Feature

Business Continuity

Adjusting the risk radar

One of the most damaging legacies of the high profile terrorist attacks such as 9/11, Delhi and the London bombings is that, because they were capital city events, the vast majority of organisations, and especially small and medium enterprises, have seen such attacks as media events: terrible in their actions and consequences, but so remote that they never register on the organisation's own risk radar and are subsequently all but ignored.

Such a view is understandable, but it breeds complacency and a narrowness of thought which simply promotes the attitude of "when bad things happen, they won't hurt me".

Not if but when

UK plc cannot afford complacency which ignores the threat that terrorist activity could take place in any UK provincial city or town. Those with a clearer understanding of the long term regard this not as a question of whether it could occur, but of when. The Civil Contingencies Act 2004 requires certain organisations, for example infrastructure organisations, local authorities and the emergency services, to have Business Continuity plans in place, strengthening both their own resilience to threats and, by doing so, the resilience of the UK. Indeed the Act requires local authorities not just to have such plans but also to promote the discipline of Business Continuity to businesses in their area.

Business resilience refers to the ability of an enterprise to adapt to a continuously changing business environment. Resilient organisations are able to maintain continuous operations and protect their market share in the face of disruptions such as natural or man-made disasters.

In recent times there have been, and as I write there continue to be, a number of significant natural events which have had a direct impact upon businesses of all shapes and sizes. The 2010 Icelandic volcanic ash cloud, the 2011 Japanese earthquake and tsunami, and last year's floods in Thailand all directly disrupted the supply chains of many UK organisations. This year such events have seemingly been more localised, with multiple incidents of significant flooding in many parts of the UK affecting locations which have not experienced flooding for many, many years.

Improving resilience
These events have developed, and continue to develop, a growing interest in mitigating risk and improving organisational resilience so that an incident which affects the organisation does not stop the business from continuing. As business strategies for dealing with threats have developed, so in turn we have seen clear activities which, with continual improvement, have set out to protect the business and enable it to respond to a crisis. These activities can, I suggest, be put forward as four clear generations of development.

1st Generation - Contingency Planning. The original approach, commonly used in WWII.
2nd Generation - Disaster Recovery. Developed as Information Technology became established in business.
3rd Generation - Business Continuity. A more holistic approach encompassing business operations and processes.
4th Generation - Business Resiliency. Extends the boundaries of protection across the whole organisation.

This fourth and latest generation has taken on a significant challenge, as it encompasses much of today's model of business. It is, however, one which can be used to reinforce the value of taking clear, positive action to develop the protection and crisis management skills of any organisation.

The disciplines of risk management, business continuity planning and disaster recovery planning have played critical roles in helping businesses achieve parts, but not all, of the objective of business resilience.

Historically, in most organisations the primary objective of disaster recovery planning has been limited to protecting IT infrastructure and services from unexpected events and disasters. Business continuity planning extended the boundaries of disaster recovery planning to the protection of business operations and processes. The objective of a business resilience programme is larger than risk management, business continuity planning and disaster recovery planning combined. It extends the boundaries of protection to include the ability to manage an incident, to build intelligence by exercising plans and, hugely important, to have the capability and skills to communicate in a crisis.

Such communication must be directed both internally, to employees, and externally, to relevant stakeholders, the most important of whom may be customers or, for some industries, regulators.

BCM History
Looking back at the history of Business Continuity Management (BCM) there are clear milestones mapping its development. I recall clearly the release by the British Standards Institution (BSI) of Publicly Available Specification 56 (PAS 56) Guide to Business Continuity Management in 2003, and just how welcome this was for those of us seeking best practice examples to refer to when setting up a company or corporate wide Business Continuity Management System (BCMS). True, this first pass at establishing the idea of a standard had its faults, but fundamentally it was a recognised, publicly available document which for the first time set out the structure and expectations of a BCMS in a clear and relatively simple way.

Following a great deal of work by expert practitioners, working as dedicated volunteers under the support structure of the BSI technical committee BCM/1, PAS 56 was developed and enhanced to become BS 25999-1 Business Continuity Management Part 1: Code of Practice, followed in November 2007 by BS 25999-2 Business Continuity Management Part 2: Specification. It is to BS 25999-2 that many businesses, both in the UK and abroad, have become certified. So popular has this standard become that it is the second highest seller among BSI products, second only to ISO 9001. These documents, used in association with the Business Continuity Institute's Good Practice Guidelines, another document created and, importantly, regularly updated by dedicated volunteer expert practitioners, have proved to be the backbone of BCM not just in the UK but across many countries.

New standard

Other countries have not sat idly by as Business Continuity Management has developed, and several have created their own national standards, including the United States, Australia, Singapore and Canada. Such developments prompted the need for a single international standard, and so today we have ISO 22301 Societal security – Business continuity management systems – Requirements. This will in time, predicted to be around 18 months from the official release of ISO 22301, replace BS 25999-2, which will then be withdrawn.

This new standard in many ways encompasses everything which is needed within a Business Resilience programme, and market research by a number of certification bodies has indicated that a fast growing number of organisations are seeking to have their current, or as is often the case, new BCMS certified to it.

A key reason for this surge of interest is that more and more organisations are insisting that their suppliers should be as resilient as themselves. Spinning out of the requirements of the Civil Contingencies Act mentioned earlier, many of the organisations affected by the Act have taken the view that if they are expected by law to have a BCMS, then those who supply to them, or who wish to supply to them, should have one too, and should be required to supply evidence of it.

The effect of such a requirement has been to drive the principles and good practices of business resilience across many supply chains, and this is now understood by more and more organisations as a must have business discipline rather than a luxury kept for the day when something may or may not happen.

No matter how resilient an organisation may become internally, without the corresponding resilience of its critical suppliers it will remain at serious risk of loss of business, and possible closure, due almost entirely to the failures of others.

About the Author
Colin Ive's experience in Disaster and Business Continuity Management was gained over 40 years in business, including 26 years as a fire officer commanding a busy fire station in England. Following this, he became the chief risk and continuity manager with global responsibility at Nokia. A Member of the Business Continuity Institute and a qualified Lead Auditor for ISO 9001 and BS 25999, he is an in-demand presenter at many European and US Business Continuity and Business Resilience conferences.
