Our agony uncle responds to YOUR continuity questions during BCAW 2019.
Thank you for posing your questions to our Agony Uncle during Business Continuity Awareness Week. Here are the questions from those who were happy to share them, together with the Agony Uncle's responses, for the benefit of anyone with similar questions or situations:
Samantha asks:
I have recently taken on responsibility for Business Continuity within a retail organisation that has a significant dependence on a large and varied supplier base, providing a variety of services and products into our business. Whilst due diligence has been conducted on the suppliers, the question about their preparedness has never been broached. Working in the retail sector, our lack of information is concerning me. How would you suggest I approach gaining confidence in my supplier base?
Dear Samantha:
Not knowing the resilience level that is present within your supplier base is a common discomfort for BC managers, and given the level of dependence you describe for your organisation I understand why you are concerned.
To understand the level of exposure your organisation has, I would start by categorising the suppliers you have into groups: either those with similar traits or as upstream and downstream suppliers. If you have completed a business impact analysis (BIA) recently you can then begin to layer information over these lists to prioritise them based upon the dependencies described by the business in your BIA. The next step would be to liaise with your procurement team, supplier/vendor management teams etc. to get their input on the contractual obligations of the suppliers and any issues experienced in the previous 12 months. This will help you to further refine the lists and establish which suppliers are key to your business.
Once you have a priority list of suppliers you should decide what information you are concerned with for each. The higher the priority, the more attention you should spend on their preparedness and resilience. For the key suppliers (large suppliers, suppliers of critical services or unique suppliers) you should try to meet with them to discuss and review (where contractually feasible) their preparations. This gives you more flexibility to focus on the details that most affect your business, and tends to be more productive than asking to review their BC plans, which may not answer the questions you have about the specific services or products you receive.
Questionnaires are also useful, particularly when you have a large supplier set to manage. My advice would be to make sure there is a quantifiable way of reviewing the responses (for example, weighted scores against a minimum threshold that depends on the supplier's priority) so you can assess them more easily. Whilst qualitative data will yield more background, if you have hundreds or thousands of responses to process you may not be able to review and use that data effectively.
To summarise, understand your supplier types, use business insight to prioritise them and then gather information about their preparedness in a manner that befits the level of importance each supplier has to your business.
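As an added example (not part of the original column), the following script shows one way to make questionnaire responses quantifiable in the way described above: each answer is mapped to a 0-1 score, weighted, and compared with a minimum threshold that depends on the supplier's priority tier taken from the BIA. The supplier names, questions, weights, tier thresholds and answers are all constructed for illustration and are not from any real assessment.

```python
"""Score supplier BC questionnaire responses in a quantifiable, tiered way.

Added example, not from the original column. Suppliers, questions, weights,
tier thresholds and answers are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Supplier:
    name: str
    tier: int                  # 1 = key supplier per the BIA, 3 = commodity (assumed scale)
    required_rto_hours: float  # how quickly the business needs the service back (from the BIA)
    answers: dict = field(default_factory=dict)


# Questionnaire: question id -> weight. Heavier weights for what hurts us most.
QUESTIONS = {
    "bc_plan": 3,             # documented BC plan exists (yes/no)
    "last_test_months": 3,    # months since the plan was last exercised
    "declared_rto_hours": 4,  # supplier's own recovery time for the service we buy
    "alt_site": 2,            # alternative site / second source available (yes/no)
    "cyber_ir_plan": 3,       # cyber incident response plan exists (yes/no)
}

# Minimum acceptable score (0-100) per tier; assumed thresholds, tune to appetite.
TIER_MIN_SCORE = {1: 80, 2: 60, 3: 40}


def score_answer(qid, answer, supplier):
    """Map one answer to 0.0-1.0. Missing answers score 0 and surface as gaps."""
    if answer is None:
        return 0.0
    if qid == "declared_rto_hours":
        # Full marks if they recover at least as fast as we need; scale down otherwise.
        if answer <= supplier.required_rto_hours:
            return 1.0
        return supplier.required_rto_hours / answer
    if qid == "last_test_months":
        return 1.0 if answer <= 12 else 0.5 if answer <= 24 else 0.0
    return 1.0 if answer is True else 0.0


def score_supplier(supplier):
    """Weighted score 0-100 across all questions."""
    total = sum(QUESTIONS.values())
    earned = sum(
        weight * score_answer(qid, supplier.answers.get(qid), supplier)
        for qid, weight in QUESTIONS.items()
    )
    return round(100.0 * earned / total, 1)


def gaps(supplier):
    """Question ids that did not score full marks: the follow-up agenda."""
    return [
        qid for qid in QUESTIONS
        if score_answer(qid, supplier.answers.get(qid), supplier) < 1.0
    ]


@dataclass
class Assessment:
    name: str
    tier: int
    score: float
    status: str   # "acceptable" or "follow-up"
    gaps: list


def assess(suppliers):
    """Assess every supplier; key suppliers first, weakest within each tier first."""
    results = []
    for s in suppliers:
        score = score_supplier(s)
        status = "acceptable" if score >= TIER_MIN_SCORE[s.tier] else "follow-up"
        results.append(Assessment(s.name, s.tier, score, status, gaps(s)))
    return sorted(results, key=lambda a: (a.tier, a.score))


# Constructed responses; the third supplier left most of the questionnaire blank.
SAMPLE_SUPPLIERS = [
    Supplier("Acme Logistics", 1, 4, {"bc_plan": True, "last_test_months": 6,
                                      "declared_rto_hours": 8, "alt_site": True,
                                      "cyber_ir_plan": False}),
    Supplier("Packaging Co", 2, 48, {"bc_plan": True, "last_test_months": 10,
                                     "declared_rto_hours": 24, "alt_site": False,
                                     "cyber_ir_plan": True}),
    Supplier("Stationery Ltd", 3, 168, {"bc_plan": False}),
]

if __name__ == "__main__":
    for a in assess(SAMPLE_SUPPLIERS):
        print(f"T{a.tier} {a.name:15} {a.score:5.1f} {a.status:10} gaps={a.gaps}")
```

Note that a blank answer scores zero rather than being skipped, so a supplier who ignores half the questionnaire sinks to the top of the follow-up list instead of quietly passing; the tier threshold is what makes the same 67% score acceptable for a commodity supplier but not for a key one.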
Tony asks:
I look after IT and business continuity for a growing Accountancy firm. I’ve heard that as well as a DR plan I’m supposed to have an incident management plan, an emergency management plan, a crisis management plan, a business continuity plan, an adverse weather plan, a pandemic plan and a cyber-attack plan? What are all these plans and do I need them all – or which ones? Our organisation is office based and all of our IT is in the cloud.
Dear Tony:
Thanks for your question – it is one that I have been asked (with even more variations on the types of planning required) many times.
Let’s start with emergency management, incident management and crisis management. In Business Continuity, incident management is often interchangeable with crisis management as a term, and it depends on the wording that your organisation uses to describe any event that has a significant adverse impact on your business that couldn’t be fixed satisfactorily by normal means. Some organisations categorise event levels, such as incident, major incident and crisis, with different levels of management/executive seniority managing each level of event, with different agendas, action lists and communications.
Think of an emergency as the first phase of the incident/crisis if there’s a physical event such as a fire at your office – i.e. Emergency Management ties in with the emergency response of the Emergency Services (Ambulance, Fire Service, Police).
Best practice is seen as having generic plans that can deal with any type of incident/crisis, but you could include specific additional detail in playbooks for scenarios such as adverse weather, cyber-attack and pandemic.
ITDR plans are a little different – you can divide these into an IT management-level plan which explains how the IT leadership team would manage the IT failure and recovery, and detailed technical recovery plans including instructions and screenshots for technical specialists to use.
It is also important to be aware that, whilst your IT is in the cloud, this does not guarantee that you won't be the victim of a cyber-attack or that your IT services won't need ITDR one day. Under the shared-responsibility model most cloud providers operate, the provider protects the platform, but backing up and recovering your own data, configuration and user accounts remains your responsibility. Ask your cloud supplier what they are doing to protect you from cyber-attack, whether they plan for and test ITDR, and what you are expected to recover yourself.
To summarise, I would recommend that you have:
- Crisis Management Plan (the plan used by your senior management team to lead your organisation and communicate effectively during a crisis. This incorporates emergency and incident management and can include playbooks for situations such as adverse weather and cyber-attack)
- Business Continuity Plan (with information on how to recover activities, including relocation)
- ITDR Plans (including a management plan for the IT leadership team and technical recovery plans for technical staff to follow)
Anthony asks:
My organisation has several operational and warehouse sites across the UK, where I have completed some local site based simulation exercises. Could you suggest a good scenario that I could use for a Crisis Simulation Exercise with the senior leadership team?
Dear Anthony:
The first thing to say is that any good scenario should be grounded in facts and reality as far as possible. The more plausible and realistic a scenario, the better it will be received, particularly if the team in question have not completed an exercise for a long period of time.
Without more information, I cannot suggest a specific scenario for you, but I would suggest you consider the following when designing your exercise narrative:
- Consider basing it around a current risk to the business or a recent near-miss. This will help to ground the scenario in reality and provide the opportunity to explore how it would have been handled, which in turn can address issues within the business that may have arisen at the time of the near-miss.
- Work with a member of the leadership team to deliver the exercise. Bringing them on board can provide insight into risks and issues that the leadership are keen to explore, making the engagement more meaningful for them. Perhaps ask that member to sit out of the simulation exercise, acting as an observer or supporting the facilitation.
- Think about the impact(s) on the business that you want to explore first, then build a narrative to generate those issues for the Crisis Exercise. The impact of most incidents will affect one or more of Premises, People, Infrastructure or Supply Chain.
- Consider the team and their experience. The approach and complexity of the simulation should be tempered to match the level of the team, so that they can learn from the session and be challenged to an appropriate level.
GB asks:
I have just completed a BIA review across my business, amassing 47 individual BIA documents. I am in the process of conducting my analysis of the data, but wonder if you could give me any pointers on how I present this back to the business. (It's been difficult and poorly received in the past.)
Dear G:
There are a number of challenges when trying to present large BIA data sets back to the business. The key is to consider the audience or audiences that you are presenting to. There is no one size fits all, but it is rare that the full data analysis will be consumable. My approach has been to dissect the full data set into pieces for different audiences. Whilst this represents a bit of additional work, it does then allow you to have focused discussions with different parts of the business.
For example:
- Providing IT with the recovery time objectives (RTO) and recovery point objectives (RPO) requirements the business has for systems and the required equipment the business needs in recovery
- Talking through key supplier dependencies with procurement/partner managers
- Discussing equipment/premises requirements with Facilities to gauge whether the contingency plans for office space and specialist equipment are sufficient
- Sharing Business Continuity specific risks with the Risk and Compliance function
- Providing the key findings and issues highlighted in the analysis to your steering committee/BC Programme sponsor in a concise manner to allow them to more easily make a decision on how to react to the findings
You will always have your full data set to back up the discussions should you need it, and the strategic decisions made for your programme on the back of your findings will require that detail when you come to take action.
Mark asks:
We’ve invested a lot of money in IT resilience, do we still need IT disaster recovery?
Dear Mark:
If we see "IT resilience" as what you have in place to keep IT services running and avoid unplanned downtime (such as virtual machines, active/active technology and RAID-protected disks), then the big question is "what do you do if the IT services still fail?" This is where IT disaster recovery comes in: you recover IT services from data backups and then bring the recovered services online again. It's important to prepare for both. Whilst developments in IT resilience reduce the risk of complete IT failure (an "IT disaster"), resilience tends to rely on replication of data, so data corruption or a virus (ransomware included) would be replicated as well. ITDR would then be needed to recover IT services onto a separate (i.e. uninfected) network using backups that date back to before the infection took place, which in turn only works if those backups were kept offline or otherwise out of reach of the same infection.
Jon asks:
Our senior management team insists that every ITDR test we run is successful – is this realistic and how do we achieve it?
Dear Jon:
It’s ideal if every ITDR test is successful, but it’s important that this doesn’t come at the expense of watered-down testing, and/or test reports being worded to please the leadership team. It’s important that ITDR testing is thorough and that reporting shows the situation “warts and all” so that the organisation has a chance to identify issues and weaknesses and do something about it. In terms of measuring success, it helps to take a step back from focussing on the success or failure of individual tests and instead map out the test programme as a journey of continual improvement, which helps prepare the organisation for a real IT disaster/invocation. A complete failure at an ITDR test may be a “good” thing – if the organisation recognises what needs to be fixed and then fixes it and retests successfully as soon as possible.
Ellen asks:
“How do we test Crisis and Business Continuity plans and strategies (for example, our arrangements to work at another office), and how do we get the organisation on board to test?”
Dear Ellen:
For starters, let’s look at the ways in which we can validate BC. A drill is very focused on a specific activity (such as a fire drill to practice building evacuation), a test will have a measurable pass / fail outcome (such as an ITDR test or workplace relocation test) and an exercise will be a training activity designed to practice and build confidence (such as exercising the Crisis Management Team in the use of the Crisis Management Plan).
Whilst drills will be very specific and probably be organised through your Health and Safety / Security Manager, you can still introduce a BC twist to get people thinking. For example, find out when the next fire evacuation drill is and after everyone has evacuated hand out questionnaires to return to you or approach individuals and ask questions like – did they bring their purse/wallet, mobile phone and car keys with them? How would they get working again if it was a real fire and their laptop / desktop computer went up in smoke in the building? This gives you thought-provoking information to present to your leadership team. If you can’t find out when the drill will take place, then circulate a prepared email to all staff immediately after the drill when it happens.
Tests should be carefully prepared for by setting out what you are testing (including scope and objectives), how it will be tested (the method, staff and suppliers involved), how issues, lessons and timings will be recorded, and what the pass/fail criteria will be. This is best described in a test plan written and approved in advance, so that everyone is clear what's being tested and what's required of them. The plan should also clearly describe the risks of the test and mention any change control records that have been raised. Think too about how you'll prove the success or failure of the test: for example, if you're recovering IT systems in a closed DR network, will they be validated by the IT department only, or will business users also be involved to log in and check the functionality of the recovered applications?
Whilst the test plan sets out what will happen, a test report is also important, to describe whether the test passed when measured against the test criteria and to include issues, learnings and timings. Of course, you'll need to be present at the test itself to record all of that; the record proves the test happened and gives you the information for continual improvement. It's important to see tests as part of a programme of continual improvement, otherwise organisations can fall into the trap of being too ambitious and therefore introducing risk to the business.
Crisis management exercises run with the leadership team are a great way of getting the leadership team to engage, to "get it" and then to sponsor your BC programme. Take the time to research a plausible and relevant scenario to walk them through, and ask them to talk through the thought processes and decisions they would take if it were real. Try to work with a member of the leadership team to help you prepare, to make sure you're pitching the exercise in the most effective way. Try to get your leadership team together for half a day for the scenario, but if there isn't the appetite, get in front of them for 15 minutes and run a mini-exercise at a leadership team meeting, and use that to generate their interest in a larger exercise. As with tests, make a record of issues and lessons so that you can report back and make improvements after the exercise.
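As an added example (not from the original column), the script below ties together three of the answers above: the RTO/RPO requirements the BIA hands to IT (GB's answer), the point in Mark's answer that replicated corruption forces recovery from a backup taken before the infection, and the pass/fail criteria and "warts and all" reporting that Jon's and Ellen's answers call for in an ITDR test. It picks the newest backup taken before an assumed compromise time, measures the achieved RTO and RPO from the test timestamps, requires business-user validation, and grades each system. The systems, targets, backup catalogue, compromise time and test log are all constructed for illustration.

```python
"""Grade an ITDR test against BIA RTO/RPO targets and report it warts and all.

Added example, not from the original column. The systems, targets, backup
catalogue, compromise time and test timestamps are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Target:
    """What the business told us in the BIA for one system."""
    system: str
    rto: timedelta  # maximum tolerable time to restore the service
    rpo: timedelta  # maximum tolerable data loss, expressed as time


@dataclass
class Verdict:
    system: str
    restore_point: datetime     # backup actually restored in the test
    achieved_rto_hours: float
    achieved_rpo_hours: float
    rto_met: bool
    rpo_met: bool
    user_validated: bool        # business users logged in and checked function
    passed: bool


def latest_clean_restore_point(catalogue, compromise_at):
    """Newest backup taken strictly before the compromise.

    Replicas and backups taken after this point may carry the corruption or
    malware, so recovery has to roll back to here regardless of backup frequency.
    """
    clean = [taken_at for taken_at in catalogue if taken_at < compromise_at]
    return max(clean) if clean else None


def evaluate(target, invoked_at, restored_at, restore_point, user_validated):
    """Compare measured timings with the BIA targets; pass only if all three hold."""
    achieved_rto = restored_at - invoked_at
    achieved_rpo = invoked_at - restore_point  # data written after the backup is lost
    rto_met = achieved_rto <= target.rto
    rpo_met = achieved_rpo <= target.rpo
    return Verdict(
        system=target.system,
        restore_point=restore_point,
        achieved_rto_hours=achieved_rto.total_seconds() / 3600,
        achieved_rpo_hours=achieved_rpo.total_seconds() / 3600,
        rto_met=rto_met,
        rpo_met=rpo_met,
        user_validated=user_validated,
        passed=rto_met and rpo_met and user_validated,
    )


# Constructed scenario: malware entered the estate late on 12 May and the DR
# test "invokes" the next morning, so every backup after 23:00 is suspect.
COMPROMISE_AT = datetime(2019, 5, 12, 23, 0)
INVOKED_AT = datetime(2019, 5, 13, 10, 0)

TARGETS = {  # assumed BIA targets
    "finance-erp": Target("finance-erp", rto=timedelta(hours=4), rpo=timedelta(hours=1)),
    "email": Target("email", rto=timedelta(hours=8), rpo=timedelta(hours=48)),
}

# Constructed backup catalogue: hourly snapshots for the ERP, nightly for email.
CATALOGUE = {
    "finance-erp": [datetime(2019, 5, 12) + timedelta(hours=h) for h in range(35)],
    "email": [datetime(2019, 5, 11, 2), datetime(2019, 5, 12, 2), datetime(2019, 5, 13, 2)],
}

# Constructed test log: when the system was signed off, and whether users validated it.
TEST_LOG = {
    "finance-erp": (datetime(2019, 5, 13, 13, 30), True),
    "email": (datetime(2019, 5, 13, 15, 0), True),
}


def run_test():
    """Grade each system and return the verdicts keyed by system name."""
    verdicts = {}
    for name, target in TARGETS.items():
        restore_point = latest_clean_restore_point(CATALOGUE[name], COMPROMISE_AT)
        restored_at, validated = TEST_LOG[name]
        verdicts[name] = evaluate(target, INVOKED_AT, restored_at, restore_point, validated)
    return verdicts


def report(verdicts):
    """Plain-text test report; misses are stated, not softened."""
    lines = []
    for v in verdicts.values():
        lines.append(
            f"{v.system}: {'PASS' if v.passed else 'FAIL'} "
            f"(RTO {v.achieved_rto_hours:.1f}h {'ok' if v.rto_met else 'MISSED'}, "
            f"RPO {v.achieved_rpo_hours:.1f}h {'ok' if v.rpo_met else 'MISSED'}, "
            f"restore point {v.restore_point:%Y-%m-%d %H:%M}, "
            f"user validation {'done' if v.user_validated else 'NOT DONE'})"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(run_test()))
```

In the constructed scenario the ERP is restored well inside its four-hour RTO, yet the test still fails: hourly snapshots exist, but the newest one that predates the compromise is eleven hours older than the invocation, so twelve hours of data are lost against a one-hour RPO. That is exactly the kind of finding a softened report would hide and a "journey of continual improvement" should surface, typically by pairing replication with a retained, isolated backup history long enough to reach back past the infection.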