Friday, 11 April 2014

Business Continuity Flash Blog

On Tuesday 18th March 2014, as part of the Business Continuity Awareness Week activities, we witnessed the first ever BC Flash Blog. This is probably a new term to most readers, it is a virtual Flash Mob – but instead of a dance routine the participants wrote and published their own blog post or article.

The event featured 22 writers, from all sectors of the BC industry – and from various corners of the globe. All the articles were on the same subject, and published at the same time. In keeping with the BCAW theme, the subject was “Counting the costs, and benefits, for business continuity”, with each writer taking their own, unique, perspective on this issue.

If you haven’t already done so, you can find links to all 22 of these blogs here. If we do nothing else, we can at least pay these writers the respect of reading their work.

For those who are interested in statistics, the page with the list of articles has had over 600 views (as of the 7th April). The list is hosted on a service called List.ly that facilitates social media style interactions with the community. Readers are able to flag like/dislike; indicate which articles they have read and, perhaps just as importantly, which subjects they would like to learn more about.

To date there have been 123 of these interactions recorded – but sadly these have come from only 11 people. You do have to register with the service to interact, which may have stopped many from casting a vote. These interactions are still open, and it would provide useful feedback to guide future articles if you could visit the site and record your thoughts.

Despite the relatively low number of interactions recorded, the feedback from a number of the writers indicates a good level of hits on these articles. While not everybody had full scale analytics, reported around 100 hits on their article and another over 180 hits. This may, in part, represent the existing audience of some of these writers as much as the BCAW promotion - but that is part of the educational value to be derived from the exercise.

BC folk need to learn about tapping into, and leveraging, existing networks and communities if we want to promote our cause and our message. The extra reader base accessed by distributed, rather than centralised, blog hosting. Just as importantly, the extended reach of the Social Media networks of the various writers and the 'priceless' publicity that was generated by the Tweets and Retweets. These are lessons we can look at applying to our own BC programmes. How we can use tools like blogs and wikis in our organizations; improving our understanding (and adoption) of the various social media tools (like List.ly) and the value of debate and interaction, rather than passive consumption, in promoting a vibrant discipline.

One message that comes through very clearly in several of these articles is the passion that BC people have for the work we do. It was a joy to see that passion from old practitioners as well as from newer ones. The passion for the work and promoting the cause also spanned geography and language.

That passion means we can at times be forceful when we debate our different views and perspectives on how to count the costs – and even what constitutes benefits and value from BC. But it also drives a genuine desire to promote improvement and learning across our practices. Without debate, and passion, no field of knowledge will develop. But debate requires engagement.

I spoke about this passion, and used three of the articles as examples, in my BCAW webinar. It is recorded and can be accessed here, it also contains some instruction on how to access and engage with the List of articles.

It would be great to hear some feedback about the concept of a Flash Blog, about the articles, or even what topic you would like to see for a future Flash Blog event. You can comment here on The BC Eye, or start a discussion in one of the many Linked In groups where this post will be promoted.

My thanks to all those who contributed articles, I hope you all keep writing! Thank you also to those who take the time to read – and extra special thanks to those who make it all worthwhile by engaging and debating these ideas.

Finally, if you are wondering why we chose to have our Flash Mob write a blog post rather than demonstrate a dance routine – then this YouTube clip (featuring one of our contributors) should provide an adequate explanation.

Ken Simpson
Director of The VR Group

Tuesday, 18 March 2014

Counting the costs and benefits of business continuity, a Non-Executive Director's perspective

Essentially the Non-Executive Director's role is to provide a creative contribution to the board by providing objective criticism. So I recommend that all Non-Executive Directors consider challenging the board to count the costs involved in deploying business continuity management and balancing these costs against quantifiable benefits gained from its Business Continuity Management System and Programme.

The Good Practice Guidelines suggest that embedding BCM is hard to measure, but secretly I believe that Executive Directors deep down in their hearts and minds know full well if they are merely trying to be compliant.

In the busy world of the Executive, maybe they only have time to ask if the business is adequately covered from a risk and business continuity perspective. Is it the difference between plausible deniability and culpable liability? To paraphrase a well-known political interviewer: “Did you know there was a problem, in which case you are culpable or did you genuinely not know in which case you were incompetent, which is it?”

Apply that logic to the board and ask them if they understand the relationship between, in some cases, hundreds of thousands they spend on business continuity management believing that it will deliver benefits should it be needed, without insisting on seeing the cost benefit analysis that proves the case, only to find that in reality, plans are hardly invoked or utilised even in a real event.

I can only suggest from experience that Top Management Executives are unlikely to ask the question: “Show me the costs associated with maintaining our Business Continuity Management System/Programme and tell us how much deploying our strategy for resumption will cost if invoked and the savings, yes, savings to the business in reducing the impacts to the business over a known time scale.”

If business continuity professionals were pressed to answer this question, they would have to take a more commercial view of business continuity, they would have to truly align to risk disciplines and share common risk and impact scales and they just may invite procurement professionals to assist in quantifying response strategies and tactic and resource requirements.

This would lead to Top Management Executives having a genuine opinion, to give a mandate and possibly believing that business continuity does indeed add commercial advantage to your business.
So, I implore Non-Executive Directors and Heads of Audit Committees, challenge your Top Management Executives to prove the commercial case for undertaking business continuity management for your business.

Ask your Chief Risk Officer or their equivalent in your business:

  • How much do we spend annually on business continuity management, without an incident taking place?
  • How much would you estimate we would spend on deploying our strategy and tactics during a disruption and in achieving the timescales for resumption how much cost avoidance would we achieve in monetary terms?

Even as I write this, the national news talks of under spending and being under prepared for severe disruptions, they offer the costs associated with preparedness and with failure, within days or weeks of an event.

So I will say it one more time, why do we not estimate these impacts in monetary terms using the same methods as undertaken post event – but do this in advance. Why can we not offer Top Management Executives fixed and variable costs (including invocation) set against the cost of impacts over time? Let them decide their Maximum Attitude to Disruption M.A.D.

Finally, why don’t Top Management Executives ask these questions, rather than simply are we covered?

By David Window
Non Executive Director at Continuity 22301 Ltd

Counting the costs and benefits of business continuity, the BCI Technical Director's perspective

For those of you who think BCM is expensive, try operating without it.

Business Continuity has often been treated almost as an ‘act of faith’. Common sense has suggested that well prepared companies are likely to recover from an unexpected interruption quicker than unprepared ones; that they are likely to lose much less money by being productive again more quickly.

In times of financial restraint, with organizations looking to squeeze costs wherever possible this position is hard to defend, in some cases it simply no longer works. It is not too difficult to find out how much is directly lost as a result of disruptive incidents; in fact our friends from the insurance world have facts and figures about all types of incident – the amounts claimed, the amounts paid out and the actuarial data that supports the likelihood of every type of known problem.

This does however, leave difficulties for the BCM practitioner. Given the increasing attention paid to ‘black swans’, ‘unknown-unknowns’ or generally unpredictable events (illustrated again by the Malaysian aircraft disappearance), conventional risk pricing that requires forecasting both probability and loss expectancy is meaningless. For BCM people, how can we hope to quantify the potential loss connected to brand and reputation damage, market-share loss, share value collapse and more aggressive targeting by competitors?

Even if we can argue successfully (without detailed facts and figures) that we need to protect ourselves from the potentially terminal consequences of unexpected incidents, can we make a strong enough case for BCM as the solution? It is one thing to point out a problem, it is an entirely different thing to show you have the answer. For many years the BCI and other similar bodies have conducted regular surveys that demonstrate that the cost of business disruptions is significant. This has increased in line with trends such as ‘JIT’ manufacturing, complex and extended supply chains, increased off-shoring of services and purely cost driven out-sourcing of operations.

A soon to be released global survey indicates that almost 30% of respondents have experienced business losses of over $5 million as a result of a disruptive incident. This was up from less than 20% three years ago. The challenge for BCM professionals is not so much to shout about those facts (although that approach can help sometimes) but to show why Business Continuity can help both reduce the likelihood of suffering that loss at all, but if it should happen that the loss can be dramatically mitigated.

The wider dialogue taking place about resiliency throughout industry and government actually helps our case. In some ways recovery is simply a failure to be resilient, although total protection from everything is clearly impossible. The need to balance measures that make us inherently more able to withstand rapid changes in risk (political, environment, social and technological) with our ability to adopt and response as needed is the future for BCM thinking. What value do you put on success and what cost do you put on failure? Does effective BCM make the former a more likely outcome than the latter? The answer to those questions provide the justification for Business Continuity – in my view it is a modest investment for corporate decision takers who understand the real questions.

By Lyndon Bird
Technical Director at the Business Continuity Institute

Friday, 21 February 2014

Never work with children or animals... or technology

The other day I attended a meeting of a local business continuity forum. It was a very well run, very interesting meeting – the latter despite the fact that one of the topics was business interruption insurance, living proof that any subject can be made interesting by an engaging speaker. There was, however, one small glitch in proceedings that I thought was worthy of note. Or that at least gave me an excuse to write a blog.

The second item on the agenda involved a live link-up, via Skype, to a presenter in some far flung, desolate location – Reading, I think. At the appropriate time, the chairman initiated the call. And then… nothing happened, apart from a deafening silence. The technology didn’t work. Now, before you say anything, yes, of course it had been tested beforehand. This was, after all, a group of consummate business continuity professionals. It had, however, been tested on the previous Friday afternoon, whereas the live event was on a Monday morning, when the volume of traffic on the network is, apparently, much greater. To the extent that there wasn’t enough room left in the pipe for a teeny weeny little Skype call.

After much umm-ing and ah-ing and “talk amongst yourselves”-ing, the organisers finally got it working – for a while at least, but then it failed again and they eventually had to resort to a somewhat Heath Robinson solution involving the loudspeaker on a mobile ‘phone next to a microphone connected to the room’s sound system. Which, I have to say, was a better sound quality than the original Skype solution. And so the meeting continued with no further hiccups.

The episode brought to mind a technology glitch at another seminar that I was at a while ago. This time I was presenting to an audience of 200-odd people (by which I mean approximately 200, as opposed to 200 odd people – although there were one or two there who fitted the description admirably). The venue was a concert hall with a huge stage about ten feet above the audience, who were seated around tables in an auditorium the size of a small country. Not at all daunting.

It came to my turn. I took a deep breath, walked up the steps to the stage, introduced myself, pressed the button on the remote control to fire up my slides and…nothing happened. There was a completely blank screen behind me and a couple of hundred people looking at me expectantly. Not even a whiteboard to fall back on. Oops! Time for Plan B. Which was to busk it for ten minutes while the techies scurried around poking things and unplugging and re-plugging things, having tried the universal solution of powering it off and on, which had no effect whatsoever. Eventually the screen came back on, I re-synched my blathering with the pretty pictures and all was well. It was a bit uncomfortable for a while but I got away with it. I even got a bit of a buzz from it in a masochistic sort of a way, although I was only too happy to take the applause and return to my seat at the end of it. And, before you ask, yes, of course it had been tested beforehand. I am, after all, a consummate business continuity professional!

Both incidents made me think about the huge reliance that we place on technology and the difficulties it can cause when it’s not there. But they also made me think that, as often as not, there are alternatives, whether they involve the use of other technologies or switching to manual processes – maybe even reverting back to the way we used to do it in the old days, before all the clever and sophisticated technology arrived to “help” us.

They reminded me of the importance of testing, and the fact that, to be really confident that things will work, testing should be as comparable to the real thing as we can possibly make it. Even then there are no guarantees, but if our testing isn’t realistic it can give us a completely false sense of security.

And they reinforced the point that, whether the solution is highly technical and whizzy or simple and old fashioned, we should always, always have a Plan B up our metaphorical sleeve. Because, as a certain Mr Murphy decreed long ago, whatever can go wrong almost certainly will.

Andy Osborne is the Consultancy Director at Acumen, and author of Practical Business Continuity Management.
You can follow him on Twitter and his blog or link up with him on Linked In.

Thursday, 13 February 2014

A vision of the future

I’m relatively new to business continuity management, with only a little over ten years’ experience in this industry that is said to be made up of the 'Men in Grey' - bearded and grey suited men. Someone said this to me at last year’s BCI World Conference, I then looked in the mirror and sure enough that was me already.

So in my short time what changes have I seen, what incenses me and what gives me hope that as an Institute we are making progress?

Like many when they start out in this industry, I was volunteered as opposed to being a volunteer. It was in the days of PAS56 (Publicly Available Specification 56), the forerunner to BS25999 and now ultimately ISO22301.

My experience was that the business in Eastern Europe that I worked for needed to comply with various standards and regulations and business continuity management was beginning to be the latest fashionable topic.

Returning to the parent company in England, I was suddenly considered an expert because I had actually read the existing standard - "Dave can write us a plan" I was told. Oh dear! No ten pillars of business continuity (PAS56); no BCM Lifecycle (BS25999); just "write us a plan." This was post 2000 and the millennium bug scare which had achieved a lot in some respects, but also suggested that BCM was exaggerated to create a cottage industry.

So have we truly progressed? The point in time when business continuity management moved forward for me, I can now see clearly was driven by the right Top Management influencers driving it. Even then however, the dark side of 'minimum compliance' versus 'budget availability' was always present.

I’m proud to say I now tutor the topic for the BCI via one of its top training providers and in doing so I meet people from many business sectors from Directors to BC Coordinators, and yes, some of those who have been volunteered.

I still see in some of the biggest and multi-facetted global organizations a culture centred on compliance; equally I see huge amounts of dedication, expertise and frustration from people hugely committed to business continuity management.

So what incenses me?

The fact that we still use dramatic events to explain the concept of business continuity. As impacting as they are, and perhaps getting more frequent, I'm incensed that we still think this is how to promote this topic.

The fact that we are often still at loggerheads with the risk industry and that we struggle to embrace each other’s discipline to a common objective.

The fact that we as an Institute analyze supply chain continuity each year and come up with very similar data, yet we still do not have the means to change those findings through a common understanding of the issues.

Finally, the fact that whenever you attend forums, presentations are largely centred around statistics that depict the frequency of events and a series of pictures showing how bad things can get, invariably with no evidence of what we can do to make things practically better.

So, what is the solution and what are you doing about it I hear you say. My view is simple, but the solution may be a little more complex.

Organizations in this day and age have to be commercially driven, be they charities, public sector or private sector, small medium or global; they have to be commercially efficient. Top Management are driven by success often evidenced by financial targets.

The most common phrase I hear when discussing business continuity management and disruptive events is “what’s the chances of that happening?” the classic response borne out of risk appetite and risk attitude. Why spend budget on an unlikely event?

Top Management speak of 'risk' - they can comprehend this because it’s built in to us all from birth. Planning is counter intuitive, reacting is natural.

Something we all must do, and I try to, is promote the concept of business continuity as a value adding, commercially driven, essential part of a successful organization. This includes understanding your Top management’s appetite and attitude to risk, their maximum attitude to disruption (over time).

When it comes to procurement and managing supply chain continuity, Top Management need to understand the 'Risk/resilience Assessed Total Cost of Ownership'.

As an Institute, as BC professionals, we need to place business continuity at the top table by giving Top Management reasons to adopt it based on commercial efficiency, not compliance.

This cultural shift that the BCI Good Practice Guidelines tell us is so hard to measure will happen if we present commercial evidence as to why Top Management need business continuity management.
My part in this transition is to constantly discuss business continuity management in terms of a commercial imperative and offer solutions and concepts, not statistics and photographs.

David Window is the Managing Consultant of Continuity 22301 Ltd in Cheshire, UK.
There was an error in this gadget