Wednesday, 17 September 2014

How social media can improve organisational resilience when disaster strikes

The devastating earthquakes that hit the South Island of New Zealand in 2010 and 2011 and over 4000 bigger aftershocks rattling Christchurch and Canterbury have caused an estimated $40 billion damage to the city, including wide parts of the CBD and around 100,000 homes. While there are parts of the city ‘red-zoned’ and will not be rebuilt, the rebuild of the rest is expected to take at least 15 years. The whole inner city is going to be re-arranged and while this is still undergoing, a lot of local businesses have moved out of the centre to somewhere else.
Christchurch, like New Zealand as a whole, has first-world ICT infrastructure and high rates of technology uptake across all sectors of society. This technology uptake and the rising importance of social media in society made the earthquakes one of the first natural disasters, where social media played a major role in direct response but also the long-term recovery. In the immediate aftermath of the major quakes in September 2010 and February 2011, social media services including Twitter provided crucial communication channels for individuals, communities and organizations. With a disrupted electricity supply, and unreliable SMS services, Twitter was an up to date and reliable source for eyewitness accounts and crucial public information.

During the recovery phase social media stayed an important part of people’s lives. While the CBD was corded and totally locked down, people didn’t know if businesses moved somewhere else, what the opening hours under these special circumstances were or which alternatives there were to purchase a certain product, service or simply going out for dinner. Social media enabled people to connect with each other for emotional support, information, calls to action or organizational purposes.

Various online communities developed around the central problems of the earthquakes, from neighbourhood groups helping with insurance claims, to forums and message boards where people posted pictures of lost and found pets or pages where people discussed, how the city should look like after the rebuild, to the Facebook page of the Student Volunteer Army, a student group who organised and coordinated volunteers through a Facebook page.

Apart from the examples mentioned above, I also encountered a couple of business uses in my research. With an online social media platform an organisation or group gains a channel to interact with the community, but also with customers and staff, enhancing business resilience as well.

In the case of Mainland Press, a Christchurch based newspaper business, print production was not possible immediately after the earthquakes. Through a newly found social media site, the Mainland Press reporters were still able to communicate their local news and information until the newspaper went back to normal production. But even after that, their Facebook page ‘Rise Up Christchurch’ remained an important platform for information exchange and discussion with a huge amount of followers.

For other businesses, social media became important a bit later on. To bring life back into the city centre, a transitional mall with shops in shipping containers was build up and re-opened. To spread the news about what was happening there and to keep people up to date about special offers in this new mall, a Facebook page was created and a community was built.

I could go on describing different examples of businesses and other people using social media in the aftermath of the earthquake for different purposes but you probably get what I am aiming for already. All communities are very different and tailored specifically for and through the people engaging, who are interested in the issue, be it earthquake updates, help or the latest news about what is happening in the inner city. Anyway, social media is a great way to keep in touch with your customers, serving as a two-way channel, which enables communication and can help a business or community to reach out and make it more resilient. In most cases, social media was not something organisations or businesses had used before the earthquakes, nor was there a strategy in place for how to deal with the new tool. Even though your social media presence isn’t a core feature in your marketing strategy, it doesn’t hurt to learn these skills and build up a community before a crisis happens.

Martina Wengenmeir is a PhD candidate at the University of Canterbury, in Christchurch, New Zealand. Her research interests lie in cross-medial information flow and online communities and publics.

Friday, 12 September 2014

Learning from experience by blogging

During my time studying business continuity, we were forced by our lecturers to take an additional module on reflective writing (as part of our personal development) and I really didn’t want to do it. I just couldn’t get my head around the value of exploring my thoughts retrospectively. Why should I use my valuable time in completing what is essentially a diary? Surely whatever I learned from the experience would be felt at the time?
Well it’s no secret that the art of completing a journal or a diary has been around for centuries. Many famous and successful individuals in history in their quieter moments have taken the time to reflect. There must be some value in doing this?

Despite my initial reluctance I started to see the value of reflective writing, particularly in understanding the more complex issues. I quickly realised that my brain wasn’t very efficient at breaking things down in real time and approaching it in this way would help me to understand whatever it was that I needed to know. This often included situations where I couldn’t quite grasp a decision, outcome or even the subtext of a meeting or conversation at work. I felt like my brain was clogged up with information that I could barely remember or even understand. I actually felt a bit suffocated by it and in an industry where looking the part is key, perhaps a little stupid. For me, writing these situations out in black and white created an opportunity to take a second look at the experience.

Over the last couple of years I’ve often struggled to see the big picture in situations right away. I’m also very honest about my lack of understanding when it occurs to me. However, I would regularly watch my friends and colleagues working in business continuity appear to understand concepts and other more complex issues much quicker than me (or at least they sounded like they did!). Surely I’m not always the last to the party? I would share these thoughts with close colleagues and loved ones over a period of time and then I started to recognise that I wasn’t the only one. In fact, even the individuals that initially looked or sounded like they understood frequently didn’t. I found some comfort in realising that I wasn’t alone but I was also deeply disappointed to find that very few of my peers were openly sharing these experiences. Wouldn’t it be valuable if we could share from each other’s learning without the fear of looking foolish? To quote an experienced colleague who I respect a great deal, “there is a real absence of a younger voice in what we do.” They are absolutely right.

The last 12 months for me have been a career development whirlwind in business continuity. I’ve had countless new professional experiences from exams and major incidents to ISO 22301 certifications and work area recovery planning. As you can imagine I’ve arrived at situations that are completely new to me and there’s never been a better time to reflect…cue BlueyedBC.

I created the social media platform called BlueyedBC in November 2013 after being encouraged by a number of senior colleagues to share my writing. I decided to go by this title because I wanted to combine the desire of junior professionals to become the blue-eyed boy or girl in their profession with idea of blue-sky thinking. Since this time the BlueyedBC BlogSpot has received over 7000 hits worldwide with hundreds of professionals from around the world starting to follow each article that is released. The unexpected volume of interest prompted me to release a small eBook on Amazon. It includes a series of anecdotes and thought processes that will hopefully assist other new starters and graduates who are about to embark on their careers. I’m also hoping that it offers some insight for senior BC managers in to the fresh mind of a young professional and how some might view these new experiences on face value. Most importantly, I use a simple, honest and easy to understand voice in my writing as described by several senior industry colleagues who have already publically reviewed the content. I can promise readers a light-hearted jargon-free account of how one might feel during the initial steps of their career in business continuity.

Luke Bird is a Business Continuity Executive at Atos in Glasgow and a regular blogger on his own ‘BlueyedBC’ blog site. You can read his blogs by clicking here or follow him on Twitter by clicking here.

Luke’s eBook ‘BlueyedBC: Business Continuity Management - An insight into the world of business continuity management’ is available online by clicking here.

Wednesday, 10 September 2014

Improving organisational resilience – the real justification for business continuity

Although the term resiliency is widely used in setting corporate goals, it is rarely defined in a way in which it can be meaningfully assessed. Traditionally business continuity has provided a proven means of reducing the severity of disruptive interruptions by understanding the operational priorities of the business, the infrastructure that supports them and the acceptable timescales for response and recovery. Business continuity practitioners have always argued that by taking a holistic approach to an organisation, critical dependencies and single points of failure can be better identified and mitigated, thus leading to improved reliability and customer satisfaction. This might seem a reasonable assumption but it is hard to really prove.

This lack of objective proof has perhaps contributed to the often reported difficulties in achieving more substantial stakeholder buy-in for business continuity at the most senior levels in an organisation. Perhaps this partly explains why the change in business terminology from business continuity management (BCM) to organisational resilience is happening so rapidly in many companies. Certainly key individuals promoting the resilience agenda see the opportunity to bring a new discipline into play at the strategic level as a game changer. Adaptability (rather than response) is becoming the new buzzword and traditional business continuity practitioners need to adapt to this new reality.

The construction of more and more detailed plans has failed to achieve the corporate goals for security and resilience that we as practitioners might have expected. The speed of business change makes the need for a more dynamic way of responding to crises ever more important, but as BCM professionals we need to change the way we work – developing organisational resilience capability and the people skills needed to take control of unexpected events should be our primary goals. Good planning is still essential but not writing more compliance based procedural plans.

So what are the obstacles to implementing a successful business resilience plan? Firstly, getting support from the top of the organisation and by this I mean not just budget, but rather the way the message needs to be enthusiastically and positively communicated from the top. Secondly, getting buy-in from the people who have to deliver the plans; this is predominantly the middle managers who are often already over committed and under resourced. Thirdly, making the risk look and feel real because if it is seen as just compliance then you will create a tick-box mentality.

To successfully address these obstacles, it is essential to properly understand how the business actually works and who the really influential players are, those whose opinions are sought and listened to. Find out what the real drivers of success are and what top management really worry about. Do not talk to senior management until you know what is important, any lack of company knowledge will ruin your credibility immediately so prepare well before you talk to them. Build awareness programmes and get your message right when you give presentations as the people who you need on your side are not interested in technical solutions, they want to know about what you can do to help them eliminate or reduce future business problems.

Business resilience is much more than recovery from disaster or serious incidents. It is the ability to identify and monitor risks to prevent them from happening in the first place, or at least minimise the impact. It is about the capability of the organisation to deal with incidents that cannot possibly be predicted or adapt itself to changes in its external circumstances such as civil war in a key supplier country. In some ways it is difficult to highlight companies who are good at resilience because by definition they will be the ones that handle problems, major incidents and even crises almost seamlessly.

The top challenge on the horizon for BCM professionals is changing the mind-set of people both inside the profession and outside it. We have many excellent programme managers but there is not enough really innovative thinking going on. The enthusiasm for the idea of resiliency does give us a chance to articulate a wider strategic vision for our discipline. Thinking up relevant approaches to deal with issues that do not fit the old BCM model of physical disruption to assets is a real challenge – cyber resiliency must be high on our agenda as is mitigating reputational damage using social media. It might be difficult but if we don’t do it, who will?

Lyndon Bird
Technical Director at The Business Continuity Institute

Tuesday, 9 September 2014

Rules of crisis management: don't let lightning strike twice

The great Irish playwright George Bernard Shaw famously once said of success, that it “does not consist in never making mistakes, but in never making the same mistake a second time”. In much the same way this rule can be applied to crisis management. To suffer a crisis once is unfortunate; to suffer a crisis a second time is careless.

Last month the Spanish clothing firm Zara caused outrage when it put on sale a piece of clothing which to some resembled the shirts worn by concentration camp prisoners during the Second World War. The shirt had been designed to be ‘wild west’ themed, but unfortunately the large gold star over the chest looked very much like the Star of David.
To Zara’s credit the company acted quickly to take down the offending item from sale. It also posted apologies to anyone who had been offended by the item on its social media feed with a statement recognising the insensitive nature of the shirt.

Unfortunately for Zara, this was not the first time that the clothing brand had been in trouble for using Second World War iconography in its designs. Back in 2007 the company suffered similar negative publicity when a customer noticed a bag they had purchased from the store included four green swastikas. Again, the company immediately withdrew the item from sale, but not before several tabloid newspapers in Britain had run pictures of the company juxtaposed with Adolph Hitler.
There is no doubt that Zara has made an honest mistake in both instances, unfortunately activist groups and NGOs are less forgiving, with several attacking the company on social media for “ignorance” and a “lack of education”.

In both cases the company reacted swiftly to withdraw the offending products from sale. However, in making the same mistake twice the company has left itself open to accusations of carelessness in the way in which it handles its internal quality control processes.

The key thing about pistols (as anyone who has seen a western will know) is to take the gun out of the holster before firing it, otherwise you risk shooting yourself in the foot, and in this case, twice.

Tom Curtin is the Chief Executive of Curtin and Co, a BCI Partner specialising in crisis communications and reputation management. You can view more blogs my Curtin and Co by visiting their website or by joining their Linked In group.

Friday, 5 September 2014

The CPD Merry-go-round: Why individuals struggle to stay on for the ride

Ever groaned at the thought of undertaking more CPD, to add to another yearly record?

You are not alone: The CPD Research Project found that thousands of professionals in the UK have a great deal of apathy, and negativity, towards their CPD. Many struggle to keep motivated and focused on its true purpose - upholding best practice and ensuring professional qualifications don't become obsolete.

Often such apathy stems from heavy top down requirements from professional bodies and regulators, for number of hours, points, topics, or skills to be covered, coupled with a lack of support or guidance. Yet, paradoxically, CPD Schemes are purposefully designed to be flexible in terms of topic, and are rarely prescriptive in advising what, where, and how an individual professional should undertake their CPD.

Such confusion about what, and how, CPD can be undertaken often spirals and as a result individuals rarely perceive their CPD as a personal achievement and significant addition to their work portfolio.

In particular - individuals lose sight that CPD is actually for them.

Recent CPD should be displayed on your LinkedIn profile, discussed in interviews and job reviews, and included on your CV. Our CPD research shows that clearly demonstrating CPD to employers dramatically improves career prospects, which in real terms, means higher salaries and remuneration.

So what created this generalised apathy in the first place?

A quick look on the internet shows an expansive number of training providers, courses, online activities, events, lunch time and breakfast briefs, and seminars. Many of which have not been verified as 'true CPD'.

For many, the choice is endless, and identifying high calibre or relevant CPD activities becomes a 'hit and miss' activity.

More worryingly, the CPD Research Project found that an alarming number of providers whose training activities are ‘branded’ as CPD happen to be in the lower quartile - in terms of quality.

It therefore comes as no surprise that a central cause of CPD’s bad reputation stems from individual professionals receiving negative, sometimes terrible, CPD experiences. The results of a CPD environment that is populated with low quality training, negative CPD experiences and apathy from all involved, has significant consequences, with many professionals reduced feeling that they are on an endless, and sometimes pointless, merry-go-round.

Find out more at, and when you are sourcing CPD activities, keep an eye out for the CPD Standards accredited providers mark.

Holly Steiner is the Client Relationship Executive at the The CPD Standards Office, a Part of the Professional Development Consortium.

Thursday, 4 September 2014

The development of organisational resilience

With the search for the comprehension and understanding of the meaning of organisational resilience gathering pace with each passing month, the Business Continuity Institute is now well embedded, perhaps even pivotal, in this latest quest to push forward the boundaries of the thinking and theories that relate to protecting and maintaining the value of organisations. The debate about what organisational resilience means in practical terms to organisations and industry practitioners is ongoing, but the recent publication of the BS 65000 – Guidance on Organisational Resilience – as a draft standard for public comment by the British Standards Institute is clearly another step forward in this search for the 'Holy Grail' in enterprise risk management.

The debate about organisational resilience is fascinating because it has been led by a number of academics and academic institutions, which is slightly counterintuitive in the field of social science research and organisational management studies. The usual methodology in the field is for phenomena to occur, the academics then research the phenomena and attempt to understand the causation, context, applicability and the whole myriad of considerations that underpin a theory in the social sciences arena.

With organisational resilience however, this has not been the case. Academics have postulated on the theory of organisational resilience without having the case studies to investigate and sense check their theories against. This situation is exacerbated by the fact that organisational resilience can be a point in time phenomena, so no evidence of the measurement of an organisation’s resilience over a protracted period of time has been published to date. To the contrary, one recently published study stated that an organisation was resilient in its operations, despite the fact that the organisation under consideration no longer exists and its demise was well documented and planned in advance. This situation seems to be counterintuitive to the theory, especially when there is some measure of consensus amongst academics and practitioners that capacity to adapt to change and evolve and thrive in a structured and strategic manner is a key part of what may constitute the state of resilience for any particular organisation.

The BCI has worked to address the gap in the understanding and meaning of organisational resilience by leveraging the wealth of experience and expertise that can be found in the ranks of its members and actively worked to support the development of BS 65000. The BCI also actively participated in the development committee’s deliberations, inputting member’s views and thoughts throughout the development cycle, exactly as it did with BS 25999 Parts 1 and 2, BS PD25666 on Testing and Exercising, ISO 22301, ISO 22313, BS 11200 on Crisis Management and the many other relevant industry standards that have been published nationally and internationally over the past six years.

So back to BS 65000 on organisational resilience and what is happening now, the comments that were submitted from the public consultation phase have now all been collated and the standard’s development committee is now considering those comments and amending the text of the draft standard where that is necessary. After completing the development process and gaining all the necessary approvals required for its final publication, and then the real challenge will commence, as organisations will hopefully take the guidance in BS 65000 and use it to either enhance the resilience of their organisation or sense check or benchmark their current arrangements against the guidance in the standard and then feedback and share their experiences.

It is important to remember that standards and the thinking contained in standards evolves all the time to mirror advances in the relevant industry or activity sector. The new BS 65000 standard not only represents the next big step in our understanding of organisational resilience, but it is also the next phase in the quest for that understanding and the meaning of organisational resilience and it seems quite clear that the quest is still far from complete.

Kevin Brear is a ‘Strategy and Business Systems’ PhD Candidate at the University of Portsmouth and played an important role the development of BS 65000 through his position as a member of the BSI Standards Committee.

Wednesday, 3 September 2014

Seven deadly sins of business continuity plans

Recently I helped plan and deliver a workshop for the Scottish Continuity Group. The theme of the day was to give the delegates ideas of ways to improve their plans. Presentations were given on a number of aspects of planning - including short plans, using business continuity software, the army way of planning and different ways to set out your plans. I gave a talk at the beginning of the workshop to set the scene. It was entitled 'The Seven Deadly Sins of Business Continuity Plans' and I thought I would share the main points with you.

Sin 1 – Unnecessary information

Many Business Continuity Plans I see seem to be full of unnecessary information which is not needed on the day of the incident. They contain policy information, details of when the plan was last exercised and how business continuity is managed within the organisation. I believe that the plan should only contain information which you are going to use on the day of the incident. All the other information should be kept in a separate document.

Sin 2 - Samey

“When something remains consistent when one would expect there to be more variation”.

This is where the plan initially looks good, with lots of detail, and it appears that lots of thought has gone into it. You then read a number of plans within the organisation and you find that almost all the plans are exactly the same. The call centre plan looks exactly the same as the finance plan, except for the name on the front. This says to me that business continuity within the organisation is not taken seriously and the organisation is happy for its plans to be cut and pasted from one department to the next. Of course there will be some parts that need to be the same in all plans, such as the incident management hierarchy, but make sure that your plan is properly tailored to your part of the organisation.

Sin 3 – Connection to the BIA

Many organisations have a large and elaborate Business Impact Analysis (BIA), which capture vast amounts of information. When you come to looking at the plan there is nothing in it recognisable in the BIA. The BIA has a vital part in informing the recovery strategy and key information such as the system recovery order, how many seats the department needs over a timeframe and most importantly what are the Recovery Time Objectives (RTO) of the different activities carried out by the department. Make sure you iron out the essential details which you need during an incident.

Sin 4 – Scope

With many plans I see it is not clear what the scope of the plan is. Is it just the Glasgow call centre or all three call centres across the United Kingdom? Perhaps the author knows the scope of the plans but has not put it into the document. I am never sure whether this is the case or if they have not really thought through the scope of their plan. I think within the plan there should be a very clear scope and the parts of the organisation which are outside of the scope should also be identified.

Sin 5 – No strategy

Many plans you have to read four or five times to actually work out what their strategy is and how they are going to recover their operation. Sometimes it is impossible to work out what they are going to do! There may be tables listing the number of staff to be recovered but no actual location where they are to be recovered to. Sometimes I worry that the organisation doesn’t really know what they are going to do and will make it up on the day, hence they have no strategy to actually write down. Within the plan, I believe, it should be very clear what the recovery strategy of the organisation is. Within my plans I write a paragraph describing the recovery strategy which makes it clear how the organisation will implement its plans.

Sin 6 – The Team

According to the Business Continuity Institute’s Good Practice Guidelines every plan must have a team to implement it. This seems to be missing from many plans and it is not clear who will implement the plan. Even if the plan will be implemented by a team detailed in another document, there should be reference to this within the plan.

Sin – 7 Medium to long term recovery

Many plans I see concentrate on the immediate response to an incident and recovery of the first activities to their designated RTO. After this they run out of steam and are vague on how to recover beyond that. I was guilty of this when I was responsible for planning for a large office of 1,600 people. I had a good robust plan involving a work area for 300 of the key staff but had no plan in place for the recovery of the remaining 1,300 people. Finding space and recovering a small amount for immediate activities is easy; what is more difficult is finding space for the remaining large amounts of people. The same amount of thought and planning should go into your medium and long term planning, especially if it involves large numbers of staff. Once you know how to recover the remaining large numbers of staff then this should be included within your plan.
Charlie Maclean-Bristol is a Director at PlanB Consulting in Scotland.