How vulnerable are public sector systems?

This synopsis by Dr David J. Smith MBA LL.B(Hons) FBCI, former Editor of the Business Continuity Management (BCM) Good Practice Guidelines 2002 and a key contributor to the British Standards Institution's BCM Publicly Available Specification (PAS 56) 2003, outlines various approaches that can help organisations prepare for business/service availability and continuity.

In particular the article addresses the following issues within the context of business/service resilience and continuity:

Ensuring more secure government systems

Emerging risks - reassessing your position

Business resilience and rebuilding infrastructure

These issues emphasise that a robust, proactive, effective and appropriate level of preparedness is essential, and that complacency is unacceptable, in the face of the challenges and threats that inevitably arise in today's national and global business and service provision environment.

Business Continuity Management (BCM) is defined by the British Standards Institution (BSI) as: "an holistic management process that identifies potential impacts that threaten an organisation and provides a framework for building resilience and the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities."

The key objectives of an effective BCM strategy should be to provide organisational resilience that specifically includes:

ensuring the safety of staff;

maximising the defence of the organisation's reputation and brand image;

minimising the impact on customers/clients;

limiting/preventing impact beyond the organisation;

demonstrating effective and efficient governance to the media, markets and stakeholders;

protecting the organisation's assets;

and meeting legal, regulatory and insurance requirements.

Whilst many commentators within the public sector describe the differences between the public and private sectors, I firmly believe the management discipline of Business Continuity Management is common to both. However, in recognising the differences in the raison d'être of the public and private sectors, it is perhaps helpful to consider BCM as Service Continuity Management in respect of the public sector.

Within this context it is recognised that both sectors produce either a service or a product for consumption by an internal or external customer or client. As no organisation can have complete control over its environment, it is probably safe to assume that all organisations will face a business continuity situation at some point.

Although this simple reality has been etched in high-profile names such as the Asian Tsunami (2004), Bhopal, Perrier, Barings Bank, Challenger, Coca-Cola (Dasani), Firestone Tyres, Ford Pinto, Exxon Valdez, Enron, WorldCom, Marsh & McLennan, Sudan 1, Bali, Oklahoma, Bird Flu, the Slapper worm, Sumitomo Bank (£220 million, hackers using key logging) and 9/11, experience also teaches that it is the less dramatic but more frequent incidents that can be even more problematic to deal with. Unfortunately, it seems that many public and private organisations still think "it will not happen to us" or "if it does, it will not be as bad as we think".

Precisely because of this faulty cultural groupthink, it is critical that organisations have an effective Business Continuity Management (BCM) and crisis management capability.

Ensuring more secure government systems

The term "system" should not be considered in the narrow context of information technology (IT) but in the broader terms of a holistic approach to the functioning of the organisation; it contains six elements that are linked to corporate governance (see figure 1). This approach is typically illustrated by Porter's value chain and ensures the provision of the minimum level of continued output of services and/or products acceptable to an organisation in achieving its business aims and objectives.

Figure 1: The six key constructs of business continuity. Source: Dr David J Smith 2001

The issue of more secure systems initially requires the identification, via a Business Impact Assessment (BIA), of business/service critical activities, their interdependencies and their external dependencies within the supply chain, including possible single points of failure. These are the prerequisite building blocks in developing and considering any strategy or solutions in respect of government systems. The prerequisite building blocks include the key issues of recovery time objectives (RTO), recovery point objectives (RPO), level of functionality, service and risk appetite (see figures 2 and 9), which lead to the inevitable questions of cost, and of the provision of evidence to establish compliance with legislation, regulation and good practice. It should be noted that the required level of business/service continuity can be influenced or dictated by legislation and/or regulation.