Today marks the start of Business Continuity Awareness Week (BCAW) 2016, the annual event aimed at raising awareness of the importance of business continuity globally. As in previous years, we shall be blogging regularly throughout the week.
Unusually for me, I start off this blog with a quote from ISO 22313:
“Exercises should be realistic, carefully planned and agreed with relevant parties, so that there is minimum risk of disruption to business processes and of an incident occurring as a direct result of the exercise” (para 8.5.3).
Despite this good advice having been available for the last four years in ISO 22313 (and previously in BS 25999 and other national standards), there have been two high-profile examples in the last week where the advice has not been heeded.
Firstly, at the start of last week, Greater Manchester Police (GMP) were subject to an angry backlash when it became public that they had initiated an exercise to practise their response to a major terrorist incident in the city with a masked figure shouting “Allahu Akbar” before setting off a bomb. The significant offence caused by this was entirely predictable but, for some reason, had not been picked up in the planning of the exercise. As a result, instead of GMP being praised for making the effort to test their response plans, the media coverage of the exercise focused on the Police’s stereotyping of Muslims and lack of sensitivity.
Then, less than a week later, there was another incident in Manchester. As has now been widely reported, Manchester Utd’s last Premier League game of the season had to be postponed yesterday after a suspicious device was found at the Old Trafford stadium. It subsequently emerged that the fake bomb that triggered the alert had been left behind after a security training exercise earlier in the week. Once again, instead of the club receiving praise for taking security training seriously, they are being criticised for making such a public (and very costly) blunder.
These two examples serve as powerful reminders to heed the words of ISO 22313 when planning exercises. Exercises are a vital part of any business continuity programme, but care must be taken to ensure that the exercises themselves don’t end up disrupting the organisation.