Continuity & Resilience Agony Aunt: Your Questions Answered

Agony Aunt Eugina Pierre responds to YOUR continuity questions during BCAW 2020…

Thank you for posing your questions to our Agony Aunt to share during Business Continuity Awareness Week. Here are the questions from those who were happy to share them, together with the Agony Aunt’s responses, for the benefit of anyone with similar questions or situations:

Question:

I have been struggling over the past year with IT changes impacting my BC Programme. There seems to be no real link between the BC programme and IT. What is the best way to overcome this?

Answer:

I think the Business Continuity Manager has three tools to employ to address this common problem: the Business Impact Analysis, Change Management and Risk Management.

An effective BIA will allow you to identify the business need placed upon an IT system or asset (in terms of resilience and recoverability), and allow you to compare requirement against capability, therefore highlighting gaps to your IT team. But this is only looking at the current situation of course, so I would suggest that the next tool is effective Change Management.

The Business Continuity Manager needs to have a close relationship with the IT Change Board, ideally being part of the sign off process of any change – how can you assure the resilience of the organisation if you don’t know about changes? Attend the change board, have a relationship with the people running the process, use your expertise to help shape an acceptable outcome. Ideally, you should also be involved at the point that new services are designed to make sure that resilience and recovery strategies are factored in at the outset rather than as an afterthought.

Lastly, ensure that any gap or issue identified is recorded on your risk register. This will then allow those in the business empowered to make decisions to consider all the facts and decide to act, or not as the case may be, based upon their appetite. At that point at least you have made the issue visible and people can make an informed choice. You can then accommodate the final position into your planning.

Question:

Work from Home (that perhaps became the only solution for almost all organisations during this Covid-19 Pandemic) is “Intrusion of the Corporate in the Home” – do you agree?

Answer:

Work from home could be deemed as an “Intrusion of Corporate in the home” by employees if an organisation fails to provide the appropriate equipment to physically allow staff to work from home and implement the security measures to ensure its safety. Otherwise, employees may eventually perceive work from home as a burden and “intrusion in the home”. For example, employees may come to this conclusion if the organisation has not provided work laptops, PCs or supporting equipment but expects employees to work from their personal device. As a result, employees may expect more from their companies going forward if they are expected to work from home regularly and long term. For instance, employees going forward may expect their Wi-Fi, printer, ink, anti-virus software, desk and chairs to be provided by their organisation (more than the usual). The other factor to consider with work from home is the health & safety of the worker in that environment (such as ergonomic chairs to ensure no back injuries etc.). Otherwise, over time, staff may become more reluctant to work from home if they are expected to incur these associated costs both personally and physically.

Also, for me, the biggest issue with work from home as a strategy is the increased security risk. The organisation will go from one single controllable point of risk (the network) to a significant number of uncontrollable risk points (employees’ home internet connections and potentially their home devices). As a result, employees may feel that if they are processing work-related information on their personal devices, which they do not normally do, there is a greater risk of them being a target for cyber-attack within their home, which may compromise their other personal devices used in the home. To conclude, the more security and physical controls an organisation puts in place for their employees, the less likely the employees will perceive this as an “Intrusion of the Corporate in the home” and the better for the organisation’s own security.

Question:

Covid-19 will likely have exposed many weaknesses in many organisations’ preparedness to deal with such an event, and may have clearly highlighted the extent, or lack, of preparedness in place. How do you think those responsible for increasing organisational resilience (for increasing responder competence and capability, e.g. in the disciplines of emergency response, crisis management, continuity and recovery) should prepare for criticism of their programmes and programme outcomes?

Answer:

For illustrative purposes, let’s assume the person responsible for managing the resilience programme is the BC Manager. Therefore, from their experience, they should be looking to arrange a Post Incident Review (PIR) with pivotal parts of the organisation who were either involved in or impacted by the crisis. This will enable the BC Manager to create a safe environment for open discussions and constructive feedback on what went well and what didn’t go so well, whereby risks will be identified and lessons learnt. The information captured could then be implemented as part of the programme to ensure a continuous lifecycle of improvements and closure of risks. Besides, where someone might regard negative feedback on the programme as a “weakness”, the fact that it has been highlighted should be taken positively as a desire for further preparedness in that particular area and to strengthen the programme.

In addition to this, the BC Manager should look to ascertain external information, e.g. by networking with other BC industry experts or attending industry-specific conferences to identify common gaps and impacts experienced by similar companies or the wider industry as a result of COVID-19. This will be helpful for the BC Manager to determine whether most of the organisation’s gaps which constitute the “weaknesses” are internally or externally driven and, most importantly, help to identify the themes of what went wrong. This could help the BC Manager to make better informed decisions on solutions and thus budget and resources in order to improve the programme. It will also mean that the BC Manager may be able to discover best practice and implement widely used controls adopted by other organisations into the programme (these will still need to be fit for purpose for your organisation). In summary, COVID-19 has highlighted that prior to the crisis many organisations did not invest in planning for a country-wide lockdown, for mass-concurrent homeworking or for compensating for mass staff absence – very few indeed considered the scenario of ‘a total loss of customers for more than a month or the collapse of the entire customer base’. The scope of preparedness programmes is defined by organisational risk appetite, so any expression of dissatisfaction with the current level of preparedness should be taken as simply an indicator of a potential change in risk appetite which warrants further investigation and treatment, and a valuable opportunity to seek investment to improve the programme.

Question:

What is your opinion on Adaptive Business Continuity – should we all be scrapping the BIAs?

Answer:

Adaptive Business Continuity is an interesting concept, and should be applauded as a way to make people think about modernising the industry’s approach to BC. However, I think that many seasoned business continuity professionals are by nature ‘adaptive’, tailoring their approach based on what works for their business or their clients. I believe that the Business Impact Analysis definitely still has a place in a modern BC programme, but it needs to be appropriate. Many practitioners do fall into the trap of overcomplicating the process, creating a burden for themselves and their network of respondents within the business. I think the BIA should be adapted to fit your specific requirements and outcomes, capture information that is going to be used in your programme and plans, but nothing more. Keep it as simple and as relevant as possible because people will lose interest.

Question:

What is the difference between a BC Plan and a Crisis Plan and can they be the same document? We are a fairly small business with no BC manager and it seems overkill to have different documents.

Answer:

The documents traditionally have differing scopes, purposes and audiences. A Crisis Plan outlines the processes to respond to a major incident or adverse situation across an organisation, with senior managers from across the business using the plan to help make strategic decisions and manage the crisis. The Business Continuity Plan (BCP) typically is a guide used in the event of a crisis applicable to areas of an organisation as opposed to the whole organisation, e.g. a department or office, containing more specific response strategies. BCPs could be implemented at a variety of levels within an organisation depending upon the scope of the plan in question. Operational leads for the target business area tend to use these documents to manage the implementation of the recovery processes. Both documents will be intended for use during a crisis and are based upon pre-agreed processes; they differ in terms of the level of detail (high level vs low level) and are aimed at different audiences.

In response to your latter question, yes, you can combine both plans and for smaller organisations it is often more practical to do so. When bringing the processes and information together, my tips would be:

  • Consolidate data and think about the layout to avoid repetition and creating a document that is too unwieldy to use.
  • Create sub-groups or teams within the plan to allow for a scaled response to varying crises, with clear direction on how to escalate further if necessary.
  • Keep the data you hold within the plan at the right level for the purpose it is intended, summarising key data gathered in your BIA and leaving the low-level detail within the individual BIAs for reference; include any supporting information that you do wish to have to hand as appendices.
  • Conduct a Plan Walkthrough with all those concerned with the new Combined BC & Crisis Plan so they become familiar with the new plan, the logistics of how the team(s) will work together (and separately at times) and, most importantly, their roles and responsibilities.
  • Last but not least, utilise the Crisis Exercise to test whether the Plan itself is feasible as a combined document.

Question:

Our business has a “legacy” IT system which is actually still core to the business to some extent. Backups are taken and there is a DR plan, but it hasn’t had a full test for years. It should be decommissioned in a year and replaced with a newer IT system. The easiest course of action seems to be to do nothing and wait for the new system, what do you think?

Answer:

Following good ITDR practices, the best course of action would be to put controls in place as opposed to doing nothing whilst you await the new IT service. There are two key risks around this point that your organisation needs to consider:

  • What would the impact be if the legacy IT service had a major outage (which needs IT disaster recovery) before the migration to the new service?
  • What level of continued exposure to risk would there be if migration to the new IT service were delayed?

There are a number of factors that could influence the decision to test or not test the ITDR capability of this system; my advice would be that, as a minimum, you seek to facilitate a technical workshop with the IT team. The aim would be to understand how to recover the legacy system and whether the technical arrangements and equipment are in place. Prompt the team by asking questions around: the impact of a service outage, the level of confidence they have that the service could be recovered, and how out of date the data would be if recovered from backups. The impact and business appetite for the risk should drive the decision around your situation, not necessarily the timescales that the risk will exist for.

Question:

In light of the COVID-19 pandemic we are living through this year and possibly beyond, what are the learning points businesses can take to improve their pandemic preparedness in future?

Answer:

I would suggest that the two things we have learned the most about are our people and our technology.

Our people are our most important asset. A happy, healthy and productive workforce is paramount to the resilience of the organisation, especially in times of crisis. What we have found in the current pandemic is that most of our staff are extremely resilient, but not all have adapted to the change in working practices, and in some cases the isolation of working from home has resulted in unforeseen issues relating to mental and physical wellbeing, creating stresses for those who are vulnerable or carers for example. Going forward we should be factoring in who can, and most importantly cannot adapt to these changes. By factoring this in, an organisation can plan more effectively before a pandemic, and help staff adapt, providing support, tools, and activities for their people during the pandemic. When the dust settles, having more in-depth knowledge of your people will allow you to effectively plan for a phased recovery, taking into consideration the various needs of your staff and how best to bring them back into a more regular working pattern. Questionnaires are a good tool I have seen employed to regularly ‘take the temperature’ of the workforce, allowing for greater insight and assisting your planning.

In the current pandemic, we have all taken a massive leap in terms of our ability to work more flexibly away from an office environment, our IT teams seemingly performing miracles to get us all online – but not everything has worked. We now fully understand what can, and again almost as importantly, cannot be carried out from home, and we must learn from that. The technology to work from anywhere has been around for decades, so why weren’t we all doing it already? There are reasons why some roles cannot and should not be carried out away from a controlled environment (access to restricted systems and data, security, privacy, compliance, lost productivity, heavy interaction with other teams etc.). We have accepted certain compromises because we have found ourselves in an extreme situation, but going forward we have no excuse to accept these compromises because we now know about them. Our planning now needs to reflect that – put in place the processes and tech fixes now that protect us, but also have alternative mechanisms in place to support roles that need more oversight and control, such as planning to adapt your offices into socially distanced or separated working environments.

One final useful tool – Horizon Scanning. Looking further in advance to understand what challenges are ahead and preparing for them is always preferable to reaction. Many organisations were caught napping when Covid-19 hit and were complacent.

Question:

Following the Covid-19 outbreak, I’ve now got near to 100% of my staff capable of working from home with laptops and softphones. Is this a sustainable strategy going forward and does it introduce any other risks I need to think about?

Answer:

To conclude whether work from home as the only strategy is viable, I suggest you assess in detail your existing environment with regard to the nature of your business, regulatory requirements, long-term impacts to critical services, customers, staff etc. Consider using tools to aid your analysis and decision making, such as PESTLE (Political, Economic, Social, Technological, Legal and Environmental) analysis to help you understand the profound impact of the strategy on your organisation, and SWOT analysis (Strengths, Weaknesses, Opportunities and Threats) to identify the internal and external factors.

The key risks which stand out to me are: having one strategy in place increases the risk of a single point of failure, and although you may be able to put a last-minute strategy in place, it will not have been tested in advance to ensure it works. Though it’s not advisable to have several strategies in place for every eventuality, I suggest there is a balance and therefore at least one other alternative strategy, i.e. transfer staff to another site to help spread the risk. Secondly, a single strategy may not meet the needs of all staff from a welfare perspective. It may not be feasible for the critical product or service where there is a regulatory need, e.g. for onsite documentation storage in the fireproof cabinet, onsite printing and collection of deeds, telephony recording etc. With increased work from home come increased cyber risks. So IT will need to ensure increased education and awareness for staff in relation to cybersecurity scams and enhance information security and compliance to eradicate any work from home “short cuts” implemented by IT or staff.

To conclude, companies should look to have a considered, adaptable and prepared approach by having alternative and tested strategies in place to deal with the forever changing environment, which may present new risks and challenges.