Monthly Archives: September 2011

Business Continuity and the joy of getting it right

Effective resource allocation can come from Threat Assessment as the starting point for Business Continuity

I was encouraged to hear that  Business Continuity adoption amongst managers has risen 2011 vs 2010, according to the CMI Business Continuity Survey 2011

As I read the data, I wondered about the level of threat perceived in some categories. This looks to have resulted in issues being added to BC plans for some businesses, such as Terrorist Damage. I can understand that if this kind of incident were to occur then it is extremely serious and may halt all business. Clearly lots of businesses felt the same way – they perceived major threat and scoped it in to their BC plans. However not as many perceived or scoped the Loss of Water/Sewerage and its potential impact on business. This affected 9% of the businesses surveyed. I am glad I didn’t have occasion to be visiting or working at any of the businesses that experienced Loss of Water or Sewerage…

Another point this data this raised was Extreme Weather, the percentage of businesses who experienced disruption due to Extreme weather, far outstripped the percentage who had perceived or scoped it as a threat.

I find these results to be compelling reasons to take the Threat Assessment approach. Businesses are all impacted by tightening budgets and stretched resource. Placing resource in the right areas and making sure you have all angles covered in your BC plan is even more vital if your resource is tight. Leaving something out of scope because you have not perceived it as a serious threat, such has extreme weather, could cost your business substantially.

On talking to a colleague, one of our Consultants, about this survey he also pointed out the Supply Chain result,

“Only one third (34%) of respondent organisations identified
supply chain disruption as a threat and even fewer (26%) have included this
within the scope of their business continuity response.  Highlighted by
the tragic events in Japan earlier this year and codified in the new ISO 28002
Standard (Resilience in the Supply Chain) we hope strengthened supply chain
planning comes out stronger in follow up studies.”

You can also see this disparity at work when you look at some of the more ‘people or opinion’ based categories. More than half of the surveyed businesses (53%) perceived Loss of Skills to be a major threat and yet only 30% had in in scope. This is even more pronounced when you look at Damage to Reputation/Brand with 51% identifying a major threat and only 24% putting it in scope.

Perceiving a threat is a small part of the equation, getting it in proportion and then making sure you know what other threats your business’ continued operation faces, is vital.


Given the interest in Business Continuity as an enabler, I have an update which you may also find useful. It is a set of FAQ’s and soon it will be posted on our website along with a Jargon Buster.


What is business continuity?

Business continuity is a series of steps organisations take before an interruption has occurred to reduce the impact of an incident, regardless of its cause or effect.

Is business continuity the same as disaster recovery?

Like most professions business continuity management has its own vocabulary which can be confusing to the initiated (see our business continuity jargon buster).  To make matters worse there is not always universal agreement as to which definition is right and some of these terms are hotly debated within the business continuity community!  However most business continuity professionals agree that disaster recovery relates to the restoration and resumption of technology, whilst business continuity (as the name suggests) is wider and also includes people, buildings, information and equipment.

So who should have responsibility for business continuity in an organisation?

There is no one single answer to this and it will depend on the nature (scale, composition and interdependencies) of your organisation.  In most organisations IT will be a critical component to the maintenance and resumption of business services during a disruption (see disaster recovery – above) which will make it very difficult for them to take responsibility for everything else. So unless your senior management can be assured that IT can implement a technology-neutral approach to business continuity it may be advantageous that responsibility for business continuity sits outside of IT.

Advent IM can recommend options for the location of business continuity responsibilities within your organisation.

We already have a business continuity plan.  Do we need to do anything else?

It depends.  Business continuity plans are one of those things that can quickly become outdated and obsolete.  If the plan reflects the needs of the business, is regularly tested and everyone knows what they need to do in the event of an incident then well done – there is not much else to do!  Otherwise you probably need to do a bit more to make your plan a living document.

Advent IM can recommend ways of improving, embedding and testing your business continuity plans.

We are a category 1 or 2 responder under the Civil Contingencies Act.  Do we have to do anything else?

The Civil Contingencies Act 2004 (CCA04) makes it a legal requirement for some public authorities (or those carrying out the role of a public authority) to maintain plans for the purpose of assuring, so far as is reasonably practicable, that if an emergency occurs they are able to continue to perform their functions.  As above, if your planning reflects the needs of the business, is regularly tested and everyone knows what they need to do in the event of an incident then you should give yourself a pat on the back.  If not, then you probably need to do more.  Either way you should consider getting an independent and professional review of your business continuity arrangements.

What is BS25999?

BS25999 is the British Standard for business continuity management since 2006.  The standard is based on underlying principles and is not-prescriptive meaning it is scalable to all organisations, regardless of their size or nature and most approaches to business continuity share common ground with BS25999.  Some organisations choose to align themselves to the standard whilst others choose to become fully accredited.  Depending on the organisation there are benefits and disadvantages to both and we can advise what is best for you and your organisation.  BS25999 is scheduled to be replaced by international standards (ISO22399 / ISO22301) 2012 but the new standards will almost certainly be significantly based on BS25999 anyway.  There is no statutory requirement for BS25999 compliance or accreditation but some organisations (e.g. the finance sector and public authorities) mandate the requirement for business continuity planning.

Business continuity sounds expensive and time consuming.  Are there any benefits?

Firstly it does not have to be expensive.  A lot of good business continuity work focuses on making sure everyone knows what is in place and what they have to do in the event of an incident and does not necessarily involve spending lots of money!  Also, business continuity does not have to be time consuming.  In all but the largest organisations business continuity management is often part of someone’s existing job role rather than a dedicated function, although a good business continuity management system will have inputs from across the organisation, rather than just being the product of one or two individuals.  The benefits of a well conceived and properly delivered system of business continuity management can include:

  • Cost reduction:Business continuity management can help identify opportunities for;  improved resource allocation, risky interdependencies, inefficient business processes, lower      insurance premiums and significantly reduced costs in the event of an incident occurring.
  • Increased performance:  Proven resilience can be a prerequisite to winning business and can provide         opportunities for improving collaborative working and hardening systems and  processes.
  • Reputation: Improved business continuity management can assure clients, stakeholders and employees that you are a professional organisation who behaves professionally.


Advent IM joins the blogosphere…

Security has been in the mainstream press quite a lot recently. None of the coverage has been particularly positive. OK, that’s an understatement.

Against a backdrop of lost patient data discs, children’s files turning up in filling cabinets at second hand office furniture dealers and other mind boggling events, Advent IM has taken to the blogosphere to bring comment, opinion and information.

But its not all bad. Businesses and organisations are seeing the benefit of ISO27001 and really getting to grips with the controls it puts in place to manage so many risks.

As the blog grows we hope to get comment and input from valued contributors. Build relationships and generally push the agenda of using Threat and Risk Assessment based process to make good practice, best practice.

Ellie – Advent IM