This week, I’m providing an in-house 5-day business continuity training course to a group of business continuity coordinators for a large UK company. These things raise my spirits as they demonstrate a company that is not only taking business continuity seriously, but is paying money and putting time aside to ensure that those involved in the implementation of business continuity are properly trained and equipped for their role.
This is very much out of the good practice mould, and the company is to be applauded. However, despite getting this important and costly element right, they have managed to stumble over something that is quite simple and cheap to get right.
On the first day of the course I was describing the BCM Policy to the delegates, and naturally asked them about their own company’s BCM Policy. None of them had seen or heard of it, despite the fact that I know that it has been produced and contains all the usual things that you would expect in such a document. Why hadn’t they seen it? It’s not a highly secure document, in fact it’s available to any stakeholder. It appears that the document has been in existence for some time, and although it may once have been circulated to all those with some kind of a role in implementing business continuity, it now seems to sit passively in a central folder waiting to be accessed by anyone who is interested.
All the company needs to do is to provide the BCM Policy to relevant staff on a periodic basis, and in particular when someone is newly appointed to a business continuity role. Simple, cheap, but easy to forget.
In Greek mythology, the Lernaean Hydra was a serpent-like water beast that had nine heads, and for each head that was cut off it grew 2 more. In business continuity, the 80% Myth is a statistic that has been made up to scare organisations, and for each quote that is identified as being bogus two more appear in publications produced by otherwise respectable organisations.
I have just been sent a brochure from a company that offers disaster recovery services that contains the quote “80% of businesses affected by a major incident either never reopen, or close within 18 months (Axa 2007 report)”. I am contacting the company that produced the brochure to find the reference to the Axa report, and if this quote is in that report then I’ll be contacting Axa to find the source of the statistic.
About 2 months ago I contacted one of the “Big Four” accounting firms about a similar statistic in their business continuity brochure. They said that they would investigate the source and get back to me – as yet I’ve heard nothing! I must follow this up.
Following our initial problems in getting Merrycon’s European recovery site operational, Merrycon is now successfully operating from its recovery site. We will continue to do so for another week before moving back to the UK.
The exercise has confirmed the two key things that Merrycon tells its clients about recovery – undertake a test to ensure that the recovery plan actually works, and have a backup plan in case something goes wrong during the test. Fortunately we take our own advice seriously. If we’d had to use the recovery plan it would have failed, but now we have ironed out all the problems we are confident that it will work. Also, the test has not had an adverse effect on Merrycon’s operations because we had a backup plan that kicked in and worked whilst we sorted out the communications problems with our recovery site.
The test has been a success, and has provided useful experience that we can pass on to our clients about the need for exercising business continuity arrangements.
This week, Merrycon is undertaking a test of its European recovery site in Spain. When I say test, I actually mean a full live relocation test, something that very few companies ever do.
We are only a small company, but as we provide Business Continuity services outside the UK, we decided to ensure that Merrycon could recover from an incident that affected the whole of the UK. We already have a recovery site in Hong Kong, but we wanted something closer to home.
Working with an agent that we have in Spain, we had established both voice and data telecommunications at our designated recovery site, and the purpose of the test was to move the operations to Spain to see if they worked. As I always tell my clients, you never know if it’s going to work until you’ve tried it, and you don’t want to do that for the first time in response to a real incident.
Sure enough, despite our agent informing us that everything was working OK, it wasn’t. Telefonica, the ex-government telecom company in Spain, had assured us that everything was connected and working. It wasn’t. We had to activate our recovery plan for the failure of our test to ensure that Merrycon could continue to operate as normal – always have a plan to recover from a test failure.
One of the critical success factors for an implementation of Business Continuity is the ability to identify the critical products and services and to put in place measures that will enable those critical products and services to be available within their Maximum Tolerable Period of Disruption (MTPD). This though, is a very one-dimensional view. For many organisations, their customers will tolerate a critical product or service not being available when they need it, as long as the failure is not experienced too often.
An example of this is the situation that Merrycon has experienced during the rehearsal of its European recovery site. We are staying at a small hotel near Ronda, in Andalucía. This first stage of the recovery is going well as the hotel has a good Internet connection and Merrycon’s ability to be able to send and receive email without interruption seems to be working well. However, lunch at the hotel provided the example of the one-dimensional view of MTPD.
One of the critical products and services for any hotel has to be providing red wine with a meal. Today though, the hotel that we are staying at did not have any red wine! For Spain, this is unheard of, and should signal the impending demise of the hotel. If this situation carried on for a period of time, then the hotel would get a bad reputation and nobody would come to stay at it.
Seemingly, this is a classic example of an MTPD. However, their reputation will not be ruined until the lack of red wine becomes a normal event, and this will only happen when customers keep coming across the problem. Red wine is delivered to the hotel on a regular basis, so it’s not the length of time that red wine is unavailable that’s important, it’s the number of times that it’s not available that matters. In this case, the Maximum Number of Times of Unavailability of a product or service is what’s important – the MNTU, not the MTPD.
One of my clients has told me that their emergency and business continuity planning arrangements have been the subject of no less than 10 audits over the past 6 months. At first, I thought that this had to be an exaggeration, but they gave me a list of the audits showing the organisation that undertook each audit and the dates. Each organisation on its own seemed to have a valid reason for doing an audit, but taken together it is an absurd situation.
If I told you that the client in question is part of the UK’s National Health Service (NHS), and that all the organisations undertaking the audits were in the UK’s public sector, then you might start to see why the new UK coalition government wants to cut down on the government bureaucracy that seems to have grown unchecked over the last few years. Something is very wrong when so many organisations, from essentially the same parent organisation, spend so much time and effort auditing the emergency and business continuity planning arrangements of what is, at the end of the day, quite a small part of the NHS.
Too much checking, and not enough doing?
The collapse into administration of Connaught, the UK social housing maintenance company, and the potential loss of up to 10,000 jobs, has reminded me of why business continuity is so low down on the priority list of so many businesses. Essentially, Connaught ran out of money. They hadn’t really been making any money for some time, but had managed to post profits by manipulating the reporting of revenue and costs whilst borrowing money to cover the shortfall in cash flow.
One of the most important things for any business is cash flow, and a key part of this is ensuring that you get enough revenue. It’s a bit like a swimmer keeping their head above water, fail to do so and you’ll drown. Cash flow and revenue generation are therefore fundamental to the survival of any business, and of a much higher priority than producing plans for situations that might never occur.
Many businesses are operating in this situation – survival mode. This is what the management concentrates on, and it’s no good trying to convince them to introduce business continuity as they just won’t be interested. Trying to do so is a bit like trying to convince someone who’s drowning to learn how to swim the butterfly stroke when all they’re trying to do is to stay afloat.
Business continuity is for businesses that have managed to get their cash flow under control and can see that in the long-term their revenue will outweigh their costs. Don’t get me wrong, I don’t think that business continuity is an optional luxury. It’s just that if your priority is short-term survival because your revenue is too low, then implementing business continuity is something that will have to wait. Once you’ve got the urgent problem under control then you can start to think about longer term survival.
The new ASIS standard (SPC.1-2009) states that organisations need to implement a prevention and deterrence program to ‘avoid, eliminate, deter or prevent the likelihood of a disruptive incident’. Now, this is all very well for incidents that can be controlled, but for the majority of natural events there’s very little that an organisation can do – or so you might think.
Once I started to think about it more carefully though, I realised that there is something that an organisation can do to avoid natural disasters such as floods, earthquakes, and volcanic eruptions. This is to move its operations to a part of the world where there is little or no chance of such events disrupting their operations.
Now, how far will organisations be prepared to go to become compliant with the new ASIS standard? If you operate in San Francisco, should you avoid an earthquake by moving your operations out of the earthquake zone? Similarly, if you are based in Docklands in London, should you avoid a flood by moving your operations out of the flood zone? What is acceptable under the ASIS standard? Can an organisation just ignore the fact that “the big one” could happen at any time?
Today, where I live in the Lake District, in the north of England, the weather is perfect. Not too hot, not too cold, but just right. It is probably the last warm day that we’re going to get until next spring. So I have declared a company holiday, and my company secretary and I are having a long lunch in the grounds of Merrycon’s headquarters (don’t worry, I’m married to the company secretary).
After a few glasses of wine, I started to talk about the blog that I wanted to write for today, and I came up with lots of really boring subjects. However, the company secretary, who’d just been reading the Times, suggested that I should write about the Stig’s business continuity plan.
For those of you who lead a sheltered life, the Stig is the anonymous racing driver in the TV series Top Gear, starring Jeremy Clarkson. Apparently, the Stig has a contract with the BBC that ensures that he remains anonymous, so retaining an air of mystery and intrigue, but according to the article in the Times, he has recently revealed his identity so that he can profit from the publicity to sell his “story”.
So, what does the company secretary mean by has the Stig got a business continuity plan? Does she mean has he got a plan to continue with his character once he has been revealed and the BBC are no longer interested in employing him on Top Gear, or does she mean has the BBC got a contingency plan to create a new anonymous Stig in his place?
In my opinion, one of the more depressing aspects of working as a Business Continuity consultant is that I continually find myself working with, and being taken for, a “doom and gloom merchant”. This is someone who trades on trying to convince both people and organisations that their world is increasingly threatened by such things as wild weather caused by global warming, terrorism, and worldwide pandemics.
To a certain extent this is true, I do trade on the fact that incidents will happen that cause disruption to organisations. However, what I do not do, and this is what infuriates me, is to claim that such events are becoming ever more frequent and that unless we all start to take drastic action we are all doomed to destruction.
I have not investigated the evidence, so I do not really know if the probability of disruptive events is increasing, decreasing, or is just the same as it was in the past. I actually doubt that anyone has really investigated the evidence because accurate historical records that would enable a global view of such events to be analysed over a sufficiently long period of time do not exist. What I do know though, is that we live in a very much less disruptive period than we have in the past 100 years (if you doubt this, just consider what the chances of disruption were to an organisation operating in Europe, China, or Japan, between 1939 and 1945).
What has changed though, is the inter-dependency of organisations, the revolution in acceptable standards of welfare, and the reliance on IT and telecommunications that has made every organisation more vulnerable to disruption. These are the real reasons for an increasing need for Business Continuity, not an increased threat of wild weather caused by global warming, terrorism, or worldwide pandemics.