Is the PPRS list fit for purpose?
This week I should be writing about the horrific bombing of the civilians in Aleppo or the unfolding tragedy in Haiti after Hurricane Matthew, but I thought we might bury our heads in the sand and talk about PPRS (People, Premises, Resources and Suppliers)!
In teaching the Business Continuity Institute's (BCI) “Good Practice Guidelines” (GPG), one of the points we stress is that in business continuity we do not look at scenarios such as flood, fire, pandemics, but we look at the impact on our organisations' key assets, categorised by PPRS.
• People (skills and knowledge)
• Premises (buildings and facilities)
• Resources (IT, information, equipment, materials)
• Suppliers (products and services supplied by third parties)
We make the point in training that we should concentrate on the effect of an incident on PPRS, so it really doesn’t matter how our head office was destroyed, whether it was by flood, fire or terrorist attack. What matters in business continuity terms is that we have lost key assets and we need to implement our business continuity plans to deal with the situation.
The more I think about PPRS the more I see its limitations and I think it gives us too narrow a focus of incidents to deal with. I also think the business continuity manager should always be looking for opportunities to expand their role and to add value to their organisation and increase its resilience. In doing so they should be looking at a wide variety of different threats.
Some of the issues I see with PPRS are:
I think it is very much written for organisations which work in offices and does not really take into account the wider variety of different organisations. If you are looking at the business continuity of a large plant, such as an oil rig, car manufacturing plant or a refinery, you could describe them as premises, but it is the content of the building which is important rather than the structure. An oil rig or a refinery may have office premises within them but they are not actually housed within a premises.
When you have key fixed structures within a building, like a CAT scanner within a hospital or fixed testing equipment within manufacturing, are these classed as ‘equipment’ under resources or are they ‘facilities’ within a premises?
Utilities and the provision of gas, water and electricity are key to most organisations but are they ‘resources’ or ‘suppliers’?
Raw materials going into a manufacturing process: are they ‘materials’ or, as they are often supplied by third parties, ‘suppliers’?
If you had a staff member kidnapped, this could be managed using the organisation’s incident management or crisis plan, but in terms of the loss of one member of staff, this might not be considered a business continuity incident.
Product recall is mentioned in the GPG as a possible incident and can have a massive impact on an organisation (think Samsung Galaxy 7), but it doesn’t fit neatly within the PPRS fold.
Cyber issues are not talked about within the GPG and, as we know, cyber is the top threat of the moment. Although you can consider it as part of the threats to IT, its impact is much wider than that of your IT. Your systems may be up and working normally but your customer details could be being sold on the dark web. This is a reputation issue rather than a loss of IT.
Then there are all the issues associated with reputation management. Although these are mentioned within the GPG, there is no structure for evaluating the wide range of possible issues which the organisation should consider. Once the issues are identified, mitigation measures can be put in place, monitoring can be set up to identify if they occur, and plans can be developed for dealing with them.
I am not sure what the answer is, as the list of possible considerations needs to take into account, in the widest terms, the assets which could be lost and cause an incident, but also take into account intangible issues like reputation and issues such as kidnap and cyber breach. Perhaps we need to look to risk management to give us a better list of threats that we should be addressing.
If you have a better list than PPRS and would like to share it with the readership of this bulletin we would be very pleased to hear from you.