30 May 2012

Prospering in an era of uncertainty

I am pleased to announce our new paper 'Prospering in an era of uncertainty', which looks at the case for resilience – the capacity of a firm to survive and thrive in an era of uncertainty, and navigate through turbulence in the wider business environment.

Produced in association with the University of Oxford, the paper identifies what drives resilience and how it serves the organisation in good times and bad, describes emerging practices in leading organisations, and then sets out a possible future agenda for developing resilience further.

Resilience extends the focus beyond resistance to shocks to include the response to them, and it also supports longer-term thinking about new risks and opportunities. Organisations that learn from failure and link their different assets and processes through a strategic conversation will be well placed not only to exhibit resilience but to exploit the opportunities that turbulence creates.

Follow this link to access the paper, and also, if you wish, to take part in our survey on the subject:

http://www.pwc.co.uk/governance-risk-compliance/publications/prospering-in-an-era-of-uncertainty-the-case-for-resilience.jhtml

29 May 2012

Drought – a warning for improved resilience

Successive dry winters have left the southern half of the UK with little water; London and the South East have officially been in drought for many weeks. News stories suggest this drought, which appears to be spreading, could last until Christmas.

Despite the warnings, a hosepipe ban and public awareness campaigns to save water, you would think on driving through our cities that nothing much has changed. I was astonished at the weekend to see a queue outside my local car wash; I had forgotten how important it is to look your best whilst driving at 90mph down the M40.

It is quite typical, though, of our response to these sorts of events: perhaps a feeling that the issue does not apply to us, or that it will be all right now that we have had a few days of heavy showers. I recall the “swine flu” parties organised to deliberately infect children to give them immunity to the virus, despite Government warnings and the increased chance of death. Truly astonishing.

So what, you might ask? I just won’t water my garden. But the impact is likely to be much greater than a brown lawn. If standpipes arrive in our streets we all ought to have prepared already. You do not want to discover how important water is as a key resource supporting your operations at the moment it is switched off. It is not just lavatories either: do you know how dependent you are on water, both at your own sites and within your supply chain? Perhaps your computer systems are cooled by mains water (as some are), or you use water within a manufacturing process.

The response is quite different from the loss of other essential utilities. The loss of electricity can be mitigated by generators, and gas could, at some expense, be stored. For businesses that use large quantities of water, additional storage is not a viable solution, and you cannot easily buy from another supplier either.

The issue calls for a wider look at an organisation’s risks and the way it manages them. Business Continuity will help, but it will not resolve the issue entirely, especially if the availability of water (and other natural resources) continues to dwindle. Businesses should be adopting a broader approach to their resilience, using Business Continuity principles coupled with risk management approaches to identify how future threats might be mitigated. In the case of a drought, this might mean adapting business processes rather than attempting to continue them as they are.

The drought is but one example of a growing set of external threats. I am sure you all built sandcastles on the beach as a child. As the tide comes in you work hard to stop the sea breaching your defences, but the sea always wins, and at some point you resolve to move your sand fortress further inland. It feels as though we are getting closer to the point where we all need to think hard about how our businesses will continue, before our defences are breached and it is too late.

05 January 2012

Determining the Cost of Service Impacts

Over the past ten years I have observed a disconnect that I continue to find fascinating. 

Many organisations determine their business continuity risk exposures based largely upon predicted financial impacts. These calculations may include reputation and other facets, which are in turn estimated as a USD or GBP value. The results help the organisation prioritise its response and often lead to investment choices. They are all predictions.

So, if an organisation has gone to the trouble of predicting costs, why doesn't it validate those predictions by calculating the actual cost of disruptions when they occur? It is like setting a sales target but never adding up what was sold; you just wouldn't do that.

I have a few ideas as to why this information is not collected. Even though big incidents get attention, management are usually so pleased to have recovered, and so caught up in heralding their success, that the cost of the impact is at best forgotten and at worst purposely avoided. Smaller but frequent incidents are often ignored, passed over as part of the background challenges that businesses face. Stressed teams assume it will be a mammoth task to calculate the costs, so it goes on the “too difficult” pile.

It does not have to be a difficult task. It depends entirely on the organisation, but for many a simple calculation is all that is needed, because the order of magnitude matters more than exact figures. For some it may be enough to use: number of employees affected × hours of interruption × average hourly cost per employee (salary plus overheads) = financial impact. Average sales lost during the period may be the right measure for others. Or why not use the same calculation that produced the risk assessment rating in the first place (assuming it was more than a guess)?

There are good reasons why I advocate this calculation. From my experience, one company that faced frequent but short power outages began adding up the cost of those outages and was able to compare it with the cost of commissioning a new substation to give it a more stable supply. Another was able to examine frequent IT system failures (admittedly it had to use a slightly more complex calculation, applying a percentage productivity impact, because staff did not lose all functionality) and determined that the cost of new equipment to prevent the failures was a fraction of the annual lost productivity. Building resilience and adding preventative measures are basic tools of successful Business Continuity / Disaster Recovery Management, and this information allows the organisation to recognise the savings they deliver.
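The two cases above follow the same arithmetic: add up what each real incident cost, annualise the total, and set it against the price of the fix. The following script is an added example that is not part of the original post or of any PwC tool. The incident log, the £35 hourly cost, the substation and equipment prices and the productivity-loss fractions are all constructed figures chosen to illustrate the method; the percentage-impact variant covers the partial IT degradation case described above.

```python
"""Annualise the cost of recorded service disruptions and compare it with a
proposed mitigation.  Added illustration; all figures below are constructed."""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Incident:
    """One entry from an incident log (constructed data)."""
    date: str
    hours: float              # duration of the interruption
    staff_affected: int       # headcount whose work was disrupted
    productivity_loss: float  # fraction of output lost while disrupted, 0.0..1.0
                              # (1.0 = total outage, e.g. power; <1.0 = degraded IT)


def incident_cost(inc: Incident, hourly_cost: float) -> float:
    """staff x hours x hourly cost, scaled by the share of productivity lost."""
    if not 0.0 <= inc.productivity_loss <= 1.0:
        raise ValueError(f"productivity_loss out of range: {inc.productivity_loss}")
    if inc.hours < 0 or inc.staff_affected < 0 or hourly_cost < 0:
        raise ValueError("hours, headcount and hourly cost must be non-negative")
    return inc.staff_affected * inc.hours * hourly_cost * inc.productivity_loss


def annualised_cost(incidents: Iterable[Incident], hourly_cost: float,
                    observation_days: int) -> float:
    """Total cost of the logged incidents, scaled from the observation window to a year."""
    if observation_days <= 0:
        raise ValueError("observation window must be at least one day")
    total = sum(incident_cost(i, hourly_cost) for i in incidents)
    return total * 365.0 / observation_days


def payback_years(annual_loss: float, capex: float,
                  annual_opex: float = 0.0) -> Optional[float]:
    """Years for the mitigation to pay for itself, or None if the running cost of
    the mitigation exceeds the loss it prevents (it never pays back)."""
    net_saving = annual_loss - annual_opex
    if net_saving <= 0:
        return None
    return capex / net_saving


# Constructed incident logs covering a 73-day observation window (365 / 73 = 5).
OBSERVATION_DAYS = 73
HOURLY_COST = 35.0  # assumed average hourly cost per employee, GBP

# Case 1: short, total power outages; everyone stops work.
POWER_OUTAGES = [
    Incident("2011-01-14", 1.5, 200, 1.0),
    Incident("2011-02-02", 1.5, 200, 1.0),
    Incident("2011-02-19", 1.5, 200, 1.0),
    Incident("2011-03-11", 1.5, 200, 1.0),
]
SUBSTATION_CAPEX, SUBSTATION_OPEX = 400_000.0, 10_000.0  # assumed

# Case 2: IT failures that degrade rather than stop work (40% productivity loss).
IT_FAILURES = [
    Incident("2011-01-20", 4.0, 50, 0.4),
    Incident("2011-03-01", 4.0, 50, 0.4),
]
EQUIPMENT_CAPEX = 14_000.0  # assumed


def compare(incidents: Iterable[Incident], capex: float, opex: float = 0.0) -> dict:
    """Annual loss versus mitigation cost for one class of incident."""
    annual = annualised_cost(incidents, HOURLY_COST, OBSERVATION_DAYS)
    return {"annual_loss": annual, "mitigation_capex": capex,
            "payback_years": payback_years(annual, capex, opex)}


if __name__ == "__main__":
    for name, result in (("power outages", compare(POWER_OUTAGES, SUBSTATION_CAPEX, SUBSTATION_OPEX)),
                         ("IT failures", compare(IT_FAILURES, EQUIPMENT_CAPEX))):
        print(f"{name}: annual loss GBP {result['annual_loss']:,.0f}, "
              f"mitigation GBP {result['mitigation_capex']:,.0f}, "
              f"payback {result['payback_years']} years")
```

The point of the design is that the same record format serves both a total outage and a degraded service: the productivity-loss fraction is 1.0 for the power case and something smaller for the IT case, so the two calculations differ only in their inputs. A None payback is returned deliberately when a mitigation's running cost exceeds the loss it prevents, which is exactly the investment the figures should stop you making.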

I realise that this suggestion won't change the world, but it should lead to a better understanding of how organisations are affected by real incidents, will help inform the risk analysis process, and will direct investment to the types of incident where the cost/benefit analysis yields the best results. I once suggested this approach to a head of BC and his initial reaction was to reel off a long list of big companies he had worked at that didn't do the calculation, as if that were reason in itself to keep his head in the sand, too scared to look. Others accept the idea more readily. I recall the first time I presented executive management with a calculation of lost productivity from a major incident in excess of $1 million; the executive's expression was priceless.

13 December 2011

Breaking up is hard to do - Civil Unrest

Most commentary surrounding the euro crisis has focused on the coming economic effects. PwC's recent paper summarises both the short-term risks and the medium-term consequences. However, there is a simultaneous and equally serious risk of prolonged civil unrest as a direct result of the fiscal crisis. In November, the UK Treasury confirmed that contingency planning for a potential euro collapse had been set in train. Concurrently, the Foreign and Commonwealth Office is understood to have instructed embassies and consulates to begin contingency planning for scenarios of political unrest, including civil disturbances. Memories of Iran are still all too fresh.

Social and political consequences of a possible euro collapse are inescapable, but the extent and scale of the impacts are as yet unclear. Under its commitments to the Lisbon Treaty and the overall framework guidance of the Common Security and Defence Policy (CSDP), the European Union ran a crisis management exercise from late November to early December. The conclusion of that process will provide a gap analysis and areas for further improvement.

The Eurozone is not a region in which political unrest and contingency planning for it have been a fundamental concern or priority. Social instability has been predominantly short-lived and its impacts usually contained. A prolonged campaign of violence, instability and vocal social distress would challenge any organisation operating in the Eurozone. Coupled with the financial effects of a currency collapse, should the fiscal controls intended to stave off a breakdown fail, this could render current contingency plans meaningless in the context of a region-wide unstable outlook.

With no genuine provision for member states to leave the union in a steady and organised breaking of their “contracts” with the rest of the organisation, any attempt to exit those agreements and commitments would create resentment and hostility at the political level. For the man on the street, how this filters down is only a concern if it directly reduces his quality of life. Should that transpire, we should expect civil unrest to become a recurring issue.

Ultimately, regardless of how realistic you consider this scenario, the situation provides a unique opportunity to review existing resilience arrangements against real concerns. Crisis management plans and resilience will be tested in the coming months and years; a test run by a business under controlled conditions is the chance to find the strengths and weaknesses before events do. In the next blog we will consider the explicit effects on supply chain management in the context of political instability.

01 December 2011

One day v four months of disruption. Has business prepared?

The UK public sector strikes on 30 November had the potential to affect many people around the country. With at least 2 million workers due to walk out, and front-line services from airports to schools affected, it is likely we all experienced some disruption.

In six months’ time, the UK is set for another period of disruption, this time as a result of the biggest sporting event in the world: the 2012 Olympics. Business will need to operate against a backdrop of disruption to the transport network, the supply chain, local infrastructure and staff availability.

Disruption could last for a period of four months. Staff may not be able to get into work, customers may be unable to access services and deliveries may be delayed. For some businesses, though, the Games provide an opportunity to generate more business.

Understanding the impacts and making preparations to ensure you can operate normally will be key to ensuring you can make the most of the Games.

2012 will be different. But how different? That’s where we can help. We have a team with experience in getting organisations ready for the Olympics. We have an in depth knowledge of the 2012 Olympic delivery programme and have implemented Olympic resilience at operational and strategic levels.

31 October 2011

Emerging Social Media tools for Business resilience

Ever more businesses and individuals are embracing social media to promote their products and services in a more informal and interactive way. Independent business research suggests that close to 83% of major corporations have adopted at least some form of social media strategy, with the remainder looking at ways to establish that capability. Engaging through social media is a subtle skill and the risks from poor execution are numerous. Loss of intellectual property, failure to engage clearly and the risk of misinterpreted statements are all business risks; however, failing to use the channel at all opens a vacuum for other sources to fill the information gap. Social media is still immature and, used improperly, risks alienating the very people a company is attempting to engage.

While customers are receptive to the trend, they have also eagerly welcomed the opportunity to respond directly when those services fail. It is a publicly available, open customer complaints system that brands are unable to control. By the same token it is also a direct route to your customers and offers a unique opportunity to have the dialogue you want with the people actually purchasing your product or service: a link into the living room with a level of familiarity never seen before. So how can the field of business resilience make use of this trend?

Horizon Scanning and intelligence
Social media is an excellent tool for horizon scanning, taking into account rising threats and emerging risks. It presents raw and unfiltered intelligence, the significance and accuracy of which is not always clear. However, there are few more up-to-date sources of intelligence on emerging trends, customer opinion and fast-developing detail from incidents such as the recent London riots or the ash cloud, for which both the public and the press now act as media filters.

In the business resilience field, organisations have a dual opportunity: to develop tools for anticipating crises that might affect them, and then for responding to them. Recent civil disturbances, strike action and other disruptive activity across the UK capital were organised almost exclusively through social media and telephone networks, and businesses with a practised horizon scanning capability anticipated and planned for the interruptions that followed. Social media also gives a business a way to promote its resilience credentials, publicising its plans and providing an extra layer of reassurance to customers, clients and suppliers in times of crisis. These tools are increasingly a means of updating stakeholders, providing situational updates and demonstrating a real commitment to, and understanding of, resilience.

17 October 2011

Impact vs Scenario

Some of you are waiting with bated breath for Richard’s next instalment about the common pitfalls of the business continuity programme, but I’m afraid you’ll have to wait a little longer... In this series focusing on the personal experiences of PwC’s BCM team, we now look at Tom’s views on impact v scenario...

“Floods, terrorism, economic crises, earthquakes…”…these are some of the words I associated with Business Continuity when I was first picturing my move in to this industry and indeed they are still the words I use when describing my job to people at the local. These descriptions attract a lot of interest and similarly drive my enthusiasm for explaining to people the role and relevance of BCM for businesses around the world.

Such disasters have a high profile, and it is a challenge to encourage people to think away from the large-scale incidents and try to relate to “less dramatic” incidents that may affect their businesses, jobs and also their livelihoods. This leads to one of the most important things I learnt in my first week – “understand that it is not about the scenario, it is about the impact”. The example used to explain this was the ash cloud in 2010 – whilst this scenario may not have previously been considered by most people, the impact of travel disruption should have been foreseeable and therefore recovery plans could have been in place.

With this advice, the mentality and explanations switch from the headline events to acknowledge the fact that the same impact can result from a range of smaller, “less extravagant” scenarios, most that will never reach the headlines, but can still do serious damage to the business. To engage senior managers, sometimes we need to switch our thinking to impacts that are in many cases more relevant and frequent. 

Take the simple example of access to buildings: businesses should think ahead about what they would do if staff cannot get into the building and how they would then keep their most important services running. The focus does not need to be on what causes this eventuality, which might range across snow, tube strikes, travel disruption, industrial action etc. At the end of the day, the impact remains the same: staff cannot get into the building. This should also prevent managers from spending unnecessary time planning for an endless list of possible scenarios with the same eventuality; this is where Business Continuity comes in.

Many BCM managers see their top management showing an interest only in crisis scenarios, and it is difficult to engage them in what they perceive to be operationally focused BCM. Yet by changing the focus from scenarios to impacts, taking into account what is important to the business such as reputation, strategy, regulation, finance etc., a great deal of time and effort can be saved on creating exhaustive lists of potential events and scenarios, and it becomes easier to gain the enthusiasm and commitment from the board that you need to drive forward an effective Business Continuity programme. There is a case for scenario planning to help support the organisation’s BC plans, but it should never be the starting point for a successful Business Continuity programme.

To find out more about our thoughts on BCM and how it can help your business why not stop by our stall at the World Conference and Exhibition 2011, at Olympia 9 & 10 November.

05 October 2011

Successful strategies for certification

A commonly asked question within the business continuity community is whether certification to BS 25999 is really that beneficial, particularly for SMEs. In fact, I asked myself the same question a couple of years ago. Since then, I have gone through the certification process and have seen the direct results of certification. Over the next few blog posts I will try to offer some thoughts on whether it is a worthwhile expense or a meaningless expenditure.

The key is to understand that BS 25999 certification is not for everyone. An organisation needs to ask itself some very simple questions before embarking on a programme that, if not thought through properly, will provide little or no benefit over simply aligning to the requirements of the standard. These are the sort of questions an organisation needs to ask itself:

  • What will BS 25999 certification achieve? 
  • Would alignment to the principles of the standard achieve the same results? 
  • Are the principles of the standard suitable for your organisation? 
  • Certification is an ongoing programme, so can sufficient resources be invested now and in the future?

I found that being certified to BS 25999 does provide some benefits that are not seen through simply aligning to the standard. It was invaluable for marketing purposes: not only did certification offer clients and prospective clients independent evidence of a high standard of resilience, but it also demonstrated that the organisation was willing to go that extra mile for the client. My experience also taught me that certification does not need to be as expensive as is often thought. State-of-the-art solutions are not required; it is about using what the organisation already has, identifying weaknesses and improving upon them. On top of this, certification resulted in lower insurance costs for the organisation. Taken together, these points mean certification can be a very cost-effective programme.

These benefits will only be realised if the common pitfalls are avoided, as they can directly threaten the success of the business continuity programme. It is worth noting that many organisations have gone for certification and been caught out by the same few pitfalls. In the next blog I will explain some of these pitfalls and how to avoid them.

15 September 2011

Could the UK soon be facing the Winter of Discontent?

Britain again faces the threat of mass walkouts by public sector workers. These are set to begin as early as November and could run indefinitely.

The GMB has stated that “we're not talking about a day out and a bit of a protest, because this is going to require days of action running through the winter, through into next year right into the summer."

Given this kind of warning, it makes sense for organisations to look now at how they intend to cope, rather than waiting until events outstrip their ability to respond and recover.

A small amount of consideration and planning now can avoid a great deal of headaches further down the line.

Proactive companies will already be thinking about how these walkouts may affect them specifically. School closures, transport disruption and lack of other public services upon which employees depend may result in increased absenteeism, supply chain disruption and reduced availability of goods and services. 

Organisations would do well to take a look now at their work from home arrangements, transport arrangements, communication options and other potential opportunities to manage through such disruption.

They should question the level of confidence in their ability to handle the effects of strikes, and where plans and arrangements are already in place for this kind of event, check to see when they were last rehearsed.

Where organisations do not have specific business continuity or response plans in place to deal with industrial action, they can draw on existing plans that are tried and tested. Many companies created plans for mass absenteeism in preparation for pandemic flu. Transport disruption was a significant factor during the severe weather last winter, and companies can draw on that experience to prepare for industrial action.

At the very least, businesses should understand their key business processes and the likely impact of disruption, both on those processes and on the resources or services upon which they depend, particularly where organisations rely heavily on extended supply chains.

That said, with all of this discussion happening about a potential, rather than an actual, event it is important that organisations do not overplay this particular risk. There needs to be a level of pragmatism in the approach taken and a constant review of the developing situation will help inform any required response.

Regardless of what eventually takes place it is certain that it pays to be prepared. Even if industrial action is avoided other events can and will take place that can affect organisations in very similar ways; preparing simple and straight-forward business continuity plans well in advance is always a worthwhile investment.

01 September 2011

Converged Security

Cyber-crime is not new. It is a fast-evolving business (yes, I am describing it as a business), but that is not new either. As in so many businesses, and in life in general, evolution rewards the adaptable and builds on the strengths of those that can adjust.

Cyber criminals these days probably have MBAs. I know there are already operations structured as multiple units, each playing a distinct role: identification of targets (Research & Development: vulnerability discovery and exploitation), penetration and capture or collection of information (Logistics: botnet deployment), and product distribution (Sales: criminal actions).

These may be loosely banded at the moment, but how long before they are streamlined? Will wholesalers be directed to pick their targets to satisfy the various sales channels (Business Development: criminal mobility) that have together set revenue targets and with whom they have built business plans? Will they begin to employ (or do they already have) assessors who look through the volumes of captured data and route PII to their identity fraud or credit card fraud divisions? Intellectual property will be moved into the appropriate sector [car manufacturers in the Far East are driving prices up this year while new energy technologies are down] for sale on the international market.

In fact all the divisions will operate on a global scale [Ransom as a revenue tactic seems to work best in the SME range in the Americas while blackmail (threat of media disclosure of captured information and therefore loss of company reputation) is producing record results in the FTSE 500 targets / European headquartered multinationals]. 

Revenues will grow. Competitors in this market may start targeting each other to steal what has already been stolen (is that a crime?). What about 'legitimate' bounty hunters, hired for a fee to steal back what was stolen? Is it better to pay a bounty hunter than to pay the people demanding a ransom? How will you know which is which? Cyber criminal businesses will "buy up" these bounty hunter operations (Investment: money laundering) and build a set of independence rules that separate them from their core operations, hedging their bets to ensure they get paid either way and driving innovation on both sides.

These scenarios are only partially fiction. The effects are real, and they are very much an issue for business continuity. For our businesses to survive, BC needs to evolve, embrace and incorporate more of the contributions made by other security disciplines. BC does not address cyber-crime directly, but it is absolutely essential that our ties with the other Risk and Security disciplines are strengthened so that the effects are dealt with. Through Crisis Management exercises, businesses hone their decision making and public response mechanisms, while vulnerability management experts provide advice and guidance on how to respond. Information Security influences DR solutions by building suitable controls into the technical solution design. Physical Security participates in the selection of the recovery site and its controls.

Convergence isn't an option or a luxury, it is a necessity for survival.