Around the world, the need to plan for business continuity only continues to grow. How would you react if your Intranet went down or you were unable to make a mobile call in the event of a disaster?
When “it hits the fan”, risk assessment and security are core elements of this plan. Rinske Geerlings joins us to discuss the importance of having a creative and innovative business continuity plan that has end-to-end benefits for everyone in the organisation.
How do you define Business Continuity Planning?
Rinske: I have a slogan and it’s “If it hits the fan, what is your plan?”
It’s an elevator statement but it’s also actually the simplest way to express to people what we’re dealing with here. Theoretically, if you look at the ISO 22301 standard, the definition is “the capability of an organisation to continue delivery of products or services at acceptable predefined levels, following a disruptive incident”.
It’s all about pre-agreeing what is time-critical to your business – what you have to keep doing. It’s about pre-defined levels of what is acceptable and setting the right priorities, because when something major happens you have to be selective about what you’re going to recover first.
You find in this the emergence of a new term – the Minimum Business Continuity Objective (MBCO). This is a bit different from what we did in the past which was all about time, ie how long you can be down or how quickly you need to recover. The MBCO says to what ‘degree’ you could go part-way. For example, if something dramatic happens and I’m a call centre that’s normally opened from 8am-8pm, perhaps in the first two weeks following an incident, I might look at opening from 9am-5pm or 8am-12 in order to sustain my business at an acceptable level for a certain period of time.
In the past decade, have there been any significant activities or events that have prompted this redefinition or has the process simply evolved?
Rinske: I think the current process reflects the experience that we’ve had with actual disasters, compliance and the testing of these plans over time.
The experience of the floods in Queensland and Northern NSW and bushfires and heat waves in Victoria, stressed that we can’t ask for the luxury solutions straight away.
The APRA standard for the finance industry introduced in 2005 forced banks and insurance companies to make plans – and test these plans. It prompted those in the industry to be realistic and more innovative in their approach to business continuity, not only in terms of compliance, but also in terms of responding to real events.
Testing proves that people still have to invest in manual workarounds. Manual workarounds let us get back to a level which isn’t 100% but it’s a degree that is acceptable to our clients, stakeholders, shareholders and the general community.
What’s important when incorporating manual workarounds in your plan?
Rinske: The documentation of manual workarounds is very important as it isn’t simply about how things were done in the past, say using a fax, the post or a hard-copy form, when the Internet is down. I’ve found that it’s common to make the assumption that people actually know how perform certain manual tasks when testing proves they don’t.
At one stage, one of our clients had a plan to use two-way walkie talkies if the mobile network went down. Of course, the walkie talkies were hard to locate in a dusty box in some corner of the office. Testing found that new and younger staff had not been trained how to use these and guess what, there was no procedure written down.
Plus, some scenarios go on for longer than you planned and manual workarounds let you do something rather than nothing. Given the magnitude of an event – say, it’s your building and/or your people and your systems and/or your suppliers that are affected – you may need to extend the planned manual workaround – so documentation, training and testing are very important.
How often would you recommend an organisation tests and reviews its plan?
Rinske: The right answer is that organisations implement some rhythm or test calendar. Don’t just make it an annual event because the auditors are coming around. Make it second nature.
Don’t always aim for a full end-to-end testing as most companies cannot do live testing for practical and productivity reasons. For a large scale BCP test, my recommendation is that it’s better to aim for partial testing of one/more ‘end to end’ processes say, every 6-12 months, rather than ‘resource based testing’ such as ‘all the IT’. The business process approach (e.g. an entire customer service ‘flow’ from a customer phoning up, to the right person handling the call from an alternate workplace, to a transaction being logged and the customer’s issue resolved) is usually far more insightful than just testing all IT recovery aspects but not the staff facilities, phone systems and other items that are part of a time-critical process.
I’ve found that in organisations that have a rhythm or natural regularity of testing, we see different aspects of the plan being tested more frequently. For instance, a recovery test of some of the IT systems every February, a crisis management scenario test in a boardroom setting every May, a walk-through of some of the time-critical business process recovery plans in August, and a full end-to-end test in November.
Don’t always focus on the one type of testing. Break it into manageable chunks. Do the different types of testing in a way that people can manage it as part of their everyday operations.
There’s a general rule – don’t conduct destructive testing.
Live testing always has a risk to the ‘live operations’ associated with it, so don’t make that risk unacceptable. Keep it manageable by reducing the scope of the test to one or two business processes at any time. Be creative in managing this risk, meaning it’s not just one annual test but a series of partial tests throughout the year.
How does a BCP fit into a business’ existing risk management profile and security procedures?
Rinske: My Masterclass at the National Security conference later this month will highlight how this interaction would ideally work.
Business continuity has two core elements to it, with risk assessment being one of these (the other one being Business Impact Analysis or BIA). There’s a step in risk assessment where you look at what things could happen, what are the core consequence scenarios that we should plan for, what are the likelihoods and possible impacts of those scenarios.
Security fits in here. Security is one of the sources of risk, but it is also one of the controls that you put in place. For example, a source of risk might be people breaking into your warehouse. One of the solutions on the preventative side in your risk matrix would be having CCTV or security guards in place.
Security and risk both fit into the BCP process, almost in an integrated way. If BCP was the big bubble, risk assessment is a smaller bubble and security is a sub-bubble or sub-category within risk assessment.
There are other sub-categories. For instance Business Impact Analysis and risk assessment also overlap. If you just looked at your processes and tried to assess the potential impact, you would need to know what sort of risks or scenarios you’re planning for and look at your critical processes and the impact if these don’t continue as per normal.
In terms of business critical assets, information and intelligence would feature quite high in most organisations’ priority list. In terms of specifically addressing data, are there any organisations or institutions that are leading the way in terms of continuity planning?
Rinske: Within my client group, I would say that organisations who deal with sensitive financial information and identity information such as credit card information are more inclined to look at protecting data with information security standards such as ISO 27000 as part of their risk assessment.
The health sector, this time linked to identity with health records, is also quite focused on data security.
There are some organisations, irrespective of their sector, that do this better than others.
Is BCP dependant on the organisation or type of business activity?
Rinske: Yes – absolutely.
For example, there are certain sectors that are heavily dependent on IT such as banks, insurance companies and superannuation funds. Protecting the IT systems is a major concern in this sector with the dominant thought being that all long as the systems are running, you can be creative with the rest of the plan. Whereas, say, the ambulance service would prioritise vehicles, a good phone system and skilled people over the IT system as being time-critical to perform their core activity of arriving at a scene and saving a life.
Each plan is fundamentally different for each business that we deal with, which is why we need to be creative. We can certainly use ideas that are specific to an industry and incorporate industry best practice.
For instance, manual workarounds are not viable for all industries. The manufacturing industry can’t just send staff to work from home. They need a facility, warehouse, specific equipment and raw materials that can’t be replicated at home. In that sector, we usually look for reciprocal arrangements or hiring a space which is a challenge for most as the physical building is so specific to their business activities.
These businesses would almost by default have to go for a completely different strategy where they look at producing a similar outcome for the client or customer but in a completely different way.
For a printing company, this could mean producing a digital platform to distribute a document instead of printing a hardcopy somewhere else.
You sometimes have to look completely outside the box for solutions, which is why I love the work I do. Our consultants are trained to be innovative whilst still complying with industry standards and guidelines such as ISO22301 and ISO31000. Safeguarding an organisation’s reputation/brand is at the core of our work, so BCP resonates from top to bottom. Engaging all levels in an organisation is part of the skill set required to be exceptional at this work.
Places such as the UK have standardised business continuity management though specific British Standards and here in Australia, Standards Australia has published the Business Continuity Standard AS/NZS 5050:2010. Are standards the start or end of a BCP?
The biggest risk with standards is when people view them as simply being an auditable task that requires a tick in the box for compliance and certification and they don’t really inspire the enthusiasm of the workforce that has to live and breathe business continuity. Using standards that way is like viewing business continuity as a ‘stick’ and I believe it should have some ‘carrots’.
We’re trying to protect people’s lives with business continuity. We’re trying to ensure that salaries are paid if the system’s down. We’re trying to provide security for staff if there’s been a fire in the building by ensuring that there’s a job to go to afterwards. These concerns have nothing to do with standards, but with the end-to-end benefits for everyone in the organisation.
Standards can be a risk when people see than as auditable pieces of documentation and don’t emphasis the benefits.
Moving from compliance to enthusiasm, how important is to create the right culture and get buy-in for from all levels in your organisation?
Rinske: This is extremely important – especially at all levels. When I run an exercise or disaster simulation with clients, I encourage them to ensure that it’s fun for participating staff and at a time of the day that they can handle it well… and we try to link business continuity to their own lives during the exercise. This will create more of a culture of support.
So too at the senior level – if I don’t identify the benefits of the process to the C-level managers, we will always be pushing the process uphill and it will only start to slide down as soon as the pushing stops. Top management support, buy-in and enthusiasm are essential ingredients in any industry and in any organisation.
If you were creating a BCP for Australia, what would you identity as the country’s current threats and challenges?
Rinske: A look at recent news and media will highlight that economics and issues such as trade and budgets are amongst Australia’s largest challenges.
Business continuity tends to acknowledge that these issues are threats. If Australia was a company and I was charged with going in to do a BCP, issues such as foreign exchange rates, fluctuations and competitive threats would be acknowledged as part of the best practice risk assessment model. However because they’re slower moving threats that are linked to the day-to-day business strategy, we wouldn’t make detailed plans for these in terms of BCP.
Looking specifically at Australia, the critical impact scenarios which are relevant to BCP could be summarised as:
Real disasters tend to be a combination of the impacts of these 5 core consequence scenarios. It’s important to not only focus on natural disasters. In terms of the number of things going wrong, statistics suggest that external factors such as natural disasters and other external events only account for about 20% of the whole spectrum. The other 80% reflects incidents caused by lack of training, mismanagement and other aspects that – to a high degree – a business (or in this case the entire country) can prevent.
Rinske Geerlings has been specialising in Business Continuity (BC) Planning, Disaster Recovery (DR) and business process implementations for 15 years. She built extensive hands-on experience during permanent roles in banking, as well as Senior Management consulting and training roles. Her company Business As Usual has successfully competed against the Big Four, resulting in major BCP projects across the globe. Rinske’s passion for making a difference in people’s working conditions ‘and beyond’ has seen her travel to places including East Africa, Asia and the Middle East to train organisations in BCP.
Using best practice templates, video exercises and practical assignments, Rinske will be highlighting the interaction between business continuity and security plans during our Masterclass in Sydney on the 28 May 2014.