
Regus / URM Business Continuity Survey

Date post: 10-May-2015
Upload: regus

Business continuity communication – the weakest link?


Background

With the introduction of ISO 22301, the new International Standard for Business Continuity Management, Ultima Risk Management (URM) and Regus took the opportunity at the end of 2012 to conduct a survey with the objective of assessing the current status of Business Continuity (BC) in the UK and the likely impact of the new Standard. Of the 200 organisations who completed the survey, the vast majority were from the private sector and represented both manufacturing and service organisations. There was also a wide spread in terms of organisation size, from SMEs to large corporates. The results provided some interesting insights into existing BC practices and, in particular, into those areas which represent the biggest challenges to UK businesses.

Impact of ISO 22301

Overall, there was quite a high awareness of ISO 22301, with 62% of survey respondents looking to comply or certify with the new Standard. One of the key perceived impacts of the Standard was in the use of ISO 22301 in tenders.

Nearly 2 out of 3 respondents believed that ISO 22301 will become an essential requirement to bid for high value tenders and 58% believed the same to be true for general tenders. However, most respondents were not anticipating an immediate impact: of those who anticipated it becoming a requirement, 57% were not expecting it to become essential for 3 years or more.

Senior Management Involvement

One of the positive findings was the high percentage of senior managers who were involved to some degree in BC, with only 2% reporting no involvement. Senior management involvement is widely recognised as a key requirement in any successful BC implementation and is featured prominently as a requirement in the new ISO 22301 Standard. Given this statistic, one could assume that Business Continuity is being given significant focus within organisations. However, the survey points to a number of weaknesses in terms of BC arrangements.

Existence of Business Continuity Plans

It seems that whilst organisations are aware of the importance of BC, it can be argued they are not doing enough to plan and prepare for future incidents and events. This appears to be particularly true for SMEs, with 30% of those respondents with less than 50 staff reporting they had no Business Continuity plans (BCPs) in place (compared to 16% overall).

Smaller organisations may be thinking that such plans are not needed or they are not a priority. However, it is argued that having an effective response mechanism in place against different disruption scenarios, including loss of key staff, single points of failure and denial of access to key buildings/sites, is highly relevant for SMEs.

Any organisation, no matter what size or industry, would suffer some level of adverse impact in the event of a disruption. Many businesses may consider that people within their organisation are capable of ‘thinking on their feet’ and they would just ‘know’ how to deal with an incident, but there is a lot more to Business Continuity than just ‘thinking on your feet’. Furthermore, it begs the question of what happens ‘if those individuals capable of thinking on their feet are not available?’

Business Continuity planning includes ensuring that the people involved with the response and recovery processes have the appropriate skills and competencies and have been trained to deal with an incident, no matter what form it may take. It also ensures that every key role within the process has a deputy who is also trained with the necessary skills and competencies, if required.


Importance of Business Impact Analysis (BIA)

Whilst the statistic of 5 out of 6 responding organisations having BCPs in place may appear to be acceptable/impressive, it has to be questioned what the plans are based upon. There is little benefit in having a BCP in place, if you are not protecting your key products and services. Before an organisation develops effective BCPs, good practice dictates that it needs to determine what it needs to recover - its ‘critical processes’. What really needs to be recovered and how quickly is best determined by assessing the impact of a disruption on the business, be that from a financial, operational, contractual or health and safety perspective. If an organisation does not know the answer to these questions, it is quite possible that any plans developed will be based on someone’s guesswork, the wrong parts of the business or the wrong recovery requirements. The process of uncovering this information is called a business impact analysis, or ‘BIA’.

Of the 200 organisations surveyed, 26% said that they had not carried out a BIA. It can thus be hypothesised that of the 84% of respondents who reported having BCPs in place, some of these may be focussing their recovery efforts around the wrong business processes or incorrect recovery requirements.

Internal Communication

Apart from conducting BIAs, another critical (and often neglected) element of good practice BC is internal communication. What if employees don’t know what is contained within the BC plans or what their roles or responsibilities are in the event of a disruption? One of the key findings and concerns emerging from the Regus/URM survey relates to BC awareness levels. When asked what their biggest BC concerns were, 28% of all organisations surveyed reported ‘a lack of awareness of BC arrangements’. This figure rose to 35% for those organisations with more than 250 employees. Only 46% of survey respondents indicated that they issued regular BC communications to their employees; for smaller organisations with less than 250 employees, this figure fell to 32%.

Knowing that the plans exist is only one element of BC awareness though. Staff need to be given specific BC responsibilities and should be trained and participate in exercises to ensure that they are competent enough to carry those responsibilities out.

If an incident occurs, every organisation needs to know which members of staff (primary role holders and deputies) will keep the business going. Businesses of all sizes will benefit from increased internal BC Communication.

External Concerns

Apart from internal communication issues, the Regus/URM survey also found that 27% of respondents reported that BC in the supply chain was their major external concern. Although 73% of all respondents had identified their critical suppliers, far fewer organisations had taken proactive steps to address BC arrangements with them. It seems that the larger organisations have a slightly better handle on things. 52% of the organisations responding to the survey indicated that they had discussed the subject with their suppliers, but this fell to only 35% for businesses who employed less than 50 people. When asked whether they require their supply chain to have exercised / tested their plans, the numbers dropped drastically to 29% and 18% respectively.

An organisation is only as strong as its weakest link. It doesn’t matter how robust the BCPs and processes are, if an organisation’s critical suppliers cannot provide the level of service required.

Conclusion

The Regus / URM BC survey is a lesson to us all that organisations need to communicate about Business Continuity more regularly (whether internally or to their suppliers).

Identification of critical processes (via BIA) is essential so that more appropriate BCPs can be developed.

Effective communication to staff through exercising, training and awareness is vitally important to ensure that should the unforeseen happen, everyone knows what their roles and responsibilities are and can focus on recovery and ensuring the business continues.

A more proactive approach when dealing with key suppliers will ensure that services continue in the event of an incident.


About Regus

Regus is the world’s largest provider of flexible workplaces, with products and services ranging from fully equipped offices to professional meeting rooms, business lounges and the world’s largest network of video communication studios. Regus enables people to work their way, whether it’s from home, on the road or from an office. Customers such as Google, GlaxoSmithKline, and Nokia join hundreds of thousands of growing small and medium businesses that benefit from outsourcing their office and workplace needs to Regus, allowing them to focus on their core activities.

About Ultima Risk Management (URM)

Ultima Risk Management (URM) specialises in delivering consultancy and training in the areas of Business Continuity, information security and risk management. A particular niche skill of URM is in assisting organisations to comply with the relevant British and International Standards, most notably ISO 27001 and ISO 22301 (and its predecessor BS 25999). To date, URM has assisted over 60 organisations from both the public and private sectors to certify to these Standards. In addition, URM is also a Payment Card Industry Qualified Security Assessor (PCI QSA), which means that it has been certified by the PCI Security Standards Council (PCI SSC) to assess organisations’ compliance with PCI DSS.

Regus / URM Business Continuity Survey – April 2013

