Regus / URM Business Continuity Survey
Business continuity communication – the weakest link?
Background

With the introduction of ISO 22301, the new International Standard for Business Continuity Management, Ultima Risk Management (URM) and Regus took the opportunity at the end of 2012 to conduct a survey with the objective of assessing the current status of Business Continuity (BC) in the UK and the likely impact of the new Standard. Of the 200 organisations who completed the survey, the vast majority were from the private sector and represented both manufacturing and service organisations. There was also a wide spread in terms of organisation size i.e. from SMEs to large corporates. The results provided some interesting insights into existing BC practices and, in particular, to those areas which represent the biggest challenges to UK businesses.

Impact of ISO 22301

Overall, there was quite a high awareness of ISO 22301, with 62% of survey respondents looking to comply or certify with the new Standard. One of the key perceived impacts of the Standard was in the use of ISO 22301 in tenders.

Nearly 2 out of 3 of respondents believed that ISO 22301 will become an essential requirement to bid for high value tenders and 58% believed the same to be true for general tenders. However, most respondents were not anticipating an immediate impact i.e. for those who anticipate it becoming a requirement, 57% were not expecting it to become essential for 3 years or more.

Senior Management Involvement

One of the positive findings was the high percentage of senior managers who were involved to some degree in BC, with only 2% reporting no involvement. Senior management involvement is widely recognised as a key requirement in any successful BC implementation and is featured prominently as a requirement in the new ISO 22301 Standard. Given this statistic, one could assume that Business Continuity is being given significant focus within organisations. However, the survey points to a number of weaknesses in terms of BC arrangements.

Existence of Business Continuity Plans

It seems that whilst organisations are aware of the importance of BC, it can be argued they are not doing enough to plan and prepare for future incidents and events. This appears to be particularly true for SMEs, with 30% of those respondents with less than 50 staff reporting they had no Business Continuity plans (BCPs) in place (compared to 16% overall).

Smaller organisations may be thinking that such plans are not needed or they are not a priority. However, it is argued that having an effective response mechanism in place against different disruption scenarios, including loss of key staff, single points of failure and denial of access to key buildings/sites, are highly relevant issues for SMEs.

Any organisation, no matter what size or industry, would suffer some level of adverse impact in the event of a disruption. Many businesses may consider that people within their organisation are capable of ‘thinking on their feet’ and they would just ‘know’ how to deal with an incident, but there is a lot more to Business Continuity than just ‘thinking on your feet’. Furthermore, it begs the question of what happens ‘if those individuals capable of thinking on their feet are not available?’

Business Continuity planning includes ensuring the people involved with the response and recovery processes have the appropriate skills, competencies and have been trained to deal with an incident, no matter what form it may take. It also ensures that every key role within the process has a deputy who is also trained with the necessary skills and competencies, if required.
Importance of Business Impact Analysis (BIA)

Whilst the statistic of 5 out of 6 responding organisations having BCPs in place may appear to be acceptable/impressive, it has to be questioned what the plans are based upon. There is little benefit in having a BCP in place, if you are not protecting your key products and services. Before an organisation develops effective BCPs, good practice dictates that it needs to determine what it needs to recover - its ‘critical processes’. What really needs to be recovered and how quickly is best determined by assessing the impact of a disruption on the business, be that from a financial, operational, contractual or health and safety perspective. If an organisation does not know the answer to these questions, it is quite possible that any plans developed will be based on someone’s guess work, the wrong parts of the business or the wrong recovery requirements. The process of uncovering this information is called a business impact analysis, or ‘BIA’.

Of the 200 organisations surveyed, 26% said that they had not carried out a BIA. It can thus be hypothesised that of the 84% of respondents who reported having BCPs in place, some of these may be focussing their recovery efforts around the wrong business processes or incorrect recovery requirements.

Internal Communication

Apart from conducting BIAs, another critical (and often neglected) element of good practice BC is internal communication. What if employees don’t know what is contained within the BC plans or what their roles or responsibilities are in the event of a disruption? One of the key findings and concerns emerging from the Regus/URM survey relates to BC awareness levels. When asked what their biggest BC concerns were, 28% of all organisations surveyed reported ‘a lack of awareness of BC arrangements’. This figure rose to 35% for those organisations with more than 250 employees. Only 46% of survey respondents indicated that they issued regular BC communications to their employees; for smaller organisations with less than 250 employees, this figure fell to 32%.

Knowing that the plans exist is only one element of BC awareness though. Staff need to be given specific BC responsibilities and should be trained and participate in exercises to ensure that they are competent enough to carry those responsibilities out.

If an incident occurs, every organisation needs to know which members of staff (primary role holders and deputies) will keep the business going. Businesses of all sizes will benefit from increased internal BC Communication.

External Concerns

Apart from internal communication issues, the Regus/URM survey also found that 27% of respondents reported that BC in the supply chain was their major external concern. Although 73% of all respondents had identified their critical suppliers, far fewer organisations had taken proactive steps to address BC arrangements with them. It seems that the larger organisations have a slightly better handle on things. 52% of the organisations responding to the survey indicated that they had discussed the subject with their suppliers, but this fell to only 35% for businesses who employed less than 50 people. When asked whether they require their supply chain to have exercised / tested their plans, the numbers dropped drastically to 29% and 18% respectively.

An organisation is only as strong as its weakest link. It doesn’t matter how robust the BCPs and processes are, if an organisation’s critical suppliers cannot provide the level of service required.

Conclusion

The Regus / URM BC survey is a lesson to us all that organisations need to communicate about Business Continuity more regularly (whether internally or to their suppliers).

Identification of critical processes (via BIA) is essential so that more appropriate BCPs can be developed.

Effective communication to staff through exercising, training and awareness is vitally important to ensure that should the unforeseen happen, everyone knows what their roles and responsibilities are and can focus on recovery and ensuring the business continues.

A more proactive approach when dealing with key suppliers will ensure that services continue in the event of an incident.
About Regus
Regus is the world’s largest provider of flexible
workplaces, with products and services ranging from
fully equipped offices to professional meeting rooms,
business lounges and the world’s largest network of
video communication studios. Regus enables people
to work their way, whether it’s from home, on the
road or from an office. Customers such as Google,
GlaxoSmithKline, and Nokia join hundreds of thousands
of growing small and medium businesses that benefit
from outsourcing their office and workplace needs to
Regus, allowing them to focus on their core activities.
About Ultima Risk Management (URM)
Ultima Risk Management (URM) specialises in
delivering consultancy and training in the areas of
Business Continuity, information security and risk
management. A particular niche skill of URM is in
assisting organisations comply with the relevant British
and International Standards, most notably ISO 27001
and ISO 22301 (and its predecessor BS 25999). To
date, URM has assisted over 60 organisations from
both the public and private sectors certify to these
Standards. In addition, URM is also a Payment Card
Industry Qualified Security Assessor (PCI QSA) which
means that it has been certified by the PCI Security
Standards Council (PCI SSC) to assess organisations’
compliance to PCI DSS.
Regus / URM Business Continuity Survey – April 2013