Ten Years of Teaching the CBCI Certification Course - What Has Changed?
Charlie looks at how the CBCI Certification Course (GPG) has changed over the last ten years.
Just before I start this week's bulletin, our thoughts are with the people of New Zealand after the attack on the two mosques today.
This week I have been teaching the CBCI Certification Course (GPG) in Glasgow and I found myself thinking about how the course and the Good Practice Guidelines (GPG)has changed over time. What I think is especially interesting, is how the points I emphasised and thought were important in my first course in Glasgow June 2009, have changed since then. Here are a few of my observations:
1. The students on my course were all relatively new to business continuity, but they all came from organisations which already had business continuity in place. Going back 10 years, all of those attending the course would have been from organisations with no existing business continuity, and delegates were attending the course so that they had the skills to roll out business continuity for the first time. I noticed in the new GPG that this had been taken into account, and the book talks about how to review an existing policy, as well as how to write a business continuity policy from scratch.
2. Resilience and resilience departments are mainly a very recent phenomenon, and so most of those attending the course were either in resilience departments already or were working towards this. One of the delegates worked for a bank, and her company was strongly embracing resilience by having multiple disciplines coming together, working under the same manager, a Head of Resilience. She mentioned that they had not quite finished implementing this, but it was definitely the direction they were taking. Often where the banks go, others follow, especially when it comes to business continuity.
3. Over the years there has been a gradual shift away from the importance of buildings. When I first started teaching, the main threat to organisations was the loss of buildings and often this would be double the impact, as the company's IT was housed in the same building. With changes in IT, systems are now housed in clouds or in dedicated data centre buildings, often separated from the main office where staff work. Alongside this, many organisations have the ability for staff to work from home. Culturally, this has become part of people's work-life and the technology is there for employees to easily access company systems from home. This has meant that there is less need for Work Area Recovery, and if staff can easily work from home the impact on delivery of activities is minimised.
4. Loss of IT has gone full circle. When I first started, organisations had one data centre, so if they lost it they moved to a second data centre, which took a day or two to set up and they only had the essential applications. Over the last few years IT has been very resilient. Large companies have invested in two data centres, which are either active/active or active and the passive one can be made active very quickly. Technology like virtualisation has made individual systems very resilient and so they are less likely to fail. In many cases it is hard to see how organisations could have a total IT failure. Ransomware and examples like NHS with Wannacry and Maersk with Notpetya, have shown us that the entire IT estate can be lost and the importance of a manual workaround have again risen in importance.
5. Telephony and how to recover from loss of telephony was a separate area that had to be looked at and a strategy needed to be devised. During the course, we talked about the importance of telephone switches and how they could be replaced. We still need to think about how we will recover call centre telephony and customer facing numbers, but on the whole telephones have gone down in importance. Messaging via email has not changed, but nowadays with mobile phones and social media platforms, we have multiple ways to contact people, which means our systems going down is less of an issue.
6. When I started teaching business continuity it was the main methodology which organisations used to improve their resilience. Business continuity focused on PPRS (People, Premises, Resources and Suppliers), but over the years the possible threats have multiplied, and there is a much wider appreciation of the large range of different threats. These vary from all things cyber, to reputation-only type threats, such as mishandled marketing complaints, to inappropriate behaviours from senior managers, and from misuse of personal data to cheating on emission standards. The incident management framework we teach on the course can very easily be adapted to cover a wide variety of different threats. For me, the GPG is missing a framework to identify the threats to the organisation beyond PPRS, and take into account some of the more reputation type incidents, and also the number one threat of the moment, cyber. Only once we have identified and prioritised all these threats we can start building the contingency plans, and carry out the mitigation measures to make it less likely that they will occur.
Like all good professions, business continuity has evolved and adapted to the changing environment. I personally think the GPG 2018 is a really good document and a good reflection of business continuity practice. I do think as the threat landscape is evolving, business continuity has to further adapt to ensure it remains relevant.