
Monday, 4 August 2014

10 Items which should be in a BCP (and are often forgotten!)

What should a business continuity plan contain? It's important to keep it concise and manageable, but I'm sure we all have our own ideas as to what the 'must have' items are. Charlie Maclean-Bristol of PlanB Consulting takes us through what he thinks the top ten features of a good plan are:

1. Scope. On many of the plans I see it is not clear what the scope of the plan is. The name of the department may be on the front of the plan but it is not always obvious whether this is the whole of the department, which may cover many sites, or just the department based in one location. It should also be clear within strategic and tactical plans what part of the organisation the plan covers. Or does it cover the whole of the organisation? Where large organisations have several entities and subsidiaries it should be clear whether the tactical and strategic plans cover these.

2. Invocation criteria. I believe it should be fairly clear what sort of incidents should cause the business continuity plan to be invoked. I also believe that these invocation criteria should be “SMART”, so as not to be open to interpretation. The criteria should be easy to understand, so if you get a call at 3am and are informed of an incident it should be fairly obvious whether you invoke or not. Focus should be on the loss of an asset such as a building or an IT system, not on the cause of the loss. There needs to be a ‘catch-all’ in the invocation criteria which says ‘and anything else which could have a major impact on our operations’ so that the criteria are not too rigid if we need to invoke for an incident we have not yet thought of.

3. RTOs. Defining and agreeing your Recovery Time Objectives is one of the most important items you set during the analysis and design stages of the business continuity lifecycle. There should be a list of RTOs relevant to your plans within the document so you can make sure that you are going to recover your operations at an agreed time.

4. Strategy. I have looked at lots of plans which have lots of detail within them but having read them I am no wiser to the organisation’s recovery strategy or even whether they have one at all. I like my plans to have a written strategy which tells the story of how we are going to recover, containing details of outline activities, locations and timescales. Then it is clear to anyone implementing the plan what your recovery strategy is and how it will be implemented.

5. Information from the BIA. I have seen lots of organisations which do very detailed BIAs and collect lots of information. This information, which could all usefully be used in the recovery, does not make it into the plan. It looks as if two separate activities have been carried out - the BIA and the plans - yet there is no visible connection between the information collected in one and the information in the other. If you cannot use the information in the plan then why collect it in the BIA stage at all? There should be a clear relationship between the information collected in the BIA stage and the information within the plan.

6. Items not needed on the day. Many plans I see are a cross between a plan containing information needed on the day of the incident and policy information. During an incident you do not need information on how often the plan needs to be exercised or the responsibilities of the Business Continuity Manager. My suggestion is to go back through your plan and move to a separate document any information which you do not need on the day of an incident.

7. Telephone numbers. I think telephone numbers should not be contained within the plan. You may wonder how that can be so, as surely you need the numbers to communicate with your key interested parties. Having telephone numbers available is important but I think it should be a last resort to put them within the plans. As soon as you put numbers within a plan you create a monster, which needs to be constantly fed. Every time a number changes you have to change the number in the plan and then send out the amendment to all those who hold a copy of the plan. This creates a huge administrative task. If you give out copies of the plan in hard copy this kills loads of trees, as you will have to reprint a number of copies of the plan. If you just send out the relevant section or page of the plan what you end up with is an unamended plan stuffed full of amendments.

If possible, make use of existing lists within your organisation. There are people whose responsibility it is to update telephone lists. The CEO’s PA may keep all the senior management team’s details up to date on a laminated card and send the card out to all executives. Get yourself on this distribution list for the card and instantly you have a list of the telephone numbers of all senior managers. If HR keeps a list of all home telephone numbers and mobiles, ask for the list to be made available to the incident team on the day of the incident. Often people are happy to give HR their details but may be reluctant to give the details to anyone else in the organisation. My suggestion is to, wherever possible, avoid putting the telephone numbers in a plan and try to make use of existing lists which are maintained by others.

8. Your plan should have a logical sequence. Too often plans have lots of good information but it is difficult to find. Perhaps on the first page of the plan you could have an immediate action list rather than have pages of background information, scope, objectives and quality assurance information. These are all important and should be in the document but why not put them at the end so they can be referred to only if necessary?

9. Details of the medium to long term recovery. Many plans only concern themselves with the short term recovery and the immediate actions to be carried out after an incident. They go into great detail of how the first 10 members of the call centre will get to the work area recovery centre within the RTO of 24 hours. What the plan does not mention is the strategy for recovery of the 90 other members of the call centre who need to be recovered within one week. Yes there can be some hot planning on the day but I believe there should be some detail within the plan of how to recover the “second wave” of staff to be recovered.

10. A team to manage the incident. Often at the operational level a plan contains lots of good information on the recovery of the department but does not contain any information on who will manage the recovery. Will their representative on the Tactical Team manage the recovery or will it be the departmental managers who will get together and implement the plan? The Good Practice Guidelines 2013 says that every recovery plan should have a team to manage it.

Charlie Maclean-Bristol is a Director at PlanB Consulting in Scotland.

Monday, 14 July 2014

Preparing for the Commonwealth Games

Two years on from the London 2012 Olympic Games, the UK is set to play host yet again to one of the largest sporting events in the world – the Commonwealth Games, hosted by the city of Glasgow in Scotland. Glasgow 2014 may not quite be on the same scale as London 2012, but the crowds will still be high.

On the 23rd July, and over the following two weeks, 6,500 athletes from 71 different countries will be taking part in 17 different sports for the right to win a gold medal. 2,500 journalists will be attending the events and with more than a million tickets sold, the number of additional visitors to Glasgow is expected to exceed 100,000.

So what does all this mean for business continuity planners? For many organizations events like this are a dream come true. Investment in the city in order to rebuild infrastructure over the past few years has been high with many local firms reaping the benefit. During the Games, retail outlets will do a roaring trade as the visitors spend their money on souvenirs, food, drink and, seeing as it’s the west coast of Scotland, probably a few umbrellas and rain coats.

For some organizations however, whether getting into the spirit of the Games or not, there will possibly be some disruption during the two weeks.

If you’re an employer then it’s highly likely that a few of your staff will want to attend some of the events or take leave during what is normally the holiday period. Have you taken this into consideration and made suitable arrangements?

Transport networks will be stretched to the limit as trains and roads become busier than normal. Have you made suitable arrangements to ensure your staff can get to work or perhaps work from home instead? If you work in the transport industry, are your customers or suppliers aware that there might be some delays? For such high profile events, security is always an issue and this can slow things down even further.

If you’re a retailer then the increase in visitor numbers means your stock may go quickly (that’s a good thing) but how quickly can you replace it in order to take an even greater advantage of the circumstances? With international events such as the Commonwealth Games, language can often be a barrier. English may be the common language for many of the countries competing, but there will be many other languages spoken too. Do you have the ability to communicate with non-English speakers?

Let’s not forget the extra strain that will be placed on the communications network. Do you rely on your mobile phone, and can you guarantee it will work when so many other people are trying to use theirs? There may be a similar issue with broadband if the network starts to reach capacity.

Of course, with all the excitement about the influx of new customers, businesses mustn’t forget their existing customers, those people who will (hopefully!) still be there long after the Games are over. Do they know what your arrangements are during the Games and have you considered ways to reduce the disruption to them?

A major event such as the Commonwealth Games brings plenty of opportunities to the host city and the surrounding area, but everything comes at a cost. If you prepare properly however, and consider what disruptions could affect your organization, then plans can easily be put in place to ensure that this cost is not high and is far outweighed by the positives.

Andrew Scott is the Senior Communications Manager at the Business Continuity Institute who joined after a brief stint working as the Press Officer for a national health charity. Prior to that he had over ten years at the Ministry of Defence working in a number of roles including communications and business continuity. During this time he also completed a Masters in Public Relations at the University of Stirling.

Wednesday, 11 June 2014

Practice makes perfect

I used to do the Telegraph crossword years ago, after my mother-in-law got me into it (one of the two things for which she is to be applauded – the other being her daughter, obviously). Whilst I wouldn’t claim to be an expert, I did go from not having the faintest idea what most of the clues meant to the point where I managed to finish it more often than not. But for one reason or another I stopped doing it and, until recently, I hadn’t had a go for donkey’s years.

When I started doing it again, I have to admit that I was absolutely useless, sometimes struggling to do more than half a dozen clues. The thing is, there’s a knack to doing crosswords and if you get out of the habit it can take a while to get that knack back again. Anyway, I persevered and, slowly but surely it’s coming back to me.

There are three things that have helped enormously:

Firstly, practice – seven crosswords a week provides an opportunity for lots of practice. Sadly I don’t have time to do it every day, but I usually manage two or three a week.

Secondly, I came across a website called 'Big Dave’s Crossword Blog' which gives the answers. More importantly though, it explains how those answers are arrived at. So for the clues I’ve struggled with (and sometimes there are lots), rather than just giving it up as a bad job, I have a quick look on Big Dave’s site and find out what they were on about.

And thirdly, I’ve put together my own little guide, which includes things like what certain words or phrases in a clue might mean, and what words might be anagram or 'sounds like' indicators or such like. I refer to it when I’m a bit stuck and it often nudges me in the right direction. (Let me know if you’d like a copy).

I still don’t finish the crossword every day (there are some really obscure clues from time to time that you’d have to be Einstein or Stephen Fry to stand a chance of solving), but I don’t do too badly now. I still have to think quite hard about things, but the basics are becoming ingrained and now when I pick up the crossword, I slip reasonably easily into the right way of thinking. I’ve progressed from seldom completing it, through occasionally to fairly regularly, and now I’m setting my sights on the dizzy heights of usually.

The point is that crosswords, as with many things in life – like juggling or playing a musical instrument or crisis management or business or IT recovery for instance – take practice if you want to be any good at them. And for most people, the more practice they get, the more proficient they become. Or to put it another way, the less you practice, the less proficient you’ll be.

So if we want our crisis management or recovery teams to be proficient and effective, we need to make sure they’re up to the job, adequately trained and get sufficient practice to keep them on top form.

Andy Osborne is the Consultancy Director at Acumen, and author of Practical Business Continuity Management. You can follow him on Twitter and his blog or link up with him on LinkedIn.

Friday, 25 April 2014

Does business continuity in the public sector work, and does it get the buy in it deserves?

Many larger companies which have Business Continuity Management systems produce or deliver products. Failure to deliver as a result of any interruption will very likely impact upon the business financially and could ultimately put companies out of business. Is there any wonder therefore that the management of such businesses are often quite willing to spend money on protecting their interests?

Public Sector organisations tend to be on the larger side, often having a few hundred employees at the very least and in some cases going into the several thousands of staff. So why is it that the willingness of managers in the public sector to deliver BCMs is not always on the top of the priority list? I should say at this point that I am fortunate to work for a large public service organisation that is wholly behind BC and which has continued to invest in BC despite the financial restrictions which are currently impacting upon us.

In relation to public services there is often little chance of losing business as a result of an interruption and even less chance of being put out of business as a result of financial implications. There is often a cushion of ‘the public purse’ and an assumption that we can manage without BC. However there is every chance of reputational damage being done to the organisation or even to a whole group of organisations. Damage to our reputations is probably under greater scrutiny than at any time in our history.

BC is implemented in the private sector as a matter of necessity or indeed because it is seen by the companies as beneficial. It provides protection against unintended events and may even be a requirement of insurance companies to mitigate any foreseeable risks.

In the public sector BC is often implemented because it is a statutory requirement for plans to be in place. In particular the Civil Contingencies Act 1994 imposes a duty for many public sector organisations to have BC plans in place. The feeling of having something imposed upon you without having the buy in from senior management can only be detrimental to the introduction of BC planning within an organisation.

Many Public Sector organisations utilise ISO22301 to align their BC planning to, or certify their planning against. Is this standard really suitable for the Public Sector? I have heard comments from various sources that the standard doesn’t work for certain organisations.

Many public sector organisations rely upon specialist equipment, very often things which can only be supplied by one manufacturer and sometimes with extremely long lead times. For instance if an individual piece of medical equipment, or a specialised vehicle, is rendered unavailable, no business continuity plan would provide resilience, or would it?

I firmly believe that ISO22301 provides all organisations with the opportunity to create BCMs which are appropriate to their individual requirements. Alignment to most parts of the standard can be achieved and for those organisations wishing to certify against the standard then there are ample opportunities to achieve this.

Due to the very nature of public services, usually a ‘can do’ attitude and the ability to obtain mutual aid from each other, perhaps the very existence of Business Continuity Plans provides the opportunity for us to document this reliable form of restoring services. Borrowing both staff and equipment is not unusual throughout much of the public sector. There will always be occasions when a single point of failure cannot be wholly mitigated against, but this is a rarity and should not be used as an excuse not to establish a course of action, as a minimum, should a failure occur.

In the current climate, where most public sector organisations are trying to deliver services with less financial backing there seems to be an increase in appetite for BC plans to identify resilience, especially in relation to reputational issues. It is clear to the majority that massive reductions in staff numbers across the sector lead to a reduction of services and certainly do not allow for any depth of resilience should the worst occur.

It is imperative that public services spend their available finances wisely. A small amount of expenditure spent now to provide suitable resilience could save large chunks of their budget in the future.

The smallest of changes can make a difference. BC managers should grasp every opportunity to join groups of BC professionals, enabling them to share experiences and collaborate with each other. They should take advantage of training opportunities, which don’t always have to be expensive; participation in webinars and locally arranged events are a great source of information. They should also take advantage of organised promotions to put plans in place and embed them throughout their organisations.

Russ Parramore
Business Continuity Manager
South Yorkshire Fire & Rescue

Friday, 21 February 2014

Never work with children or animals... or technology

The other day I attended a meeting of a local business continuity forum. It was a very well run, very interesting meeting – the latter despite the fact that one of the topics was business interruption insurance, living proof that any subject can be made interesting by an engaging speaker. There was, however, one small glitch in proceedings that I thought was worthy of note. Or that at least gave me an excuse to write a blog.

The second item on the agenda involved a live link-up, via Skype, to a presenter in some far flung, desolate location – Reading, I think. At the appropriate time, the chairman initiated the call. And then… nothing happened, apart from a deafening silence. The technology didn’t work. Now, before you say anything, yes, of course it had been tested beforehand. This was, after all, a group of consummate business continuity professionals. It had, however, been tested on the previous Friday afternoon, whereas the live event was on a Monday morning, when the volume of traffic on the network is, apparently, much greater. To the extent that there wasn’t enough room left in the pipe for a teeny weeny little Skype call.

After much umm-ing and ah-ing and “talk amongst yourselves”-ing, the organisers finally got it working – for a while at least, but then it failed again and they eventually had to resort to a somewhat Heath Robinson solution involving the loudspeaker on a mobile ‘phone next to a microphone connected to the room’s sound system. Which, I have to say, was a better sound quality than the original Skype solution. And so the meeting continued with no further hiccups.

The episode brought to mind a technology glitch at another seminar that I was at a while ago. This time I was presenting to an audience of 200-odd people (by which I mean approximately 200, as opposed to 200 odd people – although there were one or two there who fitted the description admirably). The venue was a concert hall with a huge stage about ten feet above the audience, who were seated around tables in an auditorium the size of a small country. Not at all daunting.

It came to my turn. I took a deep breath, walked up the steps to the stage, introduced myself, pressed the button on the remote control to fire up my slides and…nothing happened. There was a completely blank screen behind me and a couple of hundred people looking at me expectantly. Not even a whiteboard to fall back on. Oops! Time for Plan B. Which was to busk it for ten minutes while the techies scurried around poking things and unplugging and re-plugging things, having tried the universal solution of powering it off and on, which had no effect whatsoever. Eventually the screen came back on, I re-synched my blathering with the pretty pictures and all was well. It was a bit uncomfortable for a while but I got away with it. I even got a bit of a buzz from it in a masochistic sort of a way, although I was only too happy to take the applause and return to my seat at the end of it. And, before you ask, yes, of course it had been tested beforehand. I am, after all, a consummate business continuity professional!

Both incidents made me think about the huge reliance that we place on technology and the difficulties it can cause when it’s not there. But they also made me think that, as often as not, there are alternatives, whether they involve the use of other technologies or switching to manual processes – maybe even reverting back to the way we used to do it in the old days, before all the clever and sophisticated technology arrived to “help” us.

They reminded me of the importance of testing, and the fact that, to be really confident that things will work, testing should be as comparable to the real thing as we can possibly make it. Even then there are no guarantees, but if our testing isn’t realistic it can give us a completely false sense of security.

And they reinforced the point that, whether the solution is highly technical and whizzy or simple and old fashioned, we should always, always have a Plan B up our metaphorical sleeve. Because, as a certain Mr Murphy decreed long ago, whatever can go wrong almost certainly will.

Andy Osborne is the Consultancy Director at Acumen, and author of Practical Business Continuity Management.
You can follow him on Twitter and his blog or link up with him on LinkedIn.

Thursday, 13 February 2014

A vision of the future

I’m relatively new to business continuity management, with only a little over ten years’ experience in this industry that is said to be made up of the 'Men in Grey' - bearded and grey suited men. Someone said this to me at last year’s BCI World Conference; I then looked in the mirror and sure enough that was me already.

So in my short time what changes have I seen, what incenses me and what gives me hope that as an Institute we are making progress?

Like many when they start out in this industry, I was volunteered as opposed to being a volunteer. It was in the days of PAS56 (Publicly Available Specification 56), the forerunner to BS25999 and now ultimately ISO22301.

My experience was that the business in Eastern Europe that I worked for needed to comply with various standards and regulations and business continuity management was beginning to be the latest fashionable topic.

Returning to the parent company in England, I was suddenly considered an expert because I had actually read the existing standard - "Dave can write us a plan" I was told. Oh dear! No ten pillars of business continuity (PAS56); no BCM Lifecycle (BS25999); just "write us a plan." This was post 2000 and the millennium bug scare which had achieved a lot in some respects, but also suggested that BCM was exaggerated to create a cottage industry.

So have we truly progressed? The point in time when business continuity management moved forward for me, I can now see clearly, was driven by the right Top Management influencers driving it. Even then however, the dark side of 'minimum compliance' versus 'budget availability' was always present.

I’m proud to say I now tutor the topic for the BCI via one of its top training providers and in doing so I meet people from many business sectors from Directors to BC Coordinators, and yes, some of those who have been volunteered.

I still see in some of the biggest and multi-faceted global organizations a culture centred on compliance; equally I see huge amounts of dedication, expertise and frustration from people hugely committed to business continuity management.

So what incenses me?

The fact that we still use dramatic events to explain the concept of business continuity. As impacting as they are, and perhaps getting more frequent, I'm incensed that we still think this is how to promote this topic.

The fact that we are often still at loggerheads with the risk industry and that we struggle to embrace each other’s discipline to a common objective.

The fact that we as an Institute analyze supply chain continuity each year and come up with very similar data, yet we still do not have the means to change those findings through a common understanding of the issues.

Finally, the fact that whenever you attend forums, presentations are largely centred around statistics that depict the frequency of events and a series of pictures showing how bad things can get, invariably with no evidence of what we can do to make things practically better.

So, what is the solution and what are you doing about it I hear you say. My view is simple, but the solution may be a little more complex.

Organizations in this day and age have to be commercially driven, be they charities, public sector or private sector, small medium or global; they have to be commercially efficient. Top Management are driven by success often evidenced by financial targets.

The most common phrase I hear when discussing business continuity management and disruptive events is “what’s the chances of that happening?”, the classic response born out of risk appetite and risk attitude. Why spend budget on an unlikely event?

Top Management speak of 'risk' - they can comprehend this because it’s built in to us all from birth. Planning is counter intuitive, reacting is natural.

Something we all must do, and I try to, is promote the concept of business continuity as a value adding, commercially driven, essential part of a successful organization. This includes understanding your Top Management’s appetite and attitude to risk, their maximum attitude to disruption (over time).

When it comes to procurement and managing supply chain continuity, Top Management need to understand the 'Risk/resilience Assessed Total Cost of Ownership'.

As an Institute, as BC professionals, we need to place business continuity at the top table by giving Top Management reasons to adopt it based on commercial efficiency, not compliance.

This cultural shift that the BCI Good Practice Guidelines tell us is so hard to measure will happen if we present commercial evidence as to why Top Management need business continuity management.

My part in this transition is to constantly discuss business continuity management in terms of a commercial imperative and offer solutions and concepts, not statistics and photographs.

David Window is the Managing Consultant of Continuity 22301 Ltd in Cheshire, UK.

Friday, 31 January 2014

A nice cup of tea

I do like a nice cup of tea. In fact tea is pretty near the top of my all time favourite drinks list. Five or six cups a day is the norm when I’m at home or in the office. And I have to say that Mrs Oz does make a cracking cuppa.

When I’m out and about, though, I tend to drink coffee. That’s because generally other people’s tea isn’t anywhere near as good as Mrs Oz’s. In fact, in my humble opinion, a surprisingly large number of people don’t have the faintest idea of how to make a decent cup of tea.

My brother thinks there’s no such thing as a bad cup of tea (perhaps that’s because his tea making capability is distinctly average – don’t tell him I said so though!) but I beg to differ. In fact, I’m sat drinking one right now in a hotel with my breakfast and wondering why I didn’t order coffee instead.

A bad cup of tea is, in my view, worse than no cup of tea at all. It might have all the ingredients (not that there are many) but if it’s not done right it can be awful.

In a similar(ish) vein, my view is that a bad business continuity plan is as bad as – and possibly worse than – no plan at all. A bad plan might seem to have all the right ingredients but, as with a cup of tea, if they’re not put together properly, the results can be somewhat disappointing. And, as with a bad cup of tea, the only time you really find out how unpalatable the results are is when you come to try it.

So, at the risk of being contentious, my advice would be the same in both cases – if you can’t make a decent one (or find someone who can), it’s probably not worth bothering at all!

Andy Osborne is the Consultancy Director at Acumen, and author of Practical Business Continuity Management.
You can follow him on Twitter and his blog or link up with him on LinkedIn.

Thursday, 16 January 2014

Are we ready for significant power outages?

Have a quick look around you and see what is powered by electricity in your buildings: pretty much everything. We need to start asking questions, questions like:

  1. Can we maintain power for all our critical services through generator provision? Remembering that accessibility to large quantities of fuel becomes difficult without electricity.
  2. Are we up to date with our alternative power supply testing regimes?
  3. If our plans include the hire of generators, will they be available to you? Have you an agreement in place? Remember that everyone might want one.

The power outages may be localised meaning staff can work from other sites, therefore:

  1. Have we alternative sites and are staff able to work remotely?
  2. Can we switch sites/are staff happy to move?
  3. Do we have a home working policy?

There are no hard and fast answers to this and you will no doubt be mindful that the only way to respond is to be aware, plan and test. I think this may well be the biggest issue facing practitioners over the next 18 months; being prepared for power loss on a grand scale is no mean feat, but careful consideration of this issue in your plans between now and whenever will no doubt assist in your response.

Steve deBruin is the Business Continuity Lead at North Somerset Council, UK.

Wednesday, 15 May 2013

Developing a response for the unexpected

“The only thing harder than planning for an incident, is having to explain why you didn't.”

John Bartlett CBCI, DBCI

A number of organisations believe that, somehow, they are different and unlikely to experience or suffer from an incident, the “it will never happen to me” attitude. More often than not, they are wrong. No organisation wants to be affected by an incident or expects it, but that does not mean that they should not consider and plan a response in case it does happen.

Developing and implementing a response to incidents and disruptions is at the core of Business Continuity. It can determine how your organisation is perceived and whether your business survives. It consists of ensuring the appropriate plans are developed and communicated; the required infrastructure and facilities are implemented to support the plans; and completing the necessary risk treatments to achieve the desired Business Continuity strategy defined and agreed (see previous article).

Stages

No matter what the incident or serious disruption, there are five overlapping stages of the response, each of which needs to be considered and included within the planning. These stages are:

Emergency – the immediate response and actions that should be considered and, if necessary, taken, for example evacuation of a building.

Incident Management – the management and coordination of a response to an incident, for example deciding priorities and communicating with stakeholders.

Continuity – the initial response to ensure that essential activities can continue at their minimum level (as defined in the Continuity Requirements Analysis).

Recovery – the actions and activities required to recover additional important activities and increase the essential activities up to a sustainable level above the minimum level.

Resumption – the activities and actions required to return the organisation back to its desired state of operation, which is considered to be “normal” operations. This stage is sometimes referred to as the “Return to normal” stage.

Within each of these stages, most organisations will need to consider activities that fall within a strategic, tactical or operational context. These three levels should be considered and addressed for each of the five response stages above.

Plans

Once you have discussed and decided on appropriate responses for your organisation, the appropriate individuals to be involved in each context (strategic, tactical and operational) should be identified along with how decisions, actions and communication will operate between them. The responses and corresponding structure should then be documented.

The purpose of a Business Continuity Plan (BCP) is to provide guidance, not to be too prescriptive, detailed and complex; a plan like that defeats its purpose, is less likely to be used and is time-consuming to maintain. A BCP should include all the necessary and essential information, but be concise, accessible and easy to follow. There is no “one size fits all” definitive structure that is appropriate for all organisations, but there are numerous examples of BCPs on the internet. The ones which are appropriate for you will depend upon your organisation. However, business and BCM knowledge should be combined to determine the optimum Business Continuity response structure for your organisation, and each plan should have an owner and be regularly reviewed, tested and validated, then updated if necessary.

Within large organisations it is reasonable to expect there to be a number of different plans covering aspects of the recovery stages, for example a Crisis/Incident Management Plan, Business Continuity/recovery plans for each department, an IT Disaster Recovery plan and a “return to normal” plan. These may be complemented with specialist plans or procedures to deal with different types of incident such as evacuation, product recall, stakeholder/media communication, social media management and pandemics (not to be confused with specific threat scenarios). Within small organisations or SMEs, a number of these plans may be combined together.

Infrastructure and facilities

All Business Continuity responses and strategies will require resources, including people, infrastructure and facilities, whether the strategy is to operate from someone’s home, or commercial premises. Someone will need to do something and will need to use something to do it. The BIA and CRA previously undertaken will identify the essential items required and how quickly they are required; the agreed strategy will define how they should be provided. The essential part in planning and implementing the response is to ensure these requirements can be provided when needed, and the necessary provisions are implemented and tested to ensure this can happen.

Technology is at the core of most businesses these days and most organisations struggle to operate without it, whether it be a large data centre with multiple, complex servers, data storage and communication links, or simply a GSM, laptop and internet connection. Developing a response includes implementing the strategy for technology and proving its capability to support the business during the response stages. This may be spare GSMs, a backup data centre, replication of data storage, spare maintenance parts, additional supplies of PCs, laptops and printers or duplicate communication links.

In addition to the technology, people require somewhere to work and facilities to assist their working. This is true of a Crisis/Incident response team and also the people required to continue essential business activities. Facilities may include office space, desk, chair, telephone, fax, photocopier, filing cabinets and so forth. If the organisation is involved in manufacturing, there may also be a requirement for plant and machinery. These should be identified and provisions implemented to ensure they can be available when required.

Risk Treatment

As part of achieving the desired and agreed business continuity strategy, it is important that the agreed treatments for business continuity risks have been implemented, thereby reducing the likelihood or impact if certain incidents or disruptions do occur. The response plans should integrate into the risk treatment plans and ensure methods are implemented to identify when a risk materialises and the point at which escalation is required in case it develops into an incident or disruption which requires activation of part or all of the response plans. The risk treatments should also be regularly reviewed and monitored to ensure they are still appropriate and achieve the desired results.


Tuesday, 14 May 2013

Not what it seems


I was walking my dog, Barney, recently when someone stopped to say hello. To him, not me – he’s always the first one that people talk to, I can’t think why. “I love Springer Spaniels”, she said, when she eventually acknowledged my presence, “in fact I have two myself”.

Andy Osborne, Consultancy Director, Acumen. Author of Practical Business Continuity Management.

“Actually he’s a Field Spaniel”, I replied, to which she asked “are you sure? He looks like a Springer”.
 
I pointed out that whilst his markings are quite Springer-like, Field Spaniels are generally a bit shorter, a bit stockier and a bit squarer-faced than Springers (and a tad more expensive, but I kept that one to myself as I thought she might take it the wrong way).

“Oh” she responded, “he does look like a Springer though”.

This conversation isn’t at all unusual. In fact it’s quite a regular occurrence. On a slightly different, though related note, when my kids were quite young, a similar(ish) thing used to happen with monotonous regularity. They looked quite alike to the casual observer and would sometimes be mistaken for twins. That in itself was fairly understandable I suppose, but we’d occasionally have some bizarre conversations as a result.

One day my wife was in a local supermarket, with both boys in tow. At the checkout the woman behind her asked if they were twins. “No, there’s twenty months between them”, my wife replied.

“Are you sure?” asked the woman, “they certainly look like twins”.

“No, they’re not twins” my wife replied, but the woman was having none of it and continued to dispute my wife’s assertions. Somewhat exasperated, Mrs Oz said “Look, I was there at the birth of both of them and I’m pretty sure I remember. They definitely aren’t twins.”

At which point the woman turned to the checkout operator and said “Would you say they’re twins?”

In a similar vein, it’s very easy for the uninitiated to assume that something that looks a bit like a Business Continuity plan actually is one. After all, it says ‘Business Continuity Plan’ on the front cover and it seems to have the sort of information in it that you’d expect to see.

But sometimes you have to look past the superficial bits to get to the reality. Sometimes, when you dig a bit, it becomes apparent that what, on the surface, is a convincing looking Business Continuity plan doesn’t actually have any substance to it – perhaps because it’s based on assumptions that have never been validated (or are just plain wrong); or because despite the fact that it contains lots of names and ’phone numbers, those named have little if any awareness of the plan or their roles and responsibilities within it; or because it’s never been tested; or because it’s full of holes. Still, it looks a bit like a Business Continuity plan so it must be one, mustn’t it?

There’s a saying that goes something like “if it looks like a duck, walks like a duck and quacks like a duck, it’s probably a duck”. Which may well be true. In fairness though, there’s really no mistaking a duck. But if it looks a bit like a Springer, walks a bit like a Springer and barks a bit like a Springer, it might just be a Field Spaniel. And just because two kids are about the same height and both have blonde hair it doesn’t necessarily mean they’re twins.

…And just because a document looks a bit like a Business Continuity plan it doesn’t necessarily mean it really is one.

If you would like to find out more about how to write a Business Continuity plan, the BCI offers a one-day training course entitled "Writing Business Continuity Plans".