How business continuity management training fostered interdepartmental understanding.
With the help of business continuity consultancy from Inoni, Reed & Mackay Limited, a high-end City-based travel agency, carried out a highly cost-effective and innovative Business Impact Analysis, en route to ISO 22301 certification.
Reed & Mackay was founded in 1962 as a City-based travel agency and now employs more than 300 staff from sites in the City of London and Essex. In 1988 they expanded into strategic business travel management, becoming established as a leading company in this market. Over the years, they have shown themselves to be robust and stable, offering consistently high value despite world events such as 9/11, SARS and the more recent credit crunch. Today R&M has a turnover in excess of £200M and offers business travel and event management services. R&M’s marketplace is diverse and they created Global Specialist Markets in 2006 to consolidate and expand their international capability. The business is driven by a strong quality emphasis and this sets the tone for business continuity.
Business travel is R&M’s primary market. It is a complex, competitive and highly interconnected area, super-sensitive with customers always looking for improvement. R&M has occupied a niche at the high end of this space brought about by its focus on delivering outstanding value through ‘high touch’ and online solutions. Most customer interaction takes place using a consultative approach with a distinctive style and fit for each client’s business. The phrase ‘high touch’ is synonymous with the way the business works and reflects the intensely hands-on personal interface demanded by clients.
R&M has systematically evolved its working environment over 50 years, improving and investing to accommodate ever-changing patterns of demand. This extreme refinement is reflected in both its sensitivity and risk management strategy - for example a high percentage of transactions may be affected if phones can’t be answered within three rings. Similarly, R&M’s consultants rely heavily on their bespoke booking management system. Built and supported in-house, it is vital to all business travel booking and research, providing speed and accuracy. The business has a unique risk profile and demands a similarly optimised continuity plan tightly focused by a precise BIA.
Drivers and Enablers
“Every business should own a continuity plan”. Easily said; however, continuity requires considerable investment of time, skills and money, and this rests on a sound business case. You need to assemble an arsenal of allies, accurate facts and a tried and tested route map before you get to move past first base. The conditions at R&M were therefore pivotal in making BCM happen:
- Executive backing. Perhaps the single greatest success factor for the programme lies in its sponsorship, involvement and hands-on support by R&M’s CEO, Andy Hibbert. He put the implementation of BCM high on the firm’s agenda.
- Client imperative. Although R&M is not directly regulated, the effects of legal and financial sector regulation have been increasingly passed down the supply chain, making demonstrable BCM a competitive and commercial necessity.
- Commercial advantage. R&M’s commercial team see direct benefits arising from certification, advancing their competitive position in bids and tenders.
- Pre-existing measures. Resilience-building at Reed & Mackay started with technology, driven by an experienced IT Director doing what came naturally when responsibility for minute-by-minute operations rests entirely with his team. Investment in replicating systems and an equipped DR work area was already budgeted.
- Awareness of risks. The continuity risks faced by the business are similar to those faced by many others in the City, with an emphasis on threats to cash flow, staff, infrastructure, information and suppliers. Key to each of these is the timeframe within which any form of major disruption starts to ‘bite’ and subsequently becomes intolerable. Minor incidents over a number of years and the ensuing emergency response provide testament to this and were instrumental in securing senior management’s approval.
- Cultural acceptance. R&M has a policy of best practice operation and is currently certified to ISO Standards 9001, 27001 and 14001, all overseen by a full-time Head of Governance, Risk Management & Compliance, Suzanne Elmore, co-author of this paper. The existing management systems framework supported the decision to seek ISO 22301 certification. This prior experience and resulting acceptance by management and staff has been an undoubted enabler, accelerating and simplifying uptake.
Reed & Mackay’s BIA was authorised in September 2012 and the project began in October.
The firm’s initial aim was to deliver a BS25999-aligned Business Impact Analysis that accurately reflected its operations. This objective was later amended to support compliance with ISO 22301, although no major changes to the project plan were required. The key milestones were:
- Engagement, including proposal, meeting and non-disclosure agreement (July 2012)
- Preparation and on-site information-gathering. R&M supplied background information followed by two days of intensive interviews (September 2012)
- Analysis and draft report production (October 2012)
- Workshop preparation and delivery (November 2012)
- Review, update and signoff (December 2012)
This is recognisable as a standard approach. However, for implementation we overlaid the ISO best-practice framework with two practical delivery tools:
- Dependency mapping provided interviewees with a shared point of reference and a clear structured model of the business from a resilience standpoint. The proprietary model provided a powerful medium for representation, discussion and analysis, clearly setting out relationships between multiple business entities, suppliers and dependent external parties. It became an integral part of the BIA and is now used for reference by the business.
- Online resilience software meant collected information could be translated directly from the dependency model and entered either during or immediately following each interview session. The software published a draft MS Word BIA, updating daily, following each interview and review, and ultimately delivering a final BIA document for signoff. Subsequent changes in the business have since been reflected in the software, producing an updating auditable report. Again, the software has been retained by the business.
Each of these tools proved to be transformational, requiring just 6 days of consultant effort in all to deliver a comprehensive and detailed BIA document, an exceptional level of business buy-in and greatly improved insight into the organisation’s resilience characteristics and requirements.
Figure 1. R&M’s Impact Profile showing relative sensitivity of each key business function
The Management Workshop
The BIA programme included a workshop for all executives and senior managers. Authorised and mandated by the CEO, the workshop was fully attended and ran from 10 am to 4 pm, with the aim of no-holds-barred analysis and debate of all aspects of the BIA. Key areas covered were:
- The risk landscape including risk background, debate surrounding threat levels, impact types and tolerances and risk register status, leading to re-prioritisation in some key areas.
- Review of the dependency model, including discussion of internal and external tolerances to disruption, with direct implications for service and departmental recovery deadlines.
- Round-table scenario exercise. This was a revealing activity with each department head responding for their area, fine-tuning the BIA. Vitally, this crossed the boundary from theoretical to intensely practical, feeding strategy ideas into the subsequent BCP.
Workshop outcomes changed many aspects of the draft BIA, specifically: challenging assumptions, sharing a refined understanding of risk and risk appetite, incorporating new aspects of external market and supply chain behaviour, and reflecting changes occurring within departments with implications for others. We were able to reflect these changes in the BIA immediately following the workshop, readying it for review and signoff.
What we Learned
For obvious reasons, some of the BIA’s findings must remain confidential as they represent competitive material. However, a number of general points were identified and these may be beneficial for others in a similar position.
Markets, market position and risk appetite dictate what you do. Reed & Mackay operates within a highly interconnected network of firms, competitors and media, where word spreads fast, acting as an amplifier and determining the rate at which an outage becomes a crisis. This also ensures that failures – and particularly sustained or recurring failures – are talked about and remembered. Once lost, reputation may be impossible to regain, with competitors and media perpetuating and exaggerating recollection of the outage. Firms with this kind of profile need near-immediate recovery capability and exceptional crisis PR.
Do we need to condition customers? Some clients will not hesitate in seeking legal redress and in some lines of business there may be many such claims. There may be a case for factoring realistic disruption expectation into standard terms of business, beyond standard Force Majeure.
The timing of an incident can make a significant difference to the response. Most organisations are cyclic and seasonal to some extent with predictable peaks that consume capacity, requiring a potentially different response. At any point in time you need to be able to predict exactly where the peaks are likely to occur and resource accordingly.
People need to know what to expect. Business unit criticality and required resumption times vary enormously within an organisation, typically from minutes to months. Perceptions of these tolerances may not be consistent, particularly if operation is silo’ed, resulting in an unexpected competition for resources in an incident. You need to resolve these differences.
Balance residual risk against what you’re willing to spend. R&M’s BIA showed there are not enough recovery seats to accommodate all staff at peak times. This is no surprise and an accepted risk. Senior management know that ‘soft’ measures can be positioned to absorb some of the risk.
Why? Permanent readiness implies a high level of functional duplication and certainty, which comes at a price. Instead, your organisation may decide to tolerate a level of downtime and some revenue, reputation and client loss, reflecting its ability to retain any affected clients. Senior management should set this level, understand its implications, and implement a continuity plan that balances downtime against tolerance. Some response targets may be acceptable and achievable as a result of planning alone with minimum capital investment.
People are a deciding factor. R&M has a resilient IT architecture – a fully redundant network connects offices and data centres to a recovery work area facility, providing near-immediate access to replicated systems. With technology accounted-for, time taken to travel to, access and activate this work area is now the limiting factor, so the emphasis is on all staff knowing where to go and what to do, directed by a highly connected and practised crisis management team.
Revenue is not the only form of impact. Some non-core aspects of business can attract seemingly disproportionate impact and risk. Take for example any sideline activity or event involving multiple clients; any negative aspect arising from an incident potentially transmits immediately across the marketplace. Reputation is damaged, business levels fall and the impact is felt across the business.
Reed & Mackay undoubtedly benefited from the act of completing a BIA. Partly, this stems from simply having satisfied an ISO audit point, but far more significant is the rise in the organisation’s awareness of its continuity risk environment. Such insight is an intangible asset, with a consistent understanding now embedded in the minds of staff as a consequence. This affects decisions and daily operations in all areas, crossing the boundaries between what were previously business silos, as risk and continuity considerations are factored into each business change. In our view, simply completing a BIA has made the business more insightful, communicative and resilient.