Successful risk, crisis and business continuity management
Security’s all about asset protection. Right? Physical, personnel and information security provision are the very basis of protecting our assets, and ensuring that the company may continue to operate despite the risks. Right? There are hundreds of threats to any organisation across a wide spectrum, and fundamental to the company’s success is keeping these threats at bay. Right?
Corporate practitioners have to make sure that the security measures they put in place are capable of the deterrence, detection, delay and deflection – or whatever – of a potential intrusion or breach. I’ll bet you a tenner that your security procedures and plans are orientated towards these ‘front end’ concerns.
Your time and effort will be expended mainly on the ‘rudiments’ that fill the pages of publications like Security Management Today (SMT). In other words, cameras, CCTV, security guarding, perimeter detection and access control systems. Oh, and IT security.
I could go on, right? Well, yes I could, but there’s far more to it than that.
Principles of risk management
To put these all-singing, all-dancing measures into place properly, and to ensure that a ‘Ring of Steel’ is being built around the appropriate and relevant parts of the business, security practitioners must subscribe to – and invoke the principles of – risk management.
You know what the business’ main objectives are, and you’ve looked at the probability and potential impact of threats and prioritised them accordingly. Once the risk assessment has been made, you work out how you’re going to deal with each risk. This risk treatment process requires research, much thought and detailed planning. If completed properly, it will allow security risk management to be included within corporate planning at the highest level possible, in order to influence the corporate direction and to achieve your aim. In short, asset protection in support of the business’ objectives.
All of the above makes sense. Just think about the losses you could face. Suppose there were a ‘downtime’ of network IT capability in the business because of a fire, and you hadn’t carried out a risk assessment, treatment and management procedure. You’re going to lose the ability to communicate and move files and documents around. That’s your direct loss.
What about the other consequential losses? These might include loss of business, investigation costs, salaries for staff members who cannot work, loss of customers (and customer confidence), an increase in insurance premiums, the cost of replacement equipment, loss of data, reprogramming costs, reinstatement costs, loss of reputation and loss of market share.
The list is a long one, if not endless… and mostly avoidable if the risk management process were applied to the protection of IT.
Complementary and synergistic
Risk management, crisis management and business continuity management are complementary and synergistic. The successful combination of all three is essential to the ability of an organisation to survive and continue operational functions.
The proactive and cyclical risk management process allows an organisation to be as well prepared as possible for a risk event to occur. Crisis management and business continuity planning overlap with risk management planning to a certain extent, but are also sequential to it.
Once the risk event – a fire, for instance – has happened, and while it continues, a crisis management plan will allow you to alleviate the impact of the event. The focus of the plan will be to survive the crisis in progress and ease its effects as far as possible. The strategy will include measures such as evacuation plans and the establishment and maintenance of information flow as the crisis unfolds. The link to the risk management plan is thus very clear as the crisis management plan deals with the consequences of risk impact.
For the crisis management plan to be successful, it’s absolutely essential that the risk management process has clearly and correctly identified the risks. Thus the crisis management plan will also be cyclical in nature, as it has to be changed and amended to reflect changing risk factors (and any change management processes in the business). Of course, it should also be tested and exercised regularly to guarantee both its currency and efficacy.
Analysis, implementation, testing
Business continuity planning is the third phase of the security management plan. Its focus is to sustain the delivery of services essential to the organisation’s survival. We don’t need a ‘Gold Standard’ response. ‘Just enough, just in time’ will do in the short term. As with the other aspects, it includes policies, procedures, protocols and information to allow rapid response and prevent service interruption.
The continuity plan follows a similar path to risk management planning, starting with analysis. It will assess the impact of an event and provide scenarios from which the relevant solution can be drafted. It will distinguish critical from non-critical functions and make provision for the continued delivery of the critical ones.
The effects of any loss of buildings, personnel or equipment need to be analysed – in concert with the risk analysis – and then incorporated within the plan.
Implementation and testing of the plan is crucial. Testing may involve the practice call-out of personnel, physical and technical transfer to alternative premises and the examination of core business processes under business continuity arrangements.
It’s essential that the plan is updated to keep pace with organisational changes, whether operational, personnel-related, or to do with IT or communications equipment. Linkage to the risk management plan has to be maintained at all times to ensure that the ‘hub’ activities initially identified may continue in the event of disaster or disruption.
Learning by example
The cyclical nature of the risk management plan is reflected in both crisis management and business continuity plans. The effectiveness of all three depends on their flexibility and anticipation of changes in either the organisation itself or the threats to it. All plans must be linked to a degree, with the risk management plan at the centre – informing changes to the other two plans and influencing their development.
To explain the synergy of the risk, crisis management and business continuity planning processes, here’s a worked example. The scenario focuses on one risk identified within an organisation. Each stage of the scenario is annotated – R (risk), C (crisis) or B (business continuity) – for its applicability to the appropriate security planning function.
So… A corporate insurance company’s Claims Processing Department is responsible for a turnover of £50 million per annum. Located in the City of London, it employs 30 staff and is IT-rich. The company deals with many high profile clients around the world who rely upon it for the provision of this service.
The corporate security manager has anticipated all eventualities, and ensured that the plans have been cleared and put in place. He has consulted widely, assessed the company’s business priorities (R, B) and ensured that the plans needed to deal with an event (C, B), emergency response (C) and recovery and continued service (B) have been widely disseminated, tested and exercised.
The security manager has been made aware that there’s a high level of terrorist threat to financial centres in London, and assessed the risk of a bomb explosion – and the impact it would have upon the business (R, C, B). His planning has accepted that the business will inevitably be disrupted in such an attack (R, B), and he has ensured the risk can be accepted.
Provision of a cleared zone
A conventional, non-hardened building cannot withstand an explosion, while the cost of relocating or upgrading the building is prohibitive. The threat can be mitigated against by the provision of a cleared zone around the building, and by a strict access control system.
The threat has been balanced against the company’s need to continue to operate in this location and the perceived risk to personal safety. It’s essential that this continuity is maintained, and that service to the company’s customers isn’t disrupted in any way (R, C, B).
Unfortunately, the worst scenario possible occurs and a large truck bomb is detonated just 100 metres away from the building. There are some minor injuries to personnel, and the IT systems are damaged or disrupted.
Immediately, the security manager puts into operation his well-rehearsed plans and a team of four designated First Aiders begins to treat the casualties after a rapid evacuation of the building to a designated assembly point – well away from the point of explosion – under the direction of nominated marshals.
The security manager’s designated emergency assistant (the company secretary) has contacted the emergency services on a telephone issued to him for that purpose (C).
Concurrently, the manager has used his own dedicated mobile telephone to contact a subsidiary company based in Pimlico. Staff at the subsidiary company have been trained in the procedures for continuing the parent company’s business, albeit in a reduced role. Within 30 minutes, a basic but functioning business is operational once again (B).
Checking the efficacy of plans
Recovery from the incident takes several weeks. The security manager has used this time to de-brief and consult at all levels. The risk management plan functioned as required, while the measures put in place did mitigate against more extensive damage to the company’s operations (R).
The evacuation and First Aid treatment of casualties went well. However, the use of mobile telephones proved to be difficult after the explosion, and plans (R, C, B) will need to be reviewed to identify a more robust system.
The example illustrates what’s meant by ‘seeing things through to the end’, evaluating all aspects of the business and the threats posed to it. Security professionals must look at the triumvirate of risk, crisis and business continuity and blend them to meet their needs.
Such a ‘belt and two pairs of braces’-style approach involves a heck of a lot of work, but if you keep everything tight there’s no real chance of you or the organisation being caught with your pants down.
Phillip Wood is deputy director of ARC Training International (www.arc-tc.com)