Contingency planning: business continuity and crisis management

an article added by: Frank C. at 06032007




Dr David Smith FBCI from the Business Continuity Institute outlines various approaches that can help companies prepare for a business continuity ‘event’, and explains the BCM life-cycle. In August 2002, the Financial Services Authority (FSA) expressed deep concern over the high percentage of its members who did not have a business continuity and/or crisis management capability. They emphasised that a robust, effective and fit-for-purpose preparedness is essential – and complacency is unacceptable – in the face of the challenges and threats that inevitably arise in today’s business climate. This warning is reinforced by the recently published research report [1] of the Chartered Management Institute.

Business continuity management (BCM) is defined by the Business Continuity Institute (BCI) as ‘an holistic management process that identifies potential impacts that threaten an organisation and provides a framework for building resilience and the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities’. The BCI’s use of the term ‘business continuity management’ rather than ‘business continuity planning’ is deliberate because ‘planning’ implies there is a start and end to the process and can lead to unwanted planning bureaucracy. BCM is, by necessity, a dynamic, proactive and ongoing process. It must be kept up to date and fit for purpose to be effective. The key objectives of an effective BCM strategy should be to:

- ensure the safety of staff;
- maximise the defence of the organisation’s reputation and brand image;
- minimise the impact of business continuity events (including crises) on customers/clients;
- limit/prevent impact beyond the organisation;
- demonstrate effective and efficient governance to the media, markets and stakeholders;
- protect the organisation’s assets; and
- meet insurance, legal and regulatory requirements.

However, BCM is not only about disaster recovery. It should be a business-owned and driven process that unifies a broad spectrum of management disciplines (see Figure 6.1.1). In particular, it is not just about IT disaster recovery.

Too many organisations tend to focus all their efforts on IT because of its mission-critical nature, leaving themselves exposed on many other fronts. Because of its all-embracing nature, the way BCM is carried out will inevitably be dependent upon, and must reflect, the nature, scale and complexity of an organisation’s risk profile, risk appetite and the environment in which it operates. Inevitably, too, BCM has close links to risk management and corporate governance strategies. The importance of a holistic approach across these areas was reinforced in the Turnbull Report (1998). As an organisation can never be fully in control of its business environment, it is safe to assume that all organisations will face a business continuity event at some point. Although this simple reality has been etched in high-profile names such as Bhopal, Piper Alpha, Perrier, Barings Bank, Challenger, Herald of Free Enterprise, Coca Cola, Exxon Valdez, Railtrack, Canary Wharf, Enron, Andersen, Marconi, Land Rover and the World Trade Centre, experience also teaches that it is the less dramatic but more frequent business continuity events that can be even more problematic to deal with. Unfortunately, it seems that many public and private organisations still think ‘it will not happen to us’.

Changing the corporate culture

Ignoring business continuity issues can happen for a number of reasons, ranging from denial through disavowal to rationalisation. A process of ‘group think’ can develop, whereby an organisation genuinely starts to believe that its size, or some other feature, makes it immune to disaster. Or executives may firmly believe that insurance will cover them, without realising that insurance cannot indemnify against lost market share, loss of reputation or tarnished brands. Research shows that crisis-prone organisations tend to exhibit these tendencies seven times more often than crisis-prepared organisations. Whilst all individuals may make use of such defence mechanisms from time to time, the key difference is the degree, extent and frequency with which they are used. Changing such mindsets is not easy, and blindly implementing so-called ‘best practice’ business continuity techniques is not the best approach. As all organisations are different, techniques that work in one organisation will not necessarily work in another. Most executives tasked with addressing business continuity issues are keen to achieve quick wins, and the ‘tick box’ audit approach, which tries to copy successful strategies used elsewhere, is often adopted without consideration as to suitability. Underlying the ‘tick box’ approach is the persuasive belief that a structure, policy, framework and plan is all that is required. Whilst these are critical enablers, relying on structure alone tends to overlook the key issue – that it is people who actually deal with business continuity and crises. In this context, it is worth remembering (and reminding all senior executives) that ‘managerial ignorance’ is no longer an acceptable legal or moral defence if a crisis is handled badly. All managers should consider the following key questions that are likely to be asked in a subsequent inquiry:

- When did you know there was a problem?
- What did you do about it?
- If you didn’t do anything, why not?
- If you didn’t know there was a problem, why not?
- What would you have done if you had known such a problem could exist?

Avoiding planning bureaucracy

There is no doubt that some sort of business continuity plan is essential. The plan becomes a source of reference at the time of a business continuity event or crisis, and the blueprint upon which the strategy and tactics of dealing with the event/crisis are designed. In particular, it can provide essential guidance on damage limitation in those short windows of opportunity that often occur at the beginning of a crisis. Unfortunately, reputations and trust that have been built up over decades can be destroyed within minutes unless vigorously defended at a time when the speed and scale of events can overwhelm the normal operational and management systems. A further and critical reason for having a planning process is so that the individuals who are required to implement the plan can rehearse and test what they might do in different situations.

Scenario planning exercises are a very helpful technique for destruct-testing different strategies and plans. Having said this, it is simply not possible to plan for every eventuality, and if you try to, there is a great danger of creating ‘emergency’ manuals that are simply too heavy to lift. A trade-off needs to be achieved between creating an effective fit-for-purpose capability and relying on untrained and untried individuals and hoping they will cope in an emergency. The gap between the plan and those who carry it out can be bridged by formal tuition and/or simulations. The well-known maxim that a team is only as strong as its weakest link is worth remembering here. The exercising of plans, rehearsing of team members and testing of solutions, systems and facilities are the elements that provide and prove an effective and fit-for-purpose capability. However, simulations are not easy to devise, and because of this, many organisations do not venture beyond the development of a plan. They are, nevertheless, the best way to avoid planning bureaucracy.

Using good practice guidelines – a different approach

Because of the caveats listed earlier, the BCI’s ‘Business Continuity Management Good Practice Guidelines’ are not intended to be a restrictive, exhaustive or definitive process to cover every eventuality within BCM. Instead, they set out to establish the generic process, principles and terminology; describe the activities and outcomes involved; and provide evaluation techniques and criteria. These guidelines draw together the collective experience, knowledge and expertise of many leading professional members and fellows of the BCI and other authoritative professional organisations. In particular, the guidelines reflect the following BCM principles:

- BCM and crisis management are an integral part of corporate governance;
- BCM activities must match, focus upon and directly support the business strategy and goals of the organisation;
- BCM must provide organisational resilience to optimise product and service availability;
- As a value-based management process, BCM must optimise cost efficiencies;
- BCM is a business management process that is undertaken because it adds value rather than because of governance or regulatory considerations;
- The component parts of an organisation own their business risk;
- The management of the business risk is based upon their individual and aggregated organisational risk appetite;
- The organisation and its component parts must be accountable and responsible for maintaining an effective, up-to-date and fit-for-purpose BCM competence and capability;
- All BCM strategies, plans and solutions must be business-owned and driven;
- All BCM strategies, plans and solutions must be based upon the business mission-critical activities, their dependencies and single points of failure identified by a business impact analysis;
- All business impact analysis must be conducted in respect of business products and services in an end-to-end production context;
- There must be an agreed and published organisation policy, strategy, framework and exercising guidelines for BCM and crisis management;
- The organisation and its component parts must implement and maintain a robust exercising, rehearsal and testing programme to ensure that the business continuity capability is effective, up-to-date and fit-for-purpose;
- The relevant legal and regulatory requirements for BCM must be clearly defined and understood before undertaking a BCM programme;
- The organisation and its component parts must recognise and acknowledge that reputation, brand image, market share and shareholder value risk cannot be transferred or removed by internal sourcing and/or outsourcing;
- BCM implications must be considered at all stages of the development of new business operations, products, services and organisational infrastructure projects;
- BCM implications must be considered as an essential part of the business change management process;
- The competency of BCM practitioners should be based and benchmarked against the 10 professional competency standards of the BCI;
- All third parties, including joint venture companies and service providers, upon whom an organisation is critically dependent for the provision of products, services, support or data, must be required to demonstrate an effective, proven and fit-for-purpose BCM capability;
- The standard terms and conditions of any outsourced and/or internal sourcing of products, services, support or data should reflect these good practice guidelines.

Each organisation needs to assess how to apply the ‘good practice’ contained within the guidelines to their own organisation. They must ensure that their BCM competence and capability meets the nature, scale and complexity of their business, and reflects their individual culture and operating environment.

Crisis management

The key elements of a crisis management framework are slightly different to the BCM lifecycle, and include those set out in Figure 6.1.6, but the list should not be seen as restrictive or exhaustive. There are many advantages to adopting a modular approach to a crisis or business continuity situation, not least that it can be easily and quickly modified to suit local, national as well as global requirements. However, in managing any event it is critical to recognise that a successful outcome is judged by both the technical response, and the perceived competence and capability of the management in delivering the business response. The stakeholder perception should be seen as the critical success factor with an equal, if not more urgent, priority over the technical solution. Consequently, the acid test is to convincingly demonstrate an effective and fit-for-purpose business continuity and crisis management capability, and to continue business as usual. This is in contrast to the more familiar pattern of a fall and recovery of a business, which is more representative of the outdated disaster recovery and business resumption approaches.

Conclusions

An organisation consists of people, and people at the top who give a cultural lead. As a consequence, business continuity and crisis management are not solely a set of tools, techniques and mechanisms to be implemented in an organisation. They should reflect a more general mood, attitude and type of action taken by managers and staff. Individual personalities play a crucial and critical role. It is the human factor that is frequently underestimated in BCM. This is of particular importance because the examination of the cause of business continuity events and crises usually identifies several warning signals that were ignored or not recognised. The key to a successful crisis and BCM capability is to adopt an holistic approach to validate each of the key building blocks of the process. The first task is always to identify the right people who are not bound as individuals or within the corporate culture. It is on these criteria that the success or failure of creating an effective and fit-for-purpose BCM capability will be determined. Having identified the right people, they should engage in the BCM planning process using the BCI Good Practice Guidelines and training via the exercise simulations of plans, rehearsal of people/teams and testing of systems, processes, technology, structures and communications. The organisation can assist this process by appointing a BCM ‘champion’ at a senior level whose role is to draw together, under a matrix team approach, representatives from the various organisation functions (eg human resources), together with key line-of-business heads to ensure a co-ordinated approach. The key advantage of this approach is that it builds on what already exists and has been done, thereby enabling a ‘virtual capability’ that provides cost efficiency. A further benefit is that it ensures ‘buy-in’ throughout the organisation.

In adopting this methodology and regularly exercising, rehearsing and testing, the organisation maintains an effective, up-to-date and fit-for-purpose BCM and crisis management capability. When a crisis hits the organisation everyone knows what to do and a smooth invocation of the plan takes place, ensuring that the impact on mission-critical activities is minimal.

This article first appeared in the Quartile Review published in January 2003 by the Faculty of Finance and Management of the Institute of Accountants of England and Wales.

Dr David Smith FBCI is Chair of the BCI Education Committee, member of the BCI Board and editor of the BCI Good Practice Guide to Business Continuity Management.

The Business Continuity Institute’s mission is to promote the art and science of Business Continuity Management worldwide. The BCI promotes the highest standards of professional competence and commercial ethics in the provision, maintenance and services for Business Continuity Management (BCM). It provides an internationally recognised certification scheme for BCM managers and practitioners. The BCI Professional Recognition Programme creates a benchmark for the assessment of best practice in the field. There are now over 1250 members of the Institute working in 40 countries across the world. Members are drawn from all sectors including Finance, Government, Health, Transport, Retail and Manufacturing. The BCI is currently working with the FSA and UK Cabinet Office on good practice guides for BCM. For further information contact the Institute on Tel: +44 (0)870 603 8783; Email: TheBCI@btinternet.com; Website: www.thebci.org

Data recovery

Don’t dice with your data, says Gordon Stevenson, Managing Director of Vogon International, and don’t panic in an emergency. If people are a company’s most valuable asset, then data comes a close second. As companies become more dependent on technology for all aspects of their operations, the information contained on computer disks and back-up tapes can mean the difference between continued success and failure. While most companies believe that their data is safe, many may not have set up even the most basic of back-up systems to protect it, and data loss can happen to anyone.

How does data loss happen?

Although data is a valuable commodity, not enough emphasis is placed on protecting this vulnerable asset from loss. While computer hardware and software are fallible, humans are notoriously even more so. Unfortunately many companies and individuals do not have – or do not put into practice – adequate back-up procedures, leaving themselves open to data loss. The majority of problems are caused by human error, such as accidentally overwriting back-up tapes, deleting important files, inadvertently formatting a hard disk or mishandling a laptop. Malicious data loss can also be an issue, particularly where companies fail to make appropriate use of passwords. While there needs to be a balance between the complexity and frequency of password change and the ease with which users can remember them, to have passwords – even at the basic user level – that are common knowledge makes a company unnecessarily vulnerable. It is not unusual to find a list of everyone’s password stored in an easily accessible place within an office, or even a board displaying ‘this week’s password’. Even if your staff are competent and trustworthy, hardware and software can still fail unexpectedly. Operating systems or packages may contain bugs or become corrupt, causing them to malfunction, with consequences such as overwritten data. Power surges from the power supply, or lightning, can also cause damage to computer equipment, and it is possible for the motor or the control board of a hard disk to burn out, locking its data inside, or for the disk just to fail. When disaster strikes on a larger scale, there is always the more dramatic risk of fire and water damage too.

Do nothing

Unfortunately, many companies are not prepared for the reality of hard disk or tape failure and often make a bad situation much worse. Retrievable data is often lost through inappropriate attempts to recover it. Simply rebooting a computer can cause the data to be overwritten permanently, as the system creates temporary files in supposedly unused space. A physically damaged disk can become significantly more damaged, sometimes to the point of no data being recoverable. If a disk has ceased to function, the worst possible course of action is to attempt a DIY repair. To recover their contents, broken hard disks should be opened up in a laboratory environment using special tools and techniques. Even disturbing the screws on the casing of a drive can destroy critical alignments, making reading the data impossible, or perhaps causing the drive to crash if subsequently run. Therefore, when vital data has been lost, the most important first step is to leave everything alone.

Calling in the experts

Whilst commercial data recovery tools exist, their use is not advisable as it is highly unlikely that a software tool written months ago, perhaps a continent away, can accurately diagnose the difference between a corrupted file system and a damaged head. These tools always provide a ‘best guess’ at what the problem is, and then give you the option to ‘go ahead and write to the media’, which is not a particularly safe thing to do. Sometimes it is necessary to write customised programs for individual recoveries. When data has been lost because of software corruption rather than physical damage, extracting and rebuilding the files is the major process in recovery. Data recovery experts, such as Vogon International, do not work directly on the damaged medium itself but use a technique called ‘imaging’ to create an exact copy of the entire contents of a disk.

This allows data to be manipulated and restructured independently of its source, and recovered data can be returned on whatever medium is requested. Tapes are a sequential storage medium and, as such, present their own specialist recovery problems. If a problem occurs at any point along the tape, this can prevent access to data beyond the damage. Recording errors can occur and tapes can also be accidentally overwritten in a way that effectively blocks the ability to read the surviving data. Tapes are also susceptible to snapping, crumpling and extremes of temperature.
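The imaging-then-extraction approach described above, as an added example that is not Vogon's or the article's own code: a small 'disk image' with a wrecked allocation table is constructed in memory, the image's digest is recorded so the working copy can be proven identical to the original, and intact files are located by their standard file signatures and carved out of the copy without a single write to the source. The example goes slightly beyond the text in also showing the failure mode of a truncated file whose footer never arrives; the sector size, the fake image contents and the `recover` function are assumptions of this example.

```python
"""Recover files from a read-only image instead of the damaged medium."""
import hashlib

SECTOR = 512  # assumed sector size for the constructed image

# Standard file signatures: (header, footer). JPEG begins FF D8 FF and ends
# FF D9; PNG begins with its 8-byte signature and ends with the IEND chunk
# followed by that chunk's fixed CRC.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def make_image() -> bytes:
    """Constructed image: a corrupt allocation table, then a JPEG, a PNG and a
    truncated JPEG, each starting on a sector boundary."""
    jpeg = b"\xff\xd8\xff\xe0" + b"J" * 100 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 60 + b"IEND\xaeB`\x82"
    truncated = b"\xff\xd8\xff\xe1" + b"T" * 40          # header, no footer
    corrupt_fs = b"\x00" * 300 + b"\xde\xad" * 106       # 512 bytes of garbage

    def pad(block: bytes) -> bytes:
        return block + b"\x00" * (-len(block) % SECTOR)

    return pad(corrupt_fs) + pad(jpeg) + pad(png) + pad(truncated)


def image_digest(image: bytes) -> str:
    """Digest used to prove the working copy matches what was read from the medium."""
    return hashlib.sha256(image).hexdigest()


def carve(image: bytes) -> list:
    """Scan sector by sector for known headers and return (offset, kind, data).
    A header with no matching footer is reported nowhere: guessing where a
    damaged file ends would only manufacture a corrupt 'recovery'."""
    found = []
    for off in range(0, len(image), SECTOR):
        for kind, (head, foot) in SIGNATURES.items():
            if image.startswith(head, off):
                end = image.find(foot, off + len(head))
                if end == -1:
                    continue
                found.append((off, kind, image[off:end + len(foot)]))
    return found


def recover(medium: bytearray) -> dict:
    """Image the medium once (one read, never a write), then carve from the copy."""
    image = bytes(medium)                  # the 'imaging' step
    assert image_digest(image) == image_digest(medium)
    files = carve(image)
    return {"digest": image_digest(image),
            "files": [(off, kind, len(data)) for off, kind, data in files]}


if __name__ == "__main__":
    result = recover(bytearray(make_image()))
    print(result["digest"])
    for off, kind, size in result["files"]:
        print(f"offset {off}: {kind}, {size} bytes")
```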

Protecting yourself

‘Don’t panic’ is the first piece of advice to remember in a data loss emergency, and ‘do nothing’ – except call the experts – is the second. However, there are a number of simple steps you can take to protect your company against disaster.

- Put in place a regular, reliable back-up regime and make sure that it is strictly implemented by trained personnel. This should include a verification process to make sure that the back-ups work and are recording the correct files.
- Duplicate the back-up to a second type of media so that if one fails the other is available.
- Monitor the back-up to ensure that it has taken place, and watch out for signs of anything unusual in the way the system operates. Record the results of back-ups on hard copy to help make this comparison.
- Keep at least one set of back-up tapes off site so that, if your premises burn down or are flooded, you will not lose your data. This is standard business continuity best practice and easy to implement.
- Back up before installing any new software. This may be a chore but it is essential!
- If possible, leave your systems on all the time in consistent environmental conditions – hardware failure happens most often at start-up and shut-down.
- Keep up with technology. Back-up tapes that can only be read with a drive that hasn’t been manufactured since 1989 will be inaccessible when the elderly device breaks down.

Computers are not infallible and any piece of hardware will eventually fail. No company would leave its business premises unprotected by failing to install smoke detectors, burglar alarms and fire extinguishers, or by leaving its doors unlocked overnight. Protecting data, and knowing what to do in the event of an emergency, should be as much of a priority for all organisations.

Vogon International has rapidly become a global leader in data recovery from all types of computer storage media, as well as data conversion and computer investigation. Its client base ranges from commercial business to law enforcement agencies and tax authorities throughout the EU, Asia and North America. With over 17 years’ experience, Vogon operates worldwide from its base in Oxfordshire, England. Vogon GmbH is based in Munich, Germany, and Vogon LLC is based in Oklahoma, USA; both are wholly-owned subsidiaries of Vogon International. For further information contact: Sandie Stevenson. Tel: +44 (0)1869 355 255, or see the website at www.vogon-international.com
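The first three steps of the back-up regime above (verify that the back-up recorded the right files, duplicate it to a second medium, and check the result) as an added example that is not the article's or Vogon's own code. It builds a SHA-256 manifest of the source files, copies them to two independent destinations that stand in for two media, and re-hashes every copy against the manifest, so a silently corrupted file on one medium is reported rather than discovered at restore time. The source files and both destinations are constructed in a temporary directory so it runs offline.

```python
"""Verified back-up: hashed manifest, two media, independent verification."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large back-up sets do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(source: Path) -> dict:
    """Map each file path relative to `source` to its SHA-256 digest."""
    return {
        str(p.relative_to(source)): sha256_file(p)
        for p in sorted(source.rglob("*")) if p.is_file()
    }


def backup(source: Path, dest: Path, manifest: dict) -> None:
    """Copy every manifested file to `dest` and store the manifest beside them,
    so the medium can be verified on its own later (e.g. the off-site set)."""
    for rel in manifest:
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(source / rel, target)
    (dest / "MANIFEST.json").write_text(json.dumps(manifest, indent=1))


def verify(dest: Path, manifest: dict) -> dict:
    """Re-hash every copy on `dest`; the report is what goes on the hard-copy log."""
    report = {"missing": [], "corrupt": [], "ok": 0}
    for rel, digest in manifest.items():
        copy = dest / rel
        if not copy.is_file():
            report["missing"].append(rel)
        elif sha256_file(copy) != digest:
            report["corrupt"].append(rel)
        else:
            report["ok"] += 1
    return report


def demo() -> dict:
    """Back up a constructed source to two 'media', damage one copy, verify both."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        (src / "accounts").mkdir(parents=True)
        (src / "accounts" / "ledger.csv").write_text("2003-01,4200.00\n")
        (src / "notes.txt").write_text("board minutes\n")
        manifest = build_manifest(src)

        media_a = Path(tmp) / "tape_a"   # first medium (constructed)
        media_b = Path(tmp) / "disk_b"   # second, independent medium (constructed)
        backup(src, media_a, manifest)
        backup(src, media_b, manifest)

        # Simulate a silent write error on the second medium.
        (media_b / "notes.txt").write_text("board minutes\x00\n")
        return {"tape_a": verify(media_a, manifest),
                "disk_b": verify(media_b, manifest)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```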
