The CCBMatrix

AlarmSouth East

John Basinger ACII FCILA AIRMABCI

Roy Adams

Introduction

• The Business Continuity Consultants View

• The Local Authority Perspective

Aims and Objectives

• Brief overview of CCB

• What is Business Continuity Management ?

• Why do it?

• Promote discussion on what you need to do

• Set the scene for Roy !

What does the CCB say and do

• Single framework for civil protection in 21st Century

• Identifies roles & responsibilities for local responders

• Modernises legislative tools to deal with most serious emergencies

• Creates structure for multi-agency planning teams

What does the CCB say and do

• Provides a clear set of responsibilities& expectations for local responders

• Greater structure & consistency for multi-agency planning

• Councils are Category 1

Category 1 duties

• Risk assessment• Emergency planning• Warning & informing• Business Continuity Planning ( sole

responsibility for LA’s)• Co-operation• Information sharing• Generic advice to public at large

Your duty to Plan

• CCB relates to Emergencies

• Emergency Planning is one of the Authority’s duties !

• To fulfil that duty the Authority has to be resilient

• Therefore full BCP is required for the entire authority….. Discuss!

What is BCM?

“A management process that identifies potential impacts that threaten an organisation and provides a framework for building resilience with the capability for an effective response that safeguards the interest of key stakeholders, reputation, brand and value creating activities.”

Source - BCI 2001

A Management Process

• Not a bolt-on goody

• A dynamic, proactive and ongoing process

• Must be kept up to date to be effective

• Embedding BCM makes it part of the business process

• Avoids firefighting in an emergency

• Assists in preparation for “business as usual”

Key Objectives of an Effective BCM Strategy

• Ensure safety of staff• Minimise business interruption events • Maintain service delivery • Limit/prevent impact beyond the Authority• Demonstrate effective and efficient governance to

the media and stakeholders• Protect the Authority’s assets• Meet insurance, legal and regulatory

requirements

The Process

• Understanding your organisation• Business Continuity strategies• Develop and implement Business Continuity

response• Building and embedding a continuity culture• Exercising, maintenance and audit• BCM programme management

Understanding Your Organisation - Business Impact Analysis

• Needs ownership by senior management to ensure buy-in• BCM needs to be aligned with Mission Critical Activities• What are the key processes and functions?• Who are the key personnel?• How long before service drops below an acceptable level?• Interdependencies internal/external• Single points of failure

Understanding Your Organisation - Risk Assessment and Control

• “What ifs”

• Hazard register

• Likelihood (probability)

• Impact (severity)

• Risk ranking - accept, manage, reduce, BCP

Business Continuity Strategies

• What is your appetite for risk?• Manage in-house• Third Party contracts• Reciprocal arrangements• Checklists• Contact lists etc

Develop and Implement BC Response

• Establish management of the process

• Ascribe responsibilities

• Establish Risk Management Team(s)

• Communications

• Public Relations

Building and Embedding a BCM Culture

Ongoing programme of -

Education Awareness Training

Exercising, Maintenance and Audit

• Exercising of BCM plans

• Rehearsal of staff and BCM teams

• Testing of technology and BCM system

• BCM maintenance

• BCM audit

The BCM Programme

• Executive commitment and proactive participation• Organisation (corporate) strategy • BCM policy• BCM framework• Roles, accountability, responsibilities and authority• Finance• Resources• Assistance• Audit• Management information systems• Compliance• Change management

Conclusions

• Business Continuity is Business Management

• Pre-planning pays off

• Plans need to be kept up to date

• Plans need to be kept simple

• BCM is peace of mind

Theory into practice-the challenge!

EmergencyPlanning

Day to DayFunctions

Business ContinuityPlanning

Utilities

BlueLights

LocalBusinesses

CentralGovernment

AuditCommission

Business as Usual? – have you thought about CCB?

• Its big, potentially one of the biggest issues for Local Government

• It will affect every organisation involved in Government and Emergency Services

• It could save lives or cost lives• It is beyond the skills of anyone individual…

Vision Statement

• The CCB is designed to ensure that the Country is able to withstand a serious event with the minimum disruption to Society

• The CCB imposes clear duties upon Local Government and the Emergency Services- there is no “opt-out” clause

It will never Happen!

• Remember Manchester? £257m, Canary Wharf £117m, 2002 storms £1.25billion. Plus lost lives!!!

• ABI impact indicates incident in London hits all the travel to work areas

• ABI plans East Coast/Thames estuary flood £8-10billion + lost business

The Challenge

• Deal with the “event” • Handle the effects i.e. Evacuations, Damage

limitation, Crisis Management• But Now determines the role of the local

authority & looks for continuity of service from the Authority and “other providers”

Today’s Issues

• Presently EPO’s and Council teams have plans for external events and not Business continuity in a wider perspective

• These plans were found wanting in recently i.e. fuel crisis, M11 Snow, and exposed the “gaps” in contracts and partnerships

• Even the roles of emergency service and military were confused.

How Did We Get in that situation?

• Role of EPO’s and Councils have changed following recent incidents- wider involvement- lack of clarity

• Original assumptions are no longer valid the Public expectations are “Service” as usual

• Society is more complex with centralised supply chains, outsourcing, diversity of Health Care and essential services

Partners=Problems

• No contractual responsibility for out sourced services

• No real strategic grasp of the wider issues • Who pays syndrome• Isn’t this your problem?• Outsourcing does not remove the

responsibility.

What are the threats? [P45?]

• Public Outcry= Politicians embarrassed• Awkward questions- [No Blame Culture?]• No single person/organisation at fault• Press pressure- why no scapegoats??• Embarrassment=Action=CCB• CCB=You! [No blame culture???]

Our Challenging Society of Risk

• Terrorism, WMD’s, “flixborough’s”• But also “rights” extremists, Hackers,

Globalised Suppliers, infrastructure i.e. I.T/ WWW, Electronic banking etc

• No natural inbuilt “resilience” in society Who will face the litigation? “someone’s at fault! “

• No experience or tolerance of mass disruption since WW2.

The CCB Solution [Passing the Buck?]

• No Centralised system-[ “no CG blame?]• Wide definition of emergency!!• By decentralising the onus is upon Local

Authorities and Emergency services to get things right

• No matter what happens, there will be Litigation, Enquiry’s and Scapegoats.

The “Way out of the CCB Matrix?” Route 1

• This is a BIG and NASTY risk, get it wrong and it could be fatal in real terms

• Assess your role and the risks for your area, work as a group. No Opting Out

• Learn from others, what has happened before, natural, accidental and deliberate

• Clearly define your role/ responsibility

Route 2 Provide Services

• Get your own Business continuity plan in place, keep it simple, many incidents are generic.

• Plan as if there are 2 incidents-• The external event and your response• The impact of the event upon your own

service provision

Route 3 Simple Problems- Big Impact

• Money- set up agreements or credit cards• People- who will do what? i.e. the senior risk

and insurance staff could be involved in both-EPO’s, H&S, Adjusters? who does what?

• Access- to your property, the area, systems, facilities.

• Transport, where do you live? Will it work? Would you be allowed access?-SOCO etc

Route 4 Plan Ahead

• Assuming you have your business continuity plans in place do you know what is expected of your organisation

• Giver or Receiver?- your plans will differ• Big or Small? County Plans should dovetail

with Districts, neighbours? • Never ever assume – ask, know your place

Route 5 Other Routes

• Duty on other category 1 providers to assess risk, maintain plans, publish and maintain arrangements to warn, advise and inform the public in the event of an emergency

• Category 2 duties to co operation with Cat 1--- but how?, needs evaluation and action plans

Oh yes, there’s more

• Advice on Business Continuity to others- keep it simple- seminars etc, use Brokers BCI or ABI etc [it’s in their own interest!]

• Remember that you cannot design the plan for others, keep it generic or get sued!

Who Pays?

• Only small % is insurable• Bellwin -1/2% excess, not if insurable• Taxpayers?• Or is it a case for Central Government to

agree to underwrite the costs?• A the outset involve accountants to agree and

monitor expenditure, and records of why when etc.

The Carrot and the Stick- The stick

• CPA’s- Business Continuity on agenda• Corporate manslaughter-• Press reaction• Litigation- Hindsight!!• Political fall out• Career?

Recommendation

• Identify the risks- include on Strategic Risk Register

• BC Plans- link to Services, EPO’s and test• Record all outcomes, if funding is needed

then ask. If no funding then the responsibility passes up the chain [so does the blame!!!]

Finally the Carrot

• There is no carrot• Only the knowledge that if something does go

wrong then you and your colleagues could actually make a real contribution to the welfare of others

• If not then how will you reply when the questions are being asked????

And now John’s Practical Tips

Practical advice

• Ensure buy in from the top

• Involve all departments & stakeholders

• Ensure BCM is embedded into day to day management

• Raise awareness

• Plans need to be kept simple & up to date

Practical advice

• Exercise your plans• Involve insurers / adjusters • Train your crisis management teams• Crisis logs- to demonstrate rationale of decision

making, expenditure etc. • Things happen in a way you can’t always

predict.Therefore plan in flexibility.

Final Thoughts

• Even if the Bill is amended further the concept and duties will still remain

• It will not go away, and BC is part of the CPA• Proaction is better than no action• It will cost money, remember your budgets-

bid now for funding…