Monday, 20 May 2013

Business Continuity relationship with other activities

BC shares common goals and objectives with other management activities. When
John Bartlett CBCI, DBCI
implemented correctly and with maturity, BC can provide significant benefit through the sharing of key information and the prioritisation of activities.

The Business Continuity Institute (BCI), a recognised world leader in setting and communication best practices for BC, states that an organisation’s vulnerabilities in its business and operating model can be categorised into seven areas: Reputation, Supply Chain, Information and Communication, Sites and Facilities, People, Finance and Customers. It can also be argued that the categories of Technology and Processes should also be included in this list. Anything that can affect one or more of these categories can potentially disrupt the organisation and therefore should be reviewed and/or considered by the organisations BC.
That does not mean that the BC function should manage areas that could introduce a vulnerability under these categories, but it does mean that BC should perform a Quality Assurance and Governance role to ensure activities that could introduce vulnerabilities are being performed correctly, diligently and with the necessary controls. This will ensure BC remains a pro-active measure within the organisation as well as a reactive one. 
Looking at these vulnerabilities in a more depth allows us to build an understanding of their relationship with BC, and therefore some of the considerations required when conducting a BC risk assessment as well as performing the on-going BC management:
Reputation & Customers
Any activities that are customer facing (such as product or service quality and reliability, help desk, websites, branches, sales people, reception desks) could impact the customers perception of the organisation and therefore the organisations reputation and possibly result in negative publicity which would require management attention and could lead to more wide scale impact and disruption.
Supply Chain
Selection and management of suppliers is an important quality criteria, get it wrong and you place your organisation in jeopardy. Therefore due diligence of suppliers and confidence in their ability to deliver reliable, quality services and have their own risk management and BC in place (for continuance of services to you in the event of an incident is critical). Being able to monitor and measure supplier performance (quality and reliability) and ensure controls are in place will help identify issues early and enable proactive management before an incident becomes a crisis. This may require specific contractual clauses in supplier agreements. For BC, spreading key supplies across suppliers and identifying alternative suppliers will also help manage the risks.
Information and Communication
Ensuring that key information is identified (e.g. during the BIA) and has the necessary controls for safe and secure storage and retrieval, along with preservation will help ensure the information can be available if something goes wrong.
Communication is vital in today’s world of technology, maintaining contact details for key suppliers and staff, and maintaining contact even following disruption is critical. Problems often occur with communication links, so controls should be in place to protect them and alternative links or methods of communication which can be relied upon in the event of an incident should be in place (e.g. email, SMS, GSM, fixed line, data links, satellite links/phones).
Sites and Facilities
Building and site facilities are essential for the smooth running of organisations and numerous resilience options are available from UPS systems and backup generators to spreading occupation over multiple sites. However, the right controls should also be in place to manage and maintain the sites, conducting risk assessments before maintenance work is carried out, notifying stakeholders and ensuring that only authorised or appropriate people conduct work or have access to facilities. It should not be forgotten that BC recovery facilities require the same level of maintenance and control as primary sites.
People are sometimes referred to as the ‘life blood’ of organisations therefore it is important to develop resilience and protection for them. This should include implementing Health and Safety (HSSE) to protect their wellbeing, providing suitable training to remove single points of failure (knowledge), improve staff morale & job satisfaction to reduce staff turnover rates, ensure BC requirements are included in job responsibilities and performance measurement. Assessing these is all part of the BC risk assessment as they could contribute to significant risks in the organisation.
Financial due diligence of suppliers as a control helps protect the organisation. But BC also requires budget, without the right budget facility BC can itself become a risk to the organisation as information and facilities may not be available or maintained as required and therefore not available when needed following a disruption. Also, the information from the BIA should help prioritise expenditure on risk reduction and resilience for critical activities and facilities to help protect the organisation from disruptions.
Ensuring controls and resilience over technology and infrastructure is paramount in protecting an organisation and developing resilience. This should include regular backups of systems, maintaining IT DR systems in-line with primary systems, include BC and DR assessments in projects and changes, ensuring security and access controls are in place to provide protection, controlling and managing the desktop environment at normal and Business recovery locations, and ensuring focus on the critical systems identified during the BIA and CRA.
A breakdown in a process often results in a disruption to the organisation. Therefore processes should be designed with controls in place and wherever possible alternative methods for conducting an activity. All these should be documented with procedures to ensure consistency and enforce controls, and maintained.
All of the above should be regularly monitored by the BC function to ensure the controls are in place, being managed and being maintained as they should be. The BC function should have the confidence that this is happening and the capability of escalating any problems if they are not.
BC cannot be implemented and managed in isolation. It holds critical information (from the BIA, RA and CRA) on the organisation, its critical activities, systems, information and suppliers. This should be shared with other management activities such as Enterprise Risk Management (ERM), IT, procurement and Quality Assurance, helping to focus controls, ensure prioritisation on expenditure, projects, etc. and enhance risk reporting. Thereby helping to manage risk more effectively and ensure informed risk-based decisions are made, reducing the likelihood of disruption and level of impact if it does occur. This is the proactive nature of BC and where it will truly add value to any organisation. 

Friday, 17 May 2013

Embedding Business Continuity in the Organisation

John Bartlett CBCI, DBCI
Getting people to think about business continuity and include it in their daily lives is one ofthe most difficult and underestimated aspects of a business continuity programme, yet it can make or break the perception of how successful the programme is. It doesn’t matter how good your resilience and continuity are, if people do not know about it, what to do in an incident or how to maintain it, then you have failed to achieve some of the fundamental principles of implementing business continuity.

This requires communication in the form of education, training and awareness on your organisations business continuity at all levels: staff, management, Directors and key suppliers. Embedding business continuity in the organisation requires an organisational culture change. Organisational culture is often described as ‘the way we do things’, which can be broken down into a collection of shared values, working styles and patterns of behaviour, typically enforced by a set of strong social controls which establish behaviour and control the behavioural patterns. Industry experience has shown that behaviour change initiatives fail to achieve lasting commitment unless attitudes and beliefs are also engaged and corrected. One such attitude which occurs frequently as a barrier to BCM is: ‘it will never happen here’ or ‘it will never happen to us’. In 2003, when embarking on my first BCM project in Oman, I heard these exact comments when discussing BCM threats and risks relating to Cyclones, Hurricanes, floods, industrial disputes and civil disorder/strikes.
The extent of successfully embedding BCM into the organisation will be determined by the degree to which individuals change their behaviour, attitudes and beliefs. To measure and assess this we first have to establish a baseline for the level of current awareness. This helps develop a targetted training, education and awareness strategy and allow the measurement of change achieved through the program. This awareness assessment is similar to a Training Needs Analysis which comprises of:
  1. Identifying the current level of BCM awareness;
  2. Defining the desired level of BCM awareness;
  3. Understanding the nature and scope of the gap to be addressed between 1 & 2.
Once the gaps have been identified, it is a case of working out what needs to be communicated and the best way of doing it. This may also require some development in terms of the tools and techniques that will be used.
Embedding business continuity within the organisation is a battle of ‘hearts and minds’. People need to know what it is, what it does, what benefit it is to them and what could happen if it doesn’t work or is not maintained. The key messages that need to be delivered and understood can be summarised as the who, what, when, where and why of business continuity, the campaign (or project) will then define how these are best communicated. A key aspect is to ensure all the campaign activities are conducted in a clear, easy to understand and consistent manner so that no misunderstanding, mixed messages or confusion occurs.
Simply put, who is responsible for what when it comes to business continuity. This includes: 
  • What are the roles and responsibilities for establishing and maintaining business continuity?
  • What are the roles and responsibilities for investigating, invoking and revoking business continuity?
  • Who has ultimate accountability for the above?
The above information may be broken down by function, job title and/or individuals name, such as business continuity manager, department manager, internal audit, corporate communications, human resources, risk management, etc. It is also advisable to implement personal performance measurement criteria for each of these roles to assess whether these activities are being performed as required on an on-going basis. Lastly, there should be one named Senior Manager or Executive at the top level of the organisation who has accountability for business continuity.
This aspect should cover communicating what the roles will be required to do, such as maintaining BIA information, updated Business continuity plans, maintaining recovery facilities, updating IT disaster Recovery plans and facilities, conducting exercises and such forth. Each group of individuals identified above (in the Who section) will require specific briefing and clarification on what is expected from them in their business continuity role and how this relates to their day-to-day role.
In addition to the above roles, there will need to be an explanation to all the other staff to explain to them what they may be expected to do (for example, in the event of an incident await instructions from their manager or after a fire evacuation wait at the assembly point for instructions).
Having determined and communicated who is involved in business continuity and what they are expected to do, it is important to let them know when they are expected to do it. This will include timing requirements for reviewing and updating: 
  • BIA and recovery requirements;
  • Business continuity risks;
  • Business continuity strategy;
  • Business and IT recovery plans;
  • IT Disaster Recovery and business recovery facilities;
It will also be necessary to communicate how and when issues and problems need to be escalated, to whom, how they will be managed and who is entitled to make decisions regarding business continuity, IT Disaster Recovery and the issues/problems.
This part should communicate where people are expected to go in the event of an incident if business continuity is invoked. Should they go home, proceed to the business recovery site, meet at the nearest hotel, go to the IT Disaster Recovery site, etc. A clear plan of who may be required to conduct essential activities, when and where they will perform them should be communicated.
This is most probably one of the most important aspects to communicate. It needs to be individually relevant to each group identified above and each function. Individuals need to relate to the need for business continuity, the benefit it brings and the protection it provides.
This aspect will vary from organisation to organisation and covers the methods that can and will be used to communicate the information above, the tools & techniques, which may consist of: 
  • Posters;
  • Newsletters;
  • Computer Based Training;
  • E-Learning;
  • BCM awareness DVD’s;
  • Email briefings;
  • Verbal team briefings;
  • Awareness sessions;
  • Trips to the business recovery site and/or IT Disaster Recovery site;
  • Individuals involvement in testing;
  • Inclusion of business continuity in induction programs;
  • Management presentations;
  • A business continuity intranet site/pages.


Wednesday, 15 May 2013

Developing a response for the unexpected

The only thing harder than planning for an incident, is having to explain why you didn't.”
John Bartlett CBCI, DBCI
A number of organisations believe that, somehow, they are different and unlikely to experience or suffer from an incident, the “it will never happen to me” attitude. More often than not, they are wrong. No organisation wants to be affected by an incident or expects it, but that does not mean that they should not consider and plan a response in case it does happen. 

Developing and implementing a response to incidents and disruptions is at the core of Business Continuity. It can determine how your organisation is perceived and whether your business survives. It consists of ensuring the appropriate plans are developed and communicated; the required infrastructure and facilities are implemented to support the plans; and completing the necessary risk treatments to achieve the desired Business Continuity strategy defined and agreed (see previous article).


No matter what the incident or serious disruption, there are five overlapping stages of the response, each of which needs to be considered and included within the planning. These stages are:

Emergency – the immediate response and actions that should be considered and if necessary taken, for example evacuation of a building;

Incident Management – the management and coordination of a response to an incident, for example deciding priorities and communicating with stakeholders.

Continuity – the initial response to ensure that essential activities can continue at their minimum level (as defined in the Continuity Requirements Analysis).

Recovery – the actions and activities required to recover additional important activities and increase the essential activities up to a sustainable level above the minimum level.

Resumption – the activities and actions required to return the organisation back to its desired state of operation, which is considered to be “normal” operations. This stage is sometimes referred to as the “Return to normal” stage.

Within each of these stages, most organisations will need to consider activities that fall within either a strategic, tactical or operational context. These three levels should be considered and addressed for each of the 5 response stages above.


Once you have discussed and decided on appropriate responses for your organisation, the appropriate individuals to be involved in each context (strategic, tactical and operational) should be identified along with how decisions, actions and communication will operate between them. The responses and corresponding structure should then be documented.

The purpose of a Business Continuity Plan (BCP) is to provide guidance, not to be too prescriptive, detailed and complex. This will defeat its purpose, reduce the likelihood of it being used and make it time consuming to maintain. A BCP should include all the necessary and essential information, but be concise, accessible and easy to follow. There is no “one size fits all” definitive structure that is appropriate for all organisations, but there are numerous examples of BCP’s on the internet. The ones which are appropriate for you will depend upon your organisation. However, Business and BCM knowledge should be combined to determine the optimum Business Continuity response structure for your organisation, and each plan should have an owner, be regularly reviewed, tested and validated - then updated if necessary.

Within large organisations it is reasonable to expect there to be a number of different plans covering aspects of the recovery stages, for example a Crisis/Incident Management Plan, Business continuity/recovery plans for each department, IT disaster Recovery plan and a “return to normal” plan. These may be complimented with specialist plans or procedures to deal with different types of incident such as evacuation, product recall, stakeholder/media communication, social media management, pandemics (not to be confused with specific threat scenarios). Within small organisations or SMEs, a number of these plans may be combined together.

Infrastructure and facilities

All Business Continuity responses and strategies will require resources, including people, infrastructure and facilities, whether the strategy is to operate from someone’s home, or commercial premises. Someone will need to do something and will need to use something to do it. The BIA and CRA previously undertaken will identify the essential items required and how quickly they are required; the agreed strategy will define how they should be provided. The essential part in planning and implementing the response is to ensure these requirements can be provided when needed, and the necessary provisions are implemented and tested to ensure this can happen.

Technology is at the core of most businesses these days and most organisations struggle to operate without it. Whether it be a large data centre with multiple, complex servers, data storage and communication links, or whether it is simply a GSM, laptop and internet connection. Developing a response, includes implementing the strategy for technology and proving its capability to support the business during the response stages. This may be spare GSMs, a backup data centre, replication of data storage, spare maintenance parts, additional supplies of PCs, laptops and printers or duplicate communication links.

In addition to the technology, people require somewhere to work and facilities to assist their working. This is true of a Crisis/Incident response team and also the people required to continue essential business activities. Facilities may include office space, desk, chair, telephone, fax, photocopier, filing cabinets and such forth. If the organisation is involved in manufacturing, there may also be a requirement for plant and machinery. These should be identified and provisions implemented to ensure they can be available when required.

Risk Treatment

As part of achieving the desired and agreed business continuity strategy, it is important that the agreed treatment for business continuity risks have been implemented, thereby reducing the likelihood or impact if certain incidents or disruptions do occur. The response plans should integrate into the risk treatment plans and ensure methods are implemented to identify when a risk materialises and the point at which escalation is required in case it develops into an incident or disruption which requires activation of part or all of the response plans. The risk treatments should also be regularly reviewed and monitored to ensure they are still appropriate and achieve the desired results.

Tuesday, 14 May 2013

Not what it seems

I was walking my dog, Barney recently when someone stopped to say hello. To him, not me – he’s always the first one that people talk to, I can’t think why. “I love Springer Spaniels”, she said, when she eventually acknowledged my presence, “in fact I have two myself”. 

Andy Osborne
Consultancy Director, Acumen
Author of Practical Business
Continuity Management
"Actually he's a Field Spaniel" I replied, to which she asked "are you sure? He looks like a Springer".
I pointed out that whilst his markings are quite Springer-like, Field Spaniels are generally a bit shorter, a bit stockier and a bit squarer-faced than Springers (and a tad more expensive, but I kept that one to myself as I thought she might take it the wrong way).

“Oh” she responded, “he does look like a Springer though”.

This conversation isn’t at all unusual. In fact it’s quite a regular occurrence. On a slightly different, though related note, when my kids were quite young, a similar(ish) thing used to happen with monotonous regularity. They looked quite alike to the casual observer and would sometimes be mistaken for twins. That in itself was fairly understandable I suppose, but we’d occasionally have some bizarre conversations as a result.

One day my wife was in a local supermarket, with both boys in tow. At the checkout the woman behind her asked if they were twins. ”No, there’s twenty months between them”, my wife replied.

“Are you sure?” asked the woman, “they certainly look like twins”.

“No, they’re not twins” my wife replied, but the woman was having none of it and continued to dispute my wife’s assertions. Somewhat exasperated, Mrs Oz said “Look, I was there at the birth of both of them and I’m pretty sure I remember. They definitely aren’t twins.”

At which point the woman turned to the checkout operator and said “Would you say they’re twins?”

In a similar vein, it’s very easy for the uninitiated to assume that something that looks a bit like a Business Continuity plan actually is one. After all, it says ‘Business Continuity Plan’ on the front cover and it seems to have the sort of information in it that you’d expect to see.

But sometimes you have to look past the superficial bits to get to the reality. Sometimes, when you dig a bit, it becomes apparent that what, on the surface, is a convincing looking Business Continuity plan doesn’t actually have any substance to it – perhaps because it’s based on assumptions that have never been validated (or are just plain wrong); or because despite the fact that it contains lots of names and ‘phone numbers, those named have little if any awareness of the plan or their roles and responsibilities within it; or because it’s never been tested; or because it’s full of holes. Still, it looks a bit like a Business Continuity plan so it must be one, mustn’t it?

There’s a saying that goes something like “if it looks like a duck, walks like a duck and quacks like a duck, it’s probably a duck”. Which may well be true. In fairness though, there’s really no mistaking a duck. But if it looks a bit like a Springer, walks a bit like a Springer and barks a bit like a Springer, it might just be a Field Spaniel. And just because two kids are about the same height and both have blonde hair it doesn’t necessarily mean they’re twins.

…And just because a document looks a bit like a Business Continuity plan it doesn’t necessarily mean it really is one.

If you would like to find out more about how to write a Business Continuity plan, the BCI offers a one-day training course entitled "Writing Business Continuity Plans".