archive

Event - Secure in the Knowledge - Bristol 4th October

Category: Business Continuity Event

Regional Launch Secure in the Knowledge

Date - 4th October - 08:30 to 12:00

Location - The Council House, College Green, Bristol

Following on from our “Ship Shape & Bristol Fashion” Event in May this year, the Council is pleased to announce that it will be hosting the Regional Launch of the "Secure in the Knowledge" business advice booklet and video.

The booklet and video were produced in partnership by the National Terrorism Security office and London First. The Launch will be hosted in the unique setting of the main conference hall in Bristol City Council House, and will include a Senior Figure from the Security world, along with accredited speakers and experts in the field of Business Continuity and national security.

Bristol is the regional capital of the South West and is home not only to many major businesses but also to over 13,000 small enterprises, providing employment and holding responsibility for many thousands of people.

It is expected that this prestigious event will attract a large audience, offering potential networking with businesses of all sizes in the local area. We urge early registration.

The morning event is offered free of charge to delegates and is aimed at offering businesses in the area unbiased and straightforward advice on Security, Business Continuity Management and Resilience Planning. Delegates are being invited from Bristol and the SW region, along with other interested parties. Please note that registration is required.


Event - Pan London Authority Forum - inaugural meeting 29/9

Category: Business Continuity Event

Pan London Authority Forum 

Date - 29th September 2005 - London

Please note this is a PRIVATE Forum delivered through our Public Sector Support programme. Attendees will be representatives of the 33 London Boroughs and/or relevant and connected partners only.

THESE SESSIONS WILL BE STRICTLY GOVERNED BY THE CHATHAM HOUSE RULE

Creating a Pan London Local Authority community for BCM

Introduction

The CCA was laid before parliament at the end of July 2005 together with regulations and guidance covering England. By Nov 15 2005 local authorities have to comply with the act, with the exception of the duty to promote BCM to the wider community, which comes into force on the 15th May 2006.

Special Event - Secure in the Knowledge - Resilience in the South East - 25/10

Resilience is defined as 'the ability of the community, services, area or infrastructure to withstand the consequences of an incident'.

Business Continuity Seminar and Resilience Exhibition 25th October 2005 - Camberley Theatre - 09.30 - 14.00

Business Continuity & Insurance - Event 20th Sept - London

Special Insurance Event 

Preference will be given in the first instance to Full Forum members and partners. Please note that this event is strictly hosted under CHATHAM HOUSE RULES.

Location: London

Date: 20th September 2005

Special Presentation Event

Securing corporate premises: Some useful tricks to keep your business safe

Security in the workplace 

In recent years an increasing chunk of companies' corporate security or business continuity budget has been spent on maintaining back-up sites where data can be stored or from which the business could be run in an emergency. However, security consultants point out that risk management begins at home with measures to safeguard company headquarters, branches, factories and greenfield sites.

For new buildings, once the nature of the risks to the business has been assessed, this means careful planning of the layout and configuration of the site or office, and security professionals should be part of the process. “Security needs to be incorporated at the earliest possible stage,” says Paul Burry, a senior consultant at Control Risks, which advises clients on their physical security measures. “In project teams security should be in there from the start - and it should not be the retro-fit or the bolt on later.”

BCM 2005 Survey UK organisations are sitting ducks

Research finds that UK organisations are sitting ducks as they fail to plan for major disruptions

07 March 2005

UK organisations admit they are failing to protect key assets and the ability to function in the face of major disruptions, according to research published today by the Chartered Management Institute. The 2005 Business Continuity Management Survey uncovered alarming inactivity, with organisations ignoring threats to their business, neglecting the needs of their managers, and not communicating plans with employees.

The research, published in association with the Continuity Forum and VERITAS Software, does, at least, reveal increased levels of awareness about potential dangers to business. More than half (51 per cent) have a business continuity plan (BCP) in place, a slight increase on each of the previous three years. However, the study also demonstrates varying attitudes to risk across business sectors and organisation size. Continuity management is most widespread amongst the banking sector and in organisations with a turnover of more than £11 million.

Threats to business

Managers were asked to identify the threats most likely to have an impact on their organisation. Almost three-quarters (70 per cent) suggested that loss of IT capability was their top concern. Reflecting the tight labour market, managers also identified loss of skills (56 per cent) and loss of people (55 per cent) as major threats to their business.

It has also become clear that UK businesses are sitting ducks as most plans fail to cater for the disruptions being experienced by organisations. Despite an increase in incidents relating to loss of people (up to 41 from 25 per cent) and skills (up to 28 from 20 per cent) to hit organisations over the last twelve months, only a handful of BCPs cover staff issues.

Mary Chapman, chief executive of the Chartered Management Institute, commented: "It is a matter of concern that many organisations still fall short when it comes to implementing thorough business continuity management strategies. However, the rising awareness of corporate governance responsibilities, and in particular the demands of the new Operating and Financial Review regulations, should ensure that managers focus on the impact and cost that the loss of staff and services can have."

Demands for continuity management

A significant shift has also occurred over the past year, with external drivers influencing the extent of business continuity management (BCM). Corporate governance is considered the key reason (34 per cent, up from 24 per cent in 2004), followed by demands from insurers (25 per cent), central government (22 per cent) and auditors (20 per cent).

Encouragingly, in 27 per cent of organisations, the Board leads business continuity management. Budgetary control has also shifted into mainstream business operations, with 38 per cent of organisations ensuring BCM budgets are held at director. The research indicates that now only 9 per cent of organisations give financial control of BCM to risk managers and 5 per cent to IT directors, recognising the need to prioritise business continuity.

Dr David J Smith, principal consultant at EMEA BCM Practice at VERITAS Software, says: “When the number of remote workers increases, IT departments are under more pressure to ensure that core systems are always available; or can be recovered quickly should a system failure occur. Whilst UK businesses are making investments in this area, surprisingly few are communicating business continuity plans to staff - even though they recognise the need to do so. Disaster Recovery research in 2004 highlighted that there was a lack of regular rehearsals completed by businesses to ensure that such plans are comprehensive enough and it appears from this survey that there is still a long way to go before this practice becomes standard.”

Inadequate preparation

Respondents expressed anxiety over the lack of a communication chain about business continuity plans. Of those organisations with a plan in place, only 58 per cent regard their employees as a key audience to share continuity details with. Only 1 in 4 organisations have an awareness programme for all staff and just over half (53 per cent) provide additional training for specific, relevant, employees. The research also indicates that organisations do not rehearse the effectiveness of their BCPs.

In 2005, one-fifth of organisations admitted they never test their plan and, of those with a plan in place, only 52 per cent meet the minimum recommended frequency of rehearsing BCPs once a year.

The finance sector is most likely to ensure plans are robust, and the manufacturing sector comes bottom of this year's BCM rehearsal league table. Worryingly, the research indicates that business continuity management is still not part of UK organisation performance culture.

A total of 86 per cent claimed their rehearsals revealed shortcomings and 13 per cent admitted these problems had not been addressed. Nearly two-thirds (58 per cent) do not even measure BCM performance and 40 per cent of organisations with turnover of less than £10 million do not audit their continuity programme.

The Continuity Forum, says: “The evidence suggests a small but consistent growth in business continuity management. Having a plan is not enough! Major steps still need to be taken as too many organisations are scraping by with inadequate and untested plans that expose them to unnecessary risk.”

Further information, including case studies, can be obtained from the Chartered Management Institute: Mike Petrook / Gemma Bird
Tel: 020 7497 0496
Outside office hours: 07931 302 877
Email: press.office@managers.org.uk
Website: www.managers.org.uk

NOTES TO EDITORS

As the champion of management, the Chartered Management Institute shapes and supports the managers of tomorrow, helping them deliver results in a dynamic world. The Institute helps set and raise standards in management, encouraging development to improve performance. Moreover, with in-depth research and regular policy surveys of its 74,000 individual members and 480 corporate members, the Institute has a deep understanding of the key issues. The Chartered Management Institute came into being on 1 April 2002, as a result of the Institute of Management being granted a Royal Charter.

The Continuity Forum is a member-focused organisation committed to building the resilience of organisations internationally, regardless of size or sector, through education and the promotion of best practice in Business Continuity Management and its related disciplines. The Forum is dedicated to aiding the growth and the development of the Continuity sector and appropriate standards. More information about Continuity Forum can be found at www.continuityforum.org

About VERITAS Software

VERITAS Software, one of the 10 largest software companies in the world, is a leading provider of software to enable utility computing. In a utility computing model IT resources are aligned with business needs, and business applications are delivered with optimal performance and availability on top of shared computing infrastructure, minimizing hardware and labour costs. With 2003 revenues of $1.75 billion, VERITAS delivers products and services for data protection, storage & server management, high availability and application performance management that are used by 99 percent of the Fortune 500. More information about VERITAS Software can be found at www.veritas.com. Copyright © 2004 VERITAS Software Corporation. All rights reserved. VERITAS, the VERITAS Logo, and Storage Replicator are trademarks or registered trademarks of VERITAS Software Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

BSI Committee commences work and the Forum launches new Standards discussion group

Today at the Institute of Directors the British Standards Institution team charged with translating the current PAS56 guidance for Business Continuity into a full British Standard met for the first time formally.

The group comprises the Business Continuity Institute and the Continuity Forum, as well as a range of representatives from industry and government.

Terrorism: Companies yet to find the right balance between insurance and management

Hundreds of actors found themselves hired for an unusual performance earlier this month - faking illness. The actors, part of the US’s largest ever terrorism drill, played people suffering from the effects of a biological agent. The drill, during which officials staged a car bomb and a chemical attack in Connecticut, involved hospitals, investigators, politicians and consultants.

On a smaller scale similar exercises are carried out by companies concerned to test the resilience of their operations to terrorism attacks. But while such exercises are becoming more common in the corporate world, consultants and insurance brokers argue that many companies are not sufficiently focused on the threat of terrorism.

“In looking at some of the polls over the past few years and asking what factors keep boards awake at night, terrorism doesn’t even appear in the top 10,” says Rob Preston, consultant crisis management at Aon, the global insurance broker. “People see operational risk and loss of intellectual property as more critical than terrorism - and we think that’s probably wrong.”

Part of the problem is that no pattern of attacks has yet emerged on which to base risk assessments with regard to terrorism. While events such as the World Trade Center attacks of 2001 and the Madrid bombings of 2004 have demonstrated the power of terrorists to wreak destruction, the global nature of terrorist networks makes it difficult to predict the location of future attacks or whether their frequency will increase.

Nevertheless, argues Mr Preston, this is no reason for companies to bury their heads in the sand. What they should be doing, he says, is assessing risk by looking not only at the potential threats but the vulnerability of their own operations to those threats. “You can’t do anything about threat, but you can do something about vulnerability,” he says. “There’s physical side, such as blast proofing or CCTV, but also at board level, companies should look at business vulnerabilities like a choke point in the supply chain.”

In addition, the threats vary considerably from country to country with different organisations choosing different targets and a variety of methods through which to attack those targets. While catastrophic attacks tend to dominate the headlines, it is often forgotten that, for example, India regularly suffers attacks from separatist groups.

“Companies have to be aware of how vulnerable they are,” says Alastair Morrison, chairman of Kroll Security International. “If you have to go into a country such as Indonesia, where there have been incidents against western interests, you have to think about how much at risk you are.”

This will determine what a company should spend on measures to reduce the impact of terrorist attacks and on insurance coverage, says Stephen Ashwell, terrorism underwriter at Hiscox. “If you are a cheese farm in Finland, it is pointless spending millions of dollars on security.” By contrast, a business located in the centre of a big metropolitan area would need to take a different approach. “It’s clear that the platform of al Qaeda wants mass casualties on the front page. So anyone with public access or in large shopping areas is particularly at risk and they should look to security systems and at what their contingency plans should be,” he explains. “But any spending has to be commensurate with the risk.”

Of this spending, a large proportion remains tied up with insurance. In this area, companies are finding that the access to and affordability of terrorism coverage have eased considerably in recent years, with far greater capacity in the market than there was immediately after the attacks of September 11.

However, Mr Ashwell believes that many companies have not yet found the right balance between insurance coverage and risk management measures such as disaster recovery and business continuity plans. “Some of them may be tending to buy too much insurance, or too little, because they haven’t looked at that side of things,” he says.

Nevertheless, there is evidence that more companies are taking terrorism threats into account when making investment decisions. “In the past, the question was ‘is the project viable and can we make money from it?’ But now you’re having major input from the security side,” says Mr Morrison. “So while a project makes sense financially, people are asking about the risk to installations of terrorists taking over, or people being killed because there’s a war going on.”

Mr Morrison believes that terrorism is moving up the board agenda, with sophisticated companies appointing senior level executives to tackle managing risk in this area. Much of this pressure is coming from a recognition that security is part of corporate governance. “It’s forcing people to think these things through and the board has to go through the scenarios of what might bring down the business,” says Mr Morrison. “So the chairman and board are listening to their security people far more than they ever did before.”

Creating Continuity ... Building Resilience ...

If you would like to know more about how your organisation can get involved and benefit from working with the Continuity Forum, please email us or call on + 44 (0) 208 993 1599.

Outsourcing: Get a grip on all the links in the chain

By Paul J Davies

ARCHIVED 2005

Outsourcing and offshoring have become a mainstream strategic option for many corporations looking to cut costs. Hundreds of thousands of IT jobs have been exported from western Europe and the US to countries such as India, while tens of thousands of call centre jobs have gone from the UK alone. But the ever increasing popularity of such moves belies the considerable risks involved.

According to Sam Samaratunga, a partner in Risk Assurance Services at PwC, 25 per cent of IT outsourcing contracts fail within the first two years with the rate rising to 50 per cent over five years - and this includes domestic outsourcing.

When companies send contracts offshore the risks are compounded. Offshoring risks range from the large political event threats such as terrorism, political violence and war to the more subtle, including political discrimination, regulatory considerations and cultural issues.

Matthew Strong, a partner at Jardine Lloyd Thomson, the insurance broker and risk consultancy, says few countries will unilaterally confiscate company assets, but unexpected renegotiation of a licence to operate remains a danger. China and India are among the most popular of offshoring destinations due to an abundance of well-educated but cheap labour.

However, their relative modernity and stability is far from assured, says Charles Keville, a director of Aon Crisis Management, a unit of Aon insurance brokers. “Very recently, China said it could declare war on Taiwan while two years ago everyone thought there could be imminent nuclear war between India and Pakistan,” he says. Sure enough, just as the countries agree on a peaceful bus route through Kashmir, trouble has flared again.

For the apocalyptic situations insurance is the only safety net but, according to Strong, losses are still likely. Coverage for asset confiscation, for example, is capped at about £1bn, he says, although companies can still mitigate losses by arranging cover with a number of providers. The more common threats, where insurance is also an option, involve a whole gamut of service interruptions.

Depending on your company, these will be more or less important to your business, says Mr Keville. For an online travel company with IT services abroad, a long interruption would be likely to cause a painful loss of business, not just at the time but when affected customers are considering which site to visit in the future. However, the same kind of interruption is not likely to be nearly as sensitive for an online directories business.

One of the most important things, whether you are concerned about serious peril or just a hiccup, is to have good contingency planning in place. When it comes to insurance, most companies will take out a policy to cover the costs of re-establishing operations quickly, whether that be back at home or at another offshore site. Mr Keville says that, because of this, it may only take a policy for £5m or £10m to protect a business. But while you can insure against errors, continuity of service, even fraud, there are plenty of risks that are far harder to quantify and so very difficult to insure.

Cultural risks are both incredibly common and hard to mitigate, especially when it comes to customer facing operations. Capital One, the credit card company, found this to its cost when it cancelled a telemarketing deal with an Indian call centre company because it discovered that workers had misled customers with spurious offers of credit. Dell was also forced to reverse its policy and shift a number of customer support jobs back to the US because a significant number of customers complained that they had difficulty understanding Indian accents. As Mr Samaratunga says: “If you've broken down in Aylesbury and end up speaking to someone in India there's a good chance they are not going to be able to relate to you or your situation very well.”

Customer frustration can lead easily to customer loss. But if outsourcing is pursued with phased implementation of contracts that have been well prepared with a proper understanding of the rationale for pursuing the move and a firmly established cost base, many problems can be avoided. Companies need to understand all the links in the chain of outsourcing, Mr Samaratunga says.

Outsourcing contractors can delegate some elements further to a subcontractor and a company needs to ensure that all elements of the chain will be contractually obliged to it. Another problem, particularly with IT contracts, is the hidden costs that a company can realise too late have previously been absorbed by departments other than the internal IT department but then can crop up as part of the outsourcing contract. But one of the biggest reasons for failure is that companies underestimate the amount of effort and control that is needed to ensure that outsourced service agreements are fulfilled.

A call centre strategy that works

Aviva, the UK's largest insurer, has been one of the leaders in attempting to cut costs by offshoring call centre jobs to India, along with Prudential, HSBC and others. It has created 3,700 jobs in India already and plans to increase this to about 7,000 by the end of 2007. While it may have aroused the ire of Amicus, the UK union for white collar workers, the strategy has not yet run into any serious problems or caused an exodus of customers. Simon Machell, director of customer service, says the group began researching possibilities for offshoring call centres in 2002 and quickly decided not to open a new location itself in some faraway place.

The company decided on a three stage model in which it would find a partner to build the business and operate it with an option for Aviva to bring it under the group umbrella at a later date if it progressed well. This approach was a good way to minimise the cultural risk because it provided a cheap escape route if Aviva's customers did not take to the service or if the contracts were not fulfilled to the group's satisfaction.

“If we had set it all up ourselves and in one or two years had to unwind it because it wasn't working, it would have been very expensive,” Mr Machell says. He says the group spoke to about 70 different companies in India before choosing, ranging from individual entrepreneurs who would be starting almost from scratch, to very large companies. “We chose a company called EXL the first time. They had done similar stuff with large US insurance companies and so had the knowledge of the industry as well as the capacity.” The contracts are set so that a company such as EXL can run the business for a minimum of three years, allowing it time to make a return on its investments but, after that period, Aviva can effectively take the operations back when it wants, Mr Machell says.

Mr Machell adds that the business continuity risks it faces in India are slightly more complex, but essentially much the same as it would face with a domestic call centre.

 


Status of risk managers: A dramatic change in relationships

By Ellen Kelleher
Published: April 15 2005 16:03 | Last updated: April 15 2005 16:03

Six months have passed since regulators first went on a crusade to rid the insurance sector of improper practices and so much has changed. The Greenbergs are no longer the insurance industry’s reigning dynasty. Brokers have stopped accepting kickbacks from favoured insurers.

The accounting practices at American International Group, the biggest insurer in the world, are drawing intense scrutiny and, as regulators uncover more improprieties, companies are leaning on risk managers to assess the quality of their insurance programmes. The profile of these executives - who were once anonymous operators in most organisations - has been raised considerably.

“Chief financial officers are beginning to ask risk managers a lot more questions,” says Andrew Barile, an industry consultant. When Eliot Spitzer, the New York attorney general, sued Marsh, the world’s biggest insurance broker last October, directors and senior managers at Fortune 500 companies put pressure on risk managers to either drop Marsh or justify retaining its services. Risk managers were in the hot seat for failing to pick up on the bid-rigging alleged to have taken place at Marsh.

Most were aware that brokers had been accepting special bonuses from certain insurers and the threat of shareholder lawsuits posed concern. Risk managers ceded considerable control to brokers over the last decade, analysts say. In the 1990s, Marsh and others moved to take a more hands-on approach to the complicated business of structuring policies and began offering a wider variety of services such as risk management, research and consulting. As a result, the role of risk managers became more passive.

But the current investigation has changed the relationship between brokers and risk managers dramatically. Bob Hartwig, chief economist at the Insurance Information Institute, reports that the awareness of risk managers “has increased substantially” in the wake of Mr Spitzer’s investigation. As one analyst says: “The leverage in the relationship has changed. It will never be the same.”

A study by PwC suggests companies should delegate more responsibility to risk managers. Analysts say the most effective ones handle risk modelling strategies and thoroughly evaluate alternative insurance options such as captives in addition to the usual tasks of signing off on standard insurance programmes.

“Everybody involved in monitoring risk of all kinds should have a genuine influence over decision-making,” the PwC report states.


In recent months risk managers have begun to ask tough questions about fees and commissions and how brokers place coverage. “What used to happen is brokers and risk managers would meet for dinner and later risk managers would write letters authorising brokers to place the coverage. Now the process is becoming a lot more formal. The bar has been raised because directors and senior managers are demanding it,” says Mr Barile. One reason why ties between risk managers and brokers were close was that modestly-paid risk managers often defected to brokers in search of higher salaries. Leaving for brokerages often allowed them to double or triple their pay.

“In recent years, their compensation hasn’t reflected their contribution to corporations,” Mr Barile says. Some predict risk managers will be paid more as their duties expand.

“There’s potential for higher rewards. Many businesses have become very aware of the importance of these jobs,” Mr Hartwig says. The Public Risk Management Association (Prima), a US trade group for risk managers, reports a surge in interest in its training programmes. Among other things, the group tries to educate risk managers in the public sector about insurance markets and alternative risk financing. It suggests companies recruit managers with business degrees or graduate degrees in public administration and risk management.

“The role of the risk manager has evolved over the last couple of years and become more sophisticated. And all the regulatory issues have emphasised why the profession is so important,” says Jim Hirt, Prima’s executive director. The importance of hiring risk managers first rose to prominence following the attacks of September 11, 2001. “Since September 11, more companies and municipalities have begun to come to Prima for educating on risk management,” Mr Hirt says. Following the September 11 attacks, the market hardened and prices rose. Risk managers were under pressure to try to control these costs. “Risk managers were making some of companies’ most important decisions between the years 2000 and 2003 when the market hardened,” Mr Hartwig says.

Enron, WorldCom and other corporate scandals have also put the role in the spotlight as companies struggle to figure out how to handle the threat of reputational risk. The net result of these scandals has been new regulation. After the passage of the Sarbanes-Oxley act, companies are taking it upon themselves to interpret rules in the strictest possible way to avoid further potential problems. But for risk managers, this comes at a potential cost. They have complained the focus on box-ticking compliance with the new rules can act as a sort of tax and leaves them with less time to guard against less quantifiable threats, such as risk to reputation.

Nike: Sporting chance of getting it right

By Ross Tieman
Published: June 24 2005 13:52 | Last updated: June 24 2005 13:52

Geoff Taylor has been thinking about enterprise risk and maintaining business continuity for more than two decades.

As the director of Risk Management at US sporting goods manufacturer and retailer Nike for Europe, the Middle East and Africa, he is in the front line of ensuring a prominent American brand can continue to deliver its promise to customers, and profits to its shareholders.

And yet the core risks to business continuity that concern him most are workaday issues.

“The most important thing for us is to protect the supply chain,” he says, “making sure that customers get the products that they require at the right time in the right place.”

This down-to-earth assessment of the chief hazards to continuity at Nike is fascinating, because it puts the headline hazards in context.

Nike has been criticised for labour conditions in the factories of its low cost suppliers and, like every iconic US brand, could be a focus for those who vent their spleen on US foreign policy against assets of its corporations.

Says Mr Taylor: “This is an underlying issue for any US domiciled business. One of the things we like to think is that through sport and sports sponsorship people connect with the brand in a way that they would not, perhaps, for McDonald’s or Coca-Cola.”

Since joining Nike three years ago, after a career that began in insurance underwriting and spanned risk management roles at US contractor group Bechtel Group and jeans maker Levi Strauss, Mr Taylor has overseen a classic risk management strategy.

From Nike’s regional headquarters in Hilversum in the Netherlands he and his 15-strong team have focused on so-called Tier 1 risks: spanning environmental, safety and health issues at the region’s 174 facilities, ranging from stores to a massive distribution centre.

These elements are then broken down into issues of security, business continuity and insurance and claims. The core aim, he says, is to prevent incidents happening in the first place, but then to ensure there are back-up plans in place to ensure business continuity should an event occur. “If something does happen, we have an emergency plan to cover most eventualities,” he says. This too will have three parts: crisis management, business recovery and finally workplace or information technology recovery.

Picking out any single overriding threat to business continuity is impossible, he says. “There is a raft of things that could happen,” from an incident at an external transport contractor to a warehouse fire.

Every conceivable possibility has to be assessed, ranked and, if necessary, planned for. “We continuously and constantly analyse different risks and, working with the people in the business, assess their possible impact,” he says.

Most of the consultation is with operational managers. Language difficulties across such a culturally-diverse region preclude direct consultation of shop floor staff, though Mr Taylor will walk through the facilities to assess possible hazards.

Where there are significant costs involved, he has to persuade his bosses to stump up the cash to protect against them, and put in place contingency plans to ensure continuity.

“Generally management are pretty supportive,” he says, “but we have to support our ideas and explain why we want to behave in a particular way.”

That explains why he reckons good communication skills are essential to a good business continuity manager.

That and resilience. “Often, what we do is not seen as a priority,” he says. “There is often a view that it has never happened, so it will never happen.” So determination and persuasion are needed to ensure business continuity planning is accepted and implemented. That is particularly true, he says, because of the way risk management and business continuity planning are evolving.

Where once companies focused on insurable risks, today’s generation of business continuity specialists, better trained and resourced, are working with a much broader spectrum of management colleagues, from health and safety specialists to the legal department and brand protection executives.

“Risk management and business continuity are becoming more professional,” he says. Nike has yet to suffer any serious continuity threat in its Europe, the Middle East and Africa region. Yet the company is determined not to be caught out.

“Risks are continuously evolving,” says Mr Taylor, “and so is our planning”.

Foreign companies: Coping with corruption

By Tom Warner
Published: June 24 2005 13:52 | Last updated: June 24 2005 13:52

The World Economic Forum’s business conference in Kiev this month heard reassuring messages from Ukraine’s leaders about intentions to tackle what may be the biggest business continuity issue for foreign investors in the former Soviet Union: bureaucratic corruption.

President Viktor Yushchenko said his administration had replaced 18,000 bureaucrats and would sack others who did not live up to his no-bribes standards.

But it might be worth listening to the advice of a specialist in dealing with corruption. “From a company’s point of view, getting personal is a very dangerous game to play. I can’t think of any case where I would advise it,” says John Bray, a consultant at Control Risks Group.

Even when top authorities are committed to tackling corruption, co-operating is not always easy. At the conference, investors attending a panel on corruption delicately broached the subject. “I don’t pay bribes but my wife’s family’s company does,” says one businessman.

Mr Yushchenko’s team “needs a lot of help from the business community”, says Gerald Parfitt, a senior partner at PwC’s Kiev office, which also offers crisis management consulting. “It is very difficult to cure corruption once it’s in the nature of society.”

There are strategies that help. One of the most important, according to Mr Bray, is patience: “In Ukraine and other parts of the former Soviet Union, you need to be investing for the longer term. If you need something in a hurry, you’re vulnerable.” Mr Bray advises companies to play for time while coming up with “alibis” – reasons why the company is unable to pay. For example, your local office is unable to make spending decisions without approval from the head office. You are obliged to document and explain all payments and record them in the company’s accounts. Laws in your home country prohibit bribing.

Sometimes, a firm response is all that is required. If a bureaucrat is holding up some kind of permission, he may cave in to persistent nagging.

When making the decision to turn to a powerful person for help, one should be aware that one will usually later receive “some kind of bill,” Mr Bray says.

For example, a politician may ask for a job for one of his friends.

Keeping one’s nose clean is particularly crucial if one lands in a dispute with a competitor or former partner. In the former Soviet Union, these tend to involve harassing law suits and planted reports in the media designed to wreck a rival’s reputation, usually with the goal of pressuring the rival into making some kind of deal.

Mr Bray says such problems require individually tailored responses, but companies can join together to address the underlying systemic weaknesses by taking part in business associations and lobbying the government.

The goal is to change the incentive system for bureaucrats and politicians alike, he says.

“One hopes that in the future politicians will gain power by bringing good companies into their constituencies. That’s something nobody would have to be embarrassed about.”

Staff communication: An ear to the ground

By Ross Tieman
Published: June 24 2005 13:52 | Last updated: June 24 2005 13:52

When UK business continuity managers gathered a couple of weeks ago in Brighton for the annual conference of the Association of Insurance and Risk Managers, one topic was on everybody’s mind: the mounting importance of employee consultation.

The introduction in April of the Information and Consultation regulations gave staff the right to be involved in business continuity planning in organisations of more than 150 people wherever it affects their jobs.

Not that companies necessarily needed compulsion to talk to staff about continuity issues. A survey of 2,000 members of Britain’s Business Continuity Institute found in March that protecting employees was the paramount incentive for organisations to engage in business continuity planning.

Philip Carter, senior manager in the enterprise risk group at adviser Deloitte, says the two most striking emerging trends in business continuity planning are accelerating the speed of recovery after incidents and ensuring companies and organisations can recover from any blow to their human capital, particularly the knowledge staff have.

It is easy to understand why knowledge management is becoming a priority for Europe’s business continuity managers. It does not take a big disaster involving loss of life to cause disruption.

Take, for example, a small IT department employing three people responsible for a business critical system. One takes maternity leave, a second resigns for a job elsewhere and the third breaks a leg playing football.

Without a business continuity system that includes knowledge management the company could struggle to find someone who understands the system.

Early assessments of human risk inevitably focused on senior managers and those whose jobs put them in the front line – such as expatriate staff working for a defence contractor in Saudi Arabia, for example.

But as companies slim down and industrial and support functions become automated, key personnel whose loss can affect efficiency are found throughout the organisation.

One way to tackle the problem is to ensure ready access to personnel records that show who has knowledge of key processes or clients gained in an earlier role. Come what may, says Mr Carter, companies are finding they must duplicate knowledge. “No matter how much you might like to, you can’t protect your people from all the hazards of life.”

Organisations are also increasingly obliged to listen to their staff. This does not come easily. Business continuity managers, says Mr Carter, tend to deal with other managers though “we do occasionally use shop floor people to understand, say, what the mechanical issues are with a particular piece of machinery”.

Unions believe they have more to contribute. They say employees have as much interest in ensuring business continuity as managers.

Hannah Reed, senior employment rights officer at the Trades Union Congress in London, says improving consultation over continuity planning offers “a win-win opportunity for employees and companies alike”.

In the past, she says, some companies and organisations paid only lip service to their declared principles of consultation. The new regulations, she believes, will encourage them to listen more closely to staff. And “by talking to staff, they are going to get better insights into ways to make workplaces safer and ensure business continuity”.

In practice it seems companies recognise consultation is important but take a pragmatic view on how much effort to invest in planning for contingencies they hope will never happen.

Mike Lewis, Group Risk Director at global music group EMI, says consulting managers and those with responsibility for particular locations is essential to identify continuity risks and achieve the best solutions.

“We polled a number of key managers in our core businesses and key locations before finalising our recovery strategy,” he says. “That helps you get it right.”

That done, EMI was able to produce a global business recovery strategy that includes assessment of the recovery strategies of key suppliers, such as the manufacturers of compact discs.

During the past 24 months, after a risk assessment presented to its board audit committee, EMI overhauled recovery planning. In particular it evolved plans to ensure security of copyrighted music and recordings, ensuring the catalogue, in which much of the company’s value is encapsulated, is well protected.

Some provisions of the standard are universal: evidence of effective procedures for evacuating a building or dealing with a medical emergency is required at every location. But in other respects deployment can vary. “We don’t necessarily need the same arrangements for continuity in Indonesia or Colombia as we do in Britain or the US,” Mr Lewis says.

“Cost benefit analysis is among the tools we use.”

Storage: No back-up means storing up trouble

By Andrew Baxter
Published: June 24 2005 13:52 | Last updated: June 24 2005 13:52

The terrorist attacks of September 11, 2001 focused the minds of chief executives and chief information officers on the nightmare scenario of being without their IT systems, however temporarily, and losing corporate data, perhaps permanently, as a result of an event beyond their control.

As each year goes by there is more data to lose. Estimates suggest the amount of data held by companies is rising by 50 to 100 per cent a year. E-mails alone add millions of data items a day to the average company’s volumes of electronic data storage.

Just to complicate matters, losing data as the result of disruption or error can have more serious consequences because of compliance regulations such as the US Sarbanes-Oxley Act.

The reality, however, is that companies’ back-up and data recovery routines tend to be triggered by events more prosaic than cataclysmic.

“One of the most common incidents involves things like floods and water damage,” says Simon Gay, consultancy practice leader at Computacenter, the IT infrastructure services provider. He recalls visiting one company in the UK whose data centre was situated below ground and was put out of action by flood.

Area exclusions, where the police cordon off streets because of an event such as a fire or a siege, can also be more than just an annoyance, he says. Having a back-up data centre little more than 1km away, as was the case with one company caught up in such an incident, proved to be less than inspired.

Losing data permanently appears to be rare, and depends on the type of storage system installed, while its importance depends on the type of business involved, says Alastair McAulay, a managing consultant at PA Consulting Group, the management and technology consultancy. He recalls one financial services company that suffered little more than an hour’s power outage, but was left with a permanent hole in its historical data sets.

Recovering quickly from an event of this sort is what corporate back-up and recovery systems are for. But the complexity of modern data storage systems means there is no simple solution, nor are companies starting from the same point. “Most organisations’ data centres have evolved and are continuing to evolve,” says Mr McAulay.

He points out that incidents are more likely to involve parts of an organisation rather than the whole company and this can make decision making in a crisis more difficult and complex. Another financial services client suffered from simultaneous, multiple power failures at the end of last year and while it had back-up arrangements, switching over to them in those situations is never as straightforward as it seems, says Mr McAulay.

Carolyn DiCenzo, a vice-president at Gartner Research, the IT researcher, says improving recovery remains a priority for most companies. One area of concern that emerged from a recent Gartner survey involved data protection for remote offices where only 22 per cent of respondents were satisfied with their recovery solution.

“Recovery is often a problem for remote offices, with back-ups not being done properly or not usable for some reason when needed,” says Ms DiCenzo.

Both Ms DiCenzo and Mr Gay at Computacenter say companies should take advantage of new disc based technologies to back up data, rather than rely on conventional tape based technologies. “Anyone relying on tape based recovery woefully underestimates the time taken to recover,” says Mr Gay. “It’s a triumph of hope over experience.”

The cost of disc technology is tumbling while the technology is improving, he adds. Many companies have attempted to solve data storage problems by buying more capacity, says Mr McAulay, but a better solution is to have a data storage manager to control the amounts of data and ensure only what is necessary is kept. “Companies should be asking themselves ‘What data should we recover in an emergency? What do we prioritise?’ and no vendor solution will give them that sense of priority,” he says.

Mr Gay agrees, pointing out that too few business continuity plans involve the business.

“Companies need to understand what is critical in the event of a disaster,” he says. “There is a lack of steer from the business, and to say ‘everything is critical’ is nonsense.”

The Risk Advisory Group: At the heart of a growing industry

By Mark Huband
Published: June 24 2005 13:52

Helping businesses help themselves is no longer the benevolent act it may have seemed in the aftermath of the September 11, 2001 terrorist attacks. A sense of common purpose prevailed as private sector advisers, government agencies and companies themselves sought to address the threat to business operations in the months after the attacks in the US. But in the more than three years that have since passed the roles and outlooks of all forces in the provision of security have changed.


Business Continuity Forum creating Resilience and security

Creating Continuity... Building Resilience...