Business Continuity Blog

With significant experience in resilience, John Robinson shares his insight.

Video - The importance of ISO 22316 on the Brexit phenomenon

Posted by Mark Robinson on September 8, 2017

Recording of a PECB webinar hosted by John Robinson on the importance of ISO 22316 in the context of Brexit.

 

Webinar Commentary/Script

 

Slide 1 - Introduction

I’m John Robinson and in this webinar I’m going to explore how ISO 22316 can help us manage the Brexit phenomenon.

What qualifies me to do this?  I am a scientist and engineer by education, before moving into IT and business continuity in 1991.

My company Inoni was retained by the Bank of England, FSA and UK Treasury to benchmark resilience in the UK finance sector between 2005 and 2010

For which I received the BCI’s Lifetime Achievement Award.

We build resilience programmes for organisations and on behalf of insurers.

They come into contact with many who will unquestionably be affected by Brexit and other complex geopolitical risks. 

This led me to write the papers on the slide, amongst others.  

Of course, Brexit has not yet run its course and so the validity or otherwise of my conjectures is not proven.  We’ll have to wait and see.

Slide 2 - About Inoni

Inoni was formed when some of the banks involved in the Resilience Benchmarking Project asked if we could extend its scope to provide BC tools.

We now provide consulting and software services, specialising in resilience-building and related metrics, specifically capability maturity modelling.

We have some great customers, ranging from global corporates through to SMBs.

We enjoy finding practical new ways to solve organisational resilience issues.

Slide 3 - ISO 22316

So, to ISO 22316.  If you search the Internet, from the first 4 or 5 pages it becomes clear that any new standard is a gravy train that must be leapt upon

Few have a bad word to say about it.  However, when you speak with professionals in confidence, they seem less certain. 

My own initial reaction was not one of total enthusiasm.  I initially preferred the more pragmatic approach of BS 65000.

I decided the only way to identify benefit was to apply the standard to a real-world problem, ideally one I could extend to any organisation, hence selecting Brexit.

I work with organisations in the UK, in France, Africa, the Caribbean… right out to Australia.  It should benefit all.

There are some important considerations here:

  1. It must apply for all shapes and sizes, so is necessarily generalised.  It then states at the outset that there is no single approach.  There is a conflict here
  2. It states that the source of resilience lies in the mix of management disciplines that are defined elsewhere.  Optimise them and you become resilient.  They are the material content
  3. Standards are at their best when applied post-implementation.  They are not an instruction manual, they tell you what’s missing

My conclusion was “don’t expect much” but maybe I got a little more than I reasonably expected.

Slide 4 - Brexit

Last week I spent time working with one of the UK’s largest fruit and flowers packers and distributors, developing an impact model for their business.

Brexit was hardly discussed, possibly because of the intense uncertainty it brings.  It is the elephant in the room, delaying decisions and investment.

For them it represents an intense risk, driving willing and flexible migrant workers away from a labour-intensive seasonal business with super-sensitive customers.

Exposure can arise at all levels.  Supply is perhaps the most obvious, however demand is equally fragile.

Two near-identical firms serve near-identical customers, except one decides to relocate to Frankfurt and seeks a local provider. 

The complexity of the trading environment means that no two organisations face the same Brexit risk, and therefore their provisions against it need to be specialised.

It is also a systemic disruptor, meaning it affects currency values, interest rates, socio-political conditions, property values.  The risk environment changes.

Making any organisation demonstrably more resilient generally would be a good thing.  Making it resilient to Brexit is for some a necessity.

So let’s take a look at the Standard and see how it might help.  By tackling this most difficult of challenges, we should learn

Slide 5 - Attributes for Resilience

ISO 22316 includes:

- Principles = foundation

- Attributes = characteristics that allow principles to be adopted

- Activities = acts to deploy and optimize attributes

Rhetorical question:  how many of you are familiar with ISO 22310?  It was one of the first to adopt the PDCA Deming Model

The business continuity-specific ‘meat’ of the standard is mostly in the Operation section, the remainder is substantially management system

This is the same as 22301, possibly more so.  Almost every clause represents what most of us would think of as ‘good management’

The trick however, lies in the fact that the 20 or so resilience-related disciplines ALL get managed under ONE system

It’s as if they should each permeate this cellular model, giving it immense strength.

This is why it works.  Message one is therefore USE ISO 22316 TO INSTALL A DEMING MANAGEMENT SYSTEM

SO ARE THE ATTRIBUTES ONLY FOR RESILIENCE?   WHICH DO WE NEED FOR BREXIT?

Slide 6 - Attribute #1 Shared Vision and Clarity of Purpose

So here’s the first attribute.  Totally generic, nothing specific to resilience

Personally, I wouldn’t start here.  I need attribute 2 to be in place first – understanding – but we’ll come to that

For Brexit, it means your organisation needs to (even this is out of sequence)

- Get a comms plan in place, identify your audiences and stakeholders.  Let them know you’ll be keeping them informed

- Set the planned Brexit outcome so it aligns with business values and expectations (is acceptable)

- Check they stay in line

- Be ready to change

- Be ready to innovate

See what I mean… it’s not resilience-focused.  The same applies for security, risk, and so on

Use Brexit as your interpreter to see what it means generally

For Brexit… for resilience generally… Policy and Mission, Comms Plan, Project Office, Programme ToR

Slide 7 - Attribute #2 Understanding and influencing context

This is where I personally think it all begins.  A context model that represents the organisation in all its environments.

ISO talks about context but doesn’t define it, yet for me it is the essence of any resilience activity

WHY?  You need a clear model of the entity whose characteristics you are working to improve

For BC we use an elastic dependency model to do this so we can depict all critical internal and external relationships, sensitivities

We then use risk objects as targets for threats allowing a level of basic simulation.  It provides the basis for BIA and Risk Assessment, establishing rules, scenarios and strategies

It allows us to harden each object appropriately, fed with information – including the organisation as a whole

This is what I think is missing from the standard.  It hints at it but doesn’t explain why or how to use the information

It needs a third critical dimension adding to attributes and disciplines that allows the organisation to be consistently represented for resilience

THIS IS MY SECOND MAIN LEARNING POINT

Unsurprisingly, it’s the same model for Brexit as any other risk source.  But it allows us to repeatably represent the effects of Brexit-related threat patterns AND propose strategies

As the patterns become firmer, so do the strategies.

Now you have something worth communicating

Slide 8 - Attribute #3 Effective and Empowered Leadership

Resilience is (should be) a steady state condition, so does it need specialised leadership or simply management and a sponsor?

If so, how do you reconcile this with the 20-odd disciplines with responsibilities split between many heads and sponsors?

It sounds like it needs a process lead, Quality Director or similar with oversight

So do you assign Brexit responsibility within an executive, or do you ‘delegate… encourage others to lead… during period of uncertainty’.  An interesting discussion

It depends.  For many Brexit ought to be a side issue …UNLESS things become critical

In which case, different sets of skills may be required – crisis management (David Davis, Michel Barnier are proxy negotiators)

Are Brexit events treated as INCIDENTS that get managed operationally,

EMERGENCIES capable of programmed ‘blue light’ response, or

CRISES demanding a complete change of external representation

In which case, it would be useful to foresee whether things COULD become critical and ANTICIPATE the scenarios under which leadership changes character

Again, good modelling and scenario planning should prevent crisis and allow delegation to work

I think this means that for most organisations, Brexit probably needs a transformation project or programme with a capable leader answering to the CEO

The business then needs a way of setting criteria for escalation, probably threat-scenario based on the model I described

It then needs to refine and practice so the mechanism works

Slide 9 - Attribute #4 Creating a Resilient Culture

CULTURE is the ULTIMATE ENABLER or OBSTACLE.  It determines whether changes you make will stick, or simply revert as soon as the focus changes

I wrote a paper entitled Creating a Resilient Culture in 2003 and I know how difficult it is to know what you have

Since then we developed a range of tools for measuring resilience cultural maturity.  It keeps us very busy and is growing

So what is a resilient culture … read from the paper

Conclusion:  working with a mature resilient culture is like pushing an open door.  Improvements happen constantly and are welcomed

Depending on your situation, Brexit is possibly more interesting as a niche target!

Slide 10 - Attribute #5 Shared Information and Knowledge

The Context Model is built on updating INFORMATION.  It forms the basis for reasoning and decisions

I’m going to revert to Business Continuity again, or more precisely, Crisis Management

When we run an exercise, its realised value is almost always reflected in the quality of information gathered, transmitted, analysed and deployed

We encourage customers to evaluate, and if credible, use every source available to them.

Simply, it allows them to make better decisions

Stating the obvious, but do the same for Brexit. 

  • Build your network,
  • scan the horizon,
  • create a knowledge framework,
  • analyse it,
  • modify the model,
  • replay the informed scenarios and
  • adjust your strategies

Slide 11 - Attribute #6 Availability of Resources

ISO refers here to people, premises, technology, finance and information

Everything you need to close gaps, adapt, reinforce, replicate

Brexit may result in complications that affect the various systems and resources within your business that keep it running on a daily basis

  • If demand (your business model, competition) changes, it may affect the resources you need
  • If supply changes, the resources you need may no longer be available

Your Brexit strategy should therefore have a business-led recipe for resilience – a resource plan

e.g. you may predict a surge in demand as a competitor is taken out of the equation

This affects potentially everything and has seen a growing number of organisations relocating their headquarters.

Other resourcing strategies include

  • Stockpiling
  • Diversification
  • Replication
  • Redundancy
  • Re-sourcing or multi-sourcing
  • Globalisation
  • Termination

The general resilience message is ‘this is a programme with continuous demand’.  Be ready to pay for A LEVEL of RESILIENCE MATURITY

Slide 12 - Attribute #7 Development and Co-ordination of Management Disciplines

So here’s the list of disciplines (and mostly, Standards) I mentioned earlier, and I’m familiar with a number of them

Individually, they are a kind of network with weak linkages (coherence)… you could easily fall thru the gaps

They are not all wholly resilience-related, but have implications for resilience

Some already contain elements of management systems within the specification, whereas others don’t, according to age and maturity

Think of these as the reinforcing rods that go in each of the attribute pillars, creating a physically and metaphorically resilient structure.

The addition of attributes brings coherence

I can see ISO eventually offering this as the management system and then specific content that gets delivered via this construct.  But I’m guessing

It might reduce certification overheads and conflicts considerably

Is it overload?  Maybe.  However, most of us adopt one or other approach to each of these, however formal or informal

All we’re saying is use the same control and delivery vehicle

There’s one special point I’d like to make here, namely that the modelling method I mentioned earlier arose from the way we delivered BIA

That in turn originated from software development I carried out using object-oriented languages back in the 1980s

I’d separate it out and use it to add a third dimension to the picture I’ve painted for you here today

Slide 13 - Attribute #8 Supporting Continual Improvement

This is the detection system that enables proactive or opportunistic refinement. 

It is like the feedback amplifier in a closed-loop control system.  The better tuned it is for the organisation, the more closely you can track your objective

It tells you an opportunity to improve exists and reports it to you so you can evaluate it

It implies performance measurement, allowing you to converge on an ideal reference target – in this case a standard or for Brexit, an outcome

The application of this attribute for Brexit could help you survive, since (at worst) a 2-year timescale is inadequate for most reactive business change to deliver results.  A weekly Brexit review meeting with an appropriate agenda and participation

Slide 14 - Attribute #9 Ability to Anticipate and Manage Change

This attribute delivers the changes identified in #8 AND optimises any other (reactive) changes for resilience

Change is continuous in all the environments we operate in, and affects resilience, generally reducing it.

If you don’t adapt you fall behind – entropy sees to it.   It would be a brave IT manager that clung onto last year’s anti-virus software.

In fact a static system quickly becomes worse than useless as it offers false value and confidence, misleading and failing directors in their governance obligations.  Simply, we become potentially less resilient through inaction

Instead, this attribute encourages you to anticipate, avoid, adapt and generally enhance your resilience capability, scanning the horizon so you see change coming.

The application of this attribute for Brexit is real and could help you survive since time is of the essence and a 2-year timescale is inadequate for most business change to deliver results. 

  • You apply the context model and develop your strategy
  • You measure its performance so the outcome converges on your vision.
  • You repeat this at a frequency that exceeds the rate of change.
  • You stay ahead of the game at all times.

Practically, a regular meeting will do this

Source is Open Europe

Slide 15 - Evaluating Contributing Factors

So what do you think?  Can you see how 22316 might work for your organisation generally?

  • Identify and define the set of disciplines
  • Build the resilience management system to this pattern
  • Use it as the shared delivery mechanism
  • Set targets and converge on them

Do you believe 22316 could help you become resilient to Brexit? 

I can see situations now where the discipline it brings might help reduce uncertainty and deliver options

Before I conclude, I’d like to return to attribute #8

Slide 16 - Attributes as Maturity KPI

We used Inoni to set up a simple capability maturity model that measures organisations’ aptitude for running a 22316-aligned management system to support the webinar. 

It doesn’t attempt to tie in all the disciplines – simply too many questions.  If you’d like to take part – anonymously, please email me. 

It asks questions (like this) and assigns you a score on each of the 9 KPI (plus Monitoring). 

Slide 17

It measures capability maturity as opposed to compliance as this allows more variables to be addressed in the assessment, whilst still responding with a simple dropdown.  The ReadMe explains how it works, similar to CMMI

Slide 18

… and we can use it on a distributed basis, compound the results and so on.

I just have one more slide to conclude

Slide 19 - Conclusion

Generic.  It’s a dry read but contains value if you work at it

The framework is good… it is much better to just have ONE Deming MS for all subjects

…but has some practical pieces missing (imho the context model)

You will end up with a raft of resilience strategies to address different issues

One of these might be Brexit

OK so that’s about it.  It’s a slightly offbeat topic and I hope it got you thinking.  I’m not sure how many questions I may have answered, but I’m sure you’ll have many more.

Tags: Brexit, ISO 22316