
In a previous article I talked about business continuity in a changing world and how the changes to our world brought changes to the threats we face, how the financial sector continues to evolve and how the subject of business continuity itself was changing. In this I largely considered the finance sector itself, but it is obvious that the sector is not isolated from the wider society. So how does business continuity in the financial sector relate to the society at large?
In finance we see a mature business continuity capability and approach overseen in the UK by a regulator that seeks real engagement with the sector. London is the leading financial centre in the world and global players all have a presence here, and many of the UK’s leading lights are global operations themselves with a presence across the globe. There is widespread recognition of the inter-dependence of the organisations themselves, which is manifested through collaboration under the auspices of the BBA, SIBCMG and so on. Every year, City and Financial Conferences runs a two-day conference focused on business continuity where finance, regulator and external bodies discuss key topics on business continuity. Here you might hear from O2 about the management of mobile phone networks following a major incident such as the bombings of 7th July 2005, or from London Regional Transport on their response.
In the UK public sector we can see a similar trend towards engagement with the wider community. The Civil Contingencies Act (CCA) defines those who respond to major incidents in terms of level 1 responders (broadly speaking the blue light services and the local authorities) and level 2 responders who provide supporting services (such as utilities and transport). In the UK ultimate command and control rests with COBR (the Cabinet Office Briefing Room) where the overall response and decisions lie with the Prime Minister. More particularly, the CCA places an obligation on local authorities to promote business continuity to their local community and hence we see the public sector responders now having a statutory obligation to engage with, among others, the financial sector.
In the City of London, the Corporation of London has always been pro-active in promoting business continuity and offering practical assistance both in advance of and during incidents, not least because of the experiences of the IRA bombing campaigns. The City is a small area with a dedicated police force and so integration of private and public sector responses, whilst non-trivial, is at least achievable. However, many financial operations are carried out in other parts of the UK – after all both RBS and HBOS are headquartered in Edinburgh – and many have significant operations across the globe. To me, this is where some problems start to arise.
The level of knowledge on business continuity in local authorities is, at best, variable. Whilst there are some notable exceptions, many are still getting to grips with the subject and often have yet to fully address their own business continuity needs. Some do not have any staff at all, whilst others may have staff but a minimal budget as the realities of public sector financing are that front line services receive any additional funding before business continuity. Consequently, the degree of interaction that a financial sector organisation might obtain from local authorities can vary from fully engaged to non-existent.
Furthermore, those charged with the role in local authorities may have an academic knowledge of the subject but no practical experience and little idea of the maturity of the finance sector in the subject. Consequently, the promotion of business continuity to the community has tended to fall to those who might be just starting on the subject, to SMEs who may not yet have considered business continuity. When received by mature organisations such as those in finance, such material reads like “Janet and John” to readers who long ago progressed to Shakespeare.
When you then consider that many of the financial sector organisations have a considerable presence outside the UK, the picture becomes even more problematic. The CCA applies in the UK only and there is no pan-European equivalent, and legislative obligations in most, if not all, countries are way behind the UK. It should be no surprise, then, that governmental advice on business continuity will vary across the world.
Let me illustrate this by considering pandemic flu for a moment. This is acknowledged to be a global threat in a globalized world and has been highlighted by the World Health Organization (WHO). Financial sector organisations will therefore consider this, plan and respond on a global scale. Policies, plans and management will all operate on a global scale in order to provide an effective and coherent response to a global event. However, the public sector responses are organised by the governments of nation states and although the expert advice provided by WHO and others is the same, the responses are different. Even in Europe, where there might be an expectation of a co-ordinated response, there are differences in approach. Let me further illustrate by focusing just on the one issue of the use of masks in the event of a pandemic.
In the UK the Department of Health advice is clear that masks are unlikely to have any impact whatsoever on the spread of the disease and introduce as many issues as they resolve. For instance, how do you safely dispose of the used mask? A recent presentation from 3M considered that an organisation of 850 people would need 76,500 masks assuming that a mask lasted for one full shift. Each person has to have a mask that is fitted to them, and any facial hair (e.g. beards or just fashionable stubble) makes them ineffective. Therefore this organisation would need to store them, fit them, train people to use them, ensure that their HR policies were updated to reflect the obligation to wear them at work, provide guidance on wearing them travelling to and from work, arrange for collection and safe disposal and so on, all for something that the experts say will make no difference to the spread of the pandemic or the protection afforded to the individual. So, let us assume then that the UK office decides not to purchase masks and will not have this as part of its response.
The science is no different in France, but the government there has commissioned mask production such that there will be capacity for everyone to have a limited number of masks. It is clear then that the French response will be different. What does not seem clearly understood by the government responses is that in the typical global corporation, our colleague is just as likely to be in Paris, Frankfurt, New York, Singapore and so on as they are to be along the corridor. Hence, the London-based dealer will wonder why his Paris-based colleague is sounding muffled on the telephone and on enquiry discover that everyone in the Paris office is now wearing masks. One can immediately envisage the complications arising as staff ask for the same treatment, question why London staff are not protected and so on.
This simply illustrates that there is still a considerable development needed in governmental responses to match the needs of business continuity savvy global businesses. So are there any signs that this is being recognised? Well there are some.
At the International Disaster and Emergency Readiness (IDER) Conference in Rome in October 2006, there were representatives from the EU, the UN, FEMA and first responders from the UK and Italy as well as business representation. The EU is starting to co-ordinate the response to large scale events such as earthquakes by co-ordinating the activities of member states and seeking to facilitate responses. For instance if the UK has people but no means of transporting them to the site, another state could provide transport and the EU would facilitate this.
Rather more interesting is a proposed Publicly Available Specification (PAS) on continuity planning from the International Standards Organisation (ISO). Whilst this enjoys the rather elaborate title of “Incident Preparedness and Operational Continuity Management” the substance of the proposed document would be familiar enough to those who have read BS 25999-1 or its predecessor PAS 56. Where it is different is that it emerges from an ISO body that is considering “Societal Resilience” and as such it introduces the idea that our business continuity response cannot be considered in isolation from those around us.
The current draft says that an organisation should understand that cooperation with other organisations is essential for its own operational continuity and that an organisation should make an active contribution to community through cooperative effort with citizens and local governments. Furthermore, it suggests that an organisation’s continuity management should be promoted and recognized as part of its social responsibility.
Whilst this is a draft of a proposed ISO PAS – i.e. not a full standard – this does illustrate some interesting thinking. Here we can see the beginnings of an obligation on organisations to work with local authorities, complementary to that placed on local authorities in the UK through the CCA.
It is clear that at present we have two streams of thought; one where a mature industry is seeking to engage with its wider community including the authorities and infrastructure providers, and one where the public sector is seeking to engage with the business community. It is clear that there are some problems at present, as illustrated by the pandemic flu example, but that should not discourage us from hoping that these two streams will gradually coalesce to bring about a more resilient society as a whole.
The connection of business continuity with both the wider society and an organisation’s corporate social responsibilities is likely to grow, and illustrates just how much business continuity infuses every part of an organisation. The business continuity manager in the finance sector is certainly destined for interesting times ahead.