Recording of a PECB webinar hosted by John Robinson on the importance of ISO 22316 in the context of Brexit.
Slide 1 - Introduction
I’m John Robinson and in this webinar I’m going to explore how ISO 22316 can help us manage the Brexit phenomenon.
What qualifies me to do this? I am a scientist and engineer by education, before moving into IT and business continuity in 1991.
My company Inoni was retained by the Bank of England, FSA and UK Treasury to benchmark resilience in the UK finance sector between 2005 and 2010, for which I received the BCI’s Lifetime Achievement Award.
We build resilience programmes for organisations and on behalf of insurers.
They come into contact with many who will unquestionably be affected by Brexit and other complex geopolitical risks.
This led me to write the papers on the slide, amongst others.
Of course, Brexit has not yet run its course and so the validity or otherwise of my conjectures is not proven. We’ll have to wait and see.
Slide 2 - About Inoni
Inoni was formed when some of the banks involved in the Resilience Benchmarking Project asked if we could extend its scope to provide BC tools.
We now provide consulting and software services, specialising in resilience-building and related metrics, specifically capability maturity modelling.
We have some great customers, ranging from global corporates through to SMBs.
We enjoy finding practical new ways to solve organisational resilience issues.
Slide 3 - ISO 22316
So, to ISO 22316. If you search the Internet, the first 4 or 5 pages make it clear that any new standard is a gravy train that must be leapt upon.
Few have a bad word to say about it. However, when you speak with professionals in confidence, they seem less certain.
My own initial reaction was not one of total enthusiasm. I initially preferred the more pragmatic approach of BS 65000.
I decided the only way to identify benefit was to apply the standard to a real-world problem, ideally one I could extend to any organisation, hence selecting Brexit.
I work with organisations in the UK, in France, Africa, the Caribbean… right out to Australia. It should benefit all.
There are some important considerations here:
- It must apply for all shapes and sizes, so is necessarily generalised. It then states at the outset that there is no single approach. There is a conflict here
- It states that the source of resilience lies in the mix of management disciplines that are defined elsewhere. Optimise them and you become resilient. They are the material content
- Standards are at their best when applied post-implementation. They are not an instruction manual, they tell you what’s missing
My conclusion was “don’t expect much” but maybe I got a little more than I reasonably expected.
Slide 4 - Brexit
Last week I spent time working with one of the UK’s largest fruit and flowers packers and distributors, developing an impact model for their business.
Brexit was hardly discussed, possibly because of the intense uncertainty it brings. It is the elephant in the room, delaying decisions and investment.
For them it represents an intense risk, driving willing and flexible migrant workers away from a labour-intensive seasonal business with super-sensitive customers.
Exposure can arise at all levels. Supply is perhaps the most obvious, however demand is equally fragile.
Two near-identical firms serve near-identical customers, except one decides to relocate to Frankfurt and seeks a local provider.
The complexity of the trading environment means that no two organisations face the same Brexit risk, and therefore their provisions against it need to be specialised.
It is also a systemic disruptor, meaning it affects currency values, interest rates, socio-political conditions, property values. The risk environment changes.
Making any organisation demonstrably more resilient generally would be a good thing. Making it resilient to Brexit is for some a necessity.
So let’s take a look at the Standard and see how it might help. By tackling this most difficult of challenges, we should learn
Slide 5 - Attributes for Resilience
ISO 22316 includes:
- Principles = foundation
- Attributes = characteristics that allow principles to be adopted
- Activities = acts to deploy and optimize attributes
Rhetorical question: how many of you are familiar with ISO 22310? It was one of the first to adopt the PDCA Deming Model
The business continuity-specific ‘meat’ of the standard is mostly in the Operation section, the remainder is substantially management system
This is the same as 22301, possibly more so. Almost every clause represents what most of us would think of as ‘good management’
The trick however, lies in the fact that the 20 or so resilience-related disciplines ALL get managed under ONE system
It’s as if they should each permeate this cellular model, giving it immense strength.
This is why it works. Message one is therefore USE ISO 22316 TO INSTALL A DEMING MANAGEMENT SYSTEM
SO ARE THE ATTRIBUTES ONLY FOR RESILIENCE? WHICH DO WE NEED FOR BREXIT?
Slide 6 - Attribute #1 Shared Vision and Clarity of Purpose
So here’s the first attribute. Totally generic, nothing specific to resilience
Personally, I wouldn’t start here. I need attribute 2 to be in place first – understanding – but we’ll come to that
For Brexit, it means your organisation needs to (even this is out of sequence)
- Get a comms plan in place, identify your audiences and stakeholders. Let them know you’ll be keeping them informed
- Set the planned Brexit outcome so it aligns with business values and expectations (is acceptable)
- Check they stay in line
- Be ready to change
- Be ready to innovate
See what I mean… it’s not resilience-focused. The same applies for security, risk, and so on
Use Brexit as your interpreter to see what it means generally
For Brexit… for resilience generally… Policy and Mission, Comms Plan, Project Office, Programme ToR
Slide 7 - Attribute #2 Understanding and influencing context
This is where I personally think it all begins. A context model that represents the organisation in all its environments.
ISO talks about context but doesn’t define it, yet for me it is the essence of any resilience activity
WHY? You need a clear model of the entity whose characteristics you are working to improve
For BC we use an elastic dependency model to do this so we can depict all critical internal and external relationships, sensitivities
We then use risk objects as targets for threats allowing a level of basic simulation. It provides the basis for BIA and Risk Assessment, establishing rules, scenarios and strategies
It allows us to harden each object appropriately, fed with information – including the organisation as a whole
This is what I think is missing from the standard. It hints at it but doesn’t explain why or how to use the information
It needs a third critical dimension adding to attributes and disciplines that allows the organisation to be consistently represented for resilience
THIS IS MY SECOND MAIN LEARNING POINT
Unsurprisingly, it’s the same model for Brexit as any other risk source. But it allows us to repeatably represent the effects of Brexit-related threat patterns AND propose strategies
As the patterns become firmer, so do the strategies.
Now you have something worth communicating
Slide 8 - Attribute #3 Effective and Empowered Leadership
Resilience is (should be) a steady state condition, so does it need specialised leadership or simply management and a sponsor?
If so, how do you reconcile this with the 20-odd disciplines with responsibilities split between many heads and sponsors?
It sounds like it needs a process lead, Quality Director or similar with oversight
So do you assign Brexit responsibility within an executive, or do you ‘delegate… encourage others to lead… during period of uncertainty’. An interesting discussion
It depends. For many Brexit ought to be a side issue …UNLESS things become critical
In which case, different sets of skills may be required – crisis management (David Davis, Michel Barnier are proxy negotiators)
Are Brexit events treated as INCIDENTS that get managed operationally,
EMERGENCIES capable of programmed ‘blue light’ response, or
CRISES demanding a complete change of external representation
In which case, it would be useful to foresee whether things COULD become critical and ANTICIPATE the scenarios under which leadership changes character
Again, good modelling and scenario planning should prevent crisis and allow delegation to work
I think this means that for most organisations, Brexit probably needs a transformation project or programme with a capable leader answering to the CEO
The business then needs a way of setting criteria for escalation, probably threat-scenario based on the model I described
It then needs to refine and practice so the mechanism works
Slide 9 - Attribute #4 Creating a Resilient Culture
CULTURE is the ULTIMATE ENABLER or OBSTACLE. It determines whether changes you make will stick, or simply revert as soon as the focus changes
I wrote a paper entitled Creating a Resilient Culture in 2003 and I know how difficult it is to know what you have
Since then we developed a range of tools for measuring resilience cultural maturity. It keeps us very busy and is growing
So what is a resilient culture … read from the paper
Conclusion: working with a mature resilient culture is like pushing an open door. Improvements happen constantly and are welcomed
Depending on your situation, Brexit is possibly more interesting as a niche target!
Slide 10 - Attribute #5 Shared Information and Knowledge
The Context Model is built on updating INFORMATION. It forms the basis for reasoning and decisions
I’m going to revert to Business Continuity again, or more precisely, Crisis Management
When we run an exercise, its realised value is almost always reflected in the quality of information gathered, transmitted, analysed and deployed
We encourage customers to evaluate, and if credible, use every source available to them.
Simply, it allows them to make better decisions
Stating the obvious, but do the same for Brexit.
- Build your network,
- scan the horizon,
- create a knowledge framework,
- analyse it,
- modify the model,
- replay the informed scenarios and
- adjust your strategies
Slide 11 - Attribute #6 Availability of Resources
ISO refers here to people, premises, technology, finance and information
Everything you need to close gaps, adapt, reinforce, replicate
Brexit may result in complications that affect the various systems and resources within your business that keep it running on a daily basis
- If demand (your business model, competition) changes, it may affect the resources you need
- If supply changes, the resources you need may no longer be available
Your Brexit strategy should therefore have a business-led recipe for resilience – a resource plan
e.g. you may predict a surge in demand as a competitor is taken out of the equation
This affects potentially everything and has seen a growing number of organisations relocating their headquarters.
Other resourcing strategies include
- Re-sourcing or multi-sourcing
The general resilience message is ‘this is a programme with continuous demand’. Be ready to pay for A LEVEL of RESILIENCE MATURITY
Slide 12 - Attribute #7 Development and Co-ordination of Management Disciplines
So here’s the list of disciplines (and mostly, Standards) I mentioned earlier, and I’m familiar with a number of them
Individually, they are a kind of network with weak linkages (coherence)… you could easily fall through the gaps
They are not all wholly resilience-related, but have implications for resilience
Some already contain elements of management systems within the specification, whereas others don’t, according to age and maturity
Think of these as the reinforcing rods that go in each of the attribute pillars, creating a physically and metaphorically resilient structure.
The addition of attributes brings coherence
I can see ISO eventually offering this as the management system and then specific content that gets delivered via this construct. But I’m guessing
It might reduce certification overheads and conflicts considerably
Is it overload? Maybe. However, most of us adopt one or other approach to each of these, however formal or informal
All we’re saying is use the same control and delivery vehicle
There’s one special point I’d like to make here, namely that the modelling method I mentioned earlier arose from the way we delivered BIA
That in turn originated from software development I carried out using object-oriented languages back in the 1980s
I’d separate it out and use it to add a third dimension to the picture I’ve painted for you here today
Slide 13 - Attribute #8 Supporting Continual Improvement
This is the detection system that enables proactive or opportunistic refinement.
It is like the feedback amplifier in a closed-loop control system. The better tuned it is for the organisation, the more closely you can track your objective
It tells you an opportunity to improve exists and reports it to you so you can evaluate it
It implies performance measurement, allowing you to converge on an ideal reference target – in this case a standard or for Brexit, an outcome
The application of this attribute for Brexit could help you survive, since (at worst) a 2-year timescale is inadequate for most reactive business change to deliver results. A weekly Brexit review meeting with an appropriate agenda and participation
Slide 14 - Attribute #9 Ability to Anticipate and Manage Change
This attribute delivers the changes identified in #8 AND optimises any other (reactive) changes for resilience
Change is continuous in all the environments we operate in, and affects resilience, generally reducing it.
If you don’t adapt you fall behind – entropy sees to it. It would be a brave IT manager that clung onto last year’s anti-virus software.
In fact a static system quickly becomes worse than useless as it offers false value and confidence, misleading and failing directors in their governance obligations. Simply, we become potentially less resilient through inaction
Instead, this attribute encourages you to anticipate, avoid, adapt and generally enhance your resilience capability, scanning the horizon so you see change coming.
The application of this attribute for Brexit is real and could help you survive since time is of the essence and a 2-year timescale is inadequate for most business change to deliver results.
- You apply the context model and develop your strategy
- You measure its performance so the outcome converges on your vision.
- You repeat this at a frequency that exceeds the rate of change.
- You stay ahead of the game at all times.
Practically, a regular meeting will do this
Source is Open Europe
Slide 15 - Evaluating Contributing Factors
So what do you think? Can you see how 22316 might work for your organisation generally?
- Identify and define the set of disciplines
- Build the resilience management system to this pattern
- Use it as the shared delivery mechanism
- Set targets and converge on them
Do you believe 22316 could help you become resilient to Brexit?
I can see situations now where the discipline it brings might help reduce uncertainty and deliver options
Before I conclude, I’d like to return to attribute #8
Slide 16 - Attributes as Maturity KPI
We used Inoni to set up a simple capability maturity model that measures organisations’ aptitude for running a 22316-aligned management system to support the webinar.
It doesn’t attempt to tie in all the disciplines – simply too many questions. If you’d like to take part – anonymously, please email me.
It asks questions (like this) and assigns you a score on each of the 9 KPI (plus Monitoring).
It measures capability maturity as opposed to compliance as this allows more variables to be addressed in the assessment, whilst still responding with a simple dropdown. The ReadMe explains how it works, similar to CMMI
… and we can use it on a distributed basis, compound the results and so on.
I just have one more slide to conclude
Slide 19 - Conclusion
Generic. It’s a dry read but contains value if you work at it
The framework is good… it is much better to just have ONE Deming MS for all subjects
…but has some practical pieces missing (imho the context model)
You will end up with a raft of resilience strategies to address different issues
One of these might be Brexit
OK so that’s about it. It’s a slightly offbeat topic and I hope it got you thinking. I’m not sure how many questions I may have answered, but I’m sure you’ll have many more.