BCM bang for your buck

Nigel Allen reviews some of the many presentations given at the inaugural BCM World Conference and Exhibition held in London

In the current economic climate, the focus for everyone is very much on squeezing out as much bang from every single buck as they possible can. In my opinion, and those of a number of people that I spoke to, I do not think that delegates at the inaugural BCM World Conference and Exhibition could have expected any more bang.

Over two days, delegates were able to take advantage of some 46 key presentations in the auditoriums, plus a further 43 presentations held on the exhibition floor, while during the breaks could view the wares on display on 44 exhibitions stands. On the evening before the event began, BCI members had an opportunity to meet with their fellow members over a plate of traditional London fare, namely ‘Pie & Mash’, while the Gala dinner provided an excellent setting in which to discuss the events of the first day.

Once again, the event succeeded in attracting business continuity practitioners from across the globe representing a wide array of business sectors and providing an unrivalled platform for networking and sharing BCM best practice. The aim of this article is simply to give a brief series of snap shots from a selection of presentations given at the event in an effort to reflect the diversity of knowledge being shared over the two days.

The cyber crisis
A rather dishevelled-looking James Royds of Infosec, but bearing an uncanny resemblance to Bob Geldof, took to the stage to give a passionate speech on the growing threat of cyber crime. Using his ‘disguise’ to illustrate the ease with which our identities can be stolen via the internet, James warned delegates that such online criminal activities were “raging unchecked along the highways of the online world”.

He warned that the world was facing a global threat which was akin to the perfect storm. Cyber criminals, he said, are conducting their activities on a scale simply not thought possible only a few years ago, with global gains from such acts exceeding that of drug trafficking at $1trn. One in four computers, he added, are currently infected with software which allows the criminal to use the machines for their own purposes and to extract whatever information is contained within them. The criminals are “scornful of geographical boundaries” and are using much more sophisticated techniques to carry out their criminal acts than the methods being employed by business and governments to stop them.

Yet despite this, the standard response of most organisations is to try and sweep the issue under the carpet – “and as a result the wretched cycle continues!” One of the primary stumbling blocks in tackling this issue, James told delegates, is the behaviour of individuals when they are online. “While they are our greatest asset, we must also acknowledge that they can be our weakest link.” He urged organisations to invest in educating and training their staff in how to operate in a safe manner when on their computers and how to protect themselves when online.

He highlighted the fact that too few organisations are aware of the steps which they can take to protect themselves. From a BCM perspective, he urged practitioners to apply the same techniques which they apply to other disruptive events to that of cyber crime. “An important step,” he said, “is to understand what the causes and the consequences of this disruption are. If we can apply these same techniques to the cyber world them we have grounds for hope.”

An effective response, he concluded, requires a collective approach combining information security practitioners, BCM professionals and risk managers. “The BCM community needs to seize the opportunity to help co-ordinate a collaborative approach to help tackle this problem.”

Strain on the supply chain
“Supply chain resilience is an organisation resilience issue”, Antonio Ribeiro of Det Norske Veritas told delegates in his opening address on day one of the BCM conference. Over the last 20 years, he said, supply chains have becoming an increasingly important mechanism in enabling companies to improve organisational efficiency and reduce costs. However, the increasing complexity of such chains and our growing reliance upon them has made us more vulnerable to any potential disruptions. Furthermore, with rising budgetary constraints, companies have sought ways of reducing their supply chain spend through measures such as consolidation and renegotiating supplier contracts which are also serving to make such networks more fragile.

As a result, supply chain resilience has clearly become a BCM challenge that must be addressed. “This is an important challenge in the new business environment created by the financial crisis,” he said, adding that the economic downturn has resulted in a “trust deficit” in companies by consumers. 

A further issue that must be factored into the supply chain equation is that of sustainability. Antonio highlighted areas such as environmental issues, corporate responsibility, product quality and business ethics which all fall under the sustainability remit. “One thing is certain – the impact of a supply chain disruption associated with a sustainability issue will have a major impact on your reputation and your stakeholder relations.” Antonio flagged up two issues in particular which could hit a company’s reputation: the use of child labour by suppliers within the chain; and the extent to which your suppliers are extending the size of your carbon footprint as the world looks to tackle climate change.

Antonio highlighted gaps which he said existed in our approach to supply chain resilience, including: a failure to see supply chain issues as BCM issues; a simplistic approach to tackling sustainability issues; an inability to effectively classify our critical suppliers; and a limited engagement with suppliers and an over-reliance on their resilience claims. Organisations, he added, also tend to give limited consideration to the potential reputational issues posed by sustainability-related incidents in their supply chains.

“There are three main areas which define supply chain resilience success,” he said. First is an understanding of the supply chain risks faced. Organisations need to view their supply chains from a more strategic perspective and consider the wider scope of risks posed, particularly in relation to sustainability. He urged companies to consider sustainability when ascertaining their definition of criticality.

Second is managing the supply chain risks effectively. This he said is not an end, but a process. It is about understanding the sustainability implications of supply chain decisions and embedding the concept into your key functions, such as ERM, procurement and communications. He urged a collaborative approach and emphasised the fact that supply chains are built on relationships and said that companies should seek to use their influence over their suppliers to help manage the risks faced.

Third, he concluded, is assuring stakeholders. It is essential that you know who your key stakeholders are, their knowledge of these issues and what is key to them. Be proactive and be able to demonstrate your commitment to managing these issues. Be transparent in everything that you do and consider how best to communicate your supply chain sustainability efforts to the outside world.

Learning the lessons
In his presentation, Gareth Jones of KPMG gave a detailed insight into the many ways of facilitating the learning process in the aftermath of an incident. He began by asking delegates how often they conducted a debrief after an incident. Some 80% said ‘always’, just over 18% responded ‘sometimes’ and the remainder were willing to admit that they never conducted a debrief. Of those who did, Gareth asked in how many organisations is the requirement to conduct a debrief a formal statement within their BCM policy, to which 42% said that it was in their policy.

Gareth told delegates that he had been involved in researching the issue of learning within the context of BCM. His research had focused on how BCM manager learn, what processes and tools were used, the role played by isomorphic learning, and looked at ways in which BCM learning processes could be improved. The research showed that overall BCM learning is generally ad-hoc, with most learning processes not automated. There were mixed conclusions in relation to isomorphic learning, with issues of confidentiality proving a major barrier; while in terms of improving the situation, most called for a more prescriptive approach.

He said that as practitioners, we devote a lot of effort to making the case for change in our discipline, calling for more resources, greater levels of professionalism etc. “But if we are not doing the learning element properly then we are missing a real case for change.”

Citing studies carried out by Toft & Reynolds on learning from disasters, Gareth highlighted the importance of “active learning” or “double-loop learning”. Simply knowing something is not good enough if you are not going to use the knowledge to your benefit. So often, he said, after an incident you will find people saying “I knew that was going to happen!” to which the obvious response is, “Well, why didn’t you say something?” That is why it is important to put in place systems to allow you to harvest any potential signals of an incident on the horizon.

In making the case for deliberate learning, Gareth said that increasingly the issue of liability is being raised should failure to learn from an incident result in a subsequent issue occurring. Other issues included the competitive advantage it can provide and the role that it plays from a governance perspective. However, stumbling blocks can include the difficulties of overcoming a ‘blame culture’, tackling the issue of unwillingness to disclose failure and the fact that it will require resources. “No one is saying that this process is going to be easy,” Gareth warned.

Turning his attention to the practical considerations, Gareth said that the objective of any debrief should be to generate a frank and critical view of what went wrong in order to learn from it. This should be conducted within days of the event, as the window of information will close rapidly, and where possible should be conducted in a neutral environment and with an independent party. The debrief should involve those directly involved in the incident and those who are accountable/responsible. The overall aim, he concluded, is to “achieve a positive outcome”. It is therefore imperative that the process creates a case for change or those involved will become disillusioned with the process.

Spread the word
Despite warning delegates that he was not a ‘morning person’, within minutes of standing to speak Bob Geldof had grabbed the full, undivided attention of every person in the room.

In his 30 minute speech, he focused on communication and the flow of information in today’s global society. He explained that, while we have developed into a global civilisation, in effect we all live within our own particular space and are quite insular. In this social structure, the web has become a central component in terms of how we exchange information. While describing it as being “in a primitive state”, Bob said that it has played a major role in facilitating the rapid change in society that we have witnessed in recent years, and has in effect helped create a beehive society, in which we use it as a means to pass on information. However, he continued, it is this very structure, the hive-like global network, where change can happen in the blink of an eye, that has contributed to the financial crisis we are experiencing today.

“The future,” Bob said “is unknown, but that does not mean that we cannot anticipate what it might bring.” He highlighted the fact that the credit crisis was anticipated, yet many of us considered those who warned of its arrival as simply an annoyance. We must be constantly aware of change, he urged, and striving to ensure that it is balanced with the needs of society if it is to be managed properly.

Turning to his work in Africa, Bob said that the continent was going through a period of rapid change, as the population increasingly moved from rural areas into towns and cities. Central to this period of transition was their ability to communicate using mobile telephones. In fact, the nation is now has one of the largest mobile phone industries in the world. Through mobiles and laptops, social life is changing radically in the region as they use the technologies to formalise supply chains and create virtual currencies.
This increasing interconnectivity, he explained, provides us with a means of ensuring that the opportunities afforded by the world we live can be shared more widely. The technologies we have at our disposal, he concluded, such as the internet and mobile telephones are helping to enforce a level of global co-operation. Only through this co-operative approach and by sharing information can we put in place the structures which need to be in place to tackle this rapid period of change that we have entered.

BCM boom in Asia
Henry Ee of BCP Asia began his presentation by giving delegates a brief overview of the size and cultural diversity of the Asia region, which covers some 29.9% of the global land mass and approximately 60% of the world’s population. Placing BCM into this picture, Henry explained that in the early 1990s, it was found primarily in the financial sector. However, the emergence of more stringent corporate governance requirements served to push business continuity out into the wider business community, initially into healthcare and telecoms, and then further into most business sectors in recent years.

This evolution has been facilitated by events such as 9/11 and the SARS virus, but also by the emergence of new standards and guidelines in the field of BCM. Henry listed a range of these, from the Hong Kong Monetary Authority’s BCM Guidelines issued in December 2002, to the Singapore Standard SS 540: 200 on business continuity management. The discipline, he added, had also been influenced strongly by international developments such as BS25999.

The development of BCM, however, is limited by a number of factors, Henry explained. First and foremost is the confusion over what BCM actually is, with many confusing it with disaster recovery, crisis management, insurance and even simply evacuation plans. In addition, the multiple languages, cultures and religions that are represented in the region also serve as stumbling blocks, particularly where the cultures do not promote the sharing of information or discourage thinking about ‘worst case scenarios’.

However, compliance requirements and the growing awareness of the financial benefits of BCM are helping to overcome these issues. In fact, governments in the region are offering funding to subsidise BCM implementation, particularly to help businesses become more resilient in the face of swine flu. Henry concluded by saying that there are a number of positive BCM trends emerging in the Asia region, particularly with more and more countries implementing new standards and guidelines and the fact that Asia has one of the highest levels of companies seeking certification under relevant BCM standards.

A round of applause
I have been to numerous conferences dedicated to various market sectors and industry disciplines over the years and always the sign of a good event is the number of delegates who are still in the room for the final presentation. As David Hutcheson, MBCI, of Glenn Abbot, took to the stage at the end of day two to discuss the issue of pandemic it was to the sound of applause from a well filled room.

Biography
Nigel Allen is editor of Continuity