When it comes to embedding BCM into the corporate culture, it’s important to recognise that there is no “one size fits all” for this activity. It has to be tailored to the company, its people and the business in which it’s involved. At each phase in the BCM life cycle, there are opportunities to create and enhance a BCM culture. Many of these opportunities are created not by the experts but by ordinary employees. This type of initiative should be encouraged because it shows that BCM is taking root.
There’s also a view that BCM should be implemented in controlled, well-tested phases rather than a concerted, company-wide initiative. Such an approach allows for the process to be constantly adjusted by taking into account feedback from each phase. (The five steps for implementing BCM are outlined in an earlier blog.)
It’s critical to ensure that the BCM programme is allowed to mould itself to the company and its people. In this way, abstract best practice becomes “how we do things here”, and that’s a very powerful way of ensuring that the plan remains current. At the same time, though, it’s also very important that the people who are ultimately responsible for the effectiveness of the BCM plan—the directors—are fully behind the rollout, and visibly support it.
Six months later, headline earnings were down almost 100 percent. A company whose prospects had looked so bright soon lost its allure, and was ultimately delisted after only one year of trading on the AltX.
This spectacular fall from grace could not be attributed to anything dramatic like a terrorist attack or earthquake, but simply to a lack of effective operational risk management. The company was sunk by a combination of factors, including power outages, port congestion and poor harvesting practices—all operational risks that were, presumably, well understood within the company. Indeed, BCM planning could have ensured that there were simple and effective solutions in place, such as:
King III, the new Companies Act and the Consumer Protection Act all, in their different ways, highlight the responsibility of companies and their directors to ensure that risks are managed adequately. Despite this, BCM is often overlooked as the most effective way to identify and manage operational risks. While the board retains ultimate responsibility for risk management as a whole, the executive management team is responsible for implementing the operational risk management framework approved by the board and its directors. This framework should be implemented throughout the whole organisation, and all levels of staff should understand their roles and responsibilities with respect to operational risk management.
The alternative, as we have just seen, can be frightening!
Next time, to conclude this series, some thoughts on how to embed BCM into the organisation.
Let’s begin by remembering how widely the effects of a disaster can be felt. If an individual company experiences a disruption, it can be devastating for the people who work for it or rely on its products or dividends. But imagine large-scale disasters, like the Japanese tsunami or the bush fires in Australia, that put many businesses out of commission. If the companies cannot get back up and running quickly, the effects are multiplied because the tax base is affected and economic recovery is delayed.
BCM is critical because it looks beyond dealing with the emergency itself. It takes into account what will be required to get the business up and running as soon as possible and to keep it and its dependants working and contributing to the economy for the long term. The failure of BCM affects the company concerned, the many people who will experience personal disasters when operations cease, and government as well.
One could even argue that BCM is not only a risk management process, but also a basic human right, because it provides:
BCM (or the lack of it) thus has far-reaching effects. In order to make it work, stakeholders across the business and its value chain all have to be involved: managers, process owners, strategic planners, project and procurement teams, key suppliers and directors all have to take part in managing risk. It goes much deeper than just preparing for a major event—a flood, a terrorist attack or the like—and is about preparing the business and its employees for anything. An effective BCM plan based on international best practice will generate the following six clear benefits:
Next time, a look at what BCM failure looks like.
ContinuitySA recommends these five steps:
Next time, let’s look a little more deeply into BCM.
It’s no surprise then that various disciplines have arisen to help companies manage the risks they face: IT risk, Information Security risk, Economic risk and Credit risk. But underpinning them all is Business Continuity Management (BCM), which deals with operational risk. It’s aimed at ensuring that the business can continue to operate as normal as soon as possible after—or even during—a disruptive event. Such an event could be as dramatic as an earthquake or a revolution, or as mundane as sustained power outages or a flu epidemic.
South African businesses are fortunate in that they do not face many of the dramatic environmental risks that other parts of the world face, but we are highly susceptible to the risks associated with emerging markets. Industrial action, power and water shortages, service-delivery protests and inadequate infrastructure are all risks we face, and all can threaten long-term sustainability.
Whatever the risks, BCM looks at the people, processes, infrastructure and technology that the business needs to operate, and then identifies (and ranks) potential threats to each of them. It puts in place plans for responding if these threats become real, but it also establishes ways to avoid them. In so doing, it provides a framework for building organisational resilience.
In the end, by helping to ensure that the company can continue to operate, BCM protects the interests of stakeholders, and the reputation, brand and revenue-generating activities of the company.
Next time, the five steps to effective BCM.
One of the oldest gambling strategies is the martingale. It is played on an even-chance bet and consists of doubling a losing bet. In roulette, you wait for five red numbers in a row, and then you bet black. If red comes up again you double the bet on black. Black then comes up and you win. What are the chances of 10 red numbers in a row? To an uninformed person it seems like a no-brainer to make money. The problem is that it is statistically flawed. The so-called ‘bad run’ occurs far more frequently than one thinks, and you will run out of money before the casino does. Casinos make a fortune from people making this mistake. Are these so-called slight miscalculations that end up costing fortunes avoidable or predictable? The strange thing about the martingale is that people are betting on ‘change’, yet in business people ‘bet’ on ‘no change’. In both cases the assumptions are irrational.
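The arithmetic behind the ‘bad run’ can be worked out exactly rather than guessed. The following Python is an added illustration, not part of the original post: it computes, by a small dynamic programme, the probability that a losing streak of a given length occurs somewhere in a session of a given number of rounds, and how many straight losses exhaust a fixed bankroll under the doubling rule. The loss probability of 19/37 for an even-chance bet on a European wheel (18 losing colours plus the zero) and the bankroll and session length used in the demo are assumed values chosen for the illustration.

```python
"""Run-length arithmetic behind the martingale fallacy (added example)."""


def streak_probability(n_rounds: int, k: int, p_loss: float) -> float:
    """Probability that at least one run of k consecutive losses occurs
    somewhere in n_rounds independent rounds, each lost with p_loss.

    Dynamic programme over the length of the current losing streak:
    state s in 0..k-1 means 'currently on s straight losses'; reaching
    k is absorbing, i.e. the bad run has happened.
    """
    if k <= 0:
        return 1.0
    p_win = 1.0 - p_loss
    alive = [0.0] * k      # alive[s] = P(no run of k yet, current streak = s)
    alive[0] = 1.0
    ruined = 0.0
    for _ in range(n_rounds):
        nxt = [0.0] * k
        for s, mass in enumerate(alive):
            if mass == 0.0:
                continue
            nxt[0] += mass * p_win            # a win resets the streak
            if s + 1 == k:
                ruined += mass * p_loss       # k-th straight loss: absorbed
            else:
                nxt[s + 1] += mass * p_loss
        alive = nxt
    return ruined


def stake_after_losses(base_stake: int, losses: int) -> int:
    """Stake the martingale demands after `losses` consecutive losses."""
    return base_stake * 2 ** losses


def total_exposure(base_stake: int, losses: int) -> int:
    """Money already lost during a streak of `losses` (base + 2*base + ...)."""
    return base_stake * (2 ** losses - 1)


def losses_until_bust(bankroll: int, base_stake: int) -> int:
    """Number of straight losses after which the next doubled stake can no
    longer be funded from the bankroll, so the strategy has failed."""
    losses = 0
    while total_exposure(base_stake, losses) + stake_after_losses(base_stake, losses) <= bankroll:
        losses += 1
    return losses


def martingale_risk_summary(bankroll: int, base_stake: int,
                            n_rounds: int, p_loss: float) -> dict:
    """How likely is this bankroll to be wiped out within n_rounds?"""
    bust_streak = losses_until_bust(bankroll, base_stake)
    return {
        "bust_streak": bust_streak,
        "p_bust_in_session": streak_probability(n_rounds, bust_streak, p_loss),
        "p_10_in_a_row": streak_probability(n_rounds, 10, p_loss),
    }


if __name__ == "__main__":
    # Assumed scenario: 1 000 units bankroll, 1-unit base stake,
    # 1 000 spins, European wheel (19/37 chance of losing an even bet).
    summary = martingale_risk_summary(1000, 1, 1000, 19 / 37)
    print(f"straight losses that bust the bankroll: {summary['bust_streak']}")
    print(f"P(bust within 1000 spins): {summary['p_bust_in_session']:.2f}")
    print(f"P(10 in a row within 1000 spins): {summary['p_10_in_a_row']:.2f}")
```

The same `streak_probability` function is the general tool: it answers any question of the form ‘how likely is a run of k bad outcomes within n trials’, which is exactly the calculation the ‘it has never happened in 15 years’ reasoning in the next paragraphs skips.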
Recently, writers such as Malcolm Gladwell (David and Goliath; Blink), Dan Ariely (Predictably Irrational) and Nassim Nicholas Taleb (The Black Swan; Antifragile) have spent a huge amount of time trying to predict success and failure. The common theme is that human beings are not rational. Decisions are made for emotional reasons and then there is an attempt to justify them after the event.
Gladwell goes to great pains to explain that many failures occur because of a false assumption that appears to be true. The assumption that ‘authority is legitimate’ has cost countless lives, with people doing what is right, enforcing the law (David and Goliath). Taleb believes that a business should constantly be tested with small ‘shocks’ so that it can become resilient or ‘antifragile’. As with the martingale strategy, Taleb suggests that senior management is blissfully unaware of how many incidents actually occur on a regular basis. Management is lulled into the false statistical assumption that, because they have been around for 5, 10 or 15 years, they are infallible and can withstand a severe disruption.
Business Continuity Management addresses many of these false statistical assumptions head-on by running an actual test. A common error is the assumption that all our staff can work from home. This is an assumption that can destroy a company if it is incorrect, and in most cases it is an untested, incorrect assumption. On 9/11 in 2001 there were 430 companies in the World Trade Centre from 28 different countries. Approximately 50 000 people worked there and 140 000 visited daily. 2 606 people died in the buildings (excluding passengers) (Statisticsbrain.com). ‘In New York City, approximately 430,000 jobs were lost and there were $2.8 billion in lost wages over the three months following the 9/11 attacks.’ ‘Approximately 18,000 small businesses were destroyed or displaced after the attacks.’ (Wikipedia). Physical infrastructure is statistically far more important than people realise. ‘In 2007 the Department of Trade & Industry survey on disaster recovery found that of the 60% of UK firms that had a disaster recovery plan, less than 50% had conducted live tests involving staff in the past year. The danger, say experts, is that many companies base their plans on misconceptions and false assumptions.’ (IT Security: Disaster Planning and Business Continuity after 9/11, September 2007)
In the words of the lecturer, ‘To not consider a Business Continuity Plan is a statistical error that could cost you a fortune.’
For these reasons, ContinuitySA is finding that more and more companies are looking for backup solutions that are fully managed and monitored by a specialist service provider, and that do not use tape as the storage medium.
When it comes to backup technologies, ContinuitySA believes that the ideal solution should include an onsite backup and recovery vault at each major location. Because most restores are required within 48 hours (accidental deletions of files and data corruption due to software faults are the most common reason for restore requests) this facility is very convenient. As it uses the existing local-area network, backups and restores are very speedy.
The backup vault should be a purpose-built appliance that can scale easily as well as integrate with new technologies. It should be designed to check the integrity of backups, and compress and de-duplicate data.
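The three vault properties named above (integrity checking, compression and de-duplication) can be shown together in a few dozen lines. The Python below is an added example, not ContinuitySA’s product or any vendor’s design: a content-addressed store that splits each backup into fixed-size chunks, keeps one zlib-compressed copy of each distinct chunk keyed by its SHA-256 digest, and re-hashes every chunk on verification and restore so that a corrupted block is detected rather than silently restored. The 4 KiB fixed chunk size, the in-memory store and the `make_sample_data` generator are assumptions for the illustration; a real appliance persists to disk and typically uses variable-size, content-defined chunking so that inserts do not shift every later chunk boundary.

```python
"""Toy content-addressed backup vault: chunk, compress, de-duplicate,
verify (added example, not any product's implementation)."""

import hashlib
import zlib
from dataclasses import dataclass, field
from typing import Dict, List

CHUNK_SIZE = 4096  # assumed fixed chunk size for the toy vault


def make_sample_data(n_lines: int) -> bytes:
    """Constructed sample 'file': n_lines of 24-byte log-style records."""
    return b"".join(f"record {i:06d} status=OK\n".encode("ascii")
                    for i in range(n_lines))


@dataclass
class Vault:
    chunks: Dict[str, bytes] = field(default_factory=dict)      # digest -> compressed chunk
    manifests: Dict[str, List[str]] = field(default_factory=dict)  # backup name -> digests
    logical_bytes: int = 0                                       # bytes handed to backup()

    def backup(self, name: str, data: bytes) -> dict:
        """Store `data` under `name`; return de-duplication statistics."""
        digests, new_chunks = [], 0
        for off in range(0, len(data), CHUNK_SIZE):
            chunk = data[off:off + CHUNK_SIZE]
            digest = hashlib.sha256(chunk).hexdigest()
            if digest not in self.chunks:          # only unseen content is stored
                self.chunks[digest] = zlib.compress(chunk, 6)
                new_chunks += 1
            digests.append(digest)
        self.manifests[name] = digests
        self.logical_bytes += len(data)
        return {"chunks": len(digests), "new_chunks": new_chunks,
                "stored_bytes": self.stored_bytes()}

    def stored_bytes(self) -> int:
        """Physical bytes held (compressed, unique chunks only)."""
        return sum(len(blob) for blob in self.chunks.values())

    def dedup_ratio(self) -> float:
        """Logical bytes backed up divided by physical bytes kept."""
        stored = self.stored_bytes()
        return self.logical_bytes / stored if stored else 0.0

    def verify(self) -> List[str]:
        """Integrity check over the whole store: decompress and re-hash every
        chunk; return the digests whose content no longer matches."""
        bad = []
        for digest, blob in self.chunks.items():
            try:
                plain = zlib.decompress(blob)
            except zlib.error:
                bad.append(digest)
                continue
            if hashlib.sha256(plain).hexdigest() != digest:
                bad.append(digest)
        return bad

    def restore(self, name: str) -> bytes:
        """Rebuild a backup from its manifest, refusing any corrupted chunk."""
        out = bytearray()
        for digest in self.manifests[name]:
            plain = zlib.decompress(self.chunks[digest])
            if hashlib.sha256(plain).hexdigest() != digest:
                raise ValueError(f"chunk {digest[:12]} failed integrity check")
            out += plain
        return bytes(out)


if __name__ == "__main__":
    vault = Vault()
    day1 = make_sample_data(3000)           # constructed: ~72 KB of records
    day2 = day1 + make_sample_data(200)     # next day: same data plus 200 lines
    print("day1:", vault.backup("day1", day1))
    print("day2:", vault.backup("day2", day2))   # only the tail chunks are new
    print(f"dedup ratio: {vault.dedup_ratio():.1f}x, bad chunks: {vault.verify()}")
```

Note the two distinct checks: `verify()` sweeps the whole store and is what a scheduled integrity job would run, while `restore()` re-checks each chunk at the moment it is used, so a block that rotted between the last sweep and a real recovery still cannot reach the restored system unnoticed.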
The onsite vault should then be synchronised to an offsite recovery site. Providing the right kind of bandwidth is very important to ensure that backups can be completed as scheduled and replicated offsite quickly, with full encryption across the whole process. It’s very important that the recovery site has the necessary server infrastructure on which to perform the restore but also to provide workstations for employees in the event of a major disaster.
As an aside, bandwidth is one of the reasons why cloud restorations don’t work that well. Most companies would take weeks or even months to perform a total system restore over normal Internet connections!
There are fairly high technical specifications built into all of this, which is why so many companies are partnering with a specialist provider like ContinuitySA. Whoever the partner might be, though, it’s very important that the client be provided with user-friendly dashboards and reports to maintain oversight, and that the parties meet regularly to ensure that the backup strategy remains aligned with the overall IT and business continuity strategies.
Data is becoming a key corporate resource—it’s really time to make sure it’s protected adequately with the right backup solution.
In an earlier blog we mentioned the importance of ICT and business working together, but the reality is that most organisations still have a long way to go in achieving this. One common problem is that when the business specifies that process A has to be recoverable within, say, two days, ICT plans for two days without taking into account that the total two-day timeframe has to include the recovery of the people who make the process happen—and where they will work.
The ICT and Business Continuity teams thus have to work closely in developing their plans, and the same principle holds true in exercising.
The second key point we want to make is somewhat more contentious. In the previous blog on exercising, we indicated that the ability to test the Business Continuity Plan in a flexible manner was vital, partly because companies are risk-averse and shy away from running a full interruption exercise. Their concerns are understandable and, for many, the risk of running a full interruption exercise in which something does go horribly wrong is too high, especially considering that the chances of a full interruption event actually happening are low.
However, full-scale exercising of the ICT environment should at least be seriously considered when the stakes are high and time urgency is a key driver. The point is neatly illustrated by the Tale of Two Banks.
Bank A takes its ICT Service Continuity very seriously and periodically switches off its production servers and runs on its ICT Service Continuity systems for a full week. When the fateful day did eventually arrive, Bank A suffered a very public and massive IT outage, but it was able to get its systems up and running within five hours and ran on them for three months while its data centre was reconditioned.
Bank B suffered the same problem and took a whole day to get back up—and was sued by its clients for nearly R1 billion for lost business. In the banking industry, minutes, not hours, can cause irreparable damage to the organisation: financially, reputationally and in lost productivity.
The former had actual experience of what to do, and had used the opportunity of its periodic exercising to hone its performance; the latter had state-of-the-art equipment and facilities but no practical experience.
The Tale of Two Banks clearly demonstrates the return on investment that organisations can achieve if they put in the time and effort to prepare for and exercise their ICT and Business Continuity solutions.
If you are interested in learning more about our tailored training and exercising solutions, please contact ContinuitySA on +27 11 554 8000 or click here and we will contact you.
Because business is so dependent on ICT, it stands to reason that ICT’s ability to recover from a disruption is integral to the business’s ability to do so. Trouble is, ICT Disaster Recovery has traditionally been a highly technical discipline with scant attention paid to the needs of the business.
That’s all set to change as specialist ICT Continuity consultants like ContinuitySA take the lead in helping to move ICT professionals from the “Disaster Recovery” mind-set to a more framework-oriented “ICT Service Continuity Management” approach. ICT Service Continuity Management addresses ICT Continuity in parallel with the wider Business Continuity Management Programme, ensuring joint ICT and business objectives and outcomes and maximising synergies, ultimately reducing cost and effort.
The impetus behind this welcome move is the fact that the ISO 22301 standard references ISO 27031, a little-known standard for ICT Service Continuity Management dating from 2011. The crux of ISO 27031 is to move the focus away from purely technical ICT recovery issues and to look at ICT Service Continuity as a holistic framework of steps that form an integral and interdependent cog in the Business Continuity Management Programme of work. (See Figure 1 for a bird’s-eye view of ISO 27031.)
For this reason, ContinuitySA offers a two-day course for ICT professionals structured around the ISO 27031 standard for ICT Service Continuity Management. The course aims to bridge the gap between business and ICT, so that ICT Service Continuity Plans reflect the recovery needs of the business—and can thus motivate for the right level of budget allocation. Course attendees will receive training that enables them to understand the needs of the business, perform a Business Impact Analysis for each component of the ICT system and then exercise the solution to provide assurance to the business that the ICT recovery is indeed achievable within the timeframes the business requires.
But the time to find out that plans don’t work is not when the disruption has already occurred! If a plan hasn’t been exercised or tested, it’s just not a plan you can depend on.
One mistake many Business Continuity Plans make is to focus on total outages. That means they are often structured so that they can’t be tested piecemeal. Quite understandably, companies see a full interruption exercise involving the entire business as too risky, so testing never moves beyond a theoretical, discussion-based exercise—often leading to an unpleasant surprise when the plan does need to be invoked in practice.
In ContinuitySA’s view, therefore, a Business Continuity Plan must lend itself to being exercised in a flexible manner, starting with a theoretical, discussion-based exercise and then progressing in maturity into practical simulations and exercises. The plan, and the exercising of it, must also make provision for a department, or even half a department, being sent offsite to the work-area recovery site for a day to see whether it can, in fact, continue to function as planned.
This approach has the added advantage of familiarising staff with the components of their plan documents, the various logistical arrangements and communication requirements and what is truly expected of them should the plan be invoked. Exercising is an important and integral component of Business Continuity Management—and forms part of the five-day course mentioned in the previous blog.
In summary, training and exercising go hand-in-hand, ensuring that the ‘reaction is routine’ and that the recovery capability has been validated and proven! You don’t want to be counting the cost when it is too late…