MANAGEMENT QUARTERLY January 2003
RISK – OPERATIONS




Business continuity and
crisis management


No organisation can have complete control over its business environment. It is therefore essential for companies to have a business continuity management (BCM) and crisis management capability, in case of crisis or disaster. Dr David Smith outlines various approaches that can help companies prepare for a business continuity ‘event’, and explains the BCM life cycle.


In August 2002, the Financial Services Authority (FSA) expressed deep concern over the high percentage of its members who did not have a business continuity and/or crisis management capability.¹ They emphasised that a robust, effective and fit-for-purpose preparedness is essential, and complacency is unacceptable, in the face of the challenges and threats that inevitably arise in today’s business climate. This warning is reinforced by the recently published research report of the Chartered Management Institute.²

Business continuity management (BCM) is defined by the Business Continuity Institute (BCI) as ‘an holistic management process that identifies potential impacts that threaten an organisation and provides a framework for building resilience and the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities’.

The BCI’s use of the term ‘business continuity management’ rather than ‘business continuity planning’ is deliberate because ‘planning’ implies there is a start and end to the process and can lead to unwanted planning bureaucracy. BCM is, by necessity, a dynamic, proactive and ongoing process. It must be kept up-to-date and fit-for-purpose to be effective.

The key objectives of an effective BCM strategy should be to:

• ensure the safety of staff;
• maximise the defence of the organisation’s reputation and brand image;
• minimise the impact of business continuity events (including crises) on customers/clients;
• limit/prevent impact beyond the organisation;
• demonstrate effective and efficient governance to the media, markets and stakeholders;
• protect the organisation’s assets; and
• meet insurance, legal and regulatory requirements.

However, BCM is not only about disaster recovery. It should be a business-owned and driven process that unifies a broad spectrum of management disciplines (see Figure 1 on page 28). In particular, it is not just about IT disaster recovery. Too many organisations tend to focus all their efforts on IT because of its mission-critical nature, leaving themselves exposed on many other fronts.

Because of its all-embracing nature, the way BCM is carried out will inevitably be dependent upon, and must reflect, the nature, scale and complexity of an organisation’s risk profile, risk appetite and the environment in which it operates. Inevitably, too, BCM has close links to risk management and corporate governance strategies. The importance of a holistic approach across these areas was reinforced in the Turnbull Report (1998).

As an organisation can never be fully in control of its business environment, it is safe to assume that all organisations will face a business continuity event at some point. Although this simple reality has been etched in high-profile names such as Bhopal, Piper-Alpha, Perrier, Barings Bank, Challenger, Herald of Free Enterprise, Coca Cola, Exxon-Valdez, Railtrack, the Canary Wharf bombing, Enron, Anderson, Marconi, Landrover and the World Trade Centre, experience also teaches that it is the less dramatic but more



FACULTY OF FINANCE AND MANAGEMENT                                                                                     27




frequent business continuity events that can be even more problematic to deal with. Unfortunately, it seems that many public and private organisations still think, ‘it will not happen to us’.

Figure 1: The unifying process. [Diagram labels: BUSINESS CONTINUITY MANAGEMENT; Risk management; Emergency management; IT disaster recovery; Facilities management; Supply chain management; Health and safety; Environmental management; Crisis management; Knowledge management; Human resources; Security; Communications and PR.]

Changing the corporate culture

Ignoring business continuity issues can happen for a number of reasons, ranging from denial through disavowal to rationalisation. A process of ‘group think’ can develop whereby an organisation genuinely starts to believe that their size, or some other feature, makes them immune to disaster. Or executives may firmly believe that insurance will cover them, without realising that insurance cannot indemnify against lost market share, loss of reputation or tarnished brands.

Research shows that crisis-prone organisations tend to exhibit these tendencies seven times more often than crisis-prepared organisations.³ Whilst all individuals may make use of such defence mechanisms from time-to-time, the key difference is the degree, extent and frequency with which they are used.

Changing such mindsets is not easy, and blindly implementing so-called ‘best practice’ business continuity techniques is not the best approach. As all organisations are different, techniques which work in one organisation will not necessarily work in another. Most executives tasked with addressing business continuity issues are keen to achieve quick wins, and the ‘tick box’ audit approach, which tries to copy successful strategies used elsewhere, is often adopted without consideration as to suitability.

Underlying the ‘tick box’ approach is the persuasive belief that a structure, policy, framework and plan is all that is required. Whilst these are critical enablers, relying on structure alone tends to overlook the key issue – that it is people who actually deal with business continuity and crises.

In this context, it is worth remembering (and reminding all senior executives) that ‘managerial ignorance’ is no longer an acceptable legal or moral defence if a crisis is handled badly. All managers should consider the following key questions that are likely to be asked in a subsequent inquiry:

• when did you know there was a problem?
• what did you do about it?
• if you didn’t do anything, why not?







• if you didn’t know there was a problem, why not?
• what would you have done if you had known such a problem could exist?

Avoiding planning bureaucracy

There is no doubt that some sort of business continuity plan is essential. The plan becomes a source of reference at the time of a business continuity event or crisis, and the blueprint upon which the strategy and tactics of dealing with the event/crisis are designed. In particular, it can provide essential guidance on damage limitation in those short windows of opportunity which often occur at the beginning of a crisis.

Unfortunately, reputations and trust that have been built up over decades can be destroyed within minutes unless vigorously defended at a time when the speed and scale of events can overwhelm the normal operational and management systems.

A further and critical reason for having a planning process is so that the individuals who are required to implement the plan can rehearse and test what they might do in different situations. Scenario planning exercises are a very helpful technique for destruct-testing different strategies and plans.

Having said this, it is simply not possible to plan for every eventuality, and if you try to, there is a great danger of creating ‘emergency’ manuals that are simply too heavy to lift. A trade-off needs to be achieved between creating an effective fit-for-purpose capability and relying on untrained and untried individuals and hoping they will cope in an emergency.

The spanning of the gap between the plan and those who carry it out can be achieved by either formal tuition and/or simulations. The well-known maxim that a team is only as strong as its weakest link is worth remembering here.

The exercising of plans, rehearsing of team members and testing of solutions, systems and facilities are the elements that provide and prove an effective and fit-for-purpose capability. However, simulations are not easy to devise, and because of this, many organisations do not venture beyond the development of a plan. They are, nevertheless, the best way to avoid planning bureaucracy.

Using good practice guidelines – a different approach

Because of the caveats listed earlier, the BCI’s ‘Business continuity management good practice guidelines’ are not intended to be a restrictive, exhaustive or definitive process to cover every eventuality within BCM. Instead, they set out to establish the generic process, principles and terminology; describe the activities and outcomes involved; and provide evaluation techniques and criteria.

These guidelines draw together the collective experience, knowledge and expertise of many leading professional members and fellows of the BCI and other authoritative professional organisations. In particular, the guidelines reflect the following BCM principles:

• BCM and crisis management are an integral part of corporate governance;
• BCM activities must match, focus upon and directly support the business strategy and goals of the organisation;
• BCM must provide organisational resilience to optimise product and service availability;
• as a value based management process BCM must optimise cost efficiencies;
• BCM is a business management process that is undertaken because it adds value rather than because of governance or regulatory considerations;
• the component parts of an organisation own their business risk; the management of the business risk is based upon their individual and aggregated organisational risk appetite;
• the organisation and its component parts must be accountable and responsible for maintaining an effective, up-to-date and fit-for-purpose BCM competence and capability;
• all BCM strategies, plans and solutions must be business owned and driven;
• all BCM strategies, plans and solutions must be based upon the business mission critical activities, their dependencies and single points of failure identified by a business impact analysis;
• all business impact analysis must be conducted in respect of business products and services in an end-to-end production context;
• there must be an agreed and published organisation policy, strategy, framework and exercising guidelines for BCM and crisis management;
• the organisation and its component parts must implement and maintain a robust







exercising, rehearsal and testing programme to ensure that the business continuity capability is effective, up-to-date and fit-for-purpose;
• the relevant legal and regulatory requirements for BCM must be clearly defined and understood before undertaking a BCM programme;
• the organisation and its component parts must recognise and acknowledge that reputation, brand image, market share and shareholder value risk cannot be transferred or removed by internal sourcing and/or outsourcing;
• BCM implications must be considered at all stages of the development of new business operations, products, services and organisational infrastructure projects;
• BCM implications must be considered as an essential part of the business change management process;
• the competency of BCM practitioners should be based and benchmarked against the 10 professional competency standards of the BCI;
• all third parties including joint venture companies and service providers, upon whom an organisation is critically dependent for the provision of products, services, support or data, must be required to demonstrate an effective, proven and fit-for-purpose BCM capability; and
• the standard terms and conditions of any outsourced and/or internal sourcing of products, services, support or data should reflect these good practice guidelines.

The structure and format of the guidelines is based upon the most frequently asked questions in relation to BCM, which are listed in Figure 2 (below).

Figure 2: BCM questions

GUIDELINE COMPONENT HEADING            MOST FREQUENTLY ASKED QUESTIONS
PURPOSE                                Why do we need to do it?
OUTCOMES                               What will it achieve?
COMPONENTS                             What do we need to do to it?
                                       What does it consist of? (ingredients)
METHODOLOGIES AND TECHNIQUES           What are the tools we need to do it?
PROCESS                                How is it done?
                                       How do we do it?
FREQUENCY AND TRIGGERS                 When should it be done?
PARTICIPANTS                           Who does it?
                                       Who should be involved?
DELIVERABLES                           What is the output?
‘GOOD PRACTICE’ EVALUATION CRITERIA    How do we know if we have got it right?

The BCM life cycle

The BCI principles and frequently asked questions have been drawn together to create the BCM life cycle (see Figure 3, opposite), an interactive process tool to guide the implementation of an effective BCM process. The six stages of the life cycle in more detail are set out in Figure 4 (opposite).

The guidelines have been used to generate a tool for evaluating the BCM process, which takes the form of a spreadsheet current state assessment (benchmark) workbook (see Figure 5, on page 32). The workbook enables and facilitates good practice compliance evaluation, current state assessment gap analysis, assurance and benchmarking (process and performance).

Each organisation needs to assess how to apply the ‘good practice’, contained within the guidelines, to their own organisation. They must ensure that their BCM competence and capability meets the nature, scale and complexity of their business, and reflects their individual culture and operating environment.

Crisis management

The key elements of a crisis management framework are slightly different to the BCM lifecycle, and include those set out in Figure 6 (page 32), but the list should not be seen as restrictive or exhaustive. There are many advantages to adopting a modular approach to a crisis or business continuity situation, not least that it can be easily and quickly modified to suit local, national as well as global requirements.

However, in managing any event it is critical to recognise that a successful outcome is judged by both the technical response, and the perceived competence and capability of the management in delivering the business response. The stakeholder perception should be seen as the critical success factor with an equal, if not more urgent priority over the







  Figure 3                               The business continuity management life cycle

                                                          Understanding
                                                          your business




                                                                 1


                 Exercising,                                                                              Business
                maintenance             5                                                 2              continuity
                 and audit                                                                                strategies
                                                                BCM



                                                                  6


                                                              Programme
                                                              management


                                            4                                         3
                                                                                                Develop and
                     Building and                                                               implement a
                      embedding                                                                BCM response
                     BCM culture




  Figure 4                                      The six stages of the life cycle in more detail


  1 UNDERSTANDING       q   Business impact analysis.                 5 EXERCISING,       q Exercising of BCM plans.
    YOUR BUSINESS       q Risk  assessment and control.                 MAINTENANCE       q Rehearsal of staff, BCM teams.
                                                                        AND AUDIT         q Testing of technology and
  2 BCM STRATEGIES      q Organisation  (corporate) BCM                                     BCM systems.
                          strategy.                                                       q BCM maintenance.
                        q Process level BCM strategy.                                     q BCM audit.
                        q Resource recovery BCM
                          strategy.                                   6 THE BCM           q Board   commitment and
                                                                        PROGRAMME           proactive participation.
  3 DEVELOPING AND      q Plans      and planning.                                        q Organisation (corporate) BCM
    IMPLEMENTING A      q External     bodies and organisa-                                 strategy.
    BCM RESPONSE            tions.                                                        q BCM policy.
                        q Crisis/BCM   event/incident                                     q BCM framework.
                          management.                                                     q Roles, accountability,
                        q Sourcing (intra-organisation                                      responsibility and authority.
                          and/or outsourcing providers).                                  q Finance.
                        q Emergency response and oper-                                    q Resources.
                          ations.                                                         q Assurance.
                        q Communications.                                                 q Audit.
                        q Public relations and the media.                                 q Management information sys-
                                                                                            tem (MIS): metrics/scorecard/
  4 BUILDING AND        q An    ongoing programme of                                        benchmark.
    EMBEDDING A             education, awareness and                                      q Compliance: legal/regulatory
    BCM CULTURE             training.                                                       issues.
                                                                                          q Change management.




FACULTY OF FINANCE AND MANAGEMENT                                                                                            31
January 2003 MANAGEMENT QUARTERLY
         R I S K – O P E R AT I O N S




 Figure 5: The BCM process

   STAGE 1: UNDERSTANDING YOUR BUSINESS (maturity level 1)
     - Organisation strategy; operational and business objectives
     - Critical business factors (mission critical activities)
     - Business outputs and deliverables (services and products)

   STAGE 2: BUSINESS CONTINUITY MANAGEMENT STRATEGIES (maturity level 2)
     - Organisation (corporate) BCM strategy
     - Process level BCM strategy
     - Resource recovery BCM strategy

   STAGE 3: BUSINESS CONTINUITY SOLUTIONS AND PLANS (maturity level 3)
     - Business continuity plans
     - Resource recovery solutions and plans
     - Crisis management plan

   STAGE 4: BUILDING AND EMBEDDING A BCM CULTURE (maturity level 4)
     - BCM culture and awareness programme
     - Education and culture building activities
     - BCM training programme

   STAGE 5: EXERCISING, MAINTENANCE AND AUDIT OF BCM (maturity level 5)
     - Exercising of BCM
     - Maintenance of BCM
     - Audit of BCM

   STAGE 6: BCM PROGRAMME MANAGEMENT (maturity level 6)
     - BCM programme management
     - BCM policy
     - BCM assurance




 Figure 6: Crisis management

   BUSINESS RISK CONTROL
     - Monitoring.
     - Prevention.
     - Planning and preparation.
     - Crisis identification.

   ASSESSMENT
     - Crisis evaluation (including evaluation criteria).

   INVOCATION AND ESCALATION

   MANAGEMENT AND RECOVERY

   CLOSURE AND REVIEW
     - Formal closure.
     - Ongoing issues, eg investigation and litigation.
     - Post crisis review and report.

   IMPROVEMENT
     - Implementation of approved post crisis review report recommendations.

technical solution. Consequently, the acid test is to convincingly demonstrate an effective and fit-for-purpose business continuity and crisis management capability, and to continue business as usual. This is in contrast to the more familiar pattern of a fall and recovery of a business, which is more representative of the outdated disaster recovery and business resumption approaches.

Conclusions

An organisation consists of people, and people at the top who give a cultural lead. As a consequence, business continuity and crisis management are not solely a set of tools, techniques and mechanisms to be implemented in an organisation. They should reflect a more general mood, attitude and type of action taken by managers and staff.

Individual personalities play a crucial and critical role. It is the human factor that is frequently underestimated in BCM. This is of particular importance because the examination of the cause of business continuity events






and crises usually identifies several warning signals that were ignored or not recognised. The key to a successful crisis and BCM capability is to adopt an holistic approach to validate each of the key building blocks of the BCM life cycle and process.

[Callout: People are the key to successful BCM]

The first task is always to identify the right people who are not bounded as individuals or within the corporate culture. It is on these criteria that the success or failure of creating an effective and fit-for-purpose BCM capability will be determined. Having identified the right people, they should engage in the BCM planning process using the BCI Good Practice Guidelines and training via the exercise simulations of plans, rehearsal of people/teams and testing of systems, processes, technology, structures and communications.

The organisation can assist this process by appointing a BCM ‘champion’ at a senior level whose role is to draw together, under a matrix team approach, representatives from the various organisation functions, eg human resources, together with key line of business heads to ensure a co-ordinated approach. The key advantage of this approach is that it builds on what already exists and has been done, thereby enabling a ‘virtual capability’ that provides cost efficiency. A further benefit is that it ensures ‘buy-in’ throughout the organisation.

In adopting this methodology and regularly exercising, rehearsing and testing, the organisation maintains an effective, up-to-date and fit-for-purpose BCM and crisis management capability. When a crisis hits the organisation, everyone knows what to do and a smooth invocation of the plan takes place, ensuring that the impact on mission critical activities is



Further reading and references

Whilst the guidelines are predominantly designed for the BCM practitioner the following publications are strongly recommended as introductory reading by directors and senior managers of all organisations:

 - ‘Communicating out of a crisis’
   Bland, M, Macmillan Press Ltd, London (1998) (ISBN 0-333-72097-0)

 - ‘Getting Started’
   Business Continuity Institute, BCI, Worcester (2001)

 - ‘BCM: A strategy for business survival’
   Business Continuity Institute, BCI, Worcester (2002)

 - ‘An introduction to BCM’
   Central Computer and Telecommunications Agency, HMSO, London (1995) (ISBN 0-11-330669-5)

 - ‘A risk focused review of outsourcing in the UK retail banking sector’
   Financial Services Authority, London (2001)

 - ‘How resilient is your business to disaster’
   Home Office, HMSO, London (1996)

 - ‘Heeding the lessons of 9/11’
   Honour, D, International Journal of BCM (2001), Vol 2, Issue 1, p13-17

 - ‘Business continuity’
   Institute of Directors, Director Publications Limited, London (2000) (ISBN 0-7494-3563-1)

 - ‘The impact of catastrophes on shareholder value’
   Knight, RF and Pretty, DJ, Oxford Executive Research Briefings, Templeton College (2000)

 - ‘Major incident procedure manual’
   London Emergency Services Liaison Panel, (5th Edition) Metropolitan Police, London (1999)

 - ‘Wider than IT’
   Leather, G, Continuity (2001), Vol 5, Issue 1, p4-5

 - ‘Crisis Management: A diagnostic guide for improving your organisation crisis preparedness’
   Mitroff, II and Pearson, CM, Jossey-Bass, San Francisco (1993) (ISBN 1-55542-563-1)

 - ‘BCM – preventing chaos in a disaster’
   Power, P, Department of Trade and Industry, London (1999)

The following video should also be considered as introductory viewing by all managers and staff within an organisation:

 - ‘Back to business: planning ahead for the unexpected’
   Business Continuity Institute (2001).

References

 1. ‘FSA working paper on Business Continuity management’
    Financial Services Authority, London (2002)

 2. ‘Business continuity and supply chain management’
    Chartered Management Institute (2002).

 3. ‘Transforming a crisis-prone organisation’
    Pauchant, TC and Mitroff II (1992), Jossey-Bass, San Francisco.




  • 7. MANAGEMENT QUARTERLY January 2003 R I S K – O P E R AT I O N S and crises usually identifies several warning appointing a BCM ‘champion’ at a senior level signals that were ignored or not recognised. whose role is to draw together, under a matrix The key to a successful crisis and BCM capabil- team approach, representatives from the vari- ity is to adopt an holistic approach to validate ous organisation functions eg human People are the each of the key building blocks of the BCM resources, together with key line of business key to life cycle and process. heads to ensure a co-ordinated approach. The successful key advantage of this approach is that it BCM The first task is always to identify the right builds on what already exists and has been people who are not bounded as individuals or done thereby enabling a ‘virtual capability’ within the corporate culture. It is on these cri- that provides cost efficiency. A further benefit teria that the success or failure of creating an is that it ensures ‘buy-in’ throughout the effective and fit-for-purpose BCM capability organisation. will be determined. Having identified the right people, they should engage in the BCM plan- In adopting this methodology and regularly ning process using the BCI Good Practice exercising, rehearsing and testing the organisa- Guidelines and training via the exercise simu- tion maintains an effective up-to-date and fit- lations of plans, rehearsal of people/teams and for-purpose BCM and crisis management capa- testing of systems, processes, technology, bility. When a crisis hits the organisation structures and communications. 
everyone knows what to do and a smooth invocation of the plan takes place ensuring The organisation can assist this process by that the impact on mission critical activities is Further reading and references Whilst the guidelines are predominantly designed for the q ‘Major incident procedure manual’, BCM practitioner the following publications are strongly London Emergency Services Liaison Panel, (5th Edition) recommended as introductory reading by directors and Metropolitan Police, London (1999) senior managers of all organisations: q ‘Wider than IT’ q ‘Communicating out of a crisis’ Leather, G, Continuity (2001), Vol 5, Issue 1, p4-5 Bland, M, Macmillan Press Ltd, London (1998) (ISBN 0- 333-72097-0) q ‘Crisis Management : A diagnostic guide for improving your organisation crisis preparedness’ q ‘Getting Started’ Mitroff, II and Pearson, CM, Jossey-Bass, San Francisco Business Continuity Institute, BCI, Worcester(2001) (1993) (ISBN 1-55542-563-1) q ‘BCM: A strategy for business survival’ q ’BCM – preventing chaos in a disaster’ Business Continuity Institute, BCI, Worcester (2002) Power, P, Department of Trade and Industry, London (1999) q ‘An introduction to BCM’ Central Computer and Telecommunications Agency, The following video should also be considered as introduc- HMSO, London (1995) (ISBN 0-11-330669-5) tory viewing by all managers and staff within an organisa- tion: q ‘A risk focused review of outsourcing in the UK retail banking sector’ q ‘Back to business: planning ahead for the unexpected’, Financial Services Authority, London (2001) Business Continuity Institute (2001). q ‘How resilient is your business to disaster’ Home Office, HMSO, London (1996) References q ’Heeding the lessons of 9/11' Honour, D, International Journal of BCM (2001), Vol 2, Issue 1. ‘FSA working paper on Business Continuity manage- 1, p13-17 ment’ Financial Services Authority, London (2002) q ‘Business continuity’ Institute of Directors, Director Publications Limited, 2. 
‘Business continuity and supply chain management’ London (2000) (ISBN 0-7494-3563-1) Chartered Management Institute (2002). q ‘The impact of catastrophes on shareholder value’ 3. Transforming a crisis-prone organisation’ Knight, RF and Pretty, DJ, Oxford Executive Research Pauchant,TC and Mitroff II (1992), Jossey-Bass, Briefings, Templeton, College (2000) San Francisco. FACULTY OF FINANCE AND MANAGEMENT 33