spent on rehearsing for infrequent and unlikely events is, for commercial organisations, a luxurious opportunity cost which is not relished.


The Plan


Therefore, if we cannot change the quality of the people, nor spend too much time in rehearsal, the only variable that can be influenced positively and comparatively quickly is the quality of the plan. Academic consensus is often rare, and a lot of the literature in the academic debate is frequently mired in semantic arguments. However, in commentaries on resilience planning there is a growing consensus of ‘what is good’ that can be summarised together with some personal observations as follows:


• Large plans are seldom read and are less easy to use speedily; short plans are potentially better.


• Scenario planning, unless you are a highly specialised company or in a specific location (like a nuclear fuel company or an organisation based on a flood plain), is unwieldy at best and likely to misforecast the actual event.


• Generic plans are more flexible in the face of adversity.


• There is a convergence developing of business continuity, disaster recovery, crisis management and emergency planning under the banner of ‘resilience planning’.


Personal observations based on eighteen years’ experience include that:


• Subjectively derived risk assessments, which supposedly inform the plan, are of questionable utility.


• Good business impact analysis is critical to the plan.


• Strategic plans are often poor and thus promote the strategists’ ‘descent’ into tactical level activities.


• The achievement of ISO standards does not improve the quality of a plan per se, merely its ability to be audited.


• Prose based plans are less useful or at least less likely to ‘engage’ staff than diagrammatic ones.


• There is arguably a financial underinvestment in obtaining the quality of the planner who is required to author complex plans for global companies in a simple fashion.


Paradoxically perhaps, my studies have cast doubt on certain aspects of planning doctrine and are more questioning of conventional methods. What appears to influence the planner and thus the consequent plan are often far more mundane factors than might be imagined. Such simple factors as the planner’s age or seniority, and thus the organisation’s perception of their knowledge and/or experience, influence their credibility and the potential adoption of the plan. Planning is also deceptively difficult; it has to accommodate several constantly moving variables and is arguably always capable of refinement and improvement. In theory, resilience planning is pretty simple (bear in mind that ISO 22310 is only 24 pages long), but its implementation is extremely complex. In the planning process a myriad of factors shift and change in a kaleidoscopic way, not least of all the factors alluded to by Smith and by Elliot and colleagues. It appears, therefore, that even if we accept Mitroff’s analogy of the outer onion layer being the visible plan, this layer has a quantum quality where yet more and more factors can be taken into account.


© CITY SECURITY MAGAZINE – SPRING 2015


If an organisation can accurately identify at least some of the issues and influences involved in the planning process then plans and consequent responses can be made more proficient. A summary of the ‘fog of variables’ that potentially determines the quality of the plan is outlined in the diagram:


[Diagram: the ‘fog of variables’. Labels: Budgets for planning; The complexity of the organisations; Stakeholders’ obligations; Prior corporate memory; Executive support; The understanding of the problem; National culture; The educational level of the planner; The job grade level of the planner; Regulation or legislation; Nature of the business; Corporate culture]


In this ‘fog’ some issues are easier to deal with in the planning process than others. Usually, the hard question for the planner is not really the identification of the various issues, which are usually fairly evident. Rather, it is ‘what can be done in the plan to compensate for them?’ Smith noted that the culture of an organisation can ‘provide an environment within which such an event can escalate rapidly’ or alternatively it can be ‘central to the ability to cope’. The harsh reality is that organisational cultures do not evolve overnight nor are they changed speedily by the actions of the resilience planner. However, the recognition by the planner of any such cultural propensity can be used to shape the plan to better effect.


IT Literacy


Perhaps surprisingly, it can now be argued that one factor is emerging as being pre-eminent, at least in terms of making positive and quick improvements to the plan: the planner’s ‘IT literacy’ is now possibly the most critical issue in the authorship of a good plan. This is an area that the planner can do something about to influence the plan positively. The rationale for this is that Sainsbury’s supermarkets are no longer really grocers; they are technically IT organisations which move and sell food. Similarly, banks are IT companies that move money. The planner is not often an IT expert and systems are now phenomenally complex and interrelated. Seldom does one single person in an organisation have an effective grasp of all the IT systems and, as importantly, what the effect of their loss would be on operations or service delivery (this is perhaps especially the case with outsourced IT where the knowledge is externalised). It is utterly critical, therefore, that the planner gains this understanding, otherwise the plan could be fatally flawed.


The final justification for selecting the quality of the planning process on which to concentrate lies in the problem of testing or, more correctly, ‘validating’ the plan. Technically, a plan, aside from its IT focused recovery time objectives, can never be ‘tested’ in the absence of any control groups such as might be found in medical trials. Rehearsals, as mentioned earlier, are infrequent and have to deal with several possible incident scenarios. At the same time, the organisation is changing and staff turnover alters the people element of the equation. The resultant attitudes, dynamics, moods and biases of response teams constantly change, perhaps even on a daily basis. The only constant is therefore the plan, which admittedly also evolves over time; therefore my focus of effort as a consultant and as a student, at least for my study, remains the quality of the plan.


There is merit in a careful consideration of planning and perhaps the most compelling overall reason for more people to study this topic academically is the ‘Cassandra’ like position of the planner.


www.citysecuritymagazine.com


Cassandra was a Greek prophetess who was cursed to the effect that her highly accurate prophecies would always be disbelieved; the resilience planner is currently the corporate Cassandra. Fundamentally, one believes the opinion of doctors, lawyers and accountants because they are highly qualified and answerable for their opinion to their respective governing bodies. Therefore any measure, such as tertiary education, that can elevate the position of resilience planning to that of a credible profession can only be welcomed.


Chris Needham-Bennett, Managing Director of Needhams 1834


Chris is undertaking a Professional Doctorate in Security Risk Management at the University of Portsmouth.

