Suffolk County Council Suppliers & Contractors February-March 2017 Business Continuity Rick Thornton, Business Continuity Manager
The format today… Some chalk and talk. Practical sessions to put the theory into practice. Time to ask questions and discuss answers. Presentation handouts. Fire exits etc.
Business Continuity… …ensures that your essential services and activities are protected and recovered in the event of a major disruption.
Why do Business Continuity? To protect your business in the event of a disaster. Keep it functioning (products and services). Maintain your reputation. Keep your customers happy (keep SCC happy). Keep ahead of the competition. Meet regulatory duties. Save on the cost of recovery. Reduce the hassle and stress.
Why do we want you to do Business Continuity? To minimise the disruption of our critical services. We still retain a responsibility to the customer. Maintain our reputation. Meet our statutory duties. Saves on our costs of recovery. Reduce our hassle and stress.
Disruptions include…
What SCC expects you to have… A business continuity plan, reviewed annually. An officer responsible for BC. Internal awareness for those with a key role. Cooperation with SCC in “peacetime” – e.g. the survey. Cooperation with SCC in an incident.
What SCC expects in your BC Plan… A statement as to how quickly you will recover your contracted service. * List of your critical services/functions/activities. An analysis of the threats to those services. Incident management and communication processes. Clear recovery actions and contingencies. * Force Majeure and Acts Of God
A recent survey… We asked you to send in your BC plans, 309 did, which was good. The not so good news…over half (59%) of those plans showed a lot of room for improvement (i.e. they scored less than half marks).
Therefore, the objectives for today are… Help you develop good BC Plans. Identify what else you can do to get prepared. Time to ask questions and discuss answers. So, a mix of presentation and discussion. Did you bring your BC plan?
What makes a good BC Plan? Primarily… Incident management – control and communications. Contact details – how you get hold of key people. Contingencies – options and actions to recover your service. Dated – showing its annual update. Plus… Recovery time – how quickly your service should be recovered. BIA – analysis of critical activities and the threats to those activities. Roles and responsibilities – who does what in an incident. Your critical suppliers and contractors (and how to contact them). Detail – enough to make it helpful, but still usable in a crisis.
Firstly…before you start… What sort of plan… “fit for purpose” General company BC plan. BC plan for a location (e.g. care setting or office). Threat-specific plans (e.g. Flu Pandemic). Disaster Recovery Plan (IT only). Policy vs Plan. Templates… Overrated, can be misunderstood, can be OTT. Can get you started, but don’t be a slave to them. Empty templates.
First Discussion Introduce yourself to your neighbour. “You show me yours and I’ll show you mine.” What is its origin and history? What is your relation to it? Is the template/format fit for purpose? Those without a plan...
Incident Management How you control things at the time… Who’s in charge. Checklist. Flowchart. Plus… A communications plan. Call cascade. Other stakeholders. Maybe… Evacuation process. Media management. Should be common to all BC Plan types.
Contact Details Either because you need them or they need to know. What I look for… 1. Contacts for your key players in a crisis. Incident manager. Staff expected to respond. Senior managers. Experts (IT, Comm’s, Property, HR, Insurance). 2. Contacts for your key contingencies. Care setting place of safety. Medium/long term alternative office accommodation. IT provider, utilities, transport. Staff agency. Look internal as well as external. Should be common to all BC Plan types.
Recovery actions and contingencies… Either aim these at your key threats/risks…(most common) Loss of site/location/office/care setting. Loss of utilities. Loss of IT and communications. Loss of staff. Maybe; fuel, critical supplier, bomb threat, flu pandemic. Or aim them at your critical services/activities/functions…(rare) Resources required (people, accommodation, IT applications). Alternative ways of getting these resources. Key providers. One of the most common mistakes is to confuse these, putting threats into a function analysis. Should be common to all BC Plan types.
Recovery actions and contingencies… What do I look for, what gets half marks… Care settings – immediate place of safety (cross-check contact details). Generally – alternative office accommodation vs WFH. IT – not just data back up recovery, but what you do if... Utilities – not just calling the utility company, but what you do if... People – not just “hire from an agency”, but what you do if... Nice to have… Evacuation process. Utility shut off points. IT Disaster Recovery details. Flu Pandemic plan. Doesn’t matter what you call them…Action Cards, Recovery Plans…make them easy to find (not buried in the Appendices).
Your next neighbourly discussion… What do you think of it so far? How do your BC Plans measure up?
Business Impact Assessment… Analysis of critical activities and the threats to those activities. Part 1. List of critical services/activities/functions. Define the critical bit (AKA minimum service level). How quickly it should be recovered. Maybe… Key players for each service/activity. Minimum resources (people, space, equipment/materials, IT). Even if the service/activity is contracted out. Is IT a critical service/activity/function?
Business Impact Assessment… Part 2. The threats that could disrupt your critical services. List the threats…don’t go overboard. Risk assessment - Likelihood and Impact. Maybe… Scoring and colour-coding. Include risk mitigation. The purpose of this section is to set the agenda for RAs & Cs. So, don’t put the recovery actions in the analysis, keep separate. Should a BIA be common to all BC Plan types?
Roles and Responsibilities… Who does what in an incident…usually checklists… Should be clear for awareness and accountability. Incident Manager/Team, Op’s Manager, Comm’s Officer, HR etc. OK to put these in IM or RA & C sections. Not mandatory to have a separate R&R section. Useful cross check (and useful in training). Maybe common to all BC Plan types.
Date your document Self-explanatory…demonstrates its review and update. Useful for identifying the most up to date document.
Critical Suppliers and Contractors… Who you normally depend on… So, if they failed, you would struggle to deliver your service. (Similar to utilities) Minimum – access to a list of contact details. Should have recovery actions and contingencies… Alternative providers. Work round. Also consider who you might need in a crisis.
The 9th criterion…the level of detail… Enough to make it helpful, but still usable in a crisis. Key areas I look at… Incident management. Recovery actions and contingencies. Critical services (RTOs) and threats. Extras - evacuation plan, Comm’s plan, resource lists, threat-specific plans, flood plans. Put yourself in the shoes of the person in the eye of the storm.
Next neighbourly discussion Which bits are you going to focus on first?
Peace-time preparations… Warnings… Environment Agency flood warnings. Met Office weather warnings (+ other providers). Utility preferential response schemes… Anglian Water - WaterCare. Essex & Suffolk Water – Priority Services. UK Power Networks – Priority Services Register. National Grid (Gas) - ??
Peace-time preparations… Cheap and cheerful… Buddy up, e.g. your immediate place of safety. Battlebox (buddy exchange). Critical information back up (belt and braces). Bottled water. More serious investment… Alternative electrical heating for a gas outage. Flood protection (impartial advice from National Flood Forum). Power generation (fixed vs mobile (hook-up)). Work Area Recovery (sites vs services (call handling)).
Get to know your utility provider… UK Power Networks…the good news…12 hour restoration target. If they have your mobile No., they can text power outage details. If you call 105, they can provide local information on outages. Red Cross provide support to the vulnerable in a prolonged outage. Priority Services Register – they call you to check you are OK. The not so good news… Any powered phone will not work in a power cut, so always have an old-fashioned one that works without power. Priority Services Register does not mean you will get your power restored quicker or that they will turn up with a generator. Finally, climate change is increasing the likelihood, but technology is decreasing the impact (i.e. duration). Trim your trees!
BC management… Ownership… Flag up residual risks to senior management. Devolve responsibility to local managers. Review… Check contact details quarterly. Check the rest (esp. contingencies) annually. Training & Awareness… Training for those with responsibility. Awareness for everyone else. Exercise – optional, the scale should match the risk. Second opinion – uninformed, informed, accreditation.
How can we help? Free: We can provide (generally or for social care): A simple guide. Templates to fill in. A second opinion…be a “critical friend”. Go to our website, send me your plan... rick.thornton@suffolk.gov.uk, 01473 260439 www.suffolkresilience.com
Did we achieve today’s objectives? Those starting out…have you got what you need to draft a BC Plan? Those with BC Plans…have you picked up some ideas for improving them? Are there any unanswered questions? Please complete the feedback form