Skip navigation

Another day, another politician that thinks that contingency plans shouldn’t be developed. This time it’s the head of the European Commission, Jean-Claude Juncker, who has told his officials not to work on contingency plans for Greece’s possible exit from the euro. Why? Apparently it’s because the plans could be leaked and cause turmoil in financial markets.

In other words, Europe’s top politician has effectively told everyone that he believes that Business Continuity planning is a dangerous discipline and that Business Continuity Plans should not be developed just in case they are leaked to the media.

Trying to sell the benefits of investing in Business Continuity is hard at the best of times, but now we have Jean-Claude Juncker and his helpful ideas. It’s not as bad as the person who once told me that he didn’t want to develop a Business Continuity Plan as it was tempting fate, but it’s getting close.

The Bank of England has just been heavily criticised in a report by Deloitte into the unprecedented day-long
collapse of its Real-Time Gross Settlements system last October. Deloitte that found that the Bank’s officials had never rehearsed what would happen in the event of the platform going down for any length of time, and to compound the problem, Deloitte also discovered that the three Bank of England executives with responsibility for the system were all out of the country on the day the outage happened. Not only did the system fail, but the Bank had virtually no crisis management plans in place to deal with the incident.

Unfortunately, in my experience of providing Business Continuity services to a wide variety of organisations over many years, one of the constant themes that I come across is  the failure to exercise recovery plans. It’s not a point blank refusal to run an exercise that’s the problem, instead it’s the constant postponement that eventually results in the failure to exercise a recovery plan.

All sorts of good reasons are given for postponing an exercise, from the understandable fact that everyone is just too busy at the present time to the ludicrous idea that the recovery shouldn’t be exercised until it is known to work (which came first, the chicken or the egg?) And so it goes on, month after month, year after year, with everyone saying that they intend to run an exercise, but with nobody committing to a date or time.

Don’t get me wrong, I do have clients that do exercise their recovery plans, but they are in a minority and they don’t exercise every plan as often as they should. I’ve tried all sorts of ideas to overcome this problem, but none of them seemed to have worked. Is this just a fact of life, or can something really be done to make sure that recovery plans are exercised on a regular basis?

The prevailing view of the Business Continuity (BC) community is that the only benefits of not having a Business Continuity Plan (BCP) are that you’ll be saving a small amount of time and money, but with huge downsides if you ever suffer from an incident that causes major disruption to your operations. But this may have to be revised as a result of fire at a Dogs’ Home in Manchester in the UK last Thursday evening.

The fire, which was tackled by more than 30 firefighters, was a tragic event that killed about 60 animals. Some 150 dogs were saved, and from all the reports it looks as if the staff did not have a pre-prepared BCP. However, the public rallied round after the Dogs’ Home asked for people to provide temporary foster care for the rescued dogs. Large numbers of people turned up to help, volunteers at the site began collecting dog food, bedding and other items donated by the public, and a JustGiving account set up by the Manchester Evening News raised more than £1.2m. In fact so many people tried to turn up to help that the Cheshire Police tweeted: “High Volume of Vehicles at Cheshire Dogs Home to adopt dogs following the recent tragic fire. Avoid area if travelling.”

Volunteers are saying they have been overwhelmed by the response and that they now have rooms full of dog food, blankets, crates and baskets, and although many members of staff say they’re devastated by the fire, there’s a sense of optimism and comradeship as as fosterers turn up to take dogs home.

The net result seems to be that the Dogs’ Home is far better off than if they had had a BCP that clicked seamlessly into operation and hadn’t had to ask for help. So, before you decide to spend time and money on developing a BCP, ask yourself if you should just wait until an incident happens and hope that help and assistance will be provided by the public. Maybe this would only happen in the UK and to a Dogs’ Home. I wouldn’t recommend that a bank tries it!

As a Business Continuity professional, I was very disappointed to learn the other day that a major international organisation has publicly denied that it has a Business Continuity Plan (BCP) for the only product that it provides. Every other major international organisation that I come across is very proud of the fact that they have put in place measures to protect their product and services, and hence the interests of their stakeholders, by developing and maintaining effective BCPs.

And who is this organisation? None other than the International Olympic Committee (IOC). The IOC’s vice president John Coates described Rio’s planning as “the worst I have experienced”, and although the IOC has formed an emergency task force in a bid to bring Rio up to speed, he has denied reports in the London Evening Standard that London organisers had been contacted to see if the facilities built for the successful 2012 Games could be used again in two years’ time should the Brazilian city fail to reach its construction deadlines. “There’s absolutely no plan B,” he said. “There’s just absolutely no alternative of going back to another city. We’ll work through this and we’ll get to Brazil.”

Who needs Business Continuity eh? Just tell everyone that it won’t happen, and if it does, just work the the problems as they arise and carry on regardless.

 

I’ve just had an interesting customer experience that is probably the very opposite of what Business Continuity (BC) is supposed to be about. Instead of ensuring that it could continue provide its essential services, an airport taxi company that I was booked with charged me, the customer, an additional amount because their telephone system failed!

I was flying back from Hong Kong to Manchester via Dubai when the flight from Hong Kong was delayed by 4 hours because of a tropical hailstorm over Hong Kong, causing me to miss the connection in Dubai. I was due to be picked up at Manchester Airport by the airport taxi company from the original flight, and the agreement that I had with them was that if I needed to change the pick-up time then there would be an additional charge unless I gave them at least 12 hours notice.

Dutifully, I called their contact number using my mobile, but after one ring the connection was terminated. In all I tried 15 times until, in desperation, just before I boarded the new flight that I had been re-scheduled on to from Dubai to Manchester I called our house cleaner to see if she was available to actually go to the airport taxi company in person to tell them that my pick-up time needed to be changed.

Fortunately, my cleaner was available and went to the airport taxi company where I called her mobile and spoke to the company on her mobile. By this time, of course, the 12 hour limit had passed, but the company acknowledged that there was a problem with their contact phone line and I did manage to re-arrange the pick-up time.

When I finally arrived at Manchester Airport I was given a letter by the driver informing that there would be an extra charge because I failed to advise the company of the change in arrangements in time, but because their contact phone wasn’t working they would give me a discount.

So, they had a failure of the phone system, and they wanted me, the customer, to pay an additional charge because they did not manage to provide continuity of an essential service.

As you can imagine, I won’t be using this company again.

Just when you thought that the Business Continuity (BC) profession had grown up and stopped quoting bogus statistics about the effects of not having Business Continuity Plans along comes another report trying to scare management with fairy stories.

This time the story comes from non other that the Business Continuity Institute (the BCI), which has published a paper called “Counting the Cost” as part of Business Continuity Awareness Week, in which the author states that “Figures show that 40%-60% of businesses without a BC plan never reopen after a significant incident, and the response for the first 10 days are critical to survival”. These figures come from something published on a website called visual.ly, and are totally unsubstantiated, as are all such statistics.

The author cautions the reader that “This report aims to be descriptive rather than normative. The figures cited come from surveys conducted by the BCI and other organisations (eg. IBM, Ponemon Institute, etc.), which also acknowledge the same limitations. Hence, statistical inferences cannot be applied to this data.”

If you can’t make statistical inferences about data, then don’t use the data! Pretty simple really.

Maybe, just maybe, some time in the future, the BC profession will grow up and realise that you can’t just go around quoting unsubstantiated statistics about the benefits of BC.

Resiliency, or rather Business Resilience, seems to be the flavour of the month in the Business Continuity and Risk industries. Apparently, businesses are moving away from having separate silos for Security, Risk, Health & Safety, Business Continuity, etc., and are bringing all these related disciples under the heading of resiliency and are appointing a Head of Resilience.

This all sounds quite good, and is for once a piece of joined up thinking, except that the idea of Resiliency goes beyond these operational areas to the idea of ensuring that the business itself is resilient, which takes the discipline into the areas of leadership, reputation, innovation, product development, marketing, etc.. In other words, it seems to be about everything that the business does, and that a single manager should be appointed to ensure that the business should remain resilient in the changing environment in which it operates.

Now, tell me if I’m wrong, but I thought that this was actually the point of a Board of Directors. One of the prime responsibilities of a Director of a company according to UK law is to “try to make the company a success, using your skills, experience and judgement”. In other words it is the responsibility of every Director of a company to ensure that the company is resilient – it should not be delegated to a manager as Head of Resilience.

The Business Continuity and Risk industries should either start talking about Operational Resilience, or stop talking about Resiliency.

Yesterday I finally got round to doing a job that I’d been putting off for weeks – updating my company’s Business Continuity Plan (BCP). The system that we use to manage Business Continuity, Mataco, had been regularly sending me reminders that it needed to be reviewed, but I’d been ignoring them because it wasn’t my top priority and besides, it’s an extremely boring job.

Now, my role in Merrycon is to provide Business Continuity consultancy, and the need to keep BCPs up to date is one of the things that I keep telling my clients that they need to do. I seem to spend significant amounts of time and effort helping clients set up structures and procedures to ensure that BCP maintenance is carried out in a timely and effective way, and in training client staff in how to update their BCPs. To be fair, I do advise my clients that it’s a task that people don’t like doing, but I regularly find myself in the position of criticising clients for not keeping their BCPs up to date.

So, the question is, how do I make the task of keeping BCPs up to date exciting? How do I make people want to spend time checking through their BCP to see what needs to be updated, then spend time updating the BCP, and then to spend time making sure that everyone has a copy of the new version of the BCP? I need the answer to this question not only for my clients, but for me as well.

I was recently asked by an insurance broker to help one of his clients develop a business continuity plan because the client’s insurer was insisting on a plan being developed if the risk was to be renewed. The client is a small family owned niche manufacturing company, that’s been in existence for over 100 years, and the managing director really didn’t see the point in developing a plan – and certainly was not keen on paying anyone to help him.

Because he needed the insurance cover he had to go ahead, but to make it more palatable, my broker friend came up with what was to me, a new concept in business continuity. He explained to me that what the client required was an entry level business continuity plan, and that maybe in later years this could be enhanced.

The client seemed satisfied that this was what he required, presumably because it implies something that is quick, easy, and cheap, but it has left me with a bit of a problem. I have a few ideas, and will be meeting with the client again shortly to work with him to create his entry level plan, but the definition of such a plan doesn’t immediately stand out in the business continuity standards and guidelines that I’m familiar with.

I received a telephone call from a client the other day. They wanted to know if I could give them a copy of their Business Continuity Plan in Microsoft Word, and update the section on IT recovery. Apparently, the person who was calling me needed to include the Plan in a proposal to a potential customer, and only had a PDF version that was three years out of date. This individual was not the person who was responsible for updating the Plan, which is produced as a PDF document from a proprietary Business Continuity system. I explained that I did not have access to that system, and that she should talk to the person who was responsible for the maintenance of the Plan. Besides, I knew nothing about their current IT recovery. Apparently, the person who was responsible for updating the Plan was on holiday. Could I do something for her as she had to have the Plan updated to send out the next day! Talk about leaving things to the last minute.

Being a helpful sole I told her that if someone could send me details of their current IT recovery then I could produce an updated version of the Plan for her in Word, but once the person responsible for updating the Plan returned from holiday it really needed to be updated properly using the  proprietary Business Continuity system. She told me that they were prepared to pay for the work, and that the cost wasn’t really an issue. This was a licence to print money, but I didn’t charge them more than I normally would have done as I wanted to keep the client. They obviously needed further assistance.

I converted the Plan from a PDF to Word, included the IT recovery details that were sent to by their IT expert, changed the date on the Plan (not to today’s date, that would be a bit too obvious to the potential customer) and returned it with warning that it was out of date and needed to be properly updated.

Now, is this typical of most organisations? Do they update their Plan only when someone asks to see it?