Tuesday, 23 April 2013

A bumpy landing

I've just finished doing one of those straightforward "I'll knock that off in a day or two" type
Andy Osborne
Consultancy Director, Acumen
Author of Practical Business
Continuity Management
jobs. It only took me seven days. Over a period of four and a half weeks. The last stint used up pretty much the whole of my weekend. As a result, I now have the backache from hell, serious hockey withdrawal symptoms and a bad case of boarder's knee. That's floorboarder's, rather than snowboarder's, knee by the way - I don't think they suffer particularly from sore knees, although most of them must suffer terrible frostbite of the derrière from all that sitting in the snow, but that's another story (see "

Anyway, the straightforward little job in question was replacing the floorboards on the landing at chez Oz. It's not as if it's a big landing or anything. Neither should it have been particularly tricky. Yes, there are a few corners and a couple of nooks and crannies but nothing particularly complicated, particularly for the seasoned DIY virtuoso I modestly consider myself to be.

No, the problem was that someone had been there before me. Several someones by the look of it. Our house is a hundred-and-something years old, so I sort of realised that some alterations had been done over the intervening years. In fact I've come across several examples of previous owners' "improvements" as we've worked our way through it making our own alterations - most of which slowed things down or bumped up the costs, or both. So why I thought this little job would be any different is beyond me.
I'll spare you the anoraky details - suffice it to say that most of the time was spent putting right someone else's efforts, which exercised my plumbing, electrical, joinery and metalwork skills as well as my general DIY ability. And my sanity.
I don't know about you, but in my experience it's all too often a similar story when updating someone else's business continuity plans. What should be a straightforward job turns into a monster undertaking because someone without the necessary skills or experience has had a go.
One of the most common findings is that the plans contain all sorts of "stuff" - anything and everything even vaguely related to business continuity that the well-meaning but inexperienced DIY-er could find and has enthusiastically, though somewhat misguidedly, pounced on in a frenzy of copying and pasting. The result is a document filled with all kinds of superfluous padding, from fire evacuation procedures to standard operating procedures to the contents of the yellow pages.
More important, however, is the usual accompanying lack of any proper analysis or strategy, let alone any training or awareness raising or exercising and testing. In other words, the business continuity equivalent of the useless and, in some cases, slightly dangerous contents of the void under my landing floorboards.
DIY can sometimes save money in the short term. Longer term, however, it can be quite costly to put right someone else's mistakes. There are, therefore, occasions when it's sensible to get some expert help rather than simply having a go yourself.
My next straightforward DIY job involves more floorboarding - this time the bathroom. Still, It's not a huge bathroom - I should be able to knock that off in two or three days tops!
Follow me on Twitter
Read my blog 

Link with me on LinkedIn 


Monday, 22 April 2013

Debate Unlimited – A glimpse into the Executive Forum

With this year’s Executive Forum running on 12th and 13th June in Brussels, it seems a good

Lee Glendon CBCI
Head of Research & Advocacy
time to look back at the two earlier Forums.  What does happen when 600+ years of BC experience converges on Brussels each year for two days?

As a recap, the purpose of the Forum is to generate informed debate among experienced BC professionals wrestling with ideas about the strategic direction of business continuity, while keeping a firm eye on what is achievable within a real organisation.
Perhaps, the two most memorable ideas that emerged from the 2011 Forum, was that ‘business continuity is not about compliance, it is about embedding resilience through silent running’ and secondly that a key benefit of BC was to identify and prevent ‘sideways bleeding’.   
The debate on compliance started with an academic view that BCM was about compliance:  BCM had become a discussion, which assumed that you can stop things happening if only people followed the rules; BCM lacked emotional intelligence and was seen as a tax on people’s jobs in some organisations; and standards weren’t helping either as they were based on bad organisations and stifled creativity.  With the gauntlet firmly thrown down, an electrifying discussion ensued which ultimately led to the conclusion that BC should actually free-up minds, as it actually assumes that things do go wrong!  While it was acknowledged that ‘tick-box’ might be the starting point for BC, it is not the final destination. There is a need to develop a roadmap and engage and sustain the interest of top management to realise the full potential that BC can bring.
As part of the debate on compliance, there had been extensive discussion around whether BC should look for value add, let alone articulate the next step of what the value would be.  Some asserted that BC was not about helping the financials and in the short term it was a cost, and others argued that adding value is not the same as stopping failures from bringing down the business.  Some questioned whether raising the ability of the organisation to respond to incidents before a major disruption occurred was adding value or capability.   In a sign of conversations to come, one delegate felt that the value add of BC was to be found in facilitating the mission of the organisation and its contribution to the sustainability of the organisation.
The ‘sideways bleeding’ idea came out of a workshop discussion where one participant articulated that external strategy consultants had been retained by their top management to bring about significant cost reductions.  The consultants advocated a vertical approach to securing the costs savings in IT.  The BC team could see the consequences of this initiative as the savings secured in one area of the organisation were effectively nullified by increasing costs and productivity losses in other areas.  This generated a healthy debate about the service that BC professionals should be offering their organisation – while the operational level BC service may be well established in many firms, what would a strategic level service look like?
The 2012 Forum picked up the challenge of defining the strategic level service and identified its key components from developing a centre of excellence in contingency and continuity to engaging top management through crisis response and focusing on the risks that concern them through exercising and scenario analysis.  Value measurement became a hot topic of debate with a very blunt statement from one delegate that reporting to executives that you were doing the job they pay you to do was not ‘adding value’ and BC professionals should take advantage of reporting structures to articulate the value that BC could bring beyond what was expected i.e. compliance to regulations.   Two areas dominated subsequent discussions:  supply chain resilience and horizon scanning.
The academic re-framing of supply chain complexity in terms of layers and networks rather than supply chains was brought to life over the two days with examples ranging from overlooking single points of failure beyond tier one suppliers to unforeseen cascading risks at the logistics level.   One organisation highlighted how its ability to maintain its supply chain during the Arab Spring - through preparedness and enhanced security - secured increased market share.    Supply chain risk was confirmed by all as one risk that can raise the profile and relevancy of BC.  But where should you start?   The advice was to use your analytical skills and look for single points of failure and examine outsource deals; from here you can offer to run an exercise and see what you learn – you may well highlight unknown vulnerabilities and win the mandate to bring in BC.
Horizon Scanning was seen as both a technique to change the conversation with executives from general loss scenarios to a more engaging discussion of specific threats and their strategic consequences.  It was seen as an essential source of developing a situational picture to improve not just the response to events but anticipation of events as well.  The ‘BC radar’ was introduced as an accessible model to set requirements for capability development and ensure readiness in the right areas.
Finally, in 2012 the Open Forum sessions were brought into the programme.  Here delegates proposed and prioritised seven topics of their own choosing to take advantage of the collective experience and expertise of fellow delegates.  Topics included the establishment and composition of ‘resilience councils’, the synergies between BCM and Security disciplines, and Eurozone contingency planning.  For those who take a look at the 2013 programme they will see that some of these topics are going to be developed further this year.
The Executive Forum is a rather unique event:  it seeks to bring together best practice from within the profession while drawing on inspiration from outside.  Participants leave refreshed and invigorated, ready to march towards the sound of gunfire!
The Reports from the 2011 and 2012 Forums will be available to purchase from the BCI Shop in May 2013.
To find out more about this year’s Forum please visit the BCI website: http://www.thebci.org/index.php?option=com_content&view=article&id=379&Itemid=293

Tuesday, 9 April 2013

Exercising, maintaining and reviewing BC

John Bartlett CBCI, DBCI
Once you have established your business continuity requirements and put in place plans, facilities and resilience to defend the organisation against disruptions and incidents, these need to be proven and kept current as the organisation changes. This is the hardest aspect of most business continuity programmes and where most organisations fail to protect their investment in establishing this level of organisation protection.
Exercising (or testing) plans and facilities is an essential aspect to ensure they meet the organisation requirements and work as required. Therefore exercises should be conducted on a regular basis, at least annually and should be based upon realistic scenarios, incidents and disruptions. The main benefits and reasons for exercising include:
  • Validation of business continuity plans;
  • Providing education, training and awareness to those with business continuity roles and responsibilities
  • Confirmation that the required RTOs and RPOs can be achieved;
  • Identifyting preparation or resresilience aspects that require enhancement or improvement (due to changes, such as facilities, technology, information or communication links);
  • Providing reassurance that the plans and facilities work as required and demonstrating resilience or recovery capability
There are international standards (such as ISO 22398) which provide guidance on conducting exercising and testing. However, prior to conducting any exercises it is important for the organisation to consider a number of aspects such as the cost of the exercise, any potential disruption to normal activities, any risks that the exercising may introduce to the organisation and the type of exercise that should be conducted (desktop check, simulation, unit or system test, partial rehearsal or full rehearsal).

The simplest process follows the Plan Do check Act (PDCA) model. Whereby the exercising is:

PlannedThe scope is defined, resources identified, risks evaluated, scheduled and communicated in preparation;
DoneThe exercising is conducted in accordance with the plan, preferable with some independent evaluation and notes are taken on timing and any issues or observations to make improvements; 
CheckedThe results of the exercise are reviewed and checked to ensure business continuity, RTO/RPO and resilience requirements were met, any actions identified for follow up and an exercise report produced;
ActedThe actions from the exercise are followed up, tracked and validated to ensure they are addressed and any issues/risks identified are addressed.

An important part of conducting exercising is to ensure the right people are involved and there is suitable business engagement to plan and conduct the exercises. For IT disaster recovery tests this is vital as any testing may introduce risks to production systems and recovery should be validated and verified by the business to ensure it provides the required functionality and data in the required timeframe. Ensuring exercising is conducted correctly and at the right frequency will help ensure the business continuity environment requires minimal amendments, configuration and purchases upon invocation and therefore avoids delays upon invocation.


Organisations constantly change, whether it is people, technology, processes or products and services. Therefore business continuity information, plans and facilities also need to be changed (to ensure they also remain current). Any change within the organisation should be assessed and evaluated to identify whether it affects the organisations ability to continue or recover.

Often organisations do not realise that by changing business priorities or implementing business strategy (e.g. introducing new products or services, or implementing projects to improve performance, processes or reduce costs) that they may alter the Business Impact analysis, continuity requirements and RTOs/RPOs as dependencies and priorities within the organisation may change, thereby invalidating the business continuity facilities, plans and capability that has been implemented. 

Therefore, the easiest and best method for ensuring a continued capability for business continuity and resilience is by including a business continuity impact evaluation as part of any change. This requires a strict change control and change management processes within the organisation, whereby all changes are recorded and evaluated, and the change processes are strictly adhered. This should include all projects, programs and strategic initiatives and will then also help to identify the true cost of these, rather than identifying additional (separate) business continuity costs later. 

In addition to maintenance and review as part of a strict change process, organisations should also regularly review (at least annually) business continuity information, plans and facilities to ensure these remain current, and review these as a matter of course after conducting exercises. It is very easy for information such as staff telephone numbers and supplier contact details to get out-of-date very quickly. 


Conducting a review of your organisations business continuity arrangements is essential to ensure it has been implemented correctly and appropriately. There are two kinds of reviews that can be conducted, either assessments or audits.

Audits – Verify the business continuity process has been followed correctly, not that the solutions adopted are necessarily the correct ones. Audits can be conducted internally or externally.

Assessments – Review the process to ensure it has been defined and adopted correctly, that it has been applied in an appropriate way within the organisation and (normally) that the solutions adopted and implemented meet the requirements identified. Either self-assessments can be conducted (if the necessary skilled, experienced and qualified people exist internally) or can be conducted by an independent business continuity professional (recommended).

Audits and assessments should be conducted against recognised industry practices and if appropriate, industry standards and will normally ensure:
  • Business continuity policy is defined and contains sufficient appropriate detail;
  • The business continuity policy is being implemented;
  • Sufficient resources and budget have been allocated for implementation and on-going management;
  • Appropriate business impacts, recovery requirements and strategies have been identified;
  • Risks have been identified, recorded and are being addressed;
  • All processes, products and services have been considered and assessed;
  • Ensure the right (defined) facilities, technologies and information is available in the required timeframe upon invocation;
  • Plans, facilities and technology for recovery are being maintained in-line with organisation changes;
  • Roles and responsibilities have been communicated and are being discharged;
  • Suitable and appropriate monitoring and measuring is in place, such as Key Performance Indicators (KPIs);
  • Suitable mechanisms are in place to identify/report incidents and invoke business continuity arrangements;
  • Appropriate business continuity governance and reporting is in place and involves the right people. 


BCI Physical Workshop
Would you like to find out more about how to plan and run an exercise programme or how you can invigorate or  inject new life into an existing programme? 
The BCI is running a workshop dedicated to this topic in Manchester this month:

BCM Exercising Planning Workshops

Wednesday, 24th April 2013: Planning and Running an Exercise
Thursday, 25th April 2013:Invigorating your Exercise Programme
Type: Physical (Delegates can choose to attend both or just one of the sessions)

BCI Member Rates apply.

Monday, 1 April 2013

Meeting the Supply Chain Complexity Challenge - Part Two

Lee Glendon CBCI
Head of Research and Advocacy
Having identified some of the drivers of complexity in supply chains in the first part of the roundtable report, how are organisations dealing with the challenge?
In dealing with the challenge of multiple tiers in the supply chain, there was common agreement on the need to gain better visibility but divergence of approach in practice.  Some organisations were looking at better methods to manage tier two supplier relationships, while others recommended that the best approach was to work with tier one suppliers and get them to work with their suppliers in turn.  In the case of one large retail organisation, they worked through their supply chains to the source applying a consistent code of expectation in terms of product quality and integrity throughout.  It was recognised that this was a very resource intensive process. However, it was an embedded practice, so for them it was not a case of having to justify the investment each time; an enviable position in the eyes of most of the roundtable participants.
The discussion moved on to the challenge of managing 10’s of thousands of suppliers and there was consensus on the need to focus efforts on key suppliers and key supply chains.  It was recommended that filters are applied to provide focus – these filters should be based around criticality in the sense of ‘would failure of this supply chain quickly stop my organisation from being able to carry out its key activities, and how quickly could they be replaced’ and secondly around risks or threats that might cause disruption, such as the supplier’s financial profile, the health of the industry in which they operate, their locations and consequent exposure to risks as diverse as flooding, earthquakes and geo-political instability.   These filters help generate a ‘shorter-list’ to scrutinise.  Another approach favoured by many at the roundtable was to use procurement ‘category management’ to breakdown suppliers into common supply groups and then perform risk profiling on this basis.
For those suppliers identified as key to the organisation, the favoured approach was to seek to build closer relationships at executive and operational levels with the objective of improving communication and co-operation and thereby reduce the number of ‘surprises’.  For one organisation, this took the form of running workshops on business continuity and running joint exercises.  Toolkits were provided free of charge and their business continuity plans were shared to help get alignment.  They would also recommend that supplier staff joined institutes such as the BCI to develop capability and drive programme improvement.  Interestingly, one of the unintended consequences of this deepening of the relationship, is the difficulty of exiting such relationship, as it would mean investing a considerable amount of time bringing on board a new supplier to get to the same level of understanding.
Some organisations were concerned about being overly onerous on their supply network, especially those operating in sectors where there are a limited number of suppliers.  One person noted that they had experienced suppliers not wanting to do business because the compliance requirements did not make it worthwhile.  In such cases, purchasing organisations are co-operating to reduce the burden on their suppliers through articulating common requirements.  
Following a good discussion on approaches to deal with the consequences of increasing supply chain complexity, the ‘wish list’ of participants included the need to gain a better understanding of ‘what supports the supply chain’ and mapping out supply chain networks.  Others were looking for a more dynamic set of indicators that would flag signs of difficulty and an impending risk event in the supply chain.  Another felt that there was a need to consider ‘profit impact’ rather than spend in identifying key supply chains.  While one delegate felt there was a need for procurement to drive risk conversations with suppliers and ensure due diligence had happened.  In this last respect CIPS is planning to develop a number of educational and training resources to support development of its members to meet the challenge.
The final thought from the discussion should go to the ‘what’s the return on investment’ question when it comes to investing in supply chain resilience.   For one major organisation top management evaluates the value of investment in resilience in terms of how well it prevented a problem and how well the organisation come out of it.   Quite simple really. 

Vision Therapy - helping you to see more risks

Ken Simpson, Director
The VR Group Pty Ltd
Thank you all who joined my BCAW webinar, Vision Therapy - helping you to see more risks. I try to make my webinars as interactive as possible, using polls and other techniques, and following up with a post such as this to share any interesting results of the polls and pose some additional questions for people to reflect upon. 
In keeping with the theme for BCAW 2013 my presentation argued that there are those risks we see, those we don't see (because we are not looking or because we refuse to recognise them) and then there are those that you cannot see - which are the Black Swan events. My argument was that there are perhaps less Black Swans than we think and more of the events we don't see because we don't look and recognize the threats and vulnerabilities. 
The concept of the 'Black Swan event' has become part of the language of BC. If we want to understand this concept we should at some point read how it was originally proposed, rather than rely on how somebody else filtered those words. I posed this question to the audience;