July 2003 Mfg.Trust
Mfg.Trust is a monthly feature of the
NCMS InfraGard Manufacturing Industry Association
Infrastructure assurance for manufacturers
Powered by NCMS.
This month – EXPECTING THE UNEXPECTED
Business Continuity in an Uncertain World
See the Resources Page for this Story
Editor's Preface:
This month we return to a topic we covered one year ago. Back then we
made a special issue of the InfraGard Manufacturing Industry Association’s
(IMIA) Corner.Office (members only) feature story broadly available. We
did this because we believed the story had special merit, and special
significance to the NCMS IMIA effort. This is about protecting your own
critical infrastructure – your business.
This past look at Business Continuity Planning (BCP) featured an interview
with David Spinks, EDS’ director of Information Assurance for Europe,
Middle East and Africa, and an extensive Resources page. The excellent
article is completely valid today. You can find it at
http://trust.ncms.org,
in the Publications Index tab under July 2002.
This month’s issue will stress the high level perspective in the field –
the ‘business’ in business continuity – rather than the technology. It
will also point to resources that allow smaller businesses to plan for
robust business continuity without spending large sums.
Efficient online training in the closely related Crisis Management area is
available from NCMS at
http://products.ncms.org/classes.htm
Editor
BUSINESS CONTINUITY IN AN UNCERTAIN WORLD
Imagine a balance beam in the organization of your business. At one end
we optimize for efficiency - at the other end for robustness. Seldom can
we have both at the same time. Competitive pressures drive organizations
to be ‘efficient.’ We can be thankful that some are not.
It is those ‘inefficient’ organizations (actually, efficient in a
different way) that can come up with the resources to win a war, beat a
disease, or handle a disaster.
‘Building-in’ business continuity, making it a part of the way you run
your business, rather than having to ‘firefight’ any emergency, helps you
offer ‘business as usual’ in the quickest possible time. Thus, business
continuity is not just a plan, a consultant, or an expert – but a mindset.
With the right mindset, you can avoid becoming a statistic. You must
manage risk, not just assess it.
There are important pros and cons to locating all of any important
resource or function – customer service, manufacturing, medical records,
or spare parts – in one place. Any company with two customer service
offices already has started a business continuity plan.
“Business Continuity Management is a holistic management process that
identifies potential impacts that threaten an organization and provides a
framework for building resilience and the capability for an effective
response which safeguards the interests of its key stakeholders,
reputation, brand and value creating activities.” …so says the Business
Continuity Institute (see Resources Page).
They have it right. Their carefully worded statement bears scrutiny. It is
a holistic management process. It safeguards reputation and brand, as well
as building resilience.
Effective Plans
David Spinks tells us that a very effective BCP plan operates on three
levels globally:
- “The first level is where the Board of Directors operates, as it looks
at the long term impacts of the crisis on the business. This includes
(like it or not) the immediate need to communicate with the press, the
media and if necessary with governments at a global level.
- There is a second level, which is looking at the recovery of either a site
or geographical area.
- The third level is putting out the fire, because that is quite
important.
What we find is that too many technical people only consider the third
level. They only consider the technical response to it and they forget
that in a major crisis somebody has to be at the gates talking to the
press, talking to the media, reassuring the local community, and dealing
with the longer-term aspects of an event.”
Effective Managing
If you reread the paragraph above, then the necessity of corporate buy-in
becomes clear. There is no sense in starting a
business continuity effort without it. If the plan is just owned by the
security or IT departments, if it is technical rather than holistic, then
it will likely fail during a crisis.
What is even more important than the plan itself is the planning process,
which has led to the development of the plan. The planning process gives
business managers an opportunity to consider how to deal with crisis
issues by changing their everyday operations. By changing their everyday
operations, leaders learn to manage risk, not just assess it. This is the
process by which small companies, which can react more quickly, can create
robust business processes that can survive difficulty.
Steps to Follow
Last year’s feature story should be consulted for the steps to follow in a
BCP effort.
Specific advice for the smaller enterprise is found in the booklet
“Expecting the Unexpected: Business Continuity in an Uncertain World.” The
first entry in the LINKS section below will take you to this excellent
resource.
The BCP team must first identify threats and conduct a risk assessment,
which will help to define the areas on which the plan should focus, as it
is impossible to avoid or mitigate all risk.
Once the risk assessment has been done, one has to manage the risks.
Preventive, detective and reactive means have to be put in place in order
to protect the company. For example, it might be possible to transfer
risks by using insurance, contracting out some services, implementing
safeguards and controls, and so on. High-impact but low-probability risks
that cannot be mitigated are prime candidates for Business Continuity
Planning.
Then, a business impact analysis will help to define the critical business
processes. This helps focus resources in order to recover from an
incident.
These analyses provide the material for a plan. The plan must be
implemented and tested. The importance of testing is highlighted in last
year’s feature. Poor testing is a frequent flaw in BCP efforts.
Conclusion
This topic contains the same themes that you will see in almost every
InfraGard Manufacturing Industry Association publication: ‘holistic,’
‘management-level,’ ‘not just a plan, but a mindset.’ All NCMS’
infrastructure security efforts with industry align with this core theme.
Businesses should have a BCP and incident procedures in place so that they
can resume functionality after an incident that affects the company. Such
plans will enable them to recover far more quickly and with fewer losses
than a company that disregards them, thinking ‘it would never happen to us.’
Even though there are costs involved, it is well worth having such plans,
as they will save the business during an incident and help it react in an
ordered and timely manner.
Links
Expecting the Unexpected: Business Continuity in an Uncertain World
A simple BCM booklet, based on BCI principles is now available for Small
and Medium Enterprises (SMEs)
http://www.thebci.org/London%20Firsts.pdf
http://trust.ncms.org (see Publications Index)