BUSINESS CONTINUITY MANAGEMENT IN THE PUBLIC SECTOR A ROUGH GUIDE




Introduction

1. Recently many organisations, both public and private, have directed much more time, money and effort towards protecting service delivery and ensuring business continuity. This increased impetus can be attributed, in some part, to the unexpected but positive side effect of the Millennium Bug, where organisations focused on being prepared for the Millennium Date Change Period.

2. Many organisations, working under pressure to meet the 01 January 2000 deadline, were compelled to identify risks to their business and the means to mitigate against such risks. Contingencies, or alternative ways of working to ensure continued delivery of critical business should some major interruption occur, were planned. Liaison with other organisations such as suppliers, customers and partners was embarked upon to identify interdependencies. Application of these business continuity techniques meant that organisations were able to plan not only for the more predictable effects of Y2K but also for the more far-reaching and knock-on effects which could have occurred.

3. Although the Y2K date change has come and gone and many organisations can congratulate themselves, they should resist viewing their efforts in respect of business continuity in an historical context, as plans and procedures still have currency today. Organisations can take full advantage of their Y2K planning, using it as a springboard towards a more comprehensive approach to business continuity. Assessments and plans should be revisited with the following questions in mind:

   Have all business critical functions been considered, not just those that were operational during the millennium date change period?

   Are plans capable of being invoked at any time? (Millennium Operating Regimes could be updated with procedures which take account of normal working and stand-by arrangements.)

   Have plans and procedures been thoroughly tested and validated?

4. If the answer to any of the above is no, then the organisation has more to do to fully subscribe to Business Continuity Management (BCM). Time was at a premium in the run up to Y2K but now, in the absence of such pressures, organisations that have identified a need to adopt a more comprehensive approach to business continuity will have the opportunity to do so. However, it must also be remembered that an emergency or other interruption to critical business can occur at any time and without warning.

5. Before describing what BCM is, it is important to state exactly what it is not. It is not simply another term for Disaster Recovery Planning, which traditionally has concentrated on the restoration of facilities after a major incident, e.g. loss of computing or telecommunications, or loss of a building or plant through fire or flood. The responsibility for such disaster plans rested with the various business functions, typically IT, estates and security. In some respects disaster recovery can be viewed as a reactive process whereby the organisation reacts to the emergency once it has occurred. The Emergency Planning Society, in the Guide to Business Continuity Planning (1997), notes that in many instances this approach proves to be too little too late.

6. BCM, in contrast, is a holistic approach which examines the organisation as a whole, is concerned with anticipating things which could go wrong, and takes planned and rehearsed steps to protect the business from such events. It involves the co-ordination and integration of all planning processes across departments and the presentation of a confident image to the outside world. It is a strategic tool which, once understood, exercised well and with commitment from the whole organisation, can safeguard service delivery, maximise opportunity through a crisis, and so proactively demonstrate competent management and enhance positive reputation.

7. The Business Continuity Institute (BCI) identified the following ten disciplines which it considered essential to any BCM process. No particular significance should be attributed to the order in which these disciplines are presented, except that project initiation must be the start point.

(i) Project Initiation and Management. This involves establishing the need for a Business Continuity Plan (BCP), including obtaining management support and the organisation and management of the project to completion within agreed time and budget limits. It is not too difficult to demonstrate a need for BCM where evidence has shown that every 5 years, 20% of organisations will suffer a major disruption through fire, flood or storm, power failures, terrorism or IT failures. An ever more litigious society, coupled with recent legislative developments, places responsibility firmly on organisations to demonstrate substantive evidence of foresight and preparedness. It has been promulgated that organisations have a duty of care and that looking on business continuity as 'nice to have' is a dereliction of that duty (CBI, Business Continuity Management). Once the need for Business Continuity has been established it is vital to obtain long term commitment to it by convincing senior management that, once armed with this tool, they will be able to survive their own organisational Nemesis. An accurate assessment of what is involved in terms of staffing, expenditure and time needs to be clearly stated. Projects have floundered because senior management have not had realistic expectations of the level of resources required. A Business Continuity Planning Team should be selected from fully committed senior managers who will be prepared to drive the project forward. Business Continuity Managers should also be selected to oversee the preparation of individual department or business unit plans, which will form the building blocks of the overall business continuity response. Teams must be clear about the aims of the project and must accept ownership for it; it is their plan and their expertise which is required to determine what is critical to the survival of the organisation.

(ii) Risk Evaluation and Control. This involves the determination of events and environmental surroundings that can adversely affect the organisation, the damage caused by these events and the controls needed to mitigate against the effects of potential loss. Risk avoidance measures should be determined where possible, on the basis that prevention is better than cure. Cost-benefit analysis can be used to justify expenditure on controls to mitigate risks. The modern business environment is characterised by an ever-increasing range of risks, where emergencies come in all shapes and sizes. Natural hazards include storms, floods, subsidence and building collapse, lightning and snow. Man-made hazards include operator error, explosion, fire, chemical spillage, smoke or water damage, power failure, telecommunications failure, strikes, fraud, arson, malicious damage, bombs, media speculation and castigation, and crippling litigation.

(iii) Business Impact Analysis (BIA). This discipline is of fundamental importance to BCM and involves the identification of the impacts on business from emergency or other interruption scenarios, along with techniques that can be used to quantify and qualify such impacts. Critical business functions, their recovery priorities and interdependencies should be established so that recovery time objectives can be set. The BIA prioritises the 'what if' scenarios identified by the risk evaluation by identifying not only how the emergency will affect the individual department involved but also the organisation as a whole. The process is proactive in that it identifies the key or business critical functions of an organisation and the likely threats to those functions. The differentiation between critical functions and more peripheral functions means that planning effort can then be directed at ensuring such key functions can continue whatever the circumstances. It is important to realise that this approach is not only concerned with large-scale emergencies such as fire or flood. Generic BCP also covers arrangements to deal with smaller but equally devastating events such as loss of key systems or key personnel.

(iv) Developing Business Contingency Strategies. This involves determining and selecting alternative business recovery operating strategies which will allow recovery within the appropriate timeframe, as identified by the BIA, whilst at the same time maintaining the organisation's critical functions. Recovery strategies for those business risks which cannot be prevented should be developed. Establishing the what, how and when is necessary at this stage. Options for alternative methods and locations of working should be determined, together with interim measures to protect each department's immediate business processes, with each business unit being responsible for its own contingencies. Critical timescales for restoring core functions and the schedule of priorities are fundamental.

(v) Emergency Responses and Operations. This involves the development and implementation of procedures for responding to and stabilising the situation following an emergency or interruption. It will include establishing and managing an emergency operations centre for use as a command centre during the emergency. Instructions on the allocation of responsibility and decisions on internal and external communication procedures are vital and should be carefully documented. Everyone involved in the response must know automatically what to do, where to go and who to contact in any time of emergency. Otherwise confusion will abound and any advantage will be lost.

(vi) Developing and Implementing the Business Continuity Plans. This involves the design, development and implementation of a BCP which will provide recovery within the recovery time objective. All plans, whether departmental or generic, must address the issues affecting people, accommodation, systems, critical information and services to ensure that core business can continue. Plans must be available 24 hours a day, 365 days a year and should be action orientated, crisply written, easy to follow and contain no information that is not required in an emergency situation. Areas that should be covered are:

   emergency definition, and declaration and invocation arrangements for the plan;
   emergency response;
   resumption of operations under standby arrangements;
   resumption of business as usual.

Plans should detail:

   roles, responsibilities and reporting requirements;
   key personnel, other essential contacts and appropriate contact information;
   action plans with key priorities and timescales for recovery;
   alternative locations, how to find them and relevant security arrangements;
   lists of resource requirements for recovery and how to get them;
   logging forms which are used to maintain an audit trail for any subsequent inquiry.

(vii) Awareness and Training Programmes. This involves the preparation of a programme to raise corporate awareness and enhance the skills mix required to develop, implement, maintain and execute the BCP. All staff in the organisation must be made aware of the BCP, whether or not they are going to participate in the actual response. Everyone must feel that they have a role to play in the continuation of the organisation's business, even if it is simply responding to a telephone call at home asking them to return to work. These factors are the essential prerequisites to success, and this is perhaps best illustrated by quoting Eisenhower: 'plans are nothing, planning is everything'.

(viii) Maintaining and Exercising Business Continuity Plans. This involves the pre-planning and co-ordination of exercises to test the plan and the evaluation and documentation of lessons learned from such exercising. Processes should be developed which validate contingency capabilities and the BCP document, in accordance with the organisation's strategic direction. Plan validation, or verification of its effectiveness, can be achieved through comparison with a suitable standard, e.g. BCI, Evaluation Criteria for Business Continuity Plans; the results of this process should be reported in a clear and concise manner. Once plans have been developed they should not be viewed as a panacea for all emergencies. They are of little real value unless they are rehearsed and validated. Before progressing to live exercises it is often useful to test arrangements by realistic table-top exercises, which will identify any problems overlooked in the planning stages. Individual or departmental plans should be tested first and, once these are working well, the full business continuity response can be exercised. Planning must be viewed as a dynamic process which grows with the organisation and not one which is a once and for all activity. Individual plans, which underpin the Business Continuity Plan, are of vital importance and must be kept current.

(ix) Public Relations and Crisis Co-ordination. This involves the development, co-ordination, evaluation and exercise of plans for media liaison and plans for communication with (and, as necessary, trauma counselling for) employees, their families, key customers, critical suppliers and corporate management during emergency situations. All stakeholders are kept informed on an as-needed basis.

(x) Co-ordination with Public Authorities (and Outside Bodies). This involves the establishment of procedures and policies for co-ordinating continuity and restoration activities with other public authorities while at the same time ensuring compliance with applicable statutes or regulations. The roles and responsibilities of other organisations who may be involved in dealing with an emergency must be well known, e.g. the role of the emergency services and the restrictions they may place on the organisation in the aftermath of a major incident. Contingency arrangements must be agreed with all major suppliers, and specialist arrangements with outside bodies (e.g. salvage companies) well understood.

8. This phenomenon of preparing to deal with the unknown is evidenced in both the private and public sectors. Industry was swift to recognise the benefits of business continuity, but government has also contributed to its promotion through a number of Home Office publications, and the Home Office Emergency Planning College has hosted a number of business continuity events. The subject was placed firmly on the political agenda by the Prime Minister, Tony Blair, in the run up to the Millennium.

Conclusion

9. This paper is offered with the intention of provoking the thought processes of readers; it is not intended to be a definitive guide to BCM and should not be taken as such. There are many excellent texts available providing guidance on this complex subject. Details of the ones used in the compilation of this note are provided in Annex A.

10. Investing in BCM is wise, where the resulting resilience and risk reduction reduce everyday outages and provide flexibility in day-to-day operations. However, the level of continuous commitment necessary if an organisation is to fully subscribe to BCM should not be underestimated. Adoption of BCM by an organisation has been likened to staring into the abyss: defending the organisation's essential business from every possible risk, risks that collude, conspire and wait for technology to assist them in the exploitation of any flaw.

Annex A

1. CBI (1999) Business Continuity Management. Caspian Publishing Ltd.
2. Emergency Planning Society (1997) Business Continuity Demystified.
3. Business Continuity Institute (1999) Evaluation Criteria for Business Continuity Plans.
4. Hiles, A. et al (1999) The Definitive Handbook of Business Continuity Management. J Wiley & Sons Ltd.
5. CCTA (1995) A Guide to Business Continuity Management. HMSO.