© Emergency Planning College ‘Assurance Against Adversity’
EPC Brief
United Kingdom Emergency Planning College:
Easingwold, York
© Emergency Planning College ‘Assurance Against Adversity’
Build Resilience
Provide Assurance
Protect Reputation
Deliver Capabilities
Resilience: What We Do
© Emergency Planning College ‘Assurance Against Adversity’
Building Resilience: The
Cycle Of Development
Plan
Train
Exercise
Review
Change
© Emergency Planning College ‘Assurance Against Adversity’
Working together effectively
Building Resilience: Our Expert
Capabilities
Critical Decision-making
Identifying & Learning Lessons
Public Comms Planning For Disasters
Managing Disaster & Threat Risk
Training Crisis Leaders
Designing & Delivering Exercises
Crisis Communications
Business Continuity Management
Cyber Threat Management
Joint Operations
Essential Skills For Support Teams
Crowd Safety Management
Counter
Terrorism
Crowded Places
© Emergency Planning College
Martin W Fenlon MBA BA (Hons) Dip BCM MBCI
Challenges Of BCM Within
An Ever-changing
Environment
© Emergency Planning College
Key Themes
6 –
Terminology…some personal views
Implementing BC into an organisation
Results from BC health checks
How good do you need to be – lessons from ‘High Reliability organisations
Where next for BCM?
© Emergency Planning College
holistic management process that identifies potential
threats to an organization and the impacts to business
operations that those threats, if realized, might cause,
and which provides a framework for building
organizational resilience with the capability for an
effective response that safeguards the interests of its
key stakeholders, reputation, brand and value-
creating activities ISO22301:2012
The Definition
7 –
© Emergency Planning College
REFERENCE: BCM Lifecycle 2013
8 – 21 April 2015
© Emergency Planning College
Response Timeline
9 –
© Emergency Planning College
© Emergency Planning College
What Is The Scope Of Your BCMS?
© Emergency Planning College
5th November 1605 – Guy Fawkes
© Emergency Planning College
State Opening Of Parliament
© Emergency Planning College
Relevance For Today?
Denial of premises
Denial of people
Denial of ICT
Denial of utilities
Denial of key suppliers
© Emergency Planning College
CLAIM… AND BE ABLE TO PROVE
Before the Event
Mark Scoggins LLP
15 –
“We assessed risk and response
and planned well”
“We were as ready as
we could reasonably be”
“Safety of people
came first by a very
long way”
“The top took and takes
a vigorous interest”
“Saving money was not
a consideration in safety”
“We did a good and
professional job”
1 2 3
4
8
5 6
7
© Emergency Planning College
Independent Internal Review (Findings)
17 –
While very resilient, most organisations were
dependent on mobile telephony to communicate
in a major disruption; contact details were only stored in the BlackBerry
and there was no ‘plan B’ if the system was lost
Reliance on BlackBerry
A significant number of BC practitioners had no formal
training for their role. Training was often ad hoc
rather than as part of a planned training strategy to maintain staff competence
Competency of BC staff
Training is about developing competent staff; exercising is about ensuring
the plan is fit for purpose. Most exercises seem to
focus on the initial incident management rather than on how the organisation would maintain its critical activities in the event of a prolonged
disruption
The narrow focus of exercises
Undertaking the IIR across government departments has identified a range of
descriptors for managing an incident. Some use Bronze, Silver and Gold; some add Super Gold or Platinum, others have levels one to
five or vice versa. While this might be appropriate for managing a disruption
faced by a single organisation, such varied
terminology may be confusing if a inter-agency
response is required
Terminology used
© Emergency Planning College
Independent Internal Review (Findings)
18 –
We found that a good incident management plan, tested
regularly, improved the confidence and commitment of
those involved with the BC capability
Robust Incident Management Framework
Some organisations have built up good relationships between
BC professionals and procurements professionals to
ensure key suppliers are selected on criteria which included their resilience
arrangements
Integrating BC requirements in procurement arrangements
One organisation has developed a ‘know the signs’ campaign to inform staff of the nature of a
particular incident. These include logos of representing, weather, transport, HR, ICT related issues, etc. The logo
pops-up on the staff member’s intranet before or during an
incident to inform them about the incident so that they can take the appropriate action
Effective IM Communications
© Emergency Planning College
Independent Internal
Review (Findings)
19 –
There are tensions that need to be managed by top
management such as the tensions between the need
for resilience (some redundancy in the system) and for economy (need to cut costs); between utility
(must be able to access data remotely) and security (the data must be secure). One organisation we reviewed
had invested in secure lap-tops to improve their
resilience. However, some staff left them in the office on ‘health and safety’ grounds as they felt they were too
heavy!
BC competing with other organisational
requirements
Some organises had developed BC champions to represent their business area
within the organisation. These champions meet on a
regular basis with the BC manager to review resilience arrangements and discuss
lessons identified from exercises or business disruptions. This active involvement of business
representatives helps ensure ownership of the BCM
capability throughout the organisation
Use of business unit champions
One organisation we reviewed publicly awarded
each business unit a certificate of assurance if
they met the requirements of their internal audit
processes. This helped celebrate success and
became a sort after accolade among the heads of
business units
Certificate of Assurance
•In the organisations where there was a good level of BC awareness we found
that there was usually a well written and widely read newsletter. Some use
humour and topical issues to keep resilience issue on the business agenda; the tone of such newsletters need to be appropriate to
the culture of the organisation
Effective newsletters
© Emergency Planning College
Incident Management
20 –
Rising tide
disruption v
sudden
impact
© Emergency Planning College
Roles And Responsibilities
How is membership of the IMT defined? (Core membership versus ‘best endeavours’ / ad hoc)
Have you got an IMT secretariat?
Who is in Charge? – IMT Chair
Is a Communications advisor part of the IMT?
Do you have a Chief of Staff Role?
Are crisis roles related to routine functions? (competences / resources / maintenance programme
© Emergency Planning College
Need To Grab People’s Attention...
Managing information in during an incident
Read out what you see in the next few slides…
© Emergency Planning College
© Emergency Planning College
© Emergency Planning College
How Many Letter F’s Are There?
FINISHED FILES ARE THE RE
SULT OF YEARS OF SCIENTI
FIC STUDY COMBINED WITH
THE EXPERIENCE OF
YEARS...
© Emergency Planning College
BCM And Cultural Change
26 – 21 April 2015
© Emergency Planning College
Preoccupation with failure
Reluctance to simplify interpretations
Sensitive to operations
Commitment to resilience
Deference to expertise
High Reliability Organisations
Weick and Sutcliffe (2005) Managing the Unexpected
© Emergency Planning College
Treat any lapse as a symptom that something is wrong
Encourage reporting of errors
Elaborate experiences of near misses for what can be learned
Are wary of the potential liabilities of success, including complacency, the temptation to reduce margins of safety, and the drift into automatic processing
1. Preoccupation With Failure
© Emergency Planning College
Take deliberate steps to create more complete and nuanced pictures – they simplify less and see more
Encourage boundary spanners who have diverse experience, scepticism toward received wisdom, and negotiating tactics that reconcile differences of opinion without destroying the nuances that diverse people detect
2. Reluctance To Simplify
© Emergency Planning College
Has an ongoing concern with the unexpected
Actively identified ‘latent failures’ – loopholes in the systems defences, barriers and safeguards that lie dormant until they align and cause an interruption
The ‘big picture’ is less strategic and more situational – enabling continuous adjustments that prevent errors from accumulating and enlarging
HROs are aware of the close tie between sensitivity to operations and sensitivity to relationships - staff are empowered to speak out
3. Sensitivity To Operations
© Emergency Planning College
4. Commitment To Resilience
HROs develop capabilities to detect, contain, and bounce back from those inevitable errors that are part of an indeterminate world
The signature of an HRO is not that it is error-free, but that errors don’t disable it
Resilience is a combination of keeping errors small and improvising workarounds that keep the system functioning
© Emergency Planning College
HROs push decision making down and around recognising that rigid hierarchies have their own vulnerabilities
Decisions are made on the frontline, and authority migrates to the people with the most expertise, regardless of rank
HRO’s differentiate between normal times, high-tempo times and emergencies and clearly signal which mode they are operating in
5. Deference To Expertise
© Emergency Planning College
Inte
lle
ctu
al B
uy-I
n
Emotional Buy-In Low
High
High
Thompson 1998
Weak links Loose cannons
By-standers Champions
© Emergency Planning College
The BCM Lifecycle...Does Your System Work?
© Emergency Planning College
Summary
An effective BC capability needs to be driven from the top (Policy, Management Review, etc)
Your BC capability needs to be proportionate to the risks you are facing
You need a BC manager / coordinator to maintain the BCMS – the BC manager’s job is ‘to help manager, manage’
© Emergency Planning College
Summary Cont…
While BC is a journey, not a destination, you still need clear milestones / basecamps to help monitor performance
BC is a necessary capability for a resilient organisation but it is not sufficient…BC needs to be integrated with the other business resilient components such as risk management, financial controls, business strategies, physical and information security, procurement arrangements, disaster recovery capability and supply chain management
© Emergency Planning College Challenges Of BCM Seminat – June 2016 37 –