March/April 2011 ISSN 2046-5874 (Online)

Controlling the flow: Mitigating disruption from water-related risks

All pulling together: A collaborative approach to the supply chain

A measuring stick for BCM: Establishing success metrics for your strategy

A new standard for business continuity? A close-up look at the draft ISO 22301 document

Visit the BCI website www.thebci.org

Editor’s Note & Chair’s Column

An array of colour

In this issue of Continuity, which has been published in advance of Business Continuity Awareness Week, we have looked to include as diverse a mix of articles as we could manage to shoe horn in.

The list of topics covered is extensive, ranging from the risks posed by water shortage and water ‘stress’ and the dangers of failing to implement an effective succession planning programme, through to measuring the success of your resilience strategy and the benefits of building stronger relationships between BC practitioners and procurement. The editorial provides a blend of theoretical and practical, compiled by a broad spectrum of industry practitioners representing different sectors, territories and, in some cases, disciplines.

That we should choose to display such an editorial array of colour in this particular edition is important. Our aim is to encapsulate, to the extent that one can in a single magazine, just how expansive and all-encompassing the discipline of BCM is; to illustrate the fact that an effective strategy must permeate every part of your organisation; to show how this embedding into the organisational culture can be measured; and furthermore to demonstrate that by achieving this it is contributing significantly to the on-going success of the organisation.

This effort to put on show the diverse, expansive, all-encompassing nature of business continuity is at the core of BCAW. The event has grown significantly in stature year-on-year and is now supported by some of the leading figures from across the discipline and outside it, who give of their time and effort to participate in activities such as forums, webinars, roundtables and compiling research.

The event seeks to provide practitioners with the materials and the information they need to better display the benefits of BCM to those within their own organisations; while at the same time promoting the discipline directly to those who have no connection at present with it. The goal is not simply to demonstrate the best of BCM to those who already acknowledge the value it provides, but also to facilitate its promotion to those who have not yet done so.

Nigel Allen is editor of Continuity

This is your BCM captain speaking

Last issue, I introduced a theme which I imagine all in the crisis management and business continuity community will recognise as being critical to the outcome of successful crisis management – effective communications.

I recently returned from a trip to the Middle East during which a passenger threatened a ‘terror incident’ on board. These two words were a master stroke of understatement by a highly trained captain, in complete control of his brief, designed to down-play the true extent of our predicament. His briefing, which at no stage suggested a passenger had threatened to blow up the plane, was designed to ensure everyone remained calm and that there was no cause for panic. It worked; no one panicked and everyone remained calm.

An hour before his carefully choreographed announcement (and unbeknown to any of the passengers on board), we had picked up a tail on the edge of UK airspace: two Typhoon jets with orders to “take the plane down” if it deviated from its course. 150 miles from the aircraft was ordered to divert to Stansted because there was “a security incident at Heathrow”. No one suspected we might be the problem. It was the hallmark of a highly effective communications plan being played out in a real crisis.

As we taxied to the hijack holding area it became clear that we were the problem. And yet, in an incident lasting about six hours, passengers remained remarkably calm, almost stoical – as if this irregular event and the apprehension of a passenger was all in a day’s work. This I ascribe to a highly trained and well rehearsed crew working together in a crisis for the benefit of their passengers. We were told just enough and at regular intervals to ensure that our consensus remained intact, allowing decision-makers across a network of vital stakeholders to wrestle with the consequences of what would have been a very tough decision indeed had the aircraft tried to land at Heathrow.

The response of the captain and his crew attracts my huge admiration and only comes from rigorous training and effective communications so vital to maintain confidence and consensus.

James Royds FBCI is the Chairman of the BCI

Contents March/April 2011

Editor’s note & Chair’s column

News

BCM Bureau: What impact do you think the new ISO 22301 will have on the discipline of BCM?

All pulling together: Continuity speaks to Néstor Alfonzo Santamaría and Matt Innerd about the growing importance of supply chain management for Local Authorities and the establishment of the London Supply Chain Resilience Group

A measuring stick for business continuity: John Robinson looks at BCM success metrics and proposes a set of criteria against which companies may establish the effectiveness of their continuity strategy

Demonstrating the success of your BCM strategy: Measurements of resilience not only help organisations to understand how robust they are, but also help to make a business case for resilience, explains Amy Lee

Managing supply strain: Colin Ive discusses the risks posed by an increasingly supplier-reliant world and explores how managers can secure boardroom backing for their resilience efforts

The supply trinity: BCM-procurement-supplier: Nigel Allen highlights the importance of forging strong links between business continuity and procurement in order to develop a more resilient supplier network

When the well runs dry: Continuity discusses the alarming findings of a recent report on water stress with Kimberlee Myers and considers the implications for global supply chains

Controlling the flow (cover story): Nigel Allen explores growing concerns regarding the gap between water demand and water supply, and highlights the importance of measuring your exposure to this under-pressure resource

The need for integration: In part two of his article, Brendon Young explains why, if not properly understood, risk cannot be correctly reported

ISO 22301 – A new standard for business continuity? Hilary Estall takes a closer look at the proposed ISO standard, highlighting the initial reactions to the document, and considers whether it is a positive move forward

The essence of organisational continuity: Paul Kirvan drives home the importance of effective succession planning and asks why some organisations simply do not get it

Can you prove it’s embedded? Alex Hindson looks at embedding business continuity management as a route to creating a risk aware culture and explores the parallels between BCM and ERM

Business Continuity Awareness Week 2011: Continuity discusses the main aims and objectives of BCAW with Lyndon Bird

BCI News

Soap Box

Continuity
Business Continuity Institute, 10 Southview Park, Marsack Street, Caversham, Berkshire RG4 5AF, United Kingdom

Continuity is the magazine of the Business Continuity Institute and is published six times a year.

Editor: Nigel Allen, Tel: +44 (0) 118 947 8215
Advertising Sales: Geoff Howard & Rebecca Jackson, Tel: +44 (0) 161 743 3551
Art Director: Mary Schoales
Consulting Editor: David Honour

Continuity is printed by Headley Brothers Ltd, Ashford, Kent, UK and is published by the Business Continuity Institute.

BCI Chairman: James Royds FBCI
BCI Vice-Chairman: Chris Oliver FBCI

BCI Central Office, Telephone +44 (0) 118 947 8215
Executive Director: Lorraine Darke
Technical Director: Lyndon Bird FBCI
Administration Manager: Jan Gilbert
Head of Events: Lucy Burns
Events Administrator: Lucy McDonnell
Head of Campaigns: Lee Glendon CBCI
Partnership Account Manager: Simon Piatt
Membership Officer: Helen Simm
Membership Administrator: Lynn Forrest
Subscriptions Administrator: Daniel Saunders
Finance Manager: Kate Curry
Technical Consultant: David Lloyd, Tel: +44 (0) 1306 883986

The views expressed in Continuity are not necessarily those of the Business Continuity Institute. All efforts have been taken to ensure the accuracy of the information published in Continuity. However, the publisher accepts no responsibility for any inaccuracies or error and omissions in the information produced in this publication.

© Business Continuity Institute. No information contained in this publication may be used or reproduced without the prior permission of the Business Continuity Institute.

News

Science must influence risk assessment

UK committee highlights disconnect between scientific advice and NRA

The UK’s House of Commons Science and Technology Committee has issued a report criticising the government’s levels of emergency preparedness and highlighting the fact that scientific advice does not play a sufficiently prominent role in planning for such events.

The report, entitled “Scientific advice and evidence in emergencies” states that there is too much of a disconnect between the Government Chief Scientific Adviser (GCSA) and the National Risk Assessment (NRA), and that such advice is mainly only sought in the aftermath of a particular incident.

The committee has called for scientific evidence to be used at all stages of risk assessment by the government, and furthermore that the GCSA be required to assess all risks in the NRA that require scientific input before the assessment is signed off. The report also supports the establishment of a new independent scientific advisory committee to advise the Cabinet on risk assessment and review the NRA.

Commenting on the report, Andrew Miller MP, committee chair, said: “The current approach smacks of closing the stable door after the horse has bolted. Science is not just something to reach for when a crisis happens, it must be integral to the whole planning process and unfortunately the government still hasn’t got it quite right.”

The report highlights the volcanic ash cloud event in April 2010 as a clear example of the disconnect between scientific advice and risk assessment, stating that the potential for disruption to aviation due to natural catastrophes was highlighted by earth scientists but this was not included in the 2009 risk assessment process.

The committee also raised concerns about how risk is communicated to the public, highlighting the way the risks posed by the H1N1 virus were delivered and the use of the concept of ‘reasonable worst case scenario’. Miller said: “The government should emphasise the range and likelihood of various possibilities to the public, with a concept of ‘most probable scenarios’ becoming familiar to the public’s understanding of risk. Reasonable worst case scenarios are potentially misleading as people think they describe something that is likely to happen.”

NIST releases guide on information risk planning

New publication ‘fundamentally changes how we manage information security risk’

The US National Institute of Standards and Technology (NIST) has released a new publication aimed at helping organisations to more effectively integrate information security risk planning into their mission-critical functions and overall goals.

The publication, entitled “Managing information security risk: Organisation, mission, and information system view” (NIST Special Publication 800-39) is based upon a three-tiered, risk-management approach that, according to Ron Ross, NIST Fellow and one of the principal authors of the publication, “fundamentally changes how we manage information security risk at the federal level.”

Ross states that SP 800-39 promotes a holistic approach to managing risk at the information system level in which determining what needs to be protected is based on the organisation’s core missions and business functions. In the case of a power plant tied to the distribution grid, for example, the manager must ensure that its computer security keeps hackers from interfering with the plant’s power generation or getting into the power grid.

The goal is to ensure that strategic considerations drive investment and operational decisions with regard to managing risk to organisational operations (including mission, function, image and reputation), organisational assets, individuals, other organisations (collaborating or partnering with federal agencies and contractors) and the nation.

“SP 800-39 is about building more secure information systems which will ultimately allow senior leaders and executives to better understand the mission and business risk brought into their enterprises by the ever-increasing use of, and dependence on, information technology and network connectivity,” Ross says.

The publication is the fourth in the series of risk management and information security guidelines being developed by the Joint Task Force Transformation Initiative, a joint partnership among the Department of Defense, Intelligence Community, NIST and the Committee on National Security Systems.

Complexities of virtualisation for SMEs

Managing migration and back-up a challenge for smaller businesses

SMEs must be aware of the potential risks posed by the rapid adoption of virtualisation and the associated complexities of managing migration, back-up and recovery between physical, virtual and cloud environments, according to Acronis, a provider of back-up and security solutions.

The warning stems from the results of the Acronis Global Disaster Recovery Index, which shows that 73% of small-to-medium-sized companies worldwide agree that virtualisation has either completely or partially changed the way the business manages its backup and disaster recovery.

While the introduction of virtualisation was fuelled by server consolidation and cost efficiencies, this so-called next phase or second generation of virtualisation adoption poses challenges to traditional backup and recovery processes as users struggle to implement known backup and disaster recovery practices in a new hybrid environment.

Seth Goodling, virtualisation practice manager at Acronis, said: “The introduction of server and workstation virtualisation was not about back-up, it was largely driven by cost and consolidation. As we progress into widespread virtualisation adoption, IT managers are learning that traditional physical server back-up solutions are inadequate for virtual machine backup, and maintaining separate back-up strategies for physical and virtual confuses the backup scenario even more.”

Goodling added: “Many traditional back-ups are agent-based, which means that an application is required and consumes precious virtual machine processing resources. Simultaneous initiation of agent-based back-ups can cause serious virtual machine disruptions, including total failure of the underlying physical host.”

US updates legislation to secure critical cyber infrastructures

Government will not have authority to shut down internet

US Homeland Security and Governmental Affairs Committee Chairman Joe Lieberman, ID-Conn., Ranking Member Susan Collins, R-Me., and Federal Financial Management Subcommittee Chairman Tom Carper, D-Del., authors of comprehensive cybersecurity legislation, have introduced updated legislation to secure the country’s most sensitive and critical cyber infrastructures and protect Internet freedom.

The Cybersecurity and Internet Freedom Act explicitly states that “neither the President, the director of the National Center for Cybersecurity and Communications or any officer or employee of the US government shall have the authority to shut down the Internet.” It also provides an opportunity for judicial review of designations of our most sensitive systems and assets as “covered critical infrastructure.”

Joe Lieberman said: “We want to clear the air once and for all. As someone said recently, the term ‘kill switch’ has become the ‘death panels’ of the cybersecurity debate. There is no so-called ‘kill switch’ in our legislation because the very notion is antithetical to our goal of providing precise and targeted authorities to the President. Furthermore, it is impossible to turn off the Internet in this country. This legislation applies to the most critical infrastructures that Americans rely on in their daily lives – energy transmission, water supply, financial services, for example – to ensure that those assets are protected in case of a potentially crippling cyber attack.”

Susan Collins said: “The threat of a catastrophic cyber attack is real. Attacks are happening now. In March 2010, the Senate’s Sergeant at Arms reported that the computer systems of the Executive Branch agencies and the Congress are now under cyber attack an average of 1.8 billion times per month. The annual cost of cyber crime worldwide has climbed to more than $1trn globally.”

Commenting on the country’s increasing dependence on the internet, Tom Carper said: “While in most cases this powerful technology has transformed our daily life for the better, unfortunately bad actors – from common criminals to foreign terrorists – have identified cyber space as an ideal 21st century battlefield. We have to take steps now to modernise our approach to protecting this valuable, but vulnerable, resource. We also have to balance our need for security in this new frontier with our democratic values of freedom and liberty. This legislation strikes that careful balance – providing the tools that America needs to better protect cyber space while additionally protecting our civil liberties.”

ERM uptake continues to rise

Deloitte study highlights increase in programme implementation

There has been a marked increase in the number of organisations which have adopted enterprise risk management programmes in recent years, according to the seventh edition of Deloitte’s global risk management survey.

The survey, which was conducted during the third quarter of 2010, found that 79% of respondents reported that they had an ERM programme in place or were in the process of implementing one, up from 59% in 2008. The report stated that the greatest challenges in implementing an effective programme, highlighted by approximately a quarter of institutions as extremely or very challenging, were integrating data across the organisation and cultural issues.

The study also found that the position of chief risk officer continued to become increasingly prevalent, with 86% of respondents having a CRO or equivalent position, up from 73% in 2008 and 65% in 2002. The CRO has also gained a high profile in the organisations, reporting at either board level or to the CEO (or both) at 85% of institutions. 51% of respondents reported that the board of directors conducts executive sessions with the CRO, compared to 37% in 2008.

It was also reported that, following the global financial crisis, the importance of incorporating risk management considerations into performance evaluations and compensation decisions has been widely discussed, but 37% of institutions reported that they had completely or substantially done so for business unit personnel.

The survey is based upon the responses of 131 financial institutions from around the world – including retail and commercial banks, insurance companies, and asset managers – with aggregate total assets of more than $17trn.

BCM Bureau

Continuity invites three leading market practitioners each representing a different sector or country to provide their expert opinion on a key issue currently impacting on the BCM arena

What impact do you think the new ISO 22301 will have on the discipline of BCM?

JOANNE GAGNON AMBCI

Joanne Gagnon is the BCI Spain area representative and a freelance BCM consultant, based in Barcelona, Spain

In my opinion countries tend to fall into one of two categories when it comes to standards and certification: those that support and see value in the use of standards and those that are ‘neutral’ in their approach to them. I would say that Spain falls into the former category in this regard, as it is a country that has a positive outlook on the role of standards and certification.

Although I am not aware of any exact figures, I can say that while some Spanish companies use standards issued by BSI and ISO, they primarily focus on those issued by AENOR (Asociación Española de Normas), the Spanish Association for standardisation and certification. Most ISO and BSI standards are aligned in one way or another with one of the schemes of AENOR and are then used to certify organisations. For example, the Spanish association has agreed to adopt BS 25999 as an ‘official’ AENOR/Spanish standard. However, in some instances the association has chosen to develop its own standard as has also been the case in many other countries.

The positive attitude of Spanish organisations towards not only standards, but also the guidance provided in the BCI’s Good Practice Guidelines (GPG), was clearly demonstrated when BS 25999 was launched in Spanish. Organisations highlighted the fact that far from competing, the two organisations were transmitting a business continuity message that was complementary and perfectly aligned. Companies also noted the recent adaptation of the GPG served to more closely align it to the principles and vocabulary of the standard. A number of organisations have sought to align their systems with the standard and more are expected to do so going forward.

At present, however, there are only a relatively small number of organisations in Spain that have achieved certification to BS 25999 Part 2. Business continuity management, it must be acknowledged, is still at a very early stage of development in Spain. One of the reasons for this is that the ability to improvise is very much a part of the Spanish culture and also people’s approach to potential incidents is often one based on “Well, we’ll cross that bridge when we come to it.” In such an environment, promoting the benefits of BCM can be a real challenge.

In my opinion, in response to the question posed, I would expect companies in Spain to continue to favour the standards and schemes produced by AENOR and ISO standards which are adopted by them.

BRIAN HENRY FBCI

Brian Henry is managing director of Caridon Business Solutions
www.caridon.za.net

There is a buzz of conversation around the coffee shops of the BCM world in advance of the release of ISO 22301. As is often the case, this buzz includes a fair amount of misinformation, misunderstanding, expectation and speculation on the new standard.

But do we need another standard when we already have the BCI’s Good Practice Guidelines, BSI’s BS 25999 and BS 25777, or the many other national BC frameworks? Will the ISO standard be better? Will it be more comprehensive? No-one seems too sure, but the expectation is that it will at least incorporate the essence of the BSI standards.

Let’s consider the roles of professional and standards bodies and why so many are setting standards for the same issues. In my opinion, as long as there are different nations, territories, cultures, economic communities and languages, there will always be differences of opinion on what is required or constitutes good practice. This is where ISO fits in. The theory is that ISO is the ‘catch-all’ for standards from all regions, disciplines and industries. It represents a collective agreement on the way things should work most effectively.

It is also the role of ‘external’ entities to facilitate this collective agreement. Supply chain managers and related bodies, for example, are very conscious of the issues faced in terms of managing the resilience of their suppliers. However, in my opinion, it is the BCI, an independent organisation, that is the most visible in promoting how to tackle these issues through activities such as the supply chain continuity road shows. Equally, it was the Bank of International Settlement and not the manufacturing industry that first declared the governance issue of the continuity of critical supplies. In these examples, we have numerous disciplines – finance, procurement and BCM – all identifying the same challenges. Yet it is clearly the role of ‘external’ bodies to take the role of setting standards and accepted practice.

Therefore my expectation of ISO 22301 is that it should ratify the best practice aspired to by those of us who have endeavoured to implement BS 25999 and BS 25777, and elevate BCM good practice principles as an indicator or differentiator for organisations seeking trusted trading partners.

8 CONTINUITY March/April 2011 ©iStockphoto.com/lorrainedarke along with20,000housesinthesurroundingsuburbs,andcreatedsignificantdisruptionforfamiliesorganisations. affecting many partsofthecountry. Mostrecently, thefloodsinQueenslandinundatedcentral businessdistrictofBrisbane, Lately, businesscontinuityhasreceived unaccustomed attentionin Australia largelyduetothesuccessionofnatural disasters [email protected] Tim Janes is director of FulcrumRisk Services andpresident of the Business Tim Janes and guidelines. We have offeringsfromfederal government our landaboundswithbusinesscontinuitystandards,handbooks For a relatively smallpopulationofjustover 21millionpeople, arouse interestandraise awareness. We canhopethattheintroductionofISO22301willcontinueto community, it didprovoke abroaderdiscussionofthesubject. to achieve widespreadacceptanceinthebusinesscontinuity standard, AS/NZ2 5050. Although AS/NZ2 5050hasfailed stimulated by thearrival inmid2010ofthebusinesscontinuity Locally, businesscontinuityawareness hadalready been prepare forthedevastating consequences. unaware thatwellestablishedmethodsexistedtohelp them such events, bothnatural andman-made,butwerepreviously now deeplyaware ofthehugepotentialfordisruptionfrom and motivation tothemany Australian organisationsthatare affected individuals. What ISO22301may offerareideas The arrival ofISO22301may offerlittlerelieftotheflood MBCI C ontinuity Institute Australasian has climbedsteadilytoward thesummitof‘Mount ISO’,ithasled Some have commentedthatasthebusinesscontinuitydiscipline would allcomeunderonesetofrules. business continuityrulestofollow, undertheproposalthey insurers andlifecompanieshadseparate butvery similar standards intoone. Where previously Australian banks,general consolidate itsthreeexistingbusinesscontinuityprudential the Australian financialservicesregulator, hasproposedto A recentexamplereflectsthismove towards simplicity. APRA, intended universal applicability. 
to simplifythechoice over which modeltofollow, given its business continuity. For theundecided,ISO22301may help cause adilemmafororganisationsunversed intheworld of agencies, regulators,standardsandadvisory bodies. This can and acceptanceforthediscipline,thosewho practice it. should notbelamentedifitbuildswidercommunityunderstanding the lossofcomfortablebutobscureacronyms andvocabulary to adilutionoffamiliartermsandprinciples.Speakingpersonally Chapter March/April 2011

Continuity

,

 All pulling together Continuity speaks to Néstor Alfonzo Santamaría and Matt Innerd about the growing importance of supply chain management for Local Authorities and the establishment of the London Supply Chain Resilience Group

Local Authorities are facing numerous challenges as they strive to maintain service delivery levels in the face of increasing budgetary constraints. How is this impacting on their ability to maintain supply chain resilience?

Néstor: The Corporation is, strictly speaking, not a local authority although of course we have local authority powers and responsibilities (among other functions), but as the provider of local government services for the square mile (City of London) we must acknowledge that these challenges have certainly focused everyone’s attention on the supply chain and encouraged Local Authorities to look more closely at their suppliers. It has also prompted a lot of innovation on this front and greater collaboration across London, as we all look to share resources and best practice. This has helped reduce any duplication of work to strengthen the supply chain.

The City of London Corporation and the 32 have established the London Supply Chain Resilience Group. What were the original drivers behind this and how was the group set up?

Matt: The issue of resilience in the supply chain has been a key topic for BC practitioners in Local Authorities for many years, and was regularly discussed at various meetings and networking events. It has become increasingly prominent on the risk register due to the fact that more and more we are using suppliers to deliver core services. What we became aware of was the fact that on many occasions a number of Authorities were sourcing the same service from one supplier. In fact, in one instance 29 Boroughs were using the same supplier. We therefore proposed the setting up of the London Supply Chain Resilience Group to the Local Authority Panel (LAP), which is part of the London Regional Resilience Forum, who gave their support to the group. The group itself, however, is practitioner-led and I report on our activities to the Forum at their quarterly meetings.

Néstor: From a senior management buy-in perspective, we have been extremely lucky that Chris Duffield, Town Clerk and Chief Executive of the City of London, who also chairs the LAP, has been a driving force behind this and is committed to ensuring that we share best practice and resources across London to make sure that we deliver the best level of service to the public. We’ve also benefited hugely from senior management buy-in across the Local Authorities in London.

What would you say are the overall aims and objectives of the group?

Matt: The aim of the group is to develop and enhance resilience in the supply chain of London Local Authorities by implementing a systemic and consistent approach to audits of critical supplier or contractor business continuity arrangements.

Néstor: Essentially, we are looking to standardise the way we look at the supply chain and also the questions that we ask of our suppliers about how they can continue to deliver their services. Also we want to make sure that we embed a BC focus into the procurement process – not just at the point of contract but throughout the process.

Matt: By working more collaboratively we are also reducing the impact of our efforts on suppliers. So instead of ten Local Authorities contacting the one supplier to request evidence of their BC activities, they are only contacted by one Authority which can then share its findings.

Néstor: Furthermore, by streamlining these processes, you can generate greater value for money, as the cost of achieving compliance with these requirements which are normally incorporated into the supplier’s fees will be reduced as they don’t have to comply with numerous different demands.

So, in effect we are introducing a standardised approach to the way in which Local Authorities audit their suppliers. Would that be correct?

Néstor: We are doing a lot of work in order to align our activities with BS 25999. In fact, we have set up a lead auditor course in partnership with the British Standards Institution to train Local Authority personnel across London in how to audit against the standard.

Matt: A number of BC professionals, including myself, have already taken the course. What we are looking to achieve is a standard approach to how we audit suppliers. Once an audit has been carried out, other Authorities can then review the findings and recommendations, and either choose to accept them or put any queries to the audit team who will address them to the supplier if necessary.

Néstor: We are standardising the way we look at BCM by adopting a collaborative approach. In fact, during Business Continuity Awareness Week, BSI representatives will be speaking at the City Business Library about how the standard can help achieve consistency.

Can you explain how the group is structured and how it operates?

Néstor: The group meetings are hosted on a monthly basis by one of the central London Boroughs and are chaired by a BC practitioner from outside of central London. Matt is the chair of the group and Amy Jiggens, business continuity manager for the Borough of Croydon, is the vice chair. We also have representatives from each of the six Local Resilience Forums, which ensures that all Local Authorities are represented at the meeting as the LRF person will report back to their counterparts in the various Boroughs in their area.

From a practical perspective, how have participants benefited from being part of the group?

Matt: One of the main ways in which participants have benefited is that we, as BC professionals, have all gained a better understanding of how procurement and Local Authorities buy and commission services – this is an area we have tended to have very little involvement in. We have therefore been able to use our BC capabilities through liaising more closely with procurement and contract managers to work towards embedding business continuity in the supply chain.

As I mentioned previously, there is also the lead auditors course. As a result of the course, there will be a number of people across the Authorities certified as auditors to BS 25999, and we will then be able to use these skills to carry out audits on key partners and suppliers.

Néstor: We have also gained a greater understanding of what organisations across London are already doing in terms of supply chain resilience. On behalf of the group, Royal Borough of Kensington and Chelsea and the City of London worked together to develop a survey that went out to all 33 Local Authorities and a report was produced which showed what supply chain resilience activities were taking place in the capital.

In short, the most tangible benefits of participation in the resilience group are: sharing best practice; combining our resources; boosting our resilience capabilities and enhancing our overall understanding of the supply chain activities of Local Authorities.

Does the group interact with organisations outside of its membership and can non-member companies access any of the materials it generates?

Matt: Companies outside of the group can most certainly access some of the information which it compiles. The plan at present is to gather information relating to supply chain best practice and to compile a list of consistent messages which can then be used by Local Authorities to ensure a standardised approach. This information will then be pushed out into the supply chain, via channels such as the Local Authority websites.

We have also had a number of in-depth discussions with a range of different organisations, such as London Councils, a think-tank which lobbies government on behalf of councils in London. I also recently gave a presentation on the activities of the resilience group to Heads of Procurement Group which represents procurement practitioners across the Local Authorities. I made them aware of the findings of our London survey and promoted the benefits of streamlining our resilience processes in relation to the supply chain. The procurement group is also reviewing procurement practices with regard to enhancing efficiencies in this process. We therefore discussed ways in which we can work together to produce a standardised set of questions that can be asked at the procurement stage, as well as standard BCM clauses that might be embedded in contracts, rather than having a range of different resilience clauses.

Other organisations that we are in discussion with include: the Chartered Institute of Purchasing and Supply, BSI, the Cabinet Office, the Construction Health & Safety Scheme, the Office of Government Commerce and the Emergency Planning Society Business Continuity Awareness Group.

Néstor: We have also been working closely with the BCI and City of London Corporation has been involved with the Institute’s supply chain workshops. This provides us with another way of sharing what we are doing with a wider audience.

Do you think that such an approach would work in the private sector, or would the issue of competitive advantage prove too much of a stumbling block?

Néstor: There are certainly key elements of what we are doing that can be transferred to the private sector. If you look at what industries within the private sector are doing, such as financial services or retail, there are already a number of groups that have been set up to share best practice on BCM. Exploring what your competitors are doing in this area and sharing your information on BCM adds a great deal of value and makes the overall supply chain a lot more resilient.

If you look in particular at the City, there are a number of companies that deliver particular core services to a lot of businesses. Many of these organisations have the same supplier for services such as facilities management, security or catering. If one of these organisations starts asking questions about their supplier’s BC capabilities it will not have much impact, but if the sector gets together and starts asking a standard series of questions of their suppliers this will raise the bar for the whole supply chain.

It is also important to note that a number of the suppliers that serve the Local Authorities also serve the private sector. So the efforts that we are making on public sector side will also hopefully have positive ramifications for supply chain resilience on the private sector. It will effectively create a supply chain resilience ‘snowball effect’.

Matt: As Local Authorities we also have a duty under the Civil Contingencies Act to promote BC to businesses in our local communities. The resilience group provides a useful means of doing this. We will be able to produce guidance for companies on what business continuity is so that rather than simply asking for evidence of a BC plan they can refer to this guidance to gauge what BC capabilities they would expect to see from organisations.

Néstor: During BCAW, we will be promoting the City Business Library in London as a resource for businesses to learn more about BCM. We will also be partnering with BSI to deliver a number of talks on business continuity, and elements such as human aspects. In addition, as the resilience group generates more reports we will make these findings available to the business community via the City Business Library.

Néstor A. Alfonzo Santamaría is contingency planning officer for the City of London Corporation
www.cityoflondon.gov.uk/businesscontinuity

Matt Innerd is the business continuity officer for the London Borough of Hounslow and chair of the London Supply Chain Resilience Group
www.hounslow.gov.uk/business_continuity

A measuring stick for business continuity

John Robinson looks at BCM success metrics and proposes a set of criteria against which companies may establish the effectiveness of their continuity strategy

How good is your continuity strategy? Does it score 100% or are there gaps? Clearly, it is important for any organisation to understand the probable effectiveness of its recovery capability – firstly, for peacetime beneficial reasons such as governance, regulation, confidence and common sense; secondly, because deficiencies may translate into crisis following an incident. To define success we need to know what we mean by strategy, setting scope and developing a set of indicators. And if these are to be comparable, we also need to make any metrics universal since absolute success criteria may vary between organisations.

Establishing the metrics
BS 25999-1 defines a business continuity strategy as the “approach by an organisation that will ensure its recovery and continuity”. It includes resilience within the strategy remit and states that its purpose is to “provide continuity for [its] critical activities during and following an incident”. It advises us to consider strategic options and resources for each critical activity and predicates success (“the most appropriate strategy”) on achievement of BIA timeframes, cost and the consequences of inaction.

The standard goes on to identify strategic resources and categorises them as people, premises, technology, information, supplies and stakeholders. Each is characterised in slightly different terms, and provides a mix of resilience and recovery measures, options and guidance. These are tactical elements that are indicative of good practice but are not absolute and we have discretion over whether we use, adapt or ignore the rules they imply. They are offered in addition to any strategies we define for critical activities. Together, they imply multiple overlapping requirements and constraints on recovery resources and familiar complexities for BC analysts.

This tells us that the shape of a successful strategy can probably be defined by a set of simultaneous equations – freedoms, rules and constraints – that we somehow have to solve. The core rule set should derive from the BIA as a table of acceptable recovery timeframes. Other rules include those imposed externally by markets, laws and regulations, or internally by organisational policy or strategy. There are potentially many of these and the range of interactions we need to consider is correspondingly large, to the point where simplicity may itself become a critical success factor.

Another standpoint is to treat continuity strategy as an analogue of business strategy. Organisations usually have a mission, vision and objectives defined by levels of attainment over one, three or five years. Business strategies define the mix of external and operational variables required to meet those targets and satisfy stakeholders. Key to all this is a sound understanding of the environment, capability and value chain – a framework that determines what is and isn’t possible. A key benefit of a well-defined business strategy is that it provides a recipe for success that can be communicated and reflected in more detailed plans across the organisation. It provides a frame of reference, allowing activity outcomes to converge on an end goal.

For business continuity we can take the BIA as our mission plan. This provides a condensed, focused evaluation that defines recovery targets over a shortened timeframe. Underpinning this is a similarly condensed recipe for success – our continuity strategy. It defines the shape of our prepared response so the organisation’s recovery criteria can be met reliably under any circumstances. Detailed plans sit beneath it and describe how people and resources are organised and deployed at a more granular level, all integrating seamlessly with a unified sense of direction and purpose set by the strategy and BIA.

Criteria for success
The conclusion of this paper combines these two viewpoints, offering a set of criteria against which you might establish the success of your organisation’s continuity strategy. There are some caveats, however. First, it steers clear of an operational checklist and uses an abstraction, a set of qualities that can apply to most organisations. Second, instead of aiming to build a good score, initially award yourself ten for each test, eroding a point or more for each significant shortcoming you can think of. This means you exit with a score and list of areas for improvement that is specific to your organisation. Each test has a short list of subsidiary scoping questions to guide your response.

Practice – How confident are you that your strategy will work in practice?
• What is its current status; live, draft or unproven?
• What level of assurance do you have? How certain are you and why?
• What assumptions does your strategy make?

Diligence – Does it meet all relevant risk governance and risk criteria?
• Does it leave any unacceptable residual risks?
• Does it leave the possibility of unacceptable residual impacts?
• Does it consider all applicable treatments for each risk addressed?
• Does it satisfy all policy statements of acceptable risk, relevant laws, regulations and controls?

Scope – Does it cover all foreseeable continuity-threatening situations, all areas of the organisation and all aspects of resourcing?
• Does strategy interpret policy to maximum reasonable scope?
• Does it include components for all critical activities and resource types?
• Is any omission justifiable and authorised?

Balance – Are some areas covered in more depth than others?
• Are there significant variations in the ways strategy is applied?
• Are there aspects that are consistently under-played?
• Does it apply risk-based techniques to justify variations?

Clarity – Do readers always interpret strategy consistently and as intended?
• Can it be assimilated quickly?
• Does it use diagrams and clear descriptions?
• Is it vague, misleading or potentially ambiguous in any area?

Flexibility – How quickly and easily can it adapt to address unique situations?
• Is it effects-based (as opposed to dealing with closed sets of scenarios)?
• Does it justify the balance between prescription and flexibility?
• Does it identify decision options and explain how to adapt the strategy?

Resource – How rational is the system for strategy decision-making?
• Does it satisfy all BIA timeframe and service level rules?
• Does it identify and apply rules for restoring all broad resource categories, all critical activities and all critical interdependencies?
• Does it clearly map all requirements and availability options for all critical resource and service components?

Value – Does it deliver acceptable governance within budget?
• Does it challenge all timeframe assumptions?
• Does it promote research into alternatives?
• Does it encourage competition and reflect negotiation with suppliers?

Integration – Does it link with other critical plans and strategies?
• Is it adequately reflected in internal continuity plans?
• Is it adequately reflected in critical suppliers and stakeholders’ continuity plans and strategies?
• Is it aligned with the organisation’s business strategy?

People – Are the right people involved?
• Do all the right people contribute to, review and challenge it?
• Do all the right people know about it and how to use it?
• Is it protected from people who should not see it?

Integrity – How good are the assurance mechanisms?
• Is it covered by a strong management system?
• Is it always kept up-to-date and future-proofed?
• Is it tested under a variety of realistic conditions?

You may of course wish to vary the definitions offered here. However, the principle is sound, offering a framework for self-evaluation where success is defined in a context set by the organisation and its stakeholders. A robust self-critical evaluation on this basis should give you a score and list of improvements that can be delivered from within your management system, converging on a best-value outcome.

Formulating continuity strategy is an intensely practical activity. It involves doing things, spending money and making changes. A repeatable means of measuring success is clearly beneficial, allowing value to be demonstrated and forming a basis for resilience.

[Sidebar: Setting risk-based success criteria – why your strategy is unique to you]

John R Robinson FBCI
John R Robinson is managing director of INONI Limited
www.inoni.co.uk


Measuring resilience

Demonstrating the success of your BCM strategy

Measurements of resilience not only help organisations to understand how robust they are, but also help to make a business case for resilience, explains Amy Lee

Many organisations seek to ensure they can recover from crises; but is recovering and surviving enough? For most organisations, as well as for customers, consumers, shareholders and the general public, surviving and recovering from a crisis is simply not enough. Organisations want to thrive, while stakeholders expect businesses to identify and mitigate potential problems, and to improve and grow through a crisis. Resilience is therefore critical to the ability of companies to meet such demands.

The resilient organisation
Resilient organisations are able to identify, plan for and mitigate potential threats, and respond adaptively to disruption in such a way that can even create opportunities and find the potential ‘silver lining’ of crises. In addition to the link between resilience and crisis, such organisations also perform better during business as usual periods. A resilient organisation is able to flex and adapt to changes as they develop, and generate opportunities and gain advantage over less adaptive competitors.

In a competitive business environment where organisations often either struggle to keep up with demand or to stay in business, it’s easy to see why resilience – adapting to changing conditions and developing innovative solutions to new and persistent problems – has so much potential.

However, despite the business benefits of resilience and BCM, organisations still struggle to allocate resources to improving resilience. This is primarily due to the difficulty of demonstrating progress or success in this area. Organisations allocate their budgets based on balancing costs and benefits as well as the moral case, and because resilience is difficult to measure, the business case for it simply isn’t quite there yet.

Why should we measure resilience?
Resilience is an outcome and an organisational goal, while business continuity management is a tool that organisations can use to achieve it. Many organisations try to evaluate the effectiveness of their business continuity programmes as part of reviewing their BCM budgets, or to understand the effectiveness of the BCM strategies that they have used. However, most choose to measure the tool (BCM) rather than the intended outcome (resilience). If we want to develop a business case for investment or to evaluate the effectiveness of a BCM project, it makes sense that we measure the extent to which it has produced resilience.

This raises a number of issues. How do we measure resilience and how can that help to evaluate BCM? Through research being undertaken by the Resilient Organisations Research Programme in New Zealand we are moving a step closer to answering these questions.

A tool to measure resilience
The Resilient Organisations Research Programme, which is being conducted at the University of Canterbury in New Zealand, has developed a tool to measure and compare organisations’ resilience. The tool, which is a web-based survey, measures resilience using a suite of 13 resilience indicators. These indicators can be seen in Table 1 and are grouped into two dimensions – planning and adaptive capacity. The planning dimension is perhaps the one that most people associate with BCM and covers issues such as senior management buy-in, formal planning and exercising, as well as the organisation’s understanding of resource dependency. The adaptive capacity dimension covers more social and cultural issues, such as communicating across silos, innovation, decision-making and how organisations monitor their environment.

Table 1: Indicators of organisational resilience
Planning: Proactive posture; Planning strategies; Participation in exercises; Recovery priorities; External resources
Adaptive capacity: Leadership; Staff engagement and involvement; Situation monitoring and reporting; Minimisation of silos; Internal resources; Decision making; Innovation and creativity; Information and knowledge

The resilience measurement tool was developed and tested using data from organisations in Auckland, New Zealand. As many staff as possible from organisations of all sizes and industry sectors were asked to take part in the research. It was important to ensure that we got as many of the staff in each company to take part as this would help to ensure that the results represented the reality of the situation in the organisation rather than the opinion of the BC manager or senior executive. This also means that the tool tests how successfully BCM planning has been embedded into the organisations’ culture.

The resilience results
Graph 1 shows the resilience results for a computer consulting company, and highlights its resilience strengths and weaknesses. The information in the graph illustrates that the company’s main strengths lie in its ability to monitor and evaluate its operating environment, and to use this information to feed into business decisions. Staff within the organisation are engaged in managing the organisation’s resilience and are able to use their skills and knowledge to adapt to situations as they arise. This includes a clear ability to manage and share information within the organisation, and a vision of what the organisation should always recover to.

[Graph 1: Resilience results for a computer consulting company. Axes: indicators of organisational resilience against % score]

While the organisation is broadly focused on being able to respond to the unexpected, the lack of formalised planning is a resilience weakness. As a small organisation it may be difficult to invest resources in developing plans and testing these through exercises. However, given the size of the organisation, this may actually make such activities quite easy to do. Staff should discuss roles and responsibilities during a crisis, emergency notification and consider possible scenarios. Creativity is the key to developing a more formalised planning schedule which utilises the organisation’s limited resources; this could also involve working with other organisations such as suppliers or partners.

Graph 2 provides a comparison of the computer consulting company’s results with the average resilience results of other organisations in their industry sector and in Auckland as a whole. This shows that they are lagging behind the average scores for their industry sector and Auckland as a whole for eight out of the 13 indicators as well as overall resilience. The research team also gave each organisation a resilience benchmark which expresses where their score sits and enables them to gauge their resilience in relation to other organisations. The computer consultancy’s resilience benchmark was 7%. This means that 6% of the organisations that took part achieved a lower resilience score and 93% of organisations achieved a higher resilience score. Given this comparison the computer consulting company knows that they need to improve their resilience to keep up.

[Graph 2: Comparative results for a computer consulting company. Series: Computer Consulting Company; Average Property and Business Services Sector; Average Auckland Organisation. Axes: indicators of organisational resilience against % score]

Utilising resilience information
Information about an organisation’s resilience strengths and weaknesses, and a measure of its resilience at any given time, can be used in a number of ways. The information can be used to feed into decision-making processes about what issues or strategies should be tackled next, and to evaluate the effectiveness of resilience strategies or investments. In the example of the computer consulting company, the organisation can use the information about their resilience strengths and weaknesses to make decisions about future BCM activities. For example, they now know that their planning strategies, whether or not they have a plan and the level of planning completed, are particularly weak. To address this they could formalise their current planning, and develop a BCM policy which reflects their business as usual goals. This provides the organisation with a robust methodology for designing and managing their BCM programme, and also links the BCM ‘tool’ with its intended resilience ‘outcome’.

Where next?
As the resilience measurement tool is developed and tested by organisations around the world, our understanding of how the indicators of resilience come together to produce resilience will improve. Measurements of resilience not only help organisations to understand how resilient they are and to map a strategy forward to new levels of resilience, but also empower them to evaluate investments and make a business case for resilience.

Another exciting finding to come out of the Resilient Organisations Research Programme was that there is a link between organisations’ resilience and their cash flow, profitability and return on investment. While the research cannot yet demonstrate which one causes the other, the data suggests that the higher the resilience score of an organisation as measured by the tool, the higher its cash flow, profitability and return on investment are likely to be. Now that the links between an organisation’s resilience and these various financial components are being investigated, executives, managers and board members are suddenly much more interested – and so am I!

Amy Lee
Amy Lee is a director at Stephenson Resilience and a member of the Resilient Organisations Research Programme
www.stephensonresilience.co.uk
www.resorgs.org.nz

'IVXM½IHXS&7 Managing supply strain Colin Ive discusses the risks posed by an increasingly supplier-reliant world and explores how managers can secure boardroom backing for their resilience efforts

I am delighted to be contributing to this edition of Continuity with its special focus upon the hugely important issue of business continuity in the supply chain. I have in recent years seen just how much value a highly resilient supply chain brings to an organisation.

The principle of a resilient supply chain should be of interest to any organisation, as no matter how much work is conducted internally on managing risk and securing the business, if the resiliency of the supply chain is weak the organisation is exposed to events outside of its control which could severely damage or even destroy it. A focus therefore upon critical suppliers having verified, exercised and up to date business continuity plans in place will dramatically reinforce such resilience.

A competitive market

Competition to provide goods and services from overseas businesses has grown strongly in recent years and as a result international trade has expanded like never before. It is easy to argue, however, that extending the geographical reach of, for example, a previously in-house, and quite possibly on-site, function has, whilst quite likely reducing the cost of that function, brought with it an increased risk of failure and so an increased risk of damage to the original business.

It has been my experience that outsourcing has been widely used in the headlong rush to drive down costs. This has in turn added an increased number of critical suppliers to an organisation’s supply chain. On its own, this brings additional risk but what is often forgotten is the likelihood of the company taking on the newly outsourced function in turn outsourcing an element of it. Thus extending the chain, quite possibly without the knowledge of the original business, and adding further risk to an operation.

A simple example of this is:

[Diagram: Company A → Company B → Company C → Company D]

Company A has all IT functions e.g. support, servers and software management operating in house. Then it decides to reduce costs and outsource this to reputable supplier B. Supplier B in turn decides to outsource the data management part of this to company C which will also own the servers upon which the data will reside. In turn C places these servers in a data centre, not their own data centre, but in a leased area of a data centre operated by company D.


Clarifying what is critical

As with any approach to BCM, a thorough business impact analysis should be undertaken to establish just which suppliers are critical and which are not. We should note here that a critical supplier is not the one to whom the most money is paid – far from it. The BIA should scrutinise carefully those suppliers who either provide the lifeblood of an organisation, for example IT services, or those whose product or service, once lost, would have an immediate impact on operations which in turn are critical to the continuation of business.

Once identified such critical suppliers should then be approached to establish what plans they have and in turn what plans their own critical suppliers, if identified, have. One may note here that this could be the first time that they have actually thought of this point.

As already mentioned the provision of goods and services by overseas companies, often following an organisation’s decision to pursue an outsourcing strategy, has become increasingly common. Is it reasonable to expect such companies to have good quality and effective BC plans in place? In my view most certainly! The simplest method of evaluating this quality and effectiveness is to compare it with a BCM standard. This, however, raises the issue of which one to choose.

A standards approach

The BC world have been waiting, some of us patiently, for several years for the publication of the ISO business continuity standard, 22301. While I am sure that progress is being made on this nevertheless it could still be some time before a final version useful for auditing can be created. The latest publication date for this is, I understand, expected to be during 2012.

Fortunately, ISO 22301, from the available drafts, has incorporated much of BS 25999 in it; but, as with all ISO standards, has had to take into consideration a number of different member countries’ individual approaches to BCM. The resulting document therefore could be considered less rigorous than some other BC standards.

BS 25999 has become a widely known, respected and easily available standard. This in turn has generated a great deal of organic growth of online information, reviews and opinions in a variety of locations from chat rooms to websites. All readily available to any individual in the world interested in understanding what is required to achieve compliance and, if needed, formal certification to the standard.

There is therefore no reason why any business in any part of the world cannot establish what it has to do to meet a customer’s demands and expectations seeking assurance of a supplier’s ability to continue to ‘do business’ in the event of a crisis.

I hasten at this point to clarify that simply gathering such data from the internet and using it without any understanding is clearly not going to provide a robust, realistic and therefore suitable solution to the creation of an effective and meaningful plan. The good news here, however, is that training is available in many parts of the world and where this is not readily available online e-learning, provided for example by the BCI, is available to anyone with internet access.

Although I have written above in clear support of BS 25999, I would add that where there are more ‘local’ standards available i.e. Singapore, Australia etc, they could, if suitable and acceptable to the customer, be used to develop plans which will comply with these standards. What is unacceptable is, and I have personal experience of a supplier providing such a document, a plan which has been put together by someone with no understanding of the concept of BCM and has simply assembled a document by cut and pasting example plans and text from a variety of sources they have found on the internet.

My personal experience of this was when a supplier from the subcontinent provided me, following my requests, a plan of around 250 pages, clearly much of which was obtained directly from the internet and certain passages of which I recognised as being written by myself!

So strongly have I felt regarding this principle of improving resilience that I have set up an annual conference, ‘Business Resilience in the Supply Chain’ to address the evolving academic and practitioner processes which are developing best practice on this issue of resilience (www.BRiSC2011.com).

The backing of the board

Developing the principle of a resilient supply chain enables the internal business continuity manager to provide further powerful arguments when seeking to gain boardroom support for their work, especially as there should be zero cost to the business. There is a clear opportunity for the BC practitioner to approach the board and present, following a BIA which has identified critical suppliers to the business, a clear view of the risks the organisation is exposed to should such suppliers encounter a crisis.

With the risks presented then follow up with your solution. That is that all critical suppliers should have established and proven business continuity plans in place which protect not just themselves but also their customers. This then passes the responsibility and cost of improving supply chain resilience directly to the supplier – arguably where it belongs. Such an approach should be attractive to senior management as there is no demand for more cash to fund your activities but simply for them to help you to help them by protecting the supply of goods and services critical to the business.

During the recent, and highly successful, BCI ‘Business Continuity in the Supply Chain’ workshop I facilitated in New York it was suggested that driving this need for business continuity in the supply chain could be the ‘silver bullet’ needed to finally convince senior management teams of the need for BCM within their organisation. Thus my recommendation to those suffering from this all too commonplace malaise is to load up and start firing!

Note: Details of further BCI Business Continuity in the Supply Chain workshops can be found at www.thebci.org

Colin Ive
Colin Ive MBA MBCI is principal consultant at CoDrim www.codrim.co [email protected]

The supply trinity: BCM-procurement-supplier

Nigel Allen highlights the importance of forging strong links between business continuity and procurement in order to develop a more resilient supplier network

There is little doubt that the risks posed by supplier failure currently sit higher on the risk register of the majority of companies than they have in many years. A combination of the ongoing impact of the financial climate on supplier numbers and service delivery, coupled with a spate of major disruptive events such as extreme weather conditions, swine flu and the volcanic ash cloud, has served to test the robustness of many supply chain strategies and in some cases found them wanting. But has this fact had a positive knock-on effect on efforts to enhance resilience in the chain?

Checking the chain

According to Vincent West MBCI, head of business continuity at Aon, “We have certainly seen evidence of supplier failure becoming an increasingly prominent risk”, a fact which he adds is supported by recent studies by the BCI which have identified supplier failure as a key concern for respondents. However, Grant Foster, head of ERM at Aon, while concurring that there is now much greater awareness of the impacts of supply chain failure, believes “[companies] are only beginning to recognise the additional work that will be required to put in place the measures needed to tackle these issues.”

Talking specifically about developments in his own organisation, David Window AMBCI, enterprise resilience manager at United Utilities, says that he has witnessed a much greater focus on BCM in recent years. Whereas once “some simple checks on a vendor’s financial stability prior to contracting” was enough, now he says that “the emphasis has moved to one of managing the current contracted supply chain, including tier two vendors. We are becoming far more robust from a BC perspective in our selection process.”

Procurement and BCM

A key facet of the ability of an organisation to embed resilience into its supply chain is the strength of the relationship which exists between business continuity and procurement. That BCM should play an active role in the procurement process would appear to be a given when one considers the risks, both financial and reputational, posed by disruption to key suppliers. However, it is often the case that this connection is not made and as a result there is the potential for weakness in the chain right from the initial tendering process.

West states that this disconnect has stemmed from the fact that traditionally companies have kept the two disciplines in their own distinct silos, resulting in what he describes as a “misalignment in their respective objectives”. However, the drive to embed BCM into an organisation’s culture, which has emerged in recent years, is serving to bridge this gap. “Business continuity is no longer simply the preserve of one person or team,” he adds, “but now has much greater cross-functional involvement; a fact which is helping to overcome this disconnect.”

Elaine Heyworth, head of risk management at Everything Everywhere, believes that the responsibility for forging these links lies squarely at the door of the BC practitioner. “The business continuity person has to build the relationship. If you are responsible for BCM, then it is your responsibility to market the ‘product’ to the supply chain manager or the procurement manager.”

Consider the incentive

In addition to the disconnect between these two disciplines, a further factor that may be affecting the robustness of the supply chain is the way in which procurement teams are incentivised. Unsurprisingly, the goal of most procurement teams is to create the most efficient supply system in the most cost-effective manner, and in such an environment the resilience capabilities of a particular supplier will often be a secondary consideration if they are considered at all.

“Procurement departments often report into finance functions,” explains Kieran Brocklebank, head of strategy and performance in the supply chain and commercial team at United Utilities, “and they occasionally do not see the value of having robust supply chains. Finance tends to deal with real and short-term costs (budget cycles are typically 6-12 months) and not potential disruptive events. This

can drive procurement departments to consider costs only.”

Commenting on the negative effects on the resilience of the supply chain of this push for greater efficiency, Aon’s Grant Foster highlights the fact that it is “reducing the number of suppliers in the chain. As the pool shrinks, so too does the range of recovery options at your disposal should one of your suppliers fail.”

It is imperative that BC is factored into the procurement process from the very start to counter this potential drought in recovery options. Procurement teams must be encouraged to focus not purely on the initial contracting stage but on the full lifecycle of the contract relationship, including resilience requirements and supplier performance demands. As David Window points out, “supply chain managers are better incentivised if they look at cost reduction today, tomorrow and throughout the whole of the contract period, which includes mitigating any losses suffered from a disruptive event.”

In the contract

Heyworth is very conscious of the business component of any organisation and as a result the incentive to reduce cost is key to success. It is therefore important, she believes, that the BC practitioner be “an enabler” in this process “rather than a disabler” and highlights the fact that “the addition of a couple of resilience-related clauses in the contract will not cost anything and will add a level of resilience to the supplier relationship.”

“For me the resilience clause should not be too specific,” she adds. “It should state the level of service you require from them at all times, but give the supplier freedom to choose how they ensure this level of service.” It is therefore a balancing act in which the clause permits sufficient flexibility to enable the supplier to devise their own solution for meeting the contractor’s particular demands, while being prescriptive enough to ensure your time and cost components are adhered to.

David Window insists that legal advice be sought on a contract by contract basis to review the potential implications of any resilience-related clauses. Furthermore, he believes that there is always “a potential that strengthening a contract ensures that the risk is backed off to the vendor. However, this will almost certainly result in an increase in cost to the client which needs to be weighed in the balance against the risks and potential impact of that contract failing.”

Knocking on doors

This also raises the issue of whether, once the resilience clause is implanted in the contract, the contracting company is then too willing to accept the BC capability assertions of suppliers at face value, without taking the necessary steps to confirm the validity of these assertions.

Grant Foster believes that this is often what happens. “Many procurement efforts simply end up as ‘tick-box’ actions. To make

it work, you need to be precise about what you want from the supplier from a business recovery perspective,” but acknowledges that in most cases the “default setting is simply to ask for evidence of BC planning.” West concurs, adding that “you need to have someone involved in this process who understands the supply chain and the implications of supplier failure, supplying the procurement department with the information that they need.”

“Often the issue is a resource issue,” says Heyworth, “you simply can’t go out and check the BC assertions of every company. In our organisation, we have identified our key suppliers and we audit them regularly on a range of areas, including: BCM, security, health and safety, risk management and service provision.” Moving forward, she adds that at Everything Everywhere they are looking to conduct scenario testing with their key suppliers by working together with them on a desktop exercise.

United Utilities operates a process whereby a series of questions are addressed to their suppliers at an appropriate level. “As the risks and potential impacts from a loss of a supplier increase,” says Kieran Brocklebank, “we delve deeper into that supplier’s capability to respond to an event. For more critical suppliers, we robustly test their plan in ‘dress rehearsal’ events.”

It is also important to consider the extent to which you can apply the same BC stipulations across the supplier board. While a large, multinational organisation with a wealth of resources may be able to ensure stringent RTOs, the same may well not apply for an SME. “I would never demand a level of resilience from a supplier that I did not think they were able to achieve,” says Heyworth. “It is important that, while the resilience-related clause that we include in the contract will not change, the requirements of the clause are appropriate to the size of the supplier that we are dealing with.”

Supporting your supplier

Once these resilience requirements have been clearly stipulated in the contract, is it then solely the responsibility of the supplier to ensure that they can achieve these? If the supplier is critical and yet is struggling to meet the RTOs stated, should the organisation come to their aid and assist them in achieving the supplier benchmark they have set?

“It is inappropriate to insist on strict adherence to standards without offering to assist suppliers to meet your requirements,” believes David Window. “We take a proactive approach to this through our Full Relationship Management Programme and we take an active role in growing vendors’ capabilities creating benefits for all parties.”

Elaine Heyworth believes that a collaborative approach is central to the resilience of the supply chain. In her organisation, she heads up a BCM centre of excellence which manages resilience across the company via a network of BC contacts within the various directorates. “It should be the same structure for your suppliers,” she believes. “Establish who are the BC contacts within the various suppliers and build a support network across your supply chain. Ideally, get them all around a table to participate in a desktop exercise; although competitive advantage issues may mean that this is not possible and you may have to work with them individually.” Collaboration, she adds, is vital to “limiting the impact of managing the supply chain on your resources. I sell BC to my suppliers in the same way I sell it to the various directorates in my organisation – by making them aware of the value that it brings to their own business.”

Making the connection

The figures speak for themselves when one considers the frequency and impact of supply chain disruption from both a bottom line and brand perspective. The findings of the BCI’s ‘Supply Chain Resilience 2010’ survey make a very strong case for reviewing the resilience of your supplier network. Almost two thirds of respondents had experienced at least one supply chain disruption during the previous twelve months, with the average figure being five and some reporting over 52 disruptions. Of those who used “low cost country solutions”, this figure rose to 83%, due mainly to transport issues and supplier insolvency. For 10% of companies affected by a disruption the financial hit topped €500,000, while 20% acknowledged that their brand and reputation had been negatively impacted.

It would appear from the experts who have commented in this article that to strengthen the supply chain you must strengthen the links between BCM, procurement and supply. Build the relationship between business continuity manager and procurement manager to ensure that your primary point of contact with your suppliers is fully aware of the importance of supplier resilience to the success of the organisation. Embed resilience into the contract so that it takes hold right from the start of the supplier relationship and the standards will be upheld throughout the life of the relationship. Invest in your critical suppliers to ensure that they invest in the success of your organisation – if you categorise them as critical to your business then you cannot afford to have them fail.

Nigel Allen
Nigel Allen is editor of Continuity

All contributors to this article – Kieran Brocklebank, Grant Foster, Elaine Heyworth, Vincent West and David Window – were asked to provide a series of recommendations which they would make to any organisation looking to enhance their supply chain. Below is a summary of these recommendations:

• Invest time in making a model of your supply chain, which tracks revenue streams, inventories and establishes how much buffer time you have in your processes. This model can be used to test scenarios based on key suppliers, sites, processes and changes in market demand, and use this information to reassess critical points (supplier, location, product) in your chain
• The BC manager must go to the procurement department and sit down with them. Don’t simply wait for them to come to you – put yourself forward!
• Deal with business continuity as early as possible in the selection process. This means understanding the criticality of the potential contract and the markets that you are contracting with
• Embed BC principles in contract specifications, and terms and conditions; but only to the extent that it is appropriate to the risk and potential impacts associated with it. Do not overburden suppliers by insisting on levels of preparedness which are inappropriate to the potential impact of losing supply
• It is important that you keep things simple and straightforward. Limit the number of BC clauses that you use and offer these to the procurement teams to put in their contracts. By doing this, it means that there is very little for your procurement people to have to do
• Once in contract, engage in supplier relationship management to maintain or improve suppliers’ BC capabilities and to ensure that your plans are aligned
• Make sure that you partner with your suppliers to ensure that they meet your resilience needs. Be there to help them if they need it. It must be a collaborative approach with all parties gaining value from the process


When the well runs dry

Continuity discusses the alarming findings of a recent report on water stress with Kimberlee Myers and considers the implications for global supply chains

Can you explain what is meant by the term ‘water stress’ and how it differs from water shortage?

Water stress and water shortage are very similar terms. However, water stress may still exist in countries or areas where water is not physically in shortage. This may have to do with, for example, the number of users, misuse or access to water resources. Water stress arises from an imbalance between water use and available water resources.

It has been estimated that in 1995 about 1.76 billion people were living under severe water stress. This figure is likely to rise to 2.8 billion people in 48 countries in 2025 according to current estimates. Of these 48 countries, 40 are situated in the Middle East and North Africa (MENA grouping of countries) or sub-Saharan Africa. In the Middle East high population growth rates and shortages of renewable water supplies have the potential to exacerbate tensions over water rights or force riparian states into more negotiated stances to reduce the scope for scenarios that benefit none. In many regions, rapid population growth, urbanisation and economic growth on current trends will result in increased water demand whilst renewable water supplies diminish as a result of climate change (as a result of less rainfall and higher rates of evapotranspiration).

What are the key factors contributing to increasing levels of water stress and what impacts are we seeing on business and communities located in ‘high risk’ areas?

Key contributing factors to water stress include an increasing number of users, economic development, water waste and climate change to name a few. Climate change is particularly interesting because the precise estimation of future impacts is uncertain and it may result in drought in some areas and flooding in others. Increasing population and therefore demand for water resources, in conjunction with lower levels of precipitation will contribute to water stress levels.

Water security is and will continue to be a key concern for individuals, governments and corporations. Businesses depend on water directly for processing, energy, cooling and cleaning, and indirectly to support their workforce. Therefore, levels of water stress can substantially impact on production costs, thereby determining the availability of a key resource. It also has reputational implications for a business if disputes over resources occur, particularly between business operations and local communities.

Many water-stressed areas will be further affected this century by lowering precipitation levels and increased evapotranspiration due to climate change, and vice versa, many areas will be at risk of increased flooding.

Taking into account these future predictions will be critical for the continued success of businesses that depend on water both directly and indirectly for support systems. Business can and should seize the opportunity to be a water innovator by exploring new ways of using less water and using water more efficiently. Successful businesses should enact programmes of corporate citizenship, acting as an educator and responsible user of water resources in partnership with governments and civil society.

Maplecroft produces a ‘Water Stress Index’. Firstly, can you explain how this index is compiled?

Physical water stress occurs where demand exceeds 40% of total renewable water resources. The Water Stress Index evaluates the ratio of total water use (sum of domestic, industrial and agricultural demand) to renewable water supply, which is the available local runoff (precipitation less evaporation) as delivered through streams, rivers and shallow groundwater. It does not include access to deep subterranean aquifers of water accumulated over centuries and millennia.


The Water Stress Index can be interpreted to represent the risk posed by the demands of competing users on the total renewable water supply of a country. The Water Stress Risk Index features 159 countries. Index values are divided into four risk categories to aid interpretation: extreme (>0.0-2.5), high (>2.5-5.0), medium (>5.0-7.5) and low (>7.5-10.0). Each of these categories is shown on the map in a different shade. Countries are also assigned a rank, based on their relative position in each index, where the country ranked 1 is the highest risk.

The application of the index is to provide a strategic overview of the current situation of physical water stress at global, continental, regional and national levels. It does not take account of future projections, water management policies, such as desalination, or the extent of water re-use.

“In the Middle East high population growth rates and shortages of renewable water supplies have the potential to exacerbate tensions over water rights”

Can you summarise the key findings of the latest study?

At a national level, the Water Stress Index identifies the Middle East and North African countries of Egypt (1), Kuwait (2), UAE (3), Libya (4) and Saudi Arabia (5) as exposed to the most overall risk. Water stress in this region is not surprising as it only receives 1% of the world’s precipitation, of which 85% is lost, for example through evaporation. However, the key economies of Australia (19), India (29), China (40) and USA (51) have all been rated as ‘high risk’ due to massive ‘extreme risk’ areas of water stress, where demand is exceeding 80% of total renewable water resources.

Expanding populations, such as India’s, which grew 1.4% in 2009 according to the IMF, together with rising global temperatures, indicate that water stress will continue to be a challenge for governments, business and society. Access to water is crucial to all livelihoods, but shortages are often felt most quickly by the poor due to their heavy dependence on agriculture. Business, as mentioned previously, depends more directly on water for processing, energy, cooling and cleaning, and these needs can directly compete with those of local communities. Both governments and business therefore have a responsibility to explore and develop new efficiencies to save water, prevent diversion away from local populations and their livelihoods and to ensure that prices do not rise.

Wealthy countries are also vulnerable in ways that are often associated with poorer undeveloped countries. Maplecroft’s water stress map identifies vast swathes of Australia as ‘extreme risk’. The issue has a particular resonance in the south, as it is subject to increasing climate variability characterised by declining rainfall. South Australia has nearly 1 million km² at ‘extreme risk’ of water stress, which represents 12.8% of the total land area. Poor water governance in the past compounded the situation by over-allocating surface and ground water, which has negatively impacted many rivers and watersheds. Subsequently, there is competing user demand from the agricultural, domestic, industrial and mining sectors.

The fact that China and India are listed as ‘high risk’ areas should be of concern to those organisations which are outsourcing activities to these territories. Would you say there is sufficient awareness of this threat amongst such organisations? Is there sufficient information available on this issue?

In India and China, high demand for water is driven by expanding populations and rising industrial and agricultural use. The latest available figures from the UN’s Food and Agricultural Organisation estimate the annual growth in industrial water withdrawal in India at 8.91%, whilst municipal water withdrawal in China is rising at 10.38%. In north and eastern China, which are home to the cities of Beijing, Tianjin and Shanghai, water supplies are being used at a higher rate than available supply. This has prompted the planning of the South-to-North Water Diversion Project, a scheme to transfer water from the wet south to the dry north.

The water stress issue in both India and China is especially important to business as many companies have crucial facets of their supply chains based there. The issue of water stress is more and more becoming a critical component to business operations in these countries.

Do you think that there is sufficient interaction between governments, companies and communities in the affected areas to help tackle the issue of water stress?

Water stress has implications for where and how companies should operate, as well as for the sustainability of their activities. Business requirements will increasingly compete with and have negative impacts upon local communities and their environments unless business takes the initiative to introduce integrated water management programmes and ensures the conservation of water for all. Governments, companies and investors need to be part of the solution.

For those supply chain managers who will now begin reviewing their suppliers in light of this information, what advice would you give them to assist them in their efforts?

Whilst nations may be able to mitigate and adapt to water stress to varying degrees, businesses have an important role to play. Agriculture, mining and energy sectors will likely remain water intensive. Water use will continue to be limited in terms of quality and quantity, whilst other concerns of water derive from regulatory environments (rules of use), financial concerns (costs and penalties) and reputational issues associated with overall mismanagement, including irresponsible and inequitable use. Businesses need to have a firm understanding of national water profiles, water weaknesses in their supply chains and ways to foster best practice.

[Map: Water Stress Index]

Kimberlee Myers is an environmental analyst at Maplecroft
www.maplecroft.com
© Maplecroft ©iStockphoto.com/lorrainedarke

Controlling the flow

Nigel Allen explores growing concerns regarding the gap between water demand and water supply, and highlights the importance of measuring your exposure to this under-pressure resource

The findings of the 2030 Water Resources Group, an organisation set up to highlight the growing risks of water resource scarcity and whose members include McKinsey & Company, the World Bank Group, Coca Cola and Nestlé SA, paint a stark picture of the expanding gap between water demand and water availability. In its report, “Charting our water future”, the group states that by 2030, based on average economic growth with no efficiency improvements factored in, “global water requirements would grow from 4,500 billion m3 today (or 4.5 thousand cubic kilometres) to 6,900 billion m3.” This figure, it states, is some 40% above the amount of accessible and reliable water supply currently available.

At present, agriculture accounts for just over 70% of global water withdrawal, the report claims, with this figure expected to drop to 65% by 2030. Industrial withdrawals, on the other hand, are set to rise from 16% to 22% over the next 19 years, primarily due to growth in China, which at present accounts for 40% of “the additional industrial demand worldwide”. India will see its withdrawal levels rocket to 1.5 trillion m3 by 2030, with current supply sitting at 740 billion m3, due mainly to increased domestic demand.

Checking the water levels

As the gap expands and the ramifications of this supply and demand misalignment become ever more apparent through operational disruptions either within an organisation or along its supply chain, and governmental pressure to manage diminishing water supplies through more stringent licensing requirements, the risks – both financial and reputational – will clearly escalate. However, the fact that very few companies currently monitor their own water usage or that of their suppliers, even in high water risk regions, shows that most organisations are failing to acknowledge the potential threat posed to their operations by the decline in this essential resource.

A benchmarking study of 100 companies entitled “Murky waters? Corporate reporting on water risks” published by Ceres, a network of investors and environmentalists, UBS and Bloomberg, revealed that despite increasing global water-scarcity issues, most major companies in water-intensive industries “have weak management and disclosure of water-related risks and opportunities”. The study found little if any information on water risks or water-related performance data in the financial accounts of most companies, nor do they provide information on local level water data, even for those parts of their operations in “water-stressed regions”.

“Most companies provide basic disclosure on overall water use and water scarcity concerns, but their focus and attention so far is not nearly at the level needed given the enormity of this growing global challenge,” said Mindy Lubber, president of Ceres, following the release of the study last year. “Our global economy runs on water and in many parts of the world this finite resource is under threat. Companies must do more to disclose their potential exposure from this issue and their strategies for responding.”

However, a more recent study conducted by the Carbon Disclosure Project on water disclosure found that the risks and opportunities posed by water-related issues are rising up the corporate agenda. The report, compiled by Environmental Resources Management, found that, of the 175 of the 500 largest companies in the FTSE Global Equity Index Series which responded, 67% reported that “responsibility for water-related issues lies at the board or executive committee level, while 89% have developed specific water policies, strategies and plans.”

The study also found that while 96% were able to pinpoint water exposure risks within their own organisation, only 53% could say the same for their supply chains. In addition, 39% of respondents had already suffered “detrimental impacts” due to water-related risks, with disruption caused by drought, floods, drops in water quality resulting in pre-treatment requirements, rising water prices, fines and legal actions due to pollution.

The CEO Water Mandate

There have been a number of initiatives launched to help stimulate greater disclosure of water sustainability efforts and to encourage companies to implement such projects. Perhaps the most prominent has been the UN Global Compact CEO Water Mandate, a public/private initiative in which those who sign up to the mandate “have a responsibility to make water-resources management a priority, and to work with governments, UN agencies, non-governmental agencies and other stakeholders to address this global water challenge.”

The mandate focuses on six key areas: direct operations; supply chain and watershed management; collective action; public policy; community engagement; and transparency. Those companies which sign up to it are required to compile annual “Communications on Progress-Water” reports which detail how they are endeavouring to enhance their water resource management under the six headings.

In November 2010, the body released the first “Guide to responsible business engagement with water policy” which provides strategic and practical advice to organisations to help mitigate water risks, both internally and in the wider community through greater integration with related bodies and the public. Commenting on the guidance, Gavin Power, deputy director of the UN Global Compact and head of the CEO Water Mandate, said: “The bottom line is that what is good for communities, for public water management, and for the environment is also in the best interest of companies working to ensure their access to water in the long term. With increased threat to supply, quality and reliability of water resources, companies cannot reduce their risk through changes in internal management alone. Future water security requires leadership from governments, and business can play a constructive role in both policy dialogue and implementation.”

What size is your footprint?

As is often the case, one of the stumbling blocks faced in efforts to establish a clear picture of which companies are using what amount of water, both internally and through their supply chain, is that the processes for defining and calculating have not been formally standardised. If companies are not employing the same methodology in calculating their water footprint, then any efforts to benchmark results will be pointless.

The move towards a standardised approach took one step further at the end of February, when it was announced that the first “Global Water Footprint Standard” had received international support from a range of large corporations, policymakers, NGOs and scientists. The standard, issued as part of the “Water Footprint Assessment Manual”, was compiled by the Water Footprint Network, a non-profit foundation made up of over 130 partners established to promote the sustainable and efficient use of fresh water, in conjunction with scientists from the University of Twente in the Netherlands. It is the first ‘scientifically credible’ series of measures for assessing water impact, showing how to calculate water usage for products and processes, as well as for consumers and suppliers.

According to the network, the majority of those companies which assess their footprint as per their guidelines will find that their supply chain footprint is far larger than their operational one, a fact which will influence their efforts to reduce their water impact. While acknowledging that influencing external parties is not an easy task, it proposes the introduction of water-related components into supplier agreements, or assessing water efficiency strategies as part of the supplier selection process.

The standard has received strong backing, with a number of major international organisations putting their shoulder to efforts to improve water efficiency. Commenting on the standard, Monika Weber-Fahr, global business line leader for the International Financial Corporation’s sustainable business advisory, said: “Water is vital to our business: poor water quality or insufficient supply can curtail – or even shut down – activities in business operations and in the supply chain. The method laid out in the Water Footprint Assessment Manual fills an emerging and urgent business need for a means of understanding water consumption in operations and in the supply chain, assessing its sustainability, and devising effective response strategies.”

Also commenting on the standard, David Grant, group sustainable development projects manager for international brewery company SABMiller, said that they had been using it extensively across their organisation in order “to better understand the water risks across its value chain, make appropriate measures to mitigate these … and in so doing work towards a more sustainable use of water resources.”

An alternative tool available to help business assess water risks both for global operations and suppliers, and make informed water decisions, is the “Global Water Tool”. Developed by the World Business Council for Sustainable Development, the tool enables users to compare water usage with “validated water and sanitation availability information” at both country and water basin levels. The council states that comparing water consumption data with availability data at the local level is more effective than a ‘volumetric measurement’ in terms of reflecting potential risks. The tool also helps pinpoint potential water issues either at particular sites or for specific suppliers, enabling them to focus their mitigation efforts accordingly.

One other component of the tool is that it allows companies to produce water-related data in a user-friendly format which includes visuals. As water efficiency requirements become an increasingly prominent component of government policy, shareholder concerns over supply chain disruption from water-related events rise, and the public’s awareness of water risks grows, the ability of organisations to quickly and clearly demonstrate their efforts to enhance efficiency and reduce risks will increase accordingly.

There is little doubt that the risks posed by declining water resources coupled with increasing pollution will become ever more prominent in the list of major corporate concerns. As with any effort to tackle a problem, the first stage in that process is to quantify the scale of the problem and to assess the extent to which you are exposed to that problem. While assessing water usage in the context of your own organisation may be a relatively straightforward process, extending this into your supply chain could provide a much greater challenge.

Nigel Allen is editor of Continuity


Accounting and risk management

The need for integration

In part two of his article, Brendon Young explains why, if not properly understood, risk cannot be correctly reported

In determining how to appropriately integrate accounting and risk management, with a view to improving reporting, it is necessary to understand the fundamental nature of risk. Whereas accounting is traditionally concerned with the recording of historical fact, risk management is concerned with future uncertainty. From a management accounting perspective, there would appear to be an overt relationship between budgetary control and risk management. Indeed, risk management may be regarded as providing a more forensic view in support of management accounting.

Although risk is concerned with future uncertainty, it is initially assessed through analysis of historical losses, which produces the well-recognised positively skewed long-tail distribution. The worth of such a distribution depends upon the quality of data and its relevance to existing and future activities¹. Whilst this analytical approach appears to ignore causality, it does in fact tacitly assume the system is in balance both internally and externally (i.e. that all future losses will be due to the same historical causal factors, whatever these may be).

Under Basel guidance, banks are required to carry out an analysis of historical loss data in order to determine the level of regulatory capital to be held (arbitrarily and questionably, set at a one in one-thousand year event i.e. a 99.9% confidence level). However, in reality, both the organisation and the business environment in which it operates are constantly changing. Hence, although the distribution of historical loss-data represents reality (and is therefore of considerable worth since it is the only real truth) it needs to be adjusted in order to reflect possible futures. Whilst it is clearly impossible to precisely predict the future, it is possible to envision probable futures through scenario analysis and to determine appropriate strategies, with the aim of enhancing responsiveness to change.

Forensic analysis of risk

With regard to management control, a more forensic analysis is required in order to identify causality and hence determine what changes to the system are necessary². In order to gain a more forensic perception of risk it is of assistance to consider fundamental risk categories. Although there are an infinite number of different risks, they can all be grouped into three fundamental risk types: people, systems and processes, and external events. In addition, it is helpful to consider two other risk categories: cumulative interactive risks and random events³. Each category has different loss distribution characteristics:

People risks: People risks occur, primarily, due to:
1. Deliberate wilful action, by employees or external persons (e.g. fraud or malicious damage), and
2. Errors due to normal adaptive human behaviour or to fatigue.
People risks are best controlled through sound corporate governance, adoption of appropriate professional standards, prompt management action, and the diligence of honest, well-trained and appropriately motivated employees.

Systems and process risks: Systems and process-based risks are of an inherent nature and, therefore, the recurrence of losses will be unavoidable in the absence of change to the system itself. This type of risk will produce a clear loss-distribution signature. Internal auditing is appropriate to ensure adherence to predefined systems. However, it should be recognised that auditing will not reduce system-based risk since only a change to the actual system will do this.

External events: External factors can be expected to impact differently on different organisations. Major external events may lead to systemic losses and are, therefore, of particular interest to regulators. Unfortunately, the future occurrence of such events is unlikely to be detected through the analysis of historical data. Alan Greenspan, former chairman of the Federal Reserve, stated that pre-emption remains a major challenge: “The important lesson is that bank regulators cannot fully or accurately forecast whether, for example, sub-prime mortgages will turn toxic, or a particular tranche of a collateralised debt obligation will default, or even if the financial system will seize up. A large fraction of such difficult forecasts will invariably be proved wrong.”

Cumulative interactive risks: A catastrophic loss event may result from the accumulation and interaction of a number of lesser errors and weaknesses (from all or any of the above classes). It is unlikely that data alone will indicate the possibility of this type of risk. Diligent and prompt management action is necessary to prevent the build-up of a chain of events.

Randomness: A major loss may be totally random in nature. Such risks are unique, totally unpredictable and non-recurring. Consequently, data analysis will not indicate the probability of the next event nor its magnitude. If present in historical loss-data, random events lead to distortion of an organisation’s overall loss distribution curve. The uniqueness of random events, often referred to as black swans⁴, requires that they be treated as a separate risk class. Predicting a random event is to accurately predict the future; an impossible task.

BCM supports risk management

For those events that are by nature unpredictable, approaches other than data analysis and auditing are necessary. Business continuity management is a widely accepted approach for addressing potential major risk events. The approach originated outside the accounting field and is particularly useful in that it promotes resilience and responsiveness. It is important because it deals with interconnectivity and is sensitive to the need to get beyond prescriptions for single organisations acting in isolation from one another⁵. The basic aim of BCM is to ensure that adequate planning exists to maintain continuity of service to customers, and to ensure survival of the organisation itself.

The relationship between BCM and risk management is not well understood. Both are concerned with ‘impact’, however, risk management is concerned with ‘frequency’ and impact whereas BCM is concerned with ‘time’ and impact. The significance of this lies in the fact that measurement of risk in terms of frequency and impact may not be sufficient, since if a service (mission critical activity) is interrupted it is necessary to determine how long it will take to restore that service (recovery time objective) and what level of resources will be required to reach an acceptable default functionality standard (recovery point objective).

Since BCM is primarily concerned with the management of external (high impact, low frequency) tail events, there is very little data available for quantification purposes. However, academic work is currently taking place to determine how statistical models may be used to analyse interruptions and define the timeframe for recovery. This work includes, amongst other things, examining how the survival model for proportional risks, called the Cox model, together with Bayesian Networks, can be used.

Modelling the potential effects of risk

It should be recognised that profit, and similarly cashflow and capital requirements, are not singular. Consequently, there exists a need to report not only the expected value but also the probability distribution. Risk management seeks to reduce the distribution-spread of losses and contain them within set bounds. In addition, it enables efficiency and effectiveness to be enhanced, resulting in improvement of the expected value and a reduction in volatility. Whilst improvement in the expected value is important, it is also necessary to avoid unwanted extremes.

[Figure: Profit is not singular. Probability plotted against profit, marking the expected profit and the possible range for the actual profit outcome.]

Modelling has developed considerably in recent years and is increasingly being used for examining the potential impact of risk on financial performance. Historically, improvement in modelling can be seen to have resulted from four separate stages of development:
1. Traditional financial budgeting: This is based on one set of assumptions about the future. It, therefore, merely gives one possible deterministic outcome.
2. Sensitivity analysis and stress testing: The next generation of models used ‘what-if’ analysis to undertake sensitivity analysis and stress testing. In addition to the expected outcome, the best and the worst cases were also identified.
3. Stochastic modelling: Rather than being limited to fixed values and results, stochastic modelling takes into account probability and enables a range of possible outcomes to be considered.
4. Dynamic modelling: By incorporating feedback loops and decision theory, a model can take into account management responses and thus adapt to changing situations. This allows alternative decisions to be evaluated and the range of outcomes, under each decision path, compared.

Dynamic financial analysis (DFA) is a well-established financial modelling approach, widely used within the actuarial profession and the insurance sector⁶, which lends itself to the investigation of risk⁷. It grew out of scenario planning work pioneered by the Rand Corporation, with the methodology later being adapted by the British and Finnish working groups investigating insolvency in the insurance industry⁸. This work recognised the limitations of static, backward-looking accounting reports when attempting to assess future liquidity in a changing environment.

DFA enables a holistic view to be taken and provides a methodology for evaluating and better controlling an organisation’s risk profile. Consideration can be given to both historical and assumed loss-event distributions together with the possible impact of extreme events. Assumptions regarding diversification and correlation can be evaluated. Specifically, DFA enables an organisation to gain a more informed understanding of the possible risks (and opportunities) faced under a range of scenarios and thus identify those alternatives that add the greatest marginal benefit. It differs from classical scenario testing of business plans in that it is more forensic and allows a larger number (many thousands) of scenarios to be generated. In essence, DFA seeks to model the reactions of an organisation in response to a large number of inter-related risk factors, with a view to analysing the impact of alternative decisions on financial performance.

Although financial modelling offers considerable benefits, it should be remembered that a model is, by definition, merely a simplification of the real world. There are a number of possible limitations that need to be taken into account:
• The model may be incomplete
• The model may be incorrectly specified
• Complexity can lead to Model Risk
• Scenarios may no longer be appropriate
• The model may become obsolete
• Models can be costly and require a high level of interpretational skill

Challenge existing thinking

Intellectual failure, resulting from a misunderstanding of risk, has resulted in misdirection. It would appear that banks are victims of both misguided regulation and inflexible systems. They have been captured by mechanistic approaches, such as ERM, which drive out cognitive reasoning, leading to ossification. Whilst it is easy to blame the regulators for misdirection, and indeed they are culpable, it should be recognised that banks are currently not doing enough with regard to enhancing control and reporting. Fundamentally, it is incumbent upon management to clearly demonstrate an organisation’s responsiveness to change and its resilience to unexpected events. BCM is important in this respect and has considerable potential. However, the relationship between BCM and risk management is not widely understood.

A joint paper by the UK Financial Services Authority and the Financial Reporting Council, entitled ‘Enhancing the auditor’s contribution to prudential regulation’⁹, suggested that “auditors need to challenge management more”, and that the FSA has “questioned whether the auditor has always been sufficiently sceptical and has paid adequate attention to indicators of management bias.” As a consequence the FSA has proposed sweeping new powers over auditors of listed institutions. Given the importance of auditor independence, it would be perverse if the audit firm became a captured agent of the regulator.

It should be recognised that auditing and risk management alone are insufficient. As Darwin stated, responsiveness is the key factor. The need, therefore, is to create a regulatory approach that focuses on substance rather than form; the warning from the IMF should not simply be ignored (see Part 1).

Fundamentally, there exists a need to challenge existing thinking and develop new methodologies and corrective actions. The importance of this should not be under-estimated; the potential gains are significant. A reduction in costly regulatory bureaucracy and the opportunity to redirect resources towards more innovative value-creating activities could significantly increase shareholder-value. It should be recognised that in the absence of market solutions, the alternative scenario¹⁰ is one of ‘Low Trust Globalisation’. In extremis, this would be a legalistic world, devoid of active shareholders and rating agencies, with ever-changing intrusive rules; a world in which uncertainty leads to short-term portfolio optimisation.

(Endnotes)
1 Young, B. and Coleman, R., 2009, Operational Risk Assessment – The commercial imperative of a more forensic and transparent approach, Wiley.
2 ‘Our main interest must be in the changeable and controllable’. Reason J., 1997.
3 Basel II uses a 7x8 matrix of risk-event types and business lines.
4 Taleb N. N.; Fooled by randomness: The hidden role of chance in life and in the markets; second edition; Thomson Texere, 2004.
5 Power, M.K., 2010
6 One of the main proponents of DFA is the research committee of the Casualty Actuarial Society (CAS), http://www.casact.org/research/drm/
7 Tripp M. H. et al. Quantifying Operational Risk in General Insurance Companies. GIRO Working Party, Institute of Actuaries, March 2004.
8 An amalgam of both the UK and Finnish approaches is presented in detail in: Daykin, Pentikainen, and Pesonen, Practical Risk Theory for Actuaries, pp. 546, Chapman & Hall, 1994. The work of the Finnish working party is summarized in Pentikainen, “On the Solvency of Insurers,” Classical Insurance Solvency Theory, J.D. Cummins and R.A. Derrig, Eds., pp. 1-49, Finland: Kluwer Academic Publishers, 1988. The work of the United Kingdom working party was reported in two papers: Coutts & Devitt, “The Assessment of the Financial Strength of Insurance Companies – Generalized Cash Flow Model,” Financial Models of Insurance Solvency, J.D. Cummins and R.A. Derrig, Eds., pp. 1-37, United Kingdom: Kluwer Academic Publishers, 1989, and Daykin, et al., “The Solvency of a General Insurance Company in Terms of Emerging Costs,” Financial Models of Insurance Solvency, J.D. Cummins and R.A. Derrig, Eds., pp. 87-151, United Kingdom: Kluwer Academic Publishers, 1989.
9 Enhancing the auditor’s contribution to prudential regulation, Discussion Paper 10/3, June 2010, Joint FSA FRC paper.
10 http://www-static.shell.com/static/aboutshell/downloads/our_strategy/shell_global_scenarios/exsum_23052005.pdf

Brendon Young is professor of risk management at Birmingham City University Business School and chairman of the Operational Risk Research Forum

ISO 22301: A NEW STANDARD FOR BUSINESS CONTINUITY?

Hilary Estall takes a closer look at the proposed ISO standard, highlighting the initial reactions to the document, and considers whether it is a positive move forward

The end of last year saw the publication of ISO/DIS 22301 Preparedness and Continuity Management Systems – Requirements. The DIS, or to give it its proper title, Draft International Standard, is now available for public comment. The window of opportunity to formally comment is limited to five months (ISO closing date is 26 April 2011) but if you wished to comment through the BCM/1 Technical Committee, the closing date was 28 February. So, is there anything in the new ISO standard that might give cause for comment?

Why have an ISO standard for BCM?

It is generally accepted that BS 25999 has been a welcome yardstick by which to establish a recognised method of implementing business continuity arrangements within an organisation. It has been read and, in many countries, actively used, to help drive through a culture of business continuity. Some countries have gone further and produced their own ‘local’ standards to reflect cultural and commercial requirements within their region. So, do we really need an international standard as well?

The short answer is yes. Whilst there will always be organisations which prefer to operate within more regional boundaries, we are now such a commercially diverse world that for some, anything less than an international approach to business (continuity) just won’t wash with top management. The point is that organisations must make their own choice on applying whichever standard works best for them. One proviso to this being supply chain pressure to adopt a particular standard.

International Standards (ISOs) are, by their very nature, based on a consensus of varied opinions. The ISO committee responsible for 22301 is called ISO/TC 223. It is made up of 30 member countries. Language and cultural differences, to name but two examples, should not be underestimated when it comes to agreeing the final version of an international standard. It comes down to a voting system. Does this result in a less rigorous set of requirements? Possibly.

Initial reaction to ISO 22301

Those of you who favour BS 25999-2 will be pleased to know that the proposed ISO standard has drawn on the requirements of the British standard quite significantly. Also, and not surprisingly, the ISO is structured around the elements of a management system.

However, ISO, through a committee known as JTCG TF1, is currently looking at ways to ‘standardise’ management systems further. The intention moving forward is to have a single format for all future ISO standards which will make it easier for organisations with multiple management systems to manage and maintain them. Standard terminology and headings will become the norm. ISO 22301 is set to be one of the first international standards to follow this route; but as the DIS shows, there is still much work to be done in order to finalise an appropriate format! Watch this space.

The now familiar ‘Plan Do Check Act’ cycle remains a feature as does the need for continual improvement. In fact, there is now greater focus on maximising the outputs of the management system controls through ‘monitoring’ (it even has its own definition now), ‘measuring’ and the setting of performance ‘metrics’.

For those of you with a keen eye, you will also have noticed that the title of ISO 22301 is ‘Preparedness and Continuity Management System’. The ISO encourages us not only to consider the business continuity needs of our organisation but also the need for preparedness. This added level of pro-activity should be welcomed. The requirement for preparedness now extends to the organisation having to:
• Identify and document its “…supply chains, stakeholder relationships and the potential impact related to a disruptive incident”
• Identify and document ‘stakeholders’ objectives’
• Identify and document its ‘risk appetite’

Some of these requirements were previously implied in BS 25999-2, but based on the above, organisations will now be asked to consider these issues in more depth as well as actually document their conclusions.

The technical content remains largely similar, albeit with some new terminology. For example, we see the introduction of the word ‘protection’ (in terms of risk) and incident becomes ‘event’. For those readers who continue to struggle with the concept of maximum tolerable period of disruption, don’t be fooled into thinking that because this phrase is no longer listed within the terms and definitions, it has been done away with; the requirement remains, now under the heading ‘business continuity options’!

Pleasingly, there is a section called ‘Communication and Consultation’. Organisations are, amongst other things, required to establish, implement and maintain procedures for areas such as communications with stakeholders (internal and external) as well as responding to communications from those stakeholders. Whilst this may seem over prescriptive, as communication is frequently an area within organisations which is found to be wanting, this has to be a requirement where such an approach is useful.

One alarming introduction is that the ISO standard not only cross refers to ISO 31000 (Risk Management Principles and Guidance) but instructs the organisation to establish a risk assessment process in accordance with this particular document. It is one thing to suggest this as good practice but quite another to insist upon it. This will undoubtedly attract comments from a number of areas. Not least the certification bodies who will not be used to seeing such demands within an ISO standard.

These nuances continue throughout the document, but as the draft standard undergoes its metamorphosis, there is little benefit in focusing too much attention on the detail, just yet. Essentially, feedback that has been gathered through coordinated forums indicates a consensus that ISO/DIS 22301 contains both improvements on BS 25999-2 as well as aspects that still require attention and further consideration. Unless the level and depth of criticism is such that the ISO committee considers the standard too far off piste, it’s likely to go through with the ‘approved’ changes having been duly voted on. One thing is for sure, it will be interesting to see how the auditors adapt their skills to assessing some of the more subjective aspects of the standard.

Going forward

Depending on the level of comment and need for change, publication of ISO 22301 is likely to follow one of two routes. Comments will be reviewed by ISO/TC 223 and ‘accepted’ changes made to the DIS. A revised document will be produced and circulated amongst the respective national bodies during the third quarter of 2011.

… change, the document will either be issued as … draft where only editorial changes can be made. FDIS is likely to result in final publication of the standard in the first quarter of 2012. A DIS2 will delay publication to the third quarter of 2012.

… implement its business continuity management system it should continue along this route. Also, if you are in the process of applying for or seeking certification to BS 25999-2, you should also continue down this path. Certification bodies will apply a transitioning process for organisations which intend to transfer from BS 25999-2 to ISO 22301. Details of this will hopefully be forthcoming from the certification bodies prior to publication of the standard.
public comment, or an FDIS, which will be a final a DIS2,which willrequireanotherperiodof If your organisationisusingBS25999-2to Thereafter anddependingonthelevel of March/April 2011 appropriate format!” order tofinalisean work tobedonein there isstillmuch the DISshows, this route; butas standards tofollow first international to beoneofthe “ISO 22301isset P www.pslinfo.co.u lead auditor, director, Hilary HIL erpetual Solutions AR Y E ES stall, I BCM standards T A LL RC CONTINUITY SBC A k BC I L imited MS 33 Invest wisely in BCM - www.ascure.com


“When planning for business continuity, remember Noah started building the ark before it began to rain.”

Succession planning

THE ESSENCE OF ORGANISATIONAL CONTINUITY Paul Kirvan drives home the importance of effective succession planning and asks why some organisations simply do not get it

In the early days of business continuity, then known as disaster recovery, the focus was primarily on recovering technology so organisations could continue to function. As BCM evolved, the focus expanded to include business processes, their interdependencies on internal and external entities, and the staff to manage them. In this article, we will explore the role that succession planning plays in this system.

What is succession planning?

There are many different views on this subject. According to Douglas Weldon, FBCI, vice president at Thomson Reuters and president of the BCI’s USA Chapter, “Succession planning ensures continuation of company leadership regardless of incidents that could cause a short – or even long-term interruption of their roles in these critical leadership positions.” Susan Young, MBCI, a risk management professional working in the financial services industry in London, adds, “It entails the identification of internal people within an organisation who have the potential to fill key leadership roles. It is considered in a long-term context, in terms of career planning, retention of key staff and organisational continuity.”

In another key context, Robbie LaRocca, Ed.D., MBCI, director of business continuity programs at Remlu, and a board member of the BCI’s USA chapter, notes, “The aging population, declining birth rates, economic expansion, pandemic, geopolitical issues, work stoppages – the cause does not matter – begs the question: How do we keep mission-critical functions running if we lose key employees?”

Kathleen Lucey, FBCI, president of consultancy firm Montague Risk Management and vice chair of the BCI’s Global Membership Council and vice president of the BCI’s USA chapter, notes that succession planning is for everyone. “It’s not just the executives – what about an organisation’s support staff ranging from cafeteria workers to technical experts who have unique skill sets that are difficult to replace? How do you replace them?”

Clearly, as business continuity professionals, succession planning ought to be a key activity in our BCM programmes.

Why should BC professionals get involved?

Isn’t succession planning a human resources issue? Yes, and as BC professionals we need to partner with HR to leverage our expertise with theirs and establish true people continuity. First, when performing a business impact analysis, we need to include HR, since a proper BIA must include the roles and responsibilities of all employees, not just senior executives.

Susan Young believes this partnership is important because, “BCM professionals must ensure that the succession planning process within an organisation is understood. Be sure to speak to HR first” she said, “and during the BIA process, address succession planning as a specific set of BIA questions, since recovered business processes, desks, computers and telephones at a recovery site are useless if there are no people to run them.”

LaRocca, a former HR professional, adds: “In addition to HR holding the keys to the ‘how we pay people during a disaster’ issue, BCM professionals should partner with HR to identify key talent. Identifying recovery teams and backup talent is a large part of BCM and it dovetails perfectly with succession planning.” More importantly, she added, “BCM professionals should ensure that HR has its own recovery team so it can and be able to assist in recovering the business.”

Why is succession planning missing?

Most decision-makers agree succession planning is important. But why doesn’t it go much further than that? Even if there is never a terrorism episode, or a large technology glitch or crisis, there will always be a need to pass the baton of firm, practice or client relationship leadership. According to Phyllis Weiss Haserot, president of Practice Development Counsel, “Most firms, particularly in professional services, where client relationships are a key factor, do not deal with client succession planning until the need is staring them in the face. The need to move quickly may preclude making a well-thought-out decision and transition plan. Lack of foresight on succession can lead to costly business disruptions.”

In a Wall Street Journal interview, Susan M Gianinno, chairman and CEO of the advertising firm Publicis USA, discussed how she picked her successor and why firms typically neglected this crucial activity. “A lot of people don’t want to deal with the fact that they won’t be here forever. I think they aren’t confident in themselves, and I think it’s about them being insecure. I don’t think they trust those under them. This is a very ego-driven business. There isn’t a lot of mentoring in our industry, and it’s a big issue.” Of her own situation, she said, “I have a responsibility to make sure the future of this business is secure.” So she started a search for her successor three to five years before she plans to step down, selected a president and chief executive for the firm and is planning her exit.

We can identify other reasons that prevent firms from succession planning, including:
• People don’t usually like to accept that crises will occur and these could lead to losses of talent and revenue;
• Lack of suitably configured compensation policies. They don’t address leadership of client teams or practice groups except in rewards for initially bringing in the business; new policies are needed;
• Lack of sufficient communication among personnel who deliver services, whether owing to time pressures, personal style, or trust issues. This can be addressed by governance policies that put succession processes in place following a disruptive incident.

The case for succession planning

Robbie LaRocca provides an example of this. “Leaders at MBNA in Manhattan allowed several of their top executives, including the CEO, to ride together in a helicopter. Shortly after takeoff from the 34th Street Heliport, the helicopter malfunctioned and landed in the East River. Fortunately, no one was killed. However, if you add up the cost to replace executives (or other key talent) including the roughly 34% premium for head-hunter fees, and the length of time required to hire the right candidate (not to mention the insurance payout for accidental death) the costs can be staggering.”

“Succession planning is in reality just a special case of the normal BCM process,” notes Doug Weldon. “It’s fundamentally a no-brainer,” adds Kathleen Lucey. So what else can be done to raise the visibility of succession planning? According to Susan Young, “BCM can add an extra dimension to the succession planning process as it can help identify key staff to lead in a crisis – where key skills will be tactical and operational rather than strategic.”

Even more important, we should ask what the risk is of not having succession planning. LaRocca notes, “People get promoted, take other jobs, retire, and die – they move on for any number of reasons. It is extremely optimistic, if not outright foolish, to assume that your key talent will stay forever.” As BCM professionals we owe it to management to ensure that the unique expertise of key employees is protected, even if they are no longer present.

Steps for succession planning and BCM

Now that we have good reason for adding succession planning to our BCM duties, how do we add this to our BCMS? Begin by incorporating the following principles, as defined by Phyllis Weiss Haserot:
• Necessary leadership attributes change with circumstances. Align succession plans and business goals and review them periodically.
• Balance timing: plan enough lead time, but don’t drag the process and transition on, producing a ‘lame duck’ situation.
• Try to keep personalities out of the selection process; focus instead on the benefits to clients and stakeholders.
• Assess client and stakeholder needs in the BIA process and recommend enhancements to these relationships vis-à-vis the professional staff.
• Identify the primary and secondary skills needed by a successor as part of the selection process.
• Build teams that complement the skills and strengths needed.
• Consider the ‘unpredictable’ and define procedures to handle these situations.
• Identify significant future roles for the person being ‘succeeded’, particularly if that person will remain in the firm.
• Integrate succession planning into the BCM process, thereby linking the process into operational resiliency issues.
• Recognise that succession planning is not a one-time event, but rather an ongoing process, and that it can be a focal point for positive change.

Robbie LaRocca adds, “In addition to succession planning policies, research the Internet to locate forms, action plans, competency models, surveys and more. The most important thing is that those who orchestrate the process are good facilitators, know the business and the organisations they are planning for and know the right questions to ask.” Some of the basic questions to ask during initial succession planning are:
• How deep into the organisation does succession planning need to go?
• Will the focus be on external/internal talent or both?
• Will those selected be told they are high potential? Why or why not?
• What criteria will be used to identify the talent?
• Will the SP program focus on selecting future leaders or developing talent or a combination of both?
• What exactly will you do to develop the talent you identify?

Additional strategies for succession planning include early identification of key employees and their roles, cross-training of staff in key activities as identified during the BIA, inclusion of succession planning in BCM exercises, and promotion of succession planning as part of initiatives to build BCM into the organisation’s culture.

Succession planning is the very essence of business continuity and resilience. Any instance in which a customer relationship can be lost is a business disruption and a significant threat to revenues and service delivery. Lack of suitably trained and experienced staff to replace key staff can mean the difference between survival and failure. As Kathleen Lucey says, “You don’t want to lose the magic that is embodied in your employees – the magic that makes your company special.” For BCM professionals it’s time to create a sense of urgency on this issue.

Paul Kirvan FBCI
Paul Kirvan, CISA, CISSP is a member of the BCI USA Chapter Board
[email protected]


Can you prove it’s embedded?

Alex Hindson looks at embedding business continuity management as a route to creating a risk aware culture and explores the parallels between BCM and ERM

I was motivated to consider the parallels that exist between the key challenges in implementing both business continuity and enterprise risk management having read some very interesting articles in the December copy of Continuity. ‘Embedding’ is one of those words, like ‘enterprise’ – everyone uses it, everyone is ‘at it’, but what does it actually mean?

You cannot turn the page of a continuity or risk magazine without reading about the importance of ‘embedding’ to the success of any programme. Interestingly working for an insurance organisation faced with meeting Solvency II regulatory requirements, the ‘Systems of Governance’ requirements under Pillar 2 of these regulations require us to demonstrate ‘use and embedding’. This is known as the ‘Use Test’. Simply put the regulators are saying, “If you think your models and processes are so good that we should rely on them for regulation, they are good enough for you too; show us how you have embedded them in your decision making.” Not surprisingly this is not being focused on by advisory organisations [1].

Is it embedded yet?

I was recently asked by senior executives to come up with a way of measuring ‘embeddedness’ [sic] across the organisation. My first reaction was, “Great – you have got what this is all about.” My second reaction was, “Well surely you know whether it is embedded or not, don’t you?” The answer obviously came back “Yes, but can you please prove it, and better still document it for us.”

This left me going off into a dark room to think about this more deeply. Having done some digging, debating and benchmarking, I found myself a leading member of the ‘Use and Embedding’ project workstream, being expected to deliver something workable.

Developing the seven embedding tests

I eventually concluded it would be very hard to come up with tangible measures of embeddedness – it is very much the same problem as measuring a risk culture [2] – but it might be possible to create a series of ‘tests’ to demonstrate whether it had been achieved. A series of extensive discussions with stakeholders across the organisation resulted in the following ‘seven tests’ listed in Figure 1.

Test   Is risk management   Meaning
1      Sponsored            Leadership clearly sponsor and challenge activity
2      Owned                Ownership accepted and acted upon at all levels
3      Decisive             Influences key decisions
4      Communicated         Outcomes are visible and actively discussed
5      Integrated           Part of day-to-day core processes and procedures
6      Valued               Pride and commitment drives continuous improvement
7      Sustained            Robust, reproducible and not dependent on single individuals

Figure 1 – The seven embedding ‘tests’

What are the embedding tests?

Let’s focus more closely on the key elements of the seven tests:

Sponsored – This is all about ensuring that there is executive and board-level support for the programme and this is maintained over time. Leaders should challenge and be demanding, rather than just saying the right things occasionally. Evidence of embedding would include board and management committee minutes, staff magazines, websites and business plans.

Owned – If someone is a ‘risk owner’, they should positively feel the accountabilities of ownership, and this should be linked to their performance management and reward. This could be evidenced through performance reviews, personal objectives and remuneration committee minutes.

Decisive – ERM and BCM are all very interesting, but if they do not inform significant management decisions then it is largely window dressing. What was the last decision that was actively influenced by risk information? The most obvious source of evidence would include minuted management decisions, but also the papers supporting business proposals.

Communicated – You can’t embed things if they are a closely guarded secret. People need to talk about risks and BCM. It needs to be on the agenda, and openly and transparently discussed. Clearly communication takes many forms, not all of which are open to evidence, but examples of evidence might include: cascaded communication, intranet sites and meeting minutes.

Integrated – Risk management is not a separate industry or in some cases a function. It needs to be a core discipline integrated into day-to-day business processes and activities to gain any long term traction. Are risk and resilience considered as part of the business planning, budgeting and strategy setting cycle, and can this be evidenced? How is risk factored into new product launches or acquisition due diligence?

Valued – Do management value the outcomes such as risk information and business impact analysis reports? Do they take pride in the quality of process and outcomes? Are they impatient to drive improvement and make it even better, or do they want to get through that agenda item as quickly as possible? In some ways this is the ‘golden test’. If this test is satisfied, it is likely the others have had to be addressed to some meaningful level. Evidence might include the extent to which management are constantly driving and demanding improvement in risk management information and support.

Sustained – Clearly we need to practice what we preach and ensure our processes are resilient to loss of key people. A succession plan for all key role holders in the risk or business continuity processes would be a good starting point in this case, but also sustained training and development programmes play an important role in achieving this goal.

Why is this useful?

This is all very interesting but how is it used in practice? Well it could be used in a number of ways. The way we have used this approach is to use the tests in conjunction with a plan for rolling out the overall framework to all entities and functions. This helps to determine how far the message has been received, processed and integrated into business activities.

By breaking the framework (either ERM or BCM) into a small number of key elements that need to be adopted and implemented in order to start to drive a consistent risk culture, we have found it possible to look at how far these have been embedded. Against each of these elements, entities and functions can be scored on a 5-point scale shown in Figure 2. The scale is fairly simple but relies on those using it to consider the seven tests to reach their conclusions.

Level of embedding and criteria
1   There is a level of awareness or understanding but no action has been taken.
2   Implementation is planned but not delivered.
3   Implementation has been completed in key areas.
4   Approaches are adopted and improving but not fully embedded.
5   Approaches to managing risk and ensure continuity are fully embedded in day-to-day business processes and strategies.

Figure 2 – Embedding criteria scoring

This results in an embedding grid for the organisation, providing a scorecard that is tracked over time. This grid can be produced as a top-down assessment with each entity being scored by the business continuity or risk function to gain a ‘baseline’ of where the organisation was starting from. This has certainly captured management’s attention.

Risk and continuity have many things in common, one of which is that they are recognised by many to be more about a ‘journey’ rather than a destination. The aim therefore is to plot a course for the organisation as a whole. We for example were aiming to achieve a certain level on the embedding scale (level 4) by a given target date. This grid formed the basis of establishment of an improvement or embedding plan for the organisation.

The analysis allows some key elements to be drawn out. Some entities were struggling and had the most work to do to achieve the objectives set. This was for a range of reasons including having a weaker risk culture or that they had been recently acquired or established and require a dedicated improvement plan. On the other hand some issues we found highlighted a group-wide issue, requiring a concerted response driven from the centre and based on a consistent implementation plan agreed for all entities to drive this area forward appropriately.

Because this process is all about ownership and embedding, subsequent evaluations of ‘embeddedness’ have been done by the entity management itself through a self-assessment questionnaire. By periodically repeating the embedding grid assessment and playing it back to management and boards it is hoped that we can answer our original challenge – “Can you please prove it, and better still document it please for us.”

Why is this important?

Embedding risk or resilience is not the sole responsibility of appropriate professionals. It is self-evident that only management can embed risk management in their organisation. As professionals we need to advise them on how to do this effectively and efficiently. There are a number of risk management maturity models in existence, but most measure the design of processes and frameworks or their implementation at corporate level. Few have been developed to allow the evaluation of adoption at an entity level within an organisation.

It is also clear that peer-to-peer benchmarking is helpful and the tools described are effectively providing internal benchmarking. Managers often want to know how they compare to their peers and competitors, as well as asking how everyone else does this. Much benchmarking has been done around ‘processes’ but as we all are now learning, risk and continuity management is more of a social science. We need to think more carefully about the change management and motivational aspects of implementation. This question often comes out when the going gets tough, and it is helpful to provide a tangible and timely answer to help maintain management’s commitment and focus on embedding.

Endnotes
1 Towers Watson (2011), Insights – Measuring risk culture under Solvency II – A powerful approach to demonstrate embedding of risk management within an organisation.
2 Hindson, A (2010), Developing a Risk Culture, Risk Management Professional, December 2010, pp28-29.

Alex Hindson MBCI
Alex Hindson is head of group risk at Amlin plc. He is a fellow of the Institute of Risk Management where he is currently chairman.
[email protected]

Business Continuity Awareness Week 2011

Lyndon Bird FBCI
Lyndon Bird, MSc, FRSA, MIoD, is international technical director at the BCI [email protected]

How would you sum up the aims and objectives of Business Continuity Awareness Week?

The clue is in the title really – it’s about raising awareness of BCM. The primary aim of the event is to promote the many benefits of an effective business continuity strategy to a new audience. We are essentially looking to provide an educational platform upon which those new to the discipline can learn more about it from a range of experienced business continuity practitioners. The event is also designed to encourage participants to take what they have learned from the various activities during the week back into their own organisations so that they can promote BC practices to their colleagues in a more proactive way. Historically, internal BCM awareness initiatives have been rather limited. Hopefully, the activities during BCAW will provide them with more effective awareness raising techniques.

When was the first BCAW launched and what format did the event take?

The idea to have a week focused on raising BCM awareness was floating around for a number of years, but the first official event took place in 2002. This was not just a BCI-led event, but involved a number of different organisations. The problem we had was choosing the best week and in the end we decided to attach the event to a major related exhibition and conference in London. Our aim was to attract both interest from businesses and media attention by linking BCAW to the exhibition. As this was only a two-day event, we spent the remainder of the week on activities designed to encourage companies to undertake their own awareness raising efforts. I must admit, it was a bit hit and miss. While on the whole, it was relatively low key, we did manage to get a number of large corporations involved in the process and they ended up conducting their own internal events. We also managed to generate some media coverage.

How would you say the event has evolved?

The event has certainly become a key date on the BCM calendar, particularly in the last few years, and now it is much more of a global undertaking. One thing, ironically, which has contributed to this is the fact that the event that we originally ‘piggy-backed’ no longer takes place. What this meant was that we had to create an event that could stand on its own two legs. It also meant that we could decide on the timing of the event rather than being tied to the week of the exhibition.

One other thing that has changed is that it is no longer a UK-focused event. Similar events were also being held in countries such as the US, Canada and Australia, and we were all trying to select weeks for the event that tied in with particular activities, which created a number of problems.

I would add at this point that the BCI did not initially want to take ownership of the event. We saw our role as being one of a facilitator rather than dictating the event. However, two years ago we bit the bullet and took on a lead role in organising BCAW. Once we became more proactive, other countries came on board to help us create an international event. This greater involvement has enabled us to develop a broad range of activities and materials for the event sourced from all over the world. Last year, for example, we were able to conduct a global video conference and had a number of international webinars.

What is the primary focus of BCAW 2011?

There are primarily three messages which we are looking to broadcast during the week. We want to get away from the traditional, outdated view of BCM as being solely about buildings, technology and people, and to raise awareness of the strategic-level role played by the discipline in the context of business resilience.

The three messages focus on the role of business continuity in the context of:
• Competitive advantage through operational resilience
• Protecting value and reputation in a crisis
• Transparent corporate governance and risk oversight

Some BC professionals and their organisations are already at this level, but we need to move the thinking forward of those who are still focused on the operational side of business continuity. Furthermore, by making those who are new to BCM aware of the fact that the business continuity remit extends beyond the operational components, we are ensuring that they will build their strategy on much more comprehensive foundations.

What new elements or activities have been introduced into this year’s event?

On the whole the mix this year will be similar to last year, although there will be more webinars this time and also a greater international interaction. In total, we will have over 30 webinar presentations during the week, during which people will be able to pose questions to the presenters. These will also be recorded and available via the BCAW website.

The event will also see the launch of a new BCAW Forum, which will be hosted on LinkedIn and will allow people to raise particular BC issues and discuss any new topics affecting the industry with other practitioners. During the week, we will also be releasing a range of new research material in conjunction with our partners; issuing a paper on the topic of resilience produced by a BCI Partnership Working Group; and providing new guidance which has been produced by the BCI Partnership which looks at the link between business interruption insurance and BCM and is based on a 9-month project working with experts from BCM and insurance sector. In addition, two roundtables will take place in the run-up to and during BCAW, with reports from the events being made available to BCI members following BCAW.

Other exciting elements will include a new online incident simulation training game designed for business. BC24 allows teams of six players to test out their crisis management capabilities and gives them a chance to compete with organisations from across the world.

It revolves around a scenario which affects a particular organisation and each member of the team plays the part of someone within the company. Roles will include the CEO, the HR manager and IT director. They will be faced with a series of challenges stemming from the original incident, which will develop depending on how the team approaches each of these challenges. The aim is to measure how successful the team is at managing the incident, and to demonstrate this each team will be given a score – so there is certainly a competitive edge to the activity.

How is the event structured and does it cater for all levels of BC professionalism?

The event is designed to be fun as well as informative. BCAW is not designed to be the BCI preaching about BCM, but rather it aims to provide people with an opportunity to get involved in BC-related activities. For example, people can download a series of materials from the BCAW website which will allow them to conduct their own internal events.

While there is a strategic element to this year’s event, the week also includes a number of activities which are focused on the practical side of BCM and are designed to help people with their business continuity strategies. This is not a top down-type approach, but rather is aimed at making people aware of things that they can do in their own organisations which have worked in other companies. We want the event to have an impact on people at all levels, whether experienced professionals or those simply looking to get a better understanding of business continuity.

To what extent is there an international flavour to the presentations and activities, and how important is this fact?

It is essential from the BCI’s perspective that BCAW be an international event. There are numerous national events that take place, but the primary goal of the week will be to clearly demonstrate that BC practitioners represent a global community. The BCI membership includes well over 5,500 members from over 90 countries in the world, but the actual number of people involved globally in business continuity is in the tens of thousands. What BCAW provides is an opportunity for these people to communicate with each other and share their experiences with colleagues and friends throughout the world.

collaboration, with numerous events being organised in various different countries.

will take place from 21 March to 25 March. This is critical to the success of BCAW. Also some of the activities are being run by people who are not members of the BCI.

For those BC professionals wishing to play a more proactive role in BCAW 2011, how would you suggest they get involved?

The first port of call should be the BCAW website, which provides an overview of all the various events that are taking place and how people can get involved, including the forum, the numerous webinars and BC24 online simulation game. If they require any further information or have any particular queries, they should contact the BCI directly.

what we are hoping to do during this week is to catalyse people to take their BC activities forward. The event will provide a range of discussion forums, materials, research papers and guidance documents, but it is up to participants to take this wealth of information back into their own organisations and use it to get everyone involved in making their company a more resilient one.
Business Continuity Awareness Week 2011 The event isvery much aninternational One finalpointI would makeisthat For furtherinformation, pleasegoto: March/April 2011 www.bcaw2011.co

BCAW 2011 Continuity mar ch 21-25,2011

41 m

BCI News

BCM WORLD CONFERENCE AND EXHIBITION 2011 9 – 10 NOVEMBER, LONDON

Website launched and call for papers released

Although November seems a long time away, plans for the BCM World Conference and Exhibition 2011 are already in progress. Taking place on the 9 and 10 November 2011 at its new venue Olympia, London, the third World Conference event looks set to be the biggest and most successful yet. The website is up and running at www.bcm2011.com, so you can now book your delegate places at the Super Early Bird rate (save £250 on the standard rate for bookings made and paid for before the 30 April 2011) as well as viewing the call for papers, the deadline for submissions for which is 7 April. A number of organisations have already confirmed their exhibition stands and many others are considering their options of both exhibiting and sponsoring. If your organisation is interested in these opportunities, please e-mail [email protected]

SUCCESS FOR BCI WORKSHOPS IN THE US

Having been extensively trialled in the UK, 2011 became the year to roll out the BCI Workshops internationally. The first three workshops in the ‘Supply Chain Roadshow’ have been conducted in New York, Dallas and San José to great critical acclaim. The weather attempted to thwart us, first of all a severe storm warning in New York and then Dallas – Fort Worth Airport closed because of ice; but BCM practitioners are a hardy breed and the majority of those scheduled to attend managed to fight through the climate conditions to spend a very productive day engaging with their peers.

Led by Colin Ive MBCI, these workshops attained maximum scores in most areas from the majority of delegates. Feedback included:

“Enjoyed workshop which was interesting, interactive and good value”

“Extremely beneficial – will take this info back to pilot our supply chain’s organisation”

“It was well worth the cost!”

“Very informing & thought provoking. Useful information received that will inform supply chain considerations in my organisation”

“Group discussion was very effective and interesting. Valuable to hear from different BC practitioners in different industries”

“Met all my concerns”

The BCI is extremely grateful to CitiBank, Dallas Fort Worth International and eBay for their generous support of these events.

The BCI has had interest from members all round the globe and hopes to be able to schedule more workshops in 2012. The 2011 future programme can be found at www.thebci.org/aboutworkshops.html where resources and presentations from the 2011 events can also be downloaded.

Please make a date in your diary for future workshops in the Supply Chain Roadshow:
• Seattle – 5 May (Sponsored by Microsoft)
• Calgary – 10 May (Sponsored by IBM)
• Toronto – 12 May (Sponsored by Canadian Tire)
• Bangalore, Delhi, Kuala Lumpur and Shanghai – TBC

BC24 GAME

Pre-register now to play BC24: www.bcaw2011.com

One of the real innovations for this year’s Business Continuity Awareness Week is BC24. BC24 is an online incident simulation game for six players, which is free to play. It concentrates an extended incident scenario into a short period of time.

We hope the game helps members with their in-house awareness raising activities by providing a good reason to get together with otherwise busy people and improve awareness of the need and benefit of effective BCM. It may also provide a basis to reflect on your own programme. The game is very flexible and allows people to play in their own time as well as from any location with an Internet connection. The game is also being promoted beyond the BCI community, to allow newcomers to gain familiarity with BC issues and benefits.

The game is open for anyone to play, so please do join in – there is a ‘Leader Board’ for the competitive among you and prizes for the top three teams. While we do not want to give too much away, the scenario is based on a flooding incident as well as supply chain failure. Players are faced with a series of choices through the game, the choices made are scored and outcomes may differ depending on choices made.

A briefing paper on the game is available to download from the BCAW website at www.bcaw2011.com where you can also register to play.

We would also like to thank our sponsors, PwC, ClearView and Bureau Veritas without whom it would not have been possible to develop this game.

HOW PREPARED ARE YOU?

Consultancy Training Simulation Exercises

With 25 years of excellence, LINK is the smarter approach to Risk Management
Crisis Management • Business Continuity • Crisis Communications
+44 (0)20 3178 7762 • [email protected]

To advertise in this space contact Rebecca Jackson +44 (0)161 743 3551 [email protected]

the business continuity summer school 15-18 AUGUST 2011 www.continuityshop.com [email protected] +44 (0) 161 743 3555

The Soap Box provides you the reader with an opportunity to speak your mind on the issues impacting on your discipline. To air your views contact Nigel Allen at [email protected]

Will social media channels always be one step ahead of crisis communication plans?

Just consider this one fact: The amount of bandwidth available in one second today is the same as the whole year of 1998. The increase in the speed at which information is transmitted is the biggest jump since the telephone and compares with Gutenberg’s invention of the printing press. This has huge and obvious implications for business continuity and crisis management plans and procedures.

In the good old days, say 20 years ago, one usually had what was called the ‘golden hour’ to deal with a crisis. A team could be assembled to put together a carefully constructed statement and this would still be viewed as a quick reaction. They might use telex (if you’re over 50, you’ll remember that) or fax, which we will soon find only in museums.

In today’s world, you can have a tweet in the air in 30 seconds – if you are slow on the keypad. You can update your blog in a minute, have a picture on Facebook in less time and send footage from your camera or mobile phone to as many TV stations as you want. And this is just one person transmitting information in two minutes. Naturally, this is retransmitted again and again and, within five minutes, half the world can be aware.

Organisations, like cuckolded husbands, are often the last to know what is happening because they are not an integral part of the arena in which the information is being shared and this is why they appear to be a step behind the social media world.

But there is another crucial difference. Reputable media would not just ‘run with a story’.

There was an old adage in journalism: “If in doubt, leave it out”. (In fairness, there was another one which said: “Never let the facts get in the way of a good story”). The problem is that the first rule has gone and the second one is the norm because of a change in the way that news is created and used. We are all journalists now.

This has frightening consequences for crisis management managers. A rumour becomes a fact. And rumours are very hard to pull back. You do not even need an event to have a crisis. The French national rail company SNCF decided to run a crisis simulation where one of its high-speed TGV was shown being derailed in a very realistic video. Within minutes this simulation was on YouTube. It was now a fact. SNCF’s press office was inundated: How many people were killed, where did it happen, etc?

The second is the ‘manufactured crisis’. Greenpeace tried this with Nestlé by saying that palm oil – used in certain food products – was threatening gorillas by using a web-based ad campaign. Moving quickly, the company coped well, but organisations have to be very fleet in order to counter this sort of campaign – and it’s not easy.

So how does a company deal with social media in crisis management and business continuity?

The answer is the same as it has always been, but with a twist. Ten years ago, I would have given you simple advice: Be prepared – the Boy Scout rule. It still applies. But nowadays, one has to not only be prepared, but to anticipate and this is the key to keeping up with social media. As the old rugby saying goes: “Get your retaliation in first.”

Take a day out to imagine the worst case scenario. Do a number of exercises. For example, put yourself in the place of activists and think what they would be doing; what forums they would be using. Think of the impossible, not just what is likely. Get in real actors and create a simulation that will really challenge you.

In the world of social media, everything is possible, even if it is impossible, and companies need to be aware and ready.

Welcome to a brave new world.

Tom Curtin
Tom Curtin is chief executive of Curtin&Co and author of ‘Managing a Crisis’. He is also a visiting professor on the topic at IMD in Lausanne
[email protected]
www.curtinandco.com

44 Continuity March/April 2011 The most valuable Business Continuity training course you could attend!

BCI Understanding BCM Principles & Good Practice Implementing a Business Continuity Program? • Gain practical knowledge and proven tool sets the industry experts use. • Cut through the complexity with a simple to follow ‘step by step’ process. • Be involved hands-on as a case study builds a BC Plan through practical breakout sessions. Want your Business Continuity experience recognised and internationally accredited? • Sit for the Certificate of the Business Continuity Institute and gain the CBCI status. • Gain membership of the worlds most respected Business Continuity representative body – 12 months free Affiliate Membership (After conclusion of course. New members only)

Places Limited - Book Now and WIN!!!

London 6 - 10 June 2011 International Course Schedule for 2011 London 24 - 28 Oct 2011 Sydney, AU 9 May - 13 May London, UK 6 Jun - 10 Jun The most valuableBook your Business place in London Continuity and mention training courseBrisbane, AU you could20 Jun -attend!24 Jun this ad to go into the draw for £250 Canberra, AU 11 July - 15 July of accommodation vouchers. Brisbane, AU 22 Aug - 26 Aug Comments made by a participant at our recent Leeds course; Sydney, AU 12 Sep - 16 Sep Wellington, NZ 26 Sep - 30 Sep “The Best BCM course I have attended by far. A well structured, logicalImplementing course which awas Business so helpful in Continuity assisting me to Program? achieve my Melbourne, AU 10 Oct - 14 Oct goals. I would have no doubts in recommending the course, which London, UK 24 Oct - 28 Oct is beneficial to beginners or people with experience wishing to Canberra, AU 7 Nov - 11 Nov develop further. It is delivered by an experienced BC Practitioner who Brisbane, AU 21 Nov - 25 Nov balances the content of the course really well with a practical and Sydney, AU 5 Dec - 9 Dec Wantholistic approach.your Business Thank you JBTGlobal.”Continuity S.L. experience - Derbyshire recognisedPolice and internationally accredited?

For more information call Louise 0780 701 7940 or email [email protected] Visit our website for full course details www.jbtglobal.com/bci-courses.html Risk Management Corporate Security Consulting Business Continuity Places Limited - Book Now and WIN!!! Management Regulatory Expert Assistance Business FocussedInternational Course Schedule Practical for 2011 Compliance Auditing JBT also offers consulting and mentoring services specialising in: Crisis & Emergency Management Book• Business your place Continuity in London Management and mention• Corporate Security this• adIncident to go and into Emergency the draw Management for £250 • Project Management and Design Project Management • Risk Management • Regulatory Compliance Auditing & Design of accommodation vouchers. Business Intelligence For further information about our services email us obligation free [email protected] & Investigation

Training

www.jbtglobal.com/bci-courses.html Risk Management Corporate Security Consulting Business Continuity Management

Regulatory Compliance Auditing JBT also offers consulting and mentoring services specialising in: Crisis & Emergency Management

Project Management & Design Business Intelligence [email protected] & Investigation

A Telecoms Resilience Breakthrough

GemaTech’s New Portable Recovery Unit “The PRU” can be deployed within four hours of us being alerted to your organisation’s loss of incoming calls - no matter where your business is located in the UK. And the best part for subscribers? If you don’t use it - you don’t pay anything else!

Think of it like insurance. In return for a yearly subscription we will deploy “PRUs” in strategic locations around the UK and guarantee to have a “PRU” installed and activated in your serving carrier’s exchange within four hours of your request to invoke, following the loss of your incoming calls.

You’re in control too, because all your DDI call plans can be managed by GemaTech with the invitation to update your call re-routing plans on a monthly basis, and that’s to ALL individual DDIs re-routing to any number of alternative numbers and devices.

Nobody knows when Pandora will open her box next and what devastation will be unleashed. But can you afford not to look into ours? Think inside the box, and take the first step towards Telecoms Resilience today. GemaTech staff are ready and waiting to answer your questions. The next time Pandora opens the box, you’ll wish you’d subscribed to ours. GemaTech’s Portable Recovery Unit.

The ‘PRU’ 0800 328 8354 www.gematech.com/continuity

The Telecoms Continuity Specialists

GemaTech will be exhibiting at EPS Conference 16th & 17th June 2009

GemaTech (UK) Ltd, Telford House, Hamilton Close, Houndmills, Basingstoke, Hampshire RG21 6YT. Tel: 0845 345 3333 Fax: 0845 345 8711 E-mail: [email protected]