– KNOWLEDGE CENTER –

BUSINESS CONTINUITY MANAGEMENT:

FROM RISK TO RESILIENCE

This article explores lessons learned in Business Continuity Management (BCM) with case examples.

Editor’s Note: This is the second of a two-part story. For the first part, see the fall issue of PULSE.

BY: Dr. Daniel Gozman, Henley Business School University of Reading | Andrew Craig, The Outsourcing Unit, LSE, CEO, Rame Associates | Marko Kovacevic, CEO, Trizma | Professor Leslie Willcocks, London School of Economics and Political Science

Lesson 3:

Exploit the synergies between standards for BCM, IT/business security and service level management

 

Following the previous lesson outlining how BCM can add further benefits beyond robust processes, products and services, our next case highlights synergies between BCM and other standards. For example, information security standards (e.g. ISO 27001) and BCM may be considered in conjunction, as can BCM and standards on ensuring IT service levels (e.g. ITIL). Analyzing service level agreements, understanding IT resilience and the impacts on customers if service levels fall or systems are compromised all flow naturally across IT service management, IT security and BCM.

 

Case example: Open System Production Inc. (OSP) has implemented four management systems and achieved certification for all of these. The trigger to consider implementation of the information security management system (ISMS) was a rising demand, turning into a mandate, from their customers. When OSP decided to implement the IT service management system (ITSMS), the trigger was only partly their customers. They started to study ITIL (IT Infrastructure Library) proactively to improve their internal management and received ISO/IEC 20000 certification. After that, OSP decided to implement a BCMS. The main reason was the threat of pandemic flu. They recognized the potential large adverse impact of such a pandemic, as did their customers.

 

OSP implemented ITSMS effectively by using the outcomes from ISMS adoption. Furthermore, the fruits of ITSMS also assisted in establishing BCMS. In the process of implementing ITSMS, the team analyzed service level agreements (SLAs) between OSP and their customers. The conditions and levels of the SLAs varied among customers, requiring analysis to clarify their target for IT service in ITSMS. The analysis furthered their understanding of the requirements for their BCM.

 

Lesson 4:

Adopting BCM globally can improve ROI

 

Taking the example of large global manufacturing operations, BCM may help organizations drive additional value out of investments.

 

Case example: In recent years this global telecommunications company introduced BCM across its IT infrastructure. Over two decades the telecom company had established factories across the world to meet mobile phone demand. The use of state-of-the-art manufacturing technology today means a very heavy reliance upon Information Technology and its associated infrastructure. Therefore it is essential that the IT function operates at maximum capability, i.e., 24 hours a day. Unfortunately, this was not happening. A series of problems resulted in the shutdown of part or all of the production lines, and this was repeated across most factory sites. Losses totaled 205 hours of lost production or, in financial terms, $51.25 million of lost revenue in six months. At this point, BCM was introduced in earnest. The solutions put in place were built closely around the BS25999 standard, although their implementation was complex, given the many different cultures of those involved.

 

The BCM work took several months to complete, but it quickly became clear over the following year that the adopted measures led to considerable additional value in ROI terms. Had the loss of hours been permitted to continue over two years, it would have cost the company a total of $355 million in lost revenue. The estimated total costs for setting up the BCM system, staff training and facilitation of exercises were around $1.8 million. This provides a strong example of BCM value, and the Return on Investment it can deliver.

 

Lesson 5:

Monitor, report and refine BCM … early and often

 

It is critical to introduce appropriate (not overly complex) metrics for tracking and trending BCM arrangements and outcomes. It is especially important to identify new risks to the business, their impact and mitigation strategies. Key to implementing effective data analysis is to look beyond the boundaries of the organization and also seek data from key suppliers to reduce potential risks.

 

Case example: Telefónica is one of the largest telecommunications companies in the world. Telefónica UK Limited found ISO 22301 much more explicit in its reporting requirements than its predecessor, BS 25999. Senior executives commented that the company’s starting point for business continuity metrics was to “look at what we do.” They thought through what an incident is, and categorized incidents from ‘major’ to ‘minor,’ using a scoring system. People, therefore, became familiar with types of incident and their seriousness. Metrics were developed so that the number and types of incident could be collated, providing a clear picture of what was happening. But the people that businesses tend to forget are partners and suppliers. Telefónica also built into contractual requirements that suppliers are required to keep track of incidents and notify Telefónica regularly. According to executives, this is key because internally any company maintaining certification to ISO 22301 will, on the whole, manage itself effectively, but they are invariably also dependent on external third parties.

 

The reality is that it is difficult to track every incident at every supplier, especially with the small suppliers. The important move is to monitor key suppliers, for example in sales and service operations. Also important is external benchmarking by a third party using O2’s customer satisfaction index (CSI) score, which highlights service interruptions, recurring incidents and business continuity problem areas. A further metric is the number of times a BC incident is declared. Suppliers must report on this, and this creates a strong picture of history and whether a particular problem is becoming serious at different points in the supply chain. Telefónica also draws on data from its internal audit function and from an external company that provides it with quality checks.

Conclusion:

From Risk to Resilience in Outsourcing

From a business continuity point of view, the outsourcing of some or all business processes and IT operations can bring advantages such as:

  • Clearly defined outsourced processes, based on recognized frameworks, like CoBiT or ITIL.
  • Description of the services contracted for, formalized in a Service Level Agreement (SLA), with specific Key Performance Indicators, all allowing End-to-End business continuity description
  • Clear cost attribution to specific processes, allowing the service provider to offer differentiated levels of business continuity services
  • Access to a community of enterprises, sharing experience in terms of compliance, reporting and testing

Nevertheless, clients and service providers will need to deal with several BCM challenges, including:

  • Avoiding/managing expectation gaps with its clients – remedied by clearly defining the level of business continuity services offered
  • Frequent testing of the level of business continuity services provided by sub-contractors; continuous alignment and testing of these services with the SLAs signed with clients
  • Managing efficiently the “force majeure” disruption of services. This becomes particularly important where full BPO/ITO service providers are hired, as clients may experience great difficulty in contracting other service providers at very short notice.
  • A major challenge is establishing end-to-end BCM plans between several outsourcers and the service provider, at the same time taking into account prioritization of selected services to be delivered during any crisis
