This week Charlie looks at the relationship between business continuity and emergency response.
I have noted within LinkedIn forums, on Pulse, Continuity magazine and on various blog sites and portals that there is a gathering debate on whether business continuity is fit for purpose. Have changes in the threat landscape made it relevant and what direction should the profession taken? Thrown into the mix is the new buzz word of the moment, resilience, and there is much debate on what it is and how it fits with business continuity. There was an excellent statement from the BCI in February by Tim Janes, one of the BCI’s Board Members, which stated that for the BCI, resilience and business continuity complemented each other but were separate with organizational resilience having a much wider scope than business continuity. The BCI stated purpose to "promote a more resilient world” but the organisation was not going to put resilience into its title.
For this week’s bulletin I thought I would explore the concept of emergency response and highlight some of the issues I have seen with the concept, working with a number of different organisations’ in different sectors, as a way of adding to this debate.
According to the HM Government publication, Emergency Response and Recovery Non Statutory guidance - revised version October 2013, ‘response encompasses the decisions and actions taken to deal with the immediate effects of an emergency’. Within many plans that I see, there is an emergency response phase which takes place from an incident occurring to it being brought under control, and the incident no longer being a threat to ‘life and limb’.
I have always felt that business continuity, as outlined in the BCI Good Practice Guidelines 2013, is geared up to people working in offices. The concepts work well, if we have them we do a threat analysis on PPRS (people, premises, resources and supplier) and then put plans in place for their recovery and the job is done. All we need to do is exercise them and keep them up to date. The emergency response phase of the incident is usually very easy to manage, as it consists mostly of evacuating the office, accounting for staff and then waiting for the fire service to put out the fire. This is relatively short and the plan then swiftly moves on to recovery of operations at an alternative location.
Where I feel business continuity is more unsure of itself is within industries such as manufacturing, oil, gas and chemicals, where they have all the PPRS issues but also the additional issue of an incident which doesn’t neatly fall into PPRS. This was brought home to me recently when I worked on a major project rolling out the full business continuity lifecycle to a large manufacturing plant. We came onto site, ironically to teach them incident management, to find they were in the middle of a major incident. There had been a spillage of fuel oil on site which had got into the local river. The plant health and safety team were responsible for writing the emergency response plan and had oil clean up equipment and trained personnel. It very quickly became obvious to me that I have focussed too much on planning for PPRS incidents and not looked at the wider range of incidents which could affect the plant.
I had a similar experience in the oil industry when implementing business continuity and coming across some very comprehensive emergency response plans for dealing with the immediate response to a fire or oil spill incident. What they lacked was any plans for managing the situation after the incident had been stabilized and how the consequences of the incident would be managed. The other issue which they were very light on was stakeholder communication beyond the immediate responders and how the media response would be managed. I tried in this instance, to make sure that there was a dovetailing of the emergency response plan, written by Quality, Health and Safety, and the business continuity plan, and that they cross referenced each other. In parallel with the emergency response plan being implemented, the business continuity plan was also invoked to deal with the wider issues associated with the incident such as communications with interested parties and the recovery after the event.
My lesson learned from these two events is that we have to embrace others working in similar but complementary areas and work with them to provide a holistic response to any incident. This includes those who are working on cyber and information security, as well as health and safety and security. What we can bring to the table is our ability to write plans from the operational to the strategic, to train and exercise those who are going to respond and to make sure that all plans work together to manage any incident.
As business continuity people we need to ensure that we remain relevant and work to break down silos otherwise as organisations look for savings and for staff to take on wider responsibilities we might just find ourselves ‘surplus to requirements’.