library

Taking Centre Stage

As part of the overall provision of UK civil protection, Local Authorities, Emergency Services and parts of the NHS (Category 1 responders) in England and Wales are now required by law to have established effective business continuity management. They must ensure they can continue to perform their functions in the event of an emergency.

This relates to all the functions of a Category 1 responder, not just its civil protection functions. In order to help others in the event of an emergency, they first need to be able to keep their own crisis response capabilities going.

Phytopharm stock dives after bomb target broker quits

Shares in drugs company Phytopharm fell sharply after animal rights activists scared off its broker.

Canaccord Capital resigned as broker to Phytopharm yesterday – less than a month after a firebomb attack targeted its European finance director.

A website linked to the Animal Liberation Front claimed responsibility for planting the incendiary device which set fire to Michael Kendall’s car. The ALF says Phytopharm has links with animal testing group Huntingdon Life Sciences. HLS is a long-standing target for protesters.

Security fears at Indian Call Centre

Information could have been used to clone credit cards

Police are investigating reports that an Indian call centre worker sold the bank account details of 1,000 UK customers to an undercover reporter.
The Sun claims one of its journalists bought the personal details from an IT worker in Delhi for £4.25 each.

They included account holders' secret passwords, addresses, phone numbers and passport details, it reports.

City of London Police has begun an investigation after being handed a dossier by the newspaper.


The centre worker reportedly told the Sun he could sell up to 200,000 account details each month.

Details handed to the reporter had been examined by a security expert who had indicated they were genuine, the paper said.

The information passed on could have been used to raid the accounts of victims or to clone credit cards.

'Reflect on decision'

More than one bank is thought to be involved in the fraud.

A police spokeswoman said officers were not yet aware of "the breadth of what we are going to be investigating".

"While the allegations made in the dossier are very serious, City of London Police would like to remind people that incidents of this kind are still relatively rare," she said.

The Amicus union said it had warned of the "data protection implications" of offshoring financial services.

"Companies that have offshore jobs need to reflect on their decision and the assumption that cost savings benefiting them and their shareholders outweigh consumer confidentiality and confidence," senior finance officer Dave Fleming said.

Continuity Forum Comment

In the past few months we have seen an increased media focus on the security of Electronic Banking Systems with both TV and Print news sources citing alarming lapses in the procedures followed.

While technology can go a long way to 'secure' information there remains for many the issue of the 'insider'.

Whilst a lot of time and money is spent combating external Security threats, it appears that there is still some way to go to protect the organisation and its stakeholders from the actions of someone on the 'inside'. Whatever the motivation, Greed or Revenge, the threat posed can be far greater both in financial terms and in damage to the Reputation of the organisation.

To help you consider the risks to your organisation we have listed below some of the common characteristics of the 'insider':

Insider Characteristics

The majority of the insiders were former employees.

• At the time of the incident, 59% of the insiders were former employees or contractors of the affected organizations and 41% were current employees or contractors.

• The former employees or contractors left their positions for a variety of reasons. These included the insiders being fired (48%), resigning (38%), and being laid off (7%). Most insiders were either previously or currently employed full-time in a technical position within the organization.

• Most of the insiders (77%) were full-time employees of the affected organizations, either before or during the incidents. Eight percent of the insiders worked part-time, and an additional 8% had been hired as contractors or consultants. Two (4%) of the insiders worked as temporary employees, and one (2%) was hired as a subcontractor.

• Eighty-six percent of the insiders were employed in technical positions, which included system administrators (38%), programmers (21%), engineers (14%), and IT specialists (14%). Of the insiders not holding technical positions, 10% were employed in a professional position, which included, among others, insiders employed as editors, managers, and auditors. An additional two insiders (4%) worked in service positions, both of whom worked as customer service representatives.

Insiders were demographically varied with regard to age, racial and ethnic background, gender, and marital status.

• The insiders ranged in age from 17 to 60 years (mean age = 32 years) and represented a variety of racial and ethnic backgrounds.

• Ninety-six percent of the insiders were male.

• Forty-nine percent of the insiders were married at the time of the incident, while 45% were single, having never married, and 4% were divorced.

• Thirty percent of the insiders had been arrested previously, including arrests for violent offences (18%), alcohol or drug related offences (11%), and nonfinancial/fraud related theft offences (11%).

Organization Characteristics

The incidents affected organizations in the following critical infrastructure sectors:

• banking and finance (8%)

• continuity of government (16%)

• defence industrial base (2%)

• food (4%)

• information and telecommunications (63%)

• postal and shipping (2%)

• public health (4%)

In all, 82% of the affected organizations were in private industry, while 16% were government entities. Sixty-three percent of the organizations engaged in domestic activity only, 2% engaged in international activity only, and 35% engaged in activity both domestically and internationally.

Below we have outlined some of the effects on the organisation:

Consequences for Targeted Organizations

Key Findings

• Insider activities caused organizations financial losses, negative impacts to their business operations and damage to their reputations.

• Incidents affected the organizations’ data, systems/networks, and components.

• Various aspects of organizations were targeted for sabotage by the insider.

• In addition to harming the organizations, the insiders caused harm to specific individuals.

Supporting Data

Eighty-one percent of the organizations experienced a negative financial impact as a result of the insiders’ activities. The losses ranged from a reported low of $500 to a reported high of “tens of millions of dollars.” The chart below represents the percentage of organizations experiencing financial losses within broad categories.

Percentage of Organizations Financial Loss

Direct Financial Loss   Percentage
$1 - $20,000   42
$20,001 - $50,000   9
$50,001 - $100,000   11
$100,001 - $200,000   11
$200,001 - $999,999   7
$1,000,001 - $5,000,000   9
Greater than $10,000,000   2

For the full 45 page Report or to comment on this piece please mail us HERE! or call Russell Price directly on +44 (0) 208 993 1599.

 

Think Tank says "US lacks adequate financial protection from Terror Acts", but it's the UK too!

The terrorism insurance system in the United States is failing to provide businesses with adequate financial protection, leaving the nation vulnerable to economic disruption if there is a major terrorist attack, according to a RAND Corporation study issued earlier this week.

Citigroup loses data on 3.9 million customers

The banking firm has written to customers whose information was stored on computer tapes that were lost last month by courier UPS in transit to a credit office.

Kevin Kessinger, Citigroup's president of consumer finance in North America, said: "We deeply regret this incident, which occurred in spite of the enhanced security procedures we require of our couriers.

"There is little risk of the accounts being compromised because customers have already received their loans, and no additional credit may be obtained from CitiFinancial without prior approval of our customers, either by initiating a new application or by providing positive proof of identification. Beginning in July, this data will be sent electronically in encrypted form."

The tapes contained US customer data from CitiFinancial branch network operations and CitiFinancial Retail Services. The company said the tapes did not contain information from CitiFinancial Auto, CitiFinancial Mortgage or any other Citigroup business.

The company also believes the data has not been compromised and that none of the tapes contained details of CitiFinancial network customers in Canada or Puerto Rico.

"We are making every effort to ensure that our customers are aware of what we are doing and what we suggest they do to protect their identity. We are committed to ensuring that our customers have the support they need to monitor their credit and know how to respond should they identify any problems," added Kessinger.

Last week, the Japanese arm of investment firm UBS apologised for losing a hard disk that contained confidential data of 15,500 customers.

Continuity Forum Comment

There can’t be many people who haven’t had something ‘lost in transit’, but the experience of Citigroup shows that while mistakes can and will happen, the nature of today’s world and the desire of the media to report new stories mean that within a few hours even a relatively minor problem will be seen by potentially tens of millions of people, and you can be sure it will affect the way many view the organisation.

In most respects this simple process failure is a day-to-day occurrence: something is lost or stolen. But when it carries sensitive information, it becomes a story that is reported widely and needs a measured response from the organisation affected. The clear statement and explanation from Citigroup shows Customers that there is little on-going Risk to them and that the already strict procedures in place further reduce the Risk to clients.

Another detail that it is important to learn from is that the issue was not created directly by Citigroup; rather, it was a supplier of core services that was responsible for the loss, despite the ‘added measures’ Citigroup had in place. This shows the importance of working with key partners in the Supply Chain to ensure on-going compliance with your special procedures and to avoid supplier complacency creeping in. Failure to ensure that your policies and procedures are being adhered to can quickly undermine even the best plans and procedures and result in incidents like this or indeed far, far worse problems.

Forum Statistic

  •  Fewer than 20% of Global 2000 companies work with their Key Supply Chain Partners to embed BCM and even fewer (7%) regularly include partners in Exercises and Rehearsals despite the knowledge of the risks.

    Ends
    _________________________________

    If you have any comments on this article or would like to find out more about the work of the Continuity Forum please contact Sara McKenna or Russell at the Continuity Forum directly on 020 8993 1599 or info@continuityforum.org

 

FORUM ACTIVITIES update

The Continuity Forum’s mission is to build the resilience of organisations internationally, regardless of size or sector, through education and the promotion of best practice in Business Continuity Management and its related disciplines. The Forum is dedicated to aiding the growth and the development of the Continuity sector and appropriate standards.

One of our key aims is to lobby government, regulators and industry to recognise the vital importance and contribution of Business Continuity Management and its related disciplines to organisations and the need to establish a culture of embedded Continuity.

We support this aim by:

· Encouraging the development of BCM through co-operation and collaboration with all organisations relevant to the development of the sector.

· Engaging government, regulators and trade bodies to promote BCM and encourage adherence to recognised standards for BCM and professional practice.

In support of this approach Continuity Forum has, in the past 12 months, built upon existing relationships and established new relationships with appropriate organisations. Examples of these relationships and activities are shown below:

British Standards Institution (BSI) – Continuity Forum has been working with BSI on the proposal to create a BCM standard and will sit on the sub-committee that will create the new high level standard based on PAS 56. Continuity Forum is also exploring other possibilities for guides that relate to elements of BCM.

Chartered Institute of Public Finance and Accountancy (CIPFA) is one of the leading professional accountancy bodies in the UK and the only one that specialises in the public services. It is responsible for the education and training of professional accountants and for their regulation through the setting and monitoring of professional standards. John Sharp is a member of the Resilience sub group on the Better Governance Forum providing BCM input.

Chartered Management Institute (CMI) – Continuity Forum, working with one of their Gold Members – Veritas, are supporting the sixth annual survey into Business Continuity Awareness amongst general managers to discover what the key causes behind business disruption have been over the past twelve months and explore the impact that these interruptions have had. The report will also offer insights into UK organisations' preparedness for disaster and track changes in attitudes since 1999. The research is scheduled to be launched in March in support of Business Continuity Awareness Week.

City of London Police – Continuity Forum has formed a relationship with the City of London Police and are working with them to ensure appropriate BCM advice is available through the Police website.

Civil Contingencies Secretariat – John Sharp has been an active member of the teams writing the draft guidance and regulations supporting the new Civil Contingencies Act. Initially he worked with the Civil Contingencies Secretariat on the background to the Bill and subsequently provided input to the BCM Planning and Promotion sections of the draft guidance.

European Telecoms Resilience and Recovery Association (ECTR2A) is an EU-funded body with a remit to improve telecommunications resilience and suppliers and organisations. John Sharp is a member of the Advisory Board providing BCM input.

London Resilience Team – Government Office for London. John Sharp has been an active member of the LRT Business and Critical Infrastructure Teams. He currently sits on two working parties, one looking at how BCM can be included in new Corporate Governance regulations and the other concerned with improving the promotion of BCM to the wider business community across London. Continuity Forum is also working to ensure that LRT gain maximum exposure for its work during Business Continuity Awareness Week 2005, (13 - 18 March 2005).

Metropolitan Police – John Sharp has been a member of the Met Police executive team for BCM for some time, providing high-level advice on improving the continuity capabilities of the police service in the greater London area.

National Counter Terrorism Security Office (NaCTSO) is a specialist police organisation co-located with the Security Service in the National Security Advice Centre (NSAC). The organisation co-ordinates a nationwide network of specialist police advisors known as Counter Terrorist Security Advisors who can offer help on counter terrorism security. Continuity Forum has a long-standing relationship with NaCTSO, providing help and assistance on BCM. The Forum is currently providing input on a new Security publication being produced by NaCTSO and London First.

National Infrastructure Security Co-ordination Centre (NISCC) is an interdepartmental organisation set up to co-ordinate and develop existing work within Government departments and agencies and organisations in the private sector to defend the CNI against electronic attack. Continuity Forum has established a relationship with NISCC to explore how their new Warning, Advising and Reporting tool (WARP) can be used to improve the communication of BCM issues.

Scottish Business Crime Centre is a non-profit making organisation created in 1996 under the Business Crime Reduction Strategy for Scotland, to establish a unique partnership approach between the Police, business community and Government. The main function of the Centre is to provide practical advice to the business/commercial sectors on how to develop business crime reduction and prevention strategies. Continuity Forum is very active in providing BCM advice to the Centre and to their audiences.

In addition to the above activities Continuity Forum is working with many other organisations including ALARM, Bank of England, British Bankers Association, Business Link for London, CBI, City of London Emergency Liaison Team, Communications Managers Association, Federation of Small Business, FSA, Home Office, IoD, London Chambers of Commerce, London Connects and OFCOM.

Sixth Annual Chartered Management Institute Business Continuity Management Survey

CMI and Continuity Forum Research 


The Continuity Forum and the Chartered Management Institute have joined forces this year to undertake the 6th annual survey into Business Continuity Management.

Supported by Veritas this project will continue to provide the most detailed and extensive Research available into management attitudes towards BCM, which has proven key in supporting our Industry development.

Avian Flu Pandemic Advice continued ....

Department of Health influenza pandemic planning assumptions

Based on previous pandemics and current internationally agreed arrangements co-ordinated by the WHO, UK Health Departments have agreed the following planning assumptions (further details in Chapter 4 of main Plan):

(i) Spread from the source country to the UK will take no more than three months. Once in the UK, it is unlikely that we will be able to stop the spread of pandemic influenza. Our aims are to slow its spread, at least in the short term, in order to buy time and spread the load on health and other services, and to reduce its impact.

(ii) Most people will be susceptible to the new virus, although not all will necessarily develop clinical illness. All ages will be affected, but children and otherwise fit adults could be at relatively greater risk should elderly people have some residual immunity from exposure to a similar virus earlier in their lifetime.

(iii) Vaccine will not be available in the early stages. A pandemic vaccine cannot be stockpiled in advance: it must be produced specifically for the virus concerned so development cannot start until the virus is known. Everything will be done to produce a vaccine as quickly as possible, but it is likely to take at least 6 months.

(iv) As vaccine becomes available it will be given according to nationally agreed priorities, starting with health care and other essential workers. Beyond that, the final decisions will be based on early information about the age groups being affected most severely. When vaccine supplies become more widely available, vaccination will be offered to the general population.

(v) Antiviral drugs are available for treating influenza, but even with a national stockpile, there will not be an unlimited supply. They may be used initially to try to contain small outbreaks. Later they will be used to treat certain narrowly-defined priority groups according to agreed guidelines in order to achieve the maximum health benefits.

(vi) Planning should be based on a cumulative total of 25% of workers taking some time off – possibly 5-8 working days - over a period of 3 months. This first wave is likely to be followed by a second wave of similar duration. The interval between each wave could be several weeks or months. Absenteeism may be more than this either due to a higher rate of illness, the need to care for sick family members or fear of exposure to infection. Past pandemic experience indicates that between 10-35% of the workforce may be absent from work. The absentee rate is expected to peak for 1-2 weeks at the height of the outbreak (around weeks 8 to 9).

(vii) Total deaths in the UK normally run at around 12,000 per week. During a pandemic, without effective interventions, total deaths are likely to gradually rise to 50% higher than normal at the peak of a pandemic wave, and then gradually decline. However, there is the potential for as many deaths in 12 weeks of a pandemic as in the rest of the year (around 600,000 excess deaths across the UK).

(viii) Slowing down the spread and reducing the number that will be affected in the first wave may be achieved by implementation of:

- Hygiene including respiratory hygiene and hand washing
- Travel advisories to restrict international travel to or from affected areas
- Health screening at UK ports
- Voluntary home isolation of cases
- Voluntary quarantine of contacts of known cases
- Staff rostering to minimise the impact on staffing if all contacts of a case in a work team are asked to remain in voluntary quarantine
- Local restrictions on the movement of people, eg in a local community or town
- Restriction of public gatherings, especially international mass gatherings
- School closures (recognising the impact this will have on maintaining the workforce in other sectors)
- The use of face masks by infected people (to reduce droplet spread), by those in contact with infected people or by the general public

These measures are being kept under review as public health interventions during a pandemic, and clear guidance will be issued by Health Departments, based on the advice of the UK National Influenza Pandemic Committee or guidance from the WHO or real time modelling as the evidence evolves or as need arises.

Some of these measures may be required as a result of staff absence or the general disruption, or may occur by default because of public concern or other considerations, such as concerns about possible exposure to infection when using public transport. Voluntary co-operation with recommended measures would be sought. Mandatory quarantine and curfews are generally not considered necessary and are not currently covered by public health legislation.

General advice to local authorities, educational establishments and businesses

For the purposes of business continuity planning, local authorities, educational establishments and businesses will wish to consider the likely effects of a pandemic on their organisations outlined above and the measures that may need to be taken to manage these. For example, by:

• Considering the likely impact on their organisations and businesses;

• Considering their needs to maintain continuity of core business activities and putting appropriate plans in place taking into account high levels of staff absences;

• Providing information to staff and students (this will be available on the Department of Health website and in printed form);

In addition, research on the spread of infectious diseases suggests that the spread of an influenza pandemic may be slowed down by:

• cancellation of public events; for example this may include large-scale national or international events held in the UK (involving inter-regional/UK and international travel by participants), such as sporting fixtures, concerts, competitions, conferences, agricultural shows, exhibitions. In practice, possible lack of ambulance cover due to increased health care pressures associated with a pandemic might result in the cancellation of such events;

• curbing unnecessary travel; for example this may include encouraging people to travel intra- and inter-regionally in UK only if absolutely necessary (as part of nationally-produced communication messages);

• if there was a particular flu hotspot in a region, local authorities may need to issue advice to the public about not travelling to and from that region.

Decisions on such actions will normally remain for local determination, based on advice and recommendations issued by Health Departments.

Particular advice to educational establishments

The pandemic virus may spread readily in schools and other education establishments (attack rates of up to 90% were reported in some boarding schools in previous pandemics). If this is confirmed as a characteristic of the virus, Health Departments will inform Education Departments to advise local education authorities and the education sector about measures to be taken to slow down spread of the virus. This advice would particularly apply to younger children, childcare settings and education establishments and may include closing down for a short period, and management of pupils/students travelling within, to and from the UK. Education Departments will assist in disseminating the advice to the various education sectors.

The decision on such closures will normally remain for local determination having regard for the possibility that such establishments may have insufficient staff and/or pupils/students to remain open and for the possible implications for increased work absence because of workers’ child-care responsibilities.

Department of Health
February 2005


Membership of the Continuity Forum enables you to gain preferential access to our events, workshops, website and development activities, saving you thousands of pounds. Membership of the Forum also enables you to access our research as well as gaining direct help and assistance in developing ‘in-house’ activities designed to boost the success of your BCM programme.

Membership of the Continuity Forum also helps ensure that your organisation is kept informed, engaged and involved in this rapidly developing sector.

The Continuity Forum has various membership categories tailored to suit your organisation's needs. For further information on these please contact Ann Sharp directly on +44 (0) 208 993 1599 or via email at membership@Continuityforum.org

more info on the Continuity Forum

The Continuity Forum welcomes members from all fields who are interested in the field of Business Continuity Planning and Management, and its related disciplines. We provide a wide range of services designed to support your organisation in building effective 'Best Practice' BCM.

Continuity Forum acts as a bridge between organisations who have interest in promoting, delivering and utilising Business Continuity and Risk Management. By our actions, Continuity Forum encourages a uniform approach to the delivery of these critical disciplines. We provide an unbiased, non-commercial input to regulators, legislators, standards bodies, auditors, academic bodies and the media.

Continuity Forum has working relationships with:

· Civil Contingencies Secretariat
· Police, Fire and Security Services
· London Resilience Team
· Local Authorities inc. the City of London
· Auditors inc the Audit Commission
· Academic Institutions
· Professional Bodies
· Trade Bodies
· Transport Organisations
· Business Organisations inc. Business Links.
· Service Providers inc. Insurers
· Media
· Standards Bodies

Membership of the Continuity Forum entitles members to:

· Access and invitations to Forum Development Groups
· Access to our Online Forum Development Groups
· Access to our research programmes and data
· Networking
· Free advice on Continuity Related issues
· A voice in the Forum - make suggestions for programmes, events, discussion topics
· White papers, articles and data of use to Continuity Professionals
· Opportunities for your own White Papers to be published

Membership of the Forum is open to:

Anyone who is involved in a professional, managerial or operational capacity (full or part time) in Business Continuity Management, and who is willing and able to contribute to the objectives of the Forum

Anyone with an interest in Business Continuity Management.

Anyone engaged in accredited academic study (full or part time) related to the field of Business Continuity or Risk Management.

To find out more about us and how we can help your organisation develop its BCM programme you can either call us on 020 8993 1599 or e-mail us directly at membership@Continuityforum.org

Insurers sharpen focus on BCM

Insurers sharpen focus on Business Continuity Planning

As forecast by the Continuity Forum, pressure is mounting on Business to ensure that Business Continuity Plans are at the heart of an organisation's planning. Much of the reason is the fear from the sector that still too few organisations are developing an effective response to the risks facing Business, particularly with regard to major Terror attacks and other events, such as the Blackout in South London last winter and the Telecoms Failure in Manchester this Spring. The industry is also concerned about the effects of the recent weather events which have disrupted businesses across the UK and caused millions of pounds of damage.

The Times has recently reported (September 6th, 2004) that leading insurers, including AXA, have already held discussions with government to look at the possibility of introducing a legal requirement for BCM or other Business Interruption arrangements as a pro-active preventative step to control the scale of losses caused through events which would be covered through the companies' normal Insurance provision.

The Times also reports that this move is part of a broader drive within government and the Insurance industry to shift more of the responsibility back from the Insurers to the organisations themselves. According to Times reporters, Elizabeth Judge and Christine Seib, there is a certain appeal (from some quarters at least) to this idea as they report government concerns over the costs arising from such events where the Treasury may end up footing the bill. In addition, these consultations highlight in the strongest terms the importance of BCM in reducing the costs of Business Disruption seen so far from the Insurance sector.

The Continuity Forum has already shown that while spending has risen across some areas of the sector there is still far too little being done generally in the UK business community, particularly outside of the closely regulated markets such as Finance.

A specific concern of the Continuity Forum is the level of planning within the SME sector, where the amount of knowledge on both the issues and resources available to develop planning are severely limited.

Experience in New York following 9/11 and generally in areas ravaged by the recent floods show these SME organisations are the most vulnerable to the effects of business disruption, suffering far more than their Multi-National cousins.

Indeed, most SMEs are failing to ensure even basic provision for disruption to their businesses and are also likely to have the lowest levels of appropriate Insurance cover or Business Continuity provision.

We feel however, that while these discussions with Government are most welcome as part of the development of the message to business, the insurance sector bears some significant responsibility for some of these issues. Many members and partners of the Continuity Forum continue to report a lack of willingness to ‘reward’ organisations who have taken steps to build their resilience by undertaking extensive planning and management programmes with more balanced policy premiums.

The latest Continuity Forum research, soon to be published, highlights that while Insurers are right to be worried, government’s concern should be even higher, as any payouts of claims actually represent far less than 50% of the actual cost following a Business Continuity Event. The resulting impact on what in fact are our most vulnerable organisations means that many never fully recover from even relatively minor, localised disruptions.

The Continuity Forum has been working hard throughout 2004 with various Public Sector and professional groups around the country to provide SME access to support and information as well as special targeted events geared to introduce BCM and its value to smaller organisations. This will continue to be a key feature of our activities.

If you have any comments on this article or on the work of the Continuity Forum or more information on our knowledgebase or our various research programmes and resources please contact Sara McKenna, John Sharp or Russell at the Continuity Forum directly on 020 8993 1599 or info@continuityforum.org

Corporate Responsibility

Writing a short piece highlighting the developments in Business Continuity is a challenge, mainly due to the breadth of the subject and the varied interests of those involved. Should the article concentrate on the IT and Infrastructure dimension? Should it concentrate on issues such as Brand and reputation, the risks in the supply chain, or on Turnbull and Corporate Governance? The scope can be huge and therefore a challenge to summarise in what has to be limited space.

You spend ages thinking about the various topics you could cover only to realise after the 3rd rewrite that the problem with the article is very similar to problems faced by companies in coming to terms with this rapidly developing business issue of Business Continuity - the scope and breadth of the subject means defining the starting point is the most important part of the entire process of both Business Continuity and writing this piece.

Some of you reading this will already be Continuity planners with considerable experience; others, the majority in all likelihood, will be just starting on the road, and with this in mind I will concentrate on the Big Picture through a brief examination of the commercial drivers behind the development of Business Continuity and what it means for companies today.

Firstly, and to dispel a developing myth, Business Continuity is not new; the principles have developed out of many fields which have proven their worth countless times over the years. Often, Continuity Planning and Management is cited as developing from Contingency Planning or Disaster Recovery; some would include other disciplines such as Crisis Communications, but the underlying principles are much simpler. It’s learning from previous experience and, importantly, applying that experience proactively throughout organisations with one aim: to make sure that the organisation is able to continue its core activities no matter what happens.

Over the years we have seen companies suffer in the public eye through the media. Some of the causes are natural: attacks from Mother Nature, which has been affecting much of Europe and the rest of the world, causing disruption on a large scale. Others are social, such as the fuel crisis; still more are technological, such as IT failures or Hacker attacks; and some are reputation based (remember Ratners and Perrier?).

The common theme that runs through these events is, for most organisations, that the disruption caused has impacted directly on their capability to conduct “business as usual” and that in many cases the organisation responds reactively to the situation generated, often adding to the impact of the initial event. This leads to higher costs and a drop in productivity, and even for relatively minor events the costs can mount alarmingly.

Business Continuity is an established practice that reduces this impact and tries to ensure that the organisation is available for business - no matter what.

For a company hit by a major disruption to cope ‘effectively’ what is the better position for the management to be in:

  • To react to situations without a plan as they arise?

or

  • To have developed and tested a range of planned measures geared to resolve the situation quickly and cost effectively with the least disruption to customers and personnel?

The answer is obvious and in today’s fiercely competitive markets the cost of getting it wrong can be huge, but I prefer to look at it this way - the advantage of getting it right can be huge.

In research we have conducted we can show that, for companies that are prepared, the difference in the impact of similar events (ranging from Floods & Fire to IT failure) can be as much as 90% - so what’s the difference? Planning!

When companies are hit by events we often hear expressions such as ‘unforeseen’ or ‘surprise’, but what does this mean? It means they hoped it wouldn’t happen to them - but it did.

The vast majority of business disruption is caused by foreseeable events and failure to appreciate this single fact is the root cause of much of the commercial losses incurred. If it can happen it will happen, maybe not today, maybe not tomorrow but it will happen.

The difference between losing £1,000,000 and a business completely unaffected can be the development of effective Continuity Planning. As proof of this, in our Continuity and Recovery research, we found that for the average large company a major event occurred every 2.3 years. For those that had tested and maintained plans the figure was closer to 9 years and while numbers alone can be misleading that’s still 2 out of three events AVOIDED completely.

WHY?

Business Continuity is closely linked to professional management and ‘best practice’ principles, organisations that adopt Business Continuity are demonstrating a commitment to their business and customers which entails hoping for the best but also preparing for the worst. Through this process companies have highlighted where the risks for business interruption lie within their operations and taken preventative measures to reduce their risk profile and also ensure that measures are maintained to ensure service can continue during any event.

"53% of companies recover less than 25% of the total losses incurred via Insurance"

It doesn’t have to cost a fortune either; the principal benefits can be gained from a Business Impact Analysis (BIA), which should highlight the Business Critical Paths to protect in your organisation. This should be firmly connected with the products, services and revenues of the company, not focussed on internal issues that may have little bearing on the financial impact of the event.

"Fewer than 13% of companies undertake a regular Business Impact analysis"

What is the point of protecting your financial records if all your customers have moved to other suppliers to fulfil orders you cannot meet? And recovering customers can be a time consuming and expensive process. Indeed, our industry figures show the sales and opportunity cost to be the highest of any, post event.

"Fewer than 19% of FTSE companies have achieved compliance with the combined code"

The impact of business disruption is an important topic at strategic levels within regulators, legislators, investors and companies. Increasingly, failure to demonstrate ‘Risk Awareness’ is a sign of poor management standards. Through the ‘Combined Code’, FTSE companies are now required to demonstrate their Risk Awareness throughout the organisation through embedded systems, which includes the supply chain, and report on this aspect of their operations in the annual accounts.

"84% of companies do not identify risk through the supply chain even though 10% of events stem from this source"

With businesses’ increasing reliance upon technology it is vital that organisations examine their operations to highlight the measures that will be effective in reducing or eliminating the potential for disruption or the risks posed, as IT disruption causes well over 60% of recovery invocations. Don’t just concentrate on the core Finance Systems; consider the effect of disruption and the revenue earning connections with all the IT and Voice Systems in the organisation. In the last few years we have seen a tremendous growth in the use and importance of E.mail and E.commerce systems and, alarmingly, these systems are most often not included in the recovery or continuity planning. Perhaps the most overlooked area is Voice Communication, with even Call Centres not having effective plans or measures in place in over 75% of sites.

Insurance

The Continuity Forum was the first to promote the direct linkage of Insurance and continuity practices. Our Continuity & Recovery 2000 report showed that few companies were able to see these connections, yet appropriate, thorough and company wide Continuity Management practices can clearly demonstrate to Insurers that risk mitigation has been carried out, enabling a lower risk profile.
