One of my clients disagrees with me about the advice that I’m giving on the location of the backup tapes for their computer systems. The systems are located in the same building as the client’s only office in a market town in the north of England, and the backup tapes are all held in a fire-proof safe on site. I have advised the client that the backup tapes should be held in a secure location off-site, at a distance that is appropriate for the scale of incident that the client is looking to survive. My client reckons that the chances of losing all the backup tapes are almost non-existent, and certainly not worth the cost of purchasing a secure off-site storage service.
In the end I felt so frustrated about the client ignoring my good advice that I decided to undertake, free of charge, a rigorous risk assessment to demonstrate the level of risk being run. This involved estimating the probability of all the events that might lead to the tapes being lost or access to them being denied for periods of time up to a month, multiplying the probabilities by the estimated loss to obtain an expected loss per event, and summing the expected losses to provide an expected loss per year. The client’s turnover is about £4m, and it is reckoned that the business could be sold for 2.5 times turnover, which makes the largest loss £10m. The client can work for a day without access to the data held in their computer systems, but after 2 days they would expect to be losing some £345,000 a day.
The end result of my analysis showed that the expected loss per year of leaving the backup tapes on site was £460.53, which is less than the yearly cost to my client of a secure off-site storage service. I reluctantly showed my calculations to the client, who predictably said “I told you so, it’s not worth arranging for the tapes to be stored off-site”.
However, I still believe that the client should store the tapes off-site. It’s too big a risk for the client to run, no matter what the results of the risk assessment. So, am I right? If so, what on earth is the point of undertaking a risk assessment?
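The calculation described above (probability of each event times its loss, summed to an expected loss per year) can be made explicit in a few lines. The following is an added example, not the author’s spreadsheet: the threat list, the annual probabilities and the off-site service cost are constructed for illustration, and the loss model assumes that each day of outage beyond the second costs £345,000 and that no single loss can exceed the £10m value of the business. It also adds the check the post argues for: comparing the worst single-event loss against a maximum tolerable loss, not just the expected loss against the service cost.

```python
from dataclasses import dataclass

# Figures taken from the post: £345,000 per day after two days without data,
# and a largest possible loss equal to the £10m value of the business.
DAILY_LOSS_GBP = 345_000
FREE_DAYS = 2
MAX_LOSS_GBP = 10_000_000


def outage_loss(days: int) -> int:
    """Loss for an outage of the given length (assumption: days beyond the
    second are charged at the daily rate, capped at the business value)."""
    chargeable = max(0, days - FREE_DAYS)
    return min(MAX_LOSS_GBP, chargeable * DAILY_LOSS_GBP)


@dataclass
class Threat:
    name: str
    annual_probability: float   # chance the event happens in a given year
    outage_days: int = 0        # how long data access is lost
    total_loss: bool = False    # tapes destroyed outright: largest loss


def threat_loss(threat: Threat) -> int:
    """Loss if this threat materialises."""
    return MAX_LOSS_GBP if threat.total_loss else outage_loss(threat.outage_days)


def expected_annual_loss(threats: list[Threat]) -> float:
    """Sum over events of probability x loss, as in the post's assessment."""
    return sum(t.annual_probability * threat_loss(t) for t in threats)


def worst_case_loss(threats: list[Threat]) -> int:
    """Largest loss from any single event, regardless of its probability."""
    return max(threat_loss(t) for t in threats)


def recommend_offsite(threats: list[Threat], service_cost: float,
                      max_tolerable_loss: int) -> bool:
    """Off-site storage is justified if the expected loss exceeds its cost,
    or if any single event could exceed what the business can survive."""
    return (expected_annual_loss(threats) > service_cost
            or worst_case_loss(threats) > max_tolerable_loss)


# Constructed sample threats (hypothetical probabilities, not the author's).
SAMPLE_THREATS = [
    Threat("Fire destroys server room and safe contents", 0.00001, total_loss=True),
    Threat("Flood makes building inaccessible for a week", 0.001, outage_days=7),
    Threat("Police cordon keeps staff out for 3 days", 0.01, outage_days=3),
    Threat("Tape drive failure, replaced within a day", 0.05, outage_days=1),
]

if __name__ == "__main__":
    offsite_cost = 8_000          # constructed yearly cost of the service
    survivable = 5_000_000        # constructed: largest loss the firm can absorb
    for t in SAMPLE_THREATS:
        print(f"{t.name}: loss £{threat_loss(t):,} x p={t.annual_probability} "
              f"= £{t.annual_probability * threat_loss(t):,.2f}/yr")
    print(f"Expected annual loss: £{expected_annual_loss(SAMPLE_THREATS):,.2f}")
    print(f"Worst single event:   £{worst_case_loss(SAMPLE_THREATS):,}")
    print("Recommend off-site:  ", recommend_offsite(SAMPLE_THREATS, offsite_cost, survivable))
```

With the sample figures the expected annual loss is a few thousand pounds, below the constructed service cost, yet the recommendation is still to store off-site because one event could cost the whole business. That is the distinction the post is reaching for: the expected-loss figure answers “what does this risk cost on average?”, while the worst-case check answers “can we survive it at all?”, and a risk assessment needs to report both.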
How frequently should an organisation update its Business Continuity Plans (BCPs)? This depends on many factors, but one thing is for sure: it should be more frequently than the two years that one of my clients has decided to wait before doing anything about the BCPs that I had helped build.
The person responsible for Business Continuity, who I had been working with when the plans were built, left the client towards the end of 2009, and had been trying to get the organisation to devote time and resource to getting the BCPs both updated and revised. He had not achieved much success, despite the fact that the client had gone through a major change that rendered most of the BCPs obsolete! Maybe that’s why he resigned and went to work for another organisation.
The client has eventually appointed someone else to take responsibility for Business Continuity, and they had contacted me about ensuring that all the BCPs that he had found were in the new format that I had helped the previous incumbent in the post to develop. I received the copies of the BCPs a few weeks ago, and had been waiting for my new contact to agree a new invocation procedure before undertaking the work and putting the new procedure into each BCP.
I completed this work today, and have been mulling over the fact that although all the BCPs are now in the same up to date format and have the new invocation procedure, they are in fact quite worthless as BCPs as the rest of the information is either out of date or quite simply incorrect. How many other organisations are in the same situation?
The client is about to go through another significant reorganisation and change that will significantly affect the products and services that it provides and the activities that it undertakes to provide its products and services. So, even if the BCPs had been kept up to date they would still have to be significantly changed. Has the client simply skipped one set of changes to save money?
I am now aware of a new word in the English language : Resiliency. I’ve now come across the term twice in as many days, and according to the online version of the Oxford English dictionary, it is a noun that is a derivation of the word Resilience. The second time that I saw its use was in a response to an article on Resilience, where it was stated that “Resiliency is a destination, an objective that you can reach in many different ways; at the end of that journey your organization is either resilient or it is not”. According to the Oxford English dictionary it means “the capacity to recover quickly from difficulties”.
I am not so sure that the capacity to recover quickly from difficulties is a destination that can be reached. It is rather a moving objective that an organisation can continuously work towards achieving, but any relaxation on the part of the organisation will result in it moving backwards away from the objective.
An organisation is either resilient or not, but this has to be in the context of the nature of the “difficulties” from which it has the capacity to recover quickly. No organisation that I’m aware of has the capacity to recover quickly from the destruction of the Earth itself, but many have the capacity to recover quickly from a power cut. An organisation can be resilient to some things, but not to others, and it never ceases to amaze me that so many Business Continuity Management (BCM) programmes fail to define the scale of the incident that the organisation is planning to survive. In my opinion, this should be defined as part of the Business Continuity policy statement.
I was amazed to learn that one of the “Big 4” accounting and auditing companies is still peddling the myth about the percentage of businesses that close down after being affected by a major incident. The usual form of this quote is “80% of businesses affected by a major incident close within 18 months”, but this company has a variation in its Business Continuity and Resilience Services brochure that states “Nearly 50% of organisations who experience a disaster with no effective continuity plan, will cease trading within 12 months”.
Some years ago I wrote an article on the subject that was published on the Continuity Central website, following which I received numerous emails supporting my comments that it was a myth, and a few that provided me with suggestions as to where it might have originated. One reply in particular, from Andrew Hiles, listed a large number of sources.
I followed up all the references, and I didn’t find any evidence to support the myth. The end result was that Andrew Hiles and I wrote an article on the subject for Continuity Magazine, concluding that it is a myth.
I’m now going to write to the “Big 4” accounting and auditing company to find out if they have undertaken any research to support their quote or if they can refer me to the source. Somehow I get the feeling that they’ll be amending their brochure!
Today I’ve been providing a Business Continuity foundation course to employees of Deloitte in Brighton. Unfortunately, things have not gone quite according to plan. Do they ever?
The main problem has been that the course material, consisting of copies of all the slides and a workbook consisting of all the exercises went missing. They were delivered to the hotel in Brighton, and signed for, but then seem to have simply disappeared.
I learnt that this had happened when I started to deliver the training course. The immediate response from Deloitte was that they expected that I could cope as I was delivering a course on Business Continuity! Very funny, but actually they were right, I had anticipated this event and I could continue. However, I would only be able to use my workaround for the first day, after which I really did need the materials.
Deloitte did, in fact, take it seriously, and Continuity Shop, on behalf of whom I’m delivering the course, implemented their contingency plan and emailed copies of this missing material to the hotel. As the disappearance of the material was the hotel’s fault (the person who took delivery and signed for the material doesn’t seem to know what’s happened to it), they have kindly reprinted it for me.
All in all a good result. I have demonstrated Business Continuity in action to the course delegates. The problem is, they probably think that it’s been staged!
Yesterday Merrycon received an enquiry via its website about an exercise of a Business Continuity Plan, and it reminded me of how often organisations spend time and effort developing a Business Continuity Plan only to decide that they can’t be bothered to try the plan out using an exercise. They seem to be happy to wait until they need to use the plan in response to a real incident to see if it’s suitable.
This is a bit like building an aeroplane and never testing it to see if it flies safely. Just wait until you need to use the aeroplane for the first set of passengers that have booked a flight, put all the passengers on board, and then try to fly the aeroplane for the first time. How many of those passengers would actually get on the aeroplane if they knew that they were going to be on the first test flight? Basically, it’s not a good idea to try a plan out for the first time in response to a real situation, it’s an unacceptable risk.
Why do so many organisations accept such a risk? I suspect it’s because they didn’t really see the need for a Business Continuity Plan in the first place, and only spent the time and effort required to build one because they had been forced to by a third party, such as an insurance company. Because they really don’t believe they need to have a Business Continuity Plan, they’re not bothered that it hasn’t been exercised. And if they did suffer from an incident that caused disruption to their operations, they would probably not use the plan that they’d built – because they couldn’t rely on it!
So, getting an enquiry for an exercise is an encouraging sign that organisations are taking Business Continuity seriously. Or is it? On asking why the enquiry had been made, I was told that their insurance company had insisted that their plan was exercised. Some things never change.
All too often organisations skip over the need to undertake a Business Impact Analysis when developing a Business Continuity Plan, with the result that their plan has no firm foundation. I was therefore very pleased to be invited to a local UK resilience forum last week to present a proposal to run a Business Impact Analysis workshop for the members of the forum. I’m afraid that I can’t reveal the name of the forum or the nature of the organisations represented, but the objectives of the workshop will be to identify any joint critical functions and their key interdependencies, provide an increased understanding amongst the partners, and enable better, targeted resilience planning.
This is a very enlightened approach, where a group of organisations that are actually in competition with each other are willing to get together to improve their joint resilience. When added to the fact that they realise the need to undertake a Business Impact Analysis to understand and document the impact of disruptions on their operations before developing resilience plans, it gives me great hope for the future. Quite a contrast to my reluctant would-be client.
Actually, it gets better. One of the organisations at the forum subsequently contacted me to ask for a proposal to implement Business Continuity Management as they don’t have anything in place at the moment. A rare example of an organisation deciding that implementing Business Continuity Management would be a good idea without being told to by a customer, regulator, auditor, or any other third-party. As I said, it gives me great hope for the future.
I have now had an opportunity to speak to the insurance broker who had put me in touch with the reluctant client to find out what was happening with regards to my quote to develop a Business Continuity Plan.
Apparently, the insurance company that had made a Plan a condition of insurance has now backed down and made having a Plan just a recommendation. They still expect the client to develop a Plan, but will continue to provide insurance cover if they don’t. The result, as I’m sure that you can guess, is that the client won’t develop a Plan.
A lot of my time as a consultant seems to be spent chasing people who don’t really want to implement Business Continuity Management, and I understand from practitioners that are employed as full-time Business Continuity Managers within individual organisations that they have the very same experience. It seems to come with the job.
Never mind, there’s always next year, and I have diaried the proposal for the client’s insurance renewal date – in the hope that the insurer will insist on a Plan next time round.
I didn’t get to speak to my reluctant client yesterday, but I’m awaiting a call back from the insurance broker to see what the situation is.
Today I’m pressing on with building a complete BCM case study based on a high street insurance broking company with 3 offices in the north west of England. I’m busy going through the Understanding the Organisation stage of the BCM process, and have started working on Threat Assessment.
My small case study has 40 critical activities, and I’ve identified 30 threats that I need to assess over 10 time periods of loss (for example, an earthquake that results in not being able to use an office for a week). Multiplying up all the combinations (40 x 30 x 10) I have a grand total of 1,200 threat assessments to produce! I’m using Excel to help with the assessments, but it’s still going to take a long time. When I’ve finished I’ll be able to produce a report, which at say 10 threat assessments per page will be 120 pages long!
A reminder to call a potential client has come out of my follow-up system for today. It’s been four months since an insurance broker that I work with asked me to visit a local manufacturing and wholesaling company to provide a quote for developing a Business Continuity Plan. Apparently, the insurance company are threatening to withhold cover unless the company has an up to date, and exercised, Plan in place.
The company is privately owned, and the main shareholder, the Managing Director, really doesn’t want to spend any money developing a Plan. He doesn’t see the benefit, even though he’ll lose his insurance cover without it! The cost is less than £3,000 and a small amount of his time – to find another insurer that will give him equivalent cover, if he can find one, will be in excess of £10,000 per annum, plus a lot of his time.
I provided the company with a quote within a week of going to visit the Managing Director, and when I first called up to see what he thought of the quote he told me that his email system had failed and he hadn’t received it. After delivering a paper copy by hand, I called him again within a week and he hadn’t had time to read it. Then the government changed the tax rates on his product, and he was too busy to start the work, then it was year end and he was again too busy.
The company still has insurance cover, so I presume that he has told the insurance company that he is developing a Plan, but for various reasons has not been able to complete it. Last time I called he was just going on holiday, then I was busy with some other clients. Now it’s just before the main school holidays, and I bet that when I call him he’ll say that because he has lots of staff on holiday we’ll have to wait until September. I must admit that I’m running out of energy and enthusiasm, particularly when I know full well that once I’ve delivered and exercised the Plan he’ll never look at it again.