Agony Aunt Eugina Pierre responds to YOUR continuity questions during BCAW 2020…
Thank you for posing your questions to our Agony Aunt to share during Business Continuity Awareness Week. Here are those that have been happy to share their questions and the Agony Aunt’s responses for the benefit of anyone with similar questions or situations:
Question:
I have been struggling over the past year with IT changes impacting my BC Programme. There seems to be no real link between the BC programme and IT. What is the best way to overcome this?
Answer:
I think the Business Continuity Manager has three tools to employ to address this common problem: the Business Impact Analysis, Change Management and Risk Management.
An effective BIA will allow you to identify the business need placed upon an IT system or asset (in terms of resilience and recoverability), and allow you to compare requirement against capability, therefore highlighting gaps to your IT team. But this is only looking at the current situation of course, so I would suggest that the next tool is effective Change Management.
The Business Continuity Manager needs to have a close relationship with the IT Change Board, ideally being part of the sign off process of any change – how can you assure the resilience of the organisation if you don’t know about changes? Attend the change board, have a relationship with the people running the process, use your expertise to help shape an acceptable outcome. Ideally, you should also be involved at the point that new services are designed to make sure that resilience and recovery strategies are factored in at the outset rather than as an afterthought.
Lastly, ensure that any gap or issue identified is recorded on your risk register. This will then allow those in the business empowered to make decisions to consider all the facts and decide to act, or not as the case may be, based upon their appetite. At that point at least you have made the issue visible and people can make an informed choice. You can then accommodate the final position into your planning.
Question:
Work from Home (that perhaps became the only solution for almost all organisations during this Covid-19 Pandemic) is “Intrusion of the Corporate in the Home” – do you agree?
Answer:
Also, for me, the biggest issue with work from home as a strategy is the increased security risk. The organisation will go from one single controllable point of risk (the network) to a significant number of uncontrollable risk points (employees’ home internet connections and potentially their home devices). As a result, employees may feel if they are processing work-related information on their personal devices which they do not normally do, there is a greater risk of them being a target for cyber-attack within their home which may compromise their other personal devices used in the home. To conclude, the more security and physical controls an organisation puts in place for their employees, the less likely the employees will perceive this as an “Intrusion of the Corporate in the home” and the better for the organisation’s own security.
Question:
Covid-19 will likely have exposed many weaknesses in many organisations’ preparedness to deal with such an event, and may have clearly highlighted the extent, or lack of, preparedness in place. How do you think those responsible for increasing organisational resilience (for increasing responder competence and capability e.g. in the disciplines of emergency response, crisis management, continuity and recovery), should prepare for criticism of their programmes and programme outcomes?
Answer:
In addition to this, the BC Manager should look to ascertain external information e.g. by networking with other BC industry experts or attending industry specific conferences to identify common gaps and impacts experienced by similar companies or the wider industry as a result of COVID-19. This will be helpful for the BC Manager to determine whether most of the organisation’s gaps which constitute the “weaknesses” are internally or externally driven and most importantly, help to identify the themes of what went wrong. This could help the BC manager to make better informed decisions on solutions and thus budget and resources in order to improve the programme. It will also mean that the BC manager may be able to discover best practice and implement widely used controls to the programme adopted by other organisations (this will still need to be fit for purpose for your organisation). In summary, COVID-19 has highlighted that prior to the crisis many organisations did not invest in planning for a country-wide lockdown, for mass-concurrent homeworking or for compensating for mass staff absence – very few indeed considered the scenario of ‘a total loss of customer for more than a month or the collapse of the entire customer base’. The scope of preparedness programmes is defined by organisational risk appetite, so any expression of dissatisfaction with the current level of preparedness should be taken as simply an indicator of a potential change in risk appetite which warrants further investigation and treatment and a valuable opportunity to seek investment to improve the programme.
Question:
What is your opinion on Adaptive Business Continuity – should we all be scrapping the BIAs?
Answer:
Question:
What is the difference between a BC Plan and a Crisis Plan and can they be the same document? We are a fairly small business with no BC manager and it seems overkill to have different documents.
Answer:
In response to your latter question, yes, you can combine both plans and for smaller organisations it is often more practical to do so. When bringing the processes and information together, my tips would be:
- Consolidate data and think about the layout to avoid repetition and creating a document that is too unwieldy to use.
- Create sub-groups or teams within the plan to allow for a scaled response to varying crises with clear direction on how to escalate further if necessary.
- Keep the data you hold within the plan at the right level for the purpose it is intended, summarising key data gathered in your BIA and leaving the low-level detail within the individual BIAs for reference; any supporting information that you do wish to have to hand, include as appendices.
- Conduct a Plan Walkthrough with all those concerned with the new Combined BC & Crisis Plan so they become familiar with the new plan, the logistics of how the team(s) will work together (and separately at times) and most importantly their roles and responsibilities.
- Last but not least, utilise the Crisis Exercise to test whether the Plan itself is feasible as a combined document.
Question:
Our business has a “legacy” IT system which is actually still core to the business to some extent. Backups are taken and there is a DR plan, but it hasn’t had a full test for years. It should be decommissioned in a year and replaced with a newer IT system. The easiest course of action seems to be to do nothing and wait for the new system, what do you think?
Answer:
- What would the impact be if the legacy IT service had a major outage (which needs IT disaster recovery) before the migration to the new service?
- What level of continued exposure to risk would there be if migration to the new IT service were delayed?
There are a number of factors that could influence the decision to test or not test the ITDR capability of this system. My advice would be that as a minimum you seek to facilitate a technical workshop with the IT team. The aim would be to understand how to recover the legacy system and if the technical arrangements and equipment are in place. Prompt the team by asking questions around: the impact of a service outage, the level of confidence they have that the service could be recovered, how out of date the data would be if recovered from backups. The impact and business appetite for the risk should drive the decision around your situation, not necessarily the timescales that the risk will exist for.
Question:
In light of the COVID-19 pandemic we are living through this year and possibly beyond, what are the learning points businesses can take to improve their pandemic preparedness in future?
Answer:
Our people are our most important asset. A happy, healthy and productive workforce is paramount to the resilience of the organisation, especially in times of crisis. What we have found in the current pandemic is that most of our staff are extremely resilient, but not all have adapted to the change in working practices, and in some cases the isolation of working from home has resulted in unforeseen issues relating to mental and physical wellbeing, creating stresses for those who are vulnerable or carers for example. Going forward we should be factoring in who can, and most importantly cannot adapt to these changes. By factoring this in, an organisation can plan more effectively before a pandemic, and help staff adapt, providing support, tools, and activities for their people during the pandemic. When the dust settles, having more in-depth knowledge of your people will allow you to effectively plan for a phased recovery, taking into consideration the various needs of your staff and how best to bring them back into a more regular working pattern. Questionnaires are a good tool I have seen employed to regularly ‘take the temperature’ of the workforce, allowing for greater insight and assisting your planning.
In the current pandemic, we have all taken a massive leap in terms of our ability to work more flexibly away from an office environment, our IT teams seemingly performing miracles to get us all online – but not everything has worked. We now fully understand what can, and again almost as importantly, cannot be carried out from home and we must learn from that. The technology to work from anywhere has been around for decades, so why weren’t we all doing it all already? There are reasons why some roles cannot and should not be carried out away from a controlled environment (access to restricted systems and data, security, privacy, compliance, lost productivity, heavy interaction with other teams etc.). We have accepted certain compromises because we have found ourselves in an extreme situation but going forward, we have no excuses to accept these compromises because we now know about them. Our planning now needs to reflect that – put in place the processes and tech fixes now that protect us, but also have alternative mechanisms in place to support roles that need more oversight and control, such as planning to adapt your offices into socially distanced or separated working environments.
One final useful tool – Horizon Scanning. Looking further in advance to understand what challenges are ahead and preparing for them is always preferable to reaction. Many organisations were caught napping when Covid-19 hit and were complacent.
Question:
Following the Covid-19 outbreak, I’ve now got near to 100% of my staff capable of working from home with laptops and softphones. Is this a sustainable strategy going forward and does it introduce any other risks I need to think about?
Answer:
The key risks which stand out to me are: having one strategy in place increases the risk of a single point of failure, and although you may be able to put a last-minute strategy in place it will not be tested in advance to ensure it works. Though it’s not advisable to have several strategies in place for every eventuality, I suggest there is a balance and therefore at least one other alternative strategy, i.e. transfer staff to another site to help spread the risk. Secondly, a single strategy may not meet the needs of all staff from a welfare perspective. It may not be feasible for the critical product or service, whereby there is a regulatory need, e.g. for onsite documentation storage in the fireproof cabinet, onsite printing collection of deeds, telephony recording etc. With increased work from home comes increased cyber risks. So IT will need to ensure increased education and awareness to staff in relation to cybersecurity scams and enhance information security and compliance to eradicate any work from home “short cuts” implemented by IT or staff.
To conclude, companies should look to have a considered, adaptable and prepared approach by having alternative and tested strategies in place to deal with the forever changing environment, which may present new risks and challenges.