Tag Archives: standards

Cyber and terrorist attacks currently appear to dominate Business Continuity (BC) thinking, but over the weekend we had a classic example of a good old-fashioned failure of a critical IT system causing major disruption and some resulting poor incident management that compounded the problem. The company involved was British Airways (BA), and I say poor incident management because this is what the public has perceived and what BA customers experienced. No doubt there will be an internal BA investigation into what went wrong, but as a BC professional I’d love to know about three aspects of the incident and BA’s response:

  1. How long did it take from the initial failure of the system for the IT support technicians to realise that they were dealing with a major incident, who did they escalate the incident to (if anyone), were the people designated to handle a major incident contactable, and was the problem compounded by the fact that BA’s IT had been outsourced to India?
  2. The system that failed is so critical to BA’s operations that it must have had a Recovery Time Objective (RTO) of minutes, or at worst, a couple of hours. To achieve this, BA should have put in place a duplicate live version of the system (Active/Active). Either BA did not have such a recovery option in place (I’m guessing that they had a replica – Active/Passive), which implies that they failed to understand the need to have a very short downtime on the system, or it had not been properly tested and failed when required.
  3. Why were the communications with customers (people who were booked on BA flights) handled so badly? BA must have a plan to communicate with passengers, but was this dependent on the very system that failed?

For me, even before the inquest takes place, the major lesson to be learned is that the effectiveness of an organisation’s BC and incident response plans can only be assured by actually using the plans and responding to incidents. If you don’t want to find this out in response to a real incident, then you need to run realistic and regular exercises so that every aspect of your response is tested and the people involved know what to do. It doesn’t matter how good your Business Continuity Management (BCM) process is, how closely aligned to ISO 22301 it is, how good the result of the latest BC audit, or how much documentation you have. It’s your ability to respond effectively and recover in time that matters.

BA have suffered damage to their reputation; how much is yet to be seen. They will have suffered financial damage, and when the London Stock Market opens for trading we’ll see how much it has affected their share price. Maybe BA do run realistic and regular exercises. If they do, they should have identified the issues with the systems and incident response that were encountered over the weekend and acted on the lessons learned.

I have just attended a very good Business Continuity (BC) conference held in Malaysia by GRC Consulting Services in conjunction with the Business Continuity Institute (BCI), but I couldn’t help being concerned about the fact that the standards industry is producing more and more management systems standards in and around the subject of BC.

Why is this happening? Well, to my mind, there seem to be two drivers behind this trend, neither of which are good for BC.

The first one, which an increasing number of people seem to be talking about, is that the main bodies behind the development of all these standards have discovered a rich source of revenue and are now exploiting this for all that it’s worth. These bodies claim to be “not for profit”, but like many such organisations there are large numbers of people engaged in standards activities that derive considerable profit from the work that they do. The more standards that they produce the more these people profit from the work that they do.

This driver is simply the age-old story of people making a profit when they can, and is not too dangerous as it will eventually come to an end when the people buying and using the standards come to realise what’s going on. The second driver, though, is much more dangerous, as it strikes at the heart of BC and has the capacity to cause enormous damage.

This second driver is the desire to make something that is difficult, complex, and demanding, and which requires considerable skill and experience, simple to implement through a process that can be implemented by a management system. To see what I mean, you need look no further than BS 65000, the recently published Guidance for Organizational Resilience, which, to quote the body that produced it – “This landmark standard provides an overview of resilience, describing the foundations required and explaining how to build resilience.”

Organizational Resilience is something that every company continuously tries to achieve. It is nothing new, and has been an essential goal ever since the first company was founded. Few manage it over the long term, and the life of most companies is very short as the products and services that they produce become outdated and overtaken by new trends, ideas, and inventions. If explaining how to build resilience can be described in a short pamphlet and implemented by anyone with the capability to read and follow a set of procedures, then how come it was missed by so many millions of people involved in the running of the hundreds of thousands of companies that have failed?

The international standard for Organizational Resilience (ISO 22316) is due to publish in 2016, which must be a great relief for all those organisations that are struggling to survive in the ever more competitive markets in which they operate. All they now have to do is implement the standard, be audited for compliance, and get the certificate. So much easier than researching and developing new products, finding new markets, producing the products and services at competitive cost, controlling cash flow, hiring and maintaining the right people with the right skills, complying with ever increasing legislation, developing and enhancing reputation, etc.

I have been further convinced of the need for the Business Continuity (BC) profession to get back to its fundamentals by the juxtaposition of the publication by the Business Continuity Institute (BCI) of a comprehensive list of legislation, regulations, standards and guidelines in the field of Business Continuity Management (BCM) and the experience of many businesses that were affected by the recent floods in the north-west of England.

Some small businesses, mainly those that operate and serve very local markets, have temporarily closed until their premises can be refurbished, but others are up and running and continuing to trade even though their premises were badly flooded. The businesses that are back up and running had implemented BC, but not in the way envisaged by the BC profession through its standards and guidelines.

These businesses had taken steps to ensure that they could recover from incidents like the recent flooding by doing such things as backing up their data, implementing cloud computing, knowing where they could obtain replacement premises and equipment, being able to redirect their telephones, and having adequate insurance cover. They are also managed by people who know how to respond to incidents, are committed to the continued success of their business, and know what needs to be recovered by when without having to read a plan.

None of these businesses had implemented a formal BCM programme, none of them had followed any guidelines, and none of them had implemented a Business Continuity Management System (BCMS) or been certified to a BCM standard.

The publication by the BCI of a comprehensive list of BCM legislation, regulations, standards and guidelines is very useful, and I’m not decrying it. But, and it is a very big but, the purpose of BC is to enable organisations to be resilient to incidents that affect their ability to operate. The people who own and run businesses in the north-west of England that had taken steps to ensure that they could recover from the recent flooding are practising the fundamentals of BC, and by and large have never even heard of BCM legislation, regulations, standards and guidelines.

Don’t get me wrong, there’s nothing wrong with BCM legislation, regulations, standards and guidelines, but they are not the end in itself. I sometimes think that BC professionals lose sight of this.

Reading about one of the causes of the catastrophic failures at Mid Staffordshire NHS Trust, which led to more than 1,200 patient deaths, reminded me of a similar issue that plagues many implementations of Business Continuity Management (BCM) programmes. This was the Trust’s concentration on achieving targets that would enable them to get a good rating from the NHS auditors rather than the most important objective, which was to ensure that patients left hospital in a better state of health than when they were admitted.

The issue in many BCM implementations is that organisations are looking to get a good rating from their auditors by doing all the things that a standard states they should do rather than working to achieve the most important objective, which is to improve the organisation’s resilience.

Setting targets based on readily measurable things is straightforward, and allows auditors to identify whether or not an outcome has been achieved, or how close it is to being achieved. Setting targets on things that it’s difficult to measure is problematic, and gives auditors a major problem when making an assessment. Unfortunately, the trend in many sectors over the past 20 years has been to rely more and more on these measurable targets when assessing performance, and to ignore the most important target. BCM has been no exception – achieving compliance against BS 25999 or ISO 22301 is commonly seen as the main objective, not becoming more resilient.

Hopefully, what has happened at Mid Staffordshire NHS Trust will be the start of the end of relying on peripheral, measurable targets, and the world will move back to looking at how well an organisation is achieving its critical objectives. Don’t bet the house on it though.

For my sins, I’m helping the Business Continuity Institute with the update of its Good Practice Guidelines. Actually, I volunteered to help, and despite the frustrations it’s well worth the effort. However, it can lead you to doubt your own sanity at times. Today is one of those days, as I’m thinking about the difference between Strategic, Tactical, and Operational Business Continuity issues.

Organisations operate at three levels. Strategic is where decisions are made, policy is determined, and resources allocated. Tactical is where operations are coordinated and managed. Operational is where activities are undertaken.

By definition, managing Business Continuity is Tactical. It is where the process of Business Continuity Management (BCM) is managed. The activities undertaken when implementing BCM, such as developing a plan, are Operational.

So far, so good, but isn’t managing BCM just an activity? If it is, then it must be Operational, not Tactical. Does this matter, is it relevant, or is it just semantics? Am I losing the will to live?

ISO 22301 is a standard for Business Continuity Management Systems. The key word here is “Systems”, which is why the standard contains more about management systems than it does about Business Continuity. It is not a standard for Business Continuity, as so many people seem to think.

This is all understandable and quite logical, but what defeats me is why ISO 22301 contains so much about risk. ISO has already published a standard for the implementation of risk management, ISO 31000, and is busy working on a whole series of standards under the 31000 heading. Why then, should risk form such a significant part of a standard on Business Continuity Management Systems?

Risk Management and Business Continuity Management are related disciplines, and their implementation should be coordinated and complementary. The links between the two need to be clearly identified in each standard, but I can’t really see the point of putting a statement in ISO 22301, which is supposed to be about Business Continuity, that says “Top management shall ….. by defining the criteria for accepting risks and the acceptable levels of risk”. This is Risk Management, not Business Continuity. By all means put a statement into ISO 22301 that says that an organization should implement Risk Management, but that’s all it needs.

The long-awaited ISO 22301 has finally been published, and despite all the hype that’s been built up over the past year, the reaction of the Business Continuity world has been fairly muted. This is probably due to the fact that its content has been known for a long time, and that it says nothing new about the subject.

I would go further than this though, and contend that it says very little about Business Continuity, and an awful lot about management systems. Anyone who is looking to the standard for help on implementing Business Continuity is going to be very disappointed. However, its companion, ISO 22313, the guidance for Business Continuity, is expected to contain a lot more information. Let’s hope so.