Skip navigation

Tag Archives: BCP

Finally, at long last, there appears to be some real evidence that Business Continuity (BC) works. After years of effort trying to debunk the 80% myth (80% of organisations that don’t have a BC plan fail withing 18 months of suffering from a major incident – or something similar), I’ve now seen some real research that demonstrates that BC does, in fact, have a beneficial impact.

The research takes the form of a study from IBM Security (conducted by the Ponemon Institute), which analyses the financial impact of data breaches. According to the study, leveraging an incident response team was the single biggest factor associated with reducing the cost of a data breach: saving companies nearly $400,000 on average (or $16 per record).  The study also found that the longer it takes to detect and contain a data breach, the more costly it becomes to resolve.

Admittedly, the study covers only cyber security, but at least it’s a start. It confirms the long held assumption in BC circles that being able to quickly and effectively activate a response team to handle an incident is one of the most effective ways of reducing the impact of the incident on the organisation.

Now all we need is for someone to widen the research to cover all disruptive incidents. Anyone want to do a PhD is BC?

The report can be downloaded at http://www-03.ibm.com/security/data-breach/index.html.

I have just attended a very good Business Continuity (BC) conference held in Malaysia by GRC Consulting Services in conjunction with the Business Continuity Institute (BCI), but I couldn’t help being concerned about the fact that the standards industry is producing more and more management systems standards in and around the subject of BC.

Why is this happening? Well, to my mind, there seem to be two drivers behind this trend, neither of which are good for BC.

The first one, which an increasing number of people seem to be talking about, is that the main bodies behind the development of all these standards have discovered a rich source of revenue and are now exploiting this for all that it’s worth. These bodies claim to be “not for profit”, but like many such organisations there are large numbers of people engaged in standards activities that derive considerable profit from the work that they do. The more standards that they produce the more these people profit from the work that they do.

This driver is simply the age old story of people making a profit when they can, and is not too dangerous as it will eventually come to an end when the people buying and using the standards come to realise what’s going on. The second driver though, it much more dangerous, as it strikes at the heart of BC and has the capacity to cause enormous damage.

This second driver is the desire to make something that is difficult, complex, and demanding, and which requires considerable skill and experience, simple to implement through a process that can be implemented by a management system. To see what I mean, you need look no further than BS 65000, the recently published Guidance for Organizational Resilience, which, to quote the body that produced it – “This landmark standard provides an overview of resilience, describing the foundations required and explaining how to build resilience.”

Organizational Resilience is something that every company continuously tries to achieve. It is nothing new, and has been an essential goal ever since the first company was founded. Few manage it over the long term, and the life of most companies is very short as the products and services that they produce become outdated and overtaken by new trends, ideas, and inventions. If explaining how to build resilience can be described in a short pamphlet and implemented by anyone with the capability to read and follow a set of procedures, then how come it was missed by so many millions of people involved in the running of the hundreds of thousands of companies that have failed?

The international standard for Organizational Resilience (ISO 22316) is due to publish in 2016, which must be a great relief for all those organisations that are struggling to survive in the ever more competitive markets in which they operate. All they now have to do is implement the standard, be audited for compliance, and get the certificate. So much easier than researching and developing new products, finding new markets, producing the products and services at competitive cost, controlling cash flow, hiring and maintaining the right people with the right skills, complying with ever increasing legislation, developing and enhancing reputation, etc.

 

I know that it’s only January, but this year’s prize for a misquote must go to Fire Security Ltd, who have stated the following on their website  “According to research by economic analysts Mel Gosling and Andrew Hiles, 70 per cent of businesses would fail after a fire – either by not reopening immediately after the blaze, or gradually dwindling in resources and effectiveness to close within three years”.

I have spent many years trying to debunk this myth, and some years ago Andrew and I jointly published our research on the much quoted statistic and its many variations (see http://www.continuitycentral.com/feature0660.html). Now I find that I’m being quoted as not only supporting the myth, but as having undertaken and published research showing it to be true!

How did Fire Security Ltd come to believe this? Is it deliberate, or a genuine mistake? I’m not one to believe in Machiavellian plots – the “cock-up” theory is usually right, but I’m struggling to understand how anyone could read the research that Andrew and I published and reach the conclusion that they did. Maybe someone from Fire Security Ltd had heard about the myth (most people have) and Googled it – only to find that we had done some research, and then just looked at the 2 line extract that Google provides and decided to quote us without going to or reading the link. Is that what passes for intelligent research nowadays?

I could become famous for proving that 80% of businesses that suffer from a major incident and do not have a business continuity plan go out of business within 18 months (not to mention being thought of as an “economic analyst”), which would be terribly ironic.

In case anyone out there has any doubt, I believe this statistic and its many variations to be not only a total myth, but absolute rubbish.

As most people are only too well aware, the way that we find and use information is going through a radical and fundamental change, which is being driven by the Internet. What doesn’t seem to have permeated the world of Business Continuity though, is that this change is revolutionising the Business Continuity Plan.

Not too many years ago, in our house, we used to keep a telephone directory and combined bus and train timetable near our front door, close to where we had our telephone. Today, we have neither of those things, and if we want to find a telephone number or the time of a bus or train we’ll simply use the Internet, and rapidly find what we’re looking without wading through pages and pages of small print trying to decipher how the directory or timetable is organised before getting to the information that we want. We also had the depressing problem of finding out later on that we’d looked up the information in a document that was out of date, and that one of the family had inadvertently thrown away the new version and kept the old one.

Telephone directories and timetables are just two examples of documents that are being used by fewer and fewer people, and most of those are older people who find it hard to change a lifetime’s habits. Using printed documents to find information is becoming a thing of the past, as anyone who mixes with youngsters will confirm. Why then, do we persist with documents in the world of Business Continuity, what’s wrong with just finding the information that we need from the Internet?

The problems of document based Business Continuity Plans are only too well known. Unfortunately, more often than not, they are difficult to use in a crisis, contain unnecessary information, and are out of date. What we really need is something that is simple to use, delivers exactly what is required, and provides the latest information. That is an App.

An App is short for an Application, and is quite simply a piece of software designed to fulfil a particular purpose, and is downloaded by a user to a computing device from which it can be used. Apps can be used to obtain information, and when designed to provide the information required to respond to an incident, they are an ideal and powerful tool.

Don’t make the mistake of thinking that holding a Business Continuity Plan as a PDF document and making it available on the Internet via an App is the same thing as an App designed to enable someone to respond to an incident, it’s not. You don’t look up the time of a train on the Internet by opening up a PDF document and searching through it, do you?
A Business Continuity App can provide responders with clear, action orientated, and time-based direction, while allowing quick access to relevant and up to date support information. Exactly what we want to achieve.

This revolution has profound consequences for world of Business Continuity, and if you’d to find out what these are, then come and listen to me present at the BCI World Conference and Exhibition in November. The Business Continuity Plan, as a document, is dead, long live the Business Continuity App.

There seems to be a growing under current of opinion that is seriously starting question the current direction of Business Continuity (BC). It is best summarised by three issues that have been identified by David Lindstedt: it isn’t evolving; executives aren’t engaged; and there aren’t any meaningful metrics. To these I would add a fourth issue, and this is that the profession seems to have backed itself into a standards corner.

By pure coincidence I’ve just come across a new way forward for BC whilst undertaking research for a paper that I’ll be presenting at this year’s BCI World Conference and Exhibition in London in November. The title of my paper is “The BC Plan is Dead!”, and whilst looking for a practical example of the ideas that I’ll be presenting, I came across a novel and exciting approach to BC that has been implemented by a major UK company. I don’t want to spoil the presentation, so I can’t reveal yet who it is and what I’ll be saying, but a representative from that company will, as part of my presentation, show a new approach that is measurable, adds value to the business, has the active support of the Top Executive, extends the traditional boundaries of BC to include all disruptive incidents, and puts BC in front of the Top Executive on a regular basis.

On the assumption that this new approach “holds water”  when publicly presented, I intend to explain and document it after the Conference. I have to admit that it’s not an approach that I’ve developed, I just stumbled across it. However, I’m so impressed by what I’ve seen that I believe that it needs to be properly put in front of Business Continuity professionals.

Despite my best efforts, I’m still unable to kill off the myth about “80% of companies without recovery plans failing within 18 months of having a disaster”. The myth comes in many statistical guises, and the latest example appears in a white paper from AVG, the online security company, which contains the quote from Touche Ross “The survival rate for companies without a disaster recovery plan is less than 10%”.

Depressingly, this quote is used by a large number of organisations that should know better, and is usually stated in the format “A Touche Ross study found that the survival rate for companies without a disaster recovery plan is less than 10%”. I have tried very hard to find this Touche Ross study, but to no avail. Touche Ross has not existed as a separate company since 1989 when it became Deloitte Touche , so this is hardly a recent study, even if it actually exists.

I have searched the Deloitte web site and cannot find any reference to the study in question, and have now made contact with Deloitte to ask if they can try and find the study, and whether or not they stand by the quote. Watch this space!

Finally, there is real concrete evidence that an organisation’s ability to recover is central to its immediate survival. Not its ability to recover after an incident, but its ability to demonstrate its recovery capability as perceived by others before any incident occurs. Business Continuity is now firmly center stage.

According to The Times, senior UK government officials “want the Co-operative Bank to be sold to a bigger player that could stabilise its IT system, which is feared to be so precarious that the bank could not cope with a serious problem.” For years I’ve been telling senior executives that not being able to demonstrate the existence of credible and tested Business Continuity arrangements could mean the difference between survival and failure, and now I can point to a real example. Business Continuity is not just for use in response to an incident – it must be demonstrable to interested parties well before any incident takes place.

Apparently, In the risk factors disclosed in its annual report, the Co-operative Bank has stated that “whilst a basic level of resilience to a significant data outage is in place, the bank does not currently have a proven end-to-end disaster recovery capability”. How many organisations can really hand on heart state that they have a proven end-to-end disaster recovery capability? Not that many.

Business Continuity has been practised in the banking industry for more than 25 years, and many of today’s accepted Business Continuity ideas and practices started in banking. Where banking leads in Business Continuity, other industries follow.

How long will it be before organisation’s in other industries are put at risk because they do not have a proven end-to-end disaster recovery capability?

Another day, another politician that thinks that contingency plans shouldn’t be developed. This time it’s the head of the European Commission, Jean-Claude Juncker, who has told his officials not to work on contingency plans for Greece’s possible exit from the euro. Why? Apparently it’s because the plans could be leaked and cause turmoil in financial markets.

In other words, Europe’s top politician has effectively told everyone that he believes that Business Continuity planning is a dangerous discipline and that Business Continuity Plans should not be developed just in case they are leaked to the media.

Trying to sell the benefits of investing in Business Continuity is hard at the best of times, but now we have Jean-Claude Juncker and his helpful ideas. It’s not as bad as the person who once told me that he didn’t want to develop a Business Continuity Plan as it was tempting fate, but it’s getting close.

The Bank of England has just been heavily criticised in a report by Deloitte into the unprecedented day-long
collapse of its Real-Time Gross Settlements system last October. Deloitte that found that the Bank’s officials had never rehearsed what would happen in the event of the platform going down for any length of time, and to compound the problem, Deloitte also discovered that the three Bank of England executives with responsibility for the system were all out of the country on the day the outage happened. Not only did the system fail, but the Bank had virtually no crisis management plans in place to deal with the incident.

Unfortunately, in my experience of providing Business Continuity services to a wide variety of organisations over many years, one of the constant themes that I come across is  the failure to exercise recovery plans. It’s not a point blank refusal to run an exercise that’s the problem, instead it’s the constant postponement that eventually results in the failure to exercise a recovery plan.

All sorts of good reasons are given for postponing an exercise, from the understandable fact that everyone is just too busy at the present time to the ludicrous idea that the recovery shouldn’t be exercised until it is known to work (which came first, the chicken or the egg?) And so it goes on, month after month, year after year, with everyone saying that they intend to run an exercise, but with nobody committing to a date or time.

Don’t get me wrong, I do have clients that do exercise their recovery plans, but they are in a minority and they don’t exercise every plan as often as they should. I’ve tried all sorts of ideas to overcome this problem, but none of them seemed to have worked. Is this just a fact of life, or can something really be done to make sure that recovery plans are exercised on a regular basis?

The prevailing view of the Business Continuity (BC) community is that the only benefits of not having a Business Continuity Plan (BCP) are that you’ll be saving a small amount of time and money, but with huge downsides if you ever suffer from an incident that causes major disruption to your operations. But this may have to be revised as a result of fire at a Dogs’ Home in Manchester in the UK last Thursday evening.

The fire, which was tackled by more than 30 firefighters, was a tragic event that killed about 60 animals. Some 150 dogs were saved, and from all the reports it looks as if the staff did not have a pre-prepared BCP. However, the public rallied round after the Dogs’ Home asked for people to provide temporary foster care for the rescued dogs. Large numbers of people turned up to help, volunteers at the site began collecting dog food, bedding and other items donated by the public, and a JustGiving account set up by the Manchester Evening News raised more than £1.2m. In fact so many people tried to turn up to help that the Cheshire Police tweeted: “High Volume of Vehicles at Cheshire Dogs Home to adopt dogs following the recent tragic fire. Avoid area if travelling.”

Volunteers are saying they have been overwhelmed by the response and that they now have rooms full of dog food, blankets, crates and baskets, and although many members of staff say they’re devastated by the fire, there’s a sense of optimism and comradeship as as fosterers turn up to take dogs home.

The net result seems to be that the Dogs’ Home is far better off than if they had had a BCP that clicked seamlessly into operation and hadn’t had to ask for help. So, before you decide to spend time and money on developing a BCP, ask yourself if you should just wait until an incident happens and hope that help and assistance will be provided by the public. Maybe this would only happen in the UK and to a Dogs’ Home. I wouldn’t recommend that a bank tries it!