Written by Richard Forrest, Company Secretary, SSP Business Continuity Sponsor – a customer’s perspective on Daisy services…
The Background
SSP is a leading global supplier of technology systems and services to the insurance industry. With more than 35 years of industry experience, and with a highly-motivated, experienced and talented workforce comprising more than 700 employees, we help shape the industry by enabling insurers, brokers and financial advisers to serve their clients more efficiently.
The Challenge
Over recent years, SSP’s operating model has significantly increased in complexity and the associated risk and impact profiles has also changed dramatically. Our business continuity management system needed an overhaul if it was to keep pace with our risk appetite, and the demands of our stakeholders. We decided to upgrade our business continuity management system to support the evolving requirements of our investors, our strategic objectives, our risk landscape and our customer base.
As an existing customer of Daisy’s business continuity and maintenance services, we approached our Daisy account manager to discuss the ways in which Daisy’s Business Continuity offerings could help us operate a robust, intelligent management system that would give us increased continuity competence and resilience across a growing organisation. We needed to increase our ability to respond successfully to disruptive incidents, as well as assuring ourselves and our stakeholders that we understood our operating model within our threat landscape. We also needed to know if we had sufficient controls in place to continue our business, to protect our customers’ businesses and to minimise the likelihood and impact of disruptions. And for competitive advantage we required demonstrable certification of management to international standards (ISO 22301).
Daisy met with us at our offices in Solihull and listened to the challenges we faced in relation to business resiliency. Over a period of time we had tried to put in place a business continuity system, however, without the luxury of dedicated resources this was problematic with key staff always being re-focussed onto more immediate priorities. Lack of consistent resource availability and experience in business continuity planning meant that results were inconsistent across the business and keeping things properly up to date was a real headache. Daisy consultants, using their Business Continuity as a Service (BCaaS) model, put together an initial scope of works which broke down the necessary activities so that with input from SSP, a programme of works could be developed. This was further refined to balance requirements with budget and to create a fixed scope of service with a fixed price.
The Solution
We chose Daisy’s BCaaS solution which included design and implementation of an economical business continuity management system tailored to our strategic objectives and risk appetite. Owned and steered by us, the management system would be administered and improved by Daisy’s industry-leading consultancy team. This service also utilises Daisy’s business continuity software “Shadow-Planner” in two main ways. Firstly the mobile app would put key responder guidance available on our mobile phones and within reach at time of need, and secondly the Shadow-Planner management tool would be used to gather and analyse risk and continuity data, and to track and monitor the business continuity management system (BCMS) and its outputs against our strategic risks and objectives.
The Result
Most recently, the BCMS proved its worth in early 2020 in response to the COVID-19 pandemic, when we used our well-rehearsed command, control and communications framework and our BC intelligence to implement staff relocation and work transfer strategies to keep our business going despite denial of access to buildings and absences of staff caused by lockdowns in all of the territories in which we operate. We’re quite proud that we achieved it within 72 hours of the point of invocation. Earlier continuity risk analysis generated by the Daisy-administered BCMS had already allowed us to boost our command, control and communications capabilities and showed where we needed a range of mitigations for our risk scenarios of concern. Subsequently we used our BCMS and risk management system to put those mitigations in place, so when COVID-19 hit we were already ready to deploy a number of the necessary strategies.
Thanks to the structures, strategies and plans developed jointly over the last few years by SSP and Daisy and specifically our BCMS, we have successfully expedited responses to a number of other disruptions. Training and rehearsals have prepared our teams to more confidently take command and control of incident responses and to make faster and better-informed decisions so the outcomes of our real or rehearsed incident responses are improving. Daisy’s Shadow-Planner mobile app has helped responders to access the guidance and contact details they need in the immediate term, and we’re now looking to extend its use by making technical recovery guidance and contacts available via the app too.
But it is the repeating lifecycle of BCMS activities that keeps awareness of threats and vulnerabilities on the management agenda and works to embed key management principles into SSP’s DNA. We saw immediate value during the first lifecycle as Daisy worked with us to standardise the approach to continuity risk management across our changing organisation. Standardisation allowed us a more consistent analysis of continuity risks and impacts and to access, leverage and spread responder and continuity expertise across the whole organisation. Daisy’s Shadow-Planner administration software does most of the administration for programme scheduling, document control and number crunching so our BC budget and people are released to focus on preparedness. As a result, we have increased our control of continuity risks and improved our conversations about it. These conversations have matured over time and now form part of wider conversations about, for example, emergency preparedness, command, control and communications, crisis management, disaster recovery and risk management. Daisy’s promotion of group-wide understanding of these wider disciplines has improved our adoption of key principles of organisational resilience into our daily thinking, and we believe Daisy’s management systems approach has provided us with demonstrable improvement of our system, competence and capability to meet international standards (ISO 22301).