Security and related disciplines to do with resilience have to work together, says David Thorp, pictured, the former Security Institute MD now executive director of the Business Continuity Institute (BCI). And that applies in your own career, and when responding to a security or other incident. Some sectors are cuter about catching on to that than others, he says.
Alliance
The BCI is looking at forming a ‘resilience alliance’, to reflect the fact that security, risk management, emergency planning, disaster recovery and facilities management (to an extent) each have a part to play in what David calls the ‘resilience spectrum’. It’s telling that he doesn’t have to reach far back, and doesn’t have to try hard, to come up with examples. Take the ransomware IT attack on the NHS in mid-May. David makes the point that most NHS trusts were up and running again within a week. That suggested that most hospitals had a business continuity (BC) plan, for recovery; ‘which means they thought about the risks, they covered all of the various bases, because it’s the sad nature of things that security doesn’t always work, things do slip through. Now my idea is that you are going to have a much more robust organisation, and for ‘robust’ translate that into resilience, if all of the various professionals with specialisms such as security, risk management, actually get together and discuss and plan for the eventuality; and the one thing that we can say with any degree of certainty is that this is going to happen again.” He offers the example of the British Airways weekend IT failure that grounded flights, leading to reputational and financial damage. Other BCI members – as it’s a worldwide body – may have to plan in extreme weather such as floods, bush fires or typhoons; or earthquakes. Security’s job is to close the doors, to protect assets; BC’s is to identify how the business can be restored as soon as possible: “They are like two peas in the same pod; you can’t have one without the other.” To leave David for a minute, this is happening; and as featured in Professional Security.
For last year we featured Guy Mathias, lately become strategy director at the Security Institute; his day job at Suntory Ribena has covered various risks, and his title nowhere included the word security. We interviewed in our July 2017 issue Neil Wainman, business continuity manager at e.on, a BCI stalwart and also someone who’s manned the ASIS UK stand at his nearest Security TWENTY event, in Nottingham the last couple of years. To return to David; he feels that the future, resilient organisation will have a head of resilience, that those risk functions will sit under; and that head will need an understanding of the various functions. Hence the BCI’s offering of a certificate and diploma (through Buckinghamshire New University), not unlike the Security Institute. David’s message then is that while there’ll always be a role for the specialists in a field, there’s convergence; and if those fields want boardroom influence, it’ll be through a head of resilience.
As an aside while it’s called the business continuity institute, we’re really talking about organisations, as BCI members (and the institute may concertina its name like the former British Computer Society became BCS) work not only for businesses, but the public sector. That said, David points out that small businesses lack BC; and yet when a small firm is hit by something major – whether a fire, flood or a data leak – many do not recover. And given how much of the UK economy is made up of small businesses, ‘that really is a worry’, David says. Hence the BCI’s ‘mission to society’ as he terms it, not just for members; it’s in society’s interest that organisations are resilient.
More in the August 2017 print issue of Professional Security magazine.
About the BCI
The Business Continuity Institute (BCI) dates from 1994. It runs an annual conference in London – BCI World, next on November 7 and 8. Visit www.thebci.org. Like ASIS, the BCI has chapters, usually by country, and within that forums – the UK has several regional ones that meet.
