Business Continuity Management: From Risk To Resilience


Knowledge Capital Partners Executive Research Report

Dr. Daniel Gozman, Henley Business School, University of Reading, D.Gozman@henley.ac.uk

Professor Leslie Willcocks, The Outsourcing Unit, Department of Management, The London School of Economics and Political Science, l.p.willcocks@lse.ac.uk

Andrew Craig, Associate Researcher, The Outsourcing Unit, The London School of Economics and Political Science, Andrew.craig@carig.co.uk

May 2017



Research on Business Continuity Management

Research Objective: The researchers at Knowledge Capital Partners aim to assess the current and long-term developments and impacts of business continuity management practices on client organizations. New adopters want to know what the effective practices really are. Those who have incurred disruptions in business continuity want to know what to do better next time. Mature adopters want to learn about advanced practices. Researchers can help educate potential and mature adopters by objectively researching actual Business Continuity Management practices in client and service provider firms, assessing the practices that work and the risks associated with omissions, and extracting lessons on delivering value from effective BCM practices.

Acknowledgements: ‘Business Continuity Management: From Risk To Resilience’ by Daniel Gozman, Leslie Willcocks, and Andrew Craig is one of the research reports delivered from this research project. We appreciate and thank the many customers, providers, and advisors interviewed for this research. We also acknowledge and thank Trizma senior management for their participation and support of this work.






Introduction: The Big Picture, The Growing Problem

Over time, the impact of business disruption on whole industries and on the economic well-being of states has become more widely recognised. Following a series of natural disasters and acts of terrorism that disrupted business activities in the 1980s and 1990s, contingency planning and disaster recovery came to be seen as a ‘necessary evil’ and a ‘cost of doing business’. But all too often the business continuity management (BCM) solutions developed for business and business services, particularly information technology, were treated merely as another form of technology-driven ‘back-up’, and BCM initiatives typically remained siloed within the IT department. Over time, however, as processing power increased, the cost of data storage fell, and systems and networks became faster and far more interconnected through the internet and software integration technologies, new risks emerged both internally and externally. These risks are shown schematically in Figure 1 [1]. Traditional siloed approaches to BCM have therefore become outmoded, even though they remain common today. In a separate KCP Executive Briefing we provide six major case examples of how a siloed approach to BCM has become highly risky, and we provide detailed lessons on how to develop corporate resilience in a business world of systemic risk.

[1] http://www.bankofengland.co.uk/financialstability/fsc/Documents/FSAWorkingPaperonBCM.pdf



Figure 1: Examples of risks to business continuity (Source: FSA Working Party)

Inadequacies in BCM strategy become very serious when the costs of contemporary disruptive events are considered [2]. Focusing just on information technology, outage costs can be significant and varied (see Figure 2). A study conducted by IBM of professionals dependent on the consistent availability of IT found that the cost of IT/telecommunications outages varied from US$1.04 million to US$14.25 million over a 24-month period. Minor incidents, on average, cost US$53,210 per minute of downtime, and further reputation-related losses may reach US$5.27 million for substantial incidents. A survey by the Business Continuity Institute (BCI) found that 57% of respondents were concerned about the effects of adverse weather on their operations, while the insurer Munich Re calculated that, in 2013, insurance payouts for weather-related damage in the United States cost US$12.8 billion [3].

[2] For examples see also the cases in Gozman, D., Willcocks, L. and Craig, A. (2017) Business Continuity Management Part 2: Cases and Lessons. LSE Outsourcing Unit Working Paper 17/04, April.
[3] http://www.iii.org/assets/docs/pdf/MunichRe-010714.pdf



Figure 2: Common threats ranked in terms of economic impact (IBM Global Technology Services 2013) [4]

Defining Business Continuity Management

As a consequence of the emergence of viruses and hacking activities, as well as an increasing number of high-profile failures, a consensus grew that responses to these new forms of disruption required a business-led response, termed Business Continuity Management (BCM). IT analyst firm Gartner describes Business Continuity Management Planning (BCMP) as: “a broad disaster recovery approach whereby enterprises plan for recovery of the entire business process. This includes a plan for workspaces, telephones, workstations, servers, applications, network connections and any other resources required in the business process” [5].

More recently, governments and regulators have focused on the role of BCM in mitigating the impacts of disruptive events on society and have sought assurance that systemically important stakeholders have appropriate practices in place. Correspondingly, as supply chains became increasingly integrated through middleware, ERP and CRM systems, firms became more dependent on one another. Businesses increasingly sought assurance that suppliers and partners were robust and resilient, to the point where products and services could still be delivered even when the unforeseen occurred. Recognising the impact of business disruption on society, in 2012 the International Organization for Standardization's (ISO) technical committee for ‘Societal Security’ (ISO/TC 223) [6] developed ISO 22301, an international standard for BCM. Appendix B summarises this and related ISO standards. In contrast to Gartner's process-focused definition, ISO defines business continuity from a products and services perspective as:

[4] IBM Global Technology Services (2013a). The economics of IT risk and reputation: What business continuity and IT security really mean to your organisation. Portsmouth, UK: IBM.

[5] http://www.gartner.com/it-glossary/business-continuity-management-planning-bcmp-software/
[6] ISO/TC 223 developed international standards that aim to increase societal security, i.e. protection of society from, and response to, incidents, emergencies, and disasters caused by intentional and unintentional human acts, natural hazards, and technical failures. An all-hazards perspective is used, covering adaptive, proactive and reactive strategies in all phases before, during and after a disruptive incident. The area of societal security is multi-disciplinary and involves actors from both the public and private sectors, including not-for-profit organizations. http://www.iso.org/iso/home/news_index/news_archive/news.htm?refid=Ref1602



‘the capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident’. ISO also highlighted the need for a: ‘holistic management process’ that, ‘…identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.‘

Both Gartner's and ISO's definitions highlight the need to protect critical processes in order to ensure business resilience and the uninterrupted delivery of products and services. The key is well-defined, integrated management processes. These must address four critical areas. The first, ‘Business Continuity’, focuses on the relocation of staff and processes. The second, ‘Disaster Recovery’, ensures the recovery and continuity of IT systems. The third, ‘Emergency Response’, ensures safety and protects life. The fourth, ‘Crisis Management’, focuses on protecting the business [7].

Today, the need to focus on resilience is firmly in the sights of senior policy makers and managers. Take the United Kingdom (UK) as an example. In November 2015, the UK Chancellor of the Exchequer announced that £1.9 billion would be made available for tackling cybercrime by 2020. In 2017, at the opening of the new National Cyber Security Centre (NCSC) building in central London, the current UK Chancellor of the Exchequer commented that: “The cyberattacks we are seeing are increasing in their frequency, their severity, and their sophistication”. At the opening, the NCSC head highlighted that in three months the new organization had already handled 188 ‘high level’ cyber-attacks and commented that: “We will help secure our critical services, lead the response to the most serious incidents and improve the underlying security of the internet through technological improvement and advice to citizens and organisations… This will include finding vulnerabilities in public sector websites, stopping spoof emails, and taking down thousands of phishing websites in the UK” [8].

As new threats emerge it has never been more important for firms to be able to manage disruptive events effectively and, equally importantly, to be able to demonstrate such capabilities. A report by the Ponemon Institute in 2013 [9] found the average annual cost of cyber-attacks and data breaches to be $11.6 million. Participant organizations reported costs ranging from $1.3 million to $58 million to resolve attacks and breaches. Since that report these figures have been rising dramatically year on year.

[7] https://www.drii.org/whatisbcm.php
[8] http://www.wired.co.uk/article/national-cyber-security-centre-open-gchq
[9] https://media.scmagazine.com/documents/54/2013_us_ccc_report_final_6-1_13455.pdf



Business Risks and the Value of BCM

Business risk is understood here as the probability of something happening multiplied by the resulting cost or benefit if it does [10]. With business continuity management, we are particularly interested in a) the likelihood of an adverse event occurring, b) the size and impact of that adverse event, and c) how the hazard can be mitigated, and converted into a favourable outcome, through BCM practices.

An important point about risk needs to be made here. The key fact about risk communication is that there is a very low correlation between a risk's ‘hazard’ (how much harm it is likely to do) and its ‘outrage’ (how upset it is likely to make people). One primary task of our work on BCM is what Sandman [11] calls ‘precaution advocacy’: to put it bluntly, where hazard is high and perception/outrage low, we need to alert insufficiently informed or insufficiently concerned people to serious risks. Our research shows this is particularly needed when encouraging companies to adopt more resilient business continuity management practices. We find organizational understanding of contemporary business risks, especially their systemic nature, very under-developed in business practice. This is a serious problem, because if companies do not fully understand the risks they are facing, they will not fully appreciate the benefits of adopting BCM practices either.

While policy makers note and mandate the benefits to society from adopting effective BCM, many business benefits also flow from it. The BCI conducted a survey in 2009-2010 of 221 BCM practitioners [12]. The respondents were significant budget holders or influencers for BCM products and services, including alternative accommodation, ICT back-up, Virtual Private Networks (VPN), Employee Assistance Programmes (EAP) for mitigating the effects of trauma and crisis, messaging/notification systems, BCM programme management products and services, transport costs, and escrow products and services. The survey's purpose was to identify the tangible benefits that organizations enjoy through the introduction of BCM practices. The first stage was to establish the sorts of disruptive events that regularly occurred. Figure 3 outlines respondents' answers to the question: ‘What have been the impact(s) on your organization of disruptive events?’ The question included options to comment on positive outcomes of the recovery/response related to the firm's BCM programme.

[10] See Lacity, M. and Willcocks, L. (2017) RPA and Risk Mitigation: The Definitive Guide. (SB Publishing, Stratford). Available at www.sbpublishing.org

[11] Sandman, P. (2017). Introduction and Orientation. www.psandman.com, accessed 12th February 2017.
[12] http://www.thebci.org/index.php/businesscontinuity/cat_view/1-business-continuity/7-business-case-forbusiness-continuity



Figure 3: Impacts of disruptive events (Source: BCI survey)

A key finding of the survey was that BCM practices were being applied not only to high impact, low frequency events, such as terrorist attacks or earthquakes, but also to more mundane and frequent events. The main advantages of BCM were cited as ‘reduced impact of incidents’ and ‘faster recovery from incidents’; 82% of respondents felt that their programmes mitigated the impacts of disruption. The survey found a correlation between the geographical spread of a firm and the number of disruptive events reported. In line with the evolution of BCM from an IT process to a business process, the IT director was found not to be the dominant reporting manager: 26% of BCM practitioners reported to the CEO or managing director, while others reported to the finance director, chief risk officer or IT director. The manufacturing sector saw the main benefits of BCM as faster recovery and increased customer confidence, while the finance sector viewed the main benefit as meeting regulatory obligations. Figure 4 outlines respondents' answers to the question, ‘How would you describe the business benefits of BCM to your organization?’


Figure 4: The business value of BCM (BCI survey)

Clearly, there are significant benefits in investing in BCM practices. However, this conclusion does not lead to a straightforward wholesale adoption of every BCM practice detailed in our two papers. For example, a 2011 paper by the UK Government's Office for Science (GOS) focused on High Impact Low Probability risks and highlighted the need to invest in mitigating risks while balancing the associated costs. The report argued that:

- Organizations should conduct a cost-benefit analysis to inform decision making and to understand what level of risk is acceptable to the organization, and what corresponding level of investment and allocation of resources is appropriate to the firm's risk appetite.
- The cost of mitigation measures may outweigh the cost of the damage they prevent.
- Different types of risk will require different forms of analysis; organizations should therefore consider multiple scenarios.
- The BCM measures adopted may not be able to entirely mitigate the risks, and so residual damage costs may still be incurred.
- While BCM practices may entirely eliminate damage from smaller events up to the design threshold of the practices employed, such measures may also reduce the damage from larger events.

Figure 5 shows that there is a point, where the red line (the cost of repairing the damage) and the blue line (the cost of mitigation practices) cross, beyond which it is no longer economically viable to invest in further mitigation measures.
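To make the crossover in Figure 5 concrete, the following is an added worked example, not taken from the GOS report or from the authors of this paper, that applies the risk definition used above (probability multiplied by cost) to a set of constructed scenarios. A mitigation programme is characterised by its design threshold T, the largest single-event damage it is built to absorb completely; events above T are only partly reduced, as the GOS points note. The scenario probabilities and damages, the 50% reduction for events above T, and the mitigation cost function are all assumptions chosen for illustration; the code finds the T at which total cost (mitigation spend plus residual expected damage) is lowest, which is the point beyond which extra mitigation costs more than the damage it avoids.

```python
"""Cost-benefit model for sizing BCM mitigation (added illustration).

Scenarios are constructed, illustrative figures, not survey data. A
mitigation programme is characterised by its design threshold T (the largest
single-event damage it absorbs completely). Events with damage <= T cause no
loss; larger events are reduced by a fixed fraction. The programme's
annualised cost grows with T. The optimum is the T with the lowest total
cost (mitigation spend + residual expected damage); beyond it, extra
mitigation costs more than the damage it avoids, i.e. the GOS crossover.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_probability: float  # expected occurrences per year
    damage: float              # cost per occurrence, in currency units


# Constructed sample scenarios (assumed values for illustration only)
SCENARIOS = (
    Scenario("short power outage", 2.0, 50_000),
    Scenario("ransomware on a file server", 0.3, 400_000),
    Scenario("data-centre flood", 0.02, 5_000_000),
    Scenario("regional earthquake", 0.002, 40_000_000),
)

# Assumed model parameters
LARGE_EVENT_REDUCTION = 0.5     # fraction of damage avoided for events above T
FIXED_PROGRAMME_COST = 20_000   # annual cost of running any programme at all
COST_PER_UNIT_THRESHOLD = 0.05  # annualised cost per unit of damage absorbed


def expected_annual_loss(scenarios) -> float:
    """Risk = probability x cost, summed over scenarios (no mitigation)."""
    return round(sum(s.annual_probability * s.damage for s in scenarios), 2)


def residual_loss(scenarios, threshold: float) -> float:
    """Expected annual loss with a programme designed to threshold T.

    T <= 0 means no programme: every event is paid in full.
    """
    if threshold <= 0:
        return expected_annual_loss(scenarios)
    total = 0.0
    for s in scenarios:
        if s.damage <= threshold:
            continue  # fully absorbed by the design
        total += s.annual_probability * s.damage * (1 - LARGE_EVENT_REDUCTION)
    return round(total, 2)


def mitigation_cost(threshold: float) -> float:
    """Annualised cost of a programme sized to threshold T (0 = no programme)."""
    if threshold <= 0:
        return 0.0
    return round(FIXED_PROGRAMME_COST + COST_PER_UNIT_THRESHOLD * threshold, 2)


def total_cost(scenarios, threshold: float) -> float:
    """Mitigation spend plus residual expected damage at threshold T."""
    return round(mitigation_cost(threshold) + residual_loss(scenarios, threshold), 2)


def evaluate_thresholds(scenarios):
    """Candidate thresholds are 'no programme' plus each scenario's damage.

    Returns rows of (threshold, mitigation, residual, total) in rising order.
    """
    candidates = [0.0] + sorted({s.damage for s in scenarios})
    return [
        (t, mitigation_cost(t), residual_loss(scenarios, t), total_cost(scenarios, t))
        for t in candidates
    ]


def optimal_threshold(scenarios) -> float:
    """Design threshold with the lowest total cost."""
    return min(evaluate_thresholds(scenarios), key=lambda row: row[3])[0]


def net_benefit(scenarios, threshold: float) -> float:
    """Avoided damage minus mitigation spend, relative to doing nothing."""
    return round(expected_annual_loss(scenarios) - total_cost(scenarios, threshold), 2)


if __name__ == "__main__":
    for t, m, r, tot in evaluate_thresholds(SCENARIOS):
        print(f"T={t:>12,.0f}  mitigation={m:>12,.0f}  residual={r:>12,.0f}  total={tot:>12,.0f}")
    best = optimal_threshold(SCENARIOS)
    print(f"optimal design threshold: {best:,.0f} (net benefit {net_benefit(SCENARIOS, best):,.0f})")
```

With these assumed figures the unmitigated expected annual loss is 400,000. Designing the programme to absorb the 400,000 ransomware scenario costs 40,000 a year and leaves 90,000 of residual expected damage, the lowest total; sizing it for the 5,000,000 flood would cost 270,000 a year to avoid only a further 50,000 of expected damage, which is the region to the right of the crossover in Figure 5. The candidate thresholds are the scenario damage values themselves, because total cost only changes when the design crosses one of them.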



Figure 5: Damage costs vs mitigation costs (Source: GOS) [13]

A further driver for BCM adoption is that customers should require potential vendors to demonstrate that they have robust Business Continuity Management programmes in place. Requests for Proposals frequently stipulate that firms outline their BCM strategies when responding. Regulatory obligations often require robust supply chains, for example in health or financial services, so suppliers to regulated firms must be able to demonstrate resilience. Additionally, firms with a resilient supply chain will respond to disruption better than their competition, so outsourcing suppliers with resilient BCM practices will be more attractive to their larger client organizations. To put it another way, the benefits of outsourcing may be diluted if the supplier does not have robust and demonstrable business continuity plans.

In addition to the demands placed on vendors by clients, BCM is also driven by the need to maximize insurance coverage. Analysing the potential lost profit and the fixed costs incurred in the event of a disruptive incident can help quantify the amount of insurance cover required. This is particularly important where there is a need to reimburse a customer's or supplier's profits lost through an interruption to the business supply chain. Additional insurance may also help maintain operations after an accident until normal operations are restored [14].

Overall, the picture that emerges is of a current and pervasive need for organizations to facilitate resilient operations and the consistent delivery of products and services through BCM. BCM practices cover a diverse range of stakeholders, industries and types of practice, and can help firms protect their reputation and develop resilience when unexpected adverse circumstances arise.

[13] https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/278526/12-519-blackettreview-high-impact-low-probability-risks.pdf
[14] https://drii.org/whatisbcm.php



Risks may emanate from outside or from inside the business. BCM helps protect the firm's brand, reputation and consistent delivery to customers, reduces downtime and the cost of recovery in the event of an incident, demonstrates regulatory adherence, and contributes to reducing insurance premiums. All this suggests that practitioners need guidance on risks and on effective risk mitigation practices in the area of business continuity management. In fact, there is already a large body of knowledge that practitioners can draw upon, in terms of professional institutions, standards of best practice and industry-specific regulations, and these are outlined in the next section. They are doubly important because they also contribute to the standards embedded in BCM regulations with which firms must comply.

The First BCM Move – Leveraging Institutions, Standards And Regulations

In this section we establish that practitioners need to understand the leading BCM institutions, pragmatically adopt appropriate key standards, and respect the regulations that impact upon their risk profiles and company BCM practices. In a later paper, Business Continuity Management Part 2: Cases and Lessons, we detail our research findings on six case histories where recommended and mandated practices were not applied sufficiently, and draw up a range of action principles emerging from this BCM research project.

Understanding Key Institutions

In 1988, the Disaster Recovery Institute (DRI) was founded in the USA; it is based in New York City. This organization's purpose is to: “help organizations around the world prepare for and recover from disasters”. The DRI currently (2017) has certified over 14,000 professionals through training conducted in 50 countries [15]. The DRI provides training around BCM and holds an annual conference, as well as promoting the current relevant ISO standards.

In 1989, the UK Department of Trade and Industry (DTI) established a working group to produce a code of good practice for IT security and published the User Code of Practice standard in the same year. This standard was essentially a list of security controls. Following the formation of the BCI, in 1995 the British Standards Institution (BSI) published BS 7799, also written by the DTI. This standard focused on IT security and evolved into ISO/IEC 17799 Information security management (2000) and then into the various ISO 27K standards [16] listed in Appendix B. The ISO 27K standards are underpinned by ISO/IEC 27001:2013, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization.
It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature [17]. Emergent cybersecurity risks make such standards increasingly relevant to firms wishing to avoid operational disruption. Figure 6 summarizes the control areas of ISO/IEC 27001 (listed in its Annex A and elaborated in ISO/IEC 27002). Clauses 1-4 of the standard cover scope, normative references, terms and definitions, and the structure of the standard, and are omitted from the table.

[15] https://thedrifoundation.org/about/
[16] Herbane, B., 2010. The evolution of business continuity management: A historical review of practices and drivers. Business History, 52(6), pp.978-1002.

5. Information security policies: 5.1 Management direction for information security
6. Organization of information security: 6.1 Internal organization; 6.2 Mobile devices and teleworking
7. Human resource security: 7.1 Prior to employment; 7.2 During employment; 7.3 Termination and change of employment
8. Asset management: 8.1 Responsibility for assets; 8.2 Information classification; 8.3 Media handling
9. Access control: 9.1 Business requirements of access control; 9.2 User access management; 9.3 User responsibilities; 9.4 System and application access control
10. Cryptography: 10.1 Cryptographic controls
11. Physical and environmental security: 11.1 Secure areas; 11.2 Equipment
12. Operations security: 12.1 Operational procedures and responsibilities; 12.2 Protection from malware; 12.3 Backup; 12.4 Logging and monitoring; 12.5 Control of operational software; 12.6 Technical vulnerability management; 12.7 Information systems audit considerations
13. Communications security: 13.1 Network security management; 13.2 Information transfer
14. System acquisition, development and maintenance: 14.1 Security requirements of information systems; 14.2 Security in development and support processes; 14.3 Test data
15. Supplier relationships: 15.1 Information security in supplier relationships; 15.2 Supplier service delivery management
16. Information security incident management: 16.1 Management of information security incidents and improvements
17. Information security aspects of business continuity management: 17.1 Information security continuity; 17.2 Redundancies
18. Compliance: 18.1 Compliance with legal and contractual requirements; 18.2 Information security reviews

Figure 6: ISO 27001 Areas of Best Practice [18]

[17] https://www.iso.org/standard/54534.html
[18] https://www.iso.org/obp/ui/#iso:std:iso-iec:27002:ed-2:v1:en



Within the UK, the BCI was established in 1994. Its purpose, similar to the DRI's, is to “promote the art and science of business continuity management” in order to assist organizations to plan for and manage small and large scale disasters, both man-made and natural. Its stated vision is: “To be the Professional Body of choice for resilience professionals.” Members of the BCI benefit from guidance and support from fellow members and also from professional training and certification programmes. Currently (2017), the BCI has over 8,000 members in 100 countries across 3,000 organizations in the public, private and third sectors [19].

In addition to the DRI and BCI, a third professional institution, the Business Continuity Management Institute (BCMI), was created in 2005 and is based in Singapore. The BCMI: “promotes and develops the disciplines of Business Continuity Management (BCM), Crisis Management, Crisis Communication and Disaster Recovery Planning (DRP) for a variety of industries and clients around the world”. BCMI has trained over 3,000 professionals from 40 countries, drawn from over 850 companies in industries ranging from Oil & Gas, Healthcare, Utilities and Manufacturing to Banking & Finance, Technology (IT) and Telecommunications [20]. Figure 7 outlines BCMI's planning methodology. This figure also highlights the differentiated bodies of knowledge required to structure and install effective BCM (e.g. project management and business analysis).

Figure 7: BCM Planning Methodology (Source: BCMI) [21]

[19] http://www.thebci.org/index.php/about/generalinfo
[20] http://www.bcmpedia.org/wiki/Business_Continuity_Management_Institute_(BCM_Institute)
[21] http://www.bcmpedia.org/wiki/BCM_Planning_Process_or_Methodology



As can be seen, taking BCM seriously requires key capabilities and a great deal of sustained organization and management.

Adopting Standards

All three institutions, based in the USA (DRI), Europe (BCI) and Asia-Pacific (BCMI), promote ISO 22301, a standard developed in 2012 for BCM. Over time, different standards had emerged for BCM globally (e.g. the UK's BS 25999). However, organizations with international operations began to struggle with the complexity and cost of managing different regional standards, and ISO 22301 was created in response. According to ISO: “ISO 22301 is a management systems standard for BCM which can be used by organizations of all sizes and types. These organizations will be able to obtain accredited certification against this standard and so demonstrate to legislators, regulators, customers, prospective customers and other interested parties that they are adhering to good practice in BCM. ISO 22301 also enables the business continuity manager to show top management that a recognized standard has been achieved.” Figure 8 summarises the major business issues and benefits of ISO 22301.

Figure 8: ISO 22301 Business Issues and Benefits (Source: BSI) [22]

The ISO 22301 standard adopts a standardised structure which allows consistency with other related management system standards, e.g. ISO 9001 (quality), ISO 14001 (environmental) and ISO 27001 (information security). ISO 22301 is divided into 10 clauses, beginning with scope, normative references, and terms and definitions, followed by seven clauses outlining best practice [23] [24]. It is useful to analyse these in detail in order to establish the foundations for a business continuity management programme.

Context: External and Internal Analysis - The fourth clause addresses the context of the organization and involves conducting internal and external analysis to understand the firm's contextual environment and needs, and also to set the boundaries of the management system's scope. Firms should seek to understand the interests and requirements of stakeholders, including regulators, staff and customers. Furthermore, legal and regulatory obligations must be understood, along with the implications of compliance for the management system's scope.

Leadership - The fifth clause addresses leadership and the need for senior management to ensure that the necessary resources are available and that appropriately skilled people are employed to implement and maintain the BCMS. A further responsibility of senior managers is to implement appropriate policies and related governance and control practices.

Planning Activities - The sixth clause addresses planning activities, specifically actions to address risks and opportunities, as well as BCM plans and objectives. This requires the organization to identify risks to the implementation of the management system and to set clear objectives and criteria that can be used to measure its success.

[22] https://www.bsigroup.com/LocalFiles/en-GB/iso-22301/resources/iso-22301-features-benefits-2016.pdf

Support Activities and Resources for Implementation - The seventh clause focuses on support activities and resources for implementing the BCMS. Individuals with appropriate competencies (knowledge, skills and experience) must be employed both to contribute to the installation and operation of the BCMS and to respond to incidents when they occur. Each member of staff should be aware of their role in responding to incidents. Communication of the BCMS is also important, not least to ensure that customers are aware of it and assured that it is in place. Furthermore, the firm should have made appropriate preparations to communicate after an incident, with provisions for the case where normal channels of communication have been disrupted.

Business Continuity and Risk Analysis - Clause eight addresses business continuity expertise and analysis and is the main body of related best practice. The organization should undertake business impact analysis in order to understand how the business will be affected, especially in the face of change over time. Risk assessment outcomes should address risks in a structured way to inform the development of the business continuity strategy. This analysis should outline steps to reduce the likelihood of incidents occurring and should be developed along with clear guidance regarding the steps to be taken if an incident does occur. Clearly, it is impossible to predict all possible events with complete accuracy, and so a balance is required between reducing risks and planning for as many eventualities as possible, given resources and costs.

[23] https://www.iso.org/news/2012/06/Ref1602.html
[24] https://www.iso.org/obp/ui/#iso:std:iso:22301:ed-1:v2:en



Since it is impossible to completely predict and prevent all incidents, risk reduction and planning for eventualities are complementary approaches. This clause also addresses the need for a well-defined incident response structure. When incidents occur they must be handled appropriately and, where necessary, escalated within appropriate time frames. Individuals need to be empowered to make the necessary decisions and take action. Where relevant, life safety is prioritised, and organizations are required to communicate with external parties who may also be affected, for example if an incident poses a noxious or explosive risk to surrounding public areas. This section also sets out requirements for business continuity plans. Emphasis should be placed on documents which can be quickly understood and are user-focused, rather than large documents which may be unwieldy and difficult to absorb quickly; several smaller plans are preferable to one large document. The clause also introduces a requirement, not included in preceding clauses, to plan for a return to normal business, and so addresses the need for organizations to consider, in some depth, what should happen after the emergency has been dealt with. The last subsection of clause eight addresses exercises and tests. Their purpose is to assess all elements of the business continuity arrangements and demonstrate that they work to an agreed standard. Exercises may also be designed to simulate responses to an incident; such drills help train staff and build awareness, and also help evaluate processes. Exercises and tests underpin ISO 22301 through structured exercises which challenge individuals and teams, so that an organization can achieve objective assurance that its practices will be effective when needed.

Monitoring and Evaluating Against Plan - The ninth clause addresses the need, inherent in all management systems, to monitor and evaluate performance against the plan. This requires firms to set appropriate performance benchmarks and select metrics as appropriate. Internal audits of their effectiveness should be conducted periodically, and management should respond and act on audit outcomes. A BSI white paper on ISO 22301 metrics includes 10 questions management may ask. BSI's Global Business Continuity Technical Manager states: “Organizations must remember that if you're going to invest in BCM and wish to have a clear view on the health of your BCMS, then you need to track its performance. In other words, your BCM metrics constitute your BCM scorecard, the way you figure out where you are. To use another term, they form your dashboard. So, when considering your metrics please ask yourself the basic ten questions.” These ten questions, in practice, form a highly useful foundation for effective BCM practices; the ten-question BCM dashboard is detailed in Figure 9.

Continuous Improvement - The tenth clause focuses on improvement and highlights how all management systems need to be refined over time, not least because organizations and their environments are in constant flux. This clause defines actions to improve the BCMS over time and to ensure that corrective actions arising from audits, reviews and exercises are acted upon.



1. Do your metrics link directly back to your BCMS and its objectives?
2. Will the metrics drive improvement and progress?
3. Do your metrics follow the SMART principle?
   S = Specific: clear and focused to avoid misinterpretation. Should include measurement assumptions and definitions, and be easily interpreted.
   M = Measurable: can be quantified and compared to other data. It should allow for meaningful statistical analysis. Avoid “yes/no” measures except in limited cases.
   A = Attainable: achievable, reasonable, and credible under conditions expected.
   R = Realistic: fits into the organization’s constraints and is cost-effective.
   T = Timely: doable within the time frame given.
4. Does each metric include a clear statement of the expected results?
5. Does each metric focus on effectiveness and/or efficiency of the element being measured?
6. Does each metric allow for meaningful trend or statistical analysis and include milestones and/or indicators to provide qualitative feedback?
7. Are your metrics challenging, but at the same time attainable?
8. Have assumptions and definitions been specified for what constitutes satisfactory performance? Is it clear what ‘good’ or ‘bad’ compliance actually looks like?
9. Have those who are responsible for measuring performance been fully involved in the development of the metrics?
10. Do your metrics allow for clear reporting to their intended audience?

Figure 9: 10 Questions for defining a BCM dashboard25

Respecting Regulations

In addition to institutions and standards, various regulations exist which require firms to adopt BCM practices26. For example, the UK financial services regulator (FSA) provides guidance to firms suggesting that firms “should have in place appropriate arrangements, having regard to the nature, scale and complexity of its business, to ensure that it can continue to function and meet its regulatory obligations in the event of unforeseen interruption. These arrangements should be regularly updated and tested to ensure their effectiveness”27. Appendix C outlines the FCA guidance, which covers similar ground to ISO 22301. Furthermore, regulated financial services firms which outsource critical activities cannot outsource to their vendor the responsibility for ensuring the resilience of these activities. Thus, if the outsourcing vendor’s services and products are disrupted, their client, the financial services firm, may be sanctioned by the regulator28. Other regulations addressing health care29 and energy30 also stipulate BCM practices, while common law courts have ruled that "failure to prepare" as well as "failure to plan" are grounds for negligence31. Finally, all industries in the EU, for example, are subject to data protection laws which allow regulators to sanction firms if data is lost, stolen or cannot be accessed. The new EU General Data Protection Regulation (GDPR)32 increases the maximum fines that can be levied on firms to €20m or 4% of annual worldwide turnover, whichever is greater, far more than the previous maximum of £500,000.33

25 https://www.bsigroup.com/en-ZA/Our-services/Product-certification/
26 https://www.drii.org/whatisbcm.php

Conclusion

This paper establishes that the contemporary business environment is dynamic, complex, uncertain - and replete with risk. Those risks are complex and interconnected, and pose systemic threats that are frequently unobserved and, more often than not, under-analysed and seriously under-stated. In practice it has become highly difficult to predict which risks will appear, how they will combine, and their likely impact. It has also become very difficult to anticipate the level of reputational damage that can result from a hazard actually occurring, and from a firm’s manifestly inadequate preparation for and response to that potentially disastrous event.

27 https://www.handbook.fca.org.uk/handbook/SYSC/3/2.html#D61
28 Other US-focused regulators which stipulate that regulated firms should have BCM contingencies in place include the Federal Financial Institutions Examination Council (FFIEC), the Financial Industry Regulatory Authority (FINRA) and the Office of the Comptroller of the Currency (OCC).
29 Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Joint Commission on Accreditation of Healthcare Organizations (JCAHO)
30 North American Electric Reliability Corporation (NERC) and Federal Energy Regulatory Commission (FERC)
31 https://www.drii.org/whatisbcm.php
32 Even though this is an EU Regulation, the UK government has signalled that it shall be adopted in the UK regardless of Brexit
33 http://www.computerweekly.com/news/450401190/UK-firms-could-face-122bn-in-data-breach-fines-in2018


All this makes Business Continuity Management more difficult than ever before, but also much more necessary. It also means that Business Continuity Management, as an ethos, needs to be holistic and dynamic, and completely alive to a changing environment and circumstances, fluctuating risk profiles, and ever new risks and combinations of risks. At one level the problem is to develop a BCM strategic imperative. Organizational responses to BCM are various, ranging from denial, passivity and minimum compliance with regulations, through active pursuit of standards, to developing an anticipatory, customised, long-term strategic capability. At a second level the problem is the operational one of executing the strategy in enough detail, granular enough, to achieve business resilience in the face of environmental and internal risks and uncertainties. As we have shown, the institutions, standards, recommended practices and regulations available are actually designed to be supportive of a company’s BCM activities, and, in our view, form a very useful foundation for an organization’s BCM practices. But compliance with these will not lead to effective BCM practice unless such compliance is supported by real management understanding of the risks being incurred, the building and harnessing of BCM capabilities, and a BCM strategy developed specifically for the company’s unique business journey. In a separate KCP Executive Briefing, we enrich this view of business continuity management by illustrating problems, issues and ways forward from six case studies, and by pointing to a range of additional action principles emerging from the research we have conducted.


About The Authors

Dr Daniel Gozman BSc, MSc, PG Cert HE, MBCS, PhD is a Lecturer at Henley Business School at the University of Reading. Daniel holds a first class honours degree in Computer Science, an MSc with distinction in Information Systems and Management, and a PhD in information systems and innovation from the London School of Economics. He is a fellow of the Higher Education Academy (HEA), a member of the Association of Information Systems (AIS) and holds professional membership with the BCS Chartered Institute for IT. Since 2009, he has focused on understanding how Governance, Risk and Compliance (GRC) activities are underpinned by technology, with a specific focus on the intersection between regulatory change, information systems and operational resilience. Daniel is an academic advisor for Kemp Little Consulting, the management consulting arm of a technology-focused law firm, and is the ‘fintech’ practice lead for Bloor (an IT advisory and analyst firm). He is a member of the LSE’s Outsourcing Unit and a Research Fellow at UCL’s Centre for Blockchain Technologies. Recent work, sponsored by the SWIFT Institute, has focused on the role of Big Data in regulatory investigations. Other recent work, funded by the EU Horizon 2020 Financial and Institutional Reforms to build an Entrepreneurial Society (FIRES) in Europe project, focused on the factors influencing the development of equity-based crowdfunding platforms in London. Prior to academia, Daniel worked for a global management consultancy and a big four accounting firm. His consulting experience includes providing advice to a US financial services process and trading outsourcer on the impact of new regulations. He has worked to refine risk management practices within a top tier European investment bank. He has also consulted on securitization deals. More recently, he has worked to help a Cloud hosting provider market their services to fintech start-ups.

Dr. Leslie P. Willcocks has an international reputation for his work on global management, outsourcing, e-business, information management, IT evaluation, strategic IT and organizational change. He is Professor in Technology Work and Globalization at the Department of Management at the London School of Economics and Political Science. He also heads the LSE’s Outsourcing Unit research centre. He has been Editor-in-Chief of the Journal of Information Technology for the last 22 years. He is co-author of 53 books, including Nine Keys To World Class BPO (2015), Moving to The Cloud Corporation (2014), and The Rise of Legal Services Outsourcing (2014), and has published over 230 refereed papers in journals such as Harvard Business Review, Sloan Management Review, California Management Review, MIS Quarterly and MISQ Executive. He has delivered company executive programmes worldwide, is a regular keynote speaker at international practitioner and academic conferences, and has been retained as adviser and expert witness by major corporations and government institutions. Forthcoming books include Global Outsourcing Discourse: Exploring Modes of IT Governance (Palgrave, 2017). His research into the management of cloud business services appears as Cloud and The Future of Business: From Cost to Innovation (www.outsourcingunit.org). Email: l.p.willcocks@lse.ac.uk

Andrew Craig has been a visiting Senior Research Fellow at the London School of Economics and Political Science, UK, where he helped set up the Outsourcing Unit. He heads the IT leadership and governance stream of Rame Associates and is also a director of Board Coaching Ltd. He has coached executives, teams and boards in the Defence Procurement Agency, the UK Border Agency, the leisure industry, Balfour Beatty, HSBC and finance and fund management companies. He is co-author of The Outsourcing Enterprise: From Cost Management to Collaborative Innovation (Palgrave, 2011). In his professional British Army career, as Brigadier, he directed the recruiting operation - an annual requirement of 16,000 people - and was responsible for Human Resource planning for a workforce of 120,000. He commanded engineering operations worldwide, including the first Gulf War and Bosnia, and led the UK’s planned military response to nuclear, biological and chemical terrorism. He was awarded an OBE in 1992.


Appendix A: ISO Standards for BCM34

ISO 22300:2012, Societal security – Terminology
ISO 22320:2011, Societal security – Emergency management – Requirements for incident response
ISO/TR 22312:2011, Societal security – Technological capabilities
ISO/PAS 22399:2007, Societal security – Guideline for incident preparedness and operational continuity management

The following projects are under development:

ISO 22311, Societal security – Video-surveillance – Export interoperability
ISO 22313, Societal security – Business continuity management systems – Guidance
ISO 22315, Societal security – Mass evacuation
ISO 22322, Societal security – Emergency management – Public warning
ISO 22323, Organizational resilience management systems – Requirements with guidance for use
ISO 22325, Societal security – Guidelines for emergency capability assessment for organizations
ISO 22351, Societal security – Emergency management – Shared situation awareness
ISO 22397, Societal security – Public Private Partnership – Guidelines to set up partnership agreements
ISO 22398, Societal security – Guidelines for exercises and testing
ISO 22324, Societal security – Emergency management – Colour-coded alert

34 https://www.iso.org/news/2012/06/Ref1602.html



Appendix B: ISO27K Standards for Information Security35

ISO/IEC 27000:2016 (ISO 27000) Information technology – Security techniques – Information security management systems – Overview and vocabulary.
ISO/IEC 27001:2013 (ISO 27001) Information technology – Security techniques – Information security management systems – Requirements. The latest version of the ISO 27001 Standard.
ISO/IEC 27002:2013 (ISO 27002) Information technology – Security techniques – Code of practice for information security controls. The latest version of the code of practice for information security controls.
ISO/IEC 27003:2010 (ISO 27003) Information technology – Security techniques – Information security management system implementation guidance.
ISO/IEC 27004:2016 (ISO 27004) Information technology – Security techniques – Information security management – Monitoring, measurement, analysis and evaluation.
ISO/IEC 27005:2011 (ISO 27005) Information technology – Security techniques – Information security risk management.
ISO/IEC 27006:2015 (ISO 27006) Information technology – Security techniques – Requirements for bodies providing audit and certification of information security management systems.
ISO/IEC 27007:2011 (ISO 27007) Information technology – Security techniques – Guidelines for information security management systems auditing.
ISO/IEC TR 27008:2011 (ISO 27008) Information technology – Security techniques – Guidelines for auditors on information security controls.
ISO/IEC 27010:2015 (ISO 27010) Information technology – Security techniques – Information security management for inter-sector and inter-organizational communications.
ISO/IEC 27011:2008 (ISO 27011) Information technology – Security techniques – Information security management guidelines for telecommunications organizations based on ISO/IEC 27002.
ISO/IEC 27013:2015 (ISO 27013) Information technology – Security techniques – Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1.
ISO/IEC 27014:2013 (ISO 27014) Information technology – Security techniques – Governance of information security.
ISO/IEC TR 27016:2014 (ISO 27016) Information technology – Security techniques – Information security management – Organizational economics.
ISO/IEC 27017:2015 (ISO 27017) Information technology – Security techniques – Code of practice for information security controls based on ISO/IEC 27002 for cloud services.
ISO/IEC 27018:2014 (ISO 27018) Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors.

35 https://www.itgovernance.co.uk/iso27000-family#1



ISO/IEC TR 27019:2013 (ISO 27019) Information technology – Security techniques – Information security management guidelines based on ISO/IEC 27002 for process control systems specific to the energy utility industry.
ISO/IEC 27023:2015 (ISO 27023) Information technology – Security techniques – Mapping the revised editions of ISO/IEC 27001 and ISO/IEC 27002.
ISO/IEC 27031:2011 (ISO 27031) Information technology – Security techniques – Guidelines for information and communication technology readiness for business continuity.
ISO/IEC 27032:2012 (ISO 27032) Information technology – Security techniques – Guidelines for cybersecurity.
ISO/IEC 27033-1:2015 (ISO 27033-1) Information technology – Security techniques – Network security – Part 1: Overview and concepts.
ISO/IEC 27033-2:2012 (ISO 27033-2) Information technology – Security techniques – Network security – Part 2: Guidelines for the design and implementation of network security.
ISO/IEC 27033-3:2010 (ISO 27033-3) Information technology – Security techniques – Network security – Part 3: Reference networking scenarios – Threats, design techniques and control issues.
ISO/IEC 27033-4:2014 (ISO 27033-4) Information technology – Security techniques – Network security – Part 4: Securing communications between networks using security gateways.
ISO/IEC 27033-5:2013 (ISO 27033-5) Information technology – Security techniques – Network security – Part 5: Securing communications across networks using Virtual Private Networks (VPNs).
ISO/IEC 27034-1:2011 (ISO 27034-1) Information technology – Security techniques – Application security – Part 1: Overview and concepts.
ISO/IEC 27034-2:2015 (ISO 27034-2) Information technology – Security techniques – Application security – Part 2: Organization normative framework for application security.
ISO/IEC 27035:2011 (ISO 27035) Information technology – Security techniques – Information security incident management.
ISO/IEC 27036-1:2014 (ISO 27036-1) Information technology – Security techniques – Information security for supplier relationships – Part 1: Overview and concepts.
ISO/IEC 27036-2:2014 (ISO 27036-2) Information technology – Security techniques – Information security for supplier relationships – Part 2: Requirements.
ISO/IEC 27036-3:2013 (ISO 27036-3) Information technology – Security techniques – Information security for supplier relationships – Part 3: Guidelines for information and communication technology supply chain security.
ISO/IEC 27038:2014 (ISO 27038) Information technology – Security techniques – Specification for digital redaction.
ISO/IEC 27039:2015 (ISO 27039) Information technology – Security techniques – Selection, deployment and operations of intrusion detection systems (IDPS).
ISO/IEC 27040:2015 (ISO 27040) Information technology – Security techniques – Storage security.



ISO/IEC 27041:2015 (ISO 27041) Information technology – Security techniques – Guidance on assuring suitability and adequacy of incident investigative methods.
ISO/IEC 27042:2015 (ISO 27042) Information technology – Security techniques – Guidelines for the analysis and interpretation of digital evidence.
ISO/IEC 27043:2015 (ISO 27043) Information technology – Security techniques – Incident investigation principles and processes.
ISO 27799:2008 (ISO 27799) Health informatics – Information security management in health using ISO/IEC 27002.


Appendix C: FCA guidelines addressing BCM
