Everything you want to know about business continuity


Basic information

Pages: 260
Size: 6.56 MB


Everything you want to know about Business Continuity

effectively

The risks for businesses today are increasing all the time, as are the consequences of incidents and interruptions. Too many companies lose time, customers and income because of circumstances beyond their control. Companies that have a business continuity plan are able to not only minimise their losses and retain their clients, but also win new business!

Everything you want to know about Business Continuity will show you how to develop a modern response to the operational risk landscape and how to prepare your organisation for interruptions to your key activities, minimising the impact on your bottom line, reputation and credibility. You will be able to identify and assess the risks to your company and put in place a ‘fit-for-purpose’ business continuity plan which will enable you to meet the expectations of your customers and stakeholders in the event of an unforeseen incident.

This practical book will guide you through domestic and international standards relating to business continuity, with particular reference to ISO22301. Companies achieving certification under the Standard will communicate to their stakeholders their commitment to uninterrupted supply. Your company will enjoy greater customer loyalty and be more competitive, enabling you to retain and win more business!

Tony Drewitt held a number of technical, commercial and senior management positions before becoming a full-time management consultant 10 years ago. He was one of the first consultants in the UK to achieve full certification under BS25999-2. Tony has been a practising business continuity consultant, trainer and technical expert since 2001 and is a professional member of the Business Continuity Institute.

Everything you want to know about Business Continuity is Tony’s third ITG publication and follows the successful BS25999: A Pocket Guide and A Manager’s Guide to BS25999.

Buy this book and gain the tools you need to future proof your business!


Everything You Want to Know About Business Continuity

TONY DREWITT

omissions, however caused. Any opinions expressed in this book are those of the author, not the publisher. Websites identified are for reference only, not endorsement, and any website visits are always at the reader’s own risk. No responsibility for loss or damage occasioned to any person acting, or refraining from action, as a result of the material in this publication can be accepted by the publisher or the author.

Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced, stored or transmitted, in any form, or by any means, with the prior permission in writing of the publisher or, in the case of reprographic reproduction, in accordance with the terms of licences issued by the Copyright Licensing Agency. Enquiries concerning reproduction outside those terms should be sent to the publishers at the following address:

First published in the United Kingdom in 2012 by IT Governance Publishing

ISBN 978-1-84928-201-7

Business continuity (BC) is a fairly new concept in many organisations, with the probable exception of banks and some other financial institutions that have traditionally been much more reliant on computer systems than many others and so have had ‘disaster recovery’ arrangements in place for quite some years.

As attitudes to what is acceptable in business, government and even the voluntary sector change, there is simply more pressure on more of us to do something about business continuity. But many people feel that they are already doing the majority of what business continuity comprises; however, whilst they are probably doing some of it, it is unlikely that they are doing most of it.

Business continuity is still effectively a voluntary activity for most organisations and it is left to the rather general diligence requirements of the Companies Act (in the UK) and the relevant state incorporation laws in the USA, as well as the requirements for listed corporations, to provide statements of internal control and risk management. However, there is growing pressure and expectation upon organisations of all types to formalise their operational resilience by way of business continuity arrangements, though for many the term ‘resilience’ is arguably more appropriate – as we shall see later.

Of course, the ultimate in resilience would include spare everything! People, workplaces, information and communication systems, processing facilities and so on; all running and fully maintained, just waiting for you to ‘invoke’ should the need arise. Even the very few companies that could afford this don’t have it; it simply doesn’t make any economic sense.

At the other end of the spectrum are the many organisations that have given no real thought to what might happen if there were some significant interruption to their daily activities; as the world changes their negligence of these risks will continue to become more and more unacceptable.

On the day I started writing this book, Japan suffered one of the most severe earthquakes in its history and the resulting tsunami wrought devastation upon Sendai and surrounding areas, dominating world news for some time. Like the World Trade Center attack in 2001 and others since then, this latest disaster will have more and more people thinking about whether they should finally do something about business continuity, or perhaps review what they already have in place.

But whatever the reason for addressing business continuity now, readers of this book will want to know that there isn’t anything else out there; that they haven’t missed something important to do with business continuity that isn’t covered in this book.

Business continuity isn’t like, for example, financial accounting. There are no statutory, or even standard, methods for doing it. And whilst there are guidelines and now even a few national standards, it is still largely up to each organisation to decide how it is going to implement its resilience arrangements. So there are a number of approaches to the various parts of a ‘reasonable’ business continuity programme; there is the intuitive approach and the analytical approach, both of which are covered. But there are few very fundamental differences between any of the approaches that I have ever come across, so I am confident that there isn’t anything else out there, of real value, that this book doesn’t cover. I have been to numerous conferences and presentations from people who call themselves ‘thought leaders’, and have not come across any thinking, ideas or philosophy regarding business continuity that is fundamentally at odds with what is covered in this book.

If you act on everything in this book and get the Board’s cognisant approval for those actions, your organisation should have an entirely reasonable and fit-for-purpose set of BC arrangements that sit well with today’s corporate governance and corporate social responsibility requirements, codes and expectations.

ABOUT THE AUTHOR

Tony Drewitt is a business continuity practitioner and a professional member of the Business Continuity Institute (BCI). He has been a practising consultant, trainer and technical expert in the field of operational risk management and business continuity management (BCM) since 2001, working with a diverse range of organisations of all sizes to put in place effective and sustainable business resilience arrangements and crisis management capabilities.

Tony started his career as a mechanical engineer in manufacturing industry and has since held a range of technical, commercial and senior management positions before becoming a full-time management consultant 10 years ago. He was one of the first consultants in the UK to achieve full certification under BS25999-2, and delivers a range of business continuity foundation courses and masterclasses for a wide variety of organisations throughout the UK.

Tony is the author of the already successful ITG publications BS25999: A Pocket Guide and A Manager’s Guide to BS25999.

ACKNOWLEDGEMENTS

My thanks to Lita Cuen of LCRisq, San Diego, California for helping me with the US corporate governance aspects of this book.

We would like to thank John Kyriazoglou, CICA, M.S., B.A (Honours), International IT and Management Consultant, for his helpful feedback when reviewing the manuscript.

CONTENTS

Introduction 14

Does it really matter? 16

Corporate governance and CSR 17

DR, BC, BCP or BCM? 18

Chapter 1: The Operational Risk Landscape for Business and Other Organisations 19

Weather 22

Energy 23

Operational risk management 24

The risk management process 26

Chapter 2: What Does BCM Actually Achieve? 28

Tangible benefits 30

Chapter 3: An Incredibly Short History: Early DR to 2011 BCM 37

Continuity and resilience 40

Chapter 4: The Role of Standards and Independent Validation 41

Business continuity standards 42

Other standards 45

Compliance 47

Supply chain 47

Corporate governance 48

Chapter 5: The Management System Approach versus a Simple BC Plan 49

Chapter 6: Planning the BCMS 53

What is a BCMS? 53

Chapter 7: Identifying the Organisation’s Requirements 58

Risk assessment 58

Business impact analysis 71


Chapter 8: Strategy and Options 100

Contingencies 102

Physical infrastructure 103

Information 106

People 108

Seasonality 109

Incident level 109

Output 110

Chapter 9: Incident and Crisis Response 111

Incidents, crises and disasters 111

The response organisation 114

The response team 119

Competencies 123

Response plans 128

Communications 131

Full recovery 136

Insurance 137

Chapter 10: The Assurance Process 140

Exercise programme 144

Maintenance programme 150

Audit programme 151

Management review programme 153

Continual improvement 155

Summary 156

Chapter 11: BCM as a Competitiveness/Assurance Tool 157

The insurance argument 157

Cost-effectiveness 158

Peace of mind 159

Chapter 12: Tools and Software 160

The BC software market 161

What to look for in BC software 161

Chapter 13: The New World of Sustainability 174


BIA 174

Business as usual 175

Incident response 176

Chapter 14: How to Do It 178

Visible programme 179

Awareness 179

Certification 189

Summary 190

Appendix 1: Acronyms 192

Appendix 2: Business Continuity Policy 193

Policy statement 193

Appendix 3: A Simple Risk Register 204

Appendix 4: Incident Response Plan 209

Use of this plan 210

The crisis management team (CMT) 212

Recovery time objectives 213

Response and recovery activities 214

Ending the business continuity phase 215

Appendix 5: Scenario Plan 216

Appendix 6: Activity Recovery Plan 218

Appendix 7: Document Review and Control Procedure 221

General 221

Version control 221

Retrieval and distribution 225

Appendix 8: Corrective and Preventive Actions Form 227

Appendix 9: Exercise Methodology/Procedure 229

Desktop exercise 229

Full exercise 230

IT DR exercise 230

Continuous improvement 231

Reporting requirements 231


Exercise programme 231

Appendix 10: BCM Software Vendors 233

Appendix 11: Suggested Software Enquiry Form 235

Appendix 12: BCM Audit Programme and Procedure 239

Appendix 13: IT Disaster Recovery Plan/Procedure 244

Recovery time objectives 244

ITG Resources 258


INTRODUCTION

Business continuity (BC) is a relatively new discipline, although people running organisations have been doing increasing amounts of the things that make up BC since the Industrial Revolution. The risks haven’t changed that much, but the way that we, as a society, think about risks has. There are some newer risks, of course, particularly those to do with computers and information technology systems, but those have really grown at the same pace as the technologies themselves; it is simply that we are now more aware of many of the risks, and our attitude to how acceptable they are has changed.

This book is aimed at people involved in the running of all types of organisation; whether a private sector ‘for profit’ company, public service or voluntary sector organisation, or even the defence forces, all organisations exist to fulfil a purpose, even if that purpose is not the generation of financial wealth and its distribution to owners, stakeholders or anyone else.

Actually, all organisations work more or less the same as a company, or corporation; they have people and other resources with which they do, or make, things for customers, or people that they call something else. The organisation’s income doesn’t always come directly from those customers, but it does come from somewhere and if the organisation doesn’t do what it is supposed to be doing, then the time will come when its income reduces, or even stops altogether.

So the principles of risk management should be the same for any organisation, and while some may measure their risks in different ways, it is ultimately the supply, or availability, of resources and money that enables any organisation to meet the corporate governance requirements of the modern world.

Ultimately, most of us need three things: our health, other people and money. Money enables us to acquire everything else that we need apart from our health and other people. And so whilst many organisations, particularly in the public and voluntary sectors, may state that their primary purpose is something other than ‘the bottom line’, ultimately it is money that enables them to be the best, or biggest, or the ‘brand leader’, or to serve their community, or anything else that they wish to do.

Business continuity is a way, the most comprehensive way, of ensuring that any organisation can protect the interests of its customers and owners by ensuring that everything reasonable is done to make it resilient to unexpected, or unforeseen, situations that prejudice its ability to do what it does.

But this is selective; it is for each organisation to decide whether, for example, it wants to see the loss of a major contract as a BC scenario. If a major customer stops buying, and paying for, the organisation’s products or services, does it matter why? If they stop buying because their factory or offices have been burned down, is that really any different from them doing so because they have found another supplier?

It is ultimately a matter of policy that each organisation decides whether loss of business is a scenario that should be included within its BC arrangements, as well as similar scenarios, such as loss of a key supplier.

Although risk is interwoven in everything an organisation does, this book looks in depth at one of the three fundamental types of risk: what we are calling operational risk.

The three types of risk are:

1. that the organisation ceases to be viable due to adverse levels of business, profitability, cost fluctuations and compliance with relevant legislation, contracts and codes;

2. that the organisation’s viability is jeopardised because it engages in some activity that its customers haven’t directly asked for;

3. that the organisation is viable, but its ability to operate is reduced or removed by some unexpected situation, incident or materialised threat.

Most organisations base their BC arrangements only on the third category, most often referred to as operational risk, and this is the approach that the rest of this book is based upon.

Does it really matter?

Many people think that BC isn’t worth the effort and expenditure. But that is usually based on intuition, although in some cases it may also be true. Most organisations have some ingredients in place anyway, such as insurance, stocks of raw materials, spare equipment and locks on the doors, but to write down some sort of plan as to how they would respond in the event of an interruption might seem too much effort, or even a ‘waste of time’. However, for the great majority it will almost certainly be worthwhile looking at the organisation to assess its true resilience to the unknown and putting in place a plan that enables relevant people to make the best decisions in the event that something does go wrong.

Corporate governance and CSR

The way that the world now thinks about risks is very different from how it was in the middle of the last century. In those days, people in charge were assumed to know what they were doing, and if things went wrong it was still assumed that they had done their best. But now, in business and institutions of all types, we are expected to be able to account for everything we do and to be able to prove what we knew and when. There is also a much higher level of expectation that people running organisations plan for the unexpected, be it in terms of financial control, business performance, changing markets and other external factors, and things that simply stop the organisation from doing what it wants to do, or rather what is being asked of it by its customers, clients or stakeholders.

The growth of democratic philosophy and values has also spawned the concept of corporate (and) social responsibility (CSR), so whereas corporate governance is primarily aimed at protecting the interests of the organisation’s shareholders, CSR is about everybody else.

In thinking about CSR we have to ask ourselves the question: ‘who would care if the company (and its factories/offices/assets) went up in smoke?’

We know that the shareholders would care, but their

But would anyone else care? Probably, yes. If there were absolutely no mitigation measures in place, then all of the company’s employees and their families would care. Suppliers and, in many cases, customers would also care. CSR also extends to things like environmental impact, so an incident that might make an environmental impact on the adjacent community and/or its ecosystem should also fall under the scope of CSR. Risks of this nature may already be addressed in health and safety, environmental or other risk management approaches, but often it is a BC project that identifies this type of risk and brings it to the company’s attention.

The point is that there are CSR-based reasons for putting BC arrangements in place and, importantly, for making sure that those arrangements are fit for purpose.

DR, BC, BCP or BCM?

These are some of the acronyms commonly used in this field, meaning respectively disaster recovery, business continuity, business continuity plan(ning) and business continuity management.

BCM is now broadly accepted as the most comprehensive approach to organisational resilience, and whilst this book does go on to refer to some of the selective, cut-down and intuitive approaches, its principal theme is whether and how to ‘do’ BCM.

CHAPTER 1: THE OPERATIONAL RISK LANDSCAPE FOR BUSINESS AND OTHER ORGANISATIONS

Most people in management and senior jobs have a good understanding of risks: what they are, how they are managed and even how to measure them. But there remains in many organisations a blurring of definition about types of risk and who is responsible for them, as well as all sorts of risk that haven’t even been identified.

Like not having insurance, this is usually only a problem if something actually goes wrong, and in the minds of most people that is really rather unlikely. The majority of people tend to be concerned about things that have gone wrong before – and not for others, but for themselves. That is human nature.

Typically, in commercial or ‘for profit’ organisations, risk is divided into ‘core business’ and ‘other’ categories. Core business risks nearly always get far more attention and usually quite rightly. But let’s look again at the three types of risk put forward in this book:

1. that the organisation ceases to be viable due to adverse levels of business, profitability, cost fluctuations and compliance with relevant legislation, contracts and codes;

2. that the organisation’s viability is jeopardised because it engages in some activity that its customers haven’t directly asked for;

3. that the organisation is viable, but its ability to operate is reduced or removed by some unexpected situation, incident or materialised threat.

These risk types aren’t concerned with the cause, or hazard – that comes later – but they should enable most people in an organisation’s management to decide whether all risks should be dealt with by one person or department, or whether there are some different groupings of risks that fall into separate areas.

The business of risk management is not necessarily as straightforward as some other organisational activities; there is no single approved method, either statutory or otherwise. The Institute of Risk Management (IRM) puts forward ‘A Risk Management Standard’ as opposed to ‘The Risk Management Standard’ or even just ‘Risk Management Standard’.

This standard refers to internally and externally driven risks and suggests a number of specific risks in each of four types (see Figure 1).1

1 A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO31000 (AIRMIC, Alarm, IRM, 2010).

Figure 1: Risk types suggested by AIRMIC, Alarm & IRM’s

sorts of risk that are relevant to business continuity, it’s worth considering a couple of examples of threat types that transcend both core business and operational risks:

Weather

Exceptional weather conditions can affect companies in a number of ways:

1. It can affect the demand for products or services.

In 2010 the UK experienced its coldest December for 120 years, coinciding with expected peak demand in the retail sector. The effect on the ‘high street’ was significant and, despite the impending increase in the VAT rate from 17.5% to 20% due on 4 January 2011, retail sales dipped substantially, whereas many might have expected them to increase as shoppers anticipated the post-Christmas VAT increase (Figure 3).

Figure 3: UK retail sales index, Nov 2009–Jan 2010

Source: National Statistics Online

This is an example of a core business risk driven by the environmental threat of extreme weather.

2. It can cause a disruption to the company’s operational capabilities.

The same threat presented an operational risk for the Royal College of Nursing’s RCN Direct service based in South Wales, as both its telephone call centre and substantial mailing activities were suspended.3

So a number of retail companies will have recorded extreme or adverse weather conditions as a threat, and, therefore, risk, to core business, whereas other organisations like the RCN would have treated the same threat as a cause of operational disruption and, therefore, an operational risk.

Energy

The supply and price of hydrocarbon fuels used in electricity generation can affect companies in at least two ways:

1. Most companies, especially manufacturers, use electricity. But as the demand for hydrocarbon fuels rises, which then leads to increases in price, so the cost of electricity, which forms part of the cost of manufacturing products, rises also. As a result, some manufacturers may face the risk that they can no longer remain competitive in the market. This is an example of a strategic core business risk.

2. There also exists the risk that, as demand for hydrocarbon fuels increases, the ability of generators to convert those fuels into electricity may become unstable, potentially leading to electrical power cuts and the inability to manufacture products. This is an example of an operational risk with the same root cause as the previous strategic risk, the hydrocarbon fuel market.

Operational risk management

It is for each organisation, when considering all of its risks, to decide which are to be treated as interruption risks and so form the basis of the business continuity arrangements. Clearly no organisation should put contingency arrangements in place for a threat that it does not face, but at the same time it should also be aware that certain threats may result in more than one type of risk.

But there are some risks which may be considered operational that are unlikely to give rise to an actual interruption to, or significant reduction in, operational activities. These may include, for example:

• health and safety – in terms of accidents and incidents;

• security – such as the theft or loss of equipment, facilities or information;

• efficiency or productivity.

Again, it is for each organisation to decide whether it wants a fully integrated ‘enterprise’ level risk management system or a number of independent systems, or frameworks, that deal with specific types of risk. The fully integrated approach may make sense in some respects, but in others it is probably counterintuitive for a system that on the one hand deals with the fast-moving risks of something like foreign exchange trading (including in organisations for whom foreign exchange trading is not core business), and on the other with risks, such as health and safety, employment law or information security.

In a probable majority of organisations, there will already be some existing risk management arrangements in place covering a number of aspects of the organisation, and as business continuity gets onto the corporate agenda it may well be ‘added’ onto the responsibilities of an existing team or manager and so almost by default acquire its own risk framework – if, indeed, risk management is to include any kind of formalised approach.

But the opportunity to integrate disparate risk management activities should not be overlooked. There might well be opportunities to improve the efficiency and effectiveness of risk management, and it is often the case that directors and senior managers acquire a better understanding of the organisation’s overall risk profile if they can see everything in a consistent format. There are also examples of a risk control, or mitigation, measure being put in place for one type of risk that then presents a new, or increased, risk in another category. For example, changing an escape route to reduce a fire-related risk could present a new information security risk.

The introduction of business continuity as a new activity or management discipline is often a catalyst for the organisation dramatically to improve its management of risks, particularly those which have previously been paid little attention and of which the Board has limited awareness.

The risk management process

A fairly common failing on the part of directors is that although they are aware of certain risks and may have decided to tolerate them for the time being, they don’t keep any written record of these risks and, in the event something goes wrong, they cannot then account for the fact that one of these risks materialised and caused some loss or injury. This is an exposure that the majority of directors simply don’t need; ignoring a risk that you could be expected to have known about is not good, but making an assessment of a risk and noting that you cannot do anything about it at the moment puts you in a much stronger position if and when called to account for it.

The risk management process is described in some detail in Chapter 7 because it is a key component of a BC management system, but it should be understood that business continuity is a key subset of operational risk, which itself is a key component in enterprise risk management, illustrated in the diagram in Figure 4:

Figure 4: Business interruption risks in the context of enterprise risk and activities

Needless to say, the example risks in this diagram are just that; some of the operational risks may represent business interruption risks also, but it is likely to vary between organisations.

A BCM programme is likely to be the most successful if it is not allowed to exist in a ‘silo’, and is seen by everyone in the organisation as a key part of the enterprise (or organisation-wide) risk management process. This is more than likely to bring gains in terms of efficiency, conflict avoidance and reduction in expenditure (or executive time).

CHAPTER 2: WHAT DOES BCM ACTUALLY ACHIEVE?

Do we now wear seat belts in cars because:

• They are there?

• It is a requirement of the law?

• We value our safety and our lives, and we know that road traffic accidents do happen?

Those of us who can remember the introduction of seat belt laws will also probably recall that we either wore them anyway, or started wearing them if we thought we were going to get caught. Despite the law and the extensive ‘clunk–click’ media campaign in the UK, there were many drivers and passengers who preferred not to wear them. But today, a probable majority of us wear seat belts because it makes sense from a safety risk point of view.

Some similar thinking may well apply to business continuity as another ‘thing’ that we should, and in some cases must, do. But if it is not required by law, then why do it?

Some organisations, in the UK, are required by law, directly and indirectly, to put business continuity arrangements in place:

• Category 1 responders under section 2(1)(c) of the Civil Contingencies Act 2004 are required to ‘maintain plans for the purpose of ensuring, so far as is reasonably practicable, that if an emergency occurs the person or body is able to continue to perform his or its functions’.

• Regulated firms under the Financial Services Act are effectively expected to have demonstrable BC arrangements in place along the lines of the Financial Services Authority’s Business Continuity Management Practice Guide.

• Solicitors and solicitors’ firms are required under Rule 5.01(1)(k) & (l) of the Solicitors’ Code of Conduct 2007 to provide:

o for the continuation of the practice of the firm in the event of absences and emergencies, with the minimum interruption to clients’ business, and

o for the management of risk.4

In addition to this, companies listed on the London Stock Exchange (LSE) are required under the Disclosure and Transparency Rules to disclose a description of their principal risks and uncertainties. This brief statement leaves open to interpretation whether or not companies need to mention their operational risks, or simply their trading risks; however, a review of some reports that have been filed indicates that operational risks are generally included. But this issue quite probably falls into the same ‘comply or explain’ category as corporate governance, and any company’s suggestion that the risk of it not being able to carry on its business because of operational interruptions – as opposed to financial or market conditions – is not a principal risk would, in the event of such a risk materialising, probably be challenged very strongly.

So it is implicit within the LSE’s rules that companies should have demonstrable arrangements in place to mitigate principal risks, which include business interruption risks, for which the ‘optimal’ mitigation strategy must include BCM.

But these are organisations in which the state already intervenes to an extent, usually to protect the interests of private individuals, and so it is most unlikely that any new statutory requirement will emerge for any type of organisation, particularly in the private sector, to put in place demonstrable BC arrangements.

There is no single reason why any organisation should put in place BC arrangements – which, of course, will include ‘formalising’ existing measures that weren’t previously called business continuity – but an important part of a best-practice BC management system is a statement of objectives. And if these objectives aren’t largely to do with benefits, then there is probably something not quite right.

Tangible benefits

The question ‘what does BCM actually achieve?’ must, of course, be answered. The following are the key things that the majority of organisations should be looking for as a result of developing and implementing a good BCM programme:

Cost effectiveness

The Pareto Principle: many organisations achieve only 20% of a really good set of BC arrangements by expending something like 80% of the effort, if they adopt the ad hoc intuitive approach. Those that invest the remaining 20% of the effort in a best-practice BCM approach are likely to achieve a further 80% of the benefits. Of course, this principle isn’t exact and another way of putting it is that by investing the additional 20% effort in the preferred approach, something like a further 80% of the benefits might be achieved.

BCM offers the best opportunities to ‘think of’ things that could go wrong and ways of both preventing and mitigating them – avoiding the somewhat classic statement: ‘we didn’t think of that’.

If done well, it will also result in the regular maintenance of plans, contingencies and other arrangements, so that they remain as up to date and fit for purpose as possible.

The point is that most organisations are already investing in resilience arrangements of one sort or another, and this investment is often much more effective if it becomes part of the investment in BCM.

A BCM programme should also result in proper co-ordination of often disparate resilience or preparedness arrangements into a cohesive whole. This can bring the added benefit that existing risk control measures and resilience arrangements which may be inappropriate are reviewed and adjusted to become appropriate and, therefore, cost effective.

Competitiveness and the supply chain

There are those who insist that not having a BC plan or a BC management system can lose you business; I have yet to hear of a situation where one supplier loses out to

However, there is a growing number of organisations that, as part of their supplier assurance process, also a relatively recent innovation, want to know about their suppliers’ resilience to things that everyone knows can go wrong. We don’t think it unusual that they should demand this sort of assurance about things like information security, environmental impact or ethical stance, so why should it be anything other than normal to seek proper assurance as to how suppliers will ensure continuity of supply or service when the unexpected happens?

It may be happening slowly, but more and more larger organisations are requesting information about the resilience of suppliers’ BC arrangements, so having a demonstrably good set of arrangements must represent a component in competitiveness.

But more than this, a supplier who lets its customers down in the event of an interruptive incident can no longer get away with ‘it wasn’t our fault’ and business that might have taken a year or so to win could subsequently be lost for perhaps five years or so. There is anecdotal evidence that suppliers who let their customers down to a degree, but can show and, most importantly, communicate that they did have BC arrangements in place and had ‘thought of’ it, secure a greater degree of loyalty and support from their customers, both in the immediate term and when it comes to renewing contracts at a later date.

Organisations that secure some of their business through the tendering process are quite likely to find, at some point in the near future, that qualification criteria start to include business continuity or resilience arrangements, and it is not inconceivable that some will start to stipulate certification under BS25999, or its successor ISO22301, as a criterion. This happened in the 1980s and 1990s with BS5750, which was superseded by the ISO9000 series, the quality management system standard, and it happens today with ISO27001 (information security) and other standards.

No organisation that hasn’t already developed a good BC management system would be able to secure certification quickly enough to meet this criterion; it is a strategic planning issue for companies engaged in this type of supply mechanism.

Corporate governance and directors’ liabilities

Corporate governance has been around for a long time and it could be argued that the old-fashioned sense of ‘duty’ and doing the right thing largely prevented companies, or their directors, from engaging in major fraud or other corporate wrongdoing. And whilst there have been laws surrounding the incorporation of companies since the Joint Stock Companies Acts of 1844 and 1856, there seems to have been an ‘unwritten’ approach to the governance of companies.

The first written code on corporate governance in the UK, also the first in the world, was produced in 1992 by the Cadbury Committee, convened at the Government’s request following a number of corporate scandals, such as Polly Peck, BCCI and Maxwell Communications.5 This sea change in thinking about corporate responsibility has brought with it a need for accountability whenever anything goes wrong and there have been a succession of revised codes in the UK, all pointing to the continuing dilution of the somewhat exclusive privilege held by directors and the rights of ordinary people to have their dues.

However, a founding principle of UK corporate governance codes is ‘comply or explain’,6 meaning that boards are expected to know what to comply with and how to do it, as opposed to there being a comprehensive set of detailed rules.

Until quite recently, UK directors’ duties were based upon an expectation that they would always act in the company’s best interests, and the judgement of whether they had done so became a matter of opinion for lawyers and judges. Previously, directors had a duty to act ‘in good faith and in the best interests of the company’.

But the Companies Act 2006 includes new legislation (which came into force on 1 October 2007) regarding directors’ duties to apply a level of diligence in line with their higher level of expertise and, whilst there isn’t any specific wording about business continuity in the Act, it is nonetheless now a criminal offence for any director not to exercise reasonable care, skill and diligence in respect of the whole company, not just his or her department or division.

Whilst business continuity and its management does benefit from a certain amount of skill, knowledge and experience, the risks that it should be there to mitigate are not particularly specialised and in most organisations a director would be reasonably expected to be aware of such risks. So to simply assume that someone else is taking care of what happens if a major incident occurs, or, worse, to assume that nothing could ever go wrong because it hasn’t before, could be regarded as negligent.

6 P Provan, camagonline website, June 2010, Institute of Chartered Accountants of

As far as penalties are concerned, again many directors are somewhat in the dark – many thinking that the worst that could happen to them is to be disqualified from acting as a director.

However, this is not the case, and although the Companies Act 2006 does not include any penalties for failing to undertake directors’ duties correctly, enforcement of the Act would be by way of an action against the director in question for breach of duty.

Whilst such an action can only be brought by the company (which would usually require the other directors to support the action) or by the liquidator (should things go that badly), there is now new legislation that allows an individual shareholder to bring a Derivative Action.

The spirit of the Act is that each director should use their knowledge and skill in the best interests of the company and it is, therefore, not really acceptable for any director to pretend that they couldn’t have known about the existence of fairly obvious business interruption risks or, more importantly, the lack of any arrangements to mitigate them. Ultimately, negligence and failure to act appropriately would be dealt with by the common law, but the key point is that individual directors can face personal liability and are not necessarily protected by the limited company.

A great many directors have limited experience of anything going wrong and because there is no mandatory qualification or test of ability for anyone becoming a

being taken care of. The discussion of risks by boards is often limited to core business risks, such as trading performance; to some operational risks, such as health and safety; and to risks related to new legislation, such as the Corporate Manslaughter and Corporate Homicide Act 2007.

But the fact remains that if something goes wrong boards may be called to account for whether or not they had taken reasonable steps to mitigate the risk(s), which by definition existed before the incident.

Those that can say, and demonstrate, that they had some plans and arrangements that were reasonably well thought out and maintained must be in a significantly better position than those that cannot.

This is the real test of whether the BC arrangements are good enough. No plan or BC management system can deliver zero disruption and zero impact, and even if things don’t go entirely as hoped for, the fact that due consideration was given to the risk(s) and the measures (BC arrangements) to mitigate those risks should ensure that directors are protected against any claim.


CHAPTER 3: AN INCREDIBLY SHORT HISTORY: EARLY DR TO 2011 BCM

In truth, the existence of business continuity as a management discipline, or activity, is simply the result of recognition by people running organisations that something could go wrong. And, whilst this has always been the case, as the world has become more sophisticated and technologically complex, there is more to go wrong, more malevolence, and we just happen to be entering a time when natural hazards appear to be more prevalent and more severe. But the distinct management activity of addressing the risks of things going wrong really began when mainframe and minicomputers started to be used by increasing numbers of companies and other large organisations, throughout the 1970s and 1980s. After a few failures, managers started to think that they were so exposed to the impact of the failure of these rather unreliable systems that they should develop contingencies to deal with the eventuality.

So, seeing the commercial opportunity, some of the large computer vendors also developed a range of services, essentially selling the availability of spare machines in the event that their equipment went wrong. Whilst we may be able to see parallels to this in many facets of daily life, many companies became so dependent upon their computer systems that they simply couldn’t leave to chance the availability of something that would enable them to resume the activities that were utterly dependent on the hardware in question.

From this we can see why the word ‘continuity’ became the eventual de facto term; because only the computer system had failed, the organisation could simply continue what it had been doing once a replacement system was in place. This was recovery from the disaster of mainframe failure, and so the term ‘disaster recovery’, or DR, came into common use and, in many respects, it still means more or less the same thing: provision of alternative IT systems to enable the organisation to resume its operational activities. But, as increasingly reliable mainframes and minis were replaced by even more reliable personal computers and local area networks, people who had been engaged in the DR world started to realise that there was more to go wrong in their organisations than just the computer system.

The thinking behind business continuity had to come from somewhere and its IT roots are entirely understandable. But just as we may think, ‘why didn’t anyone think of that before’, it was the need to do something about the relative precariousness of computers that spawned the ideas to extend this more formalised thinking about resilience to other parts of the organisation. Using the safety belt analogy once more: these only became compulsory in the front seats of cars in 1983 and in 1991 in the rear seats, yet they had been fitted to most cars for 30 or more years prior to that time. In the USA, penalties for not wearing seat belts were introduced 16 years after their fitting was mandated.

From the 1980s, some of the large computer manufacturers that had developed DR service offerings – often a mainframe or minicomputer on the back of a lorry (truck) – responded to the changing market by developing similar PC-based services, including the provision of dedicated recovery centres with both IT system and desk workspace facilities. Other providers entered the market, supplying only these DR services, and whilst the market has very much polarised over the past 10 years or so, there remains a number of companies offering a range of BC recovery services as well as consultancy and advice services.

The Disaster Recovery Institute (DRII) was founded in 1988 in the USA and in the UK the Business Continuity Institute (BCI) was established in 1994; both are international organisations and both enable the transfer, or sharing, of knowledge and expertise between BC practitioners and experts. Both organisations offer practitioner certification and associated training; however, they have also moved more into the commercial space, offering non-certification training and other services. The establishment of these two institutes contributed to the establishment of BC or BC management as a distinct management activity, or discipline, and underpinned its gradual spread to more and more organisations.

In the 21st century, the BCI’s main thrust is to encourage more and more organisations to take up business continuity management (BCM), not least so that it and some of its members can sell more membership and professional services.

The development of BCM, as opposed to disaster recovery, signalled its use across all, or most, of the organisation, so that contingencies and plans were being developed to do with resources other than IT systems. It started spreading because more people were aware of it – it often seemed ‘a good idea’ to those running organisations with no particular pressure to take up BCM – and as this realisation grew ‘organically’ it also became a basis for larger companies to

supply chain became one of the key propagators of BCM, as, in certain cases, did regulation.

Many people who became dedicated BC or DR practitioners really wanted an accepted standard that would give credibility to their profession and form the basis upon which it would be much easier to justify the adoption of BCM.

In 2003, the British Standards Institute published a ‘publicly available specification’, PAS56: Guide to Business Continuity Management, which was based on the BCI’s Good Practice Guidelines.

Continuity and resilience

During the first decade of this century, the spread of BCM was arguably fastest amongst ‘information processing’ organisations; that is, those predominantly based upon offices, computers and telephones, all of which are relatively easy to replace at short notice. The growth of data archiving providers also facilitated this growth so that many companies could simply back up their essential data in a variety of ways and rely on some contingent set of physical resources to accommodate them should the worst happen. Because PC-based networks and desk-based workspace are generic in nature, organisations without such physical activities as manufacturing became predominant adopters of BCM, simply because it is so relatively easy to do.
