Many people start the year by making lists. When you do this, it is always encouraging if this year's list does not begin with the things carried over from the previous year. However, some tasks are ongoing and need to be reviewed, refined and re-stated. So it is with business continuity management (BCM). My suggestions of what business continuity and risk managers need to consider in 2005 are designed to provide food for thought rather than being an exhaustive checklist. With luck, some of them might even make it onto your 'to do' list.
You have probably already implemented BCM into your organisation. This, I hope, includes a programme of plan maintenance, and testing and rehearsal activity, to make sure that things are kept up to date. But this process is often limited in its application. It may simply consist of a few nudges and tweaks to keep your business continuity capability on its pre-determined track, rather than adapting it to changing environments. The challenges I pose here may require a much wider review than simply changing a few names and updating telephone numbers. Some topics may cut to the very heart of your strategy for ensuring continuity and effective recovery following a disruptive event.
1: New risks
At its heart, the work of BCM is to use knowledge and understanding of risk and its impact on business to develop and implement a strategy that increases resilience and ensures the organisation can respond to, and recover from, a disruptive incident. If Donald Rumsfeld is correct, it is extremely difficult to form a coherent view of risk given that there are known knowns, known unknowns and unknown unknowns.
However much BCM has developed as a management discipline over the past 10 years, risk management has probably developed even more. One of the consequences of this development is that organisations are much better at identifying internal, operational risk and may believe this gives them a good understanding of all the risks they face. The challenge is to keep a watchful eye on the world around you and to consider which developments may lead to new and emerging risks. A simple example relates to the development of mobile phones with internal cameras. At what stage did your organisation start to think about the risk that people might enter your buildings and be able to photograph secure areas using just a simple phone?
2: Regulation
Historically, little if any legislation has directly addressed business continuity. Some countries do have regulatory frameworks that require certain organisations to manage risk or develop appropriate arrangements for ensuring continuity of certain processes. None of this applies in a consistent manner to all the countries within Europe - but things may be changing.
In the UK, the Civil Contingencies Act 2004 places an obligation on a range of organisations, mostly in the public sector, to undertake what might be thought of as business continuity activities (although this precise term is not used in the Act). Add to this the requirement placed on firms by some regulatory bodies (especially in the financial sector) and the 'opportunities' offered by the Capital Adequacy Directive within Basel II, and business continuity managers may find themselves in a different world.
3: Corporate governance
Although I fully accept that there are overlaps, I am choosing to draw a distinction between legislative or regulatory requirements, where organisations are required to put certain measures in place, and corporate governance, where organisations by and large develop (and report on) their own internal systems.
In the UK, implementing Turnbull's recommendations has not turned out to be too problematic. Across Europe, there is rather more concern about meeting the requirements of the Sarbanes-Oxley legislation. For BCM, the challenge is often one of getting to grips with the core content of each new initiative, finding out how it applies (or does not apply) and then being careful not to over-react or over-complicate what may be perfectly acceptable existing arrangements.
4: Standards
There has been much written about the need for standards in business continuity. The Business Continuity Institute (BCI) has long held a list of competencies for its members. More recently, a good practice guide (GPG) was developed which went a stage further and suggested a methodology for business continuity. Building on the foundations of the GPG there is now a more formal specification, PAS 56, which some view as the first step to a recognised international standard.
And yet, any organisation that has embraced ISO 17799 will already have an internationally recognised standard that references business continuity.
So too will those organisations that have developed their business continuity programmes in accordance with the methodology outlined within ITIL (IT Infrastructure Library). Against this backdrop, compliance with one standard may even lead to a non-conformity with others.
For the business continuity manager, especially one who has developed a method that closely reflects the nature, scale and risks within their own business, the challenge may be more about resisting change than embracing it.
5: Disaster recovery services (DR)
As part of their overall resilience/continuity/recovery strategies, many organisations across Europe utilise the services of specialist disaster recovery firms such as SunGard, IBM and Synstar. Historically, such firms have sited their work-area recovery sites in locations that reflect both the risks faced by business and the preferences of their customers. While few of the old risks (fire, flood, IT failure, and so on) have disappeared, some of the newer risks (large-scale terrorist attack, severe weather conditions) may result in a single incident that affects both the primary business site and the back-up site.
To protect against this happening, there may be increasing demand for work-area recovery sites that are situated well away from large population centres. Even assuming that the DR suppliers are able and willing to facilitate this, there will undoubtedly be cost implications, delays while such sites are developed and provisioned, as well as more complex logistic issues which have to be resolved when invoking or even testing the facility.
6: Supply chain
There are still many organisations leaving themselves at risk by not getting to grips with the resilience and recovery capabilities of their key suppliers. This is not a new issue; many firms wrote to their suppliers as part of their preparation for Y2K, but they were inclined not to analyse the results and accepted 'yes, we have a plan' at face value. Have things moved on? In many cases they have not.
Generally, business continuity plans are designed to protect critical processes, not provide for business as usual. Therefore it is important to understand whether delivery of a service or product that is highly important for your organisation is also considered a critical process by your supplier. The key question when talking to suppliers about their business continuity plans is not 'what will you do?' but 'what will you do for me?'
Buying decisions are seldom made on business continuity considerations alone, and cost is always an important consideration. In an enlarged Europe, the challenge for managers is to find ways of working with suppliers who may be able to offer a cost-effective service or product, but who may be less mature in their approach to business continuity.
7: Culture
As mentioned above, business boundaries have changed significantly over the past few years. My own organisation is often asked to roll out a business continuity methodology across Europe. This is not always an easy task.
While many business issues are the same regardless of the country concerned, there are often differences in approach.
Take, for example, initial responses to a fire. In some cultures, the accepted view is that one should simply sound the alarm and leave the building. Other cultures take a more hands-on approach, with people being expected to pick up an extinguisher and fight the fire.
Language is also an important factor, particularly for those organisations that operate across Europe. Plan templates will probably have been developed in whichever country hosts the head office. These may then need to be translated into local languages for completion and then translated back for quality assurance checks.
With regard to style, should the business continuity manager enforce the kind of formal, structured approach often displayed in northern Europe, or accept the more pragmatic, laid-back approach more usually found in warmer climes?
8: Working practices
Many organisations take security (both physical and information) extremely seriously, often displaying highly visible security systems (CCTV, barriers, scanning, ID checks and so on) within the main entrance. But how might these initiatives be undermined by the working practices behind the front door?
Many people use mobile phones and laptops in public places. I am sure many of us realise how easy it is to accidentally eavesdrop on a conversation, or to look over someone's shoulder as they work on their laptop to answer confidential emails or prepare board presentations.
With a growing number of people working from home, this presents an extra dimension to the control of access to systems, both during the normal working day and in the event of a disruption. While staff may understand that they will not be needed in the early stages of a recovery, how many will be tempted to log on and check their email? In a post-disruption environment, with limited bandwidth and perhaps only a reduced number of remote access points, will this interfere with the effectiveness of the recovery effort?
9: Succession planning
For many years, planning for the loss of people was a subject avoided by most firms. Even in a post-9/11 world, few organisations want to raise the consideration of having to react to an event which causes massive casualties among their staff.
But there are examples of smaller scale incidents: food poisoning of an entire shift after eating in the staff restaurant, flu-type viruses spread via the air conditioning system, small groups of specialist staff leaving en masse. The challenge for managers is to move succession planning forward, and to avoid both the general HR perspective of grooming the next finance director and the quality management system approach of documenting everything. They must consider practical, alternative methods of continuing critical processes not just with fewer people, but with different people.
10: Stakeholder engagement
It may come as no surprise that BCM is not the most exciting of topics.
Within the general business environment, few young people survey the organisation around them and single out business continuity management as the role they aspire to. Business continuity is important, but it is seldom urgent.
Of all the challenges faced by BCM, ensuring that key stakeholders remain engaged and supportive may be the most important.
With the support of the business and of the board, it is possible to move forward on the issues outlined above. Without it, even the maintenance of a steady state will ultimately lead to decay in the value of business continuity arrangements over time. The good news is that simple activities will engage people. Things to consider include involving directors in rehearsals, inviting customers to participate in or observe tests, conducting company-wide call-out cascade exercises, or extending the fire drill to incorporate an ad hoc check of knowledge and awareness of recovery strategies. The possibilities are endless.
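A call-out cascade is one of the few items on this list that can be checked on paper before anyone picks up a phone. The following Python script is an added example, not part of the original article or of Garrison Continuity's method: it models a cascade as a tree of callers and callees, times a run under the assumption that each call takes a fixed number of minutes and each caller works through their list in order, and then asks the succession-planning question from section 9 in cascade form: which single absence leaves the largest part of the organisation uncalled? The names, the tree and the three-minute call time are all constructed for illustration.

```python
"""Call-out cascade exercise simulator (added example, not from the article).

The cascade is a dict mapping each caller to the ordered list of people they
are responsible for phoning. Assumptions (constructed for this example):
every call takes CALL_MINUTES whether or not it is answered, callers work
through their list sequentially, and an unreachable person never phones
anyone on their own list, so their whole branch is lost.
"""
from collections import deque

# Constructed example tree; real cascades are usually wider and shallower.
CASCADE = {
    "crisis_lead": ["ops_head", "it_head", "hr_head"],
    "ops_head": ["ops_a", "ops_b", "ops_c"],
    "it_head": ["it_a", "it_b"],
    "hr_head": ["hr_a"],
    "ops_a": ["ops_d", "ops_e"],
    "it_a": ["it_c"],
}

CALL_MINUTES = 3  # assumed duration of one call attempt


def all_people(cascade):
    """Everyone who appears in the cascade, as caller or callee."""
    people = set(cascade)
    for callees in cascade.values():
        people.update(callees)
    return people


def run_cascade(cascade, root, unreachable=frozenset(), call_minutes=CALL_MINUTES):
    """Return {person: minutes_until_notified} for everyone actually reached.

    Breadth-first over the tree: each caller starts phoning as soon as they
    are notified. A call to an unreachable person still costs time, because
    the caller has to try the number before moving on.
    """
    if root in unreachable:
        return {}
    reached = {root: 0}
    queue = deque([root])
    while queue:
        caller = queue.popleft()
        clock = reached[caller]
        for callee in cascade.get(caller, []):
            clock += call_minutes  # the attempt is made either way
            if callee in unreachable or callee in reached:
                continue
            reached[callee] = clock
            queue.append(callee)
    return reached


def coverage(cascade, root, unreachable=frozenset()):
    """Fraction of the people who could be reached who actually were."""
    expected = all_people(cascade) - set(unreachable)
    reached = set(run_cascade(cascade, root, unreachable))
    return len(reached & expected) / len(expected) if expected else 1.0


def single_points_of_failure(cascade, root, threshold=0.9):
    """Callers whose absence alone drops coverage below `threshold`.

    This is the cascade version of the succession-planning question: the
    people whose loss matters are the ones nobody else is lined up to call for.
    """
    spofs = {}
    for person in sorted(all_people(cascade)):
        if person == root:
            continue
        cov = coverage(cascade, root, frozenset([person]))
        if cov < threshold:
            spofs[person] = cov
    return spofs


if __name__ == "__main__":
    timings = run_cascade(CASCADE, "crisis_lead")
    print(f"full cascade completes in {max(timings.values())} minutes")
    for person, cov in single_points_of_failure(CASCADE, "crisis_lead").items():
        print(f"if {person} is unreachable, coverage falls to {cov:.0%}")
```

Running it on the constructed tree shows the full cascade finishing in 12 minutes, and flags the three callers (the operations head, the IT head and one team lead) whose absence alone leaves more than a tenth of the organisation uncalled. The obvious remedy the exercise suggests, a second person holding a copy of each of those lists, can be modelled by adding the duplicate callees and re-running the check.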
So, there you have my list of 10 key challenges to think about this year - and I have not even mentioned insurance!
- Steven Garrod is a consultant with Garrison Continuity, Tel: 01933 666800, E-mail: steven.garrod@garrisoncontinuity.com, www.garrisoncontinuity.com