of interpersonal and interdepartmental trust and transparency.
Learn the lessons
To be of real value, any reported issue must be treated as a valuable learning opportunity for the organisation to implement reforms and improve operations to avoid more serious events in the future. Ensuring that learning and continual improvement becomes an integral part of operations requires:
i A mechanism to identify threats and issues
ii Giving timely feedback to the reporter on what action will or will not be taken and why
iii Implementing remedial actions
iv Holding formal debrief sessions with all relevant departments who may experience similar problems to allow for lessons to be shared among the wider organisation (such as lessons learned from post-incident reviews)
v Implementing staff training in their contribution to the organisational risk radar and encouraging participation in and active feedback from exercises and scenario-based planning sessions or war gaming
Learning from actively shared information
While human beings may inevitably be prone to error, organisations will not inevitably fall prone to major incidents. There are some that can be nipped in the bud. Important lessons can be learned from resilient organisations which illustrate that, rather than assuming the brace position and relying on the air bag to save them on impact of a crisis, harnessing the power of staff to create an internal radar and act as the ABS of the organisation will enable errors to be identified early on. However, this will only occur if staff feel empowered by their leaders to openly and willingly share important information without fear of blame for the consequences. Learning from actively shared information allows organisations to remedy errors before incidents occur, and thereby become stronger and more resilient.
1 Steven Carver (2013). Roads to Resilience
Dr Claudia van den Heuvel is a consultant at Steelhenge Consulting
enquiries@steelhenge.co.uk
www.steelhenge.co.uk
Making the board sit up and listen
Board members look to business continuity to provide reporting that shows how resilient the organisation is, but BC practitioners must make reporting innovative and cutting edge if it is to be effective, according to Emmeline Skelton and Andrew Austin
We all know that business continuity cannot be sustained without ongoing board-level involvement and input. However, practitioners regularly tell us that they have difficulty in making BCM reports sufficiently engaging to capture the board's attention. This is despite a growing level of interest at the top level in the risks to their business, as demonstrated by PwC's 16th Annual Global Survey of CEOs.
The survey, and our wider experience, suggests that the board are keen to receive assurance that business continuity and wider risk management solutions provide the required level of resilience and protection to meet business objectives. This is clearly at odds with the experience of those BCM practitioners that struggle to engage senior figures. Based on this, it would appear that a fresh approach to reporting is needed.
Without careful thought, business continuity managers can easily get bogged down in too much information: the harder they struggle the quicker they sink. Countless meeting requests, documents to sign and metrics dashboards can lose their impact as the board do not have the time to absorb it all when balanced against other pressing operational and strategic issues. Practitioners that fail to engage the board often report in far too much detail, misrepresent the board's current concerns or fail to talk in language that resonates at board level.
To achieve greater traction, a more coordinated approach to reporting is required that will reduce the administrative burden on the board and also act to provide a more complete picture of the organisation's resilience capabilities.
Current levels of board involvement
The 2012 CEO perspectives on organisational resilience research paper published by the Commonwealth of Australia measured the importance that CEOs placed on business continuity. One of the findings regarding business continuity managers was that relatively few had achieved effective engagement with their CEOs. Those in business continuity or similar roles with strong CEO engagement were an exception rather than the rule.
In our experience, a significant amount of momentum is associated with the early stages of a business continuity programme. Whether the programme has been developed in response to a major event in the life of the organisation such as a near-miss, a change of board or structure, or in response to a negative audit, the level of senior management attention follows a relatively standard pattern. The decision to create a programme is in the majority of cases spurred by a senior sponsor and carries urgency. At this stage reporting is exciting and dynamic as it involves the creation of something new. However, this momentum is finite. As the programme moves into more routine maintenance the level of interest dips. There is a risk that at this stage reporting begins to lose relevance to the board, becoming less urgent and more mechanistic, undermining the overall profile of BCM. Even the most accommodating board member suffers from a wide range of time pressures, so it is understandable that they would focus on the immediate needs of the organisation.
Imagine if you stepped into the shoes of your board members and viewed business continuity against all of the other operations of the organisation. The meticulously produced business continuity compliance report may be competing for attention with the year-end results announcement, the proposal for funding for a new plant or product, or the acquisition plan for a competitor. Business continuity reporting at this stage is not on the board's strategic radar; the challenge for practitioners is to keep reporting relevant.
See your board as your strategic partner
In order to build the best relationship with the board, engage with them at the strategic level and do not overwhelm them with detail:
- Provide high-level metrics with an easily understood grading of priorities
- Give a clear and concise story which summarises your position
- Give them the options to follow up with you for details
Maximum impact with limited board face-time
Make your briefings known for delivering what the board needs to know and when they need to know it, and then time with you will be seen as valuable:
- Adapt your meeting length, format and delivery to match what you are trying to explain
- Explain what they need to know and don't go off message
- Communicate quickly, effectively and compellingly
Be clear on what you are trying to achieve
One of the most commonly asked questions when approaching the board is, 'What is it that you want us to help you achieve?' Therefore, think about the purpose of the meeting and build it into your briefings:
- What do you need the board to provide you to fulfil your role?
- What steps have you taken to achieve this goal?
- What impact will that have on you,
Keep calm and collect the information
Tom Clark outlines the key stages involved in incident reporting, from the initial collection and validation of information through to the call to action
On 15 April 2013, two bombs exploded during the Boston
Marathon causing the deaths of three people and injuring
over 250 others. Within minutes of the explosions there
was an incredible response as first responders, police officers and
bystanders sought to help those affected by the event. Images of the
attack were broadcast on social media and across numerous global
news channels within minutes, as waves of information surged out
from the tragic event via a multitude of sources across a multitude
of channels.
From an incident reporting perspective, the immediate challenge
in such a trying situation is to seek to establish a clear picture of
what has happened and what this means. However, given the
overwhelming amount of information available and the level of
uncertainty regarding the accuracy of that information, gaining a
solid understanding of what has actually taken place can be an
overwhelming and almost impossible task in those early stages.
Reporting on an incident
Comprehensive incident reporting plays a key role in facilitating
the overall effectiveness of our business continuity management
activities. Such reporting will help the organisation to gain a better
understanding of the who, what, where, when and how of the
particular event. As we all know, in the immediate aftermath of
a disruptive event, senior managers want a complete report on
their desk as quickly as possible that explains not only what has
happened, but also what it means for their organisation.
The four key aspects of delivering effective incident reporting in
my view are:
Accuracy of the information being reported (Summary);
What exactly does this mean to the organisation (Impact);
What do I need to do (Action); and
What can we do to make sure this does not happen again
(Mitigation Options).
Incident Reporting
Hands on information
Fact checking is a key part of the code of conduct for most media outlets, normally requiring that they have a confirmation of the information from two independent sources. However, given the speed at which many disasters can unfold, facts can easily become blurred in the rush to generate information. This is particularly the case if we factor in citizen media, in which the concept of fact checking is certainly not yet an established part of the code of conduct.
The United States Secret Service trains all of its agents, especially those protecting the President, in how to validate information and achieve absolute confirmation of facts. The phrase 'Hands on POTUS', used when communicating the message, means that the agent actually has their physical hands on the President of the United States (POTUS). This level of verified confirmation ensures the accuracy of any information their colleagues receive from them.
For many organisations, while the media can be a useful source of information, it must be handled carefully. News media is an integral part of today's global community. It can reach people all around the world within minutes of a story breaking via satellite technology or via the internet, and can have far reaching effects with the potential to influence the actions of individuals, organisations and even governments.
storm's wake. However, during the following 12-24 hours, the death toll was officially reduced to 24 people dead.
The issue of inaccurate information can also arise when dealing with planned events. This was clearly demonstrated during the G8 Summit held in the UK in June. Forecasts of the number of anticipated protest groups and activists significantly increased in the weeks leading up to the Summit, while the ever present threat of a terrorist attack also grew. As a result, during this period police numbers rose considerably as more and more members of the Police Service of Northern Ireland were drafted in, as well as other police resources from agencies such as the Metropolitan Police. However, the event itself passed off relatively quietly with only a small number of protests actually taking place.
Inaccuracy of the facts in reporting not only has the potential to cause undue anxiety, but as the G8 Summit demonstrated can also result in vital resources being deployed unnecessarily.
Verifying your information
It is imperative that the goal of the incident report is to achieve the highest possible level of information accuracy, particularly given the fact that it will form the basis for any actions to deploy necessary resources. A critical component is therefore the process of verifying the data received and validating all sources.
Where possible, the author of the report should seek to gather data first-hand from the scene of the event. If this is not physically possible, then it is imperative that any sources which are used are people who have actually been to the site and can physically validate the information they are providing. The on-scene person should use photography to record the level of detail potentially missed by verbal descriptions. A common method is to use digital video imagery to capture a 360 degree perspective of the incident.
Incident reporting should never be based on third-hand information or uncorroborated empirical data. Using multiple sources for information is important; however, once again the same process of verification must take place.
Translating the information
The second stage in the incident reporting process is to establish what exactly the particular occurrence means for your organisation: how will it impact your activities? The impact section for the incident report should therefore look at three key areas: people, processes and technology.
- Are the normal business operations of the organisation interrupted by the incident or event?
- How are the normal processes of the organisation affected?
- Is the supply chain of the business disrupted by the event?
- Are the clients or customers of the business affected in any way?
- Are the premises of the organisation affected? Is there denial of access at any locations?
This information should also include details of when the particular areas were impacted and where. Remember to keep these sections as concise as possible.
The incident report needs to be focused and to the point: it needs to tell the story quickly and outline the necessary action points to respond effectively to the event. The summary should not use any acronyms that have not been clearly spelt out. It should not use dramatic phrases as these can create the potential for an emotional response which may influence how the reader responds to the report. If possible, keep the summaries to one or two paragraphs, as senior management will not have time to read reams of information and will need content which is easily digestible.
Call to action and mitigation strategies
The next step is to create a list of action points based on this information. Too often senior management are provided with Situational Awareness Reports (SIT REPS) but, without a clear call to action, are left with no idea of what they should do next. The report should outline to senior management what steps must be taken in the context of people, processes and technologies to prevent or limit further disruption to the organisation. Make sure that these calls to action are easy to understand and are tailored to the specific areas of responsibility of those reading the incident report.
Remember that the incident reporting process should not stop here. The next stage should be to outline possible mitigation strategies to be implemented moving forward, designed to remove or reduce exposure to disruption from similar events. The proposed strategies should be ranked in terms of complexity and potential cost. However, your aim is not to solve the issue but rather to help lay the foundations for senior management to establish the most appropriate solution.
At its core, effective incident reporting is about communicating the right information to the right people in the right way and at the right time. It is about communicating to senior management in a clear and concise manner, based on accurate, verified information. What you are providing is the basis for the actions your organisation will take to counter the disruptive impacts of the event it faces.
Tom Clark is a director of IT business continuity management, responsible for crisis management, disaster response, emergency preparedness and business continuity
SMEs
In planning for business continuity under a changing climate, one of the main issues that needs to be addressed is how to establish various roles and responsibilities in such an environment. This is particularly important in the context of small businesses and raises a critical question: do SMEs have sufficient capacity to respond effectively to the challenges they will potentially face?
[Chart: How do you think extreme weather events will change in the future? More frequent and/or more intense 75%; two further responses at 10% and 5%, labels not recoverable.]
[Chart residue: bar chart of barriers to SME adaptation. Only fragments of the category labels survive (several 'Lack of ...' items, apparently including knowledge, expertise, finance, information and priority, plus 'Other' and 'None'); values not recoverable.]
An uncertain future
... to build resilience into business continuity, together with their perceptions of climate risks, are also important considerations. Unfavourable combinations of these contextual issues limit the choices that are available to small businesses in preparing and dealing with climatic impacts on business continuity. Such contextual processes have been largely overlooked in formal ...
... Australia and globally. These include business interruptions through impacts on supply chains, increased investment and insurance costs, and declines in financial indicators such as measures of value, return and growth. After natural disasters, SMEs face greater short-term losses than larger enterprises, and may have lower capacity to deal with natural disasters and other stresses for various reasons.
Anticipatory adaptation
Anticipatory adaptation (i.e., actions taken in advance), through planned interventions to moderate harm or exploit beneficial opportunities, offers one such way to deal with this challenge whilst continuing to meet the economic and environmental performance standards to which SMEs operate. This is critical to not only reduce impacts on SMEs but also take advantage of market opportunities that may arise from certain impacts. For example, in certain instances SMEs may be able to provide the
[Chart: What has the business done to avoid this damage/disruption in the future? Percentage of respondents (scale 0-18%) for: Reviewed insurance and extended cover; Reviewed weather risks and proofing; Audited exposure to extreme events; Developed an emergency or disaster plan; Implemented a computer data back-up system; Other (open-ended response); Ceased business in high risk areas; Nothing; I don't know. Individual values not recoverable.]
[Chart: To what extent do you believe changing climate is a problem for Australia? Not at all 30%; Somewhat 21%; Very much 36%; Completely 10%; I don't know 5%.]
Areas of vulnerability
The study conducted by the Institute for Sustainable Futures, University of Technology, Sydney and funded through the National Climate Change and Adaptation Research Facility (NCCARF), found that many of the processes which generate vulnerability of SMEs to climate change tend to operate at levels external to SMEs themselves: specifically, at different tiers of government as well as various support organisations (e.g., chambers of commerce, industry associations, financial institutions etc.). These constraints limit the capacity of SMEs to influence processes affecting their business continuity and in turn convert their adaptive choices into outcomes that will support business continuity under a changing climate.
It is these support organisations and their institutions (i.e. their norms, values and policies) that are likely to influence the types of opportunities that are available for SMEs in making adaptive choices. For example, many non-government organisations (NGOs) are dependent on government grants to offer support programmes such as business advice for SMEs. The tightening of government funding often limits the services NGOs can offer to SMEs. In addition, government agencies funding climate risk reduction programmes for SMEs have limited formal mechanisms for monitoring and evaluating those initiatives, and this reduces the opportunity to improve future programmes for SMEs.
Short-term planning horizons
Many of the SMEs in the study had initiated adaptive strategies to address climate risks related to extreme weather events, and had integrated these strategies into their business plans. However, they did not refer to them directly as addressing climate change. This reflects the short-term planning horizons of SMEs (two to five years), in which climate change is perceived as a long-term issue that lies outside these traditional planning horizons.
Additionally, the process of climate risk assessment has not been formalised into business continuity plans. Certainly, for many SMEs, climate risks are assessed alongside other business risks. SMEs who experience the impacts of extreme climatic events are more aware of climate risks than those who have not. This experience acts as a motivator for introducing measures to adapt to future climate change. Many of the SMEs in this study had experienced extreme events such as bushfires, drought and cyclones, and the direct and indirect impacts of these events had changed their operating environment and had left them vulnerable to future impacts.
Key resilient elements to building the capacity of SMEs to adapt to future stresses include: their self-organisation capacity, strong social networks, strong beliefs in their own ability to deal with stressful events and social learning from past experiences. Central to all of these is the ability of SMEs to access opportunities (e.g., funding to develop new marketing strategies) and shape processes (e.g., the rigid criteria in accessing disaster funding) that support business continuity.
The capacity to adapt
The research found that many of the measures required to enhance the business continuity of SMEs under climate change can be integrated into existing processes and networks. For example, emphasising long-term and structured disaster recovery through building stronger partnerships between local government and industry associations to encourage information sharing related to the needs of particular SME sectors.
The success of efforts to build the capacity of SMEs to adapt to future climate and related stresses will depend on how they address the processes which shape the ability of SMEs to pursue adaptive choices that they value.
Note
A copy of the final report from the study can be downloaded from the following site: http://www.nccarf.edu.au/publications/understanding-adaptive-capacity-Australian-SMEs
Dr Natasha Kuruppu, Dr Pierre Mukheibir and Janina Murta
Dr Natasha Kuruppu is senior research consultant, Dr Pierre Mukheibir is research director and Janina Murta is research consultant at the Institute for Sustainable Futures, University of Technology in Sydney, Australia
natasha.kuruppu@uts.edu.au
www.isf.uts.edu.au
Everything about hurricane Sandy was big. It was the largest recorded Atlantic hurricane, with a wind diameter well over 1,000 miles, warranting the title of Superstorm. It was the second costliest storm on record, with overall losses topping out at almost $70bn while insured losses were approximately half that figure. In total, it claimed 285 lives and affected seven different countries and some 24 different states in the US.

However, in terms of its impact from a business perspective, it is at the smaller end of the market that Sandy has perhaps caused the greatest devastation. Between 60,000 and 100,000 small businesses in the US were negatively impacted by Sandy, the US Chamber Foundation's Business Civic Leadership Centre said in January, with almost a third of that number expected to fail in the months following the announcement.

Yet despite this fact, some recent studies have shown that many small companies are not learning lessons from the storm and even those directly affected do not believe that they will be exposed to such a disruptive event again.

It won't happen to me
A survey of 200 SMEs conducted by the American Red Cross and FedEx in February of this year revealed that fewer than 10% of small businesses surveyed had taken any disaster preparedness action based on the disruption caused by Sandy. Of those companies which had been impacted by the storm or other disasters in 2012, approximately 50% were confident that they would not be affected again in the next five years, while 70% of all SMEs surveyed said they did not believe that they would ever experience a major disaster.

A more alarming poll was conducted by Alibaba.com, Vendio and Auctiva in the aftermath of Sandy. The survey, which looked at the extent to which small businesses were prepared for natural disasters, found that almost three quarters of the 600 SMEs surveyed had no disaster recovery plans in place. Furthermore, 84% did not have natural disaster insurance. When asked how long it might take their organisation to recover from a natural disaster, over one third had no idea, while 30% said it would take over two weeks, with almost half of that figure saying the recovery time could be beyond one month.

While it is difficult to read too much into these figures, given the number of participants and the wide extent of the survey net, it does appear to support the ever-present concern that business continuity or resilience measures are often to be found on the "to do" list of many smaller organisations.

Counting the cost of Sandy
According to the Hartford 2013 Small Business Pulse: Storm Sandy report, over three quarters of the 451 SMEs they interviewed who experienced disruption due to the catastrophe had to close their premises. In total, 44% were closed for longer than one week, with over a third of that number having the closed sign up for longer than two weeks. Approximately one third of respondents described the impact of the storm on their business as significant, with just over half experiencing a loss of sales or revenues. In terms of the main challenges faced during or after Sandy, 65% experienced customer issues, 47% employee issues and 44% supplier issues.

At a more granular level, and perhaps painting a much more graphic picture than any series of percentage figures can, the Wall Street Journal ran a series of articles charting the attempts of a number of small businesses to get back onto their feet in the months after the event. In the first series of articles, which ran in November 2012, they focused on four small companies trying to recover. In each case, uncertainty was the key word. One wine retailer has seen its wine delivery per week fall from 1,500 cases to zero, while a second company, a bakery, had had to postpone its launch as their premises had been badly damaged.

Six months later, the paper updated its readers on their progress. The owner of the wine retailer had witnessed a 45% drop in quarterly sales between Q1 2012 and Q1 2013, had lost one of their biggest suppliers and was, in her own words, "back to square one" promoting her company at trade shows. The owner of the bakery had had to reduce her sales forecasts for 2013 by 44% and fork out for a major refurbishment of her premises. She has failed to secure a business loan, but fortunately her three temporary staff had stood by her and her landlord had not charged her for rent on the bakery.
SMEs
Financial support
For many small companies, state loans have become
the crutch that they need to get back on their feet. To
facilitate the recovery process, a series of emergency
loan facilities were set up. There have been mixed
reports on just how successful these have been.
In a report released in May by the Democrats on the
Small Business Committee on the performance of the
relief efforts in the wake of Sandy, it stated that business
loan approval rates by the Smaller Business Association
(SBA) were at near-record lows of just 24% and that
over one third of businesses withdrew their applications.
Furthermore, loan processing times were significantly
longer with businesses experiencing average delays of
46 days. Where loans were approved, disbursement was
slow, with only 14.7% of loans ($215.5m) having been
disbursed by the end of Q1 2013.
Commenting on the findings of the report, Rep. Nydia M. Velázquez (D-NY) called on the Government Accountability Office (GAO) to assess the SBA's response and performance related to Superstorm Sandy. She said: "After natural disasters, local economies are often decimated and it is vital that the small business sector be revitalised quickly", adding that, "For a business struggling after a Hurricane, getting an immediate infusion of emergency capital can make the difference between staying in business or going under."

For those awaiting an insurance pay-out, the story was a similarly disappointing one. While it was reported by the Insurance Information Institute that by April the insurance regulators in New Jersey and New York had reported that insurers had settled 93% of claims received following the storm, what this figure did not show was that some 20% of claims were closed without payment, whether due to coverage issues in the policy or the loss did not reach the deductible level.

Preparing in advance
For many smaller organisations, access to capital in the aftermath of Sandy, whether in the form of a loan or an insurance pay-out, has been vital. However, what these delays or denials of access to such funds demonstrate is that rather than relying on a financial help-up, smaller companies must have business continuity firmly embedded in their company make-up to ensure that they can continue even if the emergency funding fails to materialise.

The Hartford study asked respondents who were disrupted by Sandy to outline what steps they took in advance of the storm hitting to help reduce its impact. The steps included:
Created back-up copies of critical data and programmes 25%
Prepared an emergency kit with essentials 20%
Protected their buildings from the elements 20%
Protected vital business records 17%
Created an updated list of emergency contact numbers 15%
Enabled records and data to be accessed at other locations 15%
Purchased a generator 14%

While these figures may seem quite low, this may be reflective of the fact that many organisations in the days leading up to Sandy making landfall simply refused to believe that the storm would affect them.

What is perhaps of greater concern is whether it was the threat of Sandy that was making them take these steps for the first time. These measures should all be standard practice within any small business, forming part of a basic resilience strategy.

When asked what advice they would give to small business owners based on what they had learned from Sandy, almost a quarter of respondents highlighted the importance of reviewing your property insurance coverage. Twenty one percent said they should invest in a generator, while 15% urged owners to create a back-up of their important records. Fourth on the list, with only 14%, was to put in place a business continuity plan. While insurance clearly has an important role to play, and generators are vital if the lights go out, it is the effective business continuity or preparedness plan that will give small business the strongest fighting chance of emerging from the rubble of a disaster.
Commenting on the lack of preparedness demonstrated by the findings of the FedEx and American Red Cross study, Tom Heneghan, manager of preparedness for the American Red Cross, said: "Preparedness is a lot like working out and eating healthy; people know they should do it, but it's not always at the top of the list. Developing an emergency preparedness plan is one of the most important strategic decisions a small business owner will make."

It is often said that it is only when the worst happens to an organisation that the importance of having BCM plans in place is really driven home. In the aftermath of hurricane Sandy, there have been numerous reports released outlining the lessons that have been learned from the devastating events that took place in October 2012. Whether or not these lessons have actually been
Boosting the efficacy of your programme
Frank Perlmutter explains how business continuity metrics are an essential component in establishing the real value of your BCP
Metrics are essential to enable you to continually measure the quality, effectiveness, efficiency, and progress of your business continuity programme (BCP). Choosing appropriate, objective metrics to evaluate your programme against will help you pinpoint operational vulnerabilities, gauge recovery capabilities, and improve your overall BCP. Documenting those results can also help demonstrate the value of the process within your organisation and elevate the perception of your role as a true business continuity manager, not simply a traditional plan generator.

In this article, we aim to provide some guidelines for evaluating and improving the use of metrics, with the goal of enhancing your BCP or taking it to an entirely new level.

What should you measure?
It is important to consider which metrics have the most value to various decision-makers. We can classify those metrics into three major categories:

Organisational metrics assist in pinpointing your organisation's operational inefficiencies, vulnerabilities, and risks. They identify the most critical business functions and the infrastructure resources that support those functions, and can transform your BCP from a subjective determination to an objective calculation of risks and impacts. To your decision-makers, facts should always prevail over opinions.

Business continuity programme metrics examine the time and steps taken to complete the planning process and determine the plan's conformity to accepted standards and best practices.

Resilience metrics explore BCP effectiveness by measuring how long it takes to recover from any downtime-causing event, and how effective the resilience plans are in mitigating losses.

Organisational metrics
It is imperative that you think about how your decision makers view the mission of business continuity. If a disaster strikes, different people within your organisation will have different priorities. For example, your COO will probably think about people and processes first and foremost. However, your CFO will be focused on getting revenue-generating processes back online first, such as your online shopping cart and your receipt and processing of customer receivables. Your CIO will think in terms of applications and systems and loses sleep over the possibility of data loss. Your facilities manager will primarily care about physical assets being safeguarded. Your CMO, who would keep CRM data in a lockbox if that were possible, might see access to customer and prospect information as a top priority.
BCM Metrics
There are plenty of people, processes and technologies that need to be part of your BCP; yet only the most critical can be recovered as a top priority. Here are some questions that can help you make the right choices:
What are your most critical operational activities?
What is the impact of downtime for each of these?
How long can the company go before it sees negative impact on sales and operations?
What are the most important IT infrastructure components and data?
Who (internally and externally) are the most critical personnel in terms of operations?
What are the highest risk hazards to the organisation?

Those questions will have different answers depending on who you ask, so investing in software that objectively evaluates such criteria is an idea worth considering.

Business Impact Analysis (BIA)
A good BIA can help you determine priorities by taking stock of the financial costs and qualitative impacts associated with disruptions (e.g. lost revenue, damaged reputation, reduced cash flow, legal impacts, etc.). It should revolve around business operations and answer most questions that your leadership asks.

A common, but perhaps misdirected, approach is to begin with gauging the impact of supporting infrastructure (e.g. IT, people, and vendors) without understanding how they support business operations. A better approach would be to start with an understanding of business operations, determine those that are critical, and subsequently gauge the importance of how supporting resources impact your most critical business functions.

Recovery Time Objectives (RTOs)
The RTO is probably the most prominent metric used in BCP. Good RTOs provide insight into what is most critical to your organisation, and define when business functions and resources need to be operational following a disaster. Exceeding an RTO means absorbing unacceptable impacts to your organisation. A myriad of benefits can be gained from RTO metrics, from prioritisation of recovery, to mitigation investments, to spotting under-performing processes and resources.

With such an important metric, a sound process is key to its calculation. RTOs should be based on fact, not opinion. Asking people what they subjectively think the RTO should be is not effective. Because it can be difficult to determine RTOs objectively, consider BCP software that automates the calculation of these metrics.

Tips on leveraging BCP metrics

Gathering data
Ask department heads pointed questions
Survey employees (keep it short and sweet)
Observe people and processes (this can be time well-spent)
Study industry benchmarks/analyst reports
Collect internal data (like financials)

Presenting results
Keep charts simple and explanations short
Communicate results that are relevant to your audience
Match the appropriate metrics to the stakeholders who have accountability
Be prepared to make succinct recommendations to executives (remember, you are the expert)

One of the most difficult aspects of being a BC professional is obtaining budget to improve a BCP. The appropriate metrics can assist in justifying returns on software tools, additional personnel, or outside assistance. Presenting in plain language and gauging returns against costs of ownership can get you what you need to excel in your BCP.

Resiliency metrics
Finally, resiliency metrics are necessary to ensure the efficacy of your programme and gauge preparedness in the face of a disaster. Some questions to answer include:
How long does it take each of your teams to recover?
How effective are your mitigation strategies in limiting quantitative and qualitative impacts?

It is no secret that plan exercises are essential to an effective BCP. However, many exercises that are set up as pass/fail tests do not provide a useful resiliency metric. Tracking each process or department's time to recover evaluates not only the quality of your BC plan, but also the ability of recovery personnel to execute that plan. For example, if six hours is the RTO for a business function, but your test exercise proves it actually takes 12 hours to recover, that is a clear signal that the recovery plan needs improvement or additional mitigation measures need to be put in place. IT, personnel, and vendors can be similarly evaluated on their respective capacities to meet the RTOs of the business functions they support.
Case Study
Air transport has today become more of a necessity than a luxury. One could hardly imagine in 1903 when Wright Flyer I took flight that air transport would become such an important part of our lives. However, alongside its growing importance has come the need to handle the complex logistics that underpin it. Airports have sprung up all over the world to cater to our needs, and while aircraft are the means that enable us to travel, it is these hubs of activity that have facilitated the standardisation of the air travel process and made it available to as many as possible.

Air transport has also become critical to the economy of every country. While international airports enable cross-border transport, domestic airports enable intra-country trade. Hence an airport is not just a critical asset to the airport operator (private or public) but also to the country. Any disruption of airport operations has serious repercussions. In addition to the direct impact on the country's economy, there is also a negative impact on the country's reputation. It is for this reason that airports are classified as part of Critical National Infrastructure by governments across the world and are accordingly protected.

While most risks can be objectively evaluated and mitigated, business continuity management is needed to mitigate the impact of those risks that cannot be easily predicted and accurately quantified. This article seeks to outline one of the approaches to implementing BCM at airports and encapsulate some of the insights gained from this process.

Understanding airports
The airport ecosystem is incredibly complex. There are a large number of entities, both private and government, that need to interact with each other to ensure successful airport operations. This also includes the private agencies like baggage handlers, transport companies, fuel companies and commissionaires, which are closely intertwined to facilitate the smooth running of the airport.

In fact, in this symbiotic system, the actual airport operator is significantly constrained. It cannot unilaterally take decisions without approvals from government bodies. In matters of security and operations, the airport operator is heavily regulated not just by national but even international organisations.

One of the biggest challenges in implementing BCM for airports is integration of government functions into the overall BCM strategy. These include the immigration and customs departments that also need to understand the need for BCM. At times, they are slow to appreciate this need and hence it is difficult to get them on board. In international airports, matters are further complicated by the need to segregate those who have passed immigration check from those who have yet to do so. Potential contamination of passengers is a nightmare scenario for airport operators and government agencies alike.
Airports also have unique and expensive equipment for which redundancy
cannot be easily built in. One such example is the machine required to
clean the runway. Constant landing of aircraft leaves rubber residue on the
runway. This reduces the friction that is required for safe landing and takeoff of
aircraft. As per national and International Civil Aviation Organisation (ICAO)
regulations, the rubber residue needs to be removed to ensure safe friction
levels. The machines that are required to perform this operation are usually
quite cost prohibitive. Having spare machines is an expensive proposition.
Furthermore, in a similar manner to manufacturing facilities, airports are faced
with physical constraints. For example, they cannot be relocated in case of a
disaster! Many of the airport processes are also physically constrained, with only a few that can be virtualised and moved to an alternate geographical location.

With constraints like these, BCM in airports requires a pragmatic approach. Of course, considering the criticality of the facility, one could argue that money should not be a constraint when planning for BCM. However, ground realities are different (no pun intended). Airports are a business just like any other. While being an important national infrastructure, they are primarily run to make money. Any BCM activity should keep in mind the basic cost/benefit equation.

BCM approach for airports [1]
One of the first steps in implementing BCM at airports is to begin working with the risk management team. Risk management is a key part of every airport's operational activities. Airport risks are usually already defined and controls have already been put in place as prescribed by regulatory bodies. This is because each airport is part of the overall air transport ecosystem consisting of components such as aircraft, flight paths, airports etc. This enables a level of global standardisation across airports; without this it would prove difficult to fly an aircraft from Airport A to Airport B.

The first step in any BCM implementation at airports is to meet up with the person responsible for risk management. This is required to achieve several key objectives:
To understand the current status of continuity planning at the airport
To understand where BCM will dovetail into the risk management function
To provide assurances to risk management that the BCM programme will not trespass into the risk management domain

The last point is important from a change management point of view. This enables smooth conduct of the BCM engagement, with the risk management team willingly playing a constructive role.

At this stage, one also needs to clearly define the BCM policy and establish who will lead the BCM function. In cases where an external consultant is handling the BCM implementation, it is important to involve a senior internal resource at this stage. This person will ideally lead the BCM function once the
Eureka moment #3
Airport processes are not as virtualised as processes in the financial industry, for example. They are physically constrained by the airport location. Even departments like human resources are located within the airport premises while they can be easily virtualised. This makes it difficult to plan relocation strategies even for processes that don't necessarily need to be physically carried on at the airport.
Security
There are a multitude of reasons why organisations seek to maintain the strictest levels of control over their prized information. The increasing amount of confidential data they store on staff, clients, suppliers etc. brings with it regulatory demands to protect it, plus fines and potential reputational issues for failing to do so. Information relating to new products or processes, trade secrets, recent transactions or deals, if exposed, could result in financial losses, damage share price or give away competitive advantage. At the highest level, sensitive information relating to government activities can create tensions between territories and put lives at risk.

In response, companies, bodies and governments have been implementing ever more stringent security procedures to protect their data. However, over the last few years, there have been a number of very high profile instances where these systems have been breached, and sensitive information has entered the public domain. This data has been brought into the light without the necessary controls in place and without the public having a clear understanding of the nature or the context in which it was compiled, causing significant consternation as a result.

The people responsible for releasing this information have been viewed by the public as either heroes or villains depending on where the commentator stands from a geo-political or corporate perspective. While this raises a number of interesting issues, the purpose of this article is not to explore what has driven the whistle-blower to take such actions, but rather to explore the issues such activities raise from a continuity or a resilience standpoint.

As with most situations we face, prevention is better than cure. This therefore focuses our attention on the issue of information security. Who has access to what? What controls do we have in place to prevent such information being released without permission into the public domain? These are the primary questions that need to be addressed.

One of the very important characteristics of the recent incidents is the fact that those responsible for releasing the data were in fact people who already had access to it and were trusted by their organisations. This shows that in these instances vetting processes of personnel were not effective at mitigating the risk. This particular issue warrants an article in itself; however, for the purposes of this piece we will focus on some of the other forms of control that companies can and should implement.

Information control
Many of the controls that companies put in place come in the form of both hardware and software solutions. Examples of such measures might include: putting USB locks on desktops; implementing strict administration controls to limit access to data; restricting which files can be copied or emailed. All of these measures can play a key role in limiting your exposure to data loss, but rather than looking at specific steps you can take, I want to focus attention on the requirements laid down in ISO 17799, which provides a code of practice for information security management.
The standard sets out ten steps/components that it deems essential to establishing a high
standard of information security within your organisation. I have listed these below and
have included some of my own thoughts on each of these stages:
ACCESS ALL AREAS

Information security policy, objectives, and activities that reflect business objectives
Make sure that the policy which you implement is fit for your organisation. The requirements should be specific to the demands and exposures of your business and the environment in which you operate. I would strongly recommend that you develop your own policy from scratch rather than simply downloading a template that you then look to amend accordingly.

An approach and framework of implementing, maintaining, monitoring and improving information security that is consistent with the organisational culture
Ensuring that your information security policy is embedded within your organisation's culture is as important as the document itself. You not only have to sell the benefits of playing your part, but also put in place measures to maintain support for the policy moving forward. Continuous monitoring is also critical to spot deficiencies in the policy and to ensure that it remains fit for purpose given any changes that may have occurred across your organisation. Make sure that you are always on the look-out for ways to further enhance the level of information security you have.

Visible support and commitment from all levels of management
Do as I say, and as I do: you have to lead the way. Your management must demonstrate their full commitment to the strategy and not just give it an initial 10 minutes of their time; they must set a clear example for all to follow. It must become an integral part of standard management practices across the company. Remember that failure on their part to do so could result in dire consequences for themselves and the company as a whole.
Information security is not about imposing some form of 1984-type system to monitor the activities of all your staff. It is about putting in place the right controls for your organisation which serve to limit access to the right people and that are set at the right level

Once people know this, you may well find renewed interest in your information security efforts.

Patrick Mcilwee FICPEM is director of resilience, legislation and enforcement at Syndicus Information Security LLP
www.syndicusis.com
BCI News
The Soap Box provides
you the reader with an
opportunity to speak
your mind on the issues
impacting on your
discipline. To air your views
contact Nigel Allen at
nigel.allen@thebci.org
events, yet they had a similar effect: they grounded commercial air transport over a wide area for a significant period of time. There are other similar examples. Snow in London and strikes by transport workers are very different events which can have almost identical impacts in that they stop public transport.

Stephen Nuttall is head of business operations for Hewlett-Packard Continuity Services in EMEA
stephen.nuttall@hp.com
www.hp.com/go/continuity