Business continuity communication– the weakest link?Regus / URM Business Continuity Survey
Regus / URM Business Continuity SurveyBusiness continuity communication – the weakest link?Background Existence of Business Continuity PlansWith the introduction of ISO 22301, the new It seems that whilst organisations are aware of theInternational Standard for Business Continuity importance of BC, it can be argued they are not doingManagement, Ultima Risk Management (URM) and enough to plan and prepare for future incidents andRegus took the opportunity at the end of 2012 to events. This appears to be particularly true for SMEs,conduct a survey with the objective of assessing the with 30% of those respondents with less than 50 staffcurrent status of Business Continuity (BC) in the UK reporting they had no Business Continuity plans (BCPs)and the likely impact of the new Standard. Of the 200 in place (compared to 16% overall).organisations who completed the survey, the vast Smaller organisations may be thinking that such plansmajority were from the private sector and represented are not needed or they are not a priority. However, it isboth manufacturing and service organisations. There argued that having an effective response mechanism inwas also a wide spread in terms of organisation size i.e. place against different disruption scenarios , includingfrom SMEs to large corporates. The results provided loss of key staff, single points of failure and denial ofsome interesting insights into existing BC practices access to key buildings/sites, are highly relevant issuesand, in particular, to those areas which represent the for SMEs.biggest challenges to UK businesses. Any organisation, no matter what size or industry, wouldImpact of ISO 22301 suffer some level of adverse impact in the event of a disruption. Many businesses may consider that peopleOverall, there was quite a high awareness of ISO 22301, within their organisation are capable of ‘thinking on theirwith 62% of survey respondents looking to comply or feet’ and they would just ‘know’ how to deal with ancertify with the new Standard. One of the key perceived incident, but there is a lot more to Business Continuityimpacts of the Standard was in the use of ISO 22301 than just ‘thinking on your feet’. Furthermore, it begsin tenders. the question of what happens ‘if those individualsNearly 2 out of 3 of respondents believed that capable of thinking on their feet are not available?’ISO 22301 will become an essential requirement Business Continuity planning includes ensuringto bid for high value tenders and 58% believed the the people involved with the response and recoverysame to be true for general tenders. However, most processes have the appropriate skills, competenciesrespondents were not anticipating an immediate and have been trained to deal with an incident,impact i.e. for those who anticipate it becoming a no matter what form it may take. It also ensures thatrequirement, 57% were not expecting it to become every key role within the process has a deputy who isessential for 3 years or more. also trained with the necessary skills and competencies, if required.Senior Management InvolvementOne of the positive findings was the high percentageof senior managers who were involved to some degreein BC, with only 2% reporting no involvement. Seniormanagement involvement is widely recognised as a keyrequirement in any successful BC implementation andis featured prominently as a requirement in the newISO 22301 Standard. Given this statistic, one couldassume that Business Continuity is being givensignificant focus within organisations. However, thesurvey points to a number of weaknesses in termsof BC arrangements.
Importance of Business Impact Analysis (BIA) External ConcernsWhilst the statistic of 5 out of 6 responding Apart from internal communication issues, theorganisations having BCPs in place may appear to be Regus/URM survey also found that 27% of respondentsacceptable/impressive, it has to be questioned what reported that BC in the supply chain was their majorthe plans are based upon. There is little benefit in external concern. Although 73% of all respondents hadhaving a BCP in place, if you are not protecting your identified their critical suppliers, far fewer organisationskey products and services. Before an organisation had taken proactive steps to address BC arrangementsdevelops effective BCPs, good practice dictates that with them. It seems that the larger organisationsit needs to determine what it needs to recover - its have a slightly better handle on things. 52% of the‘critical processes’. What really needs to be recovered organisations responding to the survey indicated thatand how quickly is best determined by assessing the they had discussed the subject with their suppliers, butimpact of a disruption on the business, be that from a this fell to only 35% for businesses who employed lessfinancial, operational, contractual or health and safety than 50 people. When asked whether they require theirperspective. If an organisation does not know the supply chain to have exercised / tested their plans, theanswer to these questions, it is quite possible that any numbers dropped drastically to 29% andplans developed will be based on someone’s guess 18% respectively.work, the wrong parts of the business or the wrong An organisation is only as strong as its weakest link.recovery requirements. The process of uncovering this It doesn’t matter how robust the BCPs and processesinformation is called a business impact analysis, or ‘BIA’. are, if an organisation’s critical suppliers cannot provideOf the 200 organisations surveyed, 26% said that they the level of service required.had not carried out a BIA. It can thus be hypothesised thatof the 84% of respondents who reported having BCPs Conclusionin place, some of these may be focussing their recoveryefforts around the wrong business processes or incorrect The Regus / URM BC survey is a lesson to us allrecovery requirements. that organisations need to communicate about Business Continuity more regularly (whether internally or to their suppliers).Internal Communication Identiﬁcation of critical processes (via BIA)Apart from conducting BIAs, another critical (and often is essential so that more appropriate BCPs canneglected) element of good practice BC is internal be developed.communication. What if employees don’t know whatis contained within the BC plans or what their roles or Effective communication to staff through exercising,responsibilities are in the event of a disruption? One training and awareness is vitally important to ensureof the key findings and concerns emerging from the that should the unforeseen happen, everyone knowsRegus/URM survey relates to BC awareness levels. what their roles and responsibilities are and can focusWhen asked what their biggest BC concerns were, on recovery and ensuring the business continues.28% of all organisations surveyed reported ‘a lack A more proactive approach when dealing with keyof awareness of BC arrangements’. This figure rose suppliers will ensure that services continue in the eventto 35% for those organisations with more than 250 of an incident.employees. Only 46% of survey respondents indicatedthat they issued regular BC communications to theiremployees; for smaller organisations with less than 250employees, this figure fell to 32%.Knowing that the plans exist is only one element of BCawareness though. Staff need to be given specific BCresponsibilities and should be trained and participate inexercises to ensure that they are competent enough tocarry those responsibilities out.If an incident occurs, every organisation needs toknow which members of staff (primary role holders anddeputies) will keep the business going. Businesses of allsizes will benefit from increased internalBC Communication.
About Regus Regus is the world’s largest provider of flexible workplaces, with products and services ranging from fully equipped offices to professional meeting rooms, business lounges and the world’s largest network of video communication studios. Regus enables people to work their way, whether it’s from home, on the road or from an office. Customers such as Google, GlaxoSmithKline, and Nokia join hundreds of thousands of growing small and medium businesses that benefit from outsourcing their office and workplace needs to Regus, allowing them to focus on their core activities. About Ultima Risk Management (URM) Ultima Risk Management (URM) specialises in delivering consultancy and training in the areas of Business Continuity, information security and risk management. A particular niche skill of URM is in assisting organisations comply with the relevant British and International Standards, most notably ISO 27001 and ISO 22301 (and its predecessor BS 25999). To date, URM has assisted over 60 organisation from both the public and private sectors certify to these Standards. In addition, URM is also a Payment Card Industry Qualified Security Assessor (PCI QSA) which means that it has been certified by the PCI Security Standards Council (PCI SSC) to assess organisations’ compliance to PCI DSS.Regus / URM Business Continuity Survey – April 2013