BarnOwl info sharing session: Build resilience into your business before a crisis hits
BarnOwl Info Sharing session: 24 November 2022
Presented by: Tracey Linnell | Director | Morgan Solus
Introduction
Thank you very much Tracey for your most informative presentation on ‘building resilience into your business before a crisis hits’ at the BarnOwl info-sharing event held on 24 November 2022. Thank you too, to all those who attended the session.
What can go wrong?
As we know, the world at the moment is in quite a state of upheaval and especially in South Africa with an increase in load shedding, the threat of social unrest, infrastructure degradation affecting transport, ports water and sanitation, telecoms and so the list goes on; not to mention the omnipresent threat of cyber-attacks. There is a term in the risk management space called VUCA which stands for Volatility, Uncertainty, Complexity and Ambiguity.
There has been an unprecedented number of exposures in the last few years and the frequency and severity of events seem to be increasing, due largely to the advancement in technology and integration of supply chains. If unmanaged, these risks leave companies exposed and vulnerable to significant downtime should an incident occur. Survival of the organisation may very well come down to whether the company has Business Continuity in place or not.
Misconceptions
Staff: Even the best employees cannot be expected to know what to do when disaster strikes. Leaving each to respond in his or her own way only adds to the confusion of an event. Having a well-documented business continuity plan in advance, and training your employees to follow it, gets everyone on the same page — helping to ensure an organised, safe and timely recovery.
Insurance: Insurance alone is NOT a business continuity strategy. Proper coverage is a significant and important part of the plan. But it may not fully cover some of the peripheral damages from an event, like loss of customers, loss of market share, or setbacks in development or release of a new product.
Time to do BCP: Time spent developing and maintaining a business continuity plan is an investment in your company. Your fixed costs will continue after an event, whether or not you are open for business. The faster you can return your operations to normal, the more likely you will recover from the event successfully. With so much at stake, your company cannot afford to NOT have a plan.
BC & DR: Business continuity is a proactive plan to avoid and mitigate risks associated with a disruption of operations. It details steps to be taken before, during and after an event to maintain the financial viability of an organization. It covers the 6 key pillars: Premises, Skillsets, Documentation, Equipment, 3rd Parties, and IT applications. Disaster recovery is the ability of the IT function to restore critical applications within the time frames required by business functions. The two fields must work side-by-side to ensure alignment and a successful outcome.
Response and Management
It is important to understand what business continuity is, and how it operates. The picture above illustrates a timeline. If we start on the left hand side and imagine that there was an incident such as a fire at one of our buildings:
Emergency response phase: The first response would be to get everybody out of the building make sure that they are safe and perform roll call – this is the Emergency Response phase.
Crisis management: The next phase would be for the crisis management team to get together and understand the impact of the incident in terms of the strategic decision making. This would include things such as: crisis communications, talking to the media and understanding the operational impact to the organisation and the customer.
Business continuity management: The next phase covers business continuity operations, which is where we look at the recovery of each of the different departments and their supporting resources. For example, if we need to recover the payroll function, then we would need to know: how quickly we need to do it, what skill sets are required, what IT systems are used etc.
IT incident management: Then below the line we look at IT incident management. An example of this would be Email. If the email server goes down for an hour or two it’s not the end of the world, the IT team would rectify it.
IT disaster recovery: Whereas the dark blue phase to the right, is IT Disaster recovery. An example of this would be where the IT data centre experiences significant issues or our servers or applications are offline, then the IT team would have to fail over to alternate IT site in another location.
So it is important to take from this picture how the different terminology is used within your context.
Why do we do business continuity?
So the big question is why do we do business continuity?
Our business is to look after the wellbeing of all our stakeholders including customers, staff, shareholders, community etc. but it order to do our organisation needs to make money. In order to make money we need to have customers that are purchasing a product or service from us.
If we have a situation where there is an interruption to the product or service and the timeframe is too long for us to recover, our customer will get frustrated and eventually move to a competitor, change brand or just stop buying from us.
This has a direct knock on impact on our revenue and knock on effects down to individual staff members such as job cuts, salary cuts and no bonuses.
So what we want to achieve with business continuity, is to ensure that we can protect the product and service to make sure that it is restored within a timeframe that is acceptable to our customers. We do this by ensuring we have planned and are ready to respond and recover.
What are we protecting?
As part of our business continuity program we need to ask ourselves the question – what are we protecting? There are six pillars within the organisation that we need to ensure have resilience in place.
#1 Skillsets: Skillsets are the people that are performing the functions in order to serve our customers.
#2 Premises: We need to protect the premises or physical sites that we operate from.
#3 Documentation: We need to ensure that hard copy documentation has been scanned in and is available electronically in case we need to move premises.
#4 Equipment: We also need to ensure that we can recover from the loss of critical equipment. For example if we had a fire and we evacuated and left our laptops and desktops behind, where would we get new equipment from and how quickly?
#5 3rd parties or supplier: If a critical supplier is not servicing us for some reason, then how will we continue to service our customer if they are a key part of the value chain?
#6 IT Systems: We must ensure that the underlying IT systems and data can be restored within acceptable timeframes.
Solutions – options to meet RTO (Recovery Time Objective)
Value chain protection
So how do we go about ensuring that we can protect these six pillars?
We follow a circular methodology as you can see in the picture. The first thing that we do, is we understand the organisation in terms of each business units, what functions they perform, the skillsets required, what documentation and equipment they use, 3rd parties involved and IT systems used. See the info gathering slide below:
Once we have this information, we look to see if there are any gaps in those six pillars and if there are, what solutions need to be put in place. The gaps and solutions are then converted into projects, with associated cost benefit analysis, and if approved, are then implemented.
Once the gaps are closed, we then move onto documenting the business continuity plans which will cover all the steps and actions that need to be followed to recover that business unit.
Once we put the plans in place we go about testing and exercising the plans and solutions.
This is to ensure that all the work that we’ve done previously from a theoretical point of view, now actually works in practice.
On the outside of the circle, we have a policy and governance phase. This covers all the foundation documents such as the BCM policy and framework and helps to guide the way in which we run the Business Continuity program.
Last but most importantly, is the training and awareness phase, where we need to ensure that all staff members are aware of what is expected of them and that those who are part of the operational response, are suitable trained.
Industry Standards
The business continuity program implemented is based on leading industry standards. It’s not necessary for you to know these standards, just simply to know that they exist and that we as an organisation are aligning to the standards.
In conclusion
In today’s environment it is not IF, it’s WHEN.
It’s all about planning. Plan, plan, plan. Let’s make sure that we put these activities in place ahead of time.
The good news is that there are software solutions available that will help you with these processes, whether it be cyber, IT disaster recovery, business continuity, enterprise risk management. Software solution/s automate the process which makes your life a lot easier and more efficient and moves away from 100s of Excel and Word documents.
Presentation and video links
Please see attached presentation here, and the info sharing recording here
Related links
https://barnowl.co.za/knowledge-centre/
Cheryl Keller | BarnOwl: cheryl@barnowl.co.za
Tracey Linnell | Morgan Solus: traceyl@morgansolus.com
Thank you
Once again, thank you Tracey for your time and for your informative presentation and thank you to all those who attended our info sharing session. We look forward to seeing you at our next info sharing session. Please keep a look out for our upcoming events at: https://api.barnowl.co.za/events/
Kind regards
Jonathan Crisp
Director – BarnOwl GRC and Audit software
About BarnOwl:
BarnOwl is a fully integrated governance, risk management, compliance and audit software solution used by over 150 organisations in Africa, Australasia and the UK. BarnOwl is a locally developed software solution and is the preferred risk management solution for the South African public sector supporting the National Treasury risk framework.
Please see www.barnowl.co.za for more information.
About Tracey Linnell
Biography
Tracey Linnell has been involved in Business Continuity Management (BCM) and ICT Continuity since 2003, with over 18 years’ experience. She is a Director of Morgan Solus, which provides specialist consulting services on Crisis Management, Business Continuity, Disaster Recovery, Resilience and BCM Software.· Tracey is an ISO 22031 Lead implementer Master and holds an Honorary FBCI from the Business Continuity Institute.
- Tracey was awarded Africa Continuity and Resilience Consultant of the year from the BCI in 2016, 2018 and 2020
- Tracey was awarded Global Continuity and Resilience Consultant of the year from the BCI in 2020.
- Tracey is also a BCI “Hall of Famer” and won Contributor of the year for 2021.
- Tracey is passionate about the Resilience discipline and spends a lot of time coaching and mentoring clients along their journey and also loves to share her knowledge through speaking engagements.