You are implementing a business continuity management system (BCMS) for the first time and you discover that one of the requirements is to conduct "internal audits". What do you do? Who should be the auditor? Do they need to be trained? All valid questions (along with scores of others you will doubtless ask yourself), and all of them are invariably rushed through without much thought about what the audit is meant to achieve (apart from a tick in the BCMS/certification box).
Done well, audits are an excellent way for your business to learn what is working and what needs to be improved; done badly, they soon become robotic and, worse, potentially divisive. Internal audits are a requirement of any management system standard, so if you are committed to implementing a meaningful BCMS you might as well do them properly from the outset.
In May 2012, the International Organization for Standardization (ISO) published ISO 22301 – Business continuity management systems – Requirements. Although this standard was long in the making, the response has been very positive, and with the promise of ISO 22313 – Business continuity management – Guidance – before the end of this year, it seems it was worth the wait.
ISO 22301 blends the requirements from several national standards, including those from the USA, Japan, Singapore, Canada and Australia. The similarity with BS 25999-2, however, is most evident. A comparison of the BS and ISO standards reveals little difference in the requirements, and in Clause 8 of the ISO standard, where the business continuity programme requirements reside, the text is identical in many places.
Business Continuity and Resilience: are we getting the landscape right?
Imagine trying to describe, or just outline, what a rhinoceros looks like to someone when you have only seen a small part of the whole animal yourself, perhaps just a foot or an ear.
When you haven't seen the whole thing it is rather awkward, or perhaps even impossible. It's certainly rather tricky, eh? You could end up with a donkey, a three-toed camel or indeed a host of bizarre critters. To describe a rhino properly you have to step back and get the whole picture. (We know this is usually done with elephants, but we prefer a rhino for this analogy... it's an ear thing!)
We’re using this somewhat silly example to illustrate one of the most interesting topics emerging across the Risk and Business Continuity Sectors - Organizational Resilience!
A lot of people are talking about it and the discussion underway is really interesting.
Business Continuity is defined by the International Organization for Standardization as the:
"capability of the organization to continue delivery of services or products at acceptable predefined levels following disruptive incidents"*
* Source: ISO 22300, Vocabulary
Why is Business Continuity important?
Organizations of all types and sizes, public and private, are affected all the time by "disruptive incidents". These can be extreme, such as a natural disaster, or, more likely, something mundane, such as a burst water pipe, the loss of power or other services, ICT issues and other forms of incident that disrupt the normal work of the organization. The disruption usually impairs the capability of the organization to perform its normal activities and, as a consequence, affects customers and other stakeholders, adding costs and creating the potential for losses in financial and even social terms.
No doubt your year has been busy, but spare a thought for Santa Claus Industries; it's a not-for-profit organisation that, through no fault of its own, finds itself with some unique challenges and a logistics nightmare. Here's a Christmas tale of Santa Claus Industries' continuity year.
Consider a complex manufacturing and logistics organisation, based at the North Pole, traditionally very busy around the 25th of December.
As you might imagine, planning for this event takes all year: no sooner has Santa Claus sat down on Boxing Day than he's called to deal with all sorts of unplanned events that require attention.
There has been some fairly active discussion on a few of the industry forums recently about how standards such as BS 25999 and ISO 22301 are being seen as potentially even more 'red tape' by many businesses, and by SMEs in particular.
A key comment was that many smaller organisations are under tremendous pressure at the moment, with more loaded on them by adding Business Continuity to the mix through the new ISO standard. It was summed up by the title … "It's unlikely that SMEs will welcome the new standard with open arms".
While I have great sympathy with the position taken about the plethora of regulations, legislation and other seemingly nonsensical GUMPF* that surrounds us and eats away our time, I confess, unsurprisingly, that it's very hard to agree this is at all valid when it comes to Business Continuity.
In August 2011, Gayle Hedgecock was the guest speaker at BANG! During an entertaining evening, she posed the question: "Just how many Continuity questionnaires must I fill in each year?"
In her case, it was scores of the things; others were lucky and had fewer to do, but it became clear that ALL the questionnaires were different, even though in reality they were asking the same questions. It was just that the questions were phrased slightly differently, or were in a different order. In some cases, they were asking questions that had little relevance to Continuity...
Over two days the London Cyber Conference 2011 delivered a truly international focal point to examine how our digital world is developing and share what needs to be done to keep the benefits, but remove some of the risks.
With over 700 people from 60 countries there really was a global presence and the issues discussed in the plenary and private sessions clearly communicated the breadth of the challenges being faced in cyberspace.
Frank Mahdavi of MIR3 looks at how Mass Notification has become a mainstream Business Continuity tool.
The Evolution of Mass Notification
Events that Heralded the Need - The Cold War
Electronic mass notification gained prominence in 1963 when the U.S. government implemented the Emergency Broadcast System (EBS) to quickly warn the entire population of any emergency. In that era, school children routinely participated in nuclear bomb safety drills, and many of us recall a voice declaring over the television or radio, “This is a test of the Emergency Broadcast System. For the next 60 seconds … this is only a test,” followed by a loud, one-minute tone.
That system was replaced in 1997 by the Emergency Alert System (EAS), designed to enable the President of the United States to speak to the entire country within minutes. The EAS also relies on TV and radio, but includes analog, digital, terrestrial, and satellite broadcast. EAS is effective for reaching a very large geographical area, but it isn’t flexible enough to target a specific area such as a county, city, or neighbourhood. Better solutions were needed for Emergency and Business Continuity Personnel.
Working in the business continuity field can be challenging, even frustrating, but sometimes there are moments of clarity, a time when you realise why the challenges and frustrations are worth the stress.
Over the past few months we have been working towards the launch of VSAT - the vulnerability self-assessment toolkit with NACTSO. It hasn't been too easy. The public sector is under tremendous financial pressure and money is more than just a little tight. For 18 months, the Continuity Forum and NACTSO have been working against time and budget constraints to develop a shared vision, something that can make a real difference to the safety and resilience of all our communities.
For some time now, question marks have been placed against airports and their Business Continuity and resilience capability. In the past year alone we have seen at close hand the global chaos caused by the volcanic ash cloud, while more recently we witnessed some of Europe's leading airports struggle to maintain operational readiness during periods of heavy snowfall.
If we go back a little further there are other striking examples, all of which add to the pervading view that airports cannot cope effectively when placed under duress and that their Business Continuity needs to be improved.
Does the phrase continual improvement turn you cold?
Do you feel under pressure to keep reinventing the Business Continuity Management System (BCMS) wheel?
What is continual improvement?
If you think that you have to find new ways to improve your Business Continuity system every day for the rest of your life, relax. Continual improvement is a state of mind as much as identifying tangible improvements.
Take a look at what is meant by the words continual and improvement.
Something to think about for all Business Continuity professionals ...
Murphy's law (distinct from, and often confused with Finagle's law or Sod's law) is a popular adage in Western culture, which broadly states that things will go wrong in any given situation in which error is possible. "If there's more than one way to do a job, and one of those ways will result in disaster, then somebody will do it that way."
It is most commonly formulated as "Anything that can go wrong will go wrong" and is something we have become all too familiar with in the Business Continuity Field!
Technically speaking, this latter definition is incorrect, given that it refers more accurately to the law of pessimism, Finagle's Law.
The Internet is a wonderful tool when it works, but we are increasingly at a loss when it encounters a problem. Steve Durbin, Global VP at the Information Security Forum (ISF), looks at what organisations should be doing to minimise the risks and boost their Business Continuity, as a growing proportion of commercial transactions are performed online.