THE MAGAZINE OF THE BCI | Q1 2020
Using thought leadership to develop the BC/R profession
Social engineering - can a personality test help identify the weakest links?
How empathy strengthens an organization’s Resilience
ADAPT TO SURVIVE Future operability depends on an innovative strategy
Q1 2020 | ISSUE 9
REGULARS
Welcome
News: BCI World moves to Birmingham, Resilience Alliance launched, Scottish Continuity, Twitter CEO victim of data breach
Debate: Minimising disruption when rolling out a new function
Interaction: Opinion: Gianna Detoni, Panta Ray. Expert View: Nalin Wijetilleke, consultant
Tech Round-up: News from: Virsec, ProtectedIT, SAI Global, Fusion Risk Management, SolarWinds
RBCA App: A new BC/R app aims to support collaboration in the UK’s retail industry
Next Gen: Jan Kevin Rico, Philamlife
My Lightbulb Moment: Personal Resilience specialist and speaker Cécile Bastien Remy explains how to bounce forward
FEATURES
Survival of the fittest: To ensure future operability, top-level leadership teams must understand how the changing business landscape of the future will affect their organization
SPECIAL REPORT: Thought leadership: The BCI has a strategy that will empower its members and the discipline of Business Continuity and Resilience (BC/R)
Emotional intelligence: BC/R practitioners can win new believers across the business by trying a little tenderness when educating staff on best practice
Communicating the risks: Knowing who is most at risk of social engineering can help methodically defend against the threat of cyber attack
LEADERS’ MESSAGES
WELCOME
TIM JANES
History shows us the way
For BCI members who have been in the industry for more than a decade, the global march of the coronavirus outbreak should have provoked a strong sense of déjà vu. I can imagine more than a few dusty pandemic plans have been pulled down from top shelves. The first decade of this century was a particularly busy period for viral outbreaks, with avian, swine and equine origins. The insight of BC and resilience professionals who responded to those past events is proving invaluable in 2020.
One of the great strengths of our discipline is its adaptability. Lessons learnt from past disruptions are often eminently applicable to current, seemingly unconnected events. However, this transfer can only be effective if we had the foresight to capture the details at the time and the present wisdom to make use of this retained knowledge.
That’s not to say that nothing has changed over the years, so it’s essential that historic plans and strategies remain flexible to deal with our rapidly evolving civilisation. Massive growth in air travel and urbanisation have increased our vulnerability to the rapid spread of diseases across cities, countries and continents. An explosion in the use of global supply chains now acts to amplify the impact of an epidemic in China and disrupt economies around the world.
On the positive side, vast improvements in real-time communications and data accessibility mean that the world today is better equipped to deal with these problems when they arise. We are much better informed about the occurrence and spread of disease, and so better able to co-ordinate an effective response. As Business Continuity and Resilience professionals, whether we are old hands or novices, one of our core skills is the capability to take proven principles and practices and adapt them to whatever turmoil the world throws our way. Alongside that, adding some historical insight into the mix can always help.
Tim Janes Hon FBCI, Chairman, BCI
DAVID THORP
Does human expertise still hold value?
Last month I spoke at a conference in London on the future of professional bodies. This was to an audience of leaders from the professional body sector, and I was asked to highlight some of the challenges that will shape the futures of all professional bodies. The key challenge – if not threat – to my mind is the erosion of the concept of expertise.
There was a time when a professional body developed and curated the canon of knowledge for its particular discipline. Specialised knowledge is a fundamental part of every profession or occupation. Expertise is what we possess when we have mastered a set of skills, can demonstrate a range of professional competencies and have assimilated a body of knowledge into our practice. Professional bodies were once the gatekeepers of that knowledge. “Experts” are people who we turn to for advice when we need solutions for challenges or problems. But how long can we rely on this to be the case?
Whilst access to vast reservoirs of online knowledge has been largely beneficial, the downside is twofold as people think having knowledge alone makes them an expert, and machine learning has seen artificial intelligence threaten human expertise. The algorithms at the heart of machine learning are now able to carry out some tasks to a higher standard than humans. Artificial intelligence has moved on from the early days when it was designed simply to mimic human thinking; the second wave of artificial intelligence is based on the premise that machines that work in different ways to humans can often perform tasks better by resolving the uncertainties in a situation that lead to the exercise of judgement – what might in fact be termed the performance of expertise.
As professional bodies, and as professionals, we’re going to have to adapt to these evolutionary challenges and quite what that means is still uncertain.
David Thorp Executive Director, BCI
DEEDEE DOKE
Editor’s comment
If there is a theme to this first issue of Continuity & Resilience in 2020, it’s ‘breaking down barriers’ – and the BCI is at the forefront of pushing boundaries across the BC/R landscape. With distinguished partners Airmic, ASIS International and the IWFM, the BCI has signed a Memorandum of Understanding to create a Resilience Alliance. This will open doors to professionals across BC/R to better understand each other’s practices and modus operandi while picking up useful knowledge specific to each discipline. See p7 for our report on the Alliance’s launch.
On another front, the BCI is building its future strategy around thought leadership and its capability to identify its sources, commission, gather and disseminate the thinking that will take the profession and disciplines to the very highest level. Read about the strategy in our Special Report from p22.
Two other intriguing features explore psychological aspects of practising BC/R now and in the future. There’s also a challenge of sorts from the BSI: the ability of organizations to adapt to changing conditions appears to be falling. Join the discussion, and help reverse the trend. Here’s to a successful Q1!
DeeDee Doke Editor
Continuity & Resilience is the magazine of the BCI and is published four times a year.
THE BCI 10-11 Southview Park, Marsack Street, Caversham, Berkshire, RG4 5AF tel: +44 (0) 118 947 8215 bci@thebci.org | www.thebci.org
EDITOR DeeDee Doke deedee.doke@redactive.co.uk
ASSISTANT EDITOR Patrick Appleton patrick.appleton@redactive.co.uk
REPORTERS Colin Cottell colin.cottell@redactive.co.uk Graham Simons graham.simons@redactive.co.uk
CONTRIBUTING WRITERS Dean Gurden, Sue Weekes, Roisin Woolnough
SENIOR DESIGNERS Gary Hill, Sarah Auld
PRODUCTION EDITOR Vanessa Townsend
PICTURE EDITOR Claire Echavarry
PHOTOGRAPHY Akin Falope
SENIOR SALES EXECUTIVE Fred Dubery Tel: +44 (0) 20 7880 7661 fred.dubery@redactive.co.uk
PRODUCTION DIRECTOR Jane Easterman Tel: +44 (0) 20 7880 6248 jane.easterman@redactive.co.uk
PUBLISHING DIRECTOR Aaron Nicholls Tel: +44 (0) 20 7880 8547 aaron.nicholls@redactive.co.uk
PRINTER The Manson Group, St. Albans
PUBLISHED BY Redactive Publishing Ltd Level 5, 78 Chamber Street, London, E1 8BL Tel: +44 (0) 20 7880 6200 www.redactive.co.uk
© BCI 2020 The views expressed in C&R are not necessarily those of the BCI. All efforts have been taken to ensure the accuracy of the information published in C&R. However, the publisher accepts no responsibility for any inaccuracies or errors and omissions in the information produced in this publication. No information contained in this publication may be used or reproduced without the prior permission of the BCI. ISSN 2517-8148
GLOBAL NEWS UPDATE
VISIT THE WEBSITE FOR MORE NEWS: WWW.THEBCI.ORG
EVENTS
A whole new World for BCI
By Roisin Woolnough
“BCI is looking at examining more closely what it means to have a career in Resilience in the next 10, 20 years”
The BCI is moving its annual conference and exhibition BCI World to Birmingham in 2020 in order to increase capacity and run a more diverse programme of events and speakers. “The array of resources that will be available will be in excess of anything that we have done in the past,” said David Thorp, Executive Director at the BCI. “We are moving it from something that is predominantly a conference to something that is an event.”
Birmingham’s ICC (International Convention Centre) will host the event, which will be held over two days, on 5 and 6 November (Thursday and Friday). Ruth Elmore, Events Manager at the BCI, said the conference had outgrown the Novotel London West Hotel venue in London, both in terms of space and scope. Moving the conference enables the BCI “to work on the programme we would like to have rather than the programme that we can fit in,” she says.
As a result, the 2020 event will encompass a broader range of topics and sessions, covering areas such as Resilience and risk. Elmore says it is vital that the conference and exhibition reflect what is happening in the sector as a whole: an increasing shift towards greater collaboration and crossover between different disciplines. This shift is reflected by the theme of the 2020 conference and exhibition: Stronger Together. “Just talking about Business Continuity issues will not be enough for professionals in the future,” she says. “Doing this allows the BCI to reposition itself at the forefront of thinking and push conversations forward.”
The exhibition space will also be larger and will feature a broader range of vendors. Elmore says the exhibition event will be a better experience for delegates, with more on offer and better networking opportunities. Moving the event to the ICC means that the BCI can extend the number of main conference streams to six or seven. This year there will be smaller group sessions and breakfast briefings, bite-sized sessions of between 15-30 minutes, covering specialist topics.
The BCI also plans to provide access to external expertise and information. It is building on its Careers Corner, which it has run at past conferences. There will be sessions on topics such as leadership, personal resilience, storytelling and emotional awareness, hosted by a mix of BCI members and external practitioners. “This year we are looking at examining more closely what it means to have a career in Resilience in the next 5/10/20 years,” says Elmore. “We are bringing in concepts that aren’t currently a traditional part of business continuity practice, but will provide useful insights in dealing with people.” This increased focus on careers supports the BCI’s new competence framework.
To find out more and register for the event, visit thebci.org/bciworld2020
PARTNERSHIPS
BCI launches Resilience Alliance
By DeeDee Doke
“BCI goes into this Alliance with the intention of providing a benefit to our members”
The BCI has joined with three other organizations to launch a new Resilience Alliance aimed at sharing knowledge and experience across professional disciplines that are active in specific Resilience strands. Partnering with the BCI on the noncommercial understanding are Airmic (the Association of Insurance and Risk Managers in Industry and Commerce), ASIS International, and the Institute for Workplace and Facilities Management (IWFM). The Memorandum of Understanding (MoU) creating the Alliance was signed on 10 March.
David Thorp, BCI Executive Director, said, “We go into this Alliance with the intention of providing a benefit for our members. For all the parties, it is based on providing more information to our members – in those areas not covered by each of us.” He gave an example of a BCI member wanting to learn more about risk or to attend an event about security, as an opportunity to display cross-industry collaborative value for each organization’s members. Thorp went on to say, “Our mission as an organization is to create a resilient world; we believe this Alliance will take us a few steps along the path to achieving this.”
Leaders at the partnering organizations were equally enthused about the opportunities ahead for the Alliance, from disseminating information across a wider network to conducting joint research projects and sharing different tools and approaches. “This is a great opportunity to share solutions for the challenging world out there,” said Sofie Hooper, IWFM’s Head of Policy. “Today’s working environment is a big exercise in Resilience.”
ASIS International is focused on the enterprise security risk management of “people, property and community”. CEO Peter O’Neil said he looked forward to “getting our four organizations at a figurative table” to have a better understanding of “where our strengths and weaknesses are”. Speaking on behalf of Airmic, Julia Graham, its Deputy CEO and Technical Director, said building the Alliance would help the four organizations “leave behind any silo mentality” in what she called “this complex and connected world” and “see through the lens of integration and collaboration” to recognise common ground and shared purpose.
There is an existing Resilience Alliance, but Thorp assured C&R the new collective will not be in competition with that group, which functions as an academic body.
ASIS International has 34,000 members around the world, including 27,000 in North America
NEWS
RESILIENCE
From pandemics to parliaments at Resilient Scotland
By DeeDee Doke
“Medical masks are a waste of time – coronavirus can be ingested through the skin and eyes”
Covering issues as wide-ranging as the loss of privacy to BC/R skills development, the annual Resilient Scotland conference in February delivered a day of focused knowledge-sharing to a full house. Here are a few highlights:
Opening the day was a response to global headlines around the coronavirus, which at the time of the event, had been detected only in China. David Hutcheson, Director at Glen Abbot, warned that the furore over securing supplies of masks to protect against the virus was useless. “Realistically, they’re almost a waste of time,” Hutcheson said, reiterating his contention as C&R was going to press. “They’re not very effective as you ingest the virus through your skin and eye. They’re only effective for four hours or so, so you need two or three for a working day.”
Hutcheson recommended against creating a plan dealing only with the coronavirus crisis at hand. Instead, he suggested, BC/R managers should consider what they would do in the event of a supply chain interruption “which could be caused by strikes, bad weather, bankruptcy within the supplier – rather than try and build this massive individual plan that focuses only on coronavirus, which might come to nothing. Don’t get too caught up in just the one cause.” However, he acknowledged that it will get organizations “to look at policies like home working and how feasible that actually is. We’re working with somebody who said quite confidently they could shut the office and everybody could work from home, but they then found out they don’t have enough bandwidth to cope with hundreds of people dialling in from home.”
Terror incidents occurring in the vicinity of the UK’s Houses of Parliament and aimed at individual members of Parliament have led to changes in the institution’s defence and protection measures, according to Simon Hankins, UK Parliament Security’s Head of Security Operations. Hankins outlined challenges faced in securing the heart of UK government: multiple sites that are surrounded by other high-profile buildings, its Thames River aspect, and popularity with tourists as a UNESCO World Heritage Site, to name a few. We have to be imaginative in how we deal with security, Hankins told the audience.
On 22 March 2017, the reality of the war on terror came home to Parliament when lone terrorist Khalid Masood murdered PC Keith Palmer and four passers-by and injured 50 other people on Westminster Bridge and at Parliament’s gates. On the day, Parliament was a hive of activity including the Prime Minister’s Questions, educational visits, a state occasion and ceremonies rehearsal, contractor work on restoration projects, tours, dining events and weddings. “It was a really risky situation in Parliament that day,” Hankins said.
Since then, a number of improvements have been made to Parliament’s security operations. They include: Adoption of a new fast-track communications protocol, pre-agreed media lines to ensure “a single version of the truth” and a way of cascading information. “All communications were siloed at that time,” Hankins said. A fast-line way of identifying staff who witness incidents and increased attention to staff health and wellbeing.
Hankins said the murder of Labour MP Jo Cox in June 2016 also has led to “a huge sea change in how we manage MP security”, but did not elaborate further. Police and Security Services have foiled 22 terror plots since the Westminster attack in 2017. Seven related to suspected far-right terror activity which, Hankins said, currently seems to be “the direction of travel”.
GROWING THE NETWORK
The numbers are adding up for Scottish Continuity. At 25 years old, the networking organization has a membership of 300-plus and its sold-out annual conference drew 200-plus attendees at Edinburgh’s Our Dynamic Earth in February. Tommy Lynch, Scottish Continuity Treasurer and Business Continuity Manager for The Scottish Parliament, said the group’s growth plans are focused on increasing the number and type of events it holds and “not massive expansion” in either geography or members. “What other kind of learnings could we offer during the year?” he opined by way of example, adding that “We want to do more topic-specific events” on BC/R subjects ranging from pandemics to weather and “share stories that people can learn from.” Scottish Continuity is also working with Skills Development Scotland and Glasgow Caledonian University to promote BC/R careers and create a network within its membership and beyond.
IN BRIEF
Data breach at celeb hotel
Names, addresses and contact details of 10m MGM Resorts International customers were leaked online, it has emerged. The 2019 data breach allowed unauthorised access to a cloud server containing information for previous guests, including Twitter CEO Jack Dorsey. The hotel chain said no financial, payment card or password data was stolen as a result.
DIVERSITY
‘Listen and learn’ to build BC as an industry
By Graham Simons
The Business Continuity sector needs to listen to the voice of early years professionals in order to better build a BC industry fit for the future. Speaking at the BCI Women in Resilience committee’s first event of 2020 in the City of London, committee Vice Chair Kate Needham-Bennett told the audience that while people can come to the sector late on in their career, listening to young professionals in BC is important. “If we can get an idea of how our industry looks, how we can make it more diverse, how we can make it more interesting then hopefully this will be a different industry in 10, 15 years’ time.”
Opening speaker Eugina Pierre, BC Consultant at Daisy Group, revealed that often when she goes to external meetings people can walk past her several times before realising that she is the person they are due to meet. Pierre also said that rather than conform to the traditional view of staying in a job for five to 10 years, she prefers to strategically move jobs every two to three years so as to expose herself to a range of industries and practices.
Meanwhile Elodie Huet, Cyber Security Governance Risk and Compliance Analyst at Arup, challenged the audience to just go for it. “Don’t be afraid, get out of your comfort zone… this is so important,” she said. “Be curious about anything and everything and don’t be afraid of big change because it is an amazing thing that comes to you.”
DEBATE
THE BIG QUESTION
How can organizations minimise disruption when rolling out a new business function?
DR CHARLES MOTAU, SOUTH AFRICA
Build in Resilience and communicate clearly
Organizations should manage risks by creating Resilience and proactively plan for unforeseen incidents. Introduction of a new function is strategic in nature and normally emanates from a turnaround strategy that tends to create fear and uncertainty in an organization. The following should be considered to deal with potential threats associated with the introduction of a new function:
A BIA should be performed to ensure that the new function does not negatively affect the business operations or at least the impact of disruption is minimised and properly managed. Analysis should centre on value chains, new operating models, costs, skills and approaches to enable the new function.
Following that, change management should manage the transition and communicate new intentions on timespan, the function’s strategic fit and why it will benefit the organization. This is to ensure that change does not negatively affect staff morale or productivity and that the business continues to run without any hindrance or labour challenges.
Next, focus on technology capacity and performance management. The ICT function should determine the new capacity requirements, such as bandwidth, server space etc. It will ensure that technology resources meet the new added function in a cost-effective manner.
When all that is done, an organization would be best served to look at the induction of new employees so they understand business processes and systems. Not only does this help recruits get a feel for the vision, mission, values, culture and expected behaviours at the organization, but it also minimises disruption and ensures new employees know exactly what is expected just as well – and perhaps better – than those already settled in the organization.
Dr Charles Motau (AMBCI), Managing Director, Motau Consulting
THILAK DHARMANANDA, SRI LANKA
Empower the BC champion
It is vital to involve a Business Continuity champion from the inception of the new function to expedite risk assessment, risk mitigation and conduct a BIA. In addition, this BC champion should perform the following with the support of those invested in the relevant processes: Assess new risk introduced by the innovation; analyze the business impact; modify existing risk profiles and alteration of existing business impact emanating from the new function. The BC champion should also make sure the deployment process includes tested rollback procedures & documented recovery actions.
Other important issues include reviewing and updating the current design of continuity solutions while referring back to the assessment of new risks and BIA. Accordingly, update the BC plan to include the new function and perform a BCP drill to ensure everything is running smoothly or to prepare for problems that may arise. Revise the BC documents if required, and communicate these in a simplified, yet thorough manner to all employees.
Generally, the second part of the process can take a considerable amount of time, which may not be a pragmatic approach for different reasons. Therefore, the consideration of an automated IT system could prove instrumental for an efficient risk assessment and BIA.
Thilak Dharmananda, Managing Director, ES2 Solutions
ALTA TERBLANCHE, AUSTRALIA
Prepare for the worst, achieve the best
When implementing a new function in an organization, there are always risks associated with the execution. It is of importance that all contingencies are catered for during the implementation and that is why the incident management plan (IMP) is the most important BC process to be done. The IMP will be defined by undertaking two other BC processes, namely a product business impact analysis (BIA) of the new function and the associated BC plan (BCP). This BIA would assess the impact that the new function would have on the other business functions and define the associated risks identified to those.
People are one of the most important resources in BC. Staff involved in the implementation of the new function should also receive IMP training, and an awareness program should be communicated to the rest of the organization. In preparation of the rollout of the new function, IMP and BCP rehearsals/exercises should be undertaken to validate any assumptions that were made. The results should be analysed and improvements made to each plan.
All the previous processes assume that the organization has an active BCP with the necessary processes and procedures in the other business functions.
Alta Terblanche, Director, Caridon Business Solutions
INTERACTION
OPINION
GIANNA DETONI
Is the workplace friendly to women?
“Culturally, a lack of diversity should be felt as a shame on the business”
In a global career spanning four decades, there is little I haven’t seen or heard in American, British and Italian work environments. An international remit meant I experienced many other cultures as well, and with this in mind, I offer my perspective on the evolution of the workplace from the past to the present and beyond. Together we can increase the speed of change.
In times gone by
If anyone thinks workplaces are unfriendly to women now, they would be shocked by the past. Workplaces were challenging and uncomfortable until women rebelled and changed the status quo, becoming more aware of unfair conditions and demanding equal opportunities. There were men who resisted for a long time, refusing to recognise their faults and, offended by any type of diversity awareness, they moaned and complained about the change making things worse. Sadly, rules are needed for those who confuse being funny with being inappropriate.
Where we are today
Even if we have laws on diversity protection, the workplace is not balanced yet. Women struggle to attain powerful positions. It will take centuries to change, as while the behaviours have improved, decision-making is still very much in the hands of men. It frustrates me greatly when, pointing out the lack of women at board meetings or conferences, I am told: “We believe in merit.” This ridiculous, insulting point of view implies it is difficult to find women deserving of a position on that board or speaking at that conference. Although society has ensured that women can work hard and attain great careers, it often requires fitting their other gendered roles around their job. These tools ‘facilitating’ a woman’s life are against what most of us wish to be. Part-time, smart-working, childcare facilities at the workplace should be aimed at men and women.
In the future
My wish for tomorrow is that we can achieve a workplace that is attractive for everyone. I hope businesses begin to realise the importance of gender equality, as studies show profits increase when the business meets the needs of the entire population (not just half of it). I also hope that in future, people will refuse to work with organizations if they do not show proof of gender balance, and that they will boycott conferences which fail to feature women as speakers. Culturally, a lack of diversity should be felt as a shame. I will always be grateful to those who rebelled and made women aware of our potential. Let us achieve the dream for a happy professional and personal life in the next few years. It is never too soon.
Gianna Detoni, Chair, BCI Women in Resilience and Founder, Panta Ray
THIS QUARTER’S BEST QUOTES
TWITTER @THEBCEYE
“There is talk about the golden hour [response time to enact BC plan], but the BCI notices it is now the golden five minutes for a third of organizations. Some activate plans instantly in 0 minutes”
BCI’s Head of Thought Leadership Rachael Elliott discussing insights from the 2020 Emergency Comms report at the launch event in London
“At Dentsu, our employees are all over the world and that involves different cultures. So I don’t know how the French do it, or what the Mexicans think, but I have to learn and adapt. Effective Business Continuity depends on the company, we are not all the same”
Abigail Abimbola, BC Analyst at Dentsu Aegis Network addressing the importance of adaptability at Women in Resilience’s first meeting of 2020
“Panic spreads much faster than any pandemic. [Communication with staff] has got to demonstrate empathy: this is the information, this is what’s happening and this is how it will affect you”
Sandra Bell, Head of Resilience Consulting EMEA at Sungard AS, speaking in the Financial Times on the coronavirus outbreak
INTERACTION
EXPERT VIEW NALIN WIJETILLEKE
Ignore the blind spots at your peril
The randomness of destructive threats is much higher today than a decade ago. Furthermore, there is also a certain degree of denial that such disruptions could happen any time soon. Leaders’ closed mindsets could put their businesses in danger, which is called ‘blind spot syndrome’ and can have a significant effect on business operations. Here are eight practical steps to avoid such pitfalls in future:

Relying on a trouble-free past
It is human nature to think that tomorrow is an extension of today. If today is good, why not tomorrow? Many business leaders can be blindsided by risks ranging from political to natural disasters when they refuse to accept the evolving threat landscape and fail to prepare for unforeseen events.

Lack of governance and a structured framework
The continuity of business and incident response readiness is too often at the bottom of the leadership priority list. Often, the person who is assigned to Business Continuity (BC) has had no training in the discipline, but implementing BC is hugely different to adopting an accounting or IT system. It is a people-centric discipline that must be developed according to the nature of the organization and its maturity. Without collaboration in building the BCM system and practices, the ability to cope with and recover from a disaster will be difficult.

Key processes are misunderstood
Organizations must prioritise processes in terms of their importance to the delivery of key products and services, and protect them. A Business Impact Analysis (BIA) can help prioritise business activities for recovery. It also helps establish the interdependencies, the level of outsourcing, and how the service-level agreements should be calibrated. Without this information, it is a guessing game. Operating in the dark, the repercussions are severe and may cause irreversible damage.

Threats and risks are not properly assessed
All threats, especially those associated with the prioritised business functions, have to be understood and addressed. The risk information must be effectively transformed into action by applying appropriate control measures.

BC plans are rarely validated
As the Boy Scout motto says, ‘Be prepared’. Similarly, in BCM, being prepared is the key. Here again, the common main reason is that day-to-day operations are more important. The BC plans and arrangements are often allowed to stagnate, becoming unfit for purpose. Those organizations that systematically schedule exercising and testing can soon find out their BCM weaknesses. They will better align the arrangements for effective and efficient incident response and recovery. It also provides critical hands-on exposure and training for those responsible for BC. Repeated exercising and testing is the key. As Greek philosopher Aristotle said: ‘We are what we repeatedly do. Excellence is not an act, but a habit’.

Lack of clarity in BC roles and responsibilities
Lack of role clarity in the implementation and management of BCM is common. Also, staff are often overburdened with conflicting roles, resulting in the loss of overall effectiveness. In medium-to-large-sized organizations, the use of ‘RACI charts’ (Responsible, Accountable, Consulted & Informed) is recommended. Here, the roles are mapped to responsibilities, tasks or deliverables, as implementation and BC involve cross-functional personnel. Lack of clarity can lead to confusion, communication gaps, loss of critical staff and more.

Inadequate training of staff
The competency and capability of those directly and indirectly involved with all aspects of Business Continuity is vital. A single untrained staff member will be the weakest link in the chain and when it is necessary to respond to an incident or fix a critical business process, the organization’s expectations will never be achieved. Budget constraints and operational priorities, etc are often justifications for not training staff, but failing to do so may prove more costly.

Include critical suppliers and partners in the BC plan
Too often, BC plans and arrangements are only inwardly focused, and vendors and suppliers are not incorporated into planning. However, disruption or outage of any outsourced services will have a chain reaction and could affect the mission-critical business processes. The damage could be both financial and reputational. Therefore, service-level agreements must be carefully calibrated to ensure uninterrupted supply of services and to prevent the organization from suffering issues at the service provider or supplier end. Having a summary of vendor details and service delivery timelines in the BC plan is vital.

Nalin Wijetilleke AFBCI is a Business Continuity and information security professional based in New Zealand
TECHNOLOGY

Helping organizations to put ethics and trust front and centre
SAI Global’s latest release of its risk platform, SAI360, supports organizations in placing trust and ethics firmly at the centre of corporate culture, which in turn helps to ensure the right behaviours are in place to ensure adherence to compliance and risk-related matters. A suite of capabilities are designed to help organizations manage and assess operational and strategic risk and compliance obligations and minimise the overhead costs. These include the ability to integrate ethics and learning content with automated workflows for creating and investigating issues of potential non-compliance. It also helps to reinforce a culture of ethics and compliance with 75 new learning experiences focused on areas such as data privacy, sexual harassment, global trade compliance, values-based code of conduct, and more.
www.saiglobal.com

Advanced cyber security collaboration
Virsec and ProtectedIT are partnering to deliver advanced cyber security protection for businesses across the US. The Virsec Security Platform stops fileless attacks and in-memory threats that escape detection by conventional security tools while ProtectedIT provides a full range of IT security services and solutions. The two companies will collaborate on next-generation security and risk management solutions to combat the rise in cyber attacks, including those that target application memory during runtime. Organizations have experienced an exponential rise in these types of attacks, said Virsec.
www.virsec.com
www.protectedit.net

TECH ROUND-UP
Best new tech this month

An integrated approach to digital risk
RSA Archer SaaS is launching a full suite of integrated risk management solutions to help organizations better manage “digital risk”. As organizations progress along their digital transformation journeys, previously analogue or manual processes or operations will find themselves prone to cyber security or IT risks for the first time, which threatens business continuity. The expanded use of big data from all functions across organizations also brings risks in areas such as data privacy and compliance. The cloud-based RSA Archer Suite aims to offer organizations the speed and agility of an integrated approach combined with the flexibility and scalability to support digital transformation and strategic growth.
rsa.com

SolarWinds extends back-up for Office 365 Data
IT management software firm, SolarWinds, is launching Backup for Office 365 which extends its data protection services for Office 365 data. It will back up and help restore Exchange, OneDrive and SharePoint data managed from the same web dashboard that is used to protect servers, workstations and critical business documents, reducing administrative processes and time. SolarWinds says that potential gaps can exist within organizations around the recoverability, accidental deletion or overwritten data that only an effective back-up product can address. It wants to help organizations regain control over their data back-ups.
www.solarwindsmsp.com

Fusion connects to Everbridge alerts
Fusion Risk Management has launched a connector that enables users to integrate its risk management, business Resilience and crisis management SaaS solution with Everbridge’s Risk Intelligence Monitoring Centre (RIMC). It means Fusion Framework System users can view Everbridge RIMC alerts in their incident maps to establish situational awareness across all assets, resources and third parties located in defined regions. It also enables them to quickly evaluate critical business processes throughout the organization impacted by disruptive events and initiate incident response activities based on contingency plans maintained in the system. They can also generate real-time and after-action reporting to fully evaluate response time and effectiveness, business impacts and recovery processes.
www.fusionrm.com
DIGITALIZATION
Collaborating across varied sectors, Business Continuity and Resilience professionals have developed an app to promote best practice on a wide range of challenges
A DIGITAL SOLUTION FOR A DIGITAL AGE
BY COLIN COTTELL
A new app developed by members of the UK’s Retail Business Continuity Association (RBCA) demonstrates the value of industry professionals collaborating for the greater good of their organizations and the public, while working alongside the BCI in partnership, according to the member who put forward the concept. Designed as a digital one-stop-shop to support industry professionals, the RBCA Resilience Best Practice App, which went live earlier this year, was developed during the latter half of 2019 by members of the RBCA from three leading retailers; Marks & Spencer (M&S), ASOS, and John Lewis & Partners, working alongside a BCI representative, Catherine Thomas. Among the app’s many features are a reference point for industry best practice and up-to-date information, a contact list, and instant messaging (see box for a full list of features).

FEATURES OF THE RBCA APP
An instantly accessible list and a reference point for industry best practice broken down into user-friendly, bite-sized pieces. One example is the UK government’s 175-page long Crowded Places Guidance, which has been split up into 11 more manageable sections. “People don’t have to sift through maybe 200 pages to find one bit of information,” says Elizabeth Britton-Jones.
An up-to-date contact and immediately accessible list of BC professionals working with RBCA members.
Instant messaging amongst RBCA members, facilitating co-operation and coordination when there is an incident.
Other guidance built into the app includes invacuation, lockdown procedures and how to deal with suspect packages – all broken down into manageable snippets.
It is designed to work in a variety of formats, including video and text, as well as having the functionality to support PDFs.
Secure and confidential.
Can be updated in real-time, and also works offline.

According to John Frost, MBCI, RBCA Chair and Head of Business Continuity Retail Services at M & S, who proposed the original concept, the app is “a digital solution to a digital age” that reflects how information is accessed and obtained today. However, according to Frost, with the team putting together the content coming from four different organizations, supported by a further 21 organizations, and 50-plus members who will be adding and contributing to content going forward, the app demonstrates the vital importance of collaboration within the industry. “The value of collaboration on this scale is not something I have witnessed before,” he says. “The app promotes the Resilience message on a number of fronts. It is an innovative digital way of collaborating, encouraging Resilience practitioners from across an entire sector to share their subject matter expertise within a safe and secure environment with their peers regardless of working for different organizations, and allows everyone to contribute to the content regardless of experience.” From its beginnings at an RBCA meeting in 2019 at which Frost floated the idea, Katherine Bosworth, CBCI, Business Continuity Manager at M&S and member of the app working party, says there was a recognition it would only work for the RBCA’s members if there was a collaborative approach. “If we ended up developing the app in silos, it wouldn’t be an industry app, it would just be a company app. So
working collaboratively means that we are able to make it almost universal, that if any UK retailer joins the RBCA they will find it beneficial” she says. Alice Lundgren, Business Assurance Manager at ASOS describes the group’s modus operandi: “We all got together with a blank canvas, and we came up with the headings that would be important to everyone. Obviously, all retailers have their own individual ways of doing things and their own terminology, so it was just trying to find content that was going to be helpful for everybody,” she says. This approach has carried on throughout, says Bosworth, with members of the group reluctant to take credit for individual contributions. “I’d say we all have an equal, collaborative approach,” she says. Coming from different organizations meant the group benefitted from “different viewpoints and ideas”, adds Lauren Ouzman, AMBCI, Resilience Manager at John Lewis. Elizabeth Britton-Jones, CBCI, Business Continuity Manager at M&S, says, “I’m drawn from Marks and Spencer so having both Alice and Lauren come into the fold and suggest different ideas allowed us to think a bit differently.” Presenting the app to the wider RBCA group at one of the quarterly meetings was also useful, adds Britton-Jones, with one suggestion being to include slides from presentations given by speakers on the app. “I think the scope of it has grown purely from this engagement that we have both among ourselves as a group and then with the RBCA.” A key benefit of collaboration is that ideas and suggestions go through a process of evaluation and tweaking by others in the group, adds Lundgren. Looking ahead, collaboration will continue to be at the heart of the app’s further development, and it is envisaged that there will be greater scope to allow all of the RBCA’s 50-plus member organizations to contribute content. 
For example, Britton-Jones suggests that in the Incident Guidance section of the app, specific content for the aviation sector – easyJet is a member of the RBCA – could be added. “The world is our oyster, and we can keep developing it,” says Britton-Jones. However, Frost says the benefits of the app go well beyond functionality. “It is energising our more experienced members whilst at the same time inspiring those new to the industry. The concept of ‘winning together’ is very powerful as together we are stronger and can keep moving the industry forward in partnership with the BCI,” says Frost.
Additional information: The RBCA is a group of leading retailers. With more than 50 member businesses across 25 organizations, it meets quarterly to collaborate on all things Resilience. RBCA’s motto is ‘Plan, Prepare and Share’. The BCI is represented on the RBCA app working party by Research and Insight Manager Catherine Thomas.
ADAPTIVE RESILIENCE
SURVIVAL OF THE FITTEST
BY DEAN GURDEN
Making an organization’s leadership understand how to proactively address the changing business landscape is crucial to future operability
Often, wrongly, attributed to Charles Darwin is the quote: “It is not the strongest of the species that survives, nor the most intelligent, but the one most responsive to change.” Sidestepping the doubts over its origin for a moment, this thought perfectly sums up the plight of today’s organizations and businesses – that failing to adapt to the rapid technological and social change of the 21st century sets an organization on a path towards disaster. This makes it all the more alarming that the BSI’s latest annual Organizational Resilience Index shows that the ability of organizations to adapt to change has fallen for the first time ever. So why has this happened? Is it simply a product of our turbulent political and economic times, or are organizations giving far too much attention to external pressures and compromising on internal innovation? For Tim Wren, the BSI’s Regional Director, Americas, and Lead for the Organizational
Resilience Index, change is simply happening more quickly than it has in the past. “The stability in our systems, processes and markets is not there anymore,” he says. “There are so many more disruptors out there, whether it’s new technology or even new companies. What we considered a solid, normal company 20 years ago might not even exist today.” BSI CEO Howard Kerr uses electric vehicles as an example of this disruption. Five years ago, electric vehicles made up a fraction of global car sales; today it’s 3%. Half of all sales in Norway, for example, are now electric. “This shift in the market has required significant strategic adaptation on the part of automotive manufacturers and highway authorities,” says Kerr. “Such adaptation is tough,” he adds, “and while our Organizational Resilience Index has shown considerable volatility in the past, what is new, and worrying, is that for the first time we have seen a weakening of organizations’ ability to adapt to this change,” says Kerr. Laura Trendall-Morrison, Founder of the GameChanger Consultancy and a strategy, leadership and management expert, agrees the rules
of the game are changing profoundly and businesses are struggling to adapt strategically. “Increasingly, I think corporations recognise they need to be doing their absolute maximum if they are going to survive in the future, rather than simply looking to adhere to regulatory compliance, especially as they come under increasing scrutiny from the general population,” she says. “That means they are in a period of reflection and examination from within to get ready for this next decade.” Trendall-Morrison suggests one of the biggest challenges for some organizations, and what may account for the drop in confidence, is the capacity for brand management. “All it takes is one lapse in the supply chain, or one failure of governance and security, for a corporation to become a global headline within minutes, not hours.” Is this drop in the ability to adapt the same for both organizations large and small? According to Ian O’Donnell, Regulation Policy Chair of the UK’s Federation of Small Businesses, small firms in particular have experienced a growing burden of cost and time, especially in dealing with administration related to employment. “Over the last few years, for example, pensions have moved to being the employer’s responsibility,” he says. “On top of that, those in the low-wage economy are dealing with a rising minimum wage, and then there is the IR35 registration legislation coming into force. Basically, the administrative and physical cost involved in employment has increased, so businesses are often involved in addressing this rather than looking at their organization more strategically.” As O’Donnell points out, businesses that are just firefighting day-to-day lack the resources to delegate to other activities. For example, over the last 12 months, the UK had four dates when it was supposed to be leaving the EU. 
Each time, any business involved in retail or exporting and importing has had to invest money and time in planning for that immediate date, with no certainty over what the outcome would be following it. “So much resource has been wasted in preparing for those dates,” says O’Donnell. “And any increase in administrative burden will inevitably lead to a
decline in a business’s ability to adapt and work on future planning and growth.” Mike Hampson, CEO of London-based Bishopsgate Financial Consulting, agrees that uncertainty around Brexit has seen both large and small businesses in the UK just sit on their hands. “If companies didn’t have to make a decision, they didn’t,” he says. “But I think this reflects on the leadership in many of these organizations. They don’t have delivery and change project management key skills, and don’t understand what it takes to create, adapt and execute a vision.” It’s a point echoed by Canada-based Victoria Morgan, leadership expert and Founder of Impact Strategic. Even developing an implementation plan can be difficult to accomplish, she says. “It’s easy for leaders to acknowledge the need to be adaptable, but it requires more than just acknowledging that things need to be done differently. No one likes change and not every team member will get on board, which is something leaders must understand. But having a clear implementation plan can only help.

TOP TIPS FOR RESPONDING AND ADAPTING TO EVENTS:
Get involved in partnerships and industry initiatives to collaborate with others.
Make change a board-level responsibility, focusing on strategic plans, not just short-term or reactive changes.
Establish strategies for tackling operational Resilience and addressing climate change.
Earmark budget and resources for upgrading technology and legacy systems, as these increasingly inhibit effective change.
Ensure your vision is communicated to the broader organization.
Review the possible skills gap and workforce flexibility – train wherever necessary or identify a partner who could do this for you.
Push for diversity in the workplace.
Recognise that change is stressful and invest in employee wellbeing and mental health.
Source: Change Perspective 2020, Bishopsgate Financial

Hampson sees larger organizations as the biggest culprits when it comes to lacking this clear plan. “We see this particularly in larger organizations where they are more focused on short-term results. They are not really looking at what the big growth vision is and how they are going to execute and communicate it to their organization. They seem stuck in the day-to-day running of their business and working out how to cut costs.” The smaller and nimbler new entrants, however, are focused on a particular market, client sector or product and they are innovating in that space, says Hampson. “They are more focused and have a vision of what they are trying to achieve in possibly disrupting a market. The larger organizations tend to want to be in all sectors with all clients and they don’t have a vision that ties it all together.” Large or small, organizations generally are finding themselves in flux right now, says Rachael Elliott, Head of Thought Leadership at the BCI. She sees a push to improve internal communication channels to manage this change. “From a Business Continuity perspective, we’re seeing Chief Resilience Officer roles being created to oversee all the different strands and silos that feed into
Resilience, and they oversee everything.” Elliott doesn’t necessarily think silos are a bad thing, as not everybody has to know everything that’s going on, but she’d like to see more organizations pushing towards glass silos, where departments can see part of what’s happening elsewhere and get the information they need. “Unfortunately, there’s a lot of work to be done to achieve this,” she says. The BCI also produces its own annual ‘Horizon Scan’ report. It shows that last year, 91% of organizations had some means of internal risk and threat assessment, but this has dropped to 86% this year. Also, 71% operated risk registers in 2019, but this has dipped to 62.5%. The ability to horizon scan appears to have dropped from 70% to 58.2% as well. In looking at how organizations are trying to predict the future so they can adapt to it, the BCI’s report shows that many simply don’t do it. “This is despite the fact that there are a lot of resources available to aid them in doing this,” says Elliott. “We try to get them using the BSI’s Index and tools like our Horizon Scan, because it gives a better idea of what’s happening beyond the four walls of their organizations and what others are facing.” Unfortunately, last year’s BCI report showed that four out of five BC professionals didn’t have enough resource in their departments. “If they could get more buy-in from the board to get more money to get more people, we could see this improving,” says Elliott. “But with all the economic uncertainty, it’s just not the focus of corporate cash at the moment.” Governments have a role to play here, believes Sean Abbott, Australia and New Zealand Country Manager at IT Resilience supplier Zerto. “They can provide funding and resources for organizations to create an effective Business Continuity and Resilience management process. 
This can involve assisting organizations with mandatory legislation in implementing incident response capabilities.” As you might expect of the producer of the Organizational Resilience Index, the BSI has got its own house in order, as Wren explains: “We realised that if we wanted to be a market leader, we had to innovate and adapt, particularly in regards to how to better use new technology in our services for our clients. We recognised that our normal business process was not going to address that. Innovation helps us change and challenge our business model.” In a world where the only certainty is uncertainty, the BSI has recognised that business as usual is not an option. However, its Index shows that firms are clearly struggling to respond to this uncertainty. But respond they must. Even if it wasn’t Darwin that originally said it, the message is clear: learn to adapt or survival becomes impossible.
SPECIAL REPORT
THOUGHT LEADERSHIP
THE THOUGHT PROCESS
A desire to challenge current thinking and curate cutting edge content that can reach mainstream audiences sits at the heart of the BCI’s new thought leadership strategy
BY PATRICK APPLETON
In the 1830s, London businessman Marcus Samuel changed his focus and began selling oriental seashells – popular at the time – in addition to the antiques he was better known for. Developed further by his sons, it eventually grew into an import-export business of mammoth proportions. Today, when the name of Royal Dutch Shell PLC is mentioned it is hard to conceive that anyone thinks of something other than petroleum.
The multi-billion dollar oil giant is not the only organization to reinvent itself over time to the extent that its current strategic direction seems like all it’s ever been known for, and now the BCI is embarking on a similar journey as it transitions from an institute focused on research to one that delivers thought leadership for both its members and the wider business world. The aim is “to be a fulcrum of knowledge” for the Business Continuity and Resilience (BC/R) community, says BCI Executive Director David Thorp. Although the BCI is steeped in research as an organization, Thorp’s ambition is to go beyond that and use the content it produces as a “growth driver” for the institute. There are external organizations which could help the BCI create evidenced-based thought
leadership, but in order to be fully aligned with the BCI’s goals, an internal team was chosen to lead the strategy. That led to the appointment of Rachael Elliott as Head of Thought Leadership at the BCI in late 2018, with the idea being that Elliott – who has more than two decades of experience in commercial research – would be tasked with leading the quest to collate the vast swathes of relevant and thought-provoking information that a thought leadership strategy relies on. Her technological background and links to the risk management world were an added bonus. Thorp describes the idea of thought leadership as “primary, premium, intellectual capital” and points out that the organization is on a journey to build a methodology that can permeate throughout the BC/R community.
“Expertise that helps us become a thought leadership organization is not ours per se; it’s drawn from a wide range of sources including members and non-members,” he says. It is an altruistic quest to develop best practices and new modes of thinking, not an exercise in telling others what to do, he adds. Coined in 1994 by influential American economist Joel Kurtzman (see box), the practice can be difficult to define, with the idea of “thought leader” being seen through a diverse lens, from risible to pioneering, depending on the viewpoint of the individual. Writing in Forbes magazine, CEO and Co-Founder of Influence & Co. John Hall describes the key tenets of a thought leadership strategy as requiring full alignment with a content marketing strategy, and being a trusted and reputable source of information. The Fortune 500 business consultant adds that the benefits include “a culture of learning” throughout the organization and profession – giving kudos to members and associates – and eventual self-sustainability as a wider audience becomes aware of the content, ethos and direction of the movement. Working in collaboration with Elliott to create a space where a culture of learning can develop are Dr Ran Bhamra and Professor Paul Baines.
“Our job is to bridge academia and practice, as academic journals can be a bit dry” Ran Bhamra, Editor, Continuity & Resilience Review
Bhamra has been appointed as Editor of the Continuity & Resilience Review, an academic journal aimed at providing “a holistic perspective across resilience research and practice” from a variety of disciplines within BC/R, such as disaster recovery, risk management and information security. “Our job is to bridge academia and practice,” says Bhamra, Senior Lecturer in Engineering Management at Loughborough University. “It’s an interesting niche [to develop], because academic journals can sometimes be a bit dry, boring, and not always relevant.”
ELLIOTT SAYS THE BCI’S 9,500 MEMBERS RESPOND STRONGLY TO SURVEYS AS “THEY KNOW THEY ARE HELPING US HELP THEM”
For Bhamra, a former key processes manager at Alstom Power Services, the key to thought leadership is making the information and the message a credible one. He explains that in helping “leaders sitting in ivory towers” understand how the real world works, thinking is crucial, and adds that his experience of both academia and real-life practice will help translate academic insights to the benefit of practitioners and beyond. Baines’ work with the institute is slightly different, helping to build the BCI’s academic focus by looking at its educational mission and thought leadership activities. Having spent many years in research departments within the UK government, the University of Leicester’s Professor of Political Marketing is well placed to help the BCI understand how best to market its new strategy toward a wider audience. Baines was accepted on to the BCI board a few years ago, to help the organization build up a mission around Resilience and take it beyond Business Continuity only. As a Non-Executive Director, Baines helps the leadership team consider how to build a credible presence in the area of Organizational Resilience – a task that has seen him play a part in setting up a research foundation, which will be funded by business and undertake research on behalf of those sectors, organised and brokered by the BCI. Building up an academic conference to sit within BCI World is another creation with his fingerprints on it (see box). The research foundation would be a self-sustaining, reciprocal process that would see the BCI produce paid-for industry-specific research, and in turn individual industries would continue to use BCI expertise on a regular basis. But there is a bigger picture, he adds. 
“There is something much more altruistic [to the thought leadership strategy], which is to build the knowledge base in [BC/R] to further professionalise the discipline, beyond tools and techniques to paradigms and major shifts in thinking to do with some of these very complex problems,” Baines says.
GOOD PRACTICE GUIDELINES – INNOVATION IN ACTION
BCI Chair Tim Janes explains the importance of the Good Practice Guidelines and why their creation was a significant moment in the history of the profession.
Introduced in 2001, the BCI Good Practice Guidelines is the BCI’s global benchmark document for its members and the wider community, describing an accepted and proven methodology for implementing Business Continuity Management (BCM). Its creation was designed to capture the expertise of BCI members in a shared body of knowledge. For example, the 2018 Edition represents the distillation of knowledge and experience of over 60 volunteers from varying continents and industries. The first GPG provided structure and formality to the many personal practices that had developed across the industry. It encouraged a more consistent use of terminology and established consensus in place of opinion and disagreement. Now used by seasoned BC/R practitioners as a valuable reference manual and by beginners as an essential ‘how to guide’, the GPG content also provides the foundation of the CBCI Certification Course and our wider education programme.
The GPG preceded and informed the progressive standardisation of BCM by several national bodies and then ISO. However, the GPG is different to these standards, as it is not prescriptive. Although the GPG is aligned to ISO 22301, it is aligned in a flexible manner to ensure its content can be interpreted and adapted by the user to suit their needs and circumstances. If the ISO standard defines ‘What’ practitioners must do, the GPG methodology also explains the ‘How’ and ‘Why’, along with practical hints and examples. Ideas and principles that went into the first GPG have continuously adapted as our industry evolves. 20 years and six iterations later, the 2018 Edition built on familiar concepts, methods and techniques to reflect the progressive evolution towards resilience concepts. The principles of cross-discipline collaboration at the heart of resilience are captured in the GPG content and the inter-connected ‘cogs’ imagery.
Who is Joel Kurtzman?
Joel Allen Kurtzman was born in Los Angeles, California in 1947, the son of a Russian immigrant. After completing his education at the University of California, Berkeley and University of Houston, Kurtzman went on to become Global Lead Partner for Thought Leadership and Innovation at PricewaterhouseCoopers. Part of his job title at PwC became a term he would coin during his later years as Editor of Strategy + Business magazine, using the words “thought leader” to describe strategists who were forward-thinking and unafraid to challenge common conceptions. Before taking on editorial roles at the Harvard Business Review and New York Times, Kurtzman was an economist at the United Nations and has been credited with predicting the 1990s Latin American debt crisis. He was also a Senior Fellow at the Milken Institute, a non-profit, independent economic think-tank based in California.
IMAGES: GETTY/ISTOCK/SHUTTERSTOCK
LINKING THOUGHT AND PRACTICE
To help build the links between the academic and practitioner worlds, the BCI will hold an Academic Conference within BCI World when it moves to Birmingham later this year. Paul Baines, BCI Non-Executive Director, says it’s important that the conference is carefully curated in its first year to ensure those in attendance have the right ideas to start a conversation on bridging the gap between academia and BC/R. “We won’t yet have a full understanding of how an organizational resilience academic conference should run at this stage because I’m not aware of any being run in the past,” says Baines. “For that reason alone, it is important that we get the right people in. We need to know that they have a particular interest in an area related to BC/R.”
Details will arrive in due course, but Baines would prefer the conference to remain tight-knit in the beginning to keep down costs and encourage group-think among those in attendance, coupled with the regular keynote speaker element, some seminars and networking opportunities.
Executive Director of the BCI David Thorp says the conference is inspired by his time in marketing, given that a large proportion of the tools used in the discipline began life as academic thought pieces. “This conference is about getting content from academics and presenting it to practitioners so that they can use that moving forward,” says Thorp. “60% of day-to-day marketing tools used by marketers began life in academic journals – that is a fantastic hit-rate. It didn’t come from practice but it was honed there. If we can do that it will truly become a mature profession in terms of its acceptance of new thinking and new ideas.”
Collaboration between academic institutions and the BC/R community is not something new, but the BCI wants to advance that. Rachael Elliott, Head of Thought Leadership at the BCI, explains that in recent years BCI World has hosted “coach-loads of students” from Coventry University to show them around the conference space and to give students a taste for the excitement and opportunity the discipline has to offer. Elliott adds that the ‘research rooms’ at BCI World – which are a free strand of the conference programme – attract a lot of students from different universities and the organization appreciates the feedback received from these, which it can then act upon in terms of refreshing reports to make them more accessible to a wider audience.
Next Practice Groups (NPG) are another string to the BCI bow, producing reports, contributing to benchmarking exercises and encouraging innovation at practitioner level. Similarly steeped in research, the groups comprise individuals ranging from chartered BCI members right up to Fellows of the Institute. Each unit is spread across a different continent or country (see box), and built up by members with a keen interest in research and forward-thinking practices in BC/R. India sits at the vanguard of these innovative clusters, producing two reports a year, and at the time of writing, the North American group has just completed its first piece of analysis, titled ‘Investing in Resilience’.
“They really help build this practitioner thinking, so we try and attract a broad sphere of people in these groups,” says Elliott. “We don’t just want people who have been in the industry 40 years, although there’s nothing wrong with that; we also need people straight out of university with bright new ideas that can propel forward thinking in our research.”
According to Baines, producing these insights is key to the importance the thought leadership strategy can hold in today’s world. Problems which are rooted in the climate change issue, for instance, such as natural disasters, he says, are “major intellectual problems” that require a significant level of thinking to be dealt with effectively and to ensure the problem does not continually rear its head. “You are not going to stop something like that, but you can communicate with people to lessen its impact,” says Baines.
He uses the Deepwater Horizon case as an example where analysis and thought leadership could have negated some of the damage. The explosion and subsequent oil spill in the Gulf of Mexico saw oil company BP eventually pay $54bn in clean-up and legal costs. “That was a crisis solved very badly in my opinion,” says Baines. “The result of that was that BP probably paid far more money than they should have done. Some of that failure is rooted in crisis management, but more could also be done to understand when the plan is or isn’t effective, to find out what people needed to hear or do to recover correctly and be more agile afterwards.”
Building a system to deal with those intellectual problems is something that demands further research. At present, the BCI produces a series of reports throughout the year – ‘Emergency Comms’, ‘Horizon Scan’, etc – but the organization is keen on listening more to what its members and practitioner community wants to see within those reports. Speaking from experience, Elliott says environmental change is certainly on the agenda for 2020 as it is an issue “people want to hear about”. She adds that the BCI has grown to become
more “reactionary” in what it produces, and that more regular blogs and webinars on pertinent topics are the order of the day.
For Thorp, a former marketer, the time is right to refresh the discipline of BC/R and consider how it thinks about itself and others as it bids to become a profession with mainstream appeal. During his time at the Chartered Institute of Marketing, where he led research, professional development and thought leadership departments at various points, challenging conventional thinking was a way of life. He wants the BCI to eventually grow into a position where it can have the same impact, although Thorp concedes this could be a slow road to success.
The BCI’s Executive Director believes that the underlying methodologies and tenets of practice within the BC/R profession “do need looking at in more detail”, an issue he says is a function of thought leadership at its core. In addition, there is the need to differentiate between the path of research once trodden by the BCI, and its new strategic direction. There is a significant difference between being an organization driven by research and one that is a thought leader, adds Thorp. “Research is about drawing out learnings, while thought leadership is about developing the content. There is a radical difference,” he says.
At the BCI, a big difference is that the research produced is to help practitioners do their job better – it is aimed at a certain group of people for holistic reasons, rather than to increase profit margins. Elliott notes that while the processes between her previous, more commercial, research roles and her current function are quite similar, the audiences are entirely different. The 9,500 BCI members are more responsive as they value information they send, “because they know they are helping us help them”. “If people send us better information, we do better research,” says Elliott. “It is a very, very refreshing difference [to commercial] and makes the research more compelling as it removes bias. You can really write about what you’re seeing in the results.”
For the strategy to succeed, Baines urges the BCI and its members to understand the underpinning ideology of thought leadership, explaining that the practice is mainly about “developing a set of coherent intellectual ideas to advance a particular area of thought”, and influencing positive change. Bhamra agrees with this, saying that for thought leadership to grow at the BCI, it must do what any good thought leader does. That, he says, is picking up on the “zeitgeist”, or flavour of the day, in its particular domain. The BCI displayed such an approach in the wake of the ongoing coronavirus outbreak, holding a series of webinars in early February and with more in the pipeline as the situation
continues to develop daily. Webinars focused on the situation as it was and how BC/R professionals and their organizations could best adapt to the challenging nature of operations during such a pandemic. The initial webinars were facilitated by Dale Cochrane, a senior BCI member in Australia, and Thorp says that having group-think sessions on pressing matters like this, which spring out of nowhere and can rock businesses to the core, “creates powerful outcomes” and is “thought leadership in the truest sense” as it provides essential knowledge imminently for frontline professionals. He adds that the online gatherings – which reached practitioners from Northern Ireland to Australia – will continue to run throughout early 2020, with capacity outweighing demand during the first run of the webinars. Indeed, further webinars will be appropriate as the outbreak develops.
An additional element is getting content and insight on to the BCI’s website and open channels at speed, with Elliott also referencing the coronavirus outbreak to demonstrate the point, explaining that a BCI partner offered guidance on the virus as news broke. That was disseminated on BCI channels – including the website – immediately and structured in such a way that when someone searches for ‘Business Continuity coronavirus’ on Google, the BCI’s website will be at the top of the search results. She adds that getting reports out more quickly is critical if the strategy is to be successful.
Producers of those reports, including NPGs, add greatly to the thought leadership strategy. Bhamra says that Continuity & Resilience Review will work to engage with these groups, among a range of diverse contacts worldwide, to help bridge the gap between academic and practitioner thinking. Frank Lady, Senior Vice President of BC, Bank of America, and Chair of the Americas NPG, welcomes the changing focus and says that for BC/R to grow as a profession, having a body that challenges the status quo and forces practitioners to think laterally can only be a good thing.
“The BCI has established as a priority the imperative of providing high-quality, insightful and thought-provoking content for our profession,” says Lady. “A thought leadership strategy should be about seeking to establish a pre-eminent position in articulating the challenges, opportunities and processes of Business Continuity in the years ahead, both in terms of its current context, as well as how it might evolve over time.”
As a champion of diversity within the NPG, Lady’s work also involves creating a culture of differing viewpoints and perspectives for the greater good. Different views, organized by a leader into a clear and coherent approach, are the lifeblood of the most innovative and agenda-setting organizations in the world. There are clearly a vast number of individuals in the BC/R community with the determination to be different and affect positive change throughout the discipline, to work with others and challenge what the profession is and can be. For the BCI, the task ahead is to listen to those individuals far and wide, provide the tools and platforms they need to succeed, and demonstrate to both members and non-members the critical role the discipline has to play in a testing new era for business and civilisation.
WHAT’S NEXT?
Frank Lady, Chair of the BCI Americas Next Practice Group, discusses the role of the body in encouraging innovative thinking
Q: How does the BCI Next Practice Group work?
Our group assembled in early 2019 and has submitted its first report for publication, which we expect will be debuted by the BCI in February. We were pleased to have 17 volunteers from Canada, Mexico and the US who participated in developing our first report. We divided the work into sections, and the leaders of those sections typically were supported by two or three team members. As we are on the cusp of our first report being published, we hope it will have a very positive effect both in terms of its content, as well as in terms of generating additional interest in contributing to future reports.
Q: What does your role at the Next Practice Group entail?
I am the chair of the North America Next Practice Group through to the end of 2020. At the end of this year a new chair will be named for a two-year term. I was very involved in the development of the first report, from conceptualisation, to writing and editing. The Next Practice Group has not intersected with my role at Bank of America, as I contribute to the NPG in my personal time. However, I am open to greater levels of collaboration if the opportunity arises.
Q: Why is thought leadership so important to Business Continuity and Resilience?
As we continue to seek opportunities to collaborate across disciplines and move from a unitary Business Continuity discipline to a more multifaceted approach to Resilience, the NPG also seeks to help define pathways and hopefully success stories as the journey progresses.
Expert Voice | SPONSORED FEATURE | RISK AND RESILIENCE
Risk and Resilience – Beating the Odds
Alan Elwood and Rupert Johnston, co-founders of Risk and Resilience, a company with over 100 years’ combined experience as resilience practitioners and consultants, talk about their early advocacy of organisational resilience. Based on their former careers, consulting and planning for complex challenges, Alan and Rupert were quick to identify a need in the market in 2013. Rupert explains: “A decade ago it was apparent that many organisations were settling for ‘off the shelf’ solutions to increasingly complex risks and challenges. We knew those solutions or stovepiped responses wouldn’t work, given the complexity of risks, the interdependence of businesses and supply chains, as well as the speed of communications and damage and disruption which take hold quickly.
“So, we set up Risk and Resilience with a very clear focus on developing practical, bespoke solutions, addressing the risks that are relevant to our clients, working alongside them to develop and integrate their various resilience components – such as risk, information security, incident management and business continuity – into a meaningful resilience capability.”
The company has steadily grown since its inception. Being selective and finding the right people has been a challenge but it has paid off for the team.
Alan, a Fellow of the BCI, described the company’s journey, “Having steadily grown our experienced team has allowed us to create a formula that worked for our clients and our record now speaks for itself. We continue to support executives and their resilience teams in the UK’s leading airports, Europe’s leading air navigation service providers, FTSE 100 manufacturers and global financial services institutions.
“It’s interesting to work with a range of other companies varying in size and maturity and we’ve noticed a change in demand to provide more complex and challenging ‘live play’ exercises, as well as training, advisory and assurance support.
“Our growing client base keeps us very busy and it’s fulfilling to add real value and help organisations across Europe to become more resilient.”
When asked about the challenges they encounter, Risk and Resilience’s co-founders point out that understanding what actually works in practice, rather than on paper, is the key ingredient for resilience. “We’ve found that it’s vital to resist the urge to short-circuit planning; creating stable and pragmatic ‘crisis ready’ processes and structures is fundamental. In particular, it’s critical to understand how information will be used to shape decisions in challenging circumstances,” Rupert continues.
“We also set great store by seeking balance between preventing disruption and being ready to respond, with solutions tempered by clear priorities, understanding how much risk can be borne and the ‘art of the possible’.
“Aspirational plans about what you hope might happen have no place in any organisation that’s serious about protecting itself! This is where good governance and Board level engagement becomes important.
“We know that meaningful resilience brings competitive advantages and protects businesses and jobs. We make no apologies for holding any organisation’s feet to the resilience fire; it’s served our clients well in times when they’ve needed it most.”
ALAN ELWOOD & RUPERT JOHNSTON, Co-founders, Risk and Resilience
RISK AND RESILIENCE LTD For further information please visit: www.riskresltd.com +44 (0)28 9073 5887 enq@riskresltd.com
EMPATHY IN BC
EMOTIONAL INTELLIGENCE
By genuinely trying to understand their people and their mental aptitude, businesses and organizations can become more resilient, productive, and attractive to others
BY COLIN COTTELL
Could a tried and tested technique borrowed from the world of sales contain within it the secret to building greater Resilience within organizations? According to a presentation at BCI World 2019 in November, employing a seemingly simple sales technique can win hearts and minds – in Business Continuity’s ongoing struggle to get cooperation and engagement from business colleagues and recognition from senior business leaders.
The presenter of the session, Bert Burkels MBCI, is Outsourcing and BC Manager at the Netherlands Addiko Bank AG. His role includes running BCM training courses for company employees, but rather than presenting participants with a certificate at the end of each course, he has put his own spin on it by giving employees a key chain with a wooden clog on it. ‘BCM certified by Burt’, reads the imprint. After receiving three of these, participants in his courses are entitled to a fourth featuring the Dutch flag and the orange banner of the Dutch king. “These are people who are reporting to C-level,” he says, adding that the small wooden clogs are a very cost-effective reminder of the courses. “They cost one euro each, and people are fighting over them. I was amazed it works, but by giving them something other than the boring stuff, people respond enormously.”
Burkels uses this story to highlight the importance for BC professionals of being able to understand and then tap into the emotions of others. Whether they are trying to persuade colleagues or clients to attend a BCM training course, to complete a BIA (Business Impact Analysis), or in the case of senior management to take BCM more seriously, Burkels argues that the ability to demonstrate empathy is an essential component of every BC professional’s toolkit. Not only will their relationships with colleagues and clients improve, but crucially this will also have a positive knock-on effect on Organizational Resilience. The need for empathy among BC professionals is increasing all the time, he says, largely as a result of rising workloads.
For Burkels empathy starts with the premise that both BC professionals and their colleagues or clients each get something out of the relationship. “It is about establishing common goals,” he says. One particular tactic he uses is to appeal to colleagues’ self-interest, using the line, “Continuity of the organization is good because you get to keep your job, and you have a salary so you can continue to pay the mortgage or rent.” This establishes a common goal between BC and non-BC employees. And if colleagues then protest they don’t have the time, Burkels says he gives them a choice – either to postpone until a later date or he offers to unburden their workload by talking to their manager. “Again, I achieve my goal and get my BIA done, and they get their work done,” he smiles.
But crucially in either case, if this is done in an empathetic way, Burkels says what he gets is “more than just a tick in the box”. “I get some good information so we actually get a higher level of Business Continuity and Resilience for the bank,” he says. In contrast, Burkels says asking a colleague to complete a BIA template, for example, simply because the banking regulator is demanding it doesn’t work, with the outcome likely to be “a document that doesn’t help you in creating Resilience within your organization”.
Eren Aslan, MBCI, Senior Business Continuity Specialist – Global at global semiconductor and software design company ARM Holdings, who spoke on the subject of “Empathy in Continuity” at BCI World 2019 in London in November, strikes a similar tone. “Anybody who works in BC has to be empathetic. I think it is paramount,” he insists. “We deal with multiple departments on a daily basis, and our job is to get every single stakeholder to understand the importance of the company’s BC programme and why it’s building Resilience, why it’s valuable.” Without speaking the stakeholder’s language “we don’t stand much chance”, he warns. BC professionals who behave empathetically can also be the catalyst for better understanding between different business functions that play a role in BCM, such as HR and risk. “They are both going to have confirmation bias based on their professional background, so it is about trying to get the risk guys to understand the perspective of the HR team and vice versa,” says Aslan. “[But] they don’t necessarily have to agree.” Active listening is also vital. He advises taking the narrative that has been provided and tailoring the response using “relative expertise” to offer “relevant answers”.
Burkels’ quirky ‘awards’ have proved a hit with his fellow bank employees
BUSINESS CONTINUITY: IT’S AN ETHICAL THING, YOU NEED TO UNDERSTAND
Developing empathy is not the only way that BC can raise its profile and increase its influence within organizations. According to Dimitrios Spentzas, MBCI, Group Business Continuity and Risk Manager at international specialist banking software company Temenos, another way to achieve this is to change how we frame BC and present it to the world. Rather than continue to look at BC as a risk issue, Spentzas suggests it would be better to look at it through the prism of ethics. Referring to his own company he says: “We are doing BC because it is the ethical thing to do, because we are part of the supply chain and we want to continue to provide our services to customers.” Spentzas says the advantage of presenting BC in this way is that ethics “is very close to the hearts of top management and CEOs.”
Spentzas says building Organizational Resilience can also be linked to a company’s corporate social responsibility goals of operating responsibly. As well as resonating with CEOs and board members, demonstrating that BCM is linked to an organization’s higher purpose will also help attract talent that is attracted by values and purpose into the profession, he says.
Burkels agrees that empathy allows BC professionals to tap into the knowledge and expertise they don’t have themselves, resulting, for example, in an improved BIA template that ultimately feeds through into a higher level of Organizational Resilience. There is a link between relationships built on empathy and building Organizational Resilience. “Empathy is going to put us in better stead in the world of BC to be able to get our message across, to get that person’s time, and to buy into our programme,” Aslan says. “It is also a way to sort out what is important to individuals and utilise their expertise to build truly resilient organizations.” He suggests BC practitioners use what he labels as “stereotypical knowledge” of threats, such as global warming, to pull colleagues in so they see the links between their role and the Resilience of their area of work and the wider organization. “If everybody does that, the organization becomes resilient by default,” he says.
Aslan recognises that achieving Organizational Resilience may be more difficult in organizations where the culture is resistant to change. However, he argues that while this type of organization makes building Resilience more difficult, it is up to people within BC to take the first step by being empathetic themselves. “There is a ripple effect, so essentially in order to change your surroundings you first start to change yourselves,” he says.
Andrea Bonime-Blanc, Founder of GEC Risk Advisory and author of Gloom to Boom: How Leaders Transform Risk into Resilience and Value, says that all leaders – “and especially leaders heading up such sensitive and critical functions like Business Continuity and crisis management, where the wellbeing of humans and related ecosystems is often at stake – must have a good balance of empathy”, although many don’t. A balance of empathy becomes even more important as they become more powerful within an organization.
If they don’t have such empathy, serious consequences may follow, says Bonime-Blanc, with the loss of key stakeholder support being a main negative consequence. “If BC professionals are exclusively focused on getting the business up and running again, say, after a natural catastrophe, and they don’t have the empathy necessary to put people first, severe consequences may follow including the health and safety of employees, customers and communities, not to mention long-term reputation risk,” she warns.
Diversity could hold the key to greater empathy within BC. This starts with hiring a more diverse workforce, Aslan says, resulting in BC processes and programmes that benefit from individuals’ different perspectives and approaches to solving problems. “If we do this, I think we will be 90% there in terms of building empathy into our programmes,” he says. BC has moved on from the day when many practitioners came from only one or two professions, adds Aslan.
On the subject of gender diversity, Burkels says he has seen more and more women coming into the profession but he contends that the link between more women in BC/R and higher levels of empathy overall is nuanced. The level of empathy present depends on the individual rather than whether the person is a male or female, he believes. However, Aslan is more categorical, referring to research that claims women “are actually better at empathy than men”. It is hugely important that women make up at least half of the workforce within BC, he says. “Otherwise, the chances are we are going to have a lot of confirmation bias and group-think if it is only men sitting around the table.”
Burkels and Aslan concur that while some people are naturally more empathetic than others, empathy can be learned and developed. “It’s a thing of experience, so you need some life experience which develops your skill and knowledge of how to get people to do stuff,” says Aslan. However, he adds that brushing up on your knowledge of psychology and training in neurolinguistic training are also helpful. Aslan says most people are born with empathy, but that it can be further honed and developed over time, including through empathy training.
IMAGES: ISTOCK
A proponent of role-playing drills among employees, Bonime-Blanc adds that “well-designed, hypothetical scenario exercises” are a great way to “get people immersed and sensitised” into issues such as understanding and feeling empathy. Whether it is through such training methods or by borrowing sales techniques, it is clear that in Business Continuity and Resilience’s quest to win friends and influence people, empathy is making an impact upon the hearts and minds of leaders across various industries.
HOW TO BE EMPATHETIC
Try to put yourself in the other person’s shoes and focus your attention on their welfare, interests and needs
Listen to people, and don’t interrupt them, and don’t rush to give advice
Create a win-win situation for both parties by looking for common ground and goals
Consider tone of voice and body language
Give genuine recognition and praise
Selective disclosure of your own feelings and experiences can be a way of connecting with others
Take people out of a group situation by talking with them individually face-to-face
“If BC professionals are exclusively focused on getting the business up and running again, say, after a natural catastrophe, and they don’t have the empathy necessary to put people first, severe consequences may follow” Andrea Bonime-Blanc, Founder of GEC Risk Advisory
CYBER SECURITY
COMMUNICATING THE RISKS
As social engineering grows in infamy, understanding employee traits could help organizations defend more resolutely against the threat of cyber attack
BY SUE WEEKES
Business Continuity and Resilience (BC/R) professionals are used to identifying and testing vulnerabilities in processes and systems. How effective are they at spotting something inherent in the personality of the individual operating them that might increase the risk of a crippling cyber attack occurring? A recent study concludes that there may be a link between personality type and falling foul of cyber crime.
Jake Moore, Cyber Security Specialist from internet security firm ESET, reports that cyber criminals can prey on their victims for years. He wanted to investigate whether there was a correlation between personality type and the likelihood of being phished/socially manoeuvred, where individuals are manipulated or deceived into divulging confidential details that may compromise themselves or their organisation. “Poor cyber awareness or education is one thing – but there are still examples of people high up in companies who have been pivotal to huge scams and cyber attacks,” he says.
It led the company to collaborate with business psychology experts The Myers-Briggs Company to explore the link between personality type and vulnerability to cyber crime. A joint whitepaper, ‘Cyberchology: The Human Factor’, highlights how the most successful – and therefore damaging – cyber attacks rely on a degree of human error and/or ignorance. For the human risk factor to be mitigated, senior and middle management must play a much larger role in identifying the
CYBER SECURITY TIPS FOR EACH MBTI TYPE
THE LIKELY CYBER SECURITY STRENGTHS AND TIPS FOR PEOPLE WITH PREFERENCES FOR EXTRAVERSION.
ESTP
When they are persuaded that cyber security is important, ESTPs can quickly spot when things are not right and take immediate action. Cyber security tips: IT security is important and the rules do apply to you. Get specific examples of what you can do differently and act on them.
ENFP
ENFPs are one of the first to realise when a new security process is in place. Will take IT security very seriously if it becomes one of their values. Cyber security tips: Be suspicious of emails that have an emotional appeal for you. Stop and think before you click.
ESTJ
ESTJs are likely to follow IT security rules and processes and seek to improve them. Generally, they take cyber security seriously. Cyber security tips: Don’t always do things the same way or use the same passwords. Don’t be tempted to cut corners in order to be more efficient.
ESFJ
ESFJs are aware of IT security policies and follow them conscientiously. They form security habits and use them to follow the rules efficiently. Cyber security tips: Be careful who you trust. People online may not be who they seem. Don’t always do things in the same way or use the same passwords.
ESFP
ESFPs will take quick action when they spot that something is not right. Generally, they follow IT security rules and policies. Cyber security tips: Don’t trust a public network for sensitive data even if it has a password. Don’t take things for granted, it pays to be vigilant, perhaps even untrusting.
ENTP
IT-savvy ENTPs will strive to be competent and avoid ‘stupid’ errors. Keen to make things happen (though this can mean bending the rules). Cyber security tips: If you compromise security, others may see you as incompetent. Slow down before you read emails, you might spot something.
ENTJ
ENTJs are one of the first types to realise when a new security process is in place. Will keep up-to-date and ask questions to understand security issues. Cyber security tips: Don’t rush to change security processes, find out more first. Avoid overruling others if they have a fuller knowledge of IT security.
ENFJ
Will follow the rules when the rules are clear. Will take security seriously when aware of effects of breaches on people. Cyber security tips: Be proactive about IT security, even at home. Don’t re-use passwords or use the same one for different apps.
THE LIKELY CYBER SECURITY STRENGTHS AND TIPS FOR PEOPLE WITH PREFERENCES FOR INTROVERSION.
ISTP
ISTPs have a mistrust of systems and of other people online. Happy to follow IT security rules when they make logical sense. Cyber security tips: Make the effort to find reasons for a rule before you bend it. Doing things your own way can be risky.
INFP
INFPs are unlikely to make sudden, risky choices. If aware of the effects of poor security on others, they value the rules. Cyber security tips: Your organization will have IT security rules. Follow them. Take personal ownership of IT security.
ISFJ
ISFJs are likely to spot discrepancies and errors in phishing emails. Unlikely to be caught out twice by the same cyber attack. Cyber security tips: Don’t trust a public network for sensitive data even if it has a password – Be careful who you trust.
INTJ
INTJs value knowledge and strive to be capable and competent. Generally, they follow IT security rules and policies. Cyber security tips: You don’t necessarily know best, even if the rules seem unnecessary. If you want to be competent, remember to check the details of emails.
ISTJ
ISTJs are likely to spot discrepancies and errors in phishing emails. Generally, they follow IT security rules and policies. Cyber security tips: Don’t just use variations on the same password or passwords. Stay alert. Previous experience should not be your only guide.
INTP
Many INTPs are learned about cyber security issues. INTPs are very aware that anyone can be caught out by cyber attacks. Cyber security tips: Find the IT security rules for your organization and follow them. You don’t always know best. The rules are there for a reason.
INFJ
INFJs can over-complicate things and search for hidden meanings. This can be an asset in IT security. Cyber security tips: If something doesn’t feel right then check, check and check again. Don’t forget to check details, they are important.
ISFP
ISFPs take IT security seriously and are careful in their online behaviour. Generally, they follow IT security rules and policies. Cyber security tips: Pause before you click. Remember that people online, even friends, may not be who or what they seem.
Copyright 2019 The Myers-Briggs Company
vulnerabilities within their teams and securing cyber systems via “an integrative human/machine approach”. The company has subsequently come up with a set of tips for each of its 16 personality types (see boxout) by the Myers-Briggs Type Indicator (MBTI) and based on the four basic preferences of where you focus your attention: extraversion (E) or introversion (I); the way you take in information: sensing (S) or intuition (N); how you make decisions: thinking (T) or feeling (F); and how you deal with the world: judging (J) or perceiving (P).
BC/R professionals need to be part of the conversation that alerts all managers – junior, middle and senior – to the possibility of such human risk within their teams. “Building a resilient business and safeguarding continuity may look to be all about processes, but those processes are carried out by people, many of them with ‘day jobs’ outside of the Business Continuity and Resilience function,” says John Hackston, Head of Thought Leadership, The Myers-Briggs Company.
Hackston presented the paper and the findings of a subsequent survey to a British Psychology Society event in the UK earlier this year. He reports that what the delegates – all occupational and organizational psychologists – found most interesting was what the survey said about their own “less than perfect” online behaviour.
“There are examples of high up people who have been pivotal in causing attacks”
Following the initial study, The Myers-Briggs Company carried out a survey that found nearly two-thirds (64%) believed they had been the subject of a cyber attack in the last year and 15% in the last week. It also found that men were more likely than women to report having experienced a recent cyber attack. Those working in the US were, on average, the highest on ‘conscientiously follows rules’, significantly more so than those working in India, who came out as the lowest.
It contends that people with more extroverted personality types tend to be more vulnerable to manipulation, deceit, and persuasion from cyber criminals, known as social engineering attacks. People with a preference for sensing are more likely to spot phishing attacks than intuitive counterparts, but are also more likely to take cyber security risks.
Hackston says that BC managers and specialists need to work on such areas with employees, adding that it is important to tailor any communication around the subject appropriately. “We know that framing any communication in a way that is likely to appeal to the recipient’s personality type is more effective and more persuasive,” he says.
Moore and Hackston both believe more work needs to be done in this area to build further evidence of the link. And as well as putting the findings to date in front of its traditional HR or learning and development client base, The Myers-Briggs Company also wants to target IT and other functions. “Many businesses have historically operated in silos – HR dealing with those tricky ‘people’ issues, facilities dealing with physical infrastructure, IT with issues around cyber security and so on,” says Hackston. “But in reality, all these aspects are linked.”
Moore adds that personality testing would also enable HR to direct more training to individuals to minimise the risk to the business. But he warns that any data from such testing and research in itself needs to be stored correctly and encrypted “because this type of data would be like a gold mine to a cyber criminal if they were to know which individuals to attack.”
ATTACK TRENDS
Cyberchology: The Human Factor describes the items below as among the biggest trends in the area of cyber attacks. ESET warns, though, that it is a fast-moving area and cyber criminals can implement changes at an “unprecedented speed”, enabled by ever-evolving technology such as artificial intelligence.
FORMJACKING
Formjacking codes, as the name suggests, target online forms. Typically, a formjacking attack will skim credit card details as they’re entered by customers of online retail sites.
POWERSHELL
PowerShell, or ‘Living off the Land’, attacks rely on eccentric behaviour in order to feed off supply chains. A PowerShell script will disguise itself within a ‘safe’ process (the ‘shell’) and phish for data and/or intelligence from therein.
IOT ATTACKS
The Internet of Things provides a plethora of opportunities for cyber criminals. The need to secure smart devices (for example, an Alexa-enabled speaker) against cyber attack is often overlooked, making these an easy portal via which cyber criminals can access a system.
Q&A
NEXT GENERATION
Jan Kevin Rico
NATIONALITY: Filipino
TIME IN THE PROFESSION: Two years
FIRST JOB IN BUSINESS CONTINUITY/RESILIENCE: Operations Associate, Policy Owner Services
CURRENT EMPLOYER: Philamlife
CURRENT ROLE: Management and Shared Services Governance Officer
FAVOURITE ASPECT OF THE WORK: Interacting with a lot of people is my favourite aspect of the work. It was a natural fit for extroverted people like me to thrive in this profession. I prefer talking to people face-to-face rather than emails and calls. Human interaction is a vital component in our personal and professional development.
Q: What attracted you to the Business Continuity and Resilience industry?
That’s an interesting question, as I was about to resign from Philamlife when the COO gave me the opportunity to take on an assignment in the Business Continuity Management (BCM) department. I had no idea what to expect, and went in there with a clean slate, hungry to learn the ins and outs of BC.
Q: What is your biggest learning to date?
Taking risks in all aspects of my life is by far my biggest learning. If the intent of doing things is genuine, then the risks are ultimately limited in achieving the bigger picture.
Q: What is your career ambition?
To keep on improving my skills in this field for the next five years until such time that I will be confident to venture into consultancy. Another option is to aim for a regional role covering both BCM and enterprise risk management.
Q: What is the best career advice you have received?
Trust the process, and enjoy it. It is always the process that gives me better appreciation of the success and growth, never the other way around.
Q: What is your preferred mode of learning?
Philamlife is the first company I’ve worked with, spending the past four-and-a-half years here. After being assigned to different roles in operations, I’ve come to terms with the fact that there is no teacher quite like experience. Having a hands-on approach provides an engaging and empowering environment which increases my appetite to learn.
Q: What changes would you like to see in the profession?
People’s perception towards the importance of this profession.
Q: In your opinion, why should more people be joining the BC community?
Law of supply and demand. It is simply to meet the growing demand of companies seeking the services of BC professionals.
Q: Who would be your mentor?
I do not have one as such, but ideally I’d want to have a mentor who can guide me both on my career and personal life. Any mentor must be prepared to let me know what I need to hear even if it is difficult for me and them, because there’s always room for improvement.
WHAT A GREAT IDEA
“Preparing to fail is what gave me the ability to succeed, becoming better each time I failed”
MY LIGHTBULB MOMENT
Bounce forward not back
Cécile Bastien Remy is a global speaker on personal Resilience and appeared at the Risk !n 2019 event for Business Continuity and Resilience (BC/R) professionals
At the age of 21, I was diagnosed as 45% disabled following a car accident which claimed the life of my boyfriend. The physical and emotional hurt was real, but despite the fact that personal Resilience is a highly researched topic, I could not find answers to the questions of ‘when’, ‘how’ or ‘will I recover’?
Personal Resilience is tough, but there are practical steps to take: Make an inventory of what you lost and what you have; Choose who you want to become – have a goal; Move on and make a fresh start.
BC/R professionals have to know how to impart ideas clearly to a variety of people, which reminds me of eight years ago, when I was invited to give a keynote speech at an event. I was both afraid and excited. My Lightbulb Moment was to use my Resilience process to overcome this challenge: I assessed my abilities, I chose who I wanted to be by investing time and money to practice, and I prepared to fail. It is what gave me the ability to succeed, becoming better each time I failed. Even if Resilience is defined as bouncing back, I like to think that I bounce forward.
Business Continuity Awareness Week (#BCAW2020): We are Stronger Together. Arriving May 2020.
Find out more: thebci.org/BCAW2020