Skip navigation

Tag Archives: plans

A few days before the recent British Airways (BA) catastrophic IT failure I was in Kuala Lumpur, Malaysia, giving a talk at the second ASEAN Business Continuity Conference entitled “Building a Robust ITDR Plan”.

The main thrust of this talk was that as IT is at the heart of every organisation, ITDR is at the heart of Business Continuity, and that it is up to the organisation’s top management to ensure that its ITDR plans both meet the needs of the organisation and are known to work.

It appears that BA’s ITDR plans did not work, and although we don’t know whether the plans were appropriate for BA, the possibility is that they weren’t. In any event, the failure certainly came as a nasty surprise to BA’s top management.

I was asked to provide a closing thought to my talk on “Building a Robust ITDR Plan”, and I used a quote from Georges Clemenceau, the Prime Minister of France in the First World War, to sum up my ideas. For those of you who aren’t that aware of the catastrophe suffered by France in that war, it lost a generation of young men. Out of 8 million men conscripted, 4 million were wounded and 1 in 6 killed.

Georges Clemenceau said “War is too serious a matter to entrust to military men.”

I said “ITDR is too serious a matter to entrust to technologists.”

BA will have learnt that lesson, as France did, the hard way.

Cyber and terrorist attacks currently appear to dominate Business Continuity (BC) thinking, but over the weekend we had a classic example of a good old fashioned failure of a critical IT system causing major disruption and some resulting poor incident management that compounded the problem. The company involved was British Airways (BA), and I say poor incident management because this is what the public has perceived and what BA customers experienced. No doubt there will be an internal BA investigation into what went wrong, but as a BC professional I’d love to know about three aspects of the incident and BA’s response:

  1. How long did it take from the initial failure of the system for the IT support technicians to realise that they were dealing with a major incident, who did they escalate the incident to (if anyone), were the people designated to handle major incident contactable, and was the problem compounded by the fact that BA’s IT had been outsourced to India?
  2. The system that failed is so critical to BA’s operations that it must have had a Recovery Time Objective (RTO) of minutes, or at worst, a couple of hours. To achieve this, BA should have put in place a duplicate live version of the system (Active/Active). Either BA did not have such a recovery option in place (I’m guessing that they had a replica – Active/Passive), which implies that they failed to understand the need to have a very short downtime on the system, or it had not been properly tested and failed when required.
  3. Why were the communications with customers  (people who were booked on BA flights) handled so badly? BA must have a plan to communicate with passengers, but was this dependent on the very system that failed?

For me, even before the inquest takes place, the major lesson to be learned is that the effectiveness of an organisation’s BC and incident response plans can only be assured by actually using the plans and responding to incidents. If you don’t want to find this out in response to a real incident, then you need to run realistic and regular exercises so that every aspect of your response is tested and the people involved know what to do. It doesn’t matter how good your Business Continuity Management (BCM) process is, how closely aligned to ISO 22301 it is, how good the result of the latest BC audit, or how much documentation you have. It’s your ability to respond effectively and recover in time that matters.

BA have suffered damage to their reputation , how much is yet to be seen. They will have suffered financial damage, and when the London Stock Market opens for trading we’ll see how much it has affected their share price. Maybe BA do run realistic and regular exercises. If they do, they should have identified the issues with the systems and incident response that were encountered over the weekend and acted on the lessons learned.

 

 

As most people are only too well aware, the way that we find and use information is going through a radical and fundamental change, which is being driven by the Internet. What doesn’t seem to have permeated the world of Business Continuity though, is that this change is revolutionising the Business Continuity Plan.

Not too many years ago, in our house, we used to keep a telephone directory and combined bus and train timetable near our front door, close to where we had our telephone. Today, we have neither of those things, and if we want to find a telephone number or the time of a bus or train we’ll simply use the Internet, and rapidly find what we’re looking without wading through pages and pages of small print trying to decipher how the directory or timetable is organised before getting to the information that we want. We also had the depressing problem of finding out later on that we’d looked up the information in a document that was out of date, and that one of the family had inadvertently thrown away the new version and kept the old one.

Telephone directories and timetables are just two examples of documents that are being used by fewer and fewer people, and most of those are older people who find it hard to change a lifetime’s habits. Using printed documents to find information is becoming a thing of the past, as anyone who mixes with youngsters will confirm. Why then, do we persist with documents in the world of Business Continuity, what’s wrong with just finding the information that we need from the Internet?

The problems of document based Business Continuity Plans are only too well known. Unfortunately, more often than not, they are difficult to use in a crisis, contain unnecessary information, and are out of date. What we really need is something that is simple to use, delivers exactly what is required, and provides the latest information. That is an App.

An App is short for an Application, and is quite simply a piece of software designed to fulfil a particular purpose, and is downloaded by a user to a computing device from which it can be used. Apps can be used to obtain information, and when designed to provide the information required to respond to an incident, they are an ideal and powerful tool.

Don’t make the mistake of thinking that holding a Business Continuity Plan as a PDF document and making it available on the Internet via an App is the same thing as an App designed to enable someone to respond to an incident, it’s not. You don’t look up the time of a train on the Internet by opening up a PDF document and searching through it, do you?
A Business Continuity App can provide responders with clear, action orientated, and time-based direction, while allowing quick access to relevant and up to date support information. Exactly what we want to achieve.

This revolution has profound consequences for world of Business Continuity, and if you’d to find out what these are, then come and listen to me present at the BCI World Conference and Exhibition in November. The Business Continuity Plan, as a document, is dead, long live the Business Continuity App.

Another day, another politician that thinks that contingency plans shouldn’t be developed. This time it’s the head of the European Commission, Jean-Claude Juncker, who has told his officials not to work on contingency plans for Greece’s possible exit from the euro. Why? Apparently it’s because the plans could be leaked and cause turmoil in financial markets.

In other words, Europe’s top politician has effectively told everyone that he believes that Business Continuity planning is a dangerous discipline and that Business Continuity Plans should not be developed just in case they are leaked to the media.

Trying to sell the benefits of investing in Business Continuity is hard at the best of times, but now we have Jean-Claude Juncker and his helpful ideas. It’s not as bad as the person who once told me that he didn’t want to develop a Business Continuity Plan as it was tempting fate, but it’s getting close.

The Bank of England has just been heavily criticised in a report by Deloitte into the unprecedented day-long
collapse of its Real-Time Gross Settlements system last October. Deloitte that found that the Bank’s officials had never rehearsed what would happen in the event of the platform going down for any length of time, and to compound the problem, Deloitte also discovered that the three Bank of England executives with responsibility for the system were all out of the country on the day the outage happened. Not only did the system fail, but the Bank had virtually no crisis management plans in place to deal with the incident.

Unfortunately, in my experience of providing Business Continuity services to a wide variety of organisations over many years, one of the constant themes that I come across is  the failure to exercise recovery plans. It’s not a point blank refusal to run an exercise that’s the problem, instead it’s the constant postponement that eventually results in the failure to exercise a recovery plan.

All sorts of good reasons are given for postponing an exercise, from the understandable fact that everyone is just too busy at the present time to the ludicrous idea that the recovery shouldn’t be exercised until it is known to work (which came first, the chicken or the egg?) And so it goes on, month after month, year after year, with everyone saying that they intend to run an exercise, but with nobody committing to a date or time.

Don’t get me wrong, I do have clients that do exercise their recovery plans, but they are in a minority and they don’t exercise every plan as often as they should. I’ve tried all sorts of ideas to overcome this problem, but none of them seemed to have worked. Is this just a fact of life, or can something really be done to make sure that recovery plans are exercised on a regular basis?

As a Business Continuity professional, I was very disappointed to learn the other day that a major international organisation has publicly denied that it has a Business Continuity Plan (BCP) for the only product that it provides. Every other major international organisation that I come across is very proud of the fact that they have put in place measures to protect their product and services, and hence the interests of their stakeholders, by developing and maintaining effective BCPs.

And who is this organisation? None other than the International Olympic Committee (IOC). The IOC’s vice president John Coates described Rio’s planning as “the worst I have experienced”, and although the IOC has formed an emergency task force in a bid to bring Rio up to speed, he has denied reports in the London Evening Standard that London organisers had been contacted to see if the facilities built for the successful 2012 Games could be used again in two years’ time should the Brazilian city fail to reach its construction deadlines. “There’s absolutely no plan B,” he said. “There’s just absolutely no alternative of going back to another city. We’ll work through this and we’ll get to Brazil.”

Who needs Business Continuity eh? Just tell everyone that it won’t happen, and if it does, just work the the problems as they arise and carry on regardless.

 

Yesterday I finally got round to doing a job that I’d been putting off for weeks – updating my company’s Business Continuity Plan (BCP). The system that we use to manage Business Continuity, Mataco, had been regularly sending me reminders that it needed to be reviewed, but I’d been ignoring them because it wasn’t my top priority and besides, it’s an extremely boring job.

Now, my role in Merrycon is to provide Business Continuity consultancy, and the need to keep BCPs up to date is one of the things that I keep telling my clients that they need to do. I seem to spend significant amounts of time and effort helping clients set up structures and procedures to ensure that BCP maintenance is carried out in a timely and effective way, and in training client staff in how to update their BCPs. To be fair, I do advise my clients that it’s a task that people don’t like doing, but I regularly find myself in the position of criticising clients for not keeping their BCPs up to date.

So, the question is, how do I make the task of keeping BCPs up to date exciting? How do I make people want to spend time checking through their BCP to see what needs to be updated, then spend time updating the BCP, and then to spend time making sure that everyone has a copy of the new version of the BCP? I need the answer to this question not only for my clients, but for me as well.

I was recently asked by an insurance broker to help one of his clients develop a business continuity plan because the client’s insurer was insisting on a plan being developed if the risk was to be renewed. The client is a small family owned niche manufacturing company, that’s been in existence for over 100 years, and the managing director really didn’t see the point in developing a plan – and certainly was not keen on paying anyone to help him.

Because he needed the insurance cover he had to go ahead, but to make it more palatable, my broker friend came up with what was to me, a new concept in business continuity. He explained to me that what the client required was an entry level business continuity plan, and that maybe in later years this could be enhanced.

The client seemed satisfied that this was what he required, presumably because it implies something that is quick, easy, and cheap, but it has left me with a bit of a problem. I have a few ideas, and will be meeting with the client again shortly to work with him to create his entry level plan, but the definition of such a plan doesn’t immediately stand out in the business continuity standards and guidelines that I’m familiar with.

One of the questions that I ask delegates on the Business Continuity Management courses that I give is “What should the maximum size of a Business Continuity Plan (BCP) be, in terms of the number of pages?” The whole point of asking the question is to get the delegates to discuss the issues of plans not being used or maintained because they are too large and contain too much information. At a course I gave in London recently, one of the delegates stated that each of her company’s plans were on a single sheet of paper (printed on both sides). In response to a general sense of disbelief, she opened up her handbag and drew out an example, which was neatly folded down to the size of a cigarette packet!

We had just been covering what should be in a BCP, so we went back to the checklist to see if her single sheet plan contained all the things on the list, and it did. Everyone was very impressed and asked for copies so that they could go back after the course and try to achieve the same feat with their own plans. I was no exception.

I can now report that I have managed to get Merrycon’s BCP down to a single sheet of paper, and what’s more, it’s on a single side. This BCP really does contain all the information that it required to respond to an incident that might cause disruption to Merrycon, and I was quite surprised at how easy it was to take the existing 27 pages and reduce them down to one.

There are two secrets about how to do this. The first is to make sure that the recovery team is well trained in how to use the plan, which means that all the explanatory text that is found in the plan can be removed. The second is to minimise the contact and reference information held in the plan to only that which is really required in the first day or so and might not be immediately available elsewhere (such as details of  how to get to a recovery site – all you really need is the address and telephone number). All the rest of the contact and reference information that might be needed until computer systems have been recovered can be held on a secure website, or downloaded as a PDF file on to devices that can store such documents (such as a Blackberry). Simple.

 

I was attending a local Business Continuity Institute (BCI) forum the other day when someone mentioned the fact that there had been a ‘flu pandemic the other year. From a technical world health view this is correct, but from a Business Continuity (BC) perspective in the UK, I believe that this is dangerously misleading. As a consequence, I stated the view that as far as BC professionals are concerned, there was no ‘flu pandemic.

Why do I hold this view? Well, quite simply, the ‘flu pandemic did not cause any more disruption to UK organisations than the ‘flu normally does in any year. In other words, it was a “business as usual” type of disruption, which could be treated by local management as just one of those day to day issues that need to be handled. Yes, I know that lots of organisations, particularly in the public sector, convened weekly meetings of managers to monitor the situation, just in case they needed to invoke their Business Continuity plans (or special’Flu Pandemic plans), but the impact of the incident was very small.

It’s a bit like saying that an organisation suffered from a fire just because someone burnt the toast. Yes, technically there was a fire, but it would have been quickly put out, there would have been very little business disruption, and no Business Continuity plans would be invoked. It would be dealt with as a  “business as usual” type of disruption.

Does this matter? Well, yes, I think that it does. To talk about ‘flu pandemic in the way that it was being talked about at the BCI meeting implies that there had been a business disruption and  that Business Continuity plans had been successfully invoked. There was no significant business disruption , and although ‘flu pandemic teams met,  no Business Continuity plans were invoked. In other words, the threat of the ‘flu pandemic was not realised, even though there was, technically, a ‘flu pandemic.

My message is simple. Don’t fool yourself into thinking that your plans dealt with the threat. It didn’t happen.