Wednesday, 3 December 2014

Horizon Scan 2015

Unplanned IT and telecoms outage, cyber attack and data breach – these were the three main threats to organisations according to the Business Continuity Institute's Horizon Scan 2014 report, but other threats are on the rise such as adverse weather, human illness and transport network disruption. Of course it varies depending on what sector you’re in, where you're geographically located and how big your organization is.

The annual Horizon Scan report, sponsored by BSI, is one of the main pieces of research conducted by the Institute as it provides an insight that those working in the profession can use to inform their own business continuity programme. The Horizon Scan report continues to receive great feedback from those who use it, but it only provides value if people take the time to complete the survey.

The BCI is now asking business continuity professionals and those working in the wider field of organizational resilience to take just a few minutes to complete the Horizon Scan 2015 survey and share your thoughts on what you think the biggest threats are that organizations face.

To complete the survey, click here. You can read the Horizon Scan 2014 report by clicking here.

Tuesday, 2 December 2014

Organizational resilience: Creating more value for BC practice

Resilience is fast becoming an industry buzzword which reveals underlying changes in the way practitioners view business continuity and other ‘protective disciplines’ such as emergency planning, risk management and cyber/physical security. From the development of clear boundaries which separate disciplines in the last decade or so, work is now underway to bring these fields together into a framework of organizational resilience. However, more than just thinking about it merely as the sum of ‘protective disciplines’, organizational resilience is thought of as a strategic goal that must be driven by top management. The quality of resilience is rooted in a series of capabilities that allow organizations to get through bad times (continuity) and thrive in good/changing times (adaptability). Organizational resilience involves a coherent approach ‘from the boardroom to the storeroom’ that requires strong governance and accountability among other ‘soft’ factors.

In the UK, this development in thinking culminates with the recent launch of the new British Standard 65000 (BS 65000) which outlines the principles and provides guidance behind organizational resilience. This parallels the development of global guidance on organizational resilience or ISO 22316 which is due on April 2017.

The Business Continuity Institute realises the value of BS 65000 and the thinking that comes behind it. It affirms its premise of strengthening the collaboration among ‘protective disciplines’ in order to create a coherent approach to achieving resilience. Business continuity as a discipline has resilience at its heart and the BCM Lifecycle explicitly relates to building resilient organizations. In participating in the ongoing development of organizational resilience, the BCI makes a positive case for the ‘protective disciplines’ and enabling top management buy in into our work. It also makes practitioners responsible for resilience more visible to top management, taking their work as a matter of strategic importance to the organization.

The BCI sees itself as a constructive partner in developing organizational resilience. The latest Good Practice Guidelines address organizational resilience and its relationship with BC. Our colleagues in the BCI such as Deborah Higgins MBCI, as well as our members, have been participating in the development of BS 65000 by representing the views of practitioners. Institute events such as the recently concluded BCI World Conference have also touched upon the various aspects of the organizational resilience debate.

From the thought leadership side, the BCI is committed to developing the literature behind organizational resilience and create resources that will be beneficial to the general practitioner community. Our recent working paper ‘Conceptualising Resilience’, written months before the launch of the standard, is an introductory view of then existing literature in organizational resilience. We are aware that this work has barely touched the surface of this field and we are committed to producing more work that delves deeper into the subject.

More importantly, the BCI 20/20 Think Tank – which now has working groups in the UK and Australasia – is considering how organizational resilience will impact future BC practice. We have had several fruitful meetings this year and work is underway to produce research output in 2015. This serves to complement existing literature and encourage debate leading to better practice.

We believe that resilience is more than just a buzzword and it may possibly herald changes in the way we practice our profession in the future. It is essential therefore that we remain at the forefront of these changes and discover how these developments will create more value to our work.

Patrick Alcantara Patrick Alcantara is a Research Associate for the Business Continuity Institute who joined after finishing a Masters in Lifelong Learning with distinction from the Institute of Education (University of London) and Deusto University.

Wednesday, 26 November 2014

BCI World Conference and Exhibition

Ever reacted to something quickly and soon regretted it? That is our Inner Chimp controlling us and sometimes there is nothing we can do about it. That was the message from Prof Steve Peters during his keynote speech at the BCI World Conference. Psychology plays a major part in business continuity and sometimes you need to take into account that people don’t always respond the way you would like them to, or in a way they would like to.

In the second keynote speech of the conference, Martin Fenlon – Business Resilience Coordinator at the Houses of Parliament, told us of the challenges he faced in ensuring resilience across a highly independent and disparate organisation. Of course it’s a very British organisation, so in the event of a crisis, as long as someone is making tea then all is well. It was particularly appropriate for Martin to be speaking on the 5th November as this day marks the anniversary of when Guy Fawkes attempted, and failed, to blow up the Houses of Parliament.

Over the two days, many speakers educated us and enlightened us about different aspects of business continuity. Whether it was new research such as the BCI’s Supply Chain Resilience or Emergency Communications reports; insight into some practical application of business continuity, for example how to deal with the Ebola crisis; or whether it was developing a greater understanding of the theoretical aspects of business continuity such as how to write a BIA; there was something for everyone.

Day one of the conference ended with the Gala Dinner and Global Awards ceremony at the Science Museum. Well done to all our winners in the nine categories of the Global Awards, those whose contribution to the industry was recognised above all else, and congratulations to everyone who was honoured on the night. A full list of winners can be found here.

One of the main talking points of the conference was the debate about whether business continuity can only ever be subservient to risk management as the top thought leaders from both sides of the industry battled it out. In the end it was a home win for business continuity and the motion was voted against but there were certainly plenty of interesting discussions on the matter. The general consensus however, was that those working in business continuity, risk management or other related fields need to collaborate more in order to improve organisational resiliency.

Organisational resilience has become a common theme in many of our discussions lately and we were fortunate to have Richard Taylor from BSI announce the new Standard on this very topic which is being published on the 27th November. This was followed by Dr Rob MacFarlane from the Cabinet Office who talked about resilience in practical terms, looking beyond just individual organisations but wider communities.

As in previous years, the BCI held a BC clinic, hosted by experienced practitioners, for people to ask their BC related questions and get advice that they can take back to their own organisation and implement.

To finish off the conference in style, Crisis Guardian hosted a game show whereby those working in the industry were given the chance to answer questions with the top three being invited on stage for the grand final. Demonstrating the international flavour of the conference, this was fought between an American, an Australian and an Italian. Ultimately the winner was Chris Miller whose baggage allowance for her trip back down under was put in jeopardy by her shiny new trophy.

Thank you to everyone who came along and made the conference the great success that it was. Exhibitors, presenters and delegates all contributed to this and we look forward to welcoming you back to the London Olympia next year on the 4th and 5th November.

Wednesday, 19 November 2014

Business continuity planning according to Paddington Bear

In just a few weeks the latest blockbuster movie to hit our screens will be released at the cinema – Paddington Bear. This is the story of a well-meaning Spectacled Bear with a fondness for marmalade sandwiches who made his way over to England from Peru and was adopted by the Brown family who named him after the station he was found in.

But what has this got to do with business continuity? When arriving in England, Paddington probably wanted to write to his family and let them know he arrived safely, but had he done so then his letter would soon have been returned to him with a polite note from Royal Mail saying that they weren’t even going to try posting it. Why? Because Peru was going through a lengthy postal strike that had left such a backlog that it would take many months to recover from.

Peru may be an extreme example but postal strikes happen in many countries all the time and if your organisation is reliant on the postal service then it could cause a major disruption to you and your customers.

Of course it’s worth noting that according to the Business Continuity Institute’s latest Horizon Scan Report, industrial disputes are not something that provides most business continuity professionals with any concern. In the survey that informed the report, only 21% of respondents expressed concern or extreme concern at the prospect of an industrial dispute causing a disruption to their organisation. Perhaps they were thinking more of their own employees taking industrial action rather than the consequence of a supplier’s industrial action.

It does make you consider just how reliant you are on the postal service, or any other service for that matter. Despite tending to use email and other forms of electronic communications, there are still times when we rely on ‘snail mail’. The main example is that, with many of us leading such busy lives, we often turn to goods and services that are delivered direct to our door. The rise in electronic communications has also seen the rise in online shopping so if you are a retailer then a postal strike could have a devastating impact on your business.

It is therefore worth thinking, what would you do if the postal service was no longer available to you, what are the alternatives? How would you deliver to your customers or receive goods from your suppliers?

Fortunately for Paddington, Mr Brown had a telephone so he was able to phone home instead and let his Aunt Lucy know he had arrived safely.

Tuesday, 4 November 2014

Business continuity importance to an integrated view when assessing critical infrastructures

As result of EDP Distribuição's responsibilities, its involvement was required in Portuguese efforts to comply with the European Council Directive 2008/114/EC, on the identification and designation of National Critical Infrastructures (NCI) and the assessment of the need to improve their protection.

EDP Distribuição is the Portuguese mainland Distribution System Operator, serving over 6 million customers in a regulated business with clearly defined responsibilities, being the holder of the concession to operate the Distribution Electric Power Network in Medium Voltage and High Voltage, and holding municipal concessions for the distribution of electricity in Low Voltage.

With EDP Distribuição under having responsibility for several assets and systems which are essential for the maintenance of vital societal functions - health, safety, security, economic or social well-being of people, the challenges were many. The selection of a manageable number of assets from a set of more than 400 main premises, the identification of their major threats and vulnerabilities, and writing down their emergency response procedures, were some.

With EDP Distribuição’s Business Continuity Department coordination, an integrated view of the organization was possible, enabling the address of critical infrastructure in the perspective of personal safety, facility security and information security, involving several departments from operational ones (Maintenance and Dispatch) to support departments (Automation & Remote Control, Information Systems, Health and Safety).

The key points and the key learning points we plan to cover in our presentation are:
  • Identification of major threats, vulnerabilities and cross-business risks for each NCI typology;
  • Development of risk assessment methodology in safety and security aspects and;
  • Application to each distinct vectors: people, facilities, system and communications;
  • Definition of emergency response procedures and supporting chain command enabling effective risk mitigation;
  • Upgrading the organization resilience through the implementation of this PDCA process.
Maria Luisa Pestana will be discussing business continuity importance to an integrated view when assessing critical infrastructures on day one of the BCI World Conference and Exhibition on Wednesday 5th November. You will find her in seminar room 2 starting at 13.10.

Friday, 31 October 2014

Resource-based contingency planning – an alternative approach to ISO22301 certification

Business continuity is, especially in the Anglo-American world, not that much a new concept. Being not new also means that it probably is due to be redesigned. Since the inception of Business Continuity Management in the late 80s and early 90s of the last century, the world has changed quite a bit. The main concepts, procedures and processes of BCM however have not changed that much in the past 25 or so years. We are still talking PDCA, we are still talking process-based business impact analysis, we are still trying to do the work of risk managers with our task in the fields of operational and reputation risks. We still have the BCM Lifecycle.

Those who are practitioners in the profession may have already realized that the theoretical strategies and tactics as outlined by the BCM Lifecycle approach may not always meet the needs and possibilities of an organization seeking to implement BCM. The business impact analysis for instance needs processes, since it aims to operationalize the damage because of failed process. But, which organization does have a complete and operationalized process document which allows it to just sum up losses and damages along process chains? And, how can the BCM organization define the so-called BCM-Strategies when they haven’t even asked the business what they think they need as workarounds to cover a resource which was lost or damaged because of some crisis situation?

Here we already have the word, what this presentation is about: Resources. What I do call resource-based contingency planning is actually not just contingency planning, but part of a new approach to business continuity, which offers an alternative to the BCM Lifecycle. In the first part of the presentation, I will briefly introduce this system, which covers all parts of what we know is demanded by the BCM Lifecycle, however in a quite different sequence and with partly completely different methods and tools, and which addresses all controls of the ISO22301 standard.

In the few minutes I have for the presentation, I cannot go through the complete methodology what I call resource-based business continuity. I only show a core part of it, one of the 15 deliverables and work objects of a business continuity management system – the business continuity plan, the probably most important one of five different plan types which need to be created for a complete BCMS (the others being the disaster recovery plans, the emergency and rescue plans, the crisis communication plan and the crisis management plan).

The most astonishing part of these BCPs may be the inclusion of a risk assessment as a part of this plan. The risk assessment, being a core element of ISO22301 requirements, is no longer a work package of its own, but an integral part of contingency planning. The reasons for this, and why this makes much more sense than to emulate the work of a risk manager prior to actually planning for catastrophes, will be given in my presentation. The same by the way, is true for the identification of critical suppliers and clients, which also is done in the course of discussing and deciding on a workaround in the case of the loss of a critical resource.

However, in the title of my presentation, you find the most important difference between the BCM Lifecycle approach to business continuity compared to what I am doing. Where the lifecycle’s objective and basis of action and contingency planning is the business process, in my world it is the resource. One does not need the availability of documented and operationalized business processes to implement a BCMS, but only knowledge about what resources an organization has. And, differently from processes, this bit of information is most often readily available, and if not, can be created without much work.

With the presentation, I will provide a view into a core part of an alternative approach to ISO22301 certification, which delivers some novel ideas how to structure a contingency plan, how to identify critical clients and suppliers, and how to identify and assess operational risks. And if you pay attention, you might get an idea, why this approach to implement business continuity allows for applying for certification some six months after start of the project already, and why this approach reduces the cost of BCM between 50% and 80%.

Rainer Hubert will be discussing ISO22301 further on day two of the BCI World Conference and Exhibition on Thursday 6th November. You will find him in seminar room 1 starting at 13.10.

Thursday, 30 October 2014

Becoming certified to ISO22301 - what NOT to do! (Why auditors get grumpy!)

Tip number 1: The lack of a regular supply of good quality biscuits is the first non-conformity!

Looking forward to my presentation at 13:10hrs on November 6th in seminar room 2 of the free exhibition part of this year’s BCI World Conference and Exhibition. I realise that there are many BC practitioners who, although practiced in the creation and maintenance of a Business Continuity Management System (BCMS), have yet to seek certification to a standard. Additionally I recognise that others may have only assisted in achieving certification and even those though certified constantly struggle with a stream of nonconformities found by external auditors and which if left unresolved threaten the organisations certification.

During the past three years I have been working as an externally contracted assessor and ‘Technical Specialist’ with one of the top assessment organisations in the world who, via audit, assess companies for the suitability of their BCMS for certification to initially the BS25999:2006 standard and subsequently its replacement ISO22301:2012. Over this time I have been fortunate to audit the BCMS of around 100 companies by pre-assessments, Stage 1, Stage 2 and Continuous Assessment Visits (CAV’s).

Fellow practitioners sometimes ask me if I get bored with assessing to the same standard day after day. Fortunately this is not a problem as although the same standard no BCMS is alike and understanding the multiple ways of constructing a BCMS compliant with the standard has been fascinating and provides me with continuous opportunities for my own personal development, sometimes by observing good practice but unfortunately all too often from seeing practices which fail to meet the basic requirements.

I should make it clear, and possibly surprising for those who know me, that I am a big supporter of the 22301 standard. Now it is by no means the perfect standard, if indeed that could ever be achieved. However, I am someone who began in this business when training courses, good practice guides and the words “Business Continuity Management System” were things of the future and, to be frank, “making it up as we went along” was the name of the game. As a result it is in my view great to have a common structure around which to create a Business Continuity Management System. Now of course we need to improve it.

So what will I be presenting? Will it be the secret formula which all Business Continuity practitioners seek to create the perfect BCMS? Will it be the best way to smooth the ego of your auditor to the point where they are purring over your perfect creation? Only one way to find out, be there, oh and bring a biscuit or two.

Colin Ive has been a Member of the Business Continuity Institute since 2001 and is a qualified Lead Auditor for ISO9001, ISO22301 & ISO28000. He is a regular presenter at European & USA Business Continuity and Business Resilience Conferences and a contributing author to both the ‘BCI Good Practice Guide for Business Continuity Planning’ and the acclaimed ‘Business Continuity for Dummies’, in addition to numerous articles.

Colin will be discussing ISO22301 further on day two of the BCI World Conference and Exhibition on Thursday 6th November. You will find him in seminar room 2 starting at 13.10.

Wednesday, 29 October 2014

Developing simple recovery plans for key processes

If a major incident affected your business tomorrow, what are the processes, machinery or even suppliers that would be really hard to replace quickly – the really awkward ones, the unique machinery or equipment that perhaps there isn’t really a plan for, let alone a plan that gets you back within an acceptable recovery time?

Spotting the problems is relatively easy, particularly when you get into manufacturing or supply chain businesses. The challenge for Business Continuity Managers is to do something about them and develop practical, simple recovery plans – even for the hard stuff.

I lead Business Continuity Management at Rolls-Royce Plc, where we have several key manufacturing processes that are both important and challenging to recover quickly.

Over the last year, we have developed a simple but effective approach to business recovery planning for these processes and it fits in just two pages.

This approach has helped the business to understand the risk, recover more efficiently and to prioritise capital investment decisions.

At the 2014 BCI World Conference and Exhibition, I’ll be showing you how this works along with providing practical hints and tips so that you can make it work in your business too.

James Stevenson will be discussing this issue further on day one of the BCI World Conference and Exhibition on Wednesday 5th November. You will find him in seminar room 2 starting at

Tuesday, 28 October 2014

A case study of the integration of ERM and BCM as an independent function

At the 2014 BCI World Conference and Exhibition, participants will have an opportunity to listen to a real case study of the integration of Enterprise Risk Management (ERM) and Business Continuity Management (BCM) as an independent function. This is an innovative and forefront role for the ERM and BCM function.

In my presentation, I will show how the traditional reporting structure and work functions of ERM and BCM in an organisation are usually separated from each other. The ERM and BCM functions are typically part of the executive management team and the head of ERM and BCM reports to the executives such as the CEO or the CFO.

I will share with you the real life case in Malaysia where the ERM and BCM functions are integrated as a 'single' function and act as an 'independent' unit - assuming the roles and responsibilities similar to those of the Internal Audit - separated from the Management. The integrated ERM and BCM independent function reports functionally to the Board of Directors via the Board Audit Committee and administratively to the CEO.

The integrated ERM and BCM function will serve as the foundation for a well-governed and well-managed organisation that is built on a solid resilient foundation of BCM and supported by three pillars of Corporate Governance - Governance, Risk and Compliance.

In order to ensure the effectiveness of an integrated ERM and BCM independent function in an organisation, the following pre-requisite criteria must be established:
  1. An integrated ERM and BCM Charter clearly stating the independent, authority, position, roles and responsibilities of the ERM and BCM functions
  2. Unbiased support from the Board of Directors and the CEO on the independent roles and responsibilities of the integrated ERM and BCM function. The Board of Directors via Board Audit Committee is responsible for the oversight of the work of the integrated ERM and BCM function and for the performance and oversight of the Head of Integrated ERM and BCM function, and ensures that it has a sufficient amount, and quality of resources to fulfil its roles
  3. The appointment of the Head of integrated ERM and BCM function must be approved by the Board of Directors. The Chair of the Board Audit Committee is consulted before the appointment of the Head of integrated ERM and BCM function or the termination of his/her employment and conducts entry and exit interviews with the same
  4. The Head of integrated ERM and BCM function and the supporting subordinates should possess strong knowledge in the disciplines on both ERM and BCM
  5. The Management shall know its role as risk owners and BCM process owners, and these must be clearly communicated and supported by the Management
I will also share with you the benefits of an integrated ERM and BCM independent function and some of the limitations that you may face if you implement the said function in your organisation.

In conclusion, I will share the key takeaways on the lessons learnt from the Malaysian experience that can be adapted to your organisation since there is no 'one-size-fits all' integrated ERM and BCM function. The ultimate goal of the integration is to have a synergy between the two functions as an independent function that will contribute towards a well-governed and well-managed organisation.

Chong Chen Voon is currently the Managing Director of GRC Consulting Services and an Executive Director of EJF Group, a group of consulting firms providing Consulting, Advisory and Training services.

Chong will be discussing 'the integration of ERM and BCM as an independent function' on day one of the BCI World Conference on Wednesday 5th November. You will find him in seminar room 3 starting at 13:10.

Monday, 27 October 2014

Business continuity: human resources as powerbrokers?

The proposition that human resources hold one of the golden keys to successful business continuity will be presented on day two of the BCI World Conference and Exhibition in the Listen Stream. David Evans and Lynne Donaldson of Corpress LLP will argue that the HR role in business continuity is often understated, possibly not understood and for many organisations undervalued.

Please share your thoughts with us on how important HR (Personnel) are to your BCM process: are they heavily engaged or just reactive when pushed and how much time do you spend working with them?

Placing people at the heart of the continuity process has an inherent logic about it: organisations are after all a collection of people with a few facilities, procedures, a purpose and maybe some cash holding them together. The more effectively people work together, then the greater the chance that an organisation will be successful. At a simplistic level, shared goals, good leadership and competent people are a good place to start.

Indeed, according to the BCI Good Practice Guidelines, business continuity is “the capability of the organisation to continue to deliver………” and without the right people in the right place at the right time, there is no capability.

Is there a danger that in stripping down an organisation to assess the causes of failure and analyse business impacts we lose sight of the important role of staff and contractors? It may be easier to consider that an activity or a process can fail due to physical disruption, equipment failure or other losses leading to impacts on the organisation rather than examine the role played by the individuals tasked with developing, maintaining and implementing the process.

If this was the case, then people could legitimately be relegated to a footnote in the BIAs relating to loss of key people or teams. Alternatively we could focus on recovery rather than impact, perhaps creating a starring role for HR when things start to go wrong, when response teams are required to act rapidly and implement the plans and arrangements that have been carefully crafted to recover and ultimately protect the organisation.

It would be easy for business continuity to become technology bound: there is a wealth of failures and impacts that affect organisations when equipment breaks, facilities are damaged or the utilities fail. Plenty to keep us occupied and as a result a dangerous path to take, one where we forget the social side of the equation and concentrate on the technology and the systems.

People + Technology + Systems = Organisation
This blog is being written on the day the Bank of England Governor Mark Carney launches an investigation into the crash of the CHAPS payment system. He promises to discover what went wrong and if officials had responded properly. For officials read people. You can almost picture the inquisitor sitting down with a blank sheet of paper and starting to write down the questions to be answered:
  • Who caused it?
  • Who responded when the problem occurred?
  • Who was competent and possibly not so competent?
  • Who checked the work?
  • Who solved it?
  • Who is to blame?
I accept that there is an equally valid list along the lines of what went wrong and why; “who” is only one of Kipling’s six honest serving men. But it illustrates how important people are in the equation. Which takes us to HR or, if you prefer, Personnel.

From the day you arrive in your new job until you decide to part company with the organisation, HR play a key corporate role in your business life. The culture you work in, the competence and skills of your co workers and yourself, and even your role itself are all guided by the hands of HR. They protect the organisation, including managers and staff from breaching workplace legislation. They have a significant input to the establishment of strategy and its delivery, because nothing happens without people. All major projects, most major investments and nearly all changes to the business will at some point involve them.

Let me introduce you to a professional group of people who work from the top to the bottom of the organisation, have had contact with everyone in it, help to develop their capability and foster their engagement, and protect you from a wide range of legal liabilities.

Not only that, but as soon as the problems occurs and the world is looking a little less rosy, it would be kind of helpful to have a team who know what skills are available, where they are located, help you communicate across the organisation and ultimately, help build a resilient culture.

But more of that during the presentation, if you can’t wait and want to share experiences or request more detail on how to get HR engaged, then please email us at

Friday, 24 October 2014

Business continuity and information security – a good fit?

During my interaction with senior management as a business continuity/information security consultant, especially amongst IT centric organisations, I am invariably asked a question: "We come across too many ISO standards which have common themes. In your opinion, which are some of the Standards that come very close especially from an implementation perspective?"

As you can see this is a very loaded question from the senior management who are typically fed up with too many rules, regulations and standards trying to govern their lives. Also, whilst they want to adhere to all applicable regulations and standards they want some optimisation of their costs in implementation.

My typical answer to this is as follows: "If your emphasis is on service management please combine ISO 9001:2008 and ISO 20000:2011. In fact implement only one standard and ignore the other. If your emphasis is on information security and business continuity please combine ISO 27001:2013 (ISMS) and ISO 22301:2012 (BCMS) implementation."

From historical perspective both ISO 27001 and ISO 22301 have emerged from British Standards and have a sort of a common past. Leaving that aside, information security, as the pundits drum into us, is all about confidentiality, integrity and availability of information. Business continuity, on the other hand, is about availability (of information or business) in case of a disaster. In companies where information is business, these two standards merge quite well.

All this however, has to start with scope of the ISMS/BCMS. What is the context of the organisation that is planning to implement the BCMS/ISMS and does the context match in both cases? If the context matches we have a winner and we can choose to implement both management systems together with a common project plan/team. Typically, BCMS and ISMS (at least in mature organisations), come under the ‘Risk Department’ organisationally. If this is not the case, it would be worthwhile to make organisational changes before commencing implementation of BCMS/ISMS.
In my address at the BCI World Conference and Exhibition, I will be looking at this from a practical perspective to explain how we can implement BCMS and ISMS together along with common features of both the standards.

So …happy interactions!

Ramesh Ramani will be discussing 'Business continuity and information security – a good fit?' on day one of the BCI World Conference and Exhibition on Wednesday 5th November. You will find him in seminar room 3 starting at 9.20.

Wednesday, 22 October 2014

Genoa: The city where maths kills people

On October 9th, 2014 - with HI CARE Association and PANTA RAY - the BCI Italian Forum was launched, the first Business Continuity Institute affiliated network in Italy for business continuity professionals. In a conference held in Milan, I had the chance to point out how the culture on this topic in our country is still very low and how it is important to pursue a radical change in mentality and in the approach to crisis management.

There was no need for the umpteenth flood in Genoa to confirm how urgent the need for change is. But unfortunately just a few nights before our forum, the Bisagno river overcame its embankments killing one person (in 2011 the victims were 6). The city woke up with a widely spread black-out, Enel declared that over 2,000 clients had no power, schools and universities were closed, several blocks were flooded and economic and infrastructural damages were significant (circa €200 million of public expenses and approximately €100 million of private damages to companies and shops).

A scene we are used to, not only in Genoa unfortunately. But there is a good piece of news, we finally found the guilty party: maths! The President of the Liguria Region Burlando declared: “It is the first time that mathematical models are wrong.” He must have missed all the financial slumps in the history of the world. “The phenomenon that was registered yesterday has never happened before and our weather forecasting models could not anticipate it. The model is still valid though, until now it has always predicted the weather so that we never made mistakes related to severe crises”. Good to know.

I think we can list thousands of reasons that led to the umpteenth tragedy: bureaucracy, soil consumption (which in Italy is twice the European average), the lack of resources, the typical Italian mentality that is nothing but focused on prevention and planning, etc. All valid considerations that highlight the need for careful reflections. But, maths?

I really do not want to concentrate the attacks on President Burlando, but I do have to highlight these statements because they reveal a problem that I have to face quite often as a business continuity and crisis management consultant, either with public entities and private companies. Here is the deal: Business continuity is often confused with risk management, a discipline that – by definition – is based on probability calculation and therefore on mathematical models. This is a problem, since business continuity is meant to ensure resilience to an organization regardless of the probability of occurrence of a potential disruption. Business continuity is applied on the so-called 'residual risk', or the part of risk which is not manageable or computable. Outcome: when mathematical models fail and no business continuity practices are embedded in the organization, disasters happen!

Risk management (and math, of course) is a fundamental discipline, as weather forecasting is fundamental as well. But thinking that they never fail is crazy and not doing anything but rely just on math models is criminal. It has to be said pretty clear, because people die and companies fail. The Ferraris Stadium in Genoa is right next to the Bisagno river. What if the 'math models' fail again on a football match day, when the area is full with thousands of supporters?

Earlier this year, we held a conference at the Chamber of Deputy with Joseph Bruno - Commissioner of the New York City Office of Emergency Management as the guest speaker. We discussed these topics and we presented the crisis management model of the City of New York to politicians and the highest members of institutional entities. Now we have launched this BCI Italian Forum, which is completely free and aims at aggregating the most important competencies on the subject to create a network in Italy as well. I want to stress a concept I already mentioned during my speech at the conference in Milan: there are no excuses anymore! Each of us needs to accept his/her own responsibilities and act to raise the awareness on prevention and preparedness in this country. Otherwise, to find the guilty party you just need to look in the mirror.

Alberto Mattia is Managing Director at Panta Ray, a management consulting company specialized in business continuity and crisis management and Secretary-General at HI CARE Association, a non-profit organization dealing with territorial security projects in Italy. Graduated in Economics and Finance at the Università Bocconi in Milan - Italy, Alberto has started his career in the US at BT Radianz and then JPMorgan Chase Bank. He has then worked as a Project Manager at Centrobanca and as a Risk Manager at UniCredit Group.

Monday, 20 October 2014

Business continuity vs risk management

According to ISO22301, business continuity is defined as the capability of an organisation to continue the delivery of its products or services at acceptable predefined levels following a disruptive incident.

Risk management on the other hand is the systematic process of understanding, evaluating and addressing the risks that an organisation faces in order to mitigate against them.

So that all sounds quite clear. The former is more concerned with the management of a disruptive incident after the event and so deals with the consequences, while the latter focusses on the management prior to any incident taking place and so deals with the threats. Two very distinct disciplines, aren’t they?

If you go back to the basics however, risk management assesses the likelihood of an incident occurring and the impact that it would have on the organisation. If one of the aims of risk management is to mitigate against the impact of an incident, then isn’t this moving into business continuity territory? Doesn't this mean that business continuity is just a function of risk management?

This is the issue that is up for discussion on day two of the BCI World Conference and Exhibition on the 6th November. Panel members from a wide variety of organisations on both sides of the debate will clash as they discuss the motion ‘business continuity can only ever be subservient to risk management’. Don’t miss out on this opportunity, book your place at the conference and join the debate.

Friday, 17 October 2014

Deriving X factors to support your BCM programme

Obtaining management commitment for resources and funding for BCM programme implementation and sustainability is always a prime challenge for most of our fellow professionals. We are continuously struggling in selecting the most effective approach to secure a dynamic business continuity programme.

Unavoidably many times in our career we have presented a powerpoint slide with some standard statistics from Google before our management, with best persuasive techniques trying to convince them to allocate the necessary funding to set the programme in motion.

Most of us are using facts and figures as an inspiring method of persuasion, in this case, it can prove to be a downfall to arm you with general information and scare tactics that may potentially overwhelm management and provoke the common reason that many businesses are without a business continuity plan: “It will never happen to me”.

Across-the-board examples and generalizations are vulnerable to being inapplicable or unconfirmed, which is a complete contradiction to what we are striving for in trying to integrate business continuity within our organisations in the first place. So, the number one way to make your management team not only aware of the risks you seek to diminish, but to gain their commitment for your business continuity programme is to outline the specific threats to your specific business. An evident reason for management to commit to a business continuity proposal is risk vs cost. If the risk far outweighs the cost, we are likely to be successful in securing funding for solutions that mitigate that risk.

In my presentation I shall present a practical model case of an organization and the journey of their BCM Manager that secured management commitment by identifying their own 'X' factors that are derived from information within the organisation. These factors are the basis for any legitimate business continuity programme and were mainly driven from the following areas:
  • Regulatory
  • Legal
  • Revenues
  • Shares Price
  • Productivity
  • Brand – Marketing
  • Customer – Opportunity
  • Insurance
  • Operational
I will give the delegates proven approach to understand the current risks and their impacts to the business in terms of financial loss and how it can be presented to convince and secure management commitment.
  • Delegates will benefit from how to identify monetary loss of various impacts and the financial loss implications of not having the right BCM arrangements
  • They will get practical understanding of on how to use these factors to support their BCM programme
  • They shall get an understanding on how information available within the organisation can and support their case
  • This model case can be applied to any type of organisation or sector
Nisar Khan has 14 years of professional career, with 11 years of experience in managing Corporate Business Continuity programmes at public and private sectors. Previously he functioned as a BC/DR Manager for a consultancy firm, delivering end-to-end BCM programmes and training to leading companies. He is a dedicated ambassador of the discipline and has earned the following recognitions:
  • Highly Commended at the BCI Global Awards 2013 as ‘BCM Manager of the Year’
  • Winner of the BCI Middle East Awards 2013 as ‘BCM Personality of the Year’
  • Winner of the first BCI Middle East Awards 2012 as ‘BCM Manager of the Year’
  • Winner of the BCI Asia Awards 2012 as ‘BCM of the Year’
  • Highly Commended at the BCI Global Awards 2012 as ‘BCM Manager of the Year’
Nisar will be discussing 'Deriving X factors to support your BCM program' on day one of the BCI World Conference on Wednesday 5th November. You will find him in seminar room 3 starting at 15:10.

Thursday, 16 October 2014

Design and implementation of a business continuity management programme

The BCI World Conference and Exhibition is split into three streams - listen, learn and lead - and the idea behind the middle of these streams is to enable delegates to explore the full BCM Lifecycle training experience.

I will be doing this through presenting a selection of the material used in the Business Continuity Institute’s five day BCM course, highlighting the main elements of the process, and exploring some of the issues that need to be understood in the Design and Implementation stages of the process. The exploration will be through discussion and debate, into which I will provide the knowledge and experience that I have obtained over many years both teaching and practicing BCM in a wide variety of types of organisation.

In the Design session we will be exploring two issues which, in my experience, most people struggle with both in learning the theory of BCM and in practice when applying the theory to their own organisation:
  • How close should the Recovery Time Objective be to the Maximum Tolerable Period of Disruption?
  • What is a safe separation distance for recovery sites, alternative facilities, and backups?
In the Implementation session we will be exploring three issues, which although they are simpler than the two Design issues, still give rise to considerable debate:
  • What is a Business Continuity Plan (BCP)?
  • What are the common elements of all plans at all levels?
  • What resources do you think are needed for a response team meeting room, and how do you think that space should be best utilised?
In each session I will take the delegates quickly through the main steps of the BCM process as they are taught in the BCI’s five day BCM course, pointing out some of the more important concepts and techniques that need to be learnt, and then, at the appropriate point, raise the issues that I have decided to explore. I will be asking the delegates for their views, encouraging debate on what the most appropriate solutions appear to be, and attempting to bring the discussion to a conclusion through explaining what the BCI’s Good Practice Guidelines (the GPG) recommends.

By attending the two sessions that I am presenting, you will get not only a flavour of what you’d learn on the BCI’s five day BCM course, but you will also get the opportunity to explore some of the Design and Implementation issues that you will need to know how to tackle if you are to help your organisation to successfully implement an effective BCM programme. It will also give you an opportunity to take part in a discussion and debate on some of the Design and Implementation issues that even experienced BCM professionals have difficulty with.

Mel Gosling MBCI has been an instructor for Continuity Shop on the BCI’s five day BCM course ever since it was first launched in 2008, when it was based on the 2008 version of the GPG, and has contributed to developing both the course and the GPG through the 2010 and 2013 versions. Throughout the past six years he has helped over 200 students achieve certification through passing the BCI’s exam, and has learnt how best to present the extensive and concentrated material in the GPG to enable students to both learn and understand the BCM process. Attending these two sessions will give you an insight into how Continuity Shop presents this course, and a taste of some of the issues that you will encounter.

Mel will be discussing design and implementation within the 'Learn' stream at the BCI World Conference on Thursday 6th November, starting at 10:30.

Friday, 10 October 2014

ISO22301 certification at the UK's Houses of Parliament

"If you don’t know where you are going you’ll probably end up somewhere else!” At the BCI World Conference in November I’ve been asked to run a session on two key stages of the BC Lifecycle; Policy and Programme Management and Embedding BC into the organisation. Can you imagine my excitement?!

Well, having just achieved ISO22301 certification for the Houses of Parliament I see the outer ring of the lifecycle (Policy and programme management) and the inner core (Embedding) as the tyre and axel of the wheel; get this right and you’ll have a smoother journey.

There are many lessons to share and I hope the conference provides an opportunity to do so. Let me give you an example of what I mean. My BC policy originally said that it ‘would be reviewed on a regular basis’. The external auditor from the BSI pointed out that ISO22301 requires that the policy is reviewed at ‘planned intervals’. My policy now says it will be reviewed ‘at least annually’; that is what we always meant but didn’t make clear. Other examples of poor language are found in phrases from Management Board papers saying “Human Resources might want to look into….” What does ‘look into’ mean exactly? It is not about being pedantic, it’s about being clear in your planning so that all interested parties understand what is being asked of them and how this will be assessed.

The policy sets out what you are going to do, the scope of your BC capability and defines roles and responsibilities. The programme will set out how and when you will implement the BC capability. So, the policy will help you know where you are going and the embedding will help you stay on course. My workshop at the conference will describe how these parts of the BC Lifecycle can be achieved.

Martin Fenlon MBCI, Business Resilience Coordinator at the UK's Houses of Parliament, will be discussing this issue within the 'Learn' stream at the BCI World Conference on Wednesday 5th November, starting at 10:30.

Thursday, 9 October 2014

Think you're an expert in business continuity?

Jeopardy, The Weakest Link, Who Wants to be a Millionaire, or perhaps just the local pub quiz. Everyone likes a good game show to challenge the mind and to test whether you really are as knowledgeable as you think you are.

Are business continuity practitioners any different? We'll soon find out. To end the BCI World Conference and Exhibition on a high, the Business Continuity Institute along with Crisis Guardian, will be hosting their very own game show.

The game show will contain relevant and important business continuity messages and will touch upon topics covered in some of the conference presentations, so make sure you pay attention. You will however be pleased to know there are no music questions.

This is an audience participation event so you can put your heads together with fellow delegates, using shared interactive voting handsets, to answer a series or topical questions and have fun at the same time as learning something new and interesting to take away with you.

So, do you think you're an expert in business continuity? Perhaps you are. Now is the time to put that to the test. Book your place at the BCI World Conference and Exhibition to take part in this one-off event and really put your business continuity skills to the test.

Wednesday, 17 September 2014

How social media can improve organisational resilience when disaster strikes

The devastating earthquakes that hit the South Island of New Zealand in 2010 and 2011 and over 4000 bigger aftershocks rattling Christchurch and Canterbury have caused an estimated $40 billion damage to the city, including wide parts of the CBD and around 100,000 homes. While there are parts of the city ‘red-zoned’ and will not be rebuilt, the rebuild of the rest is expected to take at least 15 years. The whole inner city is going to be re-arranged and while this is still undergoing, a lot of local businesses have moved out of the centre to somewhere else.
Christchurch, like New Zealand as a whole, has first-world ICT infrastructure and high rates of technology uptake across all sectors of society. This technology uptake and the rising importance of social media in society made the earthquakes one of the first natural disasters, where social media played a major role in direct response but also the long-term recovery. In the immediate aftermath of the major quakes in September 2010 and February 2011, social media services including Twitter provided crucial communication channels for individuals, communities and organizations. With a disrupted electricity supply, and unreliable SMS services, Twitter was an up to date and reliable source for eyewitness accounts and crucial public information.

During the recovery phase social media stayed an important part of people’s lives. While the CBD was corded and totally locked down, people didn’t know if businesses moved somewhere else, what the opening hours under these special circumstances were or which alternatives there were to purchase a certain product, service or simply going out for dinner. Social media enabled people to connect with each other for emotional support, information, calls to action or organizational purposes.

Various online communities developed around the central problems of the earthquakes, from neighbourhood groups helping with insurance claims, to forums and message boards where people posted pictures of lost and found pets or pages where people discussed, how the city should look like after the rebuild, to the Facebook page of the Student Volunteer Army, a student group who organised and coordinated volunteers through a Facebook page.

Apart from the examples mentioned above, I also encountered a couple of business uses in my research. With an online social media platform an organisation or group gains a channel to interact with the community, but also with customers and staff, enhancing business resilience as well.

In the case of Mainland Press, a Christchurch based newspaper business, print production was not possible immediately after the earthquakes. Through a newly found social media site, the Mainland Press reporters were still able to communicate their local news and information until the newspaper went back to normal production. But even after that, their Facebook page ‘Rise Up Christchurch’ remained an important platform for information exchange and discussion with a huge amount of followers.

For other businesses, social media became important a bit later on. To bring life back into the city centre, a transitional mall with shops in shipping containers was build up and re-opened. To spread the news about what was happening there and to keep people up to date about special offers in this new mall, a Facebook page was created and a community was built.

I could go on describing different examples of businesses and other people using social media in the aftermath of the earthquake for different purposes but you probably get what I am aiming for already. All communities are very different and tailored specifically for and through the people engaging, who are interested in the issue, be it earthquake updates, help or the latest news about what is happening in the inner city. Anyway, social media is a great way to keep in touch with your customers, serving as a two-way channel, which enables communication and can help a business or community to reach out and make it more resilient. In most cases, social media was not something organisations or businesses had used before the earthquakes, nor was there a strategy in place for how to deal with the new tool. Even though your social media presence isn’t a core feature in your marketing strategy, it doesn’t hurt to learn these skills and build up a community before a crisis happens.

Martina Wengenmeir is a PhD candidate at the University of Canterbury, in Christchurch, New Zealand. Her research interests lie in cross-medial information flow and online communities and publics.

Friday, 12 September 2014

Learning from experience by blogging

During my time studying business continuity, we were forced by our lecturers to take an additional module on reflective writing (as part of our personal development) and I really didn’t want to do it. I just couldn’t get my head around the value of exploring my thoughts retrospectively. Why should I use my valuable time in completing what is essentially a diary? Surely whatever I learned from the experience would be felt at the time?
Well it’s no secret that the art of completing a journal or a diary has been around for centuries. Many famous and successful individuals in history in their quieter moments have taken the time to reflect. There must be some value in doing this?

Despite my initial reluctance I started to see the value of reflective writing, particularly in understanding the more complex issues. I quickly realised that my brain wasn’t very efficient at breaking things down in real time and approaching it in this way would help me to understand whatever it was that I needed to know. This often included situations where I couldn’t quite grasp a decision, outcome or even the subtext of a meeting or conversation at work. I felt like my brain was clogged up with information that I could barely remember or even understand. I actually felt a bit suffocated by it and in an industry where looking the part is key, perhaps a little stupid. For me, writing these situations out in black and white created an opportunity to take a second look at the experience.

Over the last couple of years I’ve often struggled to see the big picture in situations right away. I’m also very honest about my lack of understanding when it occurs to me. However, I would regularly watch my friends and colleagues working in business continuity appear to understand concepts and other more complex issues much quicker than me (or at least they sounded like they did!). Surely I’m not always the last to the party? I would share these thoughts with close colleagues and loved ones over a period of time and then I started to recognise that I wasn’t the only one. In fact, even the individuals that initially looked or sounded like they understood frequently didn’t. I found some comfort in realising that I wasn’t alone but I was also deeply disappointed to find that very few of my peers were openly sharing these experiences. Wouldn’t it be valuable if we could share from each other’s learning without the fear of looking foolish? To quote an experienced colleague who I respect a great deal, “there is a real absence of a younger voice in what we do.” They are absolutely right.

The last 12 months for me have been a career development whirlwind in business continuity. I’ve had countless new professional experiences from exams and major incidents to ISO 22301 certifications and work area recovery planning. As you can imagine I’ve arrived at situations that are completely new to me and there’s never been a better time to reflect…cue BlueyedBC.

I created the social media platform called BlueyedBC in November 2013 after being encouraged by a number of senior colleagues to share my writing. I decided to go by this title because I wanted to combine the desire of junior professionals to become the blue-eyed boy or girl in their profession with idea of blue-sky thinking. Since this time the BlueyedBC BlogSpot has received over 7000 hits worldwide with hundreds of professionals from around the world starting to follow each article that is released. The unexpected volume of interest prompted me to release a small eBook on Amazon. It includes a series of anecdotes and thought processes that will hopefully assist other new starters and graduates who are about to embark on their careers. I’m also hoping that it offers some insight for senior BC managers in to the fresh mind of a young professional and how some might view these new experiences on face value. Most importantly, I use a simple, honest and easy to understand voice in my writing as described by several senior industry colleagues who have already publically reviewed the content. I can promise readers a light-hearted jargon-free account of how one might feel during the initial steps of their career in business continuity.

Luke Bird is a Business Continuity Executive at Atos in Glasgow and a regular blogger on his own ‘BlueyedBC’ blog site. You can read his blogs by clicking here or follow him on Twitter by clicking here.

Luke’s eBook ‘BlueyedBC: Business Continuity Management - An insight into the world of business continuity management’ is available online by clicking here.

Wednesday, 10 September 2014

Improving organisational resilience – the real justification for business continuity

Although the term resiliency is widely used in setting corporate goals, it is rarely defined in a way in which it can be meaningfully assessed. Traditionally business continuity has provided a proven means of reducing the severity of disruptive interruptions by understanding the operational priorities of the business, the infrastructure that supports them and the acceptable timescales for response and recovery. Business continuity practitioners have always argued that by taking a holistic approach to an organisation, critical dependencies and single points of failure can be better identified and mitigated, thus leading to improved reliability and customer satisfaction. This might seem a reasonable assumption but it is hard to really prove.

This lack of objective proof has perhaps contributed to the often reported difficulties in achieving more substantial stakeholder buy-in for business continuity at the most senior levels in an organisation. Perhaps this partly explains why the change in business terminology from business continuity management (BCM) to organisational resilience is happening so rapidly in many companies. Certainly key individuals promoting the resilience agenda see the opportunity to bring a new discipline into play at the strategic level as a game changer. Adaptability (rather than response) is becoming the new buzzword and traditional business continuity practitioners need to adapt to this new reality.

The construction of more and more detailed plans has failed to achieve the corporate goals for security and resilience that we as practitioners might have expected. The speed of business change makes the need for a more dynamic way of responding to crises ever more important, but as BCM professionals we need to change the way we work – developing organisational resilience capability and the people skills needed to take control of unexpected events should be our primary goals. Good planning is still essential but not writing more compliance based procedural plans.

So what are the obstacles to implementing a successful business resilience plan? Firstly, getting support from the top of the organisation and by this I mean not just budget, but rather the way the message needs to be enthusiastically and positively communicated from the top. Secondly, getting buy-in from the people who have to deliver the plans; this is predominantly the middle managers who are often already over committed and under resourced. Thirdly, making the risk look and feel real because if it is seen as just compliance then you will create a tick-box mentality.

To successfully address these obstacles, it is essential to properly understand how the business actually works and who the really influential players are, those whose opinions are sought and listened to. Find out what the real drivers of success are and what top management really worry about. Do not talk to senior management until you know what is important, any lack of company knowledge will ruin your credibility immediately so prepare well before you talk to them. Build awareness programmes and get your message right when you give presentations as the people who you need on your side are not interested in technical solutions, they want to know about what you can do to help them eliminate or reduce future business problems.

Business resilience is much more than recovery from disaster or serious incidents. It is the ability to identify and monitor risks to prevent them from happening in the first place, or at least minimise the impact. It is about the capability of the organisation to deal with incidents that cannot possibly be predicted or adapt itself to changes in its external circumstances such as civil war in a key supplier country. In some ways it is difficult to highlight companies who are good at resilience because by definition they will be the ones that handle problems, major incidents and even crises almost seamlessly.

The top challenge on the horizon for BCM professionals is changing the mind-set of people both inside the profession and outside it. We have many excellent programme managers but there is not enough really innovative thinking going on. The enthusiasm for the idea of resiliency does give us a chance to articulate a wider strategic vision for our discipline. Thinking up relevant approaches to deal with issues that do not fit the old BCM model of physical disruption to assets is a real challenge – cyber resiliency must be high on our agenda as is mitigating reputational damage using social media. It might be difficult but if we don’t do it, who will?

Lyndon Bird
Technical Director at The Business Continuity Institute

Tuesday, 9 September 2014

Rules of crisis management: don't let lightning strike twice

The great Irish playwright George Bernard Shaw famously once said of success, that it “does not consist in never making mistakes, but in never making the same mistake a second time”. In much the same way this rule can be applied to crisis management. To suffer a crisis once is unfortunate; to suffer a crisis a second time is careless.

Last month the Spanish clothing firm Zara caused outrage when it put on sale a piece of clothing which to some resembled the shirts worn by concentration camp prisoners during the Second World War. The shirt had been designed to be ‘wild west’ themed, but unfortunately the large gold star over the chest looked very much like the Star of David.
To Zara’s credit the company acted quickly to take down the offending item from sale. It also posted apologies to anyone who had been offended by the item on its social media feed with a statement recognising the insensitive nature of the shirt.

Unfortunately for Zara, this was not the first time that the clothing brand had been in trouble for using Second World War iconography in its designs. Back in 2007 the company suffered similar negative publicity when a customer noticed a bag they had purchased from the store included four green swastikas. Again, the company immediately withdrew the item from sale, but not before several tabloid newspapers in Britain had run pictures of the company juxtaposed with Adolph Hitler.
There is no doubt that Zara has made an honest mistake in both instances, unfortunately activist groups and NGOs are less forgiving, with several attacking the company on social media for “ignorance” and a “lack of education”.

In both cases the company reacted swiftly to withdraw the offending products from sale. However, in making the same mistake twice the company has left itself open to accusations of carelessness in the way in which it handles its internal quality control processes.

The key thing about pistols (as anyone who has seen a western will know) is to take the gun out of the holster before firing it, otherwise you risk shooting yourself in the foot, and in this case, twice.

Tom Curtin is the Chief Executive of Curtin and Co, a BCI Partner specialising in crisis communications and reputation management. You can view more blogs my Curtin and Co by visiting their website or by joining their Linked In group.

Friday, 5 September 2014

The CPD Merry-go-round: Why individuals struggle to stay on for the ride

Ever groaned at the thought of undertaking more CPD, to add to another yearly record?

You are not alone: The CPD Research Project found that thousands of professionals in the UK have a great deal of apathy, and negativity, towards their CPD. Many struggle to keep motivated and focused on its true purpose - upholding best practice and ensuring professional qualifications don't become obsolete.

Often such apathy stems from heavy top down requirements from professional bodies and regulators, for number of hours, points, topics, or skills to be covered, coupled with a lack of support or guidance. Yet, paradoxically, CPD Schemes are purposefully designed to be flexible in terms of topic, and are rarely prescriptive in advising what, where, and how an individual professional should undertake their CPD.

Such confusion about what, and how, CPD can be undertaken often spirals and as a result individuals rarely perceive their CPD as a personal achievement and significant addition to their work portfolio.

In particular - individuals lose sight that CPD is actually for them.

Recent CPD should be displayed on your LinkedIn profile, discussed in interviews and job reviews, and included on your CV. Our CPD research shows that clearly demonstrating CPD to employers dramatically improves career prospects, which in real terms, means higher salaries and remuneration.

So what created this generalised apathy in the first place?

A quick look on the internet shows an expansive number of training providers, courses, online activities, events, lunch time and breakfast briefs, and seminars. Many of which have not been verified as 'true CPD'.

For many, the choice is endless, and identifying high calibre or relevant CPD activities becomes a 'hit and miss' activity.

More worryingly, the CPD Research Project found that an alarming number of providers whose training activities are ‘branded’ as CPD happen to be in the lower quartile - in terms of quality.

It therefore comes as no surprise that a central cause of CPD’s bad reputation stems from individual professionals receiving negative, sometimes terrible, CPD experiences. The results of a CPD environment that is populated with low quality training, negative CPD experiences and apathy from all involved, has significant consequences, with many professionals reduced feeling that they are on an endless, and sometimes pointless, merry-go-round.

Find out more at, and when you are sourcing CPD activities, keep an eye out for the CPD Standards accredited providers mark.

Holly Steiner is the Client Relationship Executive at the The CPD Standards Office, a Part of the Professional Development Consortium.

Thursday, 4 September 2014

The development of organisational resilience

With the search for the comprehension and understanding of the meaning of organisational resilience gathering pace with each passing month, the Business Continuity Institute is now well embedded, perhaps even pivotal, in this latest quest to push forward the boundaries of the thinking and theories that relate to protecting and maintaining the value of organisations. The debate about what organisational resilience means in practical terms to organisations and industry practitioners is ongoing, but the recent publication of the BS 65000 – Guidance on Organisational Resilience – as a draft standard for public comment by the British Standards Institute is clearly another step forward in this search for the 'Holy Grail' in enterprise risk management.

The debate about organisational resilience is fascinating because it has been led by a number of academics and academic institutions, which is slightly counterintuitive in the field of social science research and organisational management studies. The usual methodology in the field is for phenomena to occur, the academics then research the phenomena and attempt to understand the causation, context, applicability and the whole myriad of considerations that underpin a theory in the social sciences arena.

With organisational resilience however, this has not been the case. Academics have postulated on the theory of organisational resilience without having the case studies to investigate and sense check their theories against. This situation is exacerbated by the fact that organisational resilience can be a point in time phenomena, so no evidence of the measurement of an organisation’s resilience over a protracted period of time has been published to date. To the contrary, one recently published study stated that an organisation was resilient in its operations, despite the fact that the organisation under consideration no longer exists and its demise was well documented and planned in advance. This situation seems to be counterintuitive to the theory, especially when there is some measure of consensus amongst academics and practitioners that capacity to adapt to change and evolve and thrive in a structured and strategic manner is a key part of what may constitute the state of resilience for any particular organisation.

The BCI has worked to address the gap in the understanding and meaning of organisational resilience by leveraging the wealth of experience and expertise that can be found in the ranks of its members and actively worked to support the development of BS 65000. The BCI also actively participated in the development committee’s deliberations, inputting member’s views and thoughts throughout the development cycle, exactly as it did with BS 25999 Parts 1 and 2, BS PD25666 on Testing and Exercising, ISO 22301, ISO 22313, BS 11200 on Crisis Management and the many other relevant industry standards that have been published nationally and internationally over the past six years.

So back to BS 65000 on organisational resilience and what is happening now, the comments that were submitted from the public consultation phase have now all been collated and the standard’s development committee is now considering those comments and amending the text of the draft standard where that is necessary. After completing the development process and gaining all the necessary approvals required for its final publication, and then the real challenge will commence, as organisations will hopefully take the guidance in BS 65000 and use it to either enhance the resilience of their organisation or sense check or benchmark their current arrangements against the guidance in the standard and then feedback and share their experiences.

It is important to remember that standards and the thinking contained in standards evolves all the time to mirror advances in the relevant industry or activity sector. The new BS 65000 standard not only represents the next big step in our understanding of organisational resilience, but it is also the next phase in the quest for that understanding and the meaning of organisational resilience and it seems quite clear that the quest is still far from complete.

Kevin Brear is a ‘Strategy and Business Systems’ PhD Candidate at the University of Portsmouth and played an important role the development of BS 65000 through his position as a member of the BSI Standards Committee.

Wednesday, 3 September 2014

Seven deadly sins of business continuity plans

Recently I helped plan and deliver a workshop for the Scottish Continuity Group. The theme of the day was to give the delegates ideas of ways to improve their plans. Presentations were given on a number of aspects of planning - including short plans, using business continuity software, the army way of planning and different ways to set out your plans. I gave a talk at the beginning of the workshop to set the scene. It was entitled 'The Seven Deadly Sins of Business Continuity Plans' and I thought I would share the main points with you.

Sin 1 – Unnecessary information

Many Business Continuity Plans I see seem to be full of unnecessary information which is not needed on the day of the incident. They contain policy information, details of when the plan was last exercised and how business continuity is managed within the organisation. I believe that the plan should only contain information which you are going to use on the day of the incident. All the other information should be kept in a separate document.

Sin 2 - Samey

“When something remains consistent when one would expect there to be more variation”.

This is where the plan initially looks good, with lots of detail, and it appears that lots of thought has gone into it. You then read a number of plans within the organisation and you find that almost all the plans are exactly the same. The call centre plan looks exactly the same as the finance plan, except for the name on the front. This says to me that business continuity within the organisation is not taken seriously and the organisation is happy for its plans to be cut and pasted from one department to the next. Of course there will be some parts that need to be the same in all plans, such as the incident management hierarchy, but make sure that your plan is properly tailored to your part of the organisation.

Sin 3 – Connection to the BIA

Many organisations have a large and elaborate Business Impact Analysis (BIA), which capture vast amounts of information. When you come to looking at the plan there is nothing in it recognisable in the BIA. The BIA has a vital part in informing the recovery strategy and key information such as the system recovery order, how many seats the department needs over a timeframe and most importantly what are the Recovery Time Objectives (RTO) of the different activities carried out by the department. Make sure you iron out the essential details which you need during an incident.

Sin 4 – Scope

With many plans I see it is not clear what the scope of the plan is. Is it just the Glasgow call centre or all three call centres across the United Kingdom? Perhaps the author knows the scope of the plans but has not put it into the document. I am never sure whether this is the case or if they have not really thought through the scope of their plan. I think within the plan there should be a very clear scope and the parts of the organisation which are outside of the scope should also be identified.

Sin 5 – No strategy

Many plans you have to read four or five times to actually work out what their strategy is and how they are going to recover their operation. Sometimes it is impossible to work out what they are going to do! There may be tables listing the number of staff to be recovered but no actual location where they are to be recovered to. Sometimes I worry that the organisation doesn’t really know what they are going to do and will make it up on the day, hence they have no strategy to actually write down. Within the plan, I believe, it should be very clear what the recovery strategy of the organisation is. Within my plans I write a paragraph describing the recovery strategy which makes it clear how the organisation will implement its plans.

Sin 6 – The Team

According to the Business Continuity Institute’s Good Practice Guidelines every plan must have a team to implement it. This seems to be missing from many plans and it is not clear who will implement the plan. Even if the plan will be implemented by a team detailed in another document, there should be reference to this within the plan.

Sin – 7 Medium to long term recovery

Many plans I see concentrate on the immediate response to an incident and recovery of the first activities to their designated RTO. After this they run out of steam and are vague on how to recover beyond that. I was guilty of this when I was responsible for planning for a large office of 1,600 people. I had a good robust plan involving a work area for 300 of the key staff but had no plan in place for the recovery of the remaining 1,300 people. Finding space and recovering a small amount for immediate activities is easy; what is more difficult is finding space for the remaining large amounts of people. The same amount of thought and planning should go into your medium and long term planning, especially if it involves large numbers of staff. Once you know how to recover the remaining large numbers of staff then this should be included within your plan.
Charlie Maclean-Bristol is a Director at PlanB Consulting in Scotland.

Blog Archive