Approach to Business Continuity Planning  
By Mike Jacobs, Director at Biscon Planning As Business Continuity professionals we are expected to identify which activities are critical to an organisation, the risks to those activities and the impacts of their failure. By a process of risk mitigation, we can attempt to keep impact low or, at worst, moderate. However, the process of risk management is predominantly reactive – understanding what has been before, and interpreting it in a current context. This presents the problem of „unconsidered risk - 想定外‟, where circumstances may combine to create an event that is beyond the imagination of those responsible for planning, and therefore increasing the likelihood of a catastrophic impact.   To understand the framework for business continuity, we can break any organisation down to its constituent parts – there will be inputs, based around client orders of some description, a process flow to create the goods / services (probably with a reliance on a supply chain), and then the output of finished product / delivery of service. Each stage of this will be subject to its own risks, and some risks will be common across the whole process.   Every process will have resource requirements across five key areas, and these can be broadly categorised as people, premises, technology, data and supplies. In a recovery situation, we need to understand which processes are to be restored in which order, and how the resource categories are mapped across. We also need to be aware that as well as the pre-defined (and in some cases pre-mitigated) risks, there will be risks associated with the transfer of process and resources to the recovery environment, and to the recovery environment itself. If you are using your fallback site, what is your next layer of resilience?   Key to any effective recovery is the flow of information – both within and outside of an organisation. Until perhaps the past 20 years it has been relatively easy to control the spread of information. It was generated and distributed in an ordered system. That has now changed. Information spreads in a far more chaotic, less controllable method.   This flow of information is sometimes referred to as the „information ecosystem‟. Until recently information created would have been primarily channelled through a limited number of organisations, who could control the slant of the story presented and then distribute it to their audience, either through print or television media, with an associated delay. Direct communication was one to one e.g. through telephone calls or letters. We have now entered the age of the „Citizen Journalist‟ where anyone with a mobile phone can create content and immediately distribute it on the basis of one to many through a number of internet avenues e.g. You Tube. The audience can comment or feedback with their own information as soon as they have consumed the source material.   So what does this mean for Business Continuity? It means you no longer control the message. The best any organisation can hope for is to manage it in a positive way. In January 2009, US Airlines flight 1549 ditched into the Hudson River. 4 minutes later, the story was broken on Twitter. Shortly after, a photo was posted on TwitPic by someone whose ferry had been diverted to assist with the rescue. Approximately 15 minutes after the first tweet, the story was picked up by the mainstream media. At this point, official flight tracking only showed the plane as running late.   Perhaps we should change our view of people as a simple recovery tools, to be assigned roles and expected to undertake tasks. We need to understand the complex components that make up an individual, and the speed and ease with which they can communicate. Rather than try to control or regulate this information and communication, we need to tap into it and use it to develop effective recovery strategies in response to unfolding situations.   Social media giants also seem to have made this connection. Facebook, although a poor second in the Japanese market to Mixi with approximately a 10% market share, has recently introduced the ability for users to mark themselves as “safe” in the event of an incident. This should allow friends and family outside of an affected area to check on the well being of individuals when other more direct methods of communication are affected. One obvious flaw in this system is that if you mark yourself as “safe”, and something subsequently happens to you, you can‟t change your status! On mobile networks, voice calls require continuous connection, whereas data connection can operate in packets.   Immediately following the Great East Earthquake, NTT DoCoMo reported disruption to the voice network and even restricted the number of calls that could be made, whilst reporting that data traffic was unaffected.   Based on the Ushahidi platform, the website sinsai.info was established to co-ordinate information, and was up and running within 4 hours of the earthquake occurring. Within a month, over 10,000 reports – from personal messages to official government notifications – had been submitted, via Twitter, email and directly on the website. There had been over a million page views and the information was being used by Yahoo Japan, Google and the Japanese government official website (Tasukeai Japan).   So what does the future hold? We can be almost certain that there will be more disruption and – hopefully infrequently – catastrophic natural events. We need to learn our lessons and embrace technology. There is no reason for organisations not to set up their own mapping tool and pre-define Twitter #hashtags that they will use to collate information.   The future will, I hope, see the integration of personal and corporate social media use. Organisations will rely on their employees to update their status and, in turn, they will be able to provide their employees information about safe routes to and from work, and information about co-workers. Biscon are also working on an application that, when an organisation relocates to a recovery environment, provides information about the surrounding environment – where to park, where to eat, how to get there from the station, where local shops are, etc – through augmented reality. If global events of the last few years have shown us one thing, it is that although plans are important in recovering operations, people are essential.

●This article was translated into Japanese and published on magazine “Risk-taisaku.com” vol.32.

◆Profile Mike Jacobs is a Director at Biscon Planning (www.biscon.co.uk) a specialist business continuity consultancy. Mike has a particular interest in social media as a crisis communication tool. He can be contacted at mikejacobs@biscon.co.uk or at +44(0)845-076-5637.