"I always imagined a few people on the phones in a small office taking calls, not a big office with actual departments, and definitely not anyone thinking about business continuity and risks." Over the past year I have heard this line said to me in varying forms when I have explained that I give advice on corporate risk and business continuity in the non profit sector.
Not a common misconception and when being able to easily list the risks relevant to the financial services industry for example, applying that to the non profit industry along with the associations of what is important is not as easily obvious straight away.
Some Challenges and observations:
The varying degrees of academia in non profit organisations are expansive and the primary challenge is making it accessible and relatable to all.
The attitudes that this would take too long - it’s not required in our industry and focusing on delivering primary front line services was more important. But has anyone thought about those supporting functions?
"This will never happen to us anyway." At first, it made me feel uneasy hearing this but this is the best challenge to promote business continuity in any industry. Using the "if we don’t comply, we will get fined" card almost shifts the desired affect from wanting to provide great assurance to an exhausting check box exercise. The appetite and denial factor is a tough barrier to get around.
Forgotten plans - in most cases contingency plans were in people’s minds but just not on paper. Hearing various stories of incidents taking place which resulted in an instant panic before the swift realisation that "oh yes, we have a plan, we know what we need to" kicked off a series of reactions to get things back to normal.
Planning V’s practicing - countless months were spent planning and writing but practicing those BCP’s were missing. In recent exercises some feedback I got was that no one had ever tested their plans and found it really useful. The actions that were thought to take five minutes took twenty. This started a chain of actions which plan owners needed to implement in order to become more resilient in an incident. A friend said to me once that businesses don’t fail because of a bad business continuity plans, but because of bad choices. That stuck with me.
So what does BC look like in these industries?
We live in a robust and dynamic society and whilst a generic approach to start off a plan is valuable, they can be adaptable. I quickly realised that I was getting too hung up on wanting to make each teams plan look the same and what really mattered was that it absolutely has to work for the people invoking it, and if it is clear and coherent, that is sufficient.
It is without a doubt that the non-physical threats such as reputational risks, loss of funding from a major donor and employee scandals can have serious impacts on your operation, especially when the majority of funding is provided by the public generosity. If an incident occurred what would be the emergency funding protocol? It is things like this that needs the most consideration. Yes, every industry needs to consider the building, IT/data and staff but what about the intangible factors that essentially calls for a disaster.
Making those threats relatable is key and, the empowerment resulting in a shift in view of risk and business continuity only being related to IT and Financial services is essential. (Because of the varying levels of academics in these industries often sit under one roof).
What does this all mean?
All non profits, for example charities, are run like businesses. Fact!
Non profit or not, business continuity is on everyone’s mind, but they just don’t know that this is what it is. Yes, the variations of levels in what constitutes a threat differs from industry to industry but essentially, what matters most is the resiliency each organisation has to overcome any incident it faces.
RISKercizing until next time
Friday, 22 August 2014
Thursday, 21 August 2014
Despite this, the majority of executives are still terrified of social media, and the backlash which happens during a crisis. Many choose to have no part in it, figuring that a visible online presence will make you a sitting target. When Domino’s 2009 YouTube scandal hit, the pizza company didn’t even have a Twitter account set up and they were unable to communicate or even acknowledge their critics properly.
Burying your head in the sand is not an option. Social media isn’t going away, the various platforms may come and go as fickle as fashion, but the internet is here to stay and it's time for corporations to get a handle on how they interact with social media. Monitor your brand properly, be the first to identify a crisis developing and respond fast.
Whether you have a large social media presence or not, you will be discussed and complained about on twitter. During a crisis, Twitter is the breeding ground of unchecked ‘facts’ and misrepresentation which spread like wildfire. Link Twitter to your press statement, allow Twitter users to read the real facts, even if they chose to ignore them. This also leaves your organisation in a much stronger position, in that it can say it has been in dialogue with all its stakeholders including those who vehemently oppose it.
A core part of your crisis plan should be your digital crisis communications plan. Just as the perfectly phrased (and legally cleared) press statement is ready to go for any well prepared company; a perfectly prepared stream of tweets should be poised in order to get the right message out into the blogosphere fast.
Finally, and most importantly, don’t score an own goal for the Twitter trolls. What can go wrong probably will go wrong. Give those haters a hashtag to use and use it they will, effortlessly turning a carefully constructed hashtag into a bashtag, as seen with the #myNYPD. Earlier this year ‘New York’s Finest’ attempted to generate some good publicity by asking the internet to tweet their experiences of their friendly local police department. What could possibly go wrong? Quite a lot as it turned out, Twitter was flooded with accounts of police brutality and the names of those shot dead by police.
Tom Curtin is the Chief Executive of Curtin and Co, a BCI Partner specialising in crisis communications and reputation management. You can view more blogs my Curtin and Co by visiting their website or by joining their Linked In group.
Monday, 18 August 2014
In terms of the debate within businesses there is a rather different attitude. Many public sector organisations have been told they are not allowed to talk about independence at all. Other organisations are keeping their head down, saying nothing publicly as they know they don’t want to be seen to belong to either camp, for fear the vote goes the wrong way and then there is a backlash against those who spoke out. For me it seems only the large companies such as Standard Life and Shell, that Scotland needs as much as they need Scotland, that have the luxury of making their feelings on independence clear.
So what has Scottish independence got to do with business continuity?
According to many in the ‘No’ camp, independence will be a disaster for Scotland. They are even discussing invoking their business continuity plan if the vote goes wrong! But what about the rest of us? What should we do to prepare for the independence vote?
1. First of all this is a foreseeable event so we have time to prepare for it and do something now. The first thing I think that you should do is understand your organisation’s vulnerability to Scottish Independence. In examining this you need to look both upstream towards your suppliers and then downstream to your customers. By mapping both you can understand your exposure. In looking at your suppliers then you need to look to your Tier 2 and 3 suppliers to check their exposure.
2. In looking at your exposure you want to take into account a number of factors. Business hates uncertainty and the period up to the independence vote may prevent businesses in the rest of the world making orders to Scottish companies. At PlanB Consulting we have not had any enquiries from English companies for the last three months. If the vote is for independence there will be immense uncertainty for the following 18 months, as the details of a new Scotland are being sorted out. This may cause your suppliers and customers to behave differently and so you might want to identify the critical ones and then make contingency plans if they stop purchasing from you or supplying to you. This will be made much worse and complex if Scotland has to change its currency.
3. If you are a public sector organisation then independence could affect you in a number of ways. If you are a national organisation which operates across the UK, such as the Police, then there will be an immense amount of work in separating databases and separating the parts of the organisation. As an aside, it has been shown that criminals thrive on uncertainty and a fractured police force. For other public organisations there may be a new regulatory regime or different priorities. It will be the same for financial organisations and other regulated industries. There will be uncertainty until it is made clear if the regulatory regime the same as before or has it changed.
4. For business continuity managers, whose organisations span Scotland and the rest of the UK, then it might mean having to change to structures of their plans to take into account organisations having to restructure themselves. Having operational teams during a disaster in Edinburgh, reporting on an incident to a Tactical Team and Strategic Team in London, may no longer be appropriate.
5. In all incidents, or when rapid change occurs, there are always opportunities. The Business Continuity Manager should make sure that when their organisation is discussing the effect of Scottish independence they make sure that identifying opportunities is on the agenda. This could be the opportunity to change suppliers and choose ones closer to where their products are consumed, eliminating the long supply chains with their inherent risk of disruption. If Scotland is not within the EU, having short local supply chains may be essential. It could also be an opportunity to completely review your business continuity plans, structures and strategies and change them for the better.
My feeling is that most organisations, in Scotland and also in the rest of the UK, are hiding their head in the sand and hoping that this problem goes away. They see the ‘No’ vote being ahead in the polls, not taking into account the undecided votes, and think this whole problem will not materialise. We as business continuity people know that if you shut your mind off to unlikely events then they tend to catch you out. So my call to action is for business continuity managers to examine their exposure to Scottish independence and then identify and mitigate any potential risks.
Charlie Maclean-Bristol is a Director at PlanB Consulting in Scotland.
Wednesday, 13 August 2014
I went to London. No, that’s not the silly thing – I go to London quite often and honestly it’s really not that bad there. Even for a country bumpkin like me. No, the silly thing came to light after I’d boarded the train and it was pulling out of the station. I opened my bag to take out my laptop and some papers so that I could start work and my laptop wasn’t there. I checked again. And again. But it still wasn’t there. After checking for a fourth time the penny finally dropped – I’d left my laptop at home. I was a couple of minutes into a two-hour train journey, all ready to get stuck in to some quality report writing time and my laptop, one of the main tools of my trade – if not the main tool – was sitting at home, rather than on the table in front of me.
After the initial panic attack subsided I remembered that I wasn’t presenting today, so at least I didn’t need my laptop for any of my meetings. And I had my phone, and lots of people tell me that’s all they need to be able to work. “I can just work from wherever I am, as long as I have my mobile phone and an internet connection” is an assertion I hear all the time. Well this was a perfect opportunity for me to put that theory to the test.
Luckily I had a charger with me, otherwise I’d have been in trouble from the off. Because the second thing I didn’t do last night – the first being to not spot the absence of a laptop when I checked the contents of my bag (yes I did actually check, or at least I thought I did – it was late) – was to charge my ‘phone. I have one of those ‘phones that you have to charge about every three and a half hours (you know the ones) so the 20% remaining battery life probably wouldn’t have got me halfway to London, let alone seen me through the day.
So I plugged in and off I went. I couldn’t work on the report that I’d planned to because, whilst I synchronise files between my desktop and laptop, I don’t store all of my data in the cloud as a matter of course. In fact I don’t store much there at all, particularly if it’s confidential. Call me old fashioned but I haven’t yet developed the same blind faith in 'the cloud' that many others have. I’m with one of my information security colleagues on this one – he recently said “I wish people would stop calling it ‘the cloud’ and start calling it ‘putting my data on someone else’s computers’. Don’t get me wrong, I’m not saying 'the cloud' is all bad. And yes, I do use it. But I’m extremely selective about what I choose to put there. There are, after all, some significant advantages if it’s used properly. But the cloud is a big and often dimly-lit place and not every cloud is created equal. Call me a cynic but I largely think of 'the cloud', particularly the free bits of it, as a really convenient way of letting someone else delete, corrupt, leak, sell, give away, deny me access to or otherwise compromise my data so that I don’t have to do it myself. Which I personally think is a healthy attitude that others would do well to adopt.
But I digress. In any case, trying to write a proper report on a phone, as opposed to making a few notes, isn’t the easiest thing in the world to do. For a start, typing large amounts of text on a phone isn’t as easy as on a real keyboard, at least for anyone with normal sized fingers. Let alone the fact that my phone is constantly correcting what I type, which means I spend an inordinate amount of time correcting it back again. Then there’s the compatibility issues (which I won’t go into here as it’ll probably just turn into a rant against Microsoft and Apple), which means that you’re pretty much restricted to text only, without too much formatting and certainly nothing as weird and wonderful as a table.
But I digress again. At least I could start by sending a few e-mails. Except there was no network connection. On-board wifi hasn’t made much of an appearance on the trains from Evesham to London yet, at least not the peak time trains (for some reason you can get it at 2 o’clock in the afternoon, which is really useful for the majority of business travellers who actually have to get up in the morning). And the mobile phone signal is somewhat patchy for the first part of the journey. Funny how I can get a mobile signal at the top of a ski slope but not in the Cotswolds, despite the claims of 99% UK coverage by the mobile ‘phone companies (second rant suppressed).
So I read a couple of (paper) documents, wrote a bit of my blog, corrected the corrections, finally managed to send and receive some e-mails, did a bit of web browsing (albeit looking at stuff on a very small screen), popped a couple of headache tablets and arrived in London for my meetings.
Shortly before I got on the train home, my phone started bleating “low battery” at me again. “No matter”, I thought, “I’ll just charge it on the train”. Except the electrical sockets on this particular train weren’t working. So I had about twenty minutes of trying to access my e-mails (and failing, due to a glitch at my internet service provider – good old Sod’s Law!) and writing a few notes for later processing before my phone gave up the ghost. At which point I gave up too and read the paper instead.
So, how effective was my plan to “just work from wherever I am using my mobile ‘phone”. Well, I suppose I managed to do a bit, and significantly more than in the pre-smartphone days. But how effective was it really? Well I think the answer to that is fairly evident. I reckon I probably achieved fifteen to twenty percent of what I’d have been able to do had I had my laptop to hand.
Yes, remote working is eminently possible – I do it all the time – but its effectiveness is hugely dependent on the tools available and the type of work that you’re trying to do remotely. Even working at home can be problematical and far less efficient than working in an office, if that’s what you normally do. And if you’re a laptop user and you don’t have it with you (which is a distinct possibility if you’re one of the many, many people who leave their laptops in the office when they go home) remote working can be trickier still.
And yes, there are all sorts of things that can be done with a smartphone (aside from checking Facebook or tweeting), particularly if your job largely involves phoning and emailing people and making a few notes. But in my experience their usefulness is limited and they’re really no substitute for a proper computer if you have things like reports to write (or read) or large, complicated spreadsheets to deal with, amongst other things. And, whilst they may be OK for a short period, I challenge anyone to work effectively for anything more than a very short time using just their smartphone.
So next time someone says to you “I can just work from wherever I am, as long as I have my mobile phone and an internet connection,” I strongly suggest you challenge them to prove it. Because some things are a lot easier said than done.
Andy Osborne is the Consultancy Director at Acumen, and author of Practical Business Continuity Management. You can follow him on Twitter and his blog or link up with him on Linked In.
Tuesday, 12 August 2014
Business continuity is one of those industries/professions/sectors that is on a growth trajectory. It needs to be as it works in an environment that is rife with influences that may engender or initiate change and thus inform the shape of risk and impact landscapes. There is much speculation, theorising and pontificating about what is coming, how it should be influenced or could be controlled and how we deal with impacts. From globalized business activity to changes in national and international power balances, from political reorientations to an emergence of technology enabled ‘people power’. Also, while there is an immense amount of opinion and theory put forward daily from all quarters concerning human behaviour and its effect on others (such as, by implication, political, economic, social, technological impacts) it is also worth considering ideas, theories and opinions on the less easily quantifiable and controllable. These are all areas for thought, concern and yes, education.
So, if we are aware of the potential problems, what’s the problem? Well, there are thousands of business continuity professionals (that is what you are: professionals) out there who are undereducated, or perhaps miseducated, or maybe even not specifically educated at all. You may have been trained; but ‘educated’ is a different thing. Of course, you will know things, processes, functions, problems and issues and you will be adept in your role, and if that’s OK with you; then that’s OK. The sector abounds with professionals who are working hard, mainly successfully, to do what needs to be done and in general, we don’t equate ourselves with reticence, lack of confidence or indecision; or indeed lack of self-awareness.
However, there are very many people who do hesitate when it comes to education. It is interesting. Maybe this hesitancy is not about cost; nor is it usually about obtaining support from employers. Usually, there is a fear of being overcome by the difficulties and challenges of learning, perhaps because they have been away from formal education for many years, or simply because they are familiar with training rather than the academic rigour of university programmes.
Well, simply put, there is nothing to be afraid of or worried about. If you decide to undertake an academic programme you can expect to be provided with advice, support, guidance and resources to allow you to grow into the mysteries of higher educational learning. In fact, here’s a little secret – there are no mysteries at all! Learning takes time; skills take practice, correction and amendment to perfect. It can be done and in fact, it is not intimidating or difficult at all. It does take hard work and application – but so does life.
Most importantly higher education learning doesn’t turn you into an academic; it enhances your professional capabilities. In fact, unless you are steeped in study on a daily basis, you are not an academic or a scholar – in reality, for those who undertake professional and academic courses as part of their CPD (continuing professional development), the clue is in the acronym - ‘CPD’! And importantly, it is not all about theory; education in the modern world and in the BC world should be about practical application.
So, in Education Month, perhaps it is worthwhile taking pause from your busy and demanding life and thinking about what you would like to be.
- Better paid? Education helps whether you study for a certificate, diploma, bachelors or master’s degree.
- More competitive? Education helps you to think about and analyse the world around you.
- Better at your job? Education helps you to learn and understand what you do and why – and what you should be doing and why.
- A thought leader? Education helps you to become a more effective thinker as well as an effective practitioner; win/win!.
Phil Wood is the Head of Enterprise, Security and Resilience within the Faculty of Design, Media and Management at Buckinghamshire New University in the UK.
- Business continuity and the non profit sector
- Protecting yourself from a social backlash
- Scottish independence - for better for worse
- Can you work with just a mobile phone and internet...
- The value of continuous learning
- Are you equipped for the future of work?
- Helpful advice on Ebola for business continuity pr...
- Keeping your eye on the ball (or your supply chain...
- 10 Items which should be in a BCP (and are often f...
- ▼ August (9)
- ► 2013 (59)