Now incorporating 112 Review, Community Safety Review & Military Review

Happy New Year 2008 to you all

Happy New Year 2008

I would like to take this opportunity to wish all our readers, friends and associates, as well as our enemies, a very happy & prosperous New Year 2008.

New cold virus kills – rarely

Health Officials are watching the highly potent strain that killed seven Oregonians in April

A new strain of a rare cold virus has caused 10 deaths in four states, including seven in Oregon, during the past one-and-a-half years, federal health officials said.

Oregon health officials called the new viral strain cause for concern but not cause for public alarm.

"This is not the common cold turning into the plague," said Dr. Gary Oxman, health officer for Multnomah, Washington and Clackamas counties. "That's not what's going on here. (Well, is it not “the cold” or not?)

"It's a virus that's recognized as causing pneumonia, and there appears to be a new strain making some people very sick in small numbers."

The new "bug" is a variant of a rare type of adenovirus, called Ad14, which was identified in 1955 and has been detected only rarely since. More than 50 types of adenoviruses can cause or mimic diseases including the common cold and pneumonia.

Like any new viral strain, the new version of Ad14 is of interest to infectious disease trackers, said Dr. Ann Thomas, an epidemiologist in the public health division of the Oregon Department of Human Services. "But it doesn't change what we do that much. It's not something the average person should be afraid of."

To put the risk in perspective, Thomas said that Ad14 is known to have killed 10 people, but complications from influenza kill more than 30,000 Americans a year. (I didn't know that?)

"If people are really worried," she said, "they should get a flu shot."

The best way to keep Ad14 from spreading is the same as for flu, Thomas said. "Cover your cough, wash your hands and stay home."

The new variant has sickened at least 140 people in New York, Oregon, Washington and Texas, according to the CDC report.

The Oregon outbreak turned up in April, when state health officials learned of a cluster of cases at a Portland hospital and notified the CDC. They ultimately counted 31 cases in Oregon, including seven people who died of severe pneumonia. The next month, Washington state officials reported four hospitalized patients had the same mutated virus. One patient, who also had AIDS, died.

The illness also struck in Texas, where respiratory infections dubbed "boot-camp flu" sickened hundreds at Lackland Air Force Base in San Antonio. The most serious cases were blamed on the emerging virus; one 19-year-old trainee died.

The earliest known case of the mutated virus occurred in New York City in an infant girl who died last year when she was 12 days old.

CDC investigators reviewed the medical charts of 30 Oregon patients infected with the new variant of adenovirus. Of those, 22 required hospitalization and seven -- five of whom were men -- died, all from pneumonia. The patients included residents of seven Oregon counties and two Washington counties.

In search of clues about how the adenovirus is transmitted, health investigators studied the Oregon cases for characteristics they had in common. Nothing conclusive turned up.

With cold-and-flu season beginning, health officials expect to see more cases. The CDC warned state and local public health agencies to "be alert to the possibility of outbreaks caused by Ad14."

It really has put my mind at rest – NOT – to know that this virus only rarely kills.

We seem, however, to have a mutation of some virus here, if I am not mistaken, and no one, yet again, is willing to tell the world the truth.

Can we trust the governments and agencies tasked with protecting us?

Now, if Pirbright and the Foot & Mouth Disease (Hoof & Mouth to our American cousins) is anything to go by, then the governments cannot be trusted with viruses nor with the protection of the public from them, and I think we all should just make sure to have our own precautions and protections in place. If that means wearing a face mask when there is a possibility of any such “bugs” being about, then so be it. Better to look silly than to be seriously ill or dead.

M Smith (Veshengro)

UK BUSINESS BETTER PREPARED FOR DISASTER

UK businesses are increasingly prepared for disruption or disaster according to BSI British Standards’ annual Business Barometer, published in November 2007.

The research found:

•81% of FTSE companies would expect to last up to one week before feeling serious detrimental effects following disruption or disaster

•Almost two thirds (63%) are very well prepared for serious IT failure

•Half of businesses surveyed are fully prepared for a forced office relocation

•Almost half (47%) are fully prepared for comprehensive supply chain failure

BSI’s annual survey of FTSE 250 companies shows that 71% recognise the importance of Business Continuity Management (BCM) in staying competitive and winning new business in the future. This is a 10% increase on 2006’s Business Barometer.

Mike Low, Director of BSI British Standards, said: “The scale of risk and opportunity in the FTSE 250 are enormous and these organizations are recognizing that BCM has to be at the heart of their operations. It’s also crucial for smaller organizations and those in other sectors to look seriously at how they would cope in the event of a disaster.

“This year’s Business Barometer shows improvement in the preparedness of organizations for serious failure of their infrastructure which is really positive but there is still room for improvement. That’s why BSI has today published BS 25999-2, Specification for Business Continuity Management, which enables organizations to verify their BCM plans through independent certification. The standard can be used in an organization of any size or sector and provides a mechanism to ensure that their partners and suppliers also have appropriate BCM procedures in place.

“In September, BSI also launched an Online BCM Assessment Tool, particularly useful for SMEs wishing to assess their BCM capabilities.”

Terror threats and natural disruption prompt review

Events of the last year have prompted many businesses to reconsider their approach to BCM:

•42% reviewed their approach to BCM following the London and Glasgow terror alerts in June 2007

•34% reviewed their approach to BCM following the widespread flooding throughout summer 2007

Despite an increase in overall preparedness on last year, the Business Barometer shows that more businesses would be affected by disruption or disaster more quickly than in 2006. 58% said that their business would be seriously affected in under a day, compared with 46% in 2006.

Chris Green, Chairman, Business Continuity Institute, and Chairman of the BSI business continuity committee, said: “The need for robust BCM standards such as BS 25999-2 is clear. By following the requirements of the standard, organizations can improve enterprise stability, increase job security and ensure the flow of money into communities. Without BCM standards in place, infrastructure and supply chains may be less secure and employment and economic growth placed at risk.”

Standards save Businesses

•Those companies already implementing British or international standards as a matter of course were found to be better prepared, with 56% saying that their business would be very well prepared for failure in the supply chain, compared with 47% overall.
•62% of businesses, compared with 46% in 2006, are required by customers to show that they have effective business continuity measures in place. 72% now ask all or some of their own suppliers to do the same.

Continual Improvement

BSI’s research shows that businesses are increasingly recognising the value of BCM. More companies are ‘very well prepared’ for:

•failure in the supply chain: 47% (45% in 2006; 18% in 2005)

•catastrophic IT failure: 63% (51% in 2006; 27% in 2005)

•forced business relocation: 50% in 2007 (41% in 2006; 15% in 2005)

BS 25999-2, Specification for Business Continuity Management, complements BS 25999-1, Guide to Business Continuity, published in November 2006. Part 2 has been developed by a broad based group of world class experts and specifies requirements for establishing, implementing, operating and improving a documented Business Continuity Management System. The requirements of BS 25999-2 are generic and intended to be applicable to all organizations, regardless of type, size and nature of business.

The certification industry is already committed to meeting business needs for certification to this standard in light of unprecedented demand.

Walking the Office Party Tightrope – A Risk-Assessment Checklist

The Christmas office party is a traditional element of many businesses but what potential risks do these annual events present and what guidelines should be in place to ensure that revelry doesn’t turn into regret?
David Honour, a risk expert and editor of continuitycentral.com, together with Business Continuity Expo 2008, has put together a useful risk assessment checklist for risk-aware managers wanting to keep their jobs in 2008!

Strange as it may seem, the office Christmas party is probably one of the biggest avoidable risks that many companies take. Many of the most risk-aware and best protected companies in the world seem prepared to throw an office party without conducting the sort of risk assessment that they would for any other aspect of their business.

WHAT ARE THE RISKS?

Litigation

Even if an organised office party takes place outside of working hours and away from company premises, the normal laws that protect workers and their rights still apply. If an employee is injured or abused in any way during an office party the company may well be legally liable. High risk areas include injuries, abuse and even death, due to alcohol and substance abuse. Additionally, the risks associated with date rape drugs, where a victim’s drinks are unknowingly spiked with tranquilising and memory impairing drugs such as Rohypnol, are an increasing concern.
There are various sensible mitigation measures that companies can take:

- Ensure that the company human resource policies and handbooks address these areas. Documents should state when and under what circumstances staff remain under employment conditions when away from company premises and out of office hours. It may prove useful to develop a specific HR policy that relates to office parties. Policies need to spell out the disciplinary measures that will be taken against staff who abuse alcohol or drugs during the event and who carry out other activities deemed as unacceptable.

- Send a friendly memo around staff prior to the party reminding them of their responsibilities and of what is acceptable and unacceptable behaviour.

- Remind managers that they have responsibilities for implementing the company's alcohol and substance abuse policy and that they should be ready to have a friendly word with any person who is becoming intoxicated.

- Consider making arrangements to get employees home after the event. A taxi-fare is a much cheaper option than a law-suit alleging that your company failed in its duty-of-care because a drunken employee had an accident making his/her own way home.

- Companies should conduct a formal risk assessment of the office party and document the mitigation measures that have been taken. If the company should face litigation following a party-related incident this will offer evidence that the company has acted responsibly and taken all reasonable measures to prevent the incident occurring.

- Ensure that your company insurance policies cover your Christmas party activities, including the legal liability pitfalls.

Premises damage

Parties that are held on office premises are prone to office equipment damage. Simple accidents can be very costly. For example, a glass of wine dropped onto computer equipment could result in expensive damage to the equipment but could also result in lost data and significant downtime.

In general, it is to be recommended that parties are held off-site. This avoids any additional work place risks associated with the event and may result in reduced, or joint, liability should a premises-related accident occur. It also often results in a better atmosphere, enhancing the positive effects that the party aims to engender. However, parties held off-site also bring the risk of damage and subsequent compensation payments. The risk is highest where an overnight hotel stay is offered to staff who have travelled from further afield. Emptied mini-bars and trashed hotel rooms are an expensive luxury.

Employee relations

This is perhaps the highest risk area and one of the most important for the smooth-running of the company. The better that employee-to-employee relationships and employer-to-employee relationships are, the stronger a company tends to be. Activities which damage these relationships need to be avoided and the office party is a minefield when it comes to this area. Potential long-term conflicts can arise from common office party behaviour such as one-night stands; sexual harassment; verbal abuse and staff fights.

Such issues are difficult to mitigate against, but again, a clear human resource policy outlining what is unacceptable behaviour and the sanctions that will be brought into force against offenders will help in some of these areas. Good human resource management after any incident will also help reduce the personal and corporate impact.

Issues can also arise if an office party is planned insensitively. For example, a party which follows a period of cost-cutting and redundancies may be seen by the remaining staff as in bad taste.

Religion can cause problems and sensitivity needs to be shown, especially when a party is linked to a religious event such as Christmas and Easter. It may be better to rename the Christmas Party as simply the ‘Office Party’ or the ‘Holiday Party’, and it is best to avoid any use of decorations with religious themes or messages. Making the party optional is a sensible policy, allowing staff who may feel uncomfortable celebrating a festival based-upon another religion to avoid the situation.

Reputational damage

This is another minefield, especially where clients and prospects are invited to office parties. Such guests will get to see the company’s employees without their professional ‘hats on’ and the resultant informality, when mixed with the lack of inhibition that alcohol consumption brings, can result in insulted clients and lost contracts.

Once again a well-crafted human resource policy will help in this area and a reminder memo beforehand can help place staff on-guard. Better still, consider making the party staff-only, keeping customers well away from the ‘danger zone’.

The most obvious, and bluntest, form of risk reduction is simply not to have an office Christmas party, but despite the risks, there are also positive benefits to the festive event. It shows staff that they are important and that the company does not have a ‘Scrooge’ mentality. Parties can also be strong networking events. This, coupled with the simple fact that staff are enjoying themselves together and socialising outside their normal working environment, can have positive benefits on morale and employee relations. The trick is to be able to manage the liabilities and the reputational risks without negating any positive morale benefits.

For more pearls of wisdom visit www.continuitycentral.com and be sure to visit Business Continuity Expo and Conference held at EXCEL Docklands from 2-3 April 2008 - the UK's definitive event for managing risk, resilience and recovery. This event will explore the solutions and best practice to ensure operational continuity and protect a company's interests before, during and after an incident. For further information visit www.businesscontinuityexpo.co.uk

Business Continuity – or is it? Are we missing the point??

By Dominic Hill, Consultant, Siemens Enterprise Communications Limited

There have been a number of papers and presentations recently looking at the nature of Business Continuity (BC) and tools used to deliver it – from the future of the BIA to the importance of building evacuations. With the imminent arrival of Part 2 of the British Standard for Business Continuity Management (BS 25999-2), there will be a defined management system – the BCMS - and a means of measuring performance of Business Continuity capabilities, should organisations choose to do so. But are we missing something? Have we created our own definition of continuity?

The Oxford English Dictionary (1999 edition) defines continuity as “the unbroken and consistent existence or operation of something over a period of time”.

In BS 25999-1:2006, business continuity is defined as “strategic and tactical capability of the organisation to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable pre-defined level”.

In this definition, the “unbroken and consistent existence” has been replaced with “plan for and respond to” and “continue”, words which imply reaction and recovery. If we look at the services offered within the BC/DR arena today, it is easy to see the focus on responding to incidents and recovering capabilities in:
  • The provision of disaster recovery services;
  • The provision of work area recovery services;
  • The variety of software to generate, maintain and disseminate plans;
  • A plethora of communications tools allowing call cascades and other abilities.
Many of these services, and the BC capabilities of the organisations that use them, are reaching levels of maturity never before seen, and are thus giving those organisations a degree of confidence in their ability to recover.

This is laudable, nay essential, as the BC manager’s maxim should be “Expect the unexpected”! But do these services really provide continuity for the business? It could be argued that this is really business recovery, although for some that term has its own distinct meaning. Are we missing something? Would it not be even better to avoid the incident or business interruption in the first place, leaving the recovery for when there is no other option?

Why have a disaster if you can avoid it?

Many organisations spend a significant amount of money and effort on recovery capabilities and the associated plans, but neglect to address the issues that would make the operation more resilient and less in need of recovery in the first place. Could that money be better spent on disaster avoidance? To a degree the answer is going to be dependent upon the state of the organisation, its ability to change and the willingness of those in charge to accept risk.
A key tenet of BS 25999 is “embedding the BCM culture within the organisation” and this is probably the single most important thing when it comes to being pro-active about disasters. When a system, regardless of whether it is business or IT, is designed and operated with continuity in mind, the subsequent need to mitigate risks with recovery capabilities can be reduced.

Resilience: The unbroken operation

In order for a system to have unbroken operation, the threats to that operation must be reduced or removed. When BCM is a recognised part of the daily processes, and not something that gets retrofitted in the later stages of the system lifecycle, it is easy to consider these potential threats at the start of that lifecycle. Typically the causes of threats include:

Location of the system – This has a wide scope and should consider location at all levels – both physically (geographically and within the campus and building) and logically (within the organisation). Taking as an example a new IT system, are there opportunities to implement it in a location discrete from the main user population as well as from physical risks arising from location and environmental factors?
From the business viewpoint, the who and how should be considered. Does the system require input from certain members of staff whose roles make them unlikely to be available at the same time? Is specialist knowledge vested in a single individual, thus creating a potential single point of failure?

Access to the system – Again this works at both physical and logical levels. Again considering an IT example, there is little point in implementing a new system and a corresponding recovery capability if the system is situated in a location that does not afford it appropriate protection – environmentally or from a physical security point of view. A classic technology example is siting critical equipment in an IT suite that is used by members of IT staff as a shortcut to other parts of the building. A large number of incidents arise from human error in some shape or form; accidents do happen.
Similarly from a business viewpoint – especially in these days of increased concerns over the safety of data – who has access to what, by what means and for what purpose must be considered. For example, are personnel records only available as paper copies – if so where are they held, is it secure?

Design of the system – A single IT system can look cheaper than a design that addresses potential single points of failure with some sort of redundancy of functionality. On paper that is. When the cost of the corresponding recovery capability is included the picture may be very different. Similar arguments exist for non-IT tasks, where the ability for multiple teams (possibly on different sites) to carry out the same activity can address not only loss of site scenarios but also loss of staff – whether through pandemic or other cause.

Systems documentation - or the lack of it - In today’s fast moving world it is not uncommon for less than ideal documentation to be produced during the development phases, as the pressure to deploy the system increases. Limited documentation leads to a potential lack of understanding of how things work, which increases the threat of mistakes. Furthermore it is very hard to maintain and protect the system if it is not clearly understood where the interdependencies lie and the possible impacts when changes occur around it.
Understanding the business is one of the four stages in BS 25999 and is as essential to the resilience aspects of BC as to the recovery aspects. Good systems documentation has a major part to play in this.

Control of changes to the system – most systems will, after an initial period, operate in a steady state, until something changes! This is especially true in IT, which due to the ever developing nature of the technology is probably subject to more change than most business processes – the changes occurring in the form of software patches, upgrades, hardware enhancements for capacity improvements etc. The same can also be seen in the non-IT space, where changes to business process manifest as the results of mergers and acquisitions or the outsourcing of parts of the operation. By controlling the way change occurs – especially considering the impacts from all aspects – the threat from change can be minimised.

When these areas are considered throughout the whole lifecycle of a system and appropriate decisions made, the result will be a more resilient system that is fit for the purpose for which it was intended. As with anything in the BC space, this is not rocket science, just common sense, but it appears to be something that is often ignored in favour of cheaper or short-term solutions or because the challenges are too great.


Challenges associated with implementing resilience

Implementing resilience can have significant challenges associated with it, including:
  • Cost;
  • Outsourcing/Supply chain management;
  • How to get there from here.
However, each of these challenges provides a means to its own solution as they can be used to improve resilience.


Total Cost of Continuity

This is a variant of the well known “Total cost of ownership” concept and is proposed here as a means to understand exactly what costs are incurred in providing true continuity for an organisation.

Typically organisations look at their recovery contracts, sum the costs and label the result as the cost of BC. This is misleading as it takes no account of the cost involved in setting up and maintaining BC within the organisation. In particular it ignores the cost of resources required for the exercising (testing) of recovery plans, both IT and non-IT. These costs can be quite considerable when the effort required for preparation and carrying out exercises across the different departments is considered, but they are often lost within the operational costs of the departments involved. Also, the more specialist the recovery processes, the more resource is required, in addition to a potential for greater frequency of exercising (to ensure that all appropriate staff gain the necessary experience).

If a more realistic approach is taken and the resource and exercising costs (in particular) are included, the total cost of continuity may well look very different. This may provide sufficient justification for implementing a more robust design that negates the need for much recovery.


Outsourcing

More and more the outsourcing of discrete parts of operation is seen as a cost saving exercise. While this may be true, there may also be benefits in the form of decoupling those parts of the operation physically as well as logically. Resilience may be improved, but out of sight is out of mind as the saying goes – so the emphasis shifts to one of supplier management, which must be supported by carefully prepared and suitably detailed legal contracts. This is an area of BC that is experiencing rapid growth as organisations mature in their own continuity capabilities and start to look more closely at those suppliers (outsourcers included) on which they depend.


Change as a mechanism for delivering resilience (and hence continuity)

Applying changes to an existing system in order to improve resilience is rarely easy – especially if it involves withdrawing previous access. It is easy to argue that things “have always been done that way” and that disasters had not occurred so change is unnecessary. The point can be illustrated with statistics, but not conclusively, for either side! The governing factor must be what is best for the unbroken operation of the business in a fit for purpose solution.

Fortunately, change can work in favour of these attempts to achieve resilience. In the area of technology (not exclusive to IT) the need to refresh equipment every three or four years provides an opportunity to implement measures to improve resilience. Similarly in the business space, changes in process, whether brought about by technology or changes in business practice, can be used to improve resilience here too.


Summary

While the typical focus of BC today is arguably on recovery activities, there is much to be gained from the pro-active side of continuity – providing the unbroken operation in a way that is fit for purpose. Maybe the time has now come for attention to be paid to this much neglected area of BC; maybe it will be the next to mature? After all, why have a disaster if you don’t need to?

Siemens Enterprise Communications Limited will be exhibiting at the Business Continuity Expo and Conference held at EXCEL Docklands from 2-3 April 2008 - the UK's definitive event for managing risk, resilience and recovery. This event will explore the solutions and best practice to ensure operational continuity and protect a company's interests before, during and after an incident.
For further information visit www.businesscontinuityexpo.co.uk

Don’t leave your keys on display

TWO thieves were caught stealing a car in Kent, England, after fishing its keys out of a hallway through a letterbox.

The bungled attempt has led police to warn people to keep their keys safe – and not display them to thieves through doors and windows.

A resident of a town in Kent was woken in the early hours of a morning and looked out of the window to see two men rolling his car down the driveway.

The car keys had, according to police, been fished out of the hallway using an “implement” through the letterbox of the property.

The advice therefore is, and must be, to take a few seconds to put keys in an out-of-sight place, perhaps a drawer or cupboard that isn’t near to an entrance door or to a window. A proper key cabinet, maybe even one that can be locked, might be a good idea too. In that instance, if used diligently, one also always knows, theoretically, where the keys are when one wants them.

© Michael Smith (Veshengro), December 2007