The Final Draft International Standard (FDIS) for ISO 22301 was released on the 1st of February so it seems almost certain now that the new standard will be formally approved in the next few months.  There has already been a significant drop in BS 25999 certifications over the last year or so and, as in previous similar cases, it is anticipated that once the ISO has been approved the British Standard will be completely phased out.  So, whilst a full post-mortem is a little premature, it is maybe a suitable moment to reflect on the impact of BS 25999 over the last 4 years.

In terms of the number of certifications, BS 25999 has undoubtedly been somewhat disappointing.  There don’t appear to be any official figures; but a search of numerous media databases and the internet reveals less than 100 organisations worldwide that have announced that they have achieved certification.  Obviously this search strategy will have missed some organisations, particularly smaller ones, but it still gives an order of magnitude.  It may be a little unfair to compare directly with ISO standards, but in the first year after release ISO 14001 (Environmental Management) had 14 000 certifications and ISO 27001 (IT Security) nearly 6000.  It will be interesting to see how ISO 22301 compares with these figures once it is released.

Notwithstanding the lack of interest in certification, it would be wrong to say that BS 25999 has been a failure for it has in fact been extraordinarily successful in terms of spreading good practice in Business Continuity.  Whilst the principles contained in the standard were already contained in, for example, the BCI’s ‘Good Practice Guidelines’; encapsulating this good practice in a British Standard has vastly increased both the awareness and acceptance of these principles.

One of the most interesting aspects of the BS 25999 story has been the way it has been accepted globally, with roughly half of certifications being awarded outside the UK.  Perhaps BS 25999′s lasting legacy will be the stimulation of this international convergence on good practice in Business Continuity which has paved the way for ISO 22301.

It is both tragic and very surprising that people could lose their lives on a modern cruise ship, in perfect conditions within sight of land; as happened this morning when the Costa Concordia ran aground.  It is not appropriate or useful, at this early stage, to speculate on how the accident occurred or how it resulted in fatalities.  However, it is instructive to look at the crisis communications by Costa Cruises in the immediate aftermath of the accident.

By 1300 GMT today, only 2 updates had been posted on the Costa Cruises website, the last of these at 0500.  Whilst these contained a number of important messages such as: expressions of sympathy to the bereaved and thanks to emergency services; they provide very little information about the cause of the accident and the conduct of the evacuation.  This left a vacuum that was quickly filled by news websites carrying eye witness accounts (and video clips) and references to a previous fatal accident involving a Costa liner.  Furthermore, there is no practical information for passengers who were intending to take cruises in the near future besides saying that “The Guests [sic] had to embark today in Savona and in subsequent ports will be contacted directly by Costa Cruises.”

As in a number of other recent, high-profile incidents; effective communication with stakeholders was further impeded by practical problems with the website.  The English language version was unable to cope with demand at times this morning and the German and Italian versions were still struggling this afternoon.

See also previous posts about NI Water and Beko.

As product recalls go, the current  problems with PIP breast implants are pretty much a perfect storm:

• There is a perceived risk of serious harm to large numbers of people but the scientific evidence is, as yet, inconclusive;
• Responsibilities are dispersed across a complex, international network of actors including the manufacturer, governments, regulators, the NHS and, crucially, the clinics that actually performed the operations; and
• The situation has to be managed in the full glare of the media spotlight.

Unsurprisingly this has resulted in a number of different responses from the clinics involved.  At one end of the spectrum, organisations such as Nuffield Health, Spire Healthcare and BMI Hospitals have given strong assurances that they will continue to provide whatever support patients require.  Unfortunately though, these providers only account for a small proportion of the operations performed.  In stark contrast, the 4 providers who are believed to account for 60% of use of the PIP implants have been much more equivocal about what their patients can expect.  Indeed one of them, Transform, has taken a very aggressive stance saying “The agency [Medicines and Healthcare products Regulatory Agency] must bear responsibility for the current situation.”

In any potential product recall situation, organisations must balance the immediate cost of the recall against the potential long-term costs, particularly reputational damage, of being too slow to react.  There is no magic solution to this question and only time will tell what the long-term effect will be on each provider in this particular case.  What is beyond doubt though, is the need for each provider to be communicating effectively with anxious patients to ensure that they receive the information and reassurance that they need; and there are already signs that this is not happening in all cases.

The news earlier this week that Intel sales this quarter will fall short of estimates provides a fascinating perspective on supply chain continuity.  Intel’s sales have not been hit by disruptions experienced directly by either a supplier or a customer; but a global shortage of hard disk drives, caused by damage to factories in Thailand, has caused Intel’s customers to reduce production and hence reduce their orders for Intel’s chips.

The BCI’s recent supply chain resilience survey highlights how commonplace supply chain disruptions are and also the various strategies that organisations are successfully employing to mitigate the risk.  But a situation such as Intel’s represents a new level of complexity in supply chain continuity and presents a significant new management challenge.

The public sector pensions strike planned for Wednesday 30th November will undoubtedly highlight many Business Continuity issues for organisations across the UK.  In particular, businesses may experience significant staff absences due to school closures; exacerbated in some areas by localised suspension of public transport.  One of the biggest impacts though is the predicted severe disruption at Heathrow, and other airports, due to the lack of Border Agency staff.  The way that airports are being affected by disruption to a key supplier (who just happens to be a government monopoly) which, in turn, is affecting their customers (the airlines) is a powerful illustration of how disruption propagates up and down supply chains.

The Business Continuity Institute’s recent Supply Chain Resilience report confirms the importance of supply chain issues as a continuing source of disruption globally; explores where in the supply chain these disruptions originate; and what steps companies are taking to manage these risks.  The key findings in the report were that 85% of businesses experienced some form of supply chain disruption in the last year and that 40% of these disruptions originated beyond the immediate tier-one supplier.  Indeed nearly 10% of disruptions originated in tier-three suppliers or below, so the experience of the airlines, where disruption is caused by a problem with a supplier’s supplier, is surprisingly common.

In terms of mitigating supply chain risks, the BCI survey found that half of respondents asked for copies of suppliers’ BCM plans (roughly similar to previous surveys) and 26% claimed that they looked for certification to BS25999 (or equivalent, up from only 5% 2 years ago).  Perhaps more importantly, 51% of respondents report that they actively validate their key suppliers’ plans (up from 31% in 2009) by, for example, running workshops or exercises with them.  Other mitigation strategies that respondents have pursued include bringing an additional supplier on board (31%); changing suppliers (31%); in-sourcing activities (26%); or transferring some or all of the the risk by purchasing insurance (12%).

The new international Business Continuity standard, ISO 22301, will move a step nearer to publication next month when the Final Draft International Standard (FDIS) is released.  The FDIS will then be circulated to all ISO member bodies who will vote whether or not to approve it in early 2012.  If it receives the required two thirds majority, it is expected that the standard will finally be released in April or May 2012.

Follow the link for more information on ISO 22301.

In today’s Telegraph the Rev George Pitcher provides a very critical analysis on how the Chapter of St Paul’s has (mis)handled the current problems caused by the anti-capitalist protest outside the Cathedral.  Whilst his perspective is very interesting I strongly disagree with his central assertion that the mistakes that have occurred are “Rooted in a deep-seated psychological disorder of the Church”: what he describes is, in fact, a fairly normal organisational response to a crisis.

The first issue that the Rev Pitcher focuses on is the absence of appropriate command and control arrangements for dealing with a crisis; stating that canon Giles Fraser was completely on his own during the early stages of the incident.  Sadly though, and contrary to the assertion that “This would never happen in any other commercial or institutional organisation”; it is still commonplace to find organisations that have no defined Incident Management structure.  Furthermore, even where teams have been established, they often lack the training to carry out their roles effectively.

The second issue that he highlights is the problems that St Paul’s has encountered in working with key operational partners, principally the Corporation of London.  Once again, this is a significant weakness in many organisation’s planning for and response to crises.  Modern business is based on a network of relationships with partners, suppliers and customers and crisis management planning must take these into account.  As a minimum, it is vital to identify who these stakeholders are and how one would communicate with them in a crisis.  Ideally these key organisations should be integrated into your crisis management structure but this is rarely achieved.

So, whilst agreeing with much of what the Rev Pitcher says, I think that we can draw lessons that apply much more widely than the Church of England from this incident.

As well as resulting in tragic loss of life and causing misery to thousands of other people caught up in them, the ongoing floods in Thailand are also impacting on many businesses.  Honda, Toyota, Nissan and Sony are amongst those affected, and whilst the impacts so far are not believed to be serious, if it should ultimately result in supply chain outages the costs could be very significant.

Following on from the Japanese earthquake and Tsunami, it is a further reminder that sourcing your supplies abroad does not come without risks.  It is important to be absolutely clear on where your critical supplies are manufactured and what contingency plans your suppliers have in place.

Further information on the cost of disruptions is available in the Downloads section of our website.

Millions of Blackberry users across Europe and the Middle East were left without email, web browsing and messaging services following a disruption to the network infrastructure on Monday morning.  The makers of Blackberry, RIM, announced on Tuesday that all services were operating normally again, and apologised for the inconvenience, but problems have persisted for many users and have now spread to the US as well.

A lot of the media coverage of the incident expresses shock and outrage at the scale of the outage and the slowness of RIM’s response but, in fact, this story simply exemplifies 3 recurring themes in Crisis Management:

• We underestimate the potential for wide-scale disruption (it’s only last month that a problem at a single sub-station escalated to leave 5 million people in the US and Mexico without electricity);
• Recovering from a business disruption generally takes longer than expected (like wars and large construction projects); and
• Effective communication with stakeholders is essential in a crisis, but usually lacking.

Interestingly, despite all the adverse media coverage and dire predictions about the future of the Blackberry, RIM’s share price has hardly moved over the last two days.

The Information Commissioner published a report last week into an incident that occurred in March this year, when a CD containing personal data on 1.6 million people was lost during an office move at Eastern and Coastal Kent Primary Care Trust (PCT).  Clearly people will be concerned that data losses such as this are still occurring after so many well-publicised incidents, but the interesting aspect of this story is the way in which it sheds light on attitudes towards risk management in some organisations.

The PCT has published quite a detailed explanation on its website, from which it is clear that a formal risk assessment process was undertaken (and appears to have been documented) before making the decision to store the CD in a filing cabinet.  The PCT then goes on to reassure people that the data was “not current – the most recent information was from 2002″; but offers no explanation as to why they needed to continue storing this data on a CD.  It seems very unclear why anyone required access to this non-current data in this format?

There is always a danger with formal risk management processes that people become so focused on the process that they forget to ask obvious questions like – why are we storing this data in the first place?  No policies or procedures can substitute for common sense.

Follow the link for more information on Risk Evaluation and Control.