Practical, Cost Effective and award-winning

Business Continuity, Crisis Management & Information Security Solutions

Phone: 0800 035 1231 (Mon to Fri 9am – 5pm)

Suite 3, The Cotton Mill, Torr Vale Mills, New Mills, Derbyshire, SK22 4HS, UK

Having read Yossi Sheffi’s wonderful “The Resilient Enterprise” some years ago, I had high hopes for this book.  Sadly it didn’t quite live up to my expectations.

The book is organised in six sections and, for me, the most useful content is contained in the second (“Living with Uncertainty”) and fourth (“Supply Chains for the Future”) sections.  I will discuss these two sections below.  I’m afraid that the rest of the book is somewhat disappointing, as Sheffi appears to get dragged into areas in which he is not an expert.  These include:

  • An account of the pandemic that was clearly written in 2020, whilst Covid-19 was still rampant;
  • Guidance for Covid-safe working which, once again, was written in the midst of the pandemic; and
  • Discussion of broader political and governmental issues.

However, in the second and fourth sections, Sheffi’s real expertise in supply chain strategy is once again in evidence.  The chapters on dealing with fluctuating supply and fluctuating demand are excellent and provide guidance that is of use way beyond simply dealing with the current situation.  Later on he also tackles head-on the widespread criticism of Just-in-Time inventory strategies, arguing that the experience of Covid-19 identifies ways to improve JIT rather than discard it.

All in all, the rush to get this book out means that it will probably be superseded, as an analysis of the specific issues emerging from Covid-19, by later accounts with more perspective.  It does make a more general contribution towards a better understanding of supply chain continuity; but I would unequivocally direct people to “The Resilient Enterprise” before reading this one.

Virgin Money was in the news again on Tuesday when its digital services were hit by technical problems.  It is reported that current account customers were unable to make transactions and access their accounts for much of Tuesday, with many expressing their frustration on social media.  The timing was particularly unfortunate, coming at the start of a new financial year!  The bank apologised on Wednesday, saying that the issue had been dealt with overnight and that services were working normally again.

We have been blogging for many years about IT issues in the banking sector, including a story back in January 2020 about disruption at Virgin brands Yorkshire and Clydesdale Banks.  Fortunately, now that banks are required to report figures on “Operational and Security Incidents” to the Financial Conduct Authority (FCA), we are beginning to develop a better understanding of the extent of the problem.  Focusing for a second on Virgin Money, they reported 11 incidents in the year to 30th June 2020, including the following (some incidents affected multiple platforms, so the numbers don’t add up to 11):

  • 10 incidents affecting telephone banking;
  • 9 incidents affecting mobile banking; and
  • 6 incidents affecting internet banking.

11 incidents in total is certainly at the higher end of the spectrum, although Santander reported 12 in the same period.  What is more striking is the high number of disruptions to telephone banking, with twice as many incidents as any other banking group.  However, it appears that the situation may be improving, with only one reported incident in the last quarter of 2020 (and this didn’t affect telephone banking services).

As we reported last year, there appear to have been some initial data quality issues with the reporting of incidents to the FCA, but hopefully, over time, it will provide a useful dashboard of the state of IT resilience within the sector and drive further improvements.

We blogged back in June 2018 about an apparent steep rise in European automotive recalls over recent years.  Bringing the story up to date with the latest data from Sedgwick, we see another significant increase in 2019 followed by only a very modest reduction in 2020 (given the slowdown caused by the pandemic).

Even including the slight dip in 2020, we have seen a massive threefold increase in the number of recalls across Europe in only seven years!  Nobody seems entirely clear on the reason for this, or how long the trend may continue for.

Meanwhile we see a more gentle upward trend in food recalls across Europe, echoing our blog post about a rise in UK food product recalls in January.  Whilst we only have data here on two specific industry sectors, it does suggest that, at the very least, product recalls are a problem that just isn’t going away.

As well as helping our clients with their general business continuity and crisis communications planning, we are happy to advise on the specifics of managing product recalls, based on the good practice contained in PAS 7100:2018 – Code of Practice on Consumer Product Safety Related Recalls and other Corrective Actions.

Only 48 hours after the dramatic launch of Alex Salmond’s Alba Party, the Herald on Sunday reported that the names of more than 4,000 people who had signed up to attend party events were inadvertently made public.  Amusingly (or not, depending on your viewpoint), the list apparently contained a number of high-profile SNP members.  The issue has now been resolved, but the fact that such a high-profile organisation in the media spotlight made such a basic error in the first place reminds us that information security considerations are still not always given the priority they deserve in website design.

“Managing Risk in Extreme Environments: Front-Line Business Lessons for Corporates and Financial Institutions” has been on the bookshelves in our office since it was published in 2008 but, for some reason, I have only just got around to looking through it.  Given that

  • The book is 12 years old, and
  • I have not read it thoroughly;

this is definitely not a book review (there are a number of proper reviews on the Amazon website).  However, reflecting on some of the content of the book with the benefit of hindsight, I felt compelled to put pen to paper (so to speak).

The first point of interest is the delicious irony of the book being written by a senior credit risk manager at RBS.  Even as the book was published, catastrophic problems at RBS were being ruthlessly exposed by the credit crunch.  Over the course of 2008, the bank lost 87% of its value and ended up being bailed out by UK taxpayers.  Whilst not suggesting for a moment that the author bears any responsibility for this outcome, it would appear that RBS’s overall approach to credit risk management was not that good.

The second observation is around quotations from two members of the London Fire Brigade (LFB), talking about responding to the 7 July bombings of 2005 in Chapter 3.  A Crew Manager on the ground at the Aldgate explosion stated that “…our interaction with other agencies was spot on, it was the slickest rescue operation I’d ever seen.”  Meanwhile, LFB’s Head of Strategic Risk Management is quoted as saying “We plan for much worse events than 7/7.  That was just like training.”  Reflecting on these comments with the knowledge of what emerged in Phase One of the Grenfell Inquiry, one wonders if LFB were somewhat overconfident in their ability to manage truly complex incidents.

Finally, I was very struck by the discussion of pandemic planning in Chapter 1.  The then Head of Emergency Preparedness for the UK National Health Service explains:

The worst-case scenario…would infect 24 to 30 million people and leave close to 1 million dead.  We might consider draconian measures such as closing schools and sealing borders.

Obviously this did not come to pass in the 2009 ‘flu pandemic: is that one of the reasons why the UK was so poorly prepared for Covid-19?

Underlying these three observations is a common theme.  Based on:

  • RBS’s success at managing credit risk in the benign environment of the mid 2000s;
  • LFB’s success in responding to 7/7; and
  • The UK Government’s success in dealing with the 2009 ‘flu pandemic

each of these organisations appears to have inferred a greater ability to deal with more complex and disruptive challenges than was truly justified.  As we recover from the nightmare of Covid-19, organisations must carefully guard against the tendency to assume that if they have survived this then they can survive anything.  Covid presents a significant but very specific challenge: surviving it does not, in itself, guarantee that an organisation will deal successfully with the disruptions of the future.

How Safe are Data Centres?

Yesterday morning, millions of websites were off-line as fire raged through a data centre in Strasbourg.  OVH is the fourth largest web-hosting provider in Europe (after AWS, Microsoft Azure and Google Cloud), and operates four data centres on the Strasbourg site.  One 500m² data centre was destroyed and another was damaged in the blaze; the other two data centres were taken off-line but appear not to have been damaged.  Incredibly, OVH aim to have three of the data centres running again by the end of next week.  In the meantime though, high-profile customers, including the French Government, the European Space Agency, and the Pompidou Centre, have been severely impacted.

Whilst such dramatic incidents are extremely unusual, disruption to data centres is surprisingly common.  For example we have blogged in the past about:

  • Failure of both power supplies to a Telecity data centre in London in November 2015;
  • Failure of a BA data centre due to “human error” in May 2017; and
  • Failure of both data connections to a Hosting UK data centre in St Asaph in June 2018.

Research in 2010 found media reports of 32 major outages (average duration 15 hours) over a 30-month period.  Based on this level of publicly-reported incidents, the authors estimated an annual 2.5% chance of a major outage for a typical commercial data centre.

As we often say: you can outsource a process, but you can’t outsource the risk.  Whilst major providers of hosting services are extremely reliable (probably much better than you can achieve in-house), they are not infallible, so you must still have plans in place if they fail.  As OVH Chief Executive Octave Klaba wryly observed in a tweet to customers yesterday, “We recommend to activate your Disaster Recovery Plan.”

Unsurprisingly, the Business Continuity Institute’s latest annual supply chain resilience report is dominated by issues arising from Covid-19.  After years where supply chain disruption was dominated by IT and information security incidents, neither of these even features in the top 5 causes of disruption in 2020, which were:

  • Human illness
  • Loss of talent/skills (#4 in 2019)
  • Transport network disruption (#5 in 2019)
  • Adverse weather (#2 in 2019)
  • Health and safety incidents

Presumably, though, this is largely a temporary change rather than a permanent shift in the risk landscape.  Equally, it is not surprising to see increases in the incidence of reported supply chain disruptions:

  • 88% of organisations reported experiencing at least 1 disruption (up from 67% in 2019); and
  • 28% reported experiencing more than 10 disruptions (up from 6% in 2019).

The breakdown of where in the supply chain disruption originated is similar to previous years, with 56% overall originating with tier-1 suppliers.  However, in the specific case of Covid-19 disruptions the figure is only 46%; i.e. more than half of Covid-19 disruptions originated at tier-2 or below.

Aside from Covid-19 issues, there is cause for optimism in the finding that only 24% of respondents had not been able to recover any of the financial impact of their most significant supply chain disruption from insurance.  This is a big fall from last year’s figure of 43%, which itself came on the back of a sustained downward trend (down from 57% in 2016).  However, two-thirds of the organisations that were able to make insurance claims recovered less than half their losses, although some of this is related to specific Covid-19 exclusions.

The GDPR Enforcement Tracker website shows a dramatic increase in the number of fines being issued for data breaches in recent months.  Across Europe only 75 fines were levied in the first two years after GDPR came into force, or about 3 fines per month.  However, in the last 9 months a further 72 fines have been issued and half of these were in the last 3 months!  Indeed the Swedish regulator issued 8 fines, totalling €6.8m, in December 2020 alone.

Romania and Spain remain the most active regulators, with 28 and 16 fines respectively; whilst Italy has moved into third place with 12 fines.  Overall, across the 27 countries of the EU and the UK, 24 countries have now issued at least one fine under Articles 32, 33 or 34 of GDPR.

The UK remains a bit of an outlier, compared with other large economies, with the Information Commissioner’s Office (ICO) having only issued 4 penalties so far.  However, these include 3 out of the “Top 10” largest fines for data breaches, namely:

It is not clear why the ICO is taking a different approach to the majority of EU regulators, or whether this will continue from October 2021 under the next Information Commissioner.  It is also not clear whether the recent increase in the number of fines is a temporary blip or represents a new normal.  Regardless of these unknowns, the fact remains that data breaches are extremely costly, both in financial and reputational terms.  Follow the link to the Information Security section of our website to see how we can help you to minimise the risk of an information security incident.

At approximately 7pm on Friday 9th February 1996, a truck-bomb exploded close to South Quay DLR station, killing two people and injuring over 100 others.  At the commemoration yesterday to mark the 25th anniversary, survivors commented on how they feel forgotten.  Certainly the incident seems to have faded in the public consciousness faster than the bombings at the Baltic Exchange and Bishopsgate a few years earlier, or the Manchester Bombing four months later.  This is peculiar, given the loss of life and the attack’s political significance as the end of the Provisional IRA ceasefire.

Perhaps the relative lack of awareness of the Dockland Bombing speaks to an early success of business continuity management.  Presumably, in targeting Docklands, the Provisional IRA sought to replicate the success of previous attacks on the City of London; and cause massive disruption to the financial services sector.  However, firms in the sector had learnt quickly from those previous attacks and had invested heavily in their disaster recovery capabilities.  Thus, despite destroying a Midland Bank building and South Quay Plaza I and II (and causing £150m of damage), disruption to businesses was kept to a minimum.  Sadly, the same could not be said in Manchester four months later when an even larger truck-bomb devastated the city centre.

The 7/11 bombings, nearly a decade later, demonstrated that technical disaster recovery is only part of an overall solution; but the resilience demonstrated by businesses impacted by the South Quay bomb is still an important milestone in the evolution of business continuity management.  So, as we remember the victims and survivors of the attack, perhaps we can also take some professional pride in the fact that the incident is not as well known as it really should be.

Nearly a week on from Sky News breaking the story that Serco had been the victim of a ransomware attack, details of the incident are still very sketchy.  From a UK perspective, we are being reassured that the attack has only affected systems on mainland Europe, so that the NHS Test and Trace programme is not impacted.  That may be so, but the fact that the attack succeeded in one part of Serco does suggest that other areas could be vulnerable.  More broadly, it prompts further questions about the robustness of the controversial procurement process under which Serco was awarded the Test and Trace contract: what assurances on information security were required?

The restriction to mainland Europe is presumably less reassuring to some other major Serco customers such as NATO, the Belgian Military and the European Space Agency.  Serco appears to have assured these key customers that their data has not been compromised, but it is unclear what this assurance is based on.  Meanwhile, Serco has remained tight-lipped publicly, declining to comment on the impact of the attack or whether they have paid any ransom.

Serco’s strategy of trying to minimise the impact is reminiscent of the UK Government’s response to the news of a massive data loss from the Police National Computer only three weeks ago.  The Home Office’s initial claim that only 150,000 records had been deleted had to be revised upwards shortly afterwards (and may yet rise further).  Only time will tell if Serco’s claims of “nothing to see here” hold up to scrutiny.