archive

Communications failure causes widespread disruption

The UK is not alone in facing in facing a new age in terrorist threat, the risks around the world are greater than ever before and it is our responsibility to directly address the real dangers posed Business and residential customers across a wide area of the North West of England suffered the complete loss of both voice and data capability, in most cases for over a week, and a cascade effect was seen with data hosting and call centres located within the affected area extending the effects across Britain and other countries.

Avian Flu Pandemic Adivice continued ....

Department of Health influenza pandemic planning assumptions

Based on previous pandemics and current internationally agreed arrangements co-ordinated by the WHO, UK Health Departments have agreed the following planning assumptions (further details in Chapter 4 of main Plan):

(i) Spread from the source country to the UK will take no more than three months. Once in the UK, it is unlikely that we will be able to stop the spread of pandemic influenza. Our aims are to slow its spread, at least in the short term, in order to buy time and spread the load on health and other services, and to reduce its impact.

(ii) Most people will be susceptible to the new virus, although not all will necessarily develop clinical illness. All ages will be affected, but children and otherwise fit adults could be at relatively greater risk should elderly people have some residual immunity from exposure to a similar virus earlier in their lifetime.

(iii) Vaccine will not be available in the early stages. A pandemic vaccine cannot be stockpiled in advance: it must be produced specifically for the virus concerned so development cannot start until the virus is known. Everything will be done to produce a vaccine as quickly as possible, but it is likely to take at least 6 months.

(iv) As vaccine becomes available it will be given according to nationally agreed priorities, starting with health care and other essential workers. Beyond that, the final decisions will be based on early information about the age groups being affected most severely. When vaccine supplies become more widely available, vaccination will be offered to the general population.

(v) Antiviral drugs are available for treating influenza, but even with a national stockpile, there will not be an unlimited supply. They may be used initially to try to contain small outbreaks. Later they will be used to treat certain narrowly-defined priority groups according to agreed guidelines in order to achieve the maximum health benefits.

(vi) Planning should be based on a cumulative total of 25% of workers taking some time off – possibly 5-8 working days - over a period of 3 months. This first wave is likely to be followed by a second wave of similar duration. The interval between each wave could be several weeks or months. Absenteeism may be more than this either due to a higher rate of illness, the need to care for sick family members or fear of exposure to infection. Past pandemic experience indicates that between 10-35% of the workforce may be absent from work. The absentee rate is expected to peak for 1-2 weeks at the height of the outbreak (around weeks 8 to 9).

(vii) Total deaths in the UK normally run at around 12,000 per week. During a pandemic, without effective interventions, total deaths are likely to gradually rise to 50% higher than normal at the peak of a pandemic wave, and then gradually decline. However, there is the potential for as many deaths in 12 weeks of a pandemic as in the rest of the year (around 600,000 excess deaths across the UK).

(viii) Slowing down the spread and reducing the number that will be affected in the first wave may be achieved by implementation of :

- Hygiene including respiratory hygiene and hand washing
- Travel advisories to restrict international travel to or from affected areas
- Health screening at UK ports
- Voluntary home isolation of cases
- Voluntary quarantine of contacts of known cases
- Staff rostering to minimise the impact on staffing if all contacts of a case in a work team are asked to remain in voluntary quarantine
- Local restrictions on the movement of people, eg in a local community or town
- Restriction of public gatherings, especially international mass gatherings
- School closures (recognising the impact this will have on maintaining the workforce in other sectors)
- The use of face masks by infected people (to reduce droplet spread), by those in contact with infected people or by the general public

These measures are being kept under review as public health interventions during a pandemic, and clear guidance will be issued by Health Departments, based on the advice of the UK National Influenza Pandemic Committee or guidance from the WHO or real time modelling as the evidence evolves or as need arises.

Some of these measures may be required as a result of staff absence or the general disruption, or may occur by default because of public concern or other considerations, such as concerns about possible exposure to infection when using public transport. Voluntary co-operation with recommended measures would be sought. Mandatory quarantine and curfews are generally not considered necessary and are not currently covered by public health legislation.

General advice to local authorities, educational establishments and businesses

For the purposes of business continuity planning, local authorities, educational establishments and businesses will wish to consider the likely effects of a pandemic on their organisations outlined above and the measures that may need to be taken to manage these. For example, by:

¨ Considering the likely impact on their organisations and businesses;

¨ Considering their needs to maintain continuity of core business activities and putting appropriate plans in place taking into account high levels of staff absences;

¨ Providing information to staff and students (this will be available on the Department of Health website and in printed form);

In addition, research on the spread of infectious diseases suggests that the spread of an influenza pandemic may be slowed down by:

¨ cancellation of public events; for example this may include large-scale national or international events held in the UK (involving inter-regional/UK and international travel by participants), such as sporting fixtures, concerts, competitions, conferences, agricultural shows, exhibitions. In practice, possible lack of ambulance cover due to increased health care pressures associated with a pandemic might result in the cancellation of such events;

¨ curbing unnecessary travel; for example this may include encouraging people to travel intra- and inter-regionally in UK only if absolutely necessary (as part of nationally-produced communication messages);

¨ if there was a particular flu hotspot in a region, local authorities may need to issue advice to the public about not travelling to and from that region.

Decisions on such actions will normally remain for local determination, based on advice and recommendations issued by Health Departments.

Particular advice to educational establishments

The pandemic virus may spread readily in schools and other education establishments (attack rates of up to 90% were reported in some boarding schools in previous pandemics). If this is confirmed as a characteristic of the virus, Health Departments will inform Education Departments to advise local education authorities and the education sector about measures to be taken to slow down spread of the virus. This advice would particularly apply to younger children, childcare settings and education establishments and may include closing down for a short period, and management of pupils/students travelling within, to and from the UK. Education Departments will assist in disseminating the advice to the various education sectors.

The decision on such closures will normally remain for local determination having regard for the possibility that such establishments may have insufficient staff and/or pupils/students to remain open and for the possible implications for increased work absence because of workers’ child-care responsibilities.

Department of Health
February 2005

A rapidly shifting landscape of risk

Companies today face a rapidly shifting landscape when it comes to risk. The threat of a terrorist attack on an important location, ever more burdensome regulation and the trend towards moving operations to lower cost areas of the world are all shaping the risks that companies face.

Synstar to opens new Thames Valley business recovery centre

Hewlett-Packard, through Synstar, its UK-based business continuity company, is launching a new recovery centre on 25th May, 2005. This new business continuity centre is situated in Reading to serve the Thames Valley area.

The facility will offer in excess of 100 seats and boasts office, IT, telephone and communications facilities, as well as a data centre of over 10,000 sq ft.

Australian Prudential Regulation Authority publishes business continuity regulations

The Australian Prudential Regulation Authority (APRA) yesterday issued prudential standards on business continuity management for authorised deposit-taking institutions (ADIs) and general insurers.

The new prudential standards aim to ensure that ADIs and general insurers implement a ‘whole of business’ approach to business continuity management, appropriate to the nature and scale of their individual operations.

London Resilience publishes Strategic Emergency Plan for London

The Strategic Emergency Plan is a comprehensive overview of London's co-ordinated response to a catastrophic incident.

It comprises synopses of the key plans on which London's resilience is based - for example the Command and Control Protocol, the Communication Protocol, the Mass Fatalities plan, the large-scale evacuation framework and the Site Clearance plan.

India's offshore IT and call centre industry targeted by terror group

Wed, 2005-03-05

Indian police have uncovered plans by a Pakistan-based group to attack companies working in the offshore IT and call centre industry.

Members of the Lashkar-e-Taiba terror group engaged Police in New Delhi in an hour long shoot out resulting in the capture of two and the deaths of three members. Police later raided their base and found information revealing they had visited Bangalore in December to survey software companies as potential targets as well as AK56 rifles, ammunition and over 10kg of the explosive RDX.

BCM 2005 Survey - UK organisations are ‘sitting ducks’

Reseach finds that UK organisations are ‘sitting ducks’ as they fail to plan for major disruptions

07 March 2005

UK organisations admit they are failing to protect key assets and the ability to function in the face of major disruptions, according to research published today by the Chartered Management Institute. The 2005 Business Continuity Management Survey uncovered alarming inactivity, with organisations ignoring threats to their business, neglecting the needs of their managers, and not communicating plans with employees.

MEMBERS AREA

ACCESS DENIED

Sorry … access to this area is reserved for Full Members of the Continuity Forum.

Membership of the Continuity Forum enables you to gain preferential access to our events, workshop, website and development activities saving you thousands of pounds. Membership of the Forum also enables you to access our research as well as gaining direct help and assistance in developing ‘in-house’ activities designed to boost the success of your BCM programme.

Membership of the Continuity Forum also helps ensure that your organisation is kept informed, engaged and involved in this rapidly developing sector.

The Continuity Forum has various membership categories tailored to suit your organisations needs and for further information on these please contact Ann Sharp directly on +44 (0) 208 993 1599 or via email at membership@Continuityforum.org

more info on the Continuity Forum

The Continuity Forum welcomes members from all fields who are are interested in, the field of Business Continuity Planning and Management, and its related disciplines. We provide a wide range of services designed to support your organisation in building effective 'Best Practice' BCM.

Continuity Forum acts as a bridge between organisations who have interest in promoting, delivering and utilising Business Continuity and Risk Management. By our actions, Continuity Forum encourages a uniform approach to the delivery of these critical disciplines. We provide an unbiased, non-commercial input to regulators, legislators, standards bodies, auditors, academic bodies and the media.

Continuity Forum has working relationships with:

· Civil Contingencies Secretariat
· Police, Fire and Security Services
· London Resilience Team
· Local Authorities inc. the City of London
· Auditors inc the Audit Commission
· Academic Institutions
· Professional Bodies
· Trade Bodies
· Transport Organisations
· Business Organisations inc. Business Links.
· Service Providers inc. Insurers
· Media
· Standards Bodies

Membership of the Continuity Forum entitles members to:

· Access and invitations to Forum Development Groups
· Access to our Online Forum Development Groups
· Access to our research programmes and data
· Networking
· Free advice on Continuity Related issues
· A voice in the Forum - make suggestions for programmes, events,
· Discussion topics
· White papers, articles and data of use to Continuity Professionals
· Opportunities for your own White Papers to be published

Membership of the Forum is open to:

Anyone who is involved in a professional, managerial or operational capacity (full or part time) in Business Continuity Management, and who is willing and able to contribute to the objectives of the Forum

Anyone with an interest in Business Continuity Management.

Anyone engaged accredited academic study (full or part time) related to the field of Business Continuity or Risk Management.

To find out about more about us and how we can help your organisation develop its BCM programme you can either call us on 020 8993 1599 or e-mail us directly at membership@Continuityforum.org

Insurers sharpen focus on BCM

Insurers sharpen focus on Business Continuity Planning

As forecast by the Continuity Forum, pressure is mounting on Business to ensure that Business Continuity Plans are at the heart of an organisations planning. Much of the reason is the fear from the sector that still too few organisations are developing an effective response to the risks facing Business, particularly with regard to major Terror attacks and other events, such as the Blackout in South London last winter and the Telecoms Failure in Manchester this Spring. The industry is also concerned about the effects of the recent weather events which have disrupted businesses across the UK and caused millions of pounds of damage.

The Times has recently reported (September 6th, 2004) that leading insurers, including AXA, have already held discussions with government to look at the possibility of introducing a legal requirement for BCM or other Business Interruption arrangements as a pro-active preventative step to control the scale of losses caused through events which would be covered through the companies normal Insurance provision.

The Times also reports that this move is part of a broader drive within government and the Insurance industry to shift more of the responsibility back from the Insurers to the organisations themselves. According to Times reporters, Elizabeth Judge and Christine Seib, there is a certain appeal (from some quarters at least) to this idea as they report government concerns over the costs arising from such events where the Treasury may end up footing the bill. In addition, these consultations highlight in the strongest terms the importance of BCM in reducing the costs of Business Disruption seen so far from the Insurance sector.

The Continuity Forum has already shown that while spending has risen across some areas of the sector there is still far too little being done generally in the UK business community, particularly outside of the closely regulated markets such as Finance.

A specific concern of the Continuity Forum is the level of planning within the SME sector, where the amount of knowledge on both the issues and resources available to develop planning are severely limited.

Experience in New York following 9/11 and generally in areas ravaged by the recent floods show these SME organisations are the most vulnerable to the effects of business disruption, suffering far more than their Multi-National cousins.

Indeed, most SME’s are failing to ensure even basic provision for disruption to their businesses and are also likely to have the lowest levels of appropriate Insurance cover or Business Continuity provision.

We feel however, that while these discussions with Government are most welcome as part of the development of the message to business, the insurance sector bears some significant responsibility for some of these issues. Many members and partners of the Continuity Forum continue to report a lack of willingness to ‘reward’ organisations who have taken steps to build their resilience by undertaking extensive planning and management programmes with more balanced policy premiums.

The latest Continuity Forum research soon to be published highlights that while Insurers are right to be worried, governments concern should be even higher as any payouts of claims actually represent far less than 50% of the actual cost following a Business Continuity Event. The resulting impact on what in fact are our most vulnerable organisations means that many never fully recover from even relatively minor, localised disruptions.

The Continuity Forum has been working hard throughout 2004 with various Public Sector and professional groups around the country to provide SME access to support and information as well as special targeted events geared to introduce BCM and its value to smaller organisations. This will continue to be a key feature of our activities.

If you have any comments on this article or on the work of the Continuity Forum or more information on our knowledgebase or our various research programmes and resources please contact Sara McKenna, John Sharp or Russell at the Continuity Forum directly on 020 8993 1599 or info@continuityforum.org

Corporate Responsibility

Writing a short piece highlighting the developments in Business Continuity is a challenge mainly due to the breath of the subject and the varied interests of those involved. Should the article concentrate on the IT and Infrastructure dimension, should it concentrate on issues such as Brand and reputation, the risks in the supply chain or on Turnbull and Corporate Governance. The scope can be huge and therefore a challenge to summarise in what has to be limited space.

You spend ages thinking about the various topics you could cover only to realise after the 3rd rewrite that the problem with the article is very similar to problems faced by companies in coming to terms with this rapidly developing business issue of Business Continuity - the scope and breadth of the subject means defining the starting point is the most important part of the entire process of both Business Continuity and writing this piece.

For some of you reading this you will already be Continuity planners with considerable experience, others, the majority in all likelihood, will be just starting on the road and with this in mind will concentrate on the Big Picture through a brief examination of the commercial drivers behind the development of Business Continuity and what it means for companies today.

Firstly, and to dispel a developing myth Business Continuity is not new, the principles have developed out of many fields which have proven their worth over the years countless times. Often. Continuity Planning and Management is cited as developing from Contingency Planning or Disaster Recovery; some would include other disciplines such as Crisis Communications, but the underlying principles are much simpler. It’s learning from previous experience and, importantly, applying that experience proactively throughout organisations with one aim; to make sure that the organisation is able to continue its core activities no matter what happens.

Over the years we have seen companies suffer in the public eye through the media, some of the causes are natural, attacks from Mother Nature which ahs been affecting much of Europe the Rest of the World causing disruption on a large scale. Others are social, such as the fuel crisis and still more are technological, IT failures or Hacker attacks and some are reputation based (remember Ratners and Perrier?).

The common theme that runs through these events is, for most organisations, that the disruption caused has impacted directly on their capability to conduct “business as usual” and that in many cases the organisation responds reactively to the situation generated often adding to the impact of the initial event. This leads to higher costs and a drop in productivity and even for relatively minor events the costs can mount alarmingly.

Business Continuity is an established practice that reduces this impact and tries to ensure that the organisation is available for business - no matter what.

For a company hit by a major disruption to cope ‘effectively’ what is the better position for the management to be in:

  • To react to situations without a plan as they arise?

or

  • To have developed and tested a range of planned measures geared to resolve the situation quickly and cost effectively with the least disruption to customers and personnel?

The answer is obvious and in today’s fiercely competitive markets the cost of getting it wrong can be huge, but I prefer to look at this way - the advantage of getting it right can be huge.

In research we have conducted we can show that for companies prepared the effects of similar events (ranging from Floods & Fire to IT failure) the difference in impact can be as much as 90% - so what’s the difference? Planning!

When companies are hit by events we often hear expressions such as ‘unforeseen’ or ‘surprise’, but what does this mean? It means they hoped it wouldn’t happen to them - but it did.

The vast majority of business disruption is caused by foreseeable events and failure to appreciate this single fact is the root cause of much of the commercial losses incurred. If it can happen it will happen, maybe not today, maybe not tomorrow but it will happen.

The difference between losing £1,000,000 and a business completely unaffected can be the development of effective Continuity Planning. As proof of this, in our Continuity and Recovery research, we found that for the average large company a major event occurred every 2.3 years. For those that had tested and maintained plans the figure was closer to 9 years and while numbers alone can be misleading that’s still 2 out of three events AVOIDED completely.

WHY?

Business Continuity is closely linked to professional management and ‘best practice’ principles, organisations that adopt Business Continuity are demonstrating a commitment to their business and customers which entails hoping for the best but also preparing for the worst. Through this process companies have highlighted where the risks for business interruption lie within their operations and taken preventative measures to reduce their risk profile and also ensure that measures are maintained to ensure service can continue during any event.

"53% of companies recover less than 25% of the total losses incurred via Insurance"

It doesn’t have to cost a fortune either the principle benefits can be gained from a Business Impact Analysis (BIA), which should highlight the Business Critical Paths to protect in your organisation. This should be firmly connected with the products, services and revenues of the company not focussed on internal issues that may have little bearing on the financial impact of the event.

"Fewer than 13% of companies undertake a regular Business Impact analysis"

What is the point of having protecting your financial records if all your customers have moved to other suppliers to fulfil orders you cannot meet? And recovering customers can be a time consuming and expensive process. Indeed our industry figures show the sales and opportunity cost to be the highest of any, post event.

"Fewer than 19% of FTSE companies have achieved compliance with the combined code"

The impact of business disruption is an important topic at strategic levels within regulators, legislators, investors and companies. Increasingly, failure to demonstrate ‘Risk Awareness’ is a sign of poor management standards. Through the ‘Combined Code’, FTSE companies are now required to demonstrate their Risk Awareness throughout the organisation though imbedded systems, which includes the supply chain, and report on this aspect of their operations in the annual accounts.

"84% of companies don ot identify risk through the supply chain even though 10% of events stem from this source"

With businesses increasing reliance upon technology it is vital that organisations examine their operations to highlight the measures will be effective in reducing or eliminating the potential for disruption or the risks posed as IT disruption causes well over 60% of recovery invocations. Don’t just concentrate on the core Finance Systems, consider the effect of disruption and the revenue earning connections with all the IT and Voice Systems in the organisation. In the last few years we have seen a tremendous growth in the use and importance of E.mail and E.commerce systems and alarmingly these systems are most often not included in the recovery or continuity planning. Perhaps the most overlooked area is Voice Communication with even Call Centres not having effective plans or measures in place in over 75% of sites.

Insurance

The Continuity Forum was the first to promote the direct linkage of Insurance and continuity practices. Our Continuity & Recovery 2000 report showed that few companies were able to see these connections, yet appropriate, thorough and company wide Continuity Management practices can clearly demonstrate to Insurers that risk mitigation has been carried out, enabling a lower risk profile.

Biggest security headache just won't go away...

According to a recent poll, employees represent the biggest single threat to any company. And while temps have often come in for stick because of the threat more nomadic staff can pose, especially the sales team, with their eye on business critical data, that really needs to be watched - if only for their own sake. With a combined 33.3% Employee caused issues were the biggest threat feared and this was broken down into Employee error (17.2%)and Malicious Employee behaviour (13.1%) - meaning almost a third of respondents fear the activity, whether intentional or not, of their staff.

Spyware was next up, cited by 27.8 per cent of respondents, with viruses being cited by 20.5 per cent, followed by phishing (11.3 per cent) and hacking (10.5 per cent). Separate research from Unisys reveals that 51 per cent of security managers believe negligent or malicious employees are a significant threat to their business.

Mark Thomas, head of security at Logicalis, said: "One of the biggest problems is that everybody comes into a company on day one, signs the email and internet usage policy and that's the last they think about it."

Many companies have made a rod for their own backs by turning a blind eye to many behaviours which are technically in breach of the rules, he added. And he believes the problem is out of control, with a raft of consumer gadgets and portable storage devices travelling in and out of organisations each day and staff making free with email, IM and their internet access and storing illegal copyrighted files on the network. "If you walked out of your office four years ago with a 40Gb hard drive under your arm you would be arrested but that's exactly what people are doing every day." The problem, especially where companies losing track of their data is concerned, isn't helped by the form factor of increasingly scaled down storage devices. "The mediums are almost impossible to control and they will continue to grow in numbers. So companies have to secure their data."

The far and wide distribution of data outside the organisation also creates problems, said Gary Clark, VP EMEA at encryption specialist SafeNet. The more well-travelled data becomes, on phones, laptops, handhelds, over networks, site to site and on portable storage devices, the greater the chance it will be lost or stolen along the way. But before implementing any measures which will change and limit the way employees can interact with data within the organisation, companies need to make sure staff know why they are doing it, said Logicalis' Thomas. "They need to say, we're not doing this because we're being Big Brother. They need to convey the message as to why security is important and they need to get people to buy in to this."

Thomas added that companies could do worse than start with their sales team. Often the sales team will include the biggest gadget fans who act as their own administrator, he said. They are also frequently the ones with most direct access to business critical data which can be compromised either accidentally or maliciously. "It's the sales guys you need to watch, you need to know if they're emailing all your sales lists to their Hotmail accounts."

END


If you have any comments on this article or would like to find out more about the work of the Continuity Forum please contact Sara McKenna or Russell at the Continuity Forum directly on <b>020 8993 1599</b> or <a href="mailto:info@continuityforum.org">info@continuityforum.org</a>

 

 

MFI hit by IT Failure to the tune of £46m

In a new trading update MFI has now revealed the full scale of the problems estimating that an increased level of refunds has reduced customer orders by £30m since the introduction of the new supply chain systems in March. MFI has also taken a hit with a one-off cost of £16m on additional deliveries and call centre and technical costs resulting from the systems issues. An additional incremental investment of £8m per year will also now be pumped into additional supply chain resources, including staff.

Syndicate content

Business Continuity Forum creating Resilince and security

Creating Continuity... Building Resilience...