Addressing business continuity in government

Earlier this year a fire was deliberately started at the offices of South Oxfordshire District Council (SODC), a fire that ultimately destroyed 85 per cent of the building making it uninhabitable for perhaps even two to three years. About 400 people worked at these offices so what happens in the meantime? How do these 400 people continue to do their job without an office to work in?
    
This is why we have business continuity plans. They ensure that, when we lose something that is vital to the way we function – whether that be buildings, staff, power, communications, suppliers, reputation – we are still able to operate as normal as possible.
    
As SODC know all too well, business continuity is not just for business, it is for all organisations whether they are in the private, public or third sector. All organisations are susceptible to disruption so all organisations must have plans in place that enable them to deal with such events. In some cases, public sector organisations are legally obliged by the Civil Contingencies Act 2004 to maintain certain services and so assess their risks and have plans in place to manage the consequences of those risk materialising.
    
In the case of SODC, in order to get staff working again, the immediate response was to enable some staff to work from home while some could work from other council offices. This would work well in the short term but would not be the ideal situation for up to three years, so the next step was to find temporary workspace that could take on the role of the destroyed offices. Business continuity managers at SODC would have conducted a Business Impact Analysis (BIA) that not only assessed the threats to the organisation but highlighted what the main activities are, as well as the resources required and dependencies involved. In conducting a BIA, the business continuity managers would have been able to demonstrate to top management what the priorities of the organisation are and the maximum time that can elapse before these activities must be operational again.

Recognising reliance
It is fires such as the blaze that ripped through SODC’s offices that always get the headlines, everyone loves a good disaster, and the visible evidence of such a disaster provides great television footage, but it’s important to remember that these events are rare. When they do happen they can be devastating but they don’t happen often. What does happen often are the less dramatic events that on their own may not have a big impact, but added together they can be costly, both financially and reputationally.
   
Take telecoms or IT outages for example. Historically these have been the number one concern for business continuity managers according to the Business Continuity Institute’s Horizon Scan report. You realise how reliant you are on communications technology when the phones or computers become unavailable. Like with most organisations, the public sector is heavily reliant on IT and if this stops working then it can bring people to a standstill. If it’s temporary then people can often find other tasks to be getting on with but if it goes on for too long then it can become damaging.

Cyber threats
What is becoming a major concern for many organisations is cyber threat and many government departments are often the target of these types of attacks, sometimes to steal data, but often just to be disruptive.
    
The Horizon Scan report revealed that cyber attacks are now the number one concern for business continuity professionals. According to the global survey, 83 per cent of respondents working in this sector expressed either concern or extreme concern to a cyber attack while 76 per cent expressed the same degree of concern towards a data breach.
    
So how do you combat the cyber threat? Technology is advancing all the time to prevent various types of attack, but so is the sophistication with which the attacks are carried out. What is perhaps the most important tool in preventing any unwelcome intrusion into your system is employee awareness. All too often it is a lapse in judgement by an employee which allows the attacker in – weak passwords, clicking on malicious links, opening harmful files. Staff need to be made aware of the threats posed and therefore consider their own actions.

The greatest asset an organisation can possess
They often say that the greatest asset an organisation can possess is its staff so what happens when those staff are unable to come into work?
    
The UK may not have extreme weather patterns the way other countries do – hurricanes, ice storms etc – but adverse weather events don’t need to be as catastrophic to cause disruption. Snow storms can play havoc with infrastructure and so prevent access to work, and flooding during the past two years had a similar result.
    
A relatively common disruption for public sector organisations is industrial action as staff can walk out in large numbers at relatively short notice for several days at a time.
    
Government departments are often the target for protest action and, while in most cases these are a nuisance rather than anything more sinister, it is often the uncertainty of what may happen next that causes more disruption. That can also be the case with acts of terror where the fear factor that emerges can cause more problems that the original incident. What is important in both cases is not just to make sure that your staff can work, but that they can do so safely.
    
Human illness is also a major risk and over the last few years there have been many ‘outbreaks’ – bird flu, swine flu, SARS and, more recently, Ebola. A pandemic can cause severe disruption by not just preventing staff from coming in to work, but by preventing them from working at all if they become unwell. While the outbreaks mentioned above may not have come to much (compared to what might have been), as with acts of terror, the fear factor often causes more disruption than the incident itself.

Responding to an incident
So how does an organisation respond to an incident that has the potential to cause disruption? Is the IT out of action? Can it be replicated elsewhere? There are many data replication solutions available that can migrate all of your data to a secondary system, removing the potential single point of failure that could result in you losing all of your data in the event of an IT disaster. With the increasing use of the cloud, in theory people should be able to uproot themselves and move virtually anywhere to get their work done, and in office based environments, this is certainly the case.
    
Is the building out of action, either because it is closed or because it is inaccessible? Is there a nearby workspace that can be used instead or can staff work from home? The technology that is available, either by enabling employees to log in to the server remotely or by using the cloud, makes this a perfectly feasible solution without too much disruption. If the disruption is on a much wider scale, can the important work be transferred to a separate location but within the same organisation. Again it comes down to ease of access to data.
    
Has there been a loss of staff? If this is down to inaccessibility of their workplace then again you need to look at options such as working from other locations. If it is down to inability to work, for example the result of a pandemic, then your plan needs to include a succession plan identifying who can cover the important roles, or whether staff are trained in multiple roles?
    
Whatever the crisis, it is essential to respond swiftly as the longer you delay action then the more disruptive the incident could become. Communicate to all your stakeholders what is going on and what you are doing to resolve it. People are a lot more understanding when you’re being transparent and they can see you’re making an effort to sort things out.
    
Of course making sure that your own house is in order is one thing, but in the globally connected and often complex world that we live in, most organisations are dependent on many other organisations that are contained within their supply chain. A supply chain is only as strong as its weakest link so it is important to make sure that the organisations you deal with have their own business continuity plans in place so they can manage any disruption that occurs to them.

Testing the plan
What is perhaps the key part of any business continuity plan is the validation phase – does it work? During an incident is a great way of finding out whether your plan works or not, but if the answer is that it doesn’t then it could leave the organisation in a bit of a mess. Testing and exercising ensures that the plan can be effectively assessed in an environment where it doesn’t matter if it goes wrong. There are several ways of exercising the plans and these range from table top exercises whereby the key players discuss different scenarios and what they would do if those scenarios occurred to a live exercise in which an incident is played out as if it were for real.
    
Disruptive events will always occur, whatever form they may take. By having an effective business continuity programme in place, it should mean that, in the event of an incident, a drama doesn’t turn into a crisis.

Further information
www.thebci.org