Happy New Year 2008
I would like to take this opportunity to wish all our readers, friends and associates, as well as our enemies, a very happy & prosperous New Year 2008.
Warwickshire St John Ambulance's new emergency response bicycles
In August 2006, St John Ambulance (SJA) in Warwickshire started to raise money to purchase Smith + Wesson bikes and all the medical kit needed for its Warwickshire Cycle Response Unit to respond to emergencies. The bikes were delivered in July this year. Each bike carries a first aid kit, oxygen, suction and an Automated External Defibrillator (AED). At sports events one bike has been known to carry entonox, an analgesic often called gas and air, rather than oxygen.
Eddie Stephenson, Unit Co-ordinator for Warwickshire Cycle Unit, has been speaking to the Emergency Management Portal.
"Normally we operate as a pair", he said. "We tried using our own bikes, but it didn't look good, different types of bike with various colours; we could only carry first aid kit around our waist, no AED, suction or oxygen."
It has been known for the unit to reach a casualty before a county ambulance. Earlier this year they attended a marathon at which two vehicles, a doctor and an ambulance, were sent to an unconscious patient. He couldn't be found; the cycle unit turned up and located the casualty, who couldn't be seen from the road. He was placed on oxygen, after which the unit called for transport.
The cycle can also be set up as a first aid post; it doesn't have to be a mobile unit.
Mr Stephenson told us: "At the moment Warwickshire have 3 bikes, but we intend to make it 4 within 18 months."
Walking the Office Party Tightrope – A Risk-Assessment Checklist
The Christmas office party is a traditional element of many businesses but what potential risks do these annual events present and what guidelines should be in place to ensure that revelry doesn’t turn into regret?
David Honour, a risk expert and editor of continuitycentral.com, together with Business Continuity Expo 2008, has put together a useful risk assessment checklist for risk-aware managers wanting to keep their jobs in 2008!
Strange as it may seem, the office Christmas party is probably one of the biggest avoidable risks that many companies take. Many of the most risk-aware and best protected companies in the world seem prepared to throw an office party without conducting the sort of risk assessment that they would for any other aspect of their business.
WHAT ARE THE RISKS?
Litigation
Even if an organised office party takes place outside of working hours and away from company premises, the normal laws that protect workers and their rights still apply. If an employee is injured or abused in any way during an office party the company may well be legally liable. High risk areas include injuries, abuse and even death, due to alcohol and substance abuse. Additionally, the risks associated with date rape drugs, where a victim’s drinks are unknowingly spiked with tranquilising and memory impairing drugs such as Rohypnol, are an increasing concern.
There are various sensible mitigation measures that companies can take:
- Ensure that the company human resource policies and handbooks address these areas. Documents should state when and under what circumstances staff remain under employment conditions when away from company premises and out of office hours. It may prove useful to develop a specific HR policy that relates to office parties. Policies need to spell out the disciplinary measures that will be taken against staff who abuse alcohol or drugs during the event and who carry out other activities deemed as unacceptable.
- Send a friendly memo around staff prior to the party reminding them of their responsibilities and of what is acceptable and unacceptable behaviour.
- Remind managers that they have responsibilities for implementing the company's alcohol and substance abuse policy and that they should be ready to have a friendly word with any person who is becoming intoxicated.
- Consider making arrangements to get employees home after the event. A taxi fare is a much cheaper option than a lawsuit alleging that your company failed in its duty of care because a drunken employee had an accident making his/her own way home.
- Companies should conduct a formal risk assessment of the office party and document the mitigation measures that have been taken. If the company should face litigation following a party-related incident this will offer evidence that the company has acted responsibly and taken all reasonable measures to prevent the incident occurring.
- Ensure that your company insurance policies cover your Christmas party activities, including the legal liability pitfalls.
Premises damage
Parties that are held on office premises are prone to office equipment damage. Simple accidents can be very costly. For example, a glass of wine dropped onto computer equipment could result in expensive damage to the equipment but could also result in lost data and significant downtime.
In general, it is to be recommended that parties are held off-site. This avoids any additional workplace risks associated with the event and may result in reduced, or joint, liability should a premises-related accident occur. It also often results in a better atmosphere, enhancing the positive effects that the party aims to engender. However, parties held off-site also bring the risk of damage and subsequent compensation payments. The risk is highest where an overnight hotel stay is offered to staff who have travelled from further afield. Emptied mini-bars and trashed hotel rooms are an expensive luxury.
Employee relations
This is perhaps the highest risk area and one of the most important for the smooth running of the company. The better the employee-to-employee and employer-to-employee relationships are, the stronger a company tends to be. Activities which damage these relationships need to be avoided, and the office party is a minefield in this area. Potential long-term conflicts can arise from common office party behaviour such as one-night stands, sexual harassment, verbal abuse and staff fights.
Such issues are difficult to mitigate against, but again, a clear human resource policy outlining what is unacceptable behaviour and the sanctions that will be brought into force against offenders will help in some of these areas. Good human resource management after any incident will also help reduce the personal and corporate impact.
Issues can also arise if an office party is planned insensitively. For example, a party which follows a period of cost-cutting and redundancies may be seen by the remaining staff as in bad taste.
Religion can cause problems and sensitivity needs to be shown, especially when a party is linked to a religious event such as Christmas or Easter. It may be better to rename the Christmas Party as simply the ‘Office Party’ or the ‘Holiday Party’, and it is best to avoid any use of decorations with religious themes or messages. Making the party optional is a sensible policy, allowing staff who may feel uncomfortable celebrating a festival based upon another religion to avoid the situation.
Reputational damage
This is another minefield, especially where clients and prospects are invited to office parties. Such guests will get to see the company’s employees without their professional ‘hats on’ and the resultant informality, when mixed with the lack of inhibition that alcohol consumption brings, can result in insulted clients and lost contracts.
Once again a well-crafted human resource policy will help in this area and a reminder memo beforehand can help place staff on-guard. Better still, consider making the party staff-only, keeping customers well away from the ‘danger zone’.
The most obvious, and bluntest, form of risk reduction is simply not to have an office Christmas party, but despite the risks there are also positive benefits to the festive event. It shows staff that they are important and that the company does not have a ‘Scrooge’ mentality. Parties can also be strong networking events. This, coupled with the simple fact that staff are enjoying themselves together and socialising outside their normal working environment, can have positive benefits on morale and employee relations. The trick is to be able to manage the liabilities and the reputational risks without negating any positive morale benefits.
For more pearls of wisdom visit www.continuitycentral.com and be sure to visit the Business Continuity Expo and Conference, held at EXCEL Docklands from 2–3 April 2008, the UK's definitive event for managing risk, resilience and recovery. This event will explore the solutions and best practice to ensure operational continuity and protect a company's interests before, during and after an incident. For further information visit www.businesscontinuityexpo.co.uk
Gloucestershire Constabulary rolls out Unifi software
Author: Antony Savvas
Gloucestershire Constabulary is deploying a new criminal justice system to help improve efficiency.
The force has chosen the Unifi system from SunGard Vivista as part of an upgrade to its previous SunGard system.
The Unifi system will bring the force up to date with the latest standards and technologies in the field and will be supported by a five-year support contract.
Unifi is a suite of integrated modules within a single application covering an array of police business processes, from crime, custody and case preparation through to the management of driving document productions, vehicle defect rectifications and road traffic collisions.
The system also collects intelligence derived from these activities and from other sources.
Built upon a single database, the application requires no interfacing between its own modules, which streamlines the solution and helps ensure uncomplicated support and easy maintenance.
All recorded data can be shared between modules without the need for multiple data entry, thus helping to make it more user-friendly and less time-consuming.
Gloucestershire Constabulary assistant chief constable, Mick Matthews, said, "We have successfully used SunGard's Unity system for the past ten years in support of operational policing functions.
"It has proved to be a robust and reliable system and we now look forward to using UNIFI, with its enhanced functionality and updated technology, in support of providing more effective and efficient services."
Source: Computer Weekly
Business Continuity – or is it? Are we missing the point??
By Dominic Hill, Consultant, Siemens Enterprise Communications Limited
There have been a number of papers and presentations recently looking at the nature of Business Continuity (BC) and tools used to deliver it – from the future of the BIA to the importance of building evacuations. With the imminent arrival of Part 2 of the British Standard for Business Continuity Management (BS 25999-2), there will be a defined management system – the BCMS - and a means of measuring performance of Business Continuity capabilities, should organisations choose to do so. But are we missing something? Have we created our own definition of continuity?
The Oxford English Dictionary (1999 edition) defines continuity as “the unbroken and consistent existence or operation of something over a period of time”.
In BS 25999-1:2006, business continuity is defined as “strategic and tactical capability of the organisation to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable pre-defined level”.
In this definition, the “unbroken and consistent existence” has been replaced with “plan for and respond to” and “continue”, words which imply reaction and recovery. If we look at the services offered within the BC/DR arena today, it is easy to see the focus on responding to incidents and recovering capabilities in:
- The provision of disaster recovery services;
- The provision of work area recovery services;
- The variety of software to generate, maintain and disseminate plans;
- A plethora of communications tools allowing call cascades and other abilities.
This is laudable, nay essential, as the BC manager’s maxim should be “Expect the unexpected”! But do these services really provide continuity for the business? It could be argued that this is really business recovery, although for some that term has its own distinct meaning. Are we missing something? Would it not be even better to avoid the incident or business interruption in the first place, leaving the recovery for when there is no other option?
Why have a disaster if you can avoid it?
Many organisations spend a significant amount of money and effort on recovery capabilities and the associated plans, but neglect to address the issues that would make the operation more resilient and less in need of recovery in the first place. Could that money be better spent on disaster avoidance in the first place? To a degree the answer is going to be dependent upon the state of the organisation, its ability to change and the willingness, of those in charge, to accept risk.
A key tenet of BS 25999 is “embedding the BCM culture within the organisation” and this is probably the single most important thing when it comes to being pro-active about disasters. When a system, regardless of whether it is business or IT, is designed and operated with continuity in mind, the subsequent need to mitigate risks with recovery capabilities can be reduced.
Resilience: The unbroken operation
In order for a system to have unbroken operation, the threats to that operation must be reduced or removed. When BCM is a recognised part of the daily processes, and not something that gets retrofitted in the later stages of the system lifecycle, it is easy to consider these potential threats at the start of that lifecycle. Typically the causes of threats include:
Location of the system – This has a wide scope and should consider location at all levels, both physically (geographically and within the campus and building) and logically (within the organisation). Taking as an example a new IT system, are there opportunities to implement it in a location separate from the main user population, as well as away from physical risks arising from its location and environmental factors?
From the business viewpoint, the who and how should be considered. Does the system require input from certain members of staff whose roles make them unlikely to be available at the same time? Is specialist knowledge vested in a single individual, thus creating a potential single point of failure?
Access to the system – Again this works at both physical and logical levels. Again considering an IT example, there is little point in implementing a new system and a corresponding recovery capability if the system is situated in a location that does not afford it appropriate protection, environmentally or from a physical security point of view. A classic technology example is siting critical equipment in an IT suite that is used by members of IT staff as a shortcut to other parts of the building. A large number of incidents arise from human error in some shape or form; accidents do happen.
Similarly from a business viewpoint, especially in these days of increased concern over the safety of data, who has access to what, by what means and for what purpose must be considered. For example, are personnel records only available as paper copies? If so, where are they held, and is that location secure?
Design of the system – A single IT system can look cheaper than a design that addresses potential single points of failure with some sort of redundancy of functionality. On paper that is. When the cost of the corresponding recovery capability is included the picture may be very different. Similar arguments exist for non-IT tasks, where the ability for multiple teams (possibly on different sites) to carry out the same activity can address not only loss of site scenarios but also loss of staff – whether through pandemic or other cause.
Systems documentation - or the lack of it - In today’s fast moving world it is not uncommon for less than ideal documentation to be produced during the development phases, as the pressure to deploy the system increases. Limited documentation leads to a potential lack of understanding of how things work, which increases the threat of mistakes. Furthermore it is very hard to maintain and protect the system if it is not clearly understood where the interdependencies lie and the possible impacts when changes occur around it.
Understanding the business is one of the four stages in BS 25999 and is as essential to the resilience aspects of BC as to the recovery aspects. Good systems documentation has a major part to play in this.
Control of changes to the system – most systems will, after an initial period, operate in a steady state, until something changes! This is especially true in IT, which due to the ever developing nature of the technology is probably subject to more change than most business processes – the changes occurring in the form of software patches, upgrades, hardware enhancements for capacity improvements etc. The same can also be seen in the non-IT space, where changes to business process manifest as the results of mergers and acquisitions or the outsourcing of parts of the operation. By controlling the way change occurs – especially considering the impacts from all aspects – the threat from change can be minimised.
When these areas are considered throughout the whole lifecycle of a system and appropriate decisions made, the result will be a more resilient system that is fit for the purpose for which it was intended. As with anything in the BC space, this is not rocket science, just common sense, but it appears to be something that is often ignored in favour of cheaper or short-term solutions or because the challenges are too great.
Challenges associated with implementing resilience
Implementing resilience can have significant challenges associated with it, including:
Total Cost of Continuity
This is a variant of the well known “Total cost of ownership” concept and is proposed here as a means to understand exactly what costs are incurred in providing true continuity for an organisation.
Typically organisations look at their recovery contracts, sum the costs and label the result as the cost of BC. This is misleading as it takes no account of the cost involved in setting up and maintaining BC within the organisation. In particular it ignores the cost of resources required for the exercising (testing) of recovery plans, both IT and non-IT. These costs can be quite considerable when the effort required for preparation and carrying out exercises across the different departments is considered, but they are often lost within the operational costs of the departments involved. Also, the more specialist the recovery processes, the more resource is required, in addition to a potential for greater frequency of exercising (to ensure that all appropriate staff gain the necessary experience).
If a more realistic approach is taken and the resource and exercising costs (in particular) are included, the total cost of continuity may well look very different. This may provide sufficient justification for implementing a more robust design that negates the need for much recovery.
Outsourcing
More and more the outsourcing of discrete parts of operation is seen as a cost saving exercise. While this may be true, there may also be benefits in the form of decoupling those parts of the operation physically as well as logically. Resilience may be improved, but out of sight is out of mind as the saying goes – so the emphasis shifts to one of supplier management, which must be supported by carefully prepared and suitably detailed legal contracts. This is an area of BC that is experiencing rapid growth as organisations mature in their own continuity capabilities and start to look more closely at those suppliers (outsourcers included) on which they depend.
Change as a mechanism for delivering resilience (and hence continuity)
Applying changes to an existing system in order to improve resilience is rarely easy – especially if it involves withdrawing previous access. It is easy to argue that things “have always been done that way” and that disasters had not occurred so change is unnecessary. The point can be illustrated with statistics, but not conclusively, for either side! The governing factor must be what is best for the unbroken operation of the business in a fit for purpose solution.
Fortunately, change can work in favour of these attempts to achieve resilience. In the area of technology (not exclusive to IT) the need to refresh equipment every three or four years provides an opportunity to implement measures to improve resilience. Similarly in the business space, changes in process, whether brought about by technology or changes in business practice, can be used to improve resilience here too.
Summary
While the typical focus of BC today is arguably on recovery activities, there is much to be gained from the pro-active side of continuity – providing the unbroken operation in a way that is fit for purpose. Maybe the time has now come for attention to be paid to this much neglected area of BC; maybe it will be the next to mature? After all, why have a disaster if you don’t need to?
Siemens Enterprise Communications Limited will be exhibiting at the Business Continuity Expo and Conference, held at EXCEL Docklands from 2–3 April 2008, the UK's definitive event for managing risk, resilience and recovery. This event will explore the solutions and best practice to ensure operational continuity and protect a company's interests before, during and after an incident.
For further information visit www.businesscontinuityexpo.co.uk
There have been a number of papers and presentations recently looking at the nature of Business Continuity (BC) and tools used to deliver it – from the future of the BIA to the importance of building evacuations. With the imminent arrival of Part 2 of the British Standard for Business Continuity Management (BS 25999-2), there will be a defined management system – the BCMS - and a means of measuring performance of Business Continuity capabilities, should organisations choose to do so. But are we missing something? Have we created our own definition of continuity?
The Oxford English Dictionary (1999 edition) defines continuity as “the unbroken and consistent existence or operation of something over a period of time”.
In BS 25999-1:2006, business continuity is defined as “strategic and tactical capability of the organisation to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable pre-defined level”.
In this definition, the “unbroken and consistent existence” has been replaced with “plan for and respond to” and “continue”, words which imply reaction and recovery. If we look at the services offered within the BC/DR arena today, it is easy to see the focus on responding to incidents and recovering capabilities in:
- The provision of disaster recovery services;
- The provision of work area recovery services;
- The variety of software to generate, maintain and disseminate plans;
- A plethora of communications tools allowing call cascades and other abilities.
This is laudable, nay essential, as the BC manager’s maxim should be “Expect the unexpected”! But do these services really provide continuity for the business? It could be argued that this is really business recovery, although for some that term has its own distinct meaning. Are we missing something? Would it not be even better to avoid the incident or business interruption in the first place, leaving the recovery for when there is no other option?
Why have a disaster if you can avoid it?
Many organisations spend a significant amount of money and effort on recovery capabilities and the associated plans, but neglect to address the issues that would make the operation more resilient and less in need of recovery in the first place. Could that money be better spent on disaster avoidance in the first place? To a degree the answer is going to be dependent upon the state of the organisation, its ability to change and the willingness, of those in charge, to accept risk.
A key tenet of BS 25999 is “embedding the BCM culture within the organisation” and this is probably the single most important thing when it comes to being pro-active about disasters. When a system, regardless of whether it is business or IT, is designed and operated with continuity in mind, the subsequent need to mitigate risks with recovery capabilities can be reduced.
Resilience: The unbroken operation
In order for a system to have unbroken operation, the threats to that operation must be reduced or removed. When BCM is a recognised part of the daily processes, and not something that gets retrofitted in the later stages of the system lifecycle, it is easy to consider these potential threats at the start of that lifecycle. Typically the causes of threats include:
Location of the system – This has a wide scope and should consider location at all levels – both physically (geographically and within the campus and building) and logically (within the organisation). Taking as an example a new IT system, are there opportunities to implement it in a location discrete from the main user population, as well as away from the physical risks arising from location and environmental factors?
From the business viewpoint, the who and how should be considered. Does the system require input from certain members of staff whose roles make them unlikely to be available at the same time? Is specialist knowledge vested in a single individual, thus creating a potential single point of failure?
Access to the system – Again this works at both physical and logical levels. Again considering an IT example, there is little point in implementing a new system and a corresponding recovery capability if the system is situated in a location that does not afford it appropriate protection – environmentally or from a physical security point of view. A classic technology example is siting critical equipment in an IT suite that is used by members of IT staff as a shortcut to other parts of the building. A large number of incidents arise from human error in some shape or form; accidents do happen.
Similarly from a business viewpoint – especially in these days of increased concerns over the safety of data – who has access to what, by what means and for what purpose must be considered. For example, are personnel records only available as paper copies? If so, where are they held, and is that location secure?
Design of the system – A single IT system can look cheaper than a design that addresses potential single points of failure with some sort of redundancy of functionality. On paper that is. When the cost of the corresponding recovery capability is included the picture may be very different. Similar arguments exist for non-IT tasks, where the ability for multiple teams (possibly on different sites) to carry out the same activity can address not only loss of site scenarios but also loss of staff – whether through pandemic or other cause.
Systems documentation - or the lack of it - In today’s fast moving world it is not uncommon for less than ideal documentation to be produced during the development phases, as the pressure to deploy the system increases. Limited documentation leads to a potential lack of understanding of how things work, which increases the threat of mistakes. Furthermore it is very hard to maintain and protect the system if it is not clearly understood where the interdependencies lie and the possible impacts when changes occur around it.
Understanding the business is one of the four stages in BS 25999 and is as essential to the resilience aspects of BC as to the recovery aspects. Good systems documentation has a major part to play in this.
Control of changes to the system – most systems will, after an initial period, operate in a steady state, until something changes! This is especially true in IT, which due to the ever developing nature of the technology is probably subject to more change than most business processes – the changes occurring in the form of software patches, upgrades, hardware enhancements for capacity improvements etc. The same can also be seen in the non-IT space, where changes to business process manifest as the results of mergers and acquisitions or the outsourcing of parts of the operation. By controlling the way change occurs – especially considering the impacts from all aspects – the threat from change can be minimised.
When these areas are considered throughout the whole lifecycle of a system and appropriate decisions made, the result will be a more resilient system that is fit for the purpose for which it was intended. As with anything in the BC space, this is not rocket science, just common sense, but it appears to be something that is often ignored in favour of cheaper or short-term solutions or because the challenges are too great.
Challenges associated with implementing resilience
Implementing resilience can have significant challenges associated with it, including:
- Cost;
- Outsourcing/Supply chain management;
- How to get there from here.
Total Cost of Continuity
This is a variant of the well known “Total cost of ownership” concept and is proposed here as a means to understand exactly what costs are incurred in providing true continuity for an organisation.
Typically organisations look at their recovery contracts, sum the costs and label the result as the cost of BC. This is misleading as it takes no account of the cost involved in setting up and maintaining BC within the organisation. In particular it ignores the cost of resources required for the exercising (testing) of recovery plans, both IT and non-IT. These costs can be quite considerable when the effort required for preparing and carrying out exercises across the different departments is considered, but they are often lost within the operational costs of the departments involved. Also, the more specialist the recovery processes, the more resource is required, in addition to a potential for greater frequency of exercising (to ensure that all appropriate staff gain the necessary experience).
If a more realistic approach is taken and the resource and exercising costs (in particular) are included, the total cost of continuity may well look very different. This may provide sufficient justification for implementing a more robust design that negates the need for much recovery.
Outsourcing
More and more the outsourcing of discrete parts of operation is seen as a cost saving exercise. While this may be true, there may also be benefits in the form of decoupling those parts of the operation physically as well as logically. Resilience may be improved, but out of sight is out of mind as the saying goes – so the emphasis shifts to one of supplier management, which must be supported by carefully prepared and suitably detailed legal contracts. This is an area of BC that is experiencing rapid growth as organisations mature in their own continuity capabilities and start to look more closely at those suppliers (outsourcers included) on which they depend.
Change as a mechanism for delivering resilience (and hence continuity)
Applying changes to an existing system in order to improve resilience is rarely easy – especially if it involves withdrawing previous access. It is easy to argue that things “have always been done that way” and that disasters have not occurred, so change is unnecessary. The point can be illustrated with statistics, but not conclusively, for either side! The governing factor must be what is best for the unbroken operation of the business in a fit for purpose solution.
Fortunately, change can work in favour of these attempts to achieve resilience. In the area of technology (not exclusive to IT) the need to refresh equipment every three or four years provides an opportunity to implement measures to improve resilience. Similarly in the business space, changes in process, whether brought about by technology or changes in business practice, can be used to improve resilience here too.
Summary
While the typical focus of BC today is arguably on recovery activities, there is much to be gained from the pro-active side of continuity – providing the unbroken operation in a way that is fit for purpose. Maybe the time has now come for attention to be paid to this much neglected area of BC; maybe it will be the next to mature? After all, why have a disaster if you don’t need to?
Siemens Enterprise Communications Limited will be exhibiting at the Business Continuity Expo and Conference held at EXCEL Docklands from 2-3 April 2008 - the UK's definitive event for managing risk, resilience and recovery. This event will explore the solutions and best practice to ensure operational continuity and protect a company's interests before, during and after an incident.
For further information visit www.businesscontinuityexpo.co.uk