Business Continuity Management

05 January 2012

Determining the Cost of Service Impacts

Over the past ten years I have observed a disconnect that I continue to find fascinating.

Many organisations determine their business continuity risk exposures based largely upon predicted financial impacts. These calculations may include reputation and other facets which are in turn estimated in a USD or GBP value. The results help the organisation prioritise their response and often lead to investment choices. These are all predictions.

So, if an organisation has gone through the trouble of predicting costs, why don't they validate their predictions by calculating the cost of disruptions when they occur? It is like setting a sales target but not adding up what was sold - you just wouldn't do that.

I have a few ideas as to why this information is not collected. Even though big incidents get attention, management are usually so pleased to have recovered and so caught up in heralding their success that the cost of the impact is at best forgotten, at worst purposely avoided. Smaller but frequent incidents often get ignored, passed over as part of the background challenges that business face. Stressed teams think that it will be a mammoth task to calculate the costs so it is put on the “too difficult” pile.

It does not have to be a difficult task. It depends entirely on the organisation but for some, simple calculations would be all that is needed as the order of magnitude is more important than exact figures. For some it may be enough to use number of employees * hours of interruption * average employee salary = financial impact. Average sales during that period may be right for others. How about using the same calculation used to derive the risk assessment rating (assuming it was more than a guess)?

There are good reasons why I advocate this calculation. From my experience, one company that faced frequent but short duration power outages began adding up the costs of the outages and were able to compare that to the costs of commissioning a new substation to provide them with a more stable supply. Another was able to examine frequent IT system failures (admittedly they had to use a slightly more complex calculation to show a % productivity impact as they didn't lose all functionality) and determined that the costs of new equipment to prevent the failures was a fraction of the annual lost productivity. Building resilience and adding preventative measures are basic tools of successful Business Continuity / Disaster Recovery Management and using this information allows the organisation to better recognise savings.

I realise that this suggestion won't change the world but it should lead to a better understanding of how organisations are impacted by real incidents, will help inform the risk analysis process and direct investment to the types of incidents where the cost/benefit analysis yields the best results. I once suggested this approach to a head of BC and his initial reaction was to provide a long list of big companies that he worked at that didn't do the calculation - as if that was reason in itself to continue with his head in the sand, too scared to look. There are those that accept the idea more readily. I recall the first time I provided to executive management the calculation of lost productivity from a major incident in excess of $1 million - his expression was priceless.

Posted at 10:06 AM in Nathaniel Small | Permalink | Comments (0)

13 December 2011

Breaking up is hard to do - Civil Unrest

Most commentary surrounding the euro crisis has focused on the upcoming economic effects. PwC's recent paper summarises both short term risks and medium term consequences. However, there is a simultaneous and equally negative risk of prolonged civil unrest as a direct result of the fiscal crisis. In November, the UK Treasury confirmed that contingency planning for a potential Euro collapse had been set in train. Concurrently the Foreign and Commonwealth Office is understood to have instructed Embassies and consulates to begin contingency planning for scenarios of political unrest including civil disturbances. Memories of Iran are all too fresh in memories.

Social and political consequences as a result of a possible euro collapse are inescapable but the extent and scale of the impacts is as yet unclear. Under its commitments to the Lisbon Treaty and the overall framework guidance of the Common Security and Defence Policy (CSDP), The European Union organised a crisis management exercise through late November to early December. The conclusion of that process will provide a gap analysis and areas for further improvement.

The Eurozone is not an area for which political unrest and contingency planning has been a fundamental concern or priority. Social instability has been predominantly short lived and any impacts usually restricted. A prolonged campaign of violence, instability and the vocalisation of social distress will challenge any organisation operating in the Eurozone. This, coupled with the financial effects of a currency collapse should fiscal controls to stave off a breakdown fail, could destabilise and potentially render any current contingency plans meaningless in the context of a region-wide unstable outlook.

With no genuine provision for member states to leave the union in a steady and organised breaking of their “contracts” to the rest of the organisation any attempts to exit their agreements and commitments would create resentment and hostility at the political level. For the man on the street how this filters down is only a concern if it directly reduces their quality of life at an individual level. Should this transpire we should expect civil unrest to become a recurring issue.

Ultimately, regardless of how realistic you consider this scenario, the situation provides a unique opportunity to review existing resilience arrangements using real concerns. Crisis management plans and resilience will be tested in the coming months and years; a test managed by a business in controlled conditions is the chance to test the strength and weaknesses that might arise. In the next blog we will consider the explicit effects on supply change management in the context of any political instability.

Posted at 11:02 AM in Jaime Burnell | Permalink | Comments (0)

01 December 2011

One day v four months of disruption. Has business prepared?

The UK public sector strikes on the 30 November had the potential to affect many people around the country. With at least 2 million workers due to walk out, and front line services, from airports to schools impacted, it is likely we all experienced some disruption.

In 6 months time, the UK is set for another period of disruption, this time as a result of the biggest sporting event in the World – the 2012 Olympics. Business will need to operate against a back drop of disruption to the transport network, supply chain, local infrastructure and staff absences.

Disruption could last for a period of 4 months. Staff may not be able to get into work, customers unable to access services and deliveries delayed. For some businesses though the Games provide an opportunity to generate more business.

Understanding the impacts and making preparations to ensure you can operate normally will be key to ensuring you can make the most of the Games.

2012 will be different. But how different? That’s where we can help. We have a team with experience in getting organisations ready for the Olympics. We have an in depth knowledge of the 2012 Olympic delivery programme and have implemented Olympic resilience at operational and strategic levels.

Posted at 11:38 AM in Leigh Farina | Permalink | Comments (0)

31 October 2011

Emerging Social Media tools for Business resilience

Ever more businesses and individuals are embracing social media to promote their products and services in a more informal and interactive way. Research by independent business studies shows that close to 83% of major corporations have adopted at least some form of social media strategy and those remaining looking at ways to establish that capability. Engaging social media is a subtle skill and the risks from poor execution are numerous. Loss of intellectual property, failure to clearly engage and the risk of misinterpreted statements are all business risk however failure to support its use opens a vacuum for other sources to fill the information gap. Social media is still immature and used improperly risks alienating the very people a company is attempting to engage.

While customers are receptive to the trend they have also eagerly welcomed the opportunity to respond directly when those services fail. It is a publicly available, open source customer complaints system that brands are unable to control. By the same token it is also a direct route to your customers and offers a unique opportunity for you to have the dialogue you want with the people directly purchasing your product or service. A link into the living room with a level of familiarity like never before. So what are the ways that the field of business resilience can capture this trend?

Horizon Scanning and intelligence
Social media is an excellent tool towards horizon scanning, taking into account rising threats and emerging risks. Social media presents raw and unfiltered intelligence, the significance and accuracy of which is not always clear. However there are fewer more up to date sources of intelligence, setting out emerging trends, customer opinions and rapid emerging details from incidents like the recent London riots or ash cloud from which now both the public and press are acting as media filters.

In the business resilience field organisations have a dual opportunity to develop tools for anticipating and then responding to crises that might affect them. Recent civil disturbances, strike action and other disruptive activity across the UK capital was almost exclusively organised through social media and telephone networks. Businesses with a practiced horizon scanning capability anticipated and planned for the interruptions that occurred. Social media also presents a way in which a business can promote its resilient credentials, advertising its plans and providing an extra layer of reassurance to customers, clients and suppliers in times of crisis. These tools are increasingly a method for updating stakeholders and providing situational updates and demonstrating a real commitment and understanding of resilience.

Posted at 01:04 PM in Jaime Burnell | Permalink | Comments (0)

17 October 2011

Impact vs Scenario

Some of you are waiting with baited breath for Richard’s next instalment about the common pitfalls of the business continuity programme, but I’m afraid you’ll have to wait a little longer... In this series focusing on PwC’s BCM team’s personal experiences, we now look at Tom’s views on impact v Scenario...

“Floods, terrorism, economic crises, earthquakes…”…these are some of the words I associated with Business Continuity when I was first picturing my move in to this industry and indeed they are still the words I use when describing my job to people at the local. These descriptions attract a lot of interest and similarly drive my enthusiasm for explaining to people the role and relevance of BCM for businesses around the world.

Such disasters have a high profile, and it is a challenge to encourage people to think away from the large-scale incidents and try to relate to “less dramatic” incidents that may affect their businesses, jobs and also their livelihoods. This leads to one of the most important things I learnt in my first week – “understand that it is not about the scenario, it is about the impact”. The example used to explain this was the ash cloud in 2010 – whilst this scenario may not have previously been considered by most people, the impact of travel disruption should have been foreseeable and therefore recovery plans could have been in place.

With this advice, the mentality and explanations switch from the headline events to acknowledge the fact that the same impact can result from a range of smaller, “less extravagant” scenarios, most that will never reach the headlines, but can still do serious damage to the business. To engage senior managers, sometimes we need to switch our thinking to impacts that are in many cases more relevant and frequent.

Take the simple example of access to buildings: businesses should think ahead about what they would do if staff cannot get in to the building and how they then keep their most important services running. The focus does not need be on what causes this eventuality, which might range across snow, tube strikes, travel disruption, industrial action etc..At the end of the day, the impact still remains that staff cannot get in to the building. This should also prevent managers from spending unnecessary time planning for an endless list of possible scenarios with the same eventuality – this is where Business Continuity comes in.
Many BCM managers see their top management only showing an interest in crisis scenarios, and it is difficult to engage them in what they perceive to be operationally focused BCM. Yet, by changing the focus from scenarios to impacts – taking into account what is important to the business such as reputation, strategy, regulation, finance etc - a great deal of time and effort can be saved on creating exhaustive lists of potential events and scenarios and it becomes easier to gain the enthusiasm and commitment from the board that you need to help drive forward an effective Business Continuity programme. There is a case for scenario planning to help support the organisation’s BC plans, however this should never be the start point for a successful Business Continuity programme.

To find out more about our thoughts on BCM and how it can help your business why not stop by our stall at the World Conference and Exhibition 2011, at Olympia 9 & 10 November.

Posted at 11:26 AM in Thomas Wootton | Permalink | Comments (0)

05 October 2011

Successful strategies for certification

It seems that a commonly asked question within the business continuity community is whether certification to BS 25999 is really that beneficial, particularly for SMEs. In fact, I wondered this same question a couple of years ago. Since then, I have gone through the certification process and have seen the direct results of certification. Over the next few blog posts I will try to provide some thoughts on whether it is indeed a suitable expense or a meaningless expenditure.

The key is to understand that BS 25999 certification is not for everyone. An organisation needs to ask itself some very simple questions before embarking on a programme that, if not thought about correctly, will provide little or no benefit to the organisation over that of simply aligning to the requirements of the standard. These are the sort of questions an organisation needs to ask itself:

What will BS 25999 certification achieve?
Would alignment to the principles of the standard achieve the same results?
Are the principals of the standard suitable for your organisation?
Certification is an ongoing programme, so can sufficient resources be invested now and in the future?

I found that being certified to BS 25999 does provide some benefits that are not seen through simply aligning to the standard. It was invaluable for marketing purposes – not only did certification offer proof to clients and prospective clients of a high standard of resilience, but it also demonstrated that the organisation was willing to go that extra mile for the client. My experience also taught me that certification does not need to be expensive as is often thought. State of the art solutions are not required for certification, it is about using what the organisation has available, identifying weaknesses and improving upon them. On top of this, certification resulted in lower insurance costs for the organisation. When considering these points, certification can result in a very cost-effective programme.

These benefits will only be realised if the common pitfalls can be avoided. These pitfalls can directly threaten the success of the business continuity programme unless they are avoided. It is worth noting that many organisations have gone for certification and been caught out by the same few pitfalls. In the next blog I will explain some of these pitfalls and how to avoid them.

Posted at 10:31 AM in Richard Mapes | Permalink | Comments (0)

15 September 2011

Could the UK soon be facing the Winter of Discontent?

Britain again faces the threat of mass walkouts by public sector workers. These are set to begin as early as November and could run indefinitely.

The GMB has stated that “we're not talking about a day out and a bit of a protest, because this is going to require days of action running through the winter, through into next year right into the summer."

Given this kind of warning, it makes sense for organisations to take a look now at how they intend to cope rather than waiting until events outstrip their ability to respond and recover when it does happen.

A small amount of consideration and planning now can avoid a great deal of headaches further down the line.

Proactive companies will already be thinking about how these walkouts may affect them specifically. School closures, transport disruption and lack of other public services upon which employees depend may result in increased absenteeism, supply chain disruption and reduced availability of goods and services.

Organisations would do well to take a look now at their work from home arrangements, transport arrangements, communication options and other potential opportunities to manage through such disruption.

They should question the level of confidence in their ability to handle the effects of strikes, and where plans and arrangements are already in place for this kind of event, check to see when they were last rehearsed.

Where organisations may not have specific business continuity or response plans in place to deal with Industrial action, they can draw on existing plans which are tried and tested. Many companies created plans for mass absenteeism in preparation for pandemic flu. Transport disruption was a significant factor during the severe weather last winter and companies can draw on this experience to prepare for industrial action.

At the very least, businesses should understand their key business processes, the likely impact of the disruption both to these and to the resources or services upon which they depend – particularly where organisations are heavily dependent upon extended supply-chains.

That said, with all of this discussion happening about a potential, rather than an actual, event it is important that organisations do not overplay this particular risk. There needs to be a level of pragmatism in the approach taken and a constant review of the developing situation will help inform any required response.

Regardless of what eventually takes place it is certain that it pays to be prepared. Even if industrial action is avoided other events can and will take place that can affect organisations in very similar ways; preparing simple and straight-forward business continuity plans well in advance is always a worthwhile investment.

Posted at 02:00 PM in Richard Mapes | Permalink | Comments (0)

01 September 2011

Converged Security

Cyber-crime is not new. It is a fast evolving business - Yes, I am describing it as a business - but that is not new either. Like in so many businesses, and life in general, evolution rewards the adaptable and builds on strengths of those that can adjust.

Cyber criminals these days probably have MBAs. I know there are already operations that are structured with multiple units each playing a distinct roles such as the identification of targets (Research & Development: Vulnerability and Discovery Exploitation), Penetration/Capture/collection of information (Logistics: Botnet Deployment), product distribution (Sales: Criminal Actions).

These may be loosely banded at the moment but how long before they are streamlined? Will wholesalers be directed to pick their targets to satisfy the various sales channels (Business Development: Criminal Mobility) that have together set revenue targets and with whom they have built business plans? Will they begin to employ (or do they already have) assessors who look through the volumes of data they have captured and separate out PII to their identity or credit card fraud divisions. Intellectual property will be moved into the appropriate sector [car manufacturers in the far east are driving prices up this year while new energy technologies are down] for sale on the international market.

In fact all the divisions will operate on a global scale [Ransom as a revenue tactic seems to work best in the SME range in the Americas while blackmail (threat of media disclosure of captured information and therefore loss of company reputation) is producing record results in the FTSE 500 targets / European headquartered multinationals].

Revenues will grow. Competitors in this market may start targeting each other to steal what has already been stolen (is that a crime?). What about 'legitimate' bounty hunters, hired for a fee to steal back what was stolen? Is it better to pay a bounty hunter than it is to pay the people demanding a ransom? How will you know which is which? Cyber criminal businesses will "buy up" these bounty hunter operations (Investment: Money Laundering) and build a set of independence rules that separate them from their core operations, hedging their bets to ensure they get paid either way and driving innovation on both sides.

These scenarios are only partially fiction. The effects are real. And, they are really an issue for business continuity. In order for our businesses to survive, BC needs to evolve, embrace and incorporate more of the contributions made by other security disciplines. BC does not address cyber-crime issues directly but it is absolutely essential that our ties with other Risk and Security disciplines are strengthened so that the effects are dealt with. Through Crisis Management exercises businesses hone their decision making and public response mechanisms while vulnerability management experts provide advice and guidance on how to respond. Information security influence DR solutions by providing suitable controls into the technical solution design. Physical Security participate in the selection of the recovery site and it's controls.

Convergence isn't an option or a luxury, it is a necessity for survival.

Posted at 10:52 AM in Nathaniel Small | Permalink | Comments (0)

18 August 2011

Should risk assessments better reflect customer needs?

You could argue that trust is what holds our society together – without it we have no personal credibility, our companies have no value and our Governments no authority to govern. We have been treated to a series of macro case studies over the past few months showing how the simple loss of trust from key stakeholders can bring down, or undermine an entire system. The Greek, Irish and Portuguese governments have experienced this and so too, to a certain extent, has News International which chose to close down the UK’s most profitable and widely distributed daily newspaper following revelations about the use of phone hacking.

So it appears that trust matters but who decides when trust has been lost and how do we measure its impact before it goes? The answers to both of these questions are absolutely fundamental to an organisation’s risk management arrangements, but are often overlooked in the risk assessment process. I am frequently asked to review risk management approaches on behalf of our clients and I can count on one-hand the number of times I have found a good example of where reputational impacts are adequately measured.

It should not be hard but I guess it is easier to focus on quantitative data – hard financial figures, number of casualties etc, rather than engage in a debate that, unchecked, can become a little nebulous. Perhaps this says more about the mind of the average risk professional.

Risk management in many organisations has come to resemble an engineering process with strict rules and methods that are enforced from the centre and applied verbatim. Where reputation is quantified you often see the impact being linked back to quantitative statistics – a defined amount of negative reporting in the press, sanctions imposed by a regulator etc. Where do our customers come in? Surely they deserve to be recognised for the ultimate dependence we have on them, rather than measuring a secondary or tertiary impact. Ultimately, if you mess up, your customers will look elsewhere – the fines from a regulator or the bad press you receive are just symptoms of an impact that have already materialised.

The problem with this is that risk management can too easily become a compliance exercise with risk registers being completed with little thought being given to the end result. In addition, methodologies are often skewed towards measuring impacts, particularly reputation, that have occurred in the past meaning assessments can never really be adequately applied to address future risks.

I started this blog by talking about the inadequacy of many risk methods in addressing reputational impacts of risk. However, the principles of much of what I have said can be carried forward to improve the measurement of other risk impacts. By reducing the emphasis on a rules based, statistics heavy process and moving towards, and this may be unpalatable for some, the feelings of our customers and stakeholders to gauge the impact of reputational damage, risk assessments can become more real and finely linked to the needs of our customers.

Posted at 09:39 AM in James Crask | Permalink | Comments (0)

12 August 2011

What have businesses done to work through the riots?

James Crask, a contributor to the PwC Business continuity blog, was on BBC radio 5 and the BBC News channel. Hear his thoughts on the riots and how Business Continuity could have helped business'.

Listen to BBC radio five live interview

Download and watch BBC News interview

Posted at 03:48 PM | Permalink | Comments (0)