Post on 23-Feb-2020
Suffolk County CouncilSuppliers & Contractors February-March 2017
Business Continuity
Rick Thornton, Business Continuity Manager
Some chalk and talk.
Practical sessions to put the theory into practice.
Time to ask questions and discuss answers.
Business Continuity
The format today…
Presentation handouts
Fire exits etc.
Business Continuity…
…ensures that your essential services and activities are protected and recovered in the event of a major disruption.
Business Continuity
Keep it functioning (products and services).
Maintain your reputation.
Keep your customers happy (keep SCC happy).
Keep ahead of the competition.
Meet regulatory duties.
Save on the cost of recovery.
Reduce the hassle and stress.
Business Continuity
Why do Business Continuity?To protect your business in the event of a disaster.
We still retain a responsibility to the customer.
Maintain our reputation.
Meet our statutory duties.
Saves on our costs of recovery.
Reduce our hassle and stress.
Business Continuity
Why do we want you to do Business Continuity?
To minimise the disruption of our critical services.
Disruptions include…
A business continuity plan, reviewed annually.
An officer responsible for BC.
Internal awareness for those with a key role.
Cooperation with SCC in “peacetime” – e.g. the survey.
Cooperation with SCC in an incident.
Business Continuity
What SCC expects you to have…
A statement as to how quickly you will recover your contracted service. *
List of your critical services/functions/activities.
An analysis of the threats to those services.
Incident management and communication processes.
Clear recovery actions and contingencies.
Business Continuity
What SCC expects in your BC Plan…
* Force Majeure and Acts Of God
We asked you to send in your BC plans, 309 did, which was good.
The not so good news…over half (59%) of those plans showed a lot of room for improvement (i.e. they scored less than half marks).
Business Continuity
A recent survey…
Help you develop good BC Plans.
Identify what else you can do to get prepared.
Time to ask questions and discuss answers.
Business Continuity
Therefore, the objectives for today are…
So, a mix of presentation and discussion.
Did you bring your BC plan?
Primarily…
Incident management – control and communications.
Contact details – how you get hold of key people.
Contingencies – options and actions to recover your service.
Dated – showing its annual update.
Plus…
Recovery time – how quickly your service should be recovered.
BIA – analysis of critical activities and the threats to those activities.
Roles and responsibilities – who does what in an incident
Your critical suppliers and contractors (and how to contact them).
Detail – enough to make it helpful, but still usable in a crisis.
Business Continuity
What makes a good BC Plan?
What sort of plan… “fit for purpose”
General company BC plan.
BC plan for a location (e.g. care setting or office).
Threat-specific plans (e.g. Flu Pandemic).
Disaster Recovery Plan (IT only).
Policy vs Plan.
Templates…
Overrated, can be misunderstood, can be OTT.
Can get you started, but don’t be a slave to them.
Business Continuity
Firstly…before you start…
Empty templates.
First Discussion
Introduce yourself to your neighbour.
“You show me yours and I’ll show you mine.”
What is it’s origin and history?
What is your relation to it?
Is the template/format fit for purpose?
Business Continuity
Those without a plan...
How you control things at the time…
Who’s in charge.
Checklist
Flowchart
Plus…
A communications plan.
Call cascade.
Other stakeholders.
Business ContinuityIncident Management
Maybe… Evacuation process. Media management.
Should be common to all BC Plan types.
Either because you need them or they need to know.What I look for…1. Contacts for your key players in a crisis.
Incident manager.
Staff expected to respond.
Senior managers.
Experts (IT, Comm’s, Property, HR, Insurance).
2. Contacts for your key contingencies.
Care setting place of safety.
Medium/long term alternative office accommodation.
IT provider, utilities, transport.
Staff agency.
Business ContinuityContact Details
Look internal as well as external.
Should be common to all BC Plan types.
Either aim these at your key threats/risks…(most common)
Loss of site/location/office/care setting.
Loss of utilities
Loss of IT and communications.
Loss of staff.
Maybe; fuel, critical supplier, bomb threat, flu pandemic.
Or aim them at your critical services/activities/functions…(rare)
Resources required (people, accommodation, IT applications).
Alternative ways of getting these resources.
Key providers.
Business Continuity
Recovery actions and contingencies…
One of the most common mistakes is to confuse these, putting threats into a function analysis.
Should be common to all BC Plan types.
What do I look for, what gets half marks…
Care settings – immediate place of safety (xcheck contact details).
Generally – alternative office accommodation vs WFH.
IT – not just data back up recovery, but what you do if...
Utilities – not just calling the utility company, but what you do if...
People – not just “hire from an agency”, but what you do if...
Nice to have…
Evacuation process.
Utility shut off points.
IT Disaster Recovery details.
Flu Pandemic plan.
Business Continuity
Recovery actions and contingencies…
Doesn’t matter what you call them…Action Cards, Recovery Plans…make them easy to find(not buried in the Appendices).
Your next neighbourly discussion…
What do you think of it so far?
How do your BC Plans measure up?
Business Continuity
Analysis of critical activities and the threats to those activities.
Part 1. List of critical services/activities/functions.
Define the critical bit (AKA minimum service level).
How quickly it should be recovered.
Maybe…
Key players for each service/activity.
Minimum resources (people, space, equipment/materials, IT)
Even if the service/activity is contracted out.
Business Continuity
Business Impact Assessment…
Is IT a critical service/activity/function?
Part 2. The threats that could disruption your critical services.
List the threats…don’t go overboard.
Risk assessment - Likelihood and Impact.
Maybe…
Scoring and colour-coding.
Include risk mitigation.
The purpose of this section is to set the agenda for RAs & Cs.
Business Continuity
Business Impact Assessment…
So, don’t put the recovery actions in the analysis, keep separate.
Should a BIA be common to all BC Plan types?
Who does what in an incident…usually checklists… Should be clear for awareness and accountability.
Incident Manager/Team, Op’s Manager, Comm’s Officer, HR etc.
OK to put these in IM or RA & C sections.
Not mandatory to have a separate R&R section.
Useful cross check (and useful in training).
Business Continuity
Roles and Responsibilities…
Maybe common to all BC Plan types.
Date your document
Self explanatory…demonstrates its review and update.
Useful for identifying the most up to date document.
Business Continuity
Who you normally depend on…
So, if they failed, you would struggle to deliver your service.
(Similar to utilities)
Minimum – access to a list of contact details.
Should have recovery actions and contingencies…
Alternative providers.
Work round.
Business Continuity
Critical Suppliers and Contractors…
Also consider who you might need in a crisis.
Enough to make it helpful, but still usable in a crisis.Key areas I look at…
Incident management.
Recovery actions and contingencies.
Critical services (RTOs) and threats.
Extras - evacuation plan, Comm’s plan, resource lists, threat-specific plans, flood plans.
Business Continuity
The 9th criteria…the level of detail…
Put yourself in the shoes of the person in the eye of the storm.
Next neighbourly discussion
Which bits are you going to focus on first?
Business Continuity
Business Continuity
Peace-time preparations…
Warnings…
Environment Agency flood warnings.
Met Office weather warnings (+ other providers).
Utility preferential response schemes…
Anglian Water - WaterCare.
Essex & Suffolk Water – Priority Services
UKPowerNetworks – Priority Services Register.
National Grid (Gas) - ??
Business Continuity
Peace-time preparations…
Cheap and cheerful…
Buddy up, e.g. your immediate place of safety.
Battlebox (buddy exchange).
Critical information back up (belt and braces).
Bottled water.
More serious investment…
Alternative electrical heating for a gas outage.
Flood protection (impartial advice from National Flood Forum).
Power generation (fixed vs mobile (hook-up).
Work Area Recovery (sites vs services (call handling).
Business ContinuityGet to know your utility provider…UK Power Networks…the good news…12 hour restoration target.
If they have your mobile No., they can text power outage details.
If you call 105, they can provide local information on outages.
Red Cross provide support to the vulnerable in a prolonged outage.
Priority Services Register – they call you to check you are OK.
The not so good news…
Any powered phone will not work in a power cut, so always have an old fashioned one that works without power.
Priority Services Register does not mean you will get your power restored quicker or that they will turn up with a generator.
Finally, climate change is increasing the likelihood, but technology is decreasing the the impact (i.e. duration).
Trim your trees!
Business Continuity
BC management…Ownership…
Flag up residual risks to senior management.
Devolve responsibility to local managers.
Review…
Check contact details quarterly.
Check the rest (esp. contingencies) annually.
Training & Awareness…
Training for those with responsibility.
Awareness for everyone else.
Exercise – optional, the scale should match the risk.
Second opinion – uninformed, informed, accreditation.
Business ContinuityHow can we help?
We can provide (generally or for social care) :
A simple guide.
Templates to fill in.
A second opinion…be a “critical friend”.
Free
Go to our website, send me your plan...
rick.thornton@suffolk.gov.uk, 01473 260439
www.suffolkresilience.com
Those starting out…have you got what you need to draft a BC Plan?
Those with BC Plans…have you picked up some ideas for improving them?
Are there any unanswered questions?
Business Continuity
Did we achieve today’s objectives?
Please complete the feedback form