
BUSINESS CONTINUITY MANAGEMENT: BUILDING A …...certificate of assurance if they met the...

Date post: 03-Jun-2020
Page 1: BUSINESS CONTINUITY MANAGEMENT: BUILDING A …...certificate of assurance if they met the requirements of their internal audit processes. This helped celebrate success and became a

© Emergency Planning College ‘Assurance Against Adversity’

EPC Brief

United Kingdom Emergency Planning College:

Easingwold, York

Page 2

Resilience: What We Do

Build Resilience

Provide Assurance

Protect Reputation

Deliver Capabilities

Page 3

Building Resilience: The Cycle Of Development

Plan

Train

Exercise

Review

Change

Page 4

Working together effectively

Building Resilience: Our Expert Capabilities

Critical Decision-making

Identifying & Learning Lessons

Public Comms Planning For Disasters

Managing Disaster & Threat Risk

Training Crisis Leaders

Designing & Delivering Exercises

Crisis Communications

Business Continuity Management

Cyber Threat Management

Joint Operations

Essential Skills For Support Teams

Crowd Safety Management

Counter Terrorism

Crowded Places

Page 5

Martin W Fenlon MBA BA (Hons) Dip BCM MBCI

Challenges Of BCM Within An Ever-changing Environment

Page 6

Key Themes

Terminology…some personal views

Implementing BC into an organisation

Results from BC health checks

How good do you need to be – lessons from ‘High Reliability Organisations’

Where next for BCM?

Page 7

The Definition

holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities

ISO22301:2012

Page 8

REFERENCE: BCM Lifecycle 2013

21 April 2015

Page 9

Response Timeline

Page 10

Page 11

What Is The Scope Of Your BCMS?

Page 12

5th November 1605 – Guy Fawkes

Page 13

State Opening Of Parliament

Page 14

Relevance For Today?

Denial of premises

Denial of people

Denial of ICT

Denial of utilities

Denial of key suppliers

Page 15

CLAIM… AND BE ABLE TO PROVE

Before the Event

Mark Scoggins LLP

“We assessed risk and response and planned well”

“We were as ready as we could reasonably be”

“Safety of people came first by a very long way”

“The top took and takes a vigorous interest”

“Saving money was not a consideration in safety”

“We did a good and professional job”

Page 16

Page 17

Independent Internal Review (Findings)

Reliance on BlackBerry

While very resilient, most organisations were dependent on mobile telephony to communicate in a major disruption; contact details were only stored in the BlackBerry and there was no ‘plan B’ if the system was lost.

Competency of BC staff

A significant number of BC practitioners had no formal training for their role. Training was often ad hoc rather than part of a planned training strategy to maintain staff competence.

The narrow focus of exercises

Training is about developing competent staff; exercising is about ensuring the plan is fit for purpose. Most exercises seem to focus on the initial incident management rather than on how the organisation would maintain its critical activities in the event of a prolonged disruption.

Terminology used

Undertaking the IIR across government departments has identified a range of descriptors for managing an incident. Some use Bronze, Silver and Gold; some add Super Gold or Platinum; others have levels one to five or vice versa. While this might be appropriate for managing a disruption faced by a single organisation, such varied terminology may be confusing if an inter-agency response is required.

Page 18

Independent Internal Review (Findings)

Robust Incident Management Framework

We found that a good incident management plan, tested regularly, improved the confidence and commitment of those involved with the BC capability.

Integrating BC requirements in procurement arrangements

Some organisations have built up good relationships between BC professionals and procurement professionals to ensure key suppliers are selected on criteria which included their resilience arrangements.

Effective IM Communications

One organisation has developed a ‘know the signs’ campaign to inform staff of the nature of a particular incident. These include logos representing weather, transport, HR and ICT-related issues, etc. The logo pops up on the staff member’s intranet before or during an incident to inform them about the incident so that they can take the appropriate action.

Page 19

Independent Internal Review (Findings)

BC competing with other organisational requirements

There are tensions that need to be managed by top management, such as the tensions between the need for resilience (some redundancy in the system) and for economy (need to cut costs); between utility (must be able to access data remotely) and security (the data must be secure). One organisation we reviewed had invested in secure laptops to improve their resilience. However, some staff left them in the office on ‘health and safety’ grounds as they felt they were too heavy!

Use of business unit champions

Some organisations had developed BC champions to represent their business area within the organisation. These champions meet on a regular basis with the BC manager to review resilience arrangements and discuss lessons identified from exercises or business disruptions. This active involvement of business representatives helps ensure ownership of the BCM capability throughout the organisation.

Certificate of Assurance

One organisation we reviewed publicly awarded each business unit a certificate of assurance if they met the requirements of their internal audit processes. This helped celebrate success and became a sought-after accolade among the heads of business units.

Effective newsletters

In the organisations where there was a good level of BC awareness we found that there was usually a well written and widely read newsletter. Some use humour and topical issues to keep resilience issues on the business agenda; the tone of such newsletters needs to be appropriate to the culture of the organisation.

Page 20

Incident Management

Rising tide disruption v sudden impact

Page 21

Roles And Responsibilities

How is membership of the IMT defined? (Core membership versus ‘best endeavours’ / ad hoc)

Have you got an IMT secretariat?

Who is in Charge? – IMT Chair

Is a Communications advisor part of the IMT?

Do you have a Chief of Staff Role?

Are crisis roles related to routine functions? (competences / resources / maintenance programme)

Page 22

Need To Grab People’s Attention...

Managing information during an incident

Read out what you see in the next few slides…

Page 23

Page 24

Page 25

How Many Letter F’s Are There?

FINISHED FILES ARE THE RE

SULT OF YEARS OF SCIENTI

FIC STUDY COMBINED WITH

THE EXPERIENCE OF

YEARS...

Page 26

BCM And Cultural Change

Page 27

High Reliability Organisations

Preoccupation with failure

Reluctance to simplify interpretations

Sensitive to operations

Commitment to resilience

Deference to expertise

Weick and Sutcliffe (2005) Managing the Unexpected

Page 28

1. Preoccupation With Failure

Treat any lapse as a symptom that something is wrong

Encourage reporting of errors

Elaborate experiences of near misses for what can be learned

Are wary of the potential liabilities of success, including complacency, the temptation to reduce margins of safety, and the drift into automatic processing

Page 29

2. Reluctance To Simplify

Take deliberate steps to create more complete and nuanced pictures – they simplify less and see more

Encourage boundary spanners who have diverse experience, scepticism toward received wisdom, and negotiating tactics that reconcile differences of opinion without destroying the nuances that diverse people detect

Page 30

3. Sensitivity To Operations

Has an ongoing concern with the unexpected

Actively identifies ‘latent failures’ – loopholes in the system’s defences, barriers and safeguards that lie dormant until they align and cause an interruption

The ‘big picture’ is less strategic and more situational – enabling continuous adjustments that prevent errors from accumulating and enlarging

HROs are aware of the close tie between sensitivity to operations and sensitivity to relationships – staff are empowered to speak out

Page 31

4. Commitment To Resilience

HROs develop capabilities to detect, contain, and bounce back from those inevitable errors that are part of an indeterminate world

The signature of an HRO is not that it is error-free, but that errors don’t disable it

Resilience is a combination of keeping errors small and improvising workarounds that keep the system functioning

Page 32

5. Deference To Expertise

HROs push decision making down and around, recognising that rigid hierarchies have their own vulnerabilities

Decisions are made on the frontline, and authority migrates to the people with the most expertise, regardless of rank

HROs differentiate between normal times, high-tempo times and emergencies and clearly signal which mode they are operating in

Page 33

[Figure: matrix with axes Intellectual Buy-In and Emotional Buy-In, each running from Low to High; quadrant labels: Weak links, Loose cannons, By-standers, Champions. Thompson 1998]

Page 34

The BCM Lifecycle...Does Your System Work?

Page 35

Summary

An effective BC capability needs to be driven from the top (Policy, Management Review, etc)

Your BC capability needs to be proportionate to the risks you are facing

You need a BC manager / coordinator to maintain the BCMS – the BC manager’s job is ‘to help managers manage’

Page 36

Summary Cont…

While BC is a journey, not a destination, you still need clear milestones / basecamps to help monitor performance

BC is a necessary capability for a resilient organisation but it is not sufficient… BC needs to be integrated with the other business resilience components such as risk management, financial controls, business strategies, physical and information security, procurement arrangements, disaster recovery capability and supply chain management

Page 37

© Emergency Planning College Challenges Of BCM Seminar – June 2016