Wednesday, 3 September 2014

Seven deadly sins of business continuity plans

Recently I helped plan and deliver a workshop for the Scottish Continuity Group. The theme of the day was to give the delegates ideas of ways to improve their plans. Presentations were given on a number of aspects of planning, including short plans, using business continuity software, the army way of planning and different ways to set out your plans. I gave a talk at the beginning of the workshop to set the scene. It was entitled 'The Seven Deadly Sins of Business Continuity Plans' and I thought I would share the main points with you.

Sin 1 – Unnecessary information

Many Business Continuity Plans I see seem to be full of unnecessary information which is not needed on the day of the incident. They contain policy information, details of when the plan was last exercised and how business continuity is managed within the organisation. I believe that the plan should only contain information which you are going to use on the day of the incident. All the other information should be kept in a separate document.

Sin 2 - Samey

“When something remains consistent when one would expect there to be more variation”.

This is where the plan initially looks good, with lots of detail, and it appears that lots of thought has gone into it. You then read a number of plans within the organisation and you find that almost all the plans are exactly the same. The call centre plan looks exactly the same as the finance plan, except for the name on the front. This says to me that business continuity within the organisation is not taken seriously and the organisation is happy for its plans to be cut and pasted from one department to the next. Of course there will be some parts that need to be the same in all plans, such as the incident management hierarchy, but make sure that your plan is properly tailored to your part of the organisation.

Sin 3 – Connection to the BIA

Many organisations have a large and elaborate Business Impact Analysis (BIA), which captures vast amounts of information. When you come to look at the plan there is nothing in it recognisable from the BIA. The BIA has a vital part in informing the recovery strategy and key information such as the system recovery order, how many seats the department needs over a timeframe and, most importantly, the Recovery Time Objectives (RTOs) of the different activities carried out by the department. Make sure you iron out the essential details which you need during an incident.

Sin 4 – Scope

With many plans I see it is not clear what the scope of the plan is. Is it just the Glasgow call centre or all three call centres across the United Kingdom? Perhaps the author knows the scope of the plan but has not put it into the document. I am never sure whether this is the case or whether they have not really thought through the scope of their plan. I think within the plan there should be a very clear scope, and the parts of the organisation which are outside of the scope should also be identified.

Sin 5 – No strategy

Many plans have to be read four or five times before you can actually work out what their strategy is and how they are going to recover their operation. Sometimes it is impossible to work out what they are going to do! There may be tables listing the number of staff to be recovered but no actual location where they are to be recovered to. Sometimes I worry that the organisation doesn’t really know what it is going to do and will make it up on the day, hence it has no strategy to actually write down. Within the plan, I believe, it should be very clear what the recovery strategy of the organisation is. Within my plans I write a paragraph describing the recovery strategy which makes it clear how the organisation will implement its plans.

Sin 6 – The Team

According to the Business Continuity Institute’s Good Practice Guidelines every plan must have a team to implement it. This seems to be missing from many plans and it is not clear who will implement the plan. Even if the plan will be implemented by a team detailed in another document, there should be reference to this within the plan.

Sin 7 – Medium to long term recovery

Many plans I see concentrate on the immediate response to an incident and recovery of the first activities to their designated RTO. After this they run out of steam and are vague on how to recover beyond that. I was guilty of this when I was responsible for planning for a large office of 1,600 people. I had a good robust plan involving a work area for 300 of the key staff but had no plan in place for the recovery of the remaining 1,300 people. Finding space and recovering a small number of staff for immediate activities is easy; what is more difficult is finding space for the remaining large numbers of people. The same amount of thought and planning should go into your medium and long term planning, especially if it involves large numbers of staff. Once you know how to recover the remaining large numbers of staff then this should be included within your plan.

Charlie Maclean-Bristol is a Director at PlanB Consulting in Scotland.

Friday, 22 August 2014

Business continuity and the non profit sector

"I always imagined a few people on the phones in a small office taking calls, not a big office with actual departments, and definitely not anyone thinking about business continuity and risks." Over the past year I have heard this line said to me in varying forms when I have explained that I give advice on corporate risk and business continuity in the non profit sector.

Not a common misconception, perhaps, but while it is easy to list the risks relevant to the financial services industry, for example, applying that to the non profit sector, along with an understanding of what is important there, is not as obvious straight away.

Some Challenges and observations:

The range of academic backgrounds in non profit organisations is expansive, and the primary challenge is making business continuity accessible and relatable to all.

The attitude that this would take too long, that it’s not required in our industry and that focusing on delivering primary front line services is more important. But has anyone thought about the supporting functions?

"This will never happen to us anyway." At first, it made me feel uneasy hearing this, but this is the best challenge to promote business continuity in any industry. Using the "if we don’t comply, we will get fined" card almost shifts the desired effect from wanting to provide great assurance to an exhausting check box exercise. The appetite and denial factor is a tough barrier to get around.

Forgotten plans - in most cases contingency plans were in people’s minds but just not on paper. I heard various stories of incidents taking place which resulted in an instant panic before the swift realisation that "oh yes, we have a plan, we know what we need to do" kicked off a series of reactions to get things back to normal.

Planning vs. practising - countless months were spent planning and writing, but practising those BCPs was missing. In recent exercises some feedback I got was that no one had ever tested their plans and that they found it really useful. The actions that were thought to take five minutes took twenty. This started a chain of actions which plan owners needed to implement in order to become more resilient in an incident. A friend said to me once that businesses don’t fail because of a bad business continuity plan, but because of bad choices. That stuck with me.

So what does BC look like in these industries?

We live in a robust and dynamic society and, whilst a generic approach to start off a plan is valuable, plans can be adaptable. I quickly realised that I was getting too hung up on wanting to make each team’s plan look the same, and what really mattered was that it absolutely has to work for the people invoking it; if it is clear and coherent, that is sufficient.

There is no doubt that non-physical threats such as reputational risks, loss of funding from a major donor and employee scandals can have serious impacts on your operation, especially when the majority of funding is provided by the public’s generosity. If an incident occurred, what would be the emergency funding protocol? It is things like this that need the most consideration. Yes, every industry needs to consider the building, IT/data and staff, but what about the intangible factors that essentially call for a disaster?

Making those threats relatable is key, and shifting the view that risk and business continuity relate only to IT and financial services is essential, because people with widely varying academic backgrounds often sit under one roof in these organisations.

What does this all mean?

All non profits, for example charities, are run like businesses. Fact!

Non profit or not, business continuity is on everyone’s mind, but they just don’t know that this is what it is. Yes, the level of what constitutes a threat differs from industry to industry, but essentially what matters most is the resilience each organisation has to overcome any incident it faces.

RISKercizing until next time

Rina Bhakta is a Corporate Risk Advisor at the NSPCC. If you would be interested in being a member of a special interest group and want to talk/share ideas about business continuity and risk management challenges at your non-profit, contact Rina via her blog RISKercize or via Twitter or LinkedIn.

Thursday, 21 August 2014

Protecting yourself from a social backlash

The first tweet was sent just over eight years ago when creator Jack Dorsey typed up "just setting up my twttr" and it pinged into the history books. Since then the growth of Twitter, Facebook, Instagram, and other lesser known platforms has fundamentally changed the way we process events and read content.

Despite this, the majority of executives are still terrified of social media, and the backlash which happens during a crisis. Many choose to have no part in it, figuring that a visible online presence will make you a sitting target. When Domino’s 2009 YouTube scandal hit, the pizza company didn’t even have a Twitter account set up and they were unable to communicate or even acknowledge their critics properly.

Burying your head in the sand is not an option. Social media isn’t going away; the various platforms may come and go as fickle as fashion, but the internet is here to stay and it's time for corporations to get a handle on how they interact with social media. Monitor your brand properly, be the first to identify a crisis developing and respond fast.

Whether you have a large social media presence or not, you will be discussed and complained about on Twitter. During a crisis, Twitter is the breeding ground of unchecked ‘facts’ and misrepresentation which spread like wildfire. Link Twitter to your press statement and allow Twitter users to read the real facts, even if they choose to ignore them. This also leaves your organisation in a much stronger position, in that it can say it has been in dialogue with all its stakeholders, including those who vehemently oppose it.

A core part of your crisis plan should be your digital crisis communications plan. Just as the perfectly phrased (and legally cleared) press statement is ready to go for any well prepared company, a perfectly prepared stream of tweets should be poised in order to get the right message out into the blogosphere fast.

Finally, and most importantly, don’t score an own goal for the Twitter trolls. What can go wrong probably will go wrong. Give those haters a hashtag to use and use it they will, effortlessly turning a carefully constructed hashtag into a bashtag, as seen with #myNYPD. Earlier this year ‘New York’s Finest’ attempted to generate some good publicity by asking the internet to tweet their experiences of their friendly local police department. What could possibly go wrong? Quite a lot, as it turned out: Twitter was flooded with accounts of police brutality and the names of those shot dead by police.

Tom Curtin is the Chief Executive of Curtin and Co, a BCI Partner specialising in crisis communications and reputation management. You can view more blogs by Curtin and Co by visiting their website or by joining their LinkedIn group.

Monday, 18 August 2014

Scottish independence - for better for worse

Throughout Scotland, at the moment, all conversations seem to quite quickly move on to the topic of the independence debate. I was sitting in the lounge bar of the Coll Hotel, on the Island of Coll, and could hear a lively debate going on in the public bar. It was a measured conversation and good points were being made on both sides. Then again, when I was at lunch with my parents we started discussing our latest thoughts on the debate. Most people I know seem to have made up their mind, so when I hear the issue being discussed it is usually just a rundown of the latest news and developments.

In terms of the debate within businesses there is a rather different attitude. Many public sector organisations have been told they are not allowed to talk about independence at all. Other organisations are keeping their heads down, saying nothing publicly, as they don’t want to be seen to belong to either camp, for fear the vote goes the wrong way and there is then a backlash against those who spoke out. It seems to me that only the large companies such as Standard Life and Shell, which Scotland needs as much as they need Scotland, have the luxury of making their feelings on independence clear.

So what has Scottish independence got to do with business continuity?

According to many in the ‘No’ camp, independence will be a disaster for Scotland. They are even discussing invoking their business continuity plan if the vote goes wrong! But what about the rest of us? What should we do to prepare for the independence vote?

1. First of all this is a foreseeable event so we have time to prepare for it and do something now. The first thing I think that you should do is understand your organisation’s vulnerability to Scottish Independence. In examining this you need to look both upstream towards your suppliers and then downstream to your customers. By mapping both you can understand your exposure. In looking at your suppliers then you need to look to your Tier 2 and 3 suppliers to check their exposure.

2. In looking at your exposure you want to take into account a number of factors. Business hates uncertainty and the period up to the independence vote may prevent businesses in the rest of the world making orders to Scottish companies. At PlanB Consulting we have not had any enquiries from English companies for the last three months. If the vote is for independence there will be immense uncertainty for the following 18 months, as the details of a new Scotland are being sorted out. This may cause your suppliers and customers to behave differently and so you might want to identify the critical ones and then make contingency plans if they stop purchasing from you or supplying to you. This will be made much worse and complex if Scotland has to change its currency.

3. If you are a public sector organisation then independence could affect you in a number of ways. If you are a national organisation which operates across the UK, such as the Police, then there will be an immense amount of work in separating databases and separating the parts of the organisation. As an aside, it has been shown that criminals thrive on uncertainty and a fractured police force. For other public organisations there may be a new regulatory regime or different priorities. It will be the same for financial organisations and other regulated industries. There will be uncertainty until it is made clear whether the regulatory regime is the same as before or has changed.

4. For business continuity managers whose organisations span Scotland and the rest of the UK, it might mean having to change the structures of their plans to take into account organisations having to restructure themselves. Having operational teams during a disaster in Edinburgh reporting on an incident to a Tactical Team and Strategic Team in London may no longer be appropriate.

5. In all incidents, or when rapid change occurs, there are always opportunities. The Business Continuity Manager should make sure that when their organisation is discussing the effect of Scottish independence they make sure that identifying opportunities is on the agenda. This could be the opportunity to change suppliers and choose ones closer to where their products are consumed, eliminating the long supply chains with their inherent risk of disruption. If Scotland is not within the EU, having short local supply chains may be essential. It could also be an opportunity to completely review your business continuity plans, structures and strategies and change them for the better.

My feeling is that most organisations, in Scotland and also in the rest of the UK, are hiding their head in the sand and hoping that this problem goes away. They see the ‘No’ vote being ahead in the polls, not taking into account the undecided votes, and think this whole problem will not materialise. We as business continuity people know that if you shut your mind off to unlikely events then they tend to catch you out. So my call to action is for business continuity managers to examine their exposure to Scottish independence and then identify and mitigate any potential risks.

Charlie Maclean-Bristol is a Director at PlanB Consulting in Scotland.

Wednesday, 13 August 2014

Can you work with just a mobile phone and internet connection?

Recently I did a remarkably silly thing. Something I hadn’t done in almost seventeen years as the proverbial travelling consultant.

I went to London. No, that’s not the silly thing – I go to London quite often and honestly it’s really not that bad there. Even for a country bumpkin like me. No, the silly thing came to light after I’d boarded the train and it was pulling out of the station. I opened my bag to take out my laptop and some papers so that I could start work and my laptop wasn’t there. I checked again. And again. But it still wasn’t there. After checking for a fourth time the penny finally dropped – I’d left my laptop at home. I was a couple of minutes into a two-hour train journey, all ready to get stuck in to some quality report writing time and my laptop, one of the main tools of my trade – if not the main tool – was sitting at home, rather than on the table in front of me.

After the initial panic attack subsided I remembered that I wasn’t presenting today, so at least I didn’t need my laptop for any of my meetings. And I had my phone, and lots of people tell me that’s all they need to be able to work. “I can just work from wherever I am, as long as I have my mobile phone and an internet connection” is an assertion I hear all the time. Well this was a perfect opportunity for me to put that theory to the test.

Luckily I had a charger with me, otherwise I’d have been in trouble from the off. Because the second thing I didn’t do last night – the first being to not spot the absence of a laptop when I checked the contents of my bag (yes I did actually check, or at least I thought I did – it was late) – was to charge my ‘phone. I have one of those ‘phones that you have to charge about every three and a half hours (you know the ones) so the 20% remaining battery life probably wouldn’t have got me halfway to London, let alone seen me through the day.

So I plugged in and off I went. I couldn’t work on the report that I’d planned to because, whilst I synchronise files between my desktop and laptop, I don’t store all of my data in the cloud as a matter of course. In fact I don’t store much there at all, particularly if it’s confidential. Call me old fashioned but I haven’t yet developed the same blind faith in 'the cloud' that many others have. I’m with one of my information security colleagues on this one – he recently said “I wish people would stop calling it ‘the cloud’ and start calling it ‘putting my data on someone else’s computers’.” Don’t get me wrong, I’m not saying 'the cloud' is all bad. And yes, I do use it. But I’m extremely selective about what I choose to put there. There are, after all, some significant advantages if it’s used properly. But the cloud is a big and often dimly-lit place and not every cloud is created equal. Call me a cynic but I largely think of 'the cloud', particularly the free bits of it, as a really convenient way of letting someone else delete, corrupt, leak, sell, give away, deny me access to or otherwise compromise my data so that I don’t have to do it myself. Which I personally think is a healthy attitude that others would do well to adopt.

But I digress. In any case, trying to write a proper report on a phone, as opposed to making a few notes, isn’t the easiest thing in the world to do. For a start, typing large amounts of text on a phone isn’t as easy as on a real keyboard, at least for anyone with normal sized fingers. Let alone the fact that my phone is constantly correcting what I type, which means I spend an inordinate amount of time correcting it back again. Then there are the compatibility issues (which I won’t go into here as it’ll probably just turn into a rant against Microsoft and Apple), which mean that you’re pretty much restricted to text only, without too much formatting and certainly nothing as weird and wonderful as a table.

But I digress again. At least I could start by sending a few e-mails. Except there was no network connection. On-board wifi hasn’t made much of an appearance on the trains from Evesham to London yet, at least not the peak time trains (for some reason you can get it at 2 o’clock in the afternoon, which is really useful for the majority of business travellers who actually have to get up in the morning). And the mobile phone signal is somewhat patchy for the first part of the journey. Funny how I can get a mobile signal at the top of a ski slope but not in the Cotswolds, despite the claims of 99% UK coverage by the mobile ‘phone companies (second rant suppressed).

So I read a couple of (paper) documents, wrote a bit of my blog, corrected the corrections, finally managed to send and receive some e-mails, did a bit of web browsing (albeit looking at stuff on a very small screen), popped a couple of headache tablets and arrived in London for my meetings.

Shortly before I got on the train home, my phone started bleating “low battery” at me again. “No matter”, I thought, “I’ll just charge it on the train”. Except the electrical sockets on this particular train weren’t working. So I had about twenty minutes of trying to access my e-mails (and failing, due to a glitch at my internet service provider – good old Sod’s Law!) and writing a few notes for later processing before my phone gave up the ghost. At which point I gave up too and read the paper instead.

So, how effective was my plan to “just work from wherever I am using my mobile ‘phone”? Well, I suppose I managed to do a bit, and significantly more than in the pre-smartphone days. But how effective was it really? Well I think the answer to that is fairly evident. I reckon I probably achieved fifteen to twenty percent of what I’d have been able to do had I had my laptop to hand.

Yes, remote working is eminently possible – I do it all the time – but its effectiveness is hugely dependent on the tools available and the type of work that you’re trying to do remotely. Even working at home can be problematical and far less efficient than working in an office, if that’s what you normally do. And if you’re a laptop user and you don’t have it with you (which is a distinct possibility if you’re one of the many, many people who leave their laptops in the office when they go home) remote working can be trickier still.

And yes, there are all sorts of things that can be done with a smartphone (aside from checking Facebook or tweeting), particularly if your job largely involves phoning and emailing people and making a few notes. But in my experience their usefulness is limited and they’re really no substitute for a proper computer if you have things like reports to write (or read) or large, complicated spreadsheets to deal with, amongst other things. And, whilst they may be OK for a short period, I challenge anyone to work effectively for anything more than a very short time using just their smartphone.

So next time someone says to you “I can just work from wherever I am, as long as I have my mobile phone and an internet connection,” I strongly suggest you challenge them to prove it. Because some things are a lot easier said than done.

Andy Osborne is the Consultancy Director at Acumen, and author of Practical Business Continuity Management. You can follow him on Twitter and his blog or link up with him on LinkedIn.