Welcome to the latest issue of Beyond the Shadow, our newsletter which
brings you important news, helpful information and industry best practices.

Table of Contents

• Featured Customer: Edwards builds a sustainable Business Continuity system
• Latest News: Office-Shadow holds first North American user group meeting
• Office-Shadow enters healthcare market
• Product & Program News: Shadow-Planner v 3.7 and v 3.7.1 showcase significant features
• Tips and Techniques: Functional productivity: a realistic look at human behavior in times of crisis
• The Experts’ Corner:  Operational risk management and business continuity - Leslie T Whittet FBCI MACS MRMIA
• Calendar of Events:  Visit us at these upcoming shows, symposia and events

FEATURED CUSTOMER

Edwards builds sustainable BC plans with Shadow-Planner

The Situation

Edwards is synonymous with vacuum innovation. For nearly 100 years, the Company has delivered the highest quality vacuum pump and exhaust management system solutions for a broad spectrum of applications. This global company relies on a set of core values, and Business Continuity plays a key role.

The Problem

When Edwards split off from the BOC Group and became an independent entity, the Company found itself with a golden opportunity to take over its Business Continuity management function. The effort involved taking an in-depth look at BC and BC automation tools.  This initiative was focused on the ability to build BC plans that stay up to date and can be maintained in real time.  Naturally, ease of use is a primary requirement in building a sustainable system.

The Solution

Shadow-Planner was chosen for its ease of use and flexibility, allowing Edwards to revise and update plans through the efforts of people throughout the organization.  In the process, the Company developed a breakthrough approach: rather than focusing on specific causes of potential crisis, Edwards wrote plans based on different levels of threat. The Company was thus able to devise a system of color-coded alert levels, such that a small number of plans can easily cover a wide range of potential threats.

Benefits

Shadow-Planner is ideal for Edwards. It can be kept up-to-date with tasks that take only five or ten minutes, without the need for a document control manager. The people who keep it updated report that it is extremely easy to use, and senior management appreciates the fact that Shadow-Planner is a hosted solution. Always available, always up-to-date: that’s sustainable Business Continuity.

---

COMPANY NEWS

Nigel Hopkinson, CEO

User Group Inaugural Meeting

Shadow-Planner Inaugural North American User Group Conference
Hosted by the Securities Industry & Financial Markets Association (SIFMA)

Office-Shadow reached a milestone on August 21 and 22, holding its first dedicated North American User Group conference at SIFMA HQ in New York City.  After several years of holding global conferences in Europe, this marked the first occasion when North American clients could get together locally to discuss their shared experiences with Shadow-Planner.

OSI’s CEO Nigel Hopkinson highlighted the spirit of the week.  “We are so pleased to be able to add to the value of our clients’ investments in Shadow-Planner through shared learning.  On this basis alone, the week has been a great success.  Further, we can hone the direction of our exciting forthcoming product developments to make our clients even more resilient and keep Shadow-Planner ahead of the pack.”

Clients from across North America met with Office-Shadow executives to discuss hints and tips, best practice ideas, imminent product enhancements and the longer term product roadmap.  A formal User Group structure was established with Chair and Co-Chair appointed from within the user community, and with a strong emphasis on steering a Product Advisory committee.

According to Gretchen Grey, Academic Continuity and Disaster Readiness Director at the University of Michigan and Chair of the User Group, “I met a group of wonderful people who are surprisingly open and willing to provide all types of support, such as lessons learned and training guides. Affiliates were delighted to get a sneak peek at the advancements planned as part of next year’s upgrade.”  Grey stated that the infrastructure improvements and functional enhancements could not be going in a better direction, and that many of the group are looking forward to providing input as Beta testers. 

Roland Johnson, President of Office-Shadow North America, was delighted to welcome another household name to the burgeoning list of Shadow-Planner clients, with a signed agreement at the commencement of the conference.

The group plans to meet at least annually, and to use their forum on Shadow-Planner to collaborate between meetings. The overwhelming enthusiasm of the attendees bodes well for next year’s meeting, by which time we expect that the group will have doubled in size.

HEALTHCARE MARKET

Paul Gant, MD Europe

The healthcare industry views Business Continuity with perhaps a bit more urgency than any other industry: it's a matter of life or death. Business continuity plans must accommodate and be tailored to all types of potential crises, including natural disasters, power outages, pandemics, terrorist attacks and much more.  Plans must provide for patient safety, staff logistics, information availability, public information and notification, and facilities recovery, among others. Office-Shadow Ltd., the premier business continuity solutions company, announced its intention of playing a major role in this industry when it announced, on June 18, 2008, that it has entered into a long-term agreement for distribution of Shadow-Planner products to the health care market in England and Wales.

Agnentis Ltd, designer and implementer of bespoke solutions for NHS Trusts, signed the agreement with Office-Shadow and is working with the Company to create a fully customized business continuity solution for the healthcare community.

Agnentis Ltd designs and implements bespoke solutions to help NHS Trusts with all or any of their financial, managerial, IT and operational requirements to help deliver a better quality service, more effectively and at a lower cost. The company chose Shadow-Planner, from Office-Shadow Ltd., as the ideal platform for business continuity automation in this demanding market. With a full understanding of the requirements of PCTs, Trusts and the NHS, Angentis can work with Office-Shadow to ensure a smooth implementation of this solution.

"We are very happy to have selected Shadow-Planner, the ideal BC automation suite to serve the business continuity management needs of the healthcare market here in England and Wales," stated Simon Taylor, CEO, Agnentis Ltd. "We have been working diligently with Office-Shadow experts to ensure that our deep understanding of the needs of this market are reflected in a fully tailored implementation of Shadow-Planner that reflects our unique requirements. The product’s ease of use, power and flexibility will be immediately appreciated by Hospital Trusts throughout the country"

Agnentis has worked with King’s College Hospital NHS Foundation Trust, one of London’s largest and busiest teaching hospitals, in selecting Shadow-Planner as the best product to meet the challenging business continuity needs of a major acute hospital. The hospital is in the vanguard of Foundation Trusts that are embracing business continuity automation. King’s is the first healthcare organization to purchase the product in the UK and is now in the process of implementing the system with the assistance of Agnentis.

"We have been working hard to build out our business continuity plans, and are delighted to be able to use Shadow-Planner to automate the testing, updating and maintenance of our plans," said Liz Wells, Head of Emergency Planning and Clinical Site Management at King’s College Hospital. "With the strong healthcare knowledge of Agnentis, we will be able to implement a solution that is fully tailored to the needs of the healthcare community."
Office-Shadow is recognized as the world leader in web-based business continuity management solutions, and has established a strong base in the global financial services market as well as other important market segments such as energy, communications and services. The relationship with Agnentis provides an important beachhead in the healthcare market.

"We are delighted to welcome King’s College Hospital to our growing base of key customers, and are excited about the new partnership with Agnentis." said Paul Gant, Managing Director EMEA for Office-Shadow. "Business continuity in the healthcare market goes far beyond basic business operations: BC plans must be tailored and tested for any potential circumstance, linked into plans for emergency preparedness, and patient safety is paramount. Shadow-Planner integrates business continuity into the daily workflow of the healthcare organisation, making it possible to build a culture of business continuity."

PRODUCT AND PROGRAM NEWS

Phil Becker, CTO

Summary

There have been two significant releases of Shadow-Planner in the last few months. Version 3.7, released in May, brought increased usability, with several important features such as pagination for faster display and access in long lists, additional search and sorting capabilities, and reference resolution options. The 3.7.1 release, which came out at the end of August, provides a number of enhancements to resources, assets and local process functionality, the ability to suppress tables of contents for procedure report sections, and increased sizes for uploaded images.

Details

Shadow-Planner v 3.7 includes the following features and functionality:

1. Pagination in both the Treeview and the Work Page, to result in faster display and access in long lists, and easier navigation. This has been implemented for the platform, BCP, BIA and Risk Management.  Key features include customizable page length defaults, case-insensitive searching and filtering, sorted lists (just by clicking a column heading) and flexible navigation (scroll through lists a page at a time, go straight to first or last page, or jump to a specific page.) 
2. Search and sorting facilities, to help you locate specific records with minimal effort.
3. Additional information in the Work Page listings – e.g., company name and date of last update for contact records are displayed.
4. The Micro Internal Contacts Grid with Personal Mobile micro stylesheet in Report Templates can be used to generate a list of staff names with work, home and personal mobile telephone numbers.
5. The Perspectives documentation has been enhanced to more fully explain how to delete entities, provide additional information about the use of mandatory contact groups, explain how perspectives affect the Local Contacts group, and further explain what is possible when using perspective rules to share contact groups.
6. The Platform documentation has been enhanced to provide information on how to sort contacts within a contact group, and to explain how to easily remove a single record from a section.
7. The security documentation has been expanded, with the addition of recommended procedures for setting up security for your organization. See the document for specific details on the following security profiles:  Administration, Platform & BCP, BIA, Portal, Risk Management and Task Access.
8. We have added the ability to resolve references while searching. When turned on, a search will return not only items that specifically contain the search text, but also related documents that contain the text. For example, let’s say your procedures contain references to action plan names. A search of procedures for text string “abc” will return not only those procedures whose names contain “abc” but also procedures whose names contain references to action plans with names containing “abc”.

The 3.7.1 release, available as of the end of August, brings the following features:

1. When a resource or asset is used in the local process tree, the details page for that resource or asset lists all processes, resources and assets that rely on that item. This table of dependencies also shows the ATO and APO for the current process and highlights them in red if they exceed the requirements for the areas that reply on the current process.
2. Requirements tables for local processes can now show all processes, resources and assets that a chosen process requires, or just those that appear directly below the chosen process in the local process tree.
3. Recovery requirements can be suppressed when viewing local processes, and from associated reports and questionnaires.
4. A new option to display the minimum RTO for subprocesses that have no specific RTO set.
5. Real (indirect) RTOs are now set correctly for all processes at all levels.
6. We have increased the maximum size for uploaded images to 1 Mb.
7. In reports, the automatic tables of contents at the start of each procedure section can be suppressed.
8. The search facility now allows searching for contact groups.
9. The Tasks Totals report now shows the number and percentage of unique tasks with each task status, and tasks that are shared between a number of perspectives are now included in the counts of all perspectives to which they belong.
10. A Complete Task icon has been added to the Review Schedule page for assets.

TIPS AND TECHNIQUES

Chris Oliver FBCI

This section of the newsletter brings you tools and information that are immediately usable in your day-to-day life. This edition of the newsletter brings you an overview of one of the most crucial aspects of business continuity – the human element.

Functional Productivity - A Realistic Look at Human Behavior in Times of Crisis

Some people can rise to a challenge, while others find themselves paralyzed when the unexpected happens. As Business Continuity practitioners, we need to understand what to expect and how to set expectations. Office-Shadow’s Chris Oliver explains:

Introduction

Not all people are created equal. Some people can rise to a challenge, while others find themselves paralyzed by something unexpected. Similarly, not all crises are created equal. Some require simple adherence to a plan in order to reach a speedy resolution, while others bring out the best – and the worst – in people. 

As Business Continuity practitioners, we need to be constantly aware of this inequality, and take steps to understand the different types of crises and people’s reactionary timeline. Then, we must set our expectations, and those of others, accordingly.

Types of Crisis

Crises differ in many ways: duration, physical impact, emotional impact and more. Take, for example, the Hurricane Katrina that hit New Orleans three years ago. The crisis was prolonged and the effects severe, including both physical devastation and the concomitant emotional turmoil. The effects, even three years on, are still deeply felt on a visceral level. With the threat of Hurricane Gustav, old wounds are reopened and old miseries relived.

In contrast, when a pipe bursts in a data center, the effects can be immediate yet short-lived. Those people who saw the pipe burst were forced to quickly gather their belongings and vacate the premises, but may have been able to shake off the crisis as they traded anecdotes in a local coffee shop.  Those affected by a loss of data center capacity were even less affected by the mishap, and were able to return to work the following day with just a few hours’ interruption in their lives.

The higher the emotional impact of an event (e.g., aircraft hits building) the more it will impact productivity.  And depending upon the level of an individual within an organization, the effect can be much more long-lived, or much shorter.

Types of Reaction

People react differently to a crisis depending on their level in the organization, and on the duration of the crisis.  While this sounds entirely logical, it is in fact a difficult principle to put into action.  Let’s take a simple example: a natural disaster that forces a long-term interruption in business. 

A simple rule of thumb says that you will be able to rely on your employees to work extra for about three weeks after the disaster strikes.  In other words, they will willingly work extra hours in week 1 and maybe even put in some weekend work. During week 2, they will work extra, but probably not as much (and not as willingly) as in week 1. By the third week, their willingness to work extra is eroding, perhaps aided by the cries of family who want to know when this will stop.

Organizational Differences

The effect is different depending upon an individual’s level within the organization. For senior management – managers, controllers and the like – the willingness and ability to keep working extra is seemingly unending.  While not usually the doers in an organization, they recognize their leadership position and the need to lead by example.

For middle management, such as operational controllers, native ambition and drive will propel them to continue to perform at a higher level for a period of time, after which their extra efforts begin to taper off. 

But for operational staff, it may be necessary to reward extra efforts with overtime pay, recovered costs and the like.

Finally, there are those in an organization who simply can’t put forth the extra effort, regardless of how much they might want to do so.  Consider the part-time workers who have other jobs, or the single parents who must pick up their children from school at a given time each day, or those who simply can’t relocate to another facility due to other constraints.

Final Words

One of the biggest dangers in a real crisis situation is the failure of BC professionals to take into consideration this aspect of functional productivity. Asking people to do what they simply cannot, will only cause them to feel guilty, and make motivated employees unmotivated. It is in our best interests to understand how people react to various types of crises, and set expectations accordingly.

THE EXPERTS’ CORNER

Our website features a monthly column that showcases the thoughts of various experts in the industry. The Expert’s Corner provides thoughtful and thought-provoking information.

I’m delighted to welcome Leslie to Experts Corner. After having seen this particularly interesting piece, one of our readers suggested that we share this with the community and I couldn’t agree more. Having insight into Operational Risk varies from company to company, not just in the conception of what it is, but how it is handled. In this article Leslie demonstrates some of the common lynchpins that have people talking today and how BCM fits into that space.

Chris Oliver FBCI
Group Operations Director

OPERATIONAL RISK MANAGEMENT AND BUSINESS CONTINUITY

Leslie T Whittet FBCI MACS MRMIA

By Leslie T Whittet FBCI MACS MRMIA.

The requirement by national regulators, based upon guidelines from the Bank for International Settlements (Basel II), for financial institutions to manage operational risk in addition to credit and market risk, has raised a number of issues and much debate. Precisely what is operational risk? How is it delineated from credit and market risk? How can it be quantified? How can one separate the sources of operational risk when some, such as employee-related examples, may be a common cause?

Basel II defines operational risk as, “The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.” It further breaks loss events into seven general categories:

1. Internal fraud;
2. External fraud;
3. Employment practices and workplace safety;
4. Clients, products and business practice;
5. Damage to physical assets;
6. Business disruption and systems failures;
7. Execution, delivery and process management.

It is easy to see that there may be considerable overlap between these in terms of the source of a particular loss. It is also apparent that some are closely related to the discipline of business continuity management whereas others must be treated via standard risk management and/or good corporate governance practices. Damage to physical assets is a typical BCM issue leading to the preparation of a business continuity plan, possibly underpinned by a number of subsidiary plans such as an information and communications technology disaster recovery plan. Conversely, fraud issues will usually be addressed through conventional risk management practices supported and strengthened by strong company policies and procedures.

The difficult operational risk question – what risks are to be addressed - will be confirmed in the business impact analysis (BIA) phase of the business continuity management program if it has not already been separately considered. Indeed it is better to resolve it through the BIA process as this rigorous process may offer unexpected solutions. The BIA is the foundation of effective business continuity planning and it is the appropriate stage in which to examine all supporting processes and activities.

The process of developing the plans (see below) – especially the BIA – will identify options to minimise likelihood of interruption to critical activities. It is essential to recognise the criticality of the pre-incident activities which should also be revealed through the BIA. These may include, for example:

• Good health and hygiene practices as a preventative for pandemics and epidemics (in fact, for a healthy workplace at any time!)
• Comprehensive succession planning
• Comprehensive knowledge management practices including the provision of clear and concise standard operating procedures (SOPs) – these may be critical in business recovery if inexperienced personnel are required to perform unfamiliar tasks
• Job rotation practices
• Rotation of key processes and/or activities through alternate sites.

It is useful to bear in mind, however, that business continuity plans primarily deal with the post-incident timeframe. It is the retained risks flowing from the BIA for which effective continuity and recovery plans must be developed. Attention must also be given to the impact upon the risk profile if/when certain continuity measures are implemented. For example, the loss of a primary data center with attendant failover to a standby center, has a dramatic impact on the risk profile as the organization now has multiple single points of failure. This is not to suggest that we establish a standby to a standby to a standby... but rather to stress that consideration must always be given to alternative solutions – e.g., manual methods – at least for short-term response.

For those operational risk areas that are to be treated through the business continuity management program standard practices should be applied:

• Establish business continuity policy and scope
• Establish resourcing and funding
• Define the organisation’s key products and services
• Determine the maximum tolerable period of disruption (MTPD) for each
• Conduct a business impact analysis to establish and prioritise the critical activities and their MTPDs – this stage includes using standard risk management practices (e.g., AS/NZ 4360 – 2004) to assess risks and establish treatment options
• Present retained risks and management strategies to the executive for determination
• Develop continuity and recovery plans - BCP(s) - to address the retained risks in accordance with the agreed strategies including, among others.
  • Scope
  • Team briefs
  • Team action plans
  • Key stakeholder contact lists
  • Resources
  • Supporting plan references.
• Exercise business continuity plans
• Undertake training and cultural awareness;
• Maintain business continuity plans within business continuity management program reviews.

Note that this is merely a brief summary of key aspects and the reader is directed to international best practice materials for further information ⁽¹⁾. Perhaps the key requirement in an on-going sense is to ensure that the entire business continuity management program is formally established and managed, including periodic – at least annual – reviews. There is a real danger that the focus is trained squarely on exercising and updating business continuity plans without ensuring that they remain aligned with the changing requirements and practices of the organisation. This can only be addressed through regularly reviewing the entire program in accordance with the process used to initially develop the business continuity plans.

I would suggest that most reviews go no further than the business continuity plans and possibly exercise outcomes yet the organisation may have changed to such an extent that the BIA, today, would yield quite different results to when it was first undertaken. As a consequence the strategy forming the basis for the business continuity plans may also require significant review. Some of the plans will have been updated to accommodate a new process here and there, or some new ICT capability, but no systematic approach has been undertaken to ensure that the wheel remains round rather than having an irregular shape with random air bubbles, patches and punctures! There is a very real danger that the business continuity plans themselves will, over time, become quite dysfunctional and unsuited to the current needs of the organisation if due attention is not given to the entire business continuity management program.

Much of what contributes to effective business recovery is really in the preparatory planning and this aspect gets primary focus during the BIA and strategy development phases. Unless there is organisational commitment and a process to revisit these business continuity management foundation steps it is likely that we will experience a widening gap between our business resilience capability and what is potentially achievable. In other words we are diminishing the real value-add that effective business continuity management brings to an organisation.

⁽¹⁾ Business Continuity Institute Good Practice Guidelines, 2007
British Standards Institute BS 25999-1 Business Continuity Management - Code of Practice, 2006
British Standards Institute BS 25999-2 Business Continuity Management - Specification, 2007

CALENDAR OF EVENTS

Please stop by and see us at any of these upcoming events:-

Name of Event: Disaster Recovery Journal Fall World 2008
Location: San Diego, California
Dates:  14-17 September, 2008

Overview:  Fall World 2008 is the 39th conference sponsored by Disaster Recovery Journal. Fall World 2008 offers the best opportunities for exploring Today’s Trends and finding Tomorrow’s Solutions. 

Overview:  The BCI Symposium will offer insight and knowledge into today’s BCM drivers. A high volume and standard of submitted papers will ensure a fresh and innovative approach to the topics that are shaping the world of business continuity.

Name of Event: SIFMA Business Continuity Planning Conference
Location: New York City, NY
Dates: 22 October, 2008

Name of Show: 8th Annual Business Continuity Management Conference
Location: Singapore
Dates:  5-7 November, 2008

Overview:  BCP Asia aims to promote and increase awareness of Business Continuity to professionals in the Asia region. The conference creates a platform for practitioners to share their knowledge, learn from each other and benefit from real life experience.

Name of Event: CPM 2008 East
Location: Orlando, Florida
Dates:  12-14 November, 2008

Overview:  CPM is dedicated to the convergence of business continuity/COOP, emergency management and security enabling participants to prepare a comprehensive and effective plan to maintain a resilient organization.