07 May 2013

Avian flu... here we go again!

By Sev McGinty

We come to that time again when days get lighter and birds become more infectious... With the recent news of bird flu and reports by the World Health Organisation of its spread around the world, we think it's a good time to dust off the plans we have all made and just check they are up to date.

For example, areas that you could look at could be to make sure contact details are up to date within your communication cascade, refreshing the knowledge of designated individuals on their roles and responsibilities, reviewing your procedures to ensure they remain relevant and/or reflect any organisational changes, testing and exercising these procedures to ensure they are fit for purpose, and confirming designated resources are still available and accessible.

If all else fails, don't share a drink with a chicken and make sure you identify your critical activities, consider the risks, develop your plans, and exercise, exercise, exercise.

Sev McGinty:
Contact by email | Tel: 020 7804 3099

19 April 2013

In the Absence of Knowledge, Does Common Sense – and Risk Integration - Prevail?

By Charley Newnham

Imagine you’ve no experience of Risk, Business Continuity or Health and Safety, but have been put in charge of these areas at a new company. You have no staff to assist; the websites that will be most useful charge for access and the books you ordered will take 2 weeks to reach you. The CEO wants an outline of your approach now.

This was almost exactly the tale we heard at an industry event recently. We asked how the individual responded:

“We have to manage risks, and I know we have to have plans to deal with risks we can’t mitigate, and I know we have to test plans to check they work. I asked for a list of risks staff could think of. I sorted them with the most important ones at the top and we did a few exercises, just pretending each one had happened. At the end of each session I wrote a Standard Operating Procedure on what we’d do if the scenario occurred, using what we learned at the exercise and going back later to make sure they still made sense. We just need to professionalise it before a big client comes down in a couple of weeks and asks us to talk about it using business terminology.”

This proves that a good dose of common sense results in something we’ve been preaching for a while: an integrated approach to all things Risk and BCM.

Our friend knew instinctively that to manage uncertainty he needed to understand the risks, mitigate or manage them, and have a plan for those that materialised. With no resources he had no choice but to prioritise work according to the likelihood and impact of the risk. With little subject-matter expertise and an injection of common sense, he’s building an integrated operational risk framework.

We could help him streamline and harden his planning, and introduce a degree of robustness that he’s lacking at present.  However, we’d endorse sticking with the integrated approach stumbled upon by accident.

The siloed approach leaves gaps in intelligence resulting in less effective or efficient mitigation arrangements. An integrated solution is more robust and sustainable and is simply common sense in organisations keen to maximise their resources.

Charley Newnham:
Contact by email | Tel: 0117 928 1156

06 March 2013

Cyber Attacks - The new face of business disruption

By Dale Johnston

As everyone knows, a business without an online presence is probably not maximising the social, commercial and competitive opportunities available.   However, those that do face a growing number of cyber attacks.  The risks to businesses are amplified by the ever increasing connectivity and diversity of technology.

According to the World Economic Forum’s Global Risk Report 2013, many cyber related risks such as “cyber attacks, critical systems failure, massive incident of data fraud/theft and massive digital misinformation” are both likely and will have a major impact in the world over the next 10 years.

Although government and its bodies remain targets for both cyber warfare and hacktivism, businesses are also coming under attack. Infrastructure such as power grids and waterworks, and any connected device, is potentially a target.

Cyber attacks are becoming more complex and technologically advanced, and the attackers behind them more highly skilled. And whilst hackers have continued to develop a potent skill set, the most basic security holes are still utilised to gain access to critical systems, and no one can deal with ‘zero-day’ attacks.

We need to think beyond traditional security measures, towards a more real-time defence that incorporates an understanding of people’s behaviours. Choosing not to invest in this area is risky when we consider the increase in attacks, and the financial and reputational loss suffered by businesses. In recent weeks 48 large businesses have been breached including the likes of Apple and Facebook. This has been hugely damaging to their reputation.

Understanding the risks to your business’s technology and having plans in place for “disaster” recovery is vital for any agile business. Don’t fall into the trap of thinking that assigning the problem to the technology/IT department on its own is enough, as the repercussions from an attack will show you how wide ranging the damage can be.

Dale Johnston:
Contact by email | Tel: 020 721 33017

14 November 2012

Hurricane Sandy - a reminder why businesses need to be prepared for extreme weather

When weighing up the decision to invest in planning for weather disruption to your business it seems folly to bury your head in the sand, as it has probably already been blown away! Extreme weather events have become a more common feature in our lives, and both their likelihood and extremity are increasing.

The onset of Hurricane Sandy battering the East Coast of America shows the kind of impact extreme weather can have on one of the most advanced countries in the world. Many large firms invested in disaster recovery and planning measures after the 9/11 attacks, with continuous data replication backed up to data centres located elsewhere in the country or to cloud-based systems.

Whilst these investments were crucial, Sandy has reminded us how prone infrastructure is to failure and how dependent we are on its availability – a similar lesson was learned in the UK following severe flooding in 2007.

Many businesses are building capacity into infrastructure to cope with future climate volatility. In China for example, new high-speed railway lines have been built to withstand extreme weather and ensure business continuity in temperatures ranging from as low as -39.9 degrees Celsius in the winter to 40 degrees Celsius in the summer.

Although predicting extreme weather patterns can be a challenge, good business continuity can help mitigate or reduce operational impacts and a broader approach to resilience can help an organisation consider a joined up approach to tackling the problem.  

You cannot plan for every logical scenario and certain issues will be outside a business’s control, such as the continuity of important public infrastructure. However, assessing existing Business Continuity arrangements, influencing the environment in which they operate, and challenging whether the business strategy is right for a changing world are the broad areas to focus on.

It is time to assess your exposure to climate risks and adapt to the situation facing your organisation. Readiness and agility to ensure your business does not give its (better prepared) rivals a competitive advantage will be the difference between recovery and failure.

24 October 2012

Indian power cuts and the potential risks/lessons for the western world

In July 2012, India experienced a series of power cuts which left 700 million people without electricity, dwarfing any other outage in the past 50 years. Given the dependence of the UK on outsourcing to this region, is this something we should be worried about, and are there any lessons to be learnt?

Although the power sector in India has undergone significant development since gaining independence in 1947, the shortfall between supply and demand continues to widen, with current figures indicating that 300 million people do not have access to electricity. The state of the power infrastructure means major investment is needed to prevent disruptions becoming worse.

For those with access to electricity, power cuts have long been a part of everyday life. In 2010, blackouts and power shedding interrupted irrigation and manufacturing across the country. The regularity of power cuts pushed most large organisations and industries into developing contingency arrangements, specifically emergency power supplies. Because of this, most organised industries do not face the direct impacts of a grid failure. However, they do experience the indirect effects in the form of, for example, delays or the shutdown of public transport and street lighting.

So what was the impact to the UK from the July power cuts?  Surprisingly little!   Whilst smaller domestic businesses  were disrupted, large businesses invoked their Business Continuity plans to ensure that services to global clients ran as usual, benefitting from the investments made in backup diesel generators.  This meant that IT and call centre functions off-shored from the UK were largely protected from the outages, thanks to BCM arrangements.

However, it would be a mistake for Western countries to assume that this couldn’t happen closer to home.  Countries, such as the US and UK, have aging power infrastructures coming under greater pressure with higher demand for air-conditioning and other electrically driven appliances, coupled with the effects of global warming and population increases.  Uninterrupted power cannot be taken for granted.  Investment in our Business Continuity capabilities to ensure that we are adequately protected from disruption to key supplies will pay large dividends when disruption inevitably occurs.

27 June 2012

Recipe for disaster

During my few weeks working with the BCM team I began to learn the foundations of a good, and not so good, Business Continuity plan. In order to understand this new subject I did what I always do: liken it to something from everyday life, in this instance cooking.

A Business Continuity Plan can be seen as a recipe, which brings together the right ingredients, at the right time to produce a desired result. These recipes can have very different ingredients or instruction but the fundamental processes, as with culinary skills, are the same and can be relied upon again and again.

Consider the Béchamel sauce – a simple roux, [for those not familiar, this is a combination of butter and flour] combined with milk which can then be adapted for an endless array of sauces – cheese, brandy, rum, added to lasagne, fish pie, the list goes on.

During discussions of what to include in a plan, I realised that it’s not just the actions that need to be included, but specific instructions of how that action is going to happen, what resources are required, and when, in relation to the other actions, it should be completed – therefore providing the recipe to respond to the disruption at hand.

When you open Delia’s ‘How to Cook’, she doesn’t say “bung it in a pan and hope for the best”, instead she gives you the step by step instruction that any wobbly kneed new cook requires to make something that is edible with minimal stress.  That, I have realised, is what a good BCM plan tries to achieve – not just the action, but the HOW that action can be completed.

To go to all the effort to write a plan, but fail to give the right instructions and guidance, makes the plan useless and ineffective, and at a time of crisis, no one can make head or tail of what they are doing. There is nothing worse than finding, after half an hour of sweating over the stove, that the recipe has not given you guidance on how to finish – for example, "place in the oven until cooked". How do you know when it is cooked? How long for? What temperature? "Bake for 20 minutes, at 200°C, until crisp and golden" is considerably more helpful, and helps you avoid the dreaded blackened signs of burning failure.

Finally the BCM plan should be exercised. The BCM plan needs to become that reliable recipe; that one when no matter who is coming for dinner, or how little warning you have, you know it will work.  A brand new recipe when the future in-laws are coming for dinner could lead to a much more stressful situation, not knowing what is going to happen or if the meal will even be edible.  In the event of a crisis, the team need to know what they are doing to minimise any extra stress in an already stressful environment and exercising will help ensure this.

Once complete and exercised all that is left to do is ensure the ingredients are in the cupboard and the recipe is close to hand, should a disaster strike.

30 May 2012

Prospering in an era of uncertainty

I am pleased to announce our new paper 'Prospering in an era of uncertainty', which looks at the case for resilience – the capacity of a firm to survive and thrive in an era of uncertainty, and navigate through turbulence in the wider business environment.

Produced in association with the University of Oxford, we identify what drives resilience and how it serves the organisation in good times and bad, and identify emerging practices in leading organisations, before setting out a possible future agenda for developing resilience further.

Resilience not only helps to extend the focus beyond resistance to shocks to include responses, but it also supports longer-term thinking about new risks and opportunities. Those organisations that learn from failure and link different assets and processes through a strategic conversation will be well placed to not only exhibit resilience but exploit the opportunities.

Follow this link to access the paper, and also, if you wish, to take part in our survey on the subject:

http://www.pwc.co.uk/governance-risk-compliance/publications/prospering-in-an-era-of-uncertainty-the-case-for-resilience.jhtml

29 May 2012

Drought – a warning for improved resilience

Successive dry winters have left the Southern half of the UK with little water – for London and the South East we have officially been in a drought for many weeks.  News stories suggest this drought, which appears to be spreading, could last up until Christmas. 

Despite the warnings, a hosepipe ban and public awareness campaigns to save water you would think on driving through our cities that nothing much has changed.   I was astonished at the weekend to see a queue outside my local car wash – I forgot how important it is to look your best whilst driving 90mph down the M40. 

It is quite typical though of our response to these sorts of events – perhaps it’s a feeling the issue does not apply to them, or that it will be alright now we have had a few days of heavy showers.  I recall the “swine flu” parties organised to deliberately infect children to give them immunity to the virus – this despite Government warnings and the increased chance of death, truly astonishing.

So what, you might ask? I just won’t water my garden. But the impact is likely to be much greater than a brown lawn. If the standpipes arrive in our streets we all ought to be preparing now. You don’t really want to find out how important water is as a key resource supporting your operations when it is switched off. It’s not just lavatories either – do you know how dependent you are on water both at your site and within your supply chain? Perhaps your computer system is cooled by mains water (as some are) or you use water within a manufacturing process.

The response is quite different to the loss of other essential utilities.  The loss of electricity can be mitigated by generators, gas could, with some expense, be stored.  For businesses that use large quantities of water additional storage is not a viable solution.  You can’t easily buy from another supplier either. 

The issue calls for a wider look at an organisation’s risks and the way it manages them.  Business Continuity will help but it will not resolve the issue entirely, especially if the availability of water (and other natural resources) continues to dwindle.  Businesses should be adopting a broader approach to their resilience, using Business Continuity principles coupled with risk management approaches to identify how future threats might be mitigated.   In the case of a drought, this might mean adapting business processes rather than attempting to continue them as they are. 

The drought is but one example of a growing external threat.  I am sure you have all built sand castles as a child on the beach.  Just as the tide comes in you work hard to prevent the sea from breaching your defences, except the sea will win and at some point you are resolved to move your sand fortress further inland.  It feels like we are getting closer to the point where we all need to think hard about how our businesses will continue before our defences are breached and it’s too late.

05 January 2012

Determining the Cost of Service Impacts

Over the past ten years I have observed a disconnect that I continue to find fascinating. 

Many organisations determine their business continuity risk exposures based largely upon predicted financial impacts.  These calculations may include reputation and other facets which are in turn estimated in a USD or GBP value.  The results help the organisation prioritise their response and often lead to investment choices.  These are all predictions.

So, if an organisation has gone through the trouble of predicting costs, why don't they validate their predictions by calculating the cost of disruptions when they occur?  It is like setting a sales target but not adding up what was sold - you just wouldn't do that.

I have a few ideas as to why this information is not collected. Even though big incidents get attention, management are usually so pleased to have recovered and so caught up in heralding their success that the cost of the impact is at best forgotten, at worst purposely avoided. Smaller but frequent incidents often get ignored, passed over as part of the background challenges that businesses face. Stressed teams think that it will be a mammoth task to calculate the costs so it is put on the “too difficult” pile.

It does not have to be a difficult task.  It depends entirely on the organisation but for some, simple calculations would be all that is needed as the order of magnitude is more important than exact figures. For some it may be enough to use number of employees * hours of interruption * average employee salary = financial impact.  Average sales during that period may be right for others.  How about using the same calculation used to derive the risk assessment rating (assuming it was more than a guess)?

There are good reasons why I advocate this calculation.  From my experience, one company that faced frequent but short duration power outages began adding up the costs of the outages and were able to compare that to the costs of commissioning a new substation to provide them with a more stable supply.  Another was able to examine frequent IT system failures (admittedly they had to use a slightly more complex calculation to show a % productivity impact as they didn't lose all functionality) and determined that the costs of new equipment to prevent the failures was a fraction of the annual lost productivity.  Building resilience and adding preventative measures are basic tools of successful Business Continuity / Disaster Recovery Management and using this information allows the organisation to better recognise savings.

I realise that this suggestion won't change the world but it should lead to a better understanding of how organisations are impacted by real incidents, will help inform the risk analysis process and direct investment to the types of incidents where the cost/benefit analysis yields the best results.  I once suggested this approach to a head of BC and his initial reaction was to provide a long list of big companies that he worked at that didn't do the calculation - as if that was reason in itself to continue with his head in the sand, too scared to look.   There are those that accept the idea more readily.  I recall the first time I provided to executive management the calculation of lost productivity from a major incident in excess of $1 million  - his expression was priceless.

13 December 2011

Breaking up is hard to do - Civil Unrest

Most commentary surrounding the euro crisis has focused on the upcoming economic effects. PwC's recent paper summarises both short term risks and medium term consequences. However, there is a simultaneous and equally negative risk of prolonged civil unrest as a direct result of the fiscal crisis. In November, the UK Treasury confirmed that contingency planning for a potential Euro collapse had been set in train. Concurrently the Foreign and Commonwealth Office is understood to have instructed Embassies and consulates to begin contingency planning for scenarios of political unrest including civil disturbances. Memories of Iran are all too fresh.

Social and political consequences as a result of a possible euro collapse are inescapable but the extent and scale of the impacts are as yet unclear. Under its commitments to the Lisbon Treaty and the overall framework guidance of the Common Security and Defence Policy (CSDP), the European Union organised a crisis management exercise through late November to early December. The conclusion of that process will provide a gap analysis and areas for further improvement.

The Eurozone is not an area for which political unrest and contingency planning has been a fundamental concern or priority. Social instability has been predominantly short lived and any impacts usually restricted. A prolonged campaign of violence, instability and the vocalisation of social distress will challenge any organisation operating in the Eurozone. This, coupled with the financial effects of a currency collapse should fiscal controls to stave off a breakdown fail, could destabilise and potentially render any current contingency plans meaningless in the context of a region-wide unstable outlook.

With no genuine provision for member states to leave the union in a steady and organised breaking of their “contracts” to the rest of the organisation any attempts to exit their agreements and commitments would create resentment and hostility at the political level. For the man on the street how this filters down is only a concern if it directly reduces their quality of life at an individual level. Should this transpire we should expect civil unrest to become a recurring issue.

Ultimately, regardless of how realistic you consider this scenario, the situation provides a unique opportunity to review existing resilience arrangements using real concerns. Crisis management plans and resilience will be tested in the coming months and years; a test managed by a business in controlled conditions is the chance to test the strengths and weaknesses that might arise. In the next blog we will consider the explicit effects on supply chain management in the context of any political instability.