Explore
Knowledge Center: Risk To Resilience Part 2 - PULSE MAGAZINE
PULSE is the official global sourcing magazine of IAOP® and offers the latest advice, knowledge, and best practices to engage, inspire and challenge.
sourcing, outsourcing, global sourcing, impact sourcing, domestic sourcing, rural sourcing, magazine, service provider, RPA, strategic sourcing, GIG economy, nearshoring, supply chain, big data, AI, automation, robotics, workforce, procurement, IAOP, thought leadership, advisors, shared services, disruption, women empowerment, cognitive automation, process automation, networking, COP, risk management, digital labor, training, workshops, chapter meetings, World Summit
19198
page-template,page-template-full_width,page-template-full_width-php,page,page-id-19198,qode-quick-links-1.0,ajax_fade,page_not_loaded,,side_area_uncovered_from_content,qode-theme-ver-13.1.2,qode-theme-bridge,wpb-js-composer js-comp-ver-5.4.5,vc_responsive
 

Knowledge Center: Risk To Resilience Part 2

– KNOWLEDGE CENTER –

BUSINESS CONTINUITY MANAGEMENT:

FROM RISK TO RESILIENCE

This article explores lessons learned in

Business Continuity Management (BCM)

with case examples.

Editor’s Note: This is the second of a two-part story.

For the first part, see the fall issue of PULSE.

BY: Dr. Daniel Gozman, Henley Business School University of Reading | Andrew Craig, The Outsourcing Unit, LSE, CEO, Rame Associates | Marko Kovacevic, CEO, Trizma | Professor Leslie Willcocks, London School of Economics and Political Science

Lesson 3:

Exploit the synergies between standards for BCM, IT/business security and service level management

 

Following the previous lesson outlining how BCM can add further benefits beyond robust processes, products and services, our next case highlights synergies between BCM and other standards. For example, information security standards (e.g. ISO 27001) and BCM may be considered in conjunction as can BCM and standards on ensuring IT service levels (e.g. ITIL). Analyzing service level agreements, understanding IT resilience and the impacts on customers if service levels fall or systems are compromised all flow naturally across IT service management, IT security and BCM.

 

Case example: Open System Production Inc. (OSP) has implemented four management systems and achieved certification for all of these. The trigger to consider implementation of the information security management system (ISMS) was a rising demand, turning into a mandate from their customers. When OSP decided to implement the IT service management system (ITSMS), the trigger was only partly their customers. They started to study ITIL (IT Infrastructure Library) proactively for improvement of their internal management and received ISO/IEC 20000 certification. After that, OSP decided to implement BCMS. The main reason was the threat of pandemic flu. They recognized the potential large adverse impact of such a pandemic, as did their customers.

 

OSP implemented ITSMS effectively by using the outcomes from ISMS adoption. Furthermore, the fruits of ITSMS also assisted establishing BCMS. In the process of implementing ITSMS, the team analyzed service level agreements (SLA) between OSP and their customers. The conditions and levels of SLA varied among customers, requiring analysis to clarify their target for IT service in ITSMS. The analysis helped further understanding of the requirements for their BCM.

 

Lesson 4:

Adopting BCM globally can improve ROI

 

Taking the example of large global manufacturing operations, BCM may help organizations drive additional value out of investments.

 

Case example: In recent years this global telecommunications company introduced BCM across its IT infrastructure. Over two decades the telecom company had established factories across the world to meet mobile phone demand. The use of state of the art manufacturing technology today means a very heavy reliance upon Information Technology and its associated infrastructure. Therefore it is essential that the IT function operates at maximum capability, i.e., 24 hours a day. Unfortunately, this was not happening. A series of problems resulted in the shutdown of part or all of the production lines, and this was repeated across most factory sites. Losses totaled 205 hours of lost production or, in financial terms, $51.25 million of lost revenue in six months. At this point, BCM was introduced in earnest. The solutions put in place were built closely around the BS25999 standard, although their implementation was complex, involving many different cultures of those involved.

 

The BCM work took several months to complete but it quickly became clear over the following year that the adopted measures led to considerable additional value in ROI terms. Had the loss of hours been permitted to continue over two years, it would have cost the company a total of $355 million dollars in lost revenue. The estimated total costs for setting up the BCM system, staff training and facilitation of exercises was around $1.8 million. This provides a strong example of BCM value, and the Return on Investment it can deliver.

 

Lesson 5:

Monitor, report and refine BCM … early and often

 

It is critical to introduce appropriate (not overly complex) metrics for tracking and trending BCM arrangements and outcomes. It is especially important to identify new risks to the business, their impact and mitigation strategies. Key to implementing effective data analysis is to look beyond the boundaries of the organization and also seek data from key suppliers to reduce potential risks.

 

Case example: Telefónica is one of the largest telecommunications companies in the world. Telefónica UK Limited found ISO 22301 much more explicit in its reporting requirements than its predecessor, BS 25999. Senior executives commented that the company’s starting point for business continuity metrics was to “look at what we do.” They thought through what an incident is, and categorized incidents from ‘major’ to ‘minor,’ using a scoring system. People, therefore, became familiar with types of incident and their seriousness. Metrics were developed so that number and types of incident could be collated, providing a clear picture of what was happening. But the people that businesses tend to forget are partners and suppliers. Telefonica also built into contractual requirements that suppliers are required to keep track of incidents and notify Telefonica regularly. According to executives, this is key because internally any company maintaining certification to ISO 22301 will, on the whole, manage itself effectively, but they are invariably also dependent on external third parties.

 

The reality is that it is difficult to track every incident at every supplier, especially with the small suppliers. The important move is to monitor key suppliers, for example in sales and service operations. Also important is external benchmarking by a third party using O2’s customer satisfaction index (CSI) score which highlights service interruptions, recurring incidents and business continuity problem areas. A further metric is the number of times a BC incident is declared. Suppliers must report on this, and this creates a strong picture of history and whether a particular problem is becoming serious at different points in the supply chain. Telefonica also draws on data from its internal audit function and from an external company that provides it with quality checks.

Conclusion:

From Risk to Resilience in Outsourcing

From a business continuity point of view, the outsourcing of some or all business processes and IT operations can bring advantages such as:

  • Clearly defined outsourced processes, based on recognized frameworks, like CoBiT or ITIL.
  • Description of the services contracted for, formalized in a Service Level Agreement (SLA), with specific Key Performance Indicators, all allowing End-to-End business continuity description
  • Clear cost attribution to specific processes, allowing the service provider to offer differentiated levels of business continuity services
  • Access to a community of enterprises, sharing experience in terms of compliance, reporting and testing

Nevertheless, clients and service providers will need to deal with several BCM challenges, including:

  • Avoiding/managing expectation gaps with its clients – remedied by clearly defining the level of business continuity services offered
  • Frequent testing of the level of business continuity services provided by sub-contractors; continuous alignment and testing of these services with the SLAs signed with clients
  • Managing efficiently the “force majeure” disruption of services. This becomes particularly important where full BPO/ITO service providers are hired, as clients may experience great difficulty in contracting other service providers at very short notice.
  • A major challenge is establishing end-to-end BCM plans between several outsourcers and the service provider, at the same time taking into account prioritization of selected services to be delivered during any crisis

The use of state of the art manufacturing technology today means a very heavy reliance upon Information Technology and its associated infrastructure. Therefore it is essential that the IT function operates at maximum capability, i.e., 24 hours a day. Unfortunately, this was not happening.``

It is critical to introduce appropriate (not overly complex) metrics for tracking and trending BCM arrangements and outcomes. It is especially important to identify new risks to the business, their impact and mitigation strategies.”

clients and service providers will need to deal with several BCM challenges, including frequent testing of the level of business continuity services provided by sub-contractors; continuous alignment and testing of these services with the SLAs signed with clients.
IAOP connects you and your organization to our global community and resources.