Article Details
Author:     Peter Power 15/06/2009
Attached:  Article for Right Consultant.com.doc
 

Business Continuity – the need for next generation thinking

 

Peter Power

Visor Consultants (UK) Limited

 

A few months ago I was invited to take part in a ‘corporate resilience’ workshop in Whitehall. The organisers wanted to try and put some identifiable shape to 21st century concerns, defined by quickening threats and opportunities that are now evolving and mutating faster than before. So what?

Well, the reason for doing this seems pretty obvious to me. The last few years have been full of crises starting with 9/11 and including the Asian Tsunami, Madrid and London train bombs, widespread flooding, serious fires, earthquakes and even the spreading credit crunch and Northern Rock debacle.  Many of these occurred where we live and work. In familiar territory. Yet they have transformed the lives of many and we have come to acquire the vocabulary of the extraordinary.  However, these past few years are probably going to be the normal course for the future.

One of the workshop outcomes was to recognise that businesses (in the context of the private sector) are not necessarily resilient just by virtue of their existence. Being corporately resilient equates with being a successfully run organisation.

This means knowing that resilience in a fast changing world is predicated on a lot of corporate uncertainty where it’s difficult to know what events might change the business landscape for better or worse. It’s therefore not about maintenance of a presumed status quo.   

Put this way corporate resilience becomes a platform to integrate forward planning, reputation management, corporate social responsibility, risk management, governance, ethical and environmental policies and security. It has to be organic, participative and dynamic.  All well and good perhaps, but where does this leave Business Continuity which is, at the moment, a more commonly understood term than corporate resilience?

Perhaps that’s the real problem: These powerful issues could leave BC in its own backyard as new dilemmas require new solutions, but BC nowadays is by comparison compliance driven, aimed at maintenance of the operational status quo and without true integration with many of the concepts listed above. At least BC as we know it today, enshrined as it is in BS25999.

There is no doubt that this popular standard is in many ways a very useful application to measure and apply BC, but it’s not exactly dynamic and pays scant if any attention to many key issues ranging from resilience to crisis management. For example, resilience is simply mentioned as “the ability of an organisation to resist being affected by an incident.” and risk management vis a vis BC, is described as “BCM is complementary to Risk Management”.  

But isn’t this all about risk management in its widest interpretation and should we not therefore widen BC to be much more forward looking?  I think so. Take for example these extracts from recent reports on risk and BC:  

  • Royal United Services Institute: “Corporate entities are facing a dazzling array of fast changing conditions from technology to terrorism, social responsibility to social unrest…all these considerations now exist in a quickly evolving and mutating context….a company that is unable to respond to change will not survive…. Disparate approaches largely conceived through the prism of security and/or BC, creating an idea of control and risk-adversity, potentially disabling agility and innovation and are running counter to the business objectives of profit, customer satisfaction and shareholder value.”

  • UK Ministry of Defence Development, Concepts and Doctrine Centre: “During the next 30 years, every aspect of human life will change at an unprecedented rate…Three areas of change will touch the lives of everyone on the planet and will underpin these processes: climate change, globalization and global inequality…in all but the most affluent societies, rapid, large shifts in global markets, which are increasingly sensitive to uneven supply and changing demand, will result in potentially dramatic changes in personal fortune and confidence….This tension will heighten preoccupation with risk at every level.”

  • KPMG Report Living on the Front Line: “Organisations across the world are facing challenges from the global risks of terrorism, pandemic flu and climate change. The likely impacts of these risks are far wider and longer-term than business continuity preparations have traditionally been designed for…the ultimate goal for BC professionals is 'the resilient organisation'…able to maintain its most critical operations, and ultimately survive all but the most extreme forms of operational disruption. ‘One solution fits all’ is not an appropriate approach …BC teams must embrace multi disciplined skills….The emphasis is now clearly on delivering advanced BC solutions….improved connections to Operational Risk….Achieving greater diversity in BC arrangements is vital”.

  • 2007 World Economic Forum Report on global risks: “There is a fundamental disconnect between risk and mitigation…risks are rising …but the mechanisms in place to manage and mitigate risk at the level of business, governments and global governance are inadequate.”

Unless corporate resilience unavoidably takes over from BC because the latter simply cannot evolve, I can see many more workshops ahead before these varied conflicts start to become reconciled. That’s why I think a new or fourth generation of BC should be grasped now.   If so, how would this work?

To start with we need to crudely define the previous BC generations: First the generation that was essentially defined by the generic (and still not inaccurate) term contingency planning. The second generation was basically disaster recovery with its focus on trying to reassemble the broken bits after a disaster has occurred, followed by the present or third generation which is BC as defined by BS25999.

The next or fourth generation of BC should be characterised by its inclusive nature rather than exclusivity. Just that simple sentence makes it a lot different to what we have now.

4GBC™ would not just be complementary to risk management as stated in BS25999. It should be all about risk management – in its broadest context. But here it’s worth pausing a bit because so very many risk managers have not grasped BC, in similar fashion to so many BC managers not grasping risk management. I say this as a fellow of both industry institutes. We need to push the boundaries still further to recognise that whilst the Institute of Risk Management and BC Institute provide so many benefits, the concepts of risk and BC are not solely defined by them. They are wider than that and, I suggest, logically become one under the banner of 4GBC™ which could become:

 

  • A platform to integrate forward planning, reputation management, corporate social responsibility, risk management, governance, ethical and environmental policies and security.

  • A catalyst to move BC from just impact assessment to now plotting likelihood and mitigation of all mutating and evolving risks.

  • The mechanism to combine crisis and risk management, information and corporate security. Not just through the prism of either BC, risk or security, but together in absolute harmony with enterprise risk management, corporate social responsibility and environmental and ethical policies.

  • A process predicated on corporate uncertainty vis a vis reputation management, rather than maintenance of an ideal status quo.

  • The development of an organic, participative, dynamic and inclusive approach.

  • A coherent and holistic business strategy that combines accountability, customer confidence, and competitive advantage.

  • A mechanism to advance (1) the reality of corporate uncertainty - where it is not possible to know what events will alter the competitive operating landscape for better or worse and (2) the need to combine, not just complement, a range of existing but discrete activities.

  • A process that adopts a self healing and a wide learning ability.

  • The embodiment of much that is currently corporate resilience.

These last two points require a bit of specific explanation: Self healing requires 4GBC™ to cure itself if for any reason it breaks at some point because the risks to it are greater than anticipated.  It has to learn to be far more flexible than the third generation and learn from experiences. This means having a wide learning ability. This now raises the question of what is sometimes referred to as Isomorphic Learning which is defined as the facility to learn from the similar experiences of others.

It can be particularly important in the context of crises on a wide scale where organisations can benefit from each other's experiences with various types and scale of incidents.

As for corporate resilience, I think we can actually put a shape to this. Perhaps think of organisations and all their fragile strands that lead to outsourcing, stakeholders and suppliers as an entity. Then construct a six facet ‘box’ around each that contains mechanisms to (a) cope and/or (b) identify, treat, tolerate, transfer or terminate whatever risks exist according to each facet. For example, coping by increasing crisis management ability and identifying risks such as damage to reputation or even avian bird flu. Such a ‘resilience box’ will then resemble 4GBC.

There are many real challenges ahead for us that will assault our societies, countries, cultures, governments and businesses no matter where we live or work. No organisation or country can afford to either ignore the risks, or act in isolation when it considers them.  

Challenges will continue to emerge and evolve and if the WEF report above is to be believed, there will be an increasing disconnect between risk and mitigation in just about every risk facing us now and if left unchecked, for the future.  Their report concludes with sombre words: ‘Global risks cannot for the most part be mitigated out of existence. But inaction in the face of global risks is not an option, either for businesses or government’.

We must therefore recognise that risks and threats come as much from the faults in others as from the faults in ourselves – if we cannot accept the need to look again at what BC should do and how it should do it.  As Charles Darwin famously said:

“It’s not the strongest of the species that survives, nor the most intelligent, but the ones most responsive to change” 

A good place to start I think?

  

Gold, Silver & Bronze: What’s in a name?

 

Peter Power

Visor Consultants (UK) Limited

 

1985 was not a good year. In fact it was one of the worst ever for disasters. In February nine Police Officers were killed by a terrorist bomb in Belfast, in May fifty six people perished in the Bradford stadium fire and later that month thirty nine people were killed in the crush at Heysel stadium Brussels. 

The following month an Air India flight over Ireland was bombed, killing three hundred and fifty nine people on board. The remainder of that year saw one hundred and thirty seven people killed in a Delta Airlines crash in Texas, five hundred and twenty people losing their lives in a Japanese air crash, thirty one in another air crash in Wisconsin USA, sixty people shot in Malta when Egyptian commandos stormed a hijacked aircraft and a further two hundred and fifty six air passengers killed in Newfoundland. 

But just one event that year, when only one person was killed, changed forever the way the UK responds to all major emergencies and also how thousands of commercial operations deal with crises.

On Sunday 6 October 1985 a riot took place in North London that ended with the murder of PC Keith Blakelock. A management problem caused a failure to clearly appoint leaders for strategic, tactical and operational command, causing confusion at the rear and indecision at the front. The result was a riot out of control and a demand from all ranks never to repeat it.

In those days I was a senior Police Officer in a team at Scotland Yard responsible for analysing events such as bombings, fire and riots and hoping to find ideas to better deal with them. I had already spent years at the sharp end during what history has now labelled the ‘decade of disasters’.

The task on Monday 7 October was obvious and immediate:  Old time routine management was not suited to new time non routine events. Management had to be more accountable and so in a major incident ranks were henceforth going to be replaced by three roles: Who thinks, who directs and who does?  In other words (a) creating policy and thinking strategically, (b) directing the entire response at the scene and (c) doing the many ‘point of delivery’ tasks such as managing access points or protecting key buildings.  The first question was what should we call these three basic role holders?

The British Army were then using radio call signs such as ‘Sunray’ or ‘Sunray Minor’ to denote who was in charge and who was second in command and they were very familiar with tasks divided into strategic, tactical and operational. But somehow titles such as Sunray had a rather clumsy fit with the Police?  Next it was decided to explore names used in ancient Rome, not least because Police drills to use riot shields in 1985 were identical to those practiced by Roman soldiers 2000 years earlier.  However, being a Centurion, Consul or Emperor was not exactly going to be too PC in a PC world?  But the ancient world did lead us to Alchemists and so Gold, Silver and Bronze became the titles. We thought it was obvious, but not exactly so.

A few days later I was addressing a group of Sergeants as part of their regular training. Supremely confident that we had solved the serious failure a few days before with an easy to recall three layer command system, I outlined Gold as the top layer and asked therefore, what the next layers were?  I shall never forget one tongue in cheek answer: “frankincense and myrrh?”

In the 23 years since its creation the GSB structure has withstood several attempts to make it more complex, yet its simplicity remains its strength. It’s used all over the place. Typing ‘gold silver bronze command’ on Google calls up 163,000+ entries.

It was always intended to give individual people the titles Gold and Silver, supported by their own teams. Bronze also, but formal teams for them were seldom required. Not just layers that might inadvertently become the mechanism for the avoidance of responsibility? This is a key point as the firm intention, if at all possible, has to be the identification of people at the strategic/planning layer and those directing at the scene, plus others completing short-term tasks. Each knowing the parameters of their tasks and everyone recognising them, simply because they now have obvious titles based on their roles – not names or ranks. But how would (or perhaps should?) it work in the context of commercial sector organisations?

  • Gold - This is the person and his/her team responsible for setting the overall policy on how to respond to whatever crisis is occurring. In an ideal world Gold can be hands-off and only called when strategic problems or questions need to be answered. However, life is seldom so straight forward, so Gold and a team of special advisers are often very busy.  These figures will be senior people who should assemble according to the scenario and possible impact/consequences on the business. In particular, likely impacts on Finance, Business/Operations and Reputation should always be core considerations and people best placed to assess this at top level should be with Gold. Others such as legal, welfare, media relations, risk etc. are also very likely to be included.  
  • Silver – This is the person and his/her team responsible for coordinating actions wherever the ‘incident’ is geographically, or wherever is best placed to direct resources to contain and recover from the crisis. Usually a senior management team of experts within a business and responsible for co-ordinating and directing the resources of the organisation to ensure BC plans are being properly implemented.
  • Bronze – Any number of people most likely identified in BC plans as responsible for recovering/restarting crucial business functions. They have to make sure specific business continuity plans are implemented and take directions from Silver.

Key points applicable to each layer:

  • At all levels, especially Gold and Silver, succession planning will be needed to schedule new team members before the first teams become exhausted.
  • Whoever Gold or Silver is should not, ideally, be predetermined. The best approach is to have a cadre of skilled and competent people at these levels and the first available becomes the initial Gold or Silver, then others take over according to changes in the scenario and/or when eight hours have been completed.  
  • Avoid arcing where Gold directs Bronze with the result that Silver becomes superfluous. The vital thing is to separate not blend layers of command.
  • If applied properly you then start to use the same language as the emergency services and that can certainly help to clarify and accelerate the overall response.
  • SMEs will seldom, if ever, have the capability to run GSB in full, so the advice is to at least separate strategic thinking from operational doing and to remember that the names you actually use are not as important as the tasks.
  • Speed of decision making often varies between Gold (slow time) and Silver (quick time).

However, in recent years there has been a tendency to massage GSB and to bolt on unnecessary layers (there was talk not long ago of applying an extra ‘platinum’ layer for example). Moreover, there is an often seen tendency to pre-assign all layers with names in advance and when they are not available refer to caretaker people who fill in as ‘deputies’. This implies they are just keeping chairs warm until the real person arrives (if ever). Better I suggest, to have ‘alternates’ who should have the same executive capability as the preferred person?

I have seen examples of the Gold level, rather than applying their strategic muscle to the management of an emergency situation, use their executive position to actively remove themselves from the process. For example, I have personal knowledge of at least one occasion on 7 July 2005 when the executive board (de facto Gold) rushed home by individual taxis as soon as they could, leaving junior managers to cope.

Elsewhere, people at Gold and Silver layers find it irresistible to meddle in Bronze recovery actions and to make tasks important solely on the basis that you can measure them. For example, moving critical IT features to a recovery site. The really important tasks such as maintaining staff/stakeholder morale and business reputation are of course less easy to measure – but more important I suggest? Wide area catastrophes are also prone to GSB failings:

Extract from post Buncefield fire (2005) report:

“Key Difficulties: Use of different recovery area maps by Strategic (Gold) Command, Tactical (Silver) Command and the Recovery Group caused confusion…there was a difference between actions agreed with Strategic (Gold) Command and actions carried out on the ground. Providing consistent messages was difficult due to the situation constantly changing and the involvement of a number of organisations pursuing different priorities. Initial meetings were not in the right pattern with Strategic (Gold) and Tactical (Silver) Command meetings....there was incomplete understanding of the roles of Strategic (Gold) and Tactical (Silver) Commands and how they obtained their information and reached decisions…lack of status of Recovery Group decisions, unclear where it sat in relation to Strategic (Gold), Tactical (Silver) and Operational (Bronze) Commands. Having a clear understanding of where incident management ended and recovery started”.

Extract from Pitt report into serious UK flooding (2007).

 “In some areas responder organisations had difficulty in engaging effectively with the local response effort, possibly because Silver Commands were activated instead of Gold? Although these areas coped, the strategic perspective brought by Gold Command would have allowed more effective engagement by the full range of potential responders and hence the easier procurement of external resources. Local Resilience Forums should assess the effectiveness of their Gold facilities, including flexible accommodation, IT and communications systems”.

So what really is in a name?  I think these benefits:

  • Clearly defined responsibilities – strategic, tactical and operational.
  • Separates tasks to avoid overlap.
  • Uses titles/call signs in the form of a logical hierarchy.
  • Can be rapidly applied in emergency situations.
  • Is easy to understand and commonly applied elsewhere.
  • Role, not routine job title, focused.
  • Allows continuity of roles without the need to change titles/names.
  • Facilitates leadership.
  • In harmony with Crisis Management and BC plans

In 1985 we never imagined that 23 years later what we created then would be so ubiquitous now. Some changes will be inevitable, but as long as the core principles of GSB are recognised it might even be good for another 23 years?

Peter Power BA FCMI FEPS FIRM FBCI is Managing Director of Visor Consultants (UK) Limited, Piccadilly, London (email: info@visorconsultants.com). He and his team regularly help organisations prepare CM plans and deliver scenario based exercises as well as workshops, leadership courses and motivation sessions. Peter has considerable front-line experience of many real incidents and his research on crisis decision making is quoted in the UK Government (Cabinet Office) Guide on Integrated Emergency. He is a member of several committees including the Resilience sub group of the UK Security Review Commission and BSI draft Crisis Management PAS/standard. He is also the primary author of the UK Gold, Silver & Bronze command system.

 
 