This week I look at why building capability is important for implementing your business continuity plan.
Building an Incident Team Competence Framework
This week I have been working on building an Incident Team Competence Framework for a client. It is two parts, the first part is a self-assessment of an incident team member’s knowledge of their organisation’s plans and procedures, their knowledge of the tools they use for incident management, their experience and their ability to perform their specialist incident role. There is an additional area of self-assessment which looks at their understanding of the organisation’s capability, which I have defined as “understanding the different types of incidents the organisation might face and the response plans and procedures for dealing with them”. In this bulletin, I would like to explore some ideas I have about business continuity capabilities. As with some of the other ideas I have written about, this is not yet fully formed, so I am discussing what I think now and would be grateful for any thoughts on the subject.
Capability as used by the UK forces
My idea of business continuity capability came from the forces. The UK’s armed forces have a number of military tasks they want to be able to carry out, based upon their assessment of risk, the type of conflicts they think they might have to fight, the locations of operations and possible adversaries. The tasks could range from their ability to fire nuclear missiles, to be able to conduct an amphibious operation and land forces from ships, down to the more low-level task of having the ability to build a bridge to enable forces to cross a river. When reading about these tasks it is clear they all require a ‘capability in order to be conducted.
Elements of capability
In order to have a nuclear deterrent, it is not sufficient just to have a nuclear missile. You need a submarine, people to operate the submarine, training, command and control, procedures, all of which put together, a capability, which allows you to achieve the task. Additionally, with a military bridge, you need bridging materials, equipment to build on and off-ramps, vehicles to transport the equipment, trained engineers and apparatus which can carry the weight of the vehicles that need to cross the bridge. The UK military uses the mnemonic TEPID OIL to remember all the elements which go into achieving a capability. The elements are:
- Doctrine and concepts
Sum of the whole which makes capability
The main point I want to make with talking about military capability is that if they want to achieve a task it is not just about going out and buying equipment, such as a military bridge. The equipment is only one part of the capability and from TEPID OIL you can see that a great number of other elements must come together to allow the army to be able to cross a river. Building capabilities are expensive and as all militaries have a limited budget, they must decide which ones they really need and which they won’t. If you choose the wrong ones, then you can try to cobble together the ability and equipment to try and achieve the task, but it will take you longer and your chance of success is reduced.
What is the relevance to business continuity?
What is the relevance to business continuity? In business continuity, you have a number of responses you want to achieve when an incident occurs, and you have to achieve them within a certain timeframe. The parts of the organisation to be recovered and the timeframes are identified during the ‘Analysis’ phase. As part of the ‘Design’ phase, we have to decide how we will carry out the recovery.
For instance, you might want to get a 500-person call centre back up and running within 12 hours for 100 staff. The best way to achieve this is to pay for Work Area Recovery (WAR). This will allow you to meet the tight timescale of 12 hours. You sign the contract, pay the money, do the odd bit of IT testing and believe then you can achieve the task of recovering 100 agents within 12 hours. I have seen this situation in regulated industries. They have to prove to their regulator that they have business continuity in place. So, they point to a work area recovery contract, which has not been properly tested and think that is sufficient to prove that they can recover their operations. To have the true ability to achieve a business continuity response, a number of elements have to come together to achieve the capability. This may not be my final list, but it is a start:
- Standby equipment or buildings – which you can use if you lose your existing one.
- Trained staff – staff all know their role in the new task and know-how to carry it out at the new location. They also know how to implement the plan.
- A plan – there is a plan in place which gives the details of how to implement recovery to the WAR.
- Command and control – a team who will manage the recovery.
- Infrastructure – which allows those working at the WAR to comment back into the organisation’s systems.
- Exercises and testing – to ensure that the response will work, both technically, taking into account the human element, and that the timescales can be achieved.
All these elements need to come together to give our organisation the capability to provide a response.
In terms of responses, many business continuity plans contain several responses, they could typically be in response to:
- Loss of a building
- Loss of IT
- Loss of people
- Loss of a key supplier
The organisation may have some additional plans which are dependent on their threats, geography, or type of services they provide. Additional plans could include:
- Cyber incident management plans
- Product recall
- Kidnap or travel security plans
- Hurricane plan
We need to make sure our response will work
The point I am trying to make is that as business continuity professionals, we need to make sure that if we want a response to work, we need to develop the capability to make sure that all the elements of implementing it after an incident are carried out. WAR response plans can be quite technically complex and so needs lots of technical practices. One of the responses we have learned over the last year is the ability to work from home. This has solved the business continuity problem of how you continue your business if you lose your building. If staff are going to return to offices after COVID-19, we need to make sure that we retrain the capability to work from home. When staff laptops are replaced, in 2-3 years, we need to ensure that they must not be replaced with desktops and at least once a year all staff should work from home to test that the response is retained.
Incident Team Competency Framework
This brings me back full circle to the Incident Team Competence Framework, and to the team’s personal self-assessment. As part of the assessment, we identify the responses which the organisation has in place and then ask the incident team members to self-assess their personal knowledge of each response and whether they know how to implement a response and are confident in how to do it. Checking that staff know how to implement a response plan is part of building the capability to ensure that that plan will work if required.
My challenge to you in this coming week is to think about the responses your organisation has in place, then to check that you have the capability to actually implement the response successfully. I think there is nothing more dangerous for a business continuity manager than everyone in the organisation thinking that they have a response all sorted and ready to go but when called upon the capability is not built and the recovery fails.