20 in their 20s The future of business continuity
2014 is the 20th anniversary of the Business Continuity Institute and while it may be an opportune occasion to reflect on how far the industry has moved over the last two decades, it is more important to look to the future to see where it is going over the next few years. Who better to look at where the industry is heading than those who will perhaps be doing most to shape that future, those that are just starting out in their careers? 20 in their 20s is a series of essays written by business continuity professionals from across the world who are all still aged in their twenties, so all still with a long career ahead of them.
Forewords

2014 is the 20th anniversary of the Business Continuity Institute and one of the initiatives I set up during this commemorative year is what I liked to call my 2020 mission – not a look back at everything we have achieved over the previous twenty years, of which there is plenty, but rather a look forward to see what more we can achieve in the course of the next few years. Business continuity is still a relatively young profession and is therefore evolving over time to suit the needs of a changing environment; the challenges we face as BC professionals right now are perhaps not the challenges of the future. So what will these challenges be? Who better to describe them than those who will have to face them – the young members of our profession? ‘The future of business continuity’ is a compilation of stories from twenty BC professionals all in their 20s and still with a long career ahead of them. It is these young people, and many others like them, who are the future of our profession and the future of the Institute and it is encouraging to see that they are being given a voice, and it is insightful to read what they have to say.
Steve Mellish, Chairman of the Business Continuity Institute (2012-2014)

The threats that our organizations face are not the only changes we will see over the foreseeable future; the technology and methodology we use to combat these threats will also see significant change. The culture within organizations that allows us to work together to help overcome these threats will also change, or at least we would like to hope so. There are many challenges to be faced in an ever-changing profession and it is encouraging to see that young people are prepared to take those challenges on. It is also encouraging to read so many stories from people, not everyone but many of them, who have started out in business continuity rather than slowly drifted into it during their career. Young people are the future of the industry and the Institute and that’s why it’s important to give them a voice, just as we have done with the Global Membership Council where we have reserved three seats for members under 35. With such a wealth of talent now joining the profession early on in their careers, it gives me great confidence in the direction that the industry is taking.
David James-Brown, Chairman of the Business Continuity Institute
Contents

From Quebec to Qatar Marie-Pier Desharnais, Qatar
Immense opportunities, massive challenges Jawwad Alam MBCI, Pakistan
The evolving threat of a technology driven world Nathalie Ezzedine AMBCI, Canada
Horizon scanning our future challenges Adam Barrett MBCI, United Kingdom
Using business continuity to manage your reputation Tanya Fischer CBCI, United States
Direct entry – the evolution of a profession Luke Bird MBCI, United Kingdom
But this is how we’ve always done it Stacy Gardner MBCI, United States
Using business continuity to help manage your supply chain Graham Clark MBCI, United Kingdom
Challenges in the business continuity industry Carmen Lee MCBI, Australia
Key challenges for business continuity professionals Nathan Doran AMBCI, United Kingdom
Sharing our passion for business continuity management Sarah O'Neill-Kara AMBCI, New Zealand
Learning from experience Alberto Mattia MBCI, Italy
Is outsourcing the answer? Scarlett Morgan AMBCI, United Kingdom
Our greatest challenge may be our biggest asset Jason McGee MBCI, Ireland
Finding and fostering the right talent Zoe Moulton AMBCI, Australia
Embedding business continuity across the organization Humbulani Sigidane CBCI, South Africa
Moving beyond the methodology and implementing capabilities that matter Jacqueline Rupert MBCI, United States
BCM on a budget Andrew Winkworth AMBCI, United Kingdom
The dangers of the cloud Laura Sweatman CBCI, United Kingdom
Demonstrating the value of a business continuity management programme Harriet Wood AMBCI, United Kingdom
From Quebec to Qatar
By Marie-Pier Desharnais

Marie-Pier Desharnais is an Affiliate Member of the BCI and Head of Business Continuity at the Qatar Foundation, having developed an interest in business continuity through experience of natural disasters. Her passion for travelling is how she ended up on Patong Beach in Thailand in December 2004 when the Tsunami hit. It was on that brutal morning that her interest in the field of Emergency and Disaster Management began. It also showed her what Business Continuity (BC) managers must endeavour to mitigate or recover from. Marie considers herself lucky – nearly 300,000 others were not – and it was that experience which has driven her desire to deepen her understanding of the phenomenon of natural disasters, and to draw lessons from the recovery efforts deployed in the aftermath of that disaster. During her Masters studies in Post-disaster recovery, she subsequently studied the impact of the Tsunami on the Maldives, a country that is particularly highly vulnerable to all manner of natural disasters.
Even though I come from a background where Mother Nature is one of, if not THE biggest source of threats for contingency planners to worry about, the shift to the Middle East has certainly been quite a learning curve. In Quebec, the reasons for invoking BC plans frequently range from floods to strong winds, snow storms and ice storms, or forest fires and power outages, all of which can have severe implications during a period of intense cold. Qatar, however, does not suffer much from bad weather conditions, although it is located in one of the most arid regions in the world. Aside from the extreme heat in summer time and infrequent sand storms, which can sometimes leave drivers with reduced visibility and create respiratory issues for outdoor workers, the weather is generally pretty stable. Rainfall is rare. However, some sections of the roadways occasionally become substantially flooded in the rare event that it does rain, and this is the result of a built-up environment with an ineffective drainage system. Minor earth tremors from earthquakes across the Gulf in Iran and Pakistan are even rarer than rain showers. Some even pass unnoticed by the general population.

Ultimately, the biggest threats for BC managers in Qatar and the rest of the Middle East are, from my experience, the man-made type. Fires, domestic and commercial gas (butane/propane) tank-related explosions, and cyber terrorism have been the most common threats in Qatar in recent years. The country is young and its laws and regulations framework is somewhat undeveloped or not optimally enforced. In addition, the country’s resources are stretched by a massive infrastructure development programme that may be surpassing the capacity of its authorities to regulate. In fact, it is believed that several of the fatal incidents that Qatar experienced during the last few years could have been avoided if more thorough / regular inspections had taken place.
This challenge, coupled with the fact that there is generally an absence of a culture of preparedness, sets the bar high for any BC manager working in this region. The current lack of awareness towards BCM and its related dimensions is the origin of our daily battle to keep BCM on top of the agenda.
As a matter of fact, working for an organization which is neither part of the financial sector, nor the oil and gas industry, has proved to be even more challenging as we are not required to comply with any regulation. Additionally, most of the organizations in the Middle East are composed of various nationalities. Increasing the awareness of BCM and the regular communication of key BC messages can be challenging in such a complex and multicultural context. Qatar’s population is made up of scores of nationalities, each with their own knowledge, or the lack thereof, of BC.

The political horizon certainly brings its fair share of challenges as well. For a foreigner without an Arabic background, fully understanding the reality and being able to follow the evolution of conflicts in this region automatically means having to rely on a wide range of sources. And even with reliable and accurate sources, our comprehension of the facts may not always be perfect. A lack of previous relative exposure to these kinds of complex events, combined with a limited knowledge and first-hand experience of Middle Eastern conflicts means there are, in my opinion, real barriers to our understanding of the facts. It is therefore quite challenging to predict the magnitude of any given event even though it is partially our job to anticipate and measure its possible impacts.

Nonetheless, working in this region presents some very unique opportunities. When I joined my current organization, there was no BCM programme in place and the Emergency Response and Crisis Management structure was still very young. The opportunity to develop, structure and implement such a programme from scratch is exciting. Each completed step definitely feels like a great accomplishment in an organization which is effectively starting with a blank sheet. Being one of the leaders of a positive, and hopefully far-reaching and long-lasting, change is thrilling.
Knowing that each step accomplished towards developing the programme across the organization is leading us to a more resilient environment is quite a fulfilling feeling.
Immense opportunities, massive challenges
By Jawwad Alam MBCI

Jawwad Alam MBCI is an Information Security Professional and Information Systems Auditor currently working with a government body in Pakistan. His first exposure to business continuity came during his studies where there was a course on DRP and his first job required him to create a DRP for his organization. Jawwad has prepared BCPs as a consultant and as an employee, and has audited them when he was working with a ‘Big Four’ audit firm.
Disasters need not be catastrophes; any event with unfortunate consequences can be labelled as a disaster, and business continuity planning is absolutely mission critical for organizations of today, as there are many new threat agents lurking around internally as well as externally that may cause an event which shall have direct or indirect effects on an organization. Business continuity as a field has matured in certain countries; however, in developing countries like Pakistan this field can be labelled as infant. Very few organizations in Pakistan have started any sort of business continuity initiative; for most, taking backups of an essential database is pretty much it. This brings us to the point of immense opportunities in the field of business continuity. Apart from financial institutions and multinationals operating in Pakistan it is rare to come across local industry running a business continuity programme.
Business continuity can be sold to the Pakistani market if certain challenges are addressed.

1st Challenge: There are extremely few professionals in this field. Business continuity is not being taught at university level, therefore the entire new workforce being delivered by the academia is not aware of this field. This is because academia runs programmes that result in people getting jobs so if no job market exists then institutes will be encouraged to offer courses or specialisation in business continuity.

2nd Challenge: It’s a niche job market. Organizations do not employ core business continuity professionals as they do not see this as an independent field. Wherever there exists any programme it is dominated by database experts as many feel that backups are business continuity. The main reason for this is that the people who matter, the people who are in senior management roles, are either not aware of what business continuity is or they do not understand its significance.

3rd Challenge: There is a lack of awareness. What is business continuity and what is its significance to an organization? If this question is posed to owners of businesses or top management of organizations, many would fail to adequately reply to it. Is it their fault? No, it’s our fault, it’s the fault of the entire business continuity community that has paid significant attention towards big countries but has taken minimal interest in spreading awareness in emerging markets.

Every challenge can be responded to if analysed, prioritised and planned properly. To make the Pakistani market open to business continuity professionals and to make the local industry more resilient the world community needs to help. On their own the local business continuity professionals cannot survive in Pakistan which results in brain drain of whatever local qualified professionals are working in the Pakistani market.
When awareness is spread, job opportunities will be created that in the short term can be filled by international market professionals while the local academia start preparing the next generation of business continuity professionals. Business continuity is a field with immense opportunities but with massive challenges. These challenges can be overcome by the collaboration of the international community with local community in spreading awareness of business continuity planning. This task should not be that difficult as Pakistan is at the forefront of global war on terror whose industry, organizations, businesses and most importantly the people have immensely suffered. Business continuity is the need of the hour, an issue that needs to be addressed to ensure local market survival.
The evolving threat of a technology driven world
By Nathalie Ezzedine AMBCI

Nathalie Ezzedine AMBCI graduated in 2008 from the University of Montreal, Canada, with a Bachelor of Science in Biology and joined Mead Johnson Nutrition that same year. She started as a specialist in the company’s Consumer Resource Center, later transitioned to the Order to Cash department and is now working as a Quality Assurance Associate. Nathalie’s varied background within Mead Johnson made her the perfect candidate to be the BCP Coordinator where she helped develop the BCP plan for the Canadian organization.
When I was asked to help develop a business continuity plan, little did I know that acronyms like BIA, RA, RTO, and MPTD would become my new dialect for the next couple of years. I also didn’t expect to discover a new science, new opportunities, and completely new ways to think about my organization. Following my initial BCP experience, my curiosity and ambition drove me to subsequently complete my Certificate of the Business Continuity Institute (CBCI). For the following year, I worked on developing BC Plans for additional markets, and was eventually able to achieve AMBCI status. In today’s continually evolving and connected world, I think the practice of business continuity is a critical element in business survival more than ever. In the current business environment, it is difficult for companies to identify all the potential threats and prepare for them. However environmental, terrorist and economic threats are genuine growing concerns, not only for our businesses but also in our personal lives. Earthquakes, bombing attacks, and recession alerts have now become routine and are here to stay. Another area of concern is an increasing reliance on technology and computer systems. Many people assume that data stored on a computer or in the cloud is secure. In reality, it has been repeatedly proven that technology is not fail proof, computer hacking is on the rise and new computer viruses are discovered daily. One cannot be cautious enough with data storage security because a company can lose credibility as a result of a single data breach. For this reason, every business should consider technology breaches as an additional threat as they develop their BCP. To ensure companies are prepared to face threats and properly mitigate risks linked to them, business continuity professionals agree that it is best to plan for the impact rather than the individual threat. 
Understanding your threats and keeping abreast of any new ones are key to successfully recovering from an incident. These threats can impact a company’s people, facilities and/or systems, so it is important to focus on these areas when developing your BCP. Additionally, be sure to consider any impact that the threat may have on your suppliers. Understanding the link and interdependency between your business and its suppliers will allow you to learn about your overall business and identify gaps that you can address while building your BCP. Proper and routine exercising ensures that you have truly closed all gaps, and is a crucial step to validate your BCP. I see business continuity training as a much valued attribute for young professionals in the corporate world. I truly believe it can help individuals stand out above their peers with similar CVs and qualifications. By having business continuity experience you become a better rounded individual with constant risk awareness. Being early in my career, the benefit AMBCI status offers is enormous and will continue to benefit me for the rest of my career.
Horizon scanning our future challenges
By Adam Barrett MBCI

Adam Barrett MBCI is a consultant at SunGard Availability Services, having previously worked within Financial Services, Telecommunications and Retail BC functions. He holds an MSc in Risk Analysis from King’s College London. Adam was recently elected to the BCI’s Global Membership Council as a Future Leader.

What are the new threats facing an organization’s ability to operate and how can we summarise the challenge they present to BC Practitioners? As an individual, it's hard to gauge what the 'next big threat' will be. We can, however, interpret the available data we have. This can be used to determine the key challenges we will face and inform the developments the profession requires. According to the BCI’s Horizon Scan 2014 report, the top threats we are looking to evaluate the implication of are:

1. Use of internet for malicious attacks
2. Influence of social media
3. New regulations and increased regulatory scrutiny
4. Prevalence and high adoption of internet-dependent services
=5. Potential emergence of global pandemic
=5. Increased Supply Chain Complexity

The thematic connection between all of these items is their predominant basis in other specialist fields. They share similar challenges too. Rather than focus on the challenges we can explore potential developments or changes, which will aid tackling these potential threats:
[Figure labels: Use of internet for malicious attacks; Influence of social media; New regulations and increased regulatory scrutiny; Prevalence and high adoption of internet-dependent services; Potential emergence of global pandemic; Increased Supply Chain Complexity; Wider awareness of specialist 'back-office' areas; Increased Organizational Presence; Adapting existing models; Scenario specific planning]
Wider awareness of specialist 'back-office' areas: We are now looking to evaluate legal, public relations and supply chain issues more intensively than ever before. Though a concern for a considerable period of time (reflected in, for example, the ISO Standard), we are now expected to become far more involved and aware of these long-established specialist areas. We are to provide greater direction in planning for and responding to their issues. Arguably the capacity for the BC practitioner to do this has become greater, as the capability to resolve the 'traditional' resourcing requirement issues is becoming easier to overcome with shifts towards virtual desktop environments, virtual hosting machines, IP telephony and the wider availability of high-speed connectivity. This of course is underpinned by well-established good practice for the management system itself.

Greater technical expertise: The advent of a greater array of complex software on high-powered hardware, which has enabled greater recovery capabilities, requires us to have a greater technical expertise. It's not only the solutions to our requirements that are demanding this, it's also the ‘high adoption of internet-dependent services’ combined with the threat of the ‘use of the internet for malicious attacks’. Business operational areas are now better informed of the genuine risk posed by 'cyber threats.' The shift in perception that these risks are inevitable is resulting in greater guidance being sought on the availability solutions available to meet their recovery objectives. With the greater adoption of online services, the acceptance that malicious attacks will happen and combined with the need for the BC Practitioner to obtain the appropriate capabilities, an increase in technological expertise is essential.
Increased organizational presence: Given the expectation that facilities management requirements will continue to be a lessening challenge and the need for greater involvement in other specialisms, it will become common for the BC practitioner to have highly-frequent engagements with technology, but also regular engagements with procurement, legal and corporate communications. This will see the further provision of expertise to tackle risks posed by new regulations, social media 'incidents', key suppliers etc.

Adapting existing models: The shifts towards more complex hosting technologies and the interactive complexity of an organization’s critical processes will require a change in approach. BIAs will need to be able to capture far more technical information, BC policies should more often account for the internal and external factors as outlined in existing standards and plan review schedules include scenario specific plans.

Extensive scenario planning: Strategy and planning for departmental disruptions should continue to become easier through sharing of good practice and aforementioned technology solutions. In contrast, there may be a need for greater scenario specific planning, as top management seeks to gain value from BC by mitigating against their organizations' most significant business interruption related risks, from the loss of key suppliers to the regular review of pandemic plans.

It may be felt that there's nothing novel stated here and that perhaps even available standards go some way in providing guidance on managing these threats. On the other hand, I would ask you to consider the gap between how a BC practitioner is typically defined in a job description versus the dominant issues we are expecting to evaluate in the coming year. I would suggest there is need to continually assess the role BC is fulfilling and the expertise needed to do so, to enable a greater sharing of developments and good practice.
Using business continuity to manage your reputation
By Tanya Fischer CBCI

Tanya Fischer CBCI is from New York and recently graduated from Adelphi University with an MSc in Emergency Management through which she was able to take a business continuity class as part of the curriculum. When she took the business continuity course, she found her undergraduate studies in organizational communication combining with her graduate studies in emergency management made everything click. This is something she has become very passionate about, and is excited about starting a career in this exciting and growing field.

As someone who is just starting out in the field of business continuity, and interviewing with organizations across the United States, I am foreseeing the biggest challenges for business continuity professionals will be advancing and ever-growing technology, and organizational buy-in. Technological advances are certainly beneficial with the advent and improvement of cloud computing, mobile devices, social media, and virtualisation. With data moving into cloud based computing and virtualisation, the risk of a breach of security increases. Hackers repeatedly find their way into corporate data, as with the recent Russian hackers who jeopardised organizational privacy for several hundred thousand websites. Additionally, power outages and connectivity disturbances put an organization at risk when their processes are digitised. Redundancies are necessary in order to reduce the risk of losing data when a disruption occurs, but these redundancies can become costly, especially when a company utilises offsite back-up systems, which is why cloud computing has become a more cost effective system. However, while cloud computing does simplify back-up and recovery, security and privacy are not ensured, and downtime and outages will still occur.
These issues with moving to the cloud are compounded by the dependency on the third party vendors, which in turn, limits an organization’s control over the function and execution of the hardware and software. Social media and mobile devices are also a double-edged sword when it comes to business continuity. The prevalence of connectivity is certainly positive, but the power is now being removed from the confines of a secure office building or controlled public relations situation. The more of a presence a company may want to have on social media can become troublesome and may cause a disaster situation of its own. Numerous companies have suffered the inappropriate tweet, hijacked hashtag, or hacked account, for which damage control must be implemented. While these issues are generally more of a PR nightmare, they can also affect stakeholder relationships and bring to light the questionable security that is associated with social media. This ongoing evolution towards digital dependency creates a tumultuous future for business continuity. Business continuity management technology programmes that are out there are certainly making great strides to ensure more companies are capable of implementing business continuity, although organizational buy-in will still be a challenge. All too often, BCM isn’t seen as a top priority; important perhaps, but not the highest. With the recent economic crisis, many companies downsized their business continuity teams, and are in the process of rebuilding. Unfortunately, it may often take a company failing or experiencing significant loss for them to realise the importance of their business continuity team and plans. Fortunately for many organizations, industry standards are mandating that business continuity management be in place, however sustaining a robust programme and staff is not necessarily a top priority for all organizations. 
It is suggested that to garner organizational buy-in, business continuity practitioners should emphasise the benefits to implementing business continuity management and the consequences of not having a full-bodied programme in place. As one interviewer conveyed to me, the organization needs to determine on a scale of one to five what type of BCM programme they want to have; if it’s a five, they need more money and likely more business continuity personnel, but if it is not seen as a priority, a company will be satisfied with a three.
It isn’t enough for an organization to just have plans in place, they need to have a whole programme set up in order to compete. If an organization lags behind their competitor, they will be overlooked. It has been an interesting experience interviewing for business continuity positions throughout the United States. The emphasis that each organization places on business continuity varies from one or two specialists to whole departments. Some programmes have been in place for several years while some are newly formed. It is becoming crucial for organizations to implement and maintain their business continuity plans and processes in order to sustain a competitive advantage, and as such business continuity practitioners are going to need to deal with rapidly advancing technologies and have to defend their place in an organization.
Direct entry – the evolution of a profession
By Luke Bird MBCI

Luke Bird MBCI is a Business Continuity Executive at Atos BPS working on the National Savings & Investments Account (NS&I). He has spent the last few years in the public sector working on emergency planning and business continuity, inclusive of crisis management responsibilities. At Atos, his main responsibility is to ensure that the NS&I is able to maintain its ISO 22301 certification through provision of documented evidence as well as promoting a culture of business continuity throughout the organization. This is routinely achieved through supporting managers in writing their business continuity plans, providing awareness training, facilitating exercises to validate procedures and undertaking business impact analysis across the business.

The business continuity landscape is changing... There’s a new and rapidly growing breed of professionals directly entering into the industry from universities and colleges. The very makeup of the profession is evolving as our membership moves away from those who were perhaps dropped in to business continuity almost by accident. The potential for continued growth in this area could lead to a dramatic shift in the number of BC purists emerging via this direct academic route. This is something that I believe the industry needs to be ready for.

An increasing number of universities and colleges around the world are beginning to recruit students to undertake business continuity modules as part of their undergraduate degrees as well as offering post graduate programmes that are exclusive in content to our discipline. In the UK, the number of universities now offering either part or full business continuity related postgraduate courses has increased dramatically over the last decade. The briefest of searches online will cite the likes of Coventry, Leicester, Bucks and the University of East Anglia all offering variations of a similar course.
If this period of growth is sustained until 2020 we could potentially witness an influx of individuals who are starting out in their careers without any other previous experience of working in industry. One of the greatest challenges we should expect to face with this in mind is our ability to bridge the gap between academic theory and vocational practice. As a hotly debated issue by politicians in the media, universities are churning out graduates at an impressive rate with questionable regard as to how far they equip their alumni with the vocational prerequisites. Much like any industry there is still an undeniable gulf between the cap and gown competency and the all-round professional and it would be short sighted of us to hope that the class of 2020 will simply learn as they go once they achieve their Diploma. How well are we currently communicating as a profession about what life is really like in the working world of business continuity? A great example of an initiative launched by The Chartered Insurance Institute was a website called ‘Disaster Risk' which is a fantastic resource devoted to outlining the skills and characteristics required to fulfil particular roles, as well as what they could expect to experience once employed. Perhaps the class of 2020 would benefit from a similar service? Speaking as a junior professional, I have personally felt the absence of this facility. This has led me to produce my own blog site called BlueyedBC which aims to share and collaborate with my peers about our industry experiences. The site has reached over 5000 visitors within 6 months which has led me to believe that there is a real appetite for something like this.
Ultimately, I would expect that by 2020 our profession will have on offer a wider selection of cost effective training opportunities that add tangible value to our junior professionals but also combine a healthy hybrid of academic and vocational learning. We need to influence the development of vocational learning in the coming years so that newly qualified individuals are better equipped to begin their career than simply being able to recount the BC lifecycle and a handful of case studies. The BCI as a relatively young organization in its own right have made some positive steps towards dealing with this particular challenge via the introduction of its mentoring programme, mock exams, and masterclasses. Nevertheless, more work needs to be done to widen the focus of learning from theory to practical skills if this anticipated growth is realised.
But this is how we’ve always done it
By Stacy Gardner MBCI
Stacy Gardner MBCI is a Managing Consultant at Avalution Consulting, having joined the firm in 2006. She works with clients globally to design and develop their business continuity programs, emphasising the use of best practices, a blend of risk mitigation response and recovery techniques, and flexible, innovative approaches to preparedness. Stacy first got involved with business continuity by chance, as part of a college-required co-op program. As a Computer Science major, she started in a law firm’s Information Security group but moved over to business continuity to ‘help out’, where Stacy quickly found her niche and made her career within the field. Stacy was recently elected to the BCI’s Global Membership Council as a Future Leader.
I think the greatest challenge facing the business continuity profession is the mindset, “well, this is how we’ve always done it”, as well as practitioners taking a ‘bottom up’ approach when developing business continuity programmes. In order to truly understand and address business needs when developing business continuity programmes, the next generation of business continuity professionals must become much more familiar with the business, specifically its strategy, products, services, obligations and customers. Our profession developed out of necessity in the 70s and 80s, to address the dependency on and real threat posed by a centralised technology hardware failure or data loss. Protecting the business from a loss of other resources – facilities, people, equipment and suppliers – followed, but often developed based on a specific threat or need. Many organizations didn’t even start thinking about what we now know as ‘business continuity’ until they themselves experienced a disruptive incident or close call, or were required to do so by a customer or regulator. As a result, many business continuity programmes have been pieced together to meet specific requirements, but often by people who weren’t ‘business continuity experts’ and often weren’t even business experts. Characteristics associated with these piecemeal programmes include threat-specific plans with unique response strategies for every type of possible threat. While this approach aligns with an unofficial business continuity motto ‘be prepared for anything’, it doesn’t enable a programme that truly understands the business in order to meet what the business needs. Threat-specific preparedness will not enable organizations to respond to the shifting risk environments of the future, mainly because the threat landscape continues to evolve. Threats globally are changing to be less predictable, more costly, and more visible.
Globalisation has interlinked our world so that a catastrophic event in one geography may have cascading impacts across the globe. Organizations can no longer take the isolated approach of just planning for their own threats and preparedness, and business continuity practitioners can no longer take a threat-specific approach to planning.
Business continuity practitioners should view their role not as a disaster preparedness expert, but seek to become a ‘business expert’ by analysing the vision and mission of their organization and customer dependency on their products and services, to understand the ‘why’ that should guide the programme. Our end goal as business continuity practitioners is not to prevent disasters or mitigate all risk (although those elements contribute), it’s to enable continuity of the business within required objectives. To adequately protect something, you must first understand it (and do so using a top-down approach). Using a top-down perspective of the organization provides strategic guidance to business continuity programmes that can often be far too tactical, and clarifies programme objectives prior to developing strategies and plans. This approach also provides an opportunity to get management involved early in the process, so that they can provide input and validate priorities, as well as provide insight on risk tolerance and acceptable loss. A top-down perspective also enables inclusion of the right departments or business units, and helps provide the business with validation on why business continuity is important and needs attention and support. Seeking to understand high-level organizational priorities and identifying business resources required to support organizational priorities allows strategic planning that can respond based on loss of resources (e.g. personnel, facilities, equipment, technology, suppliers, etc.), rather than a specific threat. An organization’s response strategies and plans should provide leadership with flexible, actionable guidance that can be used in any situation to control the situation, assess impacts to resources, select appropriate recovery strategies to address resource loss, and oversee the return-to-normal process.
Taking the time to understand the business can also provide long-term programme maturation opportunities. Strategic organizational insight can present opportunities to align or integrate business continuity into other business initiatives, such as enterprise risk management, supplier management and decision-making, change control, and strategic decisions (e.g. moving facilities). This approach enables business continuity strategies and capabilities to change before or as the organization changes, rather than only on an annual basis, and can provide opportunities to mitigate unnecessary risk prior to implementation. Overall, in order to identify and meet the needs of global, ever-changing organizations and the threats they face, practitioners should seek to develop a mindset, and eventually a business continuity programme, that reflects strategic priorities, proactively mitigates risk based on business need, enables reactive, flexible response, and changes as the business changes.
Using business continuity to help manage your supply chain
By Graham Clark MBCI
Graham Clark MBCI is the Business Continuity Manager for DHL Supply Chain Europe, Middle East and Africa (EMEA) region. He is responsible for developing and maintaining the BCM agenda across 21 countries and 500+ sites. Graham graduated from Warwick University with a BEng in Civil Engineering and has been a member of the Business Continuity Institute (BCI) for the past five years.
Today’s businesses are reliant on their supply chains being fully operational – no matter what. Yet as supply chains become leaner, more complex and global they face an increasing risk of disruption. In addition, over the past few years, disruptions in our globalised economy are becoming more common and this trend is expected to continue.
Historically, businesses have focused on threats such as natural disasters (earthquakes, heavy snow etc) and operational risks such as power outages and unplanned IT failures. Whilst these still persist, we have also seen a significant rise in civil and political unrest across the globe such as the London riots, the Ukraine crisis and Thailand’s military coup. While some may blame globalisation for these supply chain disruptions, if managed correctly globalisation isn’t the problem; it’s a world of opportunities. If a disaster prevents companies from sourcing products from one country, globalisation gives companies the flexibility to source products from another. If done correctly, globalisation can actually protect companies against disruption. Since starting my career in business continuity, I believe that many companies claiming to focus on business continuity have simply been trying to fix the broken link in the supply chain when an incident occurs and then continue as usual. While this may have worked so far, it is not enough. Companies need to shift their focus from reactive to proactive risk management. They need to be prepared in advance of these disruptions. As a profession, to ensure these disruptions do not affect supply chains, we must take a long-term view of the problem and come up with a long-term answer. Even if you are able to fix the broken link in a supply chain and recover in the short term, you will still need to deal with after-effects such as the impact on your share price and shareholder value, on customer relationships and operational performance. The short-term view is short-sighted. As a profession we need to influence top management and key stakeholders to invest in this long term plan. A holistic approach to business continuity is also required across an end-to-end supply chain to ensure that all links in the supply chain are resilient.
This task is not always simple with supply chains spanning the globe and potentially thousands of different factories, distribution centres and stores across many different countries. With globalisation making supply chains more complex, now more than ever, I see great potential for the use of new technologies and software to help provide end-to-end resilience across a business. Whilst Word, Excel and PowerPoint documents have historically been used to support local business continuity requirements for a single location, they can’t provide a live, integrated solution across the entire supply chain. Business continuity documents and procedures won’t however provide resilience on their own. We need to train people to be ready for the unpredictable, and then let them act autonomously. A business could have the best business continuity documentation in the world, but unless the team responsible for using them is competent, trained and empowered, they will fail. I believe that this can only be achieved if you instil a culture of continuous improvement in a business that encourages employees to find problems and solve them. With a culture like that, a disruption will be resolved as best it can on the frontline, and not after days of alignment within your organization. Over recent years business continuity has evolved from a ‘nice to have’ to a contractual requirement. Functioning supply chains are the lifelines of the modern world and the importance of business continuity can only increase in the near future.
Challenges in the business continuity industry
By Carmen Lee MBCI
Carmen Lee MBCI is a manager in KPMG’s Business Resilience based in Sydney. Carmen has over 10 years of experience as a medical emergency first responder and 7 years of experience providing business continuity, crisis management and service continuity consulting services to clients within the financial services and government sectors. Carmen takes an interest in developing better ways of managing disruption risk and is particularly interested in new approaches to quantifying and measuring organizational resilience.
Like doomsayers, we prepare organizations for the worst case event at the worst possible time. Sometimes, we even chuckle in glee when disaster strikes because it is that one ‘I told you so’ moment where we justify our planning and existence. And we wonder why people don’t like sitting next to us. Everyone wants a seat at the metaphorical table, but no one wants to sit next to the pessimist crying out tales of failure spawned by ineffective governance, lack of investment and a dysfunctional relationship between business and technology. In an ever competitive environment, those who come bearing promises of measurable wealth are welcomed to the table. And those bearing news of imminent doom graphically represented in colourful matrixes of probability versus impact are forgotten until it is too late. For too long business continuity has ruled on fear, ‘what ifs’ and worst case scenarios. The greatest challenge for business continuity to overcome in the future is to maintain optimism: to change our perspective from risk as a nuisance to risk as an opportunity. This is in risk management standards today, but is something very few achieve. It’s a difficult change, but it is critical in ensuring business continuity stays relevant as disruption risk increases in prevalence, but decreases in predictability. This change begins at the individual, changing our mindset and the way we personally see the world. Too many business continuity professionals are jaded and cynical, perhaps trodden down by bygone years of apathy or buried under reams of redundant plans that no one will ever read. It’s easy to forget that business continuity is one of the rare disciplines that can sit across business and IT silos. From our perch, we have an opportunity to understand, challenge and change the way businesses do things to increase efficiency.
A business impact analysis exercise can either be a mundane mandatory compliance activity, or it can be an opportunity to revisit business processes and allow employees to see the bigger picture. Change begins at the individual, and if we can be more personally optimistic, we're better people to work with, more appreciated and a more useful resource to our organizations. Optimism is infectious. As business continuity practitioners, we have the privilege of being able to touch on almost every part of an organization and its vendors and customers. The way we conduct ourselves and interact with our businesses with opportunities in mind allows us to positively influence the collective mentality of an organization. In the quest for efficiency, words like innovation, agile, DevOps and design thinking get thrown around a lot. In essence, they all involve decoupling people from set ways of thinking. Organizations these days need to be more nimble and responsive to customer demands in an ever competitive environment. There is no one better placed than the business continuity professional to connect the dots, to understand the interdependencies and impediments and also influence the future.
By changing the way we think and how we interact with others, we open ourselves up to the right mindset for turning risks into opportunities. Organizations are now embracing cloud service providers, from infrastructure as a service to hosted enterprise email solutions. A decade ago, this would have been considered beyond the risk appetite of an organization and unacceptable. A change in thinking has allowed the adoption of these technologies to provide more cost effective and resilient technologies. With a changed mindset, we start drifting away from the ‘cannots’ and we move towards the possibilities of the ‘can do’. Yes, there will still be a place for professional scepticism and caution. But the task of tackling personal and organizational optimism is a step towards the holy grail of true resilience, and a formidable challenge for business continuity professionals now and in the foreseeable future.
Key challenges for business continuity professionals
By Nathan Doran AMBCI
Nathan Doran AMBCI is a Business Continuity Consultant for Serco Global Services specifically and covers 13 UK sites along with Berlin, Krakow and Cape Town. Nathan began in Operational and People Management, but decided on a change of course into business continuity in 2010. After being involved in preparing a BCP in his previous operations role within Serco he found the topic very interesting and, by coincidence, a brand new BC role was created shortly after. He applied, and the rest as they say, is history!
The very nature of the world that we live in dictates an ever-changing operational environment for many, if not all, businesses. As business continuity professionals, an awareness of this evolving external world and its potential impacts on our organizations is vital to ensuring the successful analysis, implementation and maintenance involved in a Business Continuity Management System (BCMS).
Macro-economic environment instability
While the green shoots of financial recovery are becoming more visible, slow and inconsistent economic growth across many sectors continues to concern many organizations. While growth remains slow, margins continue to be tight, particularly for small to medium businesses, but also for large multi-nationals. In a tough financial climate, business continuity can easily be perceived as a ‘luxury’ or ‘a nice to have’ function by top management, as the focus shifts to attempting to increase revenue rather than internal spend to strengthen resilience. This is where the creativity of a BC professional is required to provide no or low cost strategic BC/DR options rather than pursuing costly channels of third party work area recovery or expensive investment in IT infrastructure. Putting time and effort into detailed analysis (particularly financial loss analysis) can be very persuasive to top management during austere times. By evidencing and quantifying the potential loss of revenue a major outage to the organization would have, top management are more likely to consider strategic options. Assigning financial risk against BC on the corporate risk register will also ensure that it remains tracked on a monthly/quarterly basis. When compiling the strategic options all avenues should be explored to offer a range of routes to pursue.
Generally speaking offering a ‘full bells and whistles’ option with associated costs and a ‘we do nothing’ with associated financial risks, is likely to result in management taking the middle ground which could include remote working, re-prioritisation of service lines to free up office space or strategic recruitment into other sites to increase resiliency across the estate.
Increasingly unpredictable climate change
Barely a week goes by without the media reporting climate change activity, whether it is an unexpected heat wave, flash floods or record snow fall. As these random weather events continue to increase in frequency, so do the potential risks that are associated with them. Mitigating the risk of climate change to the business should take a two pronged approach based on the two key areas of risk – facilities and people. Work can be carried out (preferably with support from facilities teams) to risk assess sites for flood risk, power resiliency or building access single points of failure, before decisions can be made on flood defences, generators etc. Additionally it is always wise to have an understanding of what level of buildings insurance is in place to reduce the financial and resource impacts. Working with employees at all levels can prepare the organization for the challenge of transport and travel following storms/snow/heavy rainfall. Understanding geographical locations, main arterial routes to work and what alternatives are available enables better identification of workarounds. It can also help staff feel more valued and may lead to greater cooperation if/when required to put plans into action. While the general inference is that this type of challenge will continue to grow in the foreseeable future, one cannot lose sight of the difficulties that a large number of BC professionals encounter throughout different stages of the BC lifecycle irrespective of business challenges.
Lack of top management commitment
Ultimately mitigation of BC risk is seldom cost-neutral or low cost and as a result, securing Board Level support for BC can prove difficult. Any impact to the bottom line figures to mitigate what many perceive to be ‘something that will never happen’ is a challenge all BC professionals face.
This can be addressed by carrying out continuous BCM awareness across all key stakeholders to demonstrate how improved resilience can benefit them and their operation from improved legal and regulatory compliance or meeting contractual commitments, to revenue protection and staff welfare.
Failure to create a business continuity culture
A business can have extensively detailed BIAs, the best looking plans and the most knowledgeable and experienced staff in key roles within those plans, but the whole BC management system could fail without the support and understanding of the rest of the business. Integral to this is ensuring that BC thinking and risk mitigation is built into strategic decision making. This can determine where and how you recruit, for example, if there is a lack of resilience at a multi-site contract, rather than backfilling any attrition directly into the same site there may be a case to expand staffing numbers across other sites. This is lower cost than many other alternatives but relies heavily on BC being culturally embedded in order to be successful.
Sharing our passion for business continuity management
By Sarah O’Neill-Kara AMBCI
Sarah O’Neill-Kara AMBCI has worked for the New Zealand taxation authority, Inland Revenue, since 2007. Having finished university, gaining a Bachelor of Commerce and Administration and a Bachelor of Arts in International Relations, it was her father, himself an Emergency Manager, who suggested business continuity may be a field in which to use both of her qualifications. Sarah applied for the Advisor Business Continuity and Emergency Management role to look at embedding the lessons learnt following the Canterbury earthquakes in 2011 and was appointed on the basis of her knowledge of frontline services.
Coming into the world of business continuity it can appear that we have started on the back foot, and in a fast paced world BCM has to diversify or fear being left behind. The biggest challenge we will face in the foreseeable future is proving the value of our services in a resource competitive environment. We have to change the way we talk to people and work smarter, whilst remaining agile enough to keep up with technological expectations. Unfortunately, our success rides not on the efficiency ratings of the services we provide but rather the willingness of our clients to take ownership. I’m of the generation where finding a job straight out of university and sticking to it for the next 30 years is no longer expected, nor is it guaranteed, and this can diminish levels of motivation greatly. As a student I recall many parental pep talks based around a recurring theme of finding the passion for whichever subject an assignment had and why it was important to me – it worked. Now I find myself challenged to convince others to be passionate about business continuity, and I have an elevator speech relating business continuity to a family BBQ. This speech rarely gets the inspired response that I hope for, and while it makes sense to me, it lacks genuine meaning to the listener. We cannot continue to tell the same story; instead I encourage you to ask your clients what is important to them, and tailor your explanation to inspire them to be passionate about business continuity. In addition to making business continuity more relevant to our clients, it’s imperative that we work smarter by using what is already available to us – we simply have to ask for it. Ask your clients what outcome they want from implementing BCM and manage those expectations from the outset. We are responsible for giving them the tools to prepare themselves for disruptions in a way that is useful and not always in a traditional linear pattern. 
It’s important to acknowledge the tacit knowledge readily available in most businesses, where managing disruptions has been part of business as usual for years, and offering a simplistic method of capturing that information and challenging the existing assumptions as a means of improving what is already available. While we cannot offer a tick-box process we can work harder to make the process easier and tailored to our clients’ needs. Furthermore, business continuity has to be modern, accessible and simple to maintain. With shrinking budgets and drawn out procurement processes it can seem almost impossible to get access to up to date BCM tools. More often than not I provide helpful suggestions on types of technology that could be implemented to improve BCM although there are fewer helpful tips on how to justify obtaining such tools. There is an expectation that a small BCM team with no allocated budget will front up with all that is asked for. We have to work smarter at realigning this expectation to ensure that either reality is reflected or BCM is resourced to meet client needs. We are limited by our imaginations as to what future challenges exist, currently it seems we are not taking advantage of the complex environments within which we are working. It’s important to note that the nature of threats will not change but their complexity will increase, and it is flexibility that will ensure BCM has value.
While change is slow, the demand and expectation for transformation is instantaneous, therefore the greatest challenge to BC professionals in the foreseeable future is ourselves. Diversification is crucial. We have to try different approaches to ultimately become multidisciplinary and play into the hands of those who need our services. To do so, we need to start asking the right questions, by being in the right place at the right time.
Learning from experience
By Alberto Mattia MBCI
Alberto Mattia MBCI is Managing Director at PANTA RAY and Secretary-General at HI CARE Association. Graduated in Economics and Finance at the Università Bocconi in Milan – Italy, Alberto has started his career in the US at BT Radianz and then JPMorgan Chase Bank. He has then worked as a Project Manager at Centrobanca (Corporate and Investment Bank of the UBI Banca Group) and as a Risk Manager at UniCredit Group.
Funny story: I was once a freshly graduated banking professional, with very little working experience and a genuine aspiration for an astonishing career in some international financial institution. Given the current situation of global economy, this should be funny enough. Anyway, I was talking to my managers about my performance during the year and they seemed to be very happy about my job, until one of them stopped and said: “Well Alberto, it is not hard to be outstanding in this department!” – I was a risk manager at that time – “Too many middle-aged people who work here did not choose it. They have been assigned to this function just because they were unable to do business”. It may seem harsh to say and of course I met several excellent experienced risk managers as well, but he was right. The ongoing crisis and the financial statements of the most important banks all over the world clearly highlight a very long period with complete lack of concern on risk management. Now, as a business continuity professional, I find myself thinking about the challenges ahead and especially to demonstrate that young people do choose to work in this field. The first challenge I see as a person who actively took a career path into business continuity is the following: learn from the mistakes of risk management, invest in the development of our competencies and build a network to help spread the culture!
Business continuity is definitely the most powerful organizational tool I know to ensure a sustainable growth to an enterprise, one that should be applied to any industry and it involves each function of an organization. Could you imagine a better field than this to make a 360° experience for a talented man or woman in his/her 20s? I am very excited about the opportunities offered by the business continuity segment to young professionals and I also do think we can contribute to the progress of this subject. In fact, my generation does not know the meaning of the word ‘unthinkable’ and we are quite used to quick changes. We hardly remember what taking a flight was like before 9/11 or life without internet and smartphones. We are used to the fact that technologies and methodologies can get old in a few years. We have been raised to be flexible and ready to adapt to any situation. We live a life of uncertainty, so nobody can understand better than us that resiliency is imperative. And here comes what in my opinion will be the greatest challenge to business continuity professionals in the foreseeable future: in a world where too many critical infrastructures still care about ‘service continuity’ only – which is just the top of the iceberg – how can we help make society resilient? How do we ensure the ‘social continuity’?
This is something we have started developing in Italy through a project carried out by HI CARE Association. Starting from the assumption that crises are always local, we are building up a network of companies and security professionals that are willing to exploit synergies and share issues related to the continuity of their own businesses in specific areas. The initiative has two main aims: (i) share the ‘crisis management’ and ‘business continuity’ know-how with entities like schools, hospitals, etc. which are crucial to the welfare of the social fabric, but that might not have the same level of awareness on the importance of prevention and planning; (ii) coordinate the private and public sectors to act efficiently in case of a crisis. We are also sensitising the Italian public institutions on the opportunity to establish a sort of ‘Office of Emergency Management’ in systemically important cities (e.g.: Rome and Milan). Anyway, an entire book could be written on this topic and many others on all the challenges that we have on our way. The complexity of our society generates billions of threats that may affect the operations of an organization. We need to be prepared and have a holistic approach to business continuity, but I feel confident since I think we have all the ‘tools’ to succeed.
Is outsourcing the answer?
By Scarlett Morgan AMBCI
Scarlett Morgan AMBCI has worked for Nationwide Building Society for eight years and had a number of roles before becoming a Senior Consultant in Business Continuity three years ago. Scarlett felt she could apply the skills and knowledge she had acquired from her previous roles to ensure that the business could respond readily to incidents.
Threats and challenges are faced by businesses continuously, as the landscape of technology and customer expectations changes. Working in the financial services industry, we are always horizon scanning and adapting our approach, should we face a significant incident impacting our existing customer base. As it stands, I feel there is one great threat (in terms of business continuity planning and the financial services), which is outsourcing/third party service suppliers. Outsourcing is an effective method of streamlining the business and shifting the risk to a supplier. Typically, the financial services move out the processing of less critical activities to a third party, which can have a positive effect on service level agreements, efficiency (for example, third parties in India have a longer working day than the UK) and cost. The benefits of outsourcing processes to a third party are obvious and plentiful, but it does beg the question – are we confident in that company’s ability to survive an incident and maintain its service levels, whilst protecting customer data? This is managed in numerous ways throughout the industry, but the general rule of thumb is that the financial services company maintains a level of control and review of the third party’s business continuity planning and DR capabilities. This can take the form of site visits through to dedicated resource being actively involved in the review of the BCP and testing schedule, which then satisfies the key control function.
I have been resourced to a programme that primarily deals with the outsourcing of operational processes. Some stakeholders were under the impression that there is an industry standard approach to outsourcing and therefore looked to me to answer all of their questions. Which leads me to an important point – as we move closer and closer to most medium to large companies outsourcing activities/processes, are we as BC professionals missing a trick? Should we consider that while we cannot steer the business away from outsourcing, could we provide a better level of service and standard approach to BC planning for third parties?
Preparing for a digital future is also a key change to consider. Within the financial services, the immediacy of payments and offering a 24/7 service is paramount and we’re seeing more customers using internet and mobile banking than entering branches. The customer expectation of being able to administer their accounts and make payments in a short space of time is increasing, which sees the need for robust DR planning and an effective incident management process. Contactless payments and Faster Payments are becoming the methods of choice in transferring funds and the industry needs to be equipped in not only servicing these customers but also instilling confidence that these payment types are accessible day and night. Interestingly, it isn’t just the younger generation utilising this functionality and we therefore need to step up our game by expanding the uses of internet and mobile banking – should a customer have to enter a branch to change their personal details? Should an existing customer have to go through a lengthy process to open a new savings account? As digital becomes the first point of call for customers, Disaster Recovery planning and BC planning will align as one, and incidents involving technology and reputation become the standard. And lastly, as BC professionals we come up against some heavy criticism and assumptions that our profession shouldn’t be regarded as that. I believe that it takes a certain type of person to be successful in this field, a person that has the ability to step back from the problem in hand and apply rules of logic and order. Culture is changing, businesses are starting to realise the potential in having effective BC planning in place for any eventuality and a strong incident management process embedded in the business.
Our greatest challenge may be our biggest asset By Jason McGee MBCI
Jason McGee MBCI works as a divisional Business Continuity Manager for a large multi-national financial services firm providing strategic / tactical BCM support and guidance to 42 global locations. Jason did not start out in business continuity but rather as a customer service advisor. However the more exposure he received to BCM during this time, the more intrigued he became and quickly began to take on branch level responsibilities and before long found himself working in BC permanently. With any job, irrespective of sector, there are numerous challenges which professionals face on a continuous basis, with business continuity management it is no different. In considering what the greatest challenges are facing young BC professionals in the industry today, it led me to delving deeper and deeper into my own personal experiences as well as macro challenges facing the industry as a whole. In order to truly define the greatest challenge facing young BC professionals, we need to first formulate the context around which the question is geared. With this in mind I decided to approach this question with two basic perspectives in mind; my own personal perspective and a macro/industry wide perspective. During my relatively short tenure within the BC profession (seven years) I have encountered various challenges ranging from organizational governance issues to budgetary constraints, however, the single greatest challenge I consider to be facing me personally is the constantly changing business environment. Unfortunately we are now all too familiar with the fact that times have drastically changed since the credit crunch (particularly within my field – Financial Services).
Luckily for me, one of my greatest attributes is my ability to adapt and change as required and I resolutely believe this is a correlated consequence of me not being over exposed to the economic boom era where organizational change was deemed superfluous. Of course this is a brash statement and I do not wish to imply all management of a certain age are reflective of this proclamation, however, based on my own personal experience within numerous companies, I cannot definitively say that it is pure fiction either as it simply is not the case.
Companies are now expected to constantly adapt to the ever changing market with increased demands from regulators, clients and investors. So why does BC need to adapt to an ever changing market? One particular growth area within the Financial Services sector in particular is the surge in outsourced service agreements, mainly driven by lack of internal expertise and a need to reduce the cost base. Whilst outsourcing has its advantages it also places indirect pressures on BC professionals to maintain a static level of responsibility for the outsourced activity with less transparency in how the operation is undertaken. As such the BC professional must ensure that all of these outsourced activities are comprehensively managed with adequate levels of assurance (in relation to the outsourced service provider’s resilience) communicated regularly, as there is no legal dissolution of responsibility should an incident occur. This inevitably means augmenting the BC programme from its original state to now cater for these outsourced service providers as failure by incorporating KPIs, SLAs, contracts, penalties for breach, regular reporting, formalised incident response structure etc… into the outsourcing agreement. BC is now being viewed as an integral component of any successful company and this is becoming more and more prevalent with investors, clients and regulators not only demanding it be embedded but also seeking evidence of a company’s resilience. My own personal ethos is to push BC to the forefront of company culture to such a degree that its weighting on board agendas is almost equal to that of profit maximisation. So how can this be achieved?
There are numerous aspects to this question (which if answered in detail would merit a full white paper) but in simple terms we need to listen to all of our interested parties as they have the power to make or break us dependent on our actions in response to their requests; act ethically and in the best interest of the company not simply in the interest of quick profits, highlighting that BC is a long term investment which has the potential to deliver huge returns – most notably the survival of the company after a major incident; and lastly, but most importantly, education. We must educate ourselves both within the BC field itself and our wider industry – become a certified BC professional and join local / international industry bodies to ensure you are implementing best practice to drive and promote BC within your company, this will in turn aid in educating all management in the importance of BC as they see the benefits of an effective BC programme through increased stakeholder confidence and reduced costs in responding to the ever increasing number of BC related events. What is possibly our greatest challenge can also be turned into our biggest asset – ourselves. We can make the change. The only environment young BC professionals know is the current harsh recession soaked environment which gives us the advantage through the inherent skill of knowing no different and accepting that change is necessary for survival.
Finding and fostering the right talent By Zoe Moulton AMBCI
Zoe Moulton AMBCI is a BCM specialist in the PwC Risk Services Melbourne practice. Zoe's career in consulting began over six years ago and for the past three years she has primarily worked on BCM projects for clients in Australia and South East Asia. Zoe works across industries such as financial services, utilities, transport, government, health and infrastructure to assist organizations to develop, implement and enhance sustainable resilience programmes. In considering the future challenges of my chosen profession, the following thought popped into my mind: “goodness gracious, do I really want to spend the next 20 years talking worst case scenario?!” Reflecting on the colleagues and clients I have worked with, and the methodologies, processes, standards, behaviours, concepts, tips and tricks I have learnt, this profession centres round people. Without people, who provides leadership? Who shares the corporate knowledge? Who builds relationships, good will and situational awareness?
BCM is about people as much as it is about plans, frameworks, systems and materials that tick a box, satisfy an audit finding or meet a customer requirement. People in BCM are the delicate tomato sauce that binds a pizza base to a great variety of toppings. In my experience, BCM is best represented by:
- The person who can immediately gain the respect and control of a team or room and set the right direction
- The person who remembers how a similar incident played out in March 1987
- The person who worked 19 hours straight after a critical system failure so that manual workaround processes ensured production safely met demand
- The person who, when an incident occurs, runs to the cupboard and puts on his Superman cape and underpants
- The person who identifies BCM as the lever for longer term major strategic investment decisions
- The person who remembers to order the sandwiches, orange juice and slippers (so that the ladies have more comfortable footwear) for the Crisis Management Team
- The person who throws in the ‘red herrings’ not to be antagonistic, but to contribute to a better outcome
- The person who can start talking about business continuity and (to everyone’s astonishment) still maintain a captive audience two hours later
- The person who can calm the man who has just discovered his ex-wife is listed as his next-of-kin in a contact list
- The person who is sought out daily to extinguish spot fires and call in favours from both internal and external contacts
These are the people who are key to effective BCM and I believe this will not change much in the future. They are the sauce which glues the base (the BCM foundation or framework) to the toppings (the BCM tools, templates and other external factors). It is widely acknowledged that it is critical for an organization to have lists and plans that can immediately be accessed and referenced following a disruption.
It is also accepted that there must be a general level of awareness across the organization of BCM concepts and arrangements. As organizations deal with rapid technological change, more stringent regulatory environments, increasingly complex and diverse supply chains and outsourcing models, it will be the type of people listed above who will save the day and steer the organization through adversity. One of the greatest future challenges facing BC professionals relates to the key ingredient – the pizza sauce. How do we continue to find and foster the strategic thinker, the carer, the enthusiast, the story teller, the educator, the diplomat, and the committed, loyal employee who is a part of the organization’s furniture? My own brief list above does not feature any generation Y or millennial representatives, (other people’s may). The wonderful characters in that list are all part of a segment of the workforce which will eventually make way for a new generation with different priorities and approaches to achieving their goals. The challenge of securing the right workforce for tomorrow to take the organization forward is not unique to BCM. What I think is special about BCM is the people / pizza sauce factor and the role we as BC professionals must play in transferring knowledge, sharing anecdotes and helping to embed behaviour patterns. The challenge for the next 20 years isn’t about talking worst case scenario to ensure a box is ticked, as I first thought when I began writing this article! Rather, the challenge revolves around opening the box and locating and helping the strategic thinkers, carers, enthusiasts, story tellers, educators and diplomats to realise and promote the relevance and value of BCM.
Embedding business continuity across the organization By Humbulani Sigidane CBCI
Humbulani Sigidane CBCI specialises in project management by profession, having started out as a Business Continuity Management Administrator helping out in projects that embed BCM into an organization. He is currently working for T-systems South Africa in the capacity of Information Security Coordinator reporting to the Chief Security Officer and helping both the Business Continuity Manager and the Data Protection Officer at the same time. Let’s look at two important definitions: 1) Business continuity: The capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident (ISO 22300) 2) Business continuity management: A holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realised, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities (ISO 22301:2012). In the past BC was not given much attention since all business was about profits and incidents were handled when and as they happened. Then came the millennium bug and businesses realised the need to prepare for continuity in the case of disruption. Today BC faces the challenge of embedding itself to the whole business operations instead of being seen as a standalone. Return on investment is a very sensitive and delicate issue in BC in many organizations where CFOs are all about numbers, so the question is: can we measure BC ROI? If so, what can we identify as the key measurables and how can we measure them? Organizations need an ingenious way to prove BC’s worth and not wait for an incident so that their capabilities and importance can be realised.
ISO 31000 defines risk as “effect of uncertainty on objectives” and defines risk management as “coordinated activities to direct and control an organization with regard to risk.” BC and risk management need to learn to tango. Risk management is more concerned about the mitigation of the risk and impacts on the current business operations while on the other hand, BC worries about mitigation, current impact, effect of mitigation on future continuity. I’ll give an example of an organization where a risk was raised concerning the upgrading of uninterrupted power supply equipment; the risk was mitigated by postponing the upgrade to the near future on the basis of priority for the organization at that time and two years later the organization was faced with unavoidable power supply interruptions. To make matters worse, just because the organization knew that they had a BC Manager, BC was expected to handle the whole situation even after having been excluded from the decision not to upgrade the equipment. In this example the organization failed to see the importance of BC when all was good and realised the importance of BC when the situation was bad again. Looking back at our two definitions earlier, a few things stand out: (1) continue delivery of products or services, (2) identifies potential threats, (3) reputation, brand integrity. BC has managed to address the current challenge of embedding BCM with guidelines such as the GPG 2013 and the ISO 22301. Although BC ownership remains and will continue to be a challenge in the future. BC cannot be outsourced; you can only get consultants to help.
IT platforms are exponentially growing as the de-facto standard of business operation. As ISO 27031 (Guidelines for information and communication technology readiness for business continuity) states: “Effective BCM is frequently dependent upon effective ICT readiness to ensure that the organization's objectives can continue to be met in times of disruptions. This is particularly important as the consequences of disruptions to ICT often have the added complication of being invisible and/or difficult to detect.” It has been a good challenge so far for organizations to embed BC and prove its ROI and now the next challenge is to embed BC into an environment where an ‘as long as it’s working’ attitude is prevalent. Cyber attack and DDoS (Distributed Denial of Service) have introduced other points of disruption to business. ICT Recovery needs to feed into the BCMS structure. If organizations move forward with the view of BC as a standalone, IT recovery will come to the party with a wrong perception of its role in the holistic BC structure. BC will be expected to take ownership of IT recovery instead of helping as a facilitator and coordinator. In conclusion, working for an IT services outsourcing company myself, words such as cloud, big data and virtual workspace have put a twist into the organization’s BC. Once you start talking BC, one has no choice but to consider the technical side of IT and its impact. As BC professionals we are now challenged to speak and understand the technical lingo in greater depth than before. BC talks to the DNA of an organization, which is why in most organizations it is seen as invasive. It addresses core issues to which the organization has turned a blind eye. The only way to move forward is to keep to our core values of resilience. As BC professionals let’s keep on doing what we’re doing and improve on it no matter the resistance we face from within our environment of operations.
Moving beyond the methodology and implementing capabilities that matter By Jacqueline Rupert MBCI
Jacqueline Rupert MBCI is a Managing Consultant at Avalution Consulting, a management consulting firm focused exclusively on the delivery of global business continuity and IT disaster recovery solutions. Jacqueline has a Bachelor of Arts from Miami University (USA), and following graduation, began working for Avalution. For over six years, Jacqueline has consulted with organizations of all sizes and in nearly all industries. Jacqueline specialises in developing and implementing effective business continuity programmes aligned with international standards (namely ISO 22301), as well as identifying and developing information technology disaster recovery solutions. Since beginning my career in business continuity over six years ago, I have observed a number of challenges facing professionals regardless of industry, geography, and organizational sizes – from not receiving necessary resources to execute the programme, to not knowing if the organization has the ‘right’ level of preparation. When stepping back and looking at the root cause of these challenges, I believe there is one issue at the core of the profession that produces many, if not all, of these complaints: the inability for most organizations to obtain (and maintain) top management support.
Why does this happen?
I believe there are a number of reasons why professionals are unable to obtain top management support; however, two of the most common, prevailing reasons include:
- Focusing too heavily on the importance of executing and reporting on the execution of the business continuity methodology (for example, informing top management regarding the number of business impact analyses and plans) – remember, the methodology is a means to an end, not the end itself.
- Inability to develop a statement on and then deliver the value for the organization, meaning implementing appropriate business continuity capabilities – it’s not just about checking the box of having a ‘programme’ or a ‘plan’.
How can it be overcome?
So how do I propose that organizations move beyond the methodology and implement capabilities that matter, and along the way obtain top management support and engagement? Here are four practices that I have seen assist professionals in implementing effective, top management-supported business continuity programmes and capabilities that align to expectations:
1. Develop and communicate the value proposition:
Top management sets the organization’s strategic objectives, and thus has the responsibility of delivering value to its customers and other interested parties. By identifying internal and external stakeholder requirements and expectations, professionals can easily translate business continuity concepts and outcomes to organizational objectives and strategy. Here are some questions you may ask yourself (and the organization) to develop your organization’s business continuity value proposition:
- What are the organization’s strategic objectives?
- How would a disruptive incident impact those objectives?
- Who are the organization’s stakeholders and interested parties?
- What are their expectations of the organization during a disruptive incident?
- What would the impact of missing those expectations be on the organization?
2. Speak in terms of ensuring product and service delivery to customers:
Top management fulfils the organization’s strategic objectives by delivering products and services to customers and interested parties, consistent with their expectations. Additionally, top management often prioritises organizational investments and measures its success based on on-time, consistent, and effective product and service delivery. By communicating that the organization’s business continuity capabilities ensure the continuation and on-time delivery of products and services to customers, professionals can relate to top management in a way that recovery time objectives and plan documentation just cannot.
3. Ensure recovery requirements and strategies meet top management’s expectations
By understanding the organization’s products and services, and management’s expectations regarding business continuity requirements, professionals can execute the methodology within those parameters – from scoping, to the business impact analysis, to strategy identification and implementation. This knowledge allows professionals to include appropriate organizational entities and resources in the planning effort, set recovery objectives that align with management requirements, and prioritise risk mitigation and recovery strategy investments. This approach ultimately ensures that the organization allocates the appropriate resources on business continuity capabilities that matter to top management.
4. Report on programme performance based on actual capabilities
Reporting the programme’s performance based on whether or not the organization could deliver its products and services to stakeholders – consistent with business continuity requirements – during a disruptive incident assists professionals in maintaining management’s interest in business continuity. It also assists professionals in appropriately communicating and receiving buy-in for closing risks, gaps, and other corrective actions.
What will the results look like?
By moving beyond executing business continuity methodology without regard to how it relates to top management’s strategic priorities, professionals will not only see that the issues and challenges that they previously faced are eliminated (or greatly reduced), but they will also see the following results:
- Business continuity being embedded into the organizational culture
- Business continuity being integrated into day-to-day decision-making
- Increased attendance and engagement during management review meetings
- The organization building actual business continuity capability that matters to top management
- Overall improvement to business continuity readiness
BCM on a budget By Andrew Winkworth AMBCI
Andrew Winkworth AMBCI is a Civil Contingencies Officer at Durham County Council, involved in both emergency planning and business continuity management. He is also a reservist with the Royal Navy and it was this background in training and exercising that really sparked his interest in planning for incidents. He is currently studying the final module of his DBCI and intends to progress to MBCI early next year. It can be generalised that the pace of change is increasing, as modern electronic and communication technologies bring us closer together at greater speed. The World Wide Web is 25 years old this year - two years younger than I am, and within this time it has still managed to fundamentally influence the majority of ways that we work and play. Mobile phones have gone from being a contradiction in terms to an essential life accessory in even less time. Technology is developing so quickly that children are often more capable with it than their parents. If we cannot keep up with our own children, how can we stay ahead of the competition? It may be dangerous to wholeheartedly embrace technology however, as reliance is also vulnerability. If a single point of failure is affected, such as one of the many datacentres flooded during Hurricane Sandy, then an entire organization can be immobilised. The practice of BCM has developed hugely in the past twenty years. An offshoot of IT disaster recovery has evolved into an integral part of the management of many businesses. It is almost a cliché that flexibility is as important to an organization as resilience. The ability to absorb impacts and continue despite disruption is at the core of BCM. In military circles the saying ‘improvise, adapt and overcome’ is often quoted, which has obvious application in business continuity management. When faced with a problem, a complete answer is rarely available in a list of FAQs.
The answer probably lies in using standard procedures, augmented with appropriate actions to suit the occasion.
When we look to the future, as professionals involved in judging risk we are drawn to immediately identify threats. But what if we start with looking at our strengths? BCM practices have undoubtedly improved, but what about the practitioners? As business continuity matures and develops ever further into a distinguishable, standalone profession, so newcomers to the discipline are increasingly embarking on their first career rather than a second or third. Previously many practitioners had a background in IT and disaster recovery, so had a detailed knowledge of that area of operations. If you are not blessed with this background however, how can you develop effective plans for this key area of your organization? A modern practitioner therefore has to be an effective facilitator of the development of appropriate plans, rather than being a subject matter expert in each field. The example of IT knowledge can be replaced with any number of other examples of technical expertise within key business areas; this could be anything from knowledge of COMAH procedures to financial regulations. I am currently employed in the public sector and a key current challenge is delivering effective BCM ‘on a budget’. The ability to communicate the importance of BCM is never more important than in an environment when expenditure is carefully scrutinised. We have to be intelligent with our planning, as measures that are only to be used in an emergency, can be viewed as luxuries that can easily be trimmed from the budget without affecting core activities. Therefore the old adage of ‘sweating the assets’ has never been more applicable. BCM measures must be integrated into normal operating procedures, not just for use in emergencies. This has the added benefit of raising the awareness and familiarity of BCM measures within the workforce.
It is well documented that a greater number of organizations in many sectors are turning to outsourcing to achieve greater value for money and it will be interesting to see whether public bodies will outsource their requirements for BCM, some of which are statutory requirements. As BCM is adopted by an increasing number of organizations across the world, the opportunities for practitioners are growing and developing in tandem. The future may not always be discernable, but it is certainly exciting.
The dangers of the cloud By Laura Sweatman CBCI Laura Sweatman CBCI is an Emergency Management Officer at Surrey County council where she is working to improve their resilience in regards to developing business continuity arrangements. Laura took on this role having completed her degree in Environmental Hazards and Disaster Management at Kingston University and taken on two disaster management projects as a volunteer with Tearfund and the British Red Cross. Working in a climate which is plagued by the continuous conflict between providing the best service possible to residents verses the constant pressure to save money; the cloud appears to be a beneficial solution to this issue. It appears to offer the opportunity to improve collaborative working across many organizations, as well as reducing the costs of complex IT and telephony systems, through shared procurement. In terms of Business Continuity planning, the use of the cloud seems to be a sensible way forward and not an unwise solution to adopt. If an organization, or organizations across one or more geographical areas, can all work on the same system based in the cloud, then the ability of staff to be more flexible in where they work can only enhance work area recovery options, as the number of choices for relocation options expands. When complex IT fixes are no longer required to make a back up facility suitable, the uptake of systems which use the cloud seems inevitable.
The future of business continuity The cloud also enhances the ability to share resources, such as staff for example. If an organization is disrupted in some way and the need to re-focus staff attention is focused on delivering a critical activity then it will be much easier to form mutual aid agreements between departments/organizations if staff are able to access their own systems from other locations, especially if these are standardised. A prevalent need demonstrated across the UK by incidents such as the flooding which occurred between December 2013- February 2014. In terms of cost benefit analysis the cloud seems like a cost effective option to adopt, especially in organizations where savings need to be made, yet protection to customers must be guaranteed. The need to enhance contingency options is a challenge that professionals will face in the years to come in the business continuity world, especially as the complexity of the threats we face increases, particularly as we consider the potential consequences of cyber attacks and effects of climate change to cause large and sometime even unprecedented events. Nevertheless this comes with its dangers. The most prevalent being that an increasing reliance on the cloud means that it could become one large single point of failure, which could severely affect not just one, but multiple facets of an organization, or organizations and their delivery of services across wide areas, if they are all reliant on the same cloud based systems. This is even more of concern if contingency arrangements are tied up in the use of the cloud too. A future challenge to BC professionals is therefore how we weigh up the benefits of the cloud verses the potential risks that it may pose. We will need to ensure that we have robust solutions in place to deal with cloud failures, or cyber attacks, as these may have severe consequences to organizations, even geographical areas, depending on how this is used. 
On the other hand, it may also be a challenge to find something as good as the cloud in terms of providing so many options for business continuity planning. It is essential for all business continuity professionals as we move forward to keep in mind the risks that this type of working poses, as much as its benefits. We must challenge the suppliers of these systems to ensure that robust contingency and recovery options are in place. We must also make sure that we are in good communication with service representatives within our own organizations who are exploring these options of working, particularly those involved in partnership working forums. We must be the voice that challenges this way of working and must be the forward thinkers in adopting solutions to such beneficial, but potentially risky single points of failure, which in my opinion will be one of the greatest challenges to business continuity in the foreseeable future.
Demonstrating the value of a business continuity management programme
By Harriet Wood AMBCI
Harriet Wood AMBCI took on responsibility for Business Continuity at Marston’s Plc in 2007, having decided to carve out a career for herself rather than going to university. Marston’s are the leading brewer of premium cask and bottled beers in the UK. They also have an estate of over 1700 pubs. Harriet is based at their Head Office in Wolverhampton but travels around their five breweries and eight distribution sites looking after BC.
When I first applied for my role I thought that the job description sounded great – “work for a well-known company”, “develop a newly-created role”, “travel throughout Marston’s wide distribution network” – but at the age of 19 I had to Google ‘business continuity’ before attending the interview, because I didn’t know what the term meant.
Seven years later, when I tell people that I am a “Business Continuity Co-ordinator” there is at least a polite nod of recognition. Despite undoubtedly huge advances in awareness since the BCI’s founding in 1994, I believe that general understanding of our discipline is still the greatest challenge we face. Specific threats – Ebola, volcanic ash, impending strikes – will come and go, and the principles of being resilient will fundamentally remain the same. Business continuity managers are well practised at dealing with these diversities. It is our strength. What we are perhaps less skilled at is defining our own roles. With the concept of ‘resilience’ being a hot topic it seems to me that this may be our best chance to demonstrate clearly what we actually do for the businesses we support. With the time constraints that we all face it is easy to become the name at the bottom of a system generated email or to be viewed as ‘just another auditor’. If we can endeavour to be known around the business, to build a clear identity for ourselves so that even those who perhaps only see us once or twice a year will remember who we are and what we do, then I believe that many of the issues that we worry about will be improved.
When asked to consider the challenges facing the business continuity world I initially thought of cyber security, supply chain resilience and the like. I then stopped and thought that if we can get the balance right in our self-publicity, people will know not just who to approach when they are about to go out to tender on a new contract, or invest in new software, but will also know that there is a real, tangible benefit to having that conversation. Maybe the reason we struggle to get buy-in is our approach. But what is the solution? Speaking as an in-house business continuity professional, I would like to see more people in my position model their roles on the approach taken by external consultants.
Consultants sell their services by convincing the business that they can do something for them and add real value rather than the other way round. If we approach business units in the same way and speak to them in their own terms about what they would like to achieve then I believe we are less likely to come up against the negative attitudes to business continuity-related activities that many of us are disheartened by. Perhaps we could ask ourselves “Can we become business partners?”, “Can we help departments as if they are our individual clients?” This approach would hopefully result in a culture where we are approached for advice and assistance rather than one where we are constantly pushing departments to engage with us. Instead of repeatedly requesting documents that time-starved department heads struggle to see the benefit of, we could move towards a system where our requirements were supported by managers who understand our work and the value that it adds because we understand theirs.
There was a recent documentary made about the brewery that I work at. It showed little snippets of the everyday comings and goings of brewers, engineers and draymen – the little incidents that threaten to interrupt the vital flow of beer to the nation. When my family and friends watched the series they asked “Wasn’t that all about what you do?” Absolutely – and none of those incidents caused a real problem for the business. The more that people can understand that we are there to make their lives easier rather than more difficult the better…and that’s down to us to communicate.
Business Continuity Institute 10-11 Southview Park Marsack Street Caversham RG4 5AF United Kingdom +44 (0)118 947 8215