Organisational resilience

No organisation can afford to be without a comprehensive, documented and fully integrated business continuity management system consisting of policy, strategy, plans and a mechanism of continuous improvement.

We can support you to develop your business continuity management systems, including oversight and reporting frameworks. Our approach is scalable and applicable to organisations regardless of type, size and output. We can help in a variety of ways, including the development of Policy, minimum requirements and control libraries, to metrics for reporting on resilience and governance structures to oversee this.

We can help you with:

• Management system design and implementation covering resilience related disciplines (e.g. Business Continuity, IT Service Continuity, Cyber and Supply Chain Resilience)
• Policy and detailed guidance development to enable the execution of resilience related processes across the organisations
• Development of reporting and assurance programmes to improve senior management’s understanding of whether preparedness and response activities are having a measurable, positive impact
• Alignment with and implementation of current management standards: the International Standards for Business Continuity Management Systems, ISO 22301 and ISO 22313 and the International Standard for ICT Continuity Management, ISO 27031

When a disruption happens organisations need to reduce the impact on their customers, and get their critical services back up and running as quickly as possible. As organisations face a growing range of technological, cyber and operational threats, a failure to recover effectively and protect customers could have significant brand impact.

We can support you with the development of continuity and recovery plans for your most critical business operations and technology assets. Our approach focuses on developing plans that are ‘actionable’ and not ‘aspirational’, that provide a clear path for technical and operational teams to execute the ‘fix’ while senior leadership manage the incident.

We can help you with:

• Strategic Business Impact Analysis to help you identify what you really want to protect, the risks that you need to plan for and what you need to be able to achieve in a disruption
• Identifying and mapping critical services and functions to operational dependencies including key systems, staff, third parties and locations
• Understanding and mitigating the potential risks posed by third parties in your supply chain
• Identifying, evaluating and selecting optimal continuity strategies for staff, technology, office sites and third parties. We understand the balance that needs to be struck between cost, risk and ease of execution
• Developing Business Continuity, IT Service Continuity and IT Disaster Recovery Plans
• Developing progressive testing programmes to validate and improve continuity and recovery plans

Organisations may face risks and events that are of such a significant scope and impact that they cannot be effectively managed by generic continuity and recovery plans alone. These can include high impact events such as a catastrophic cyber-attack, critical supply failure or an industrial dispute. Similarly, these may include major change initiatives that organisations want to happen (for instance a product launch) but where a poor execution could have significant reputational impacts. Planning for major risks and events requires considerable pre-planning to identify what the response needs to look like should the scenario materialise, and any actions that need to happen prior to the event to reduce its impact.

Our approach combines tried and tested business simulations to help senior management explore best and worst-case outcomes of specific scenarios, with detailed operational and technical planning to make their subsequent decisions executable.

We can help you with:

• Scenario planning techniques to identify potential outcomes of major risks and events you know will happen
• Development of Contingency Plans and scenario specific ‘playbooks’ that set out decision triggers, considerations and response actions should the scenario materialise
• Development of Operational Readiness programmes for major events that you want to happen, focusing on developing and validating the capabilities required for a successful ‘Day 1’

Incidents frequently hit the headlines and reputations are at stake. In these circumstances, organisations need to understand why they happened, how effectively they responded, what they can do prevent similar scenarios and how they can improve a future response. Ultimately, organisations need to be able to demonstrate to stakeholders and regulators that they are able to learn lessons from incidents, implement these and enhance the resilience of customer service.

We examine events before, during and immediately after an event to understand the root causes, effectiveness of response and adequacy of any remediation actions taken, including customer redress. Through our experience of conducting post-event reviews following recent high profile incidents, we have developed an approach which focuses on the facts to establish ‘what went wrong’, ‘how it happened’ and ‘how effectively we responded’. We bring a multi-disciplinary capability to ensure the right combination subject matter expertise and experience is brought to bear in what are often highly sensitive issues.

We have a structured approach for Post Event Reviews that looks across four main areas of People, Processes, Technology and Governance, addressing key elements in pre-incident, during incident and post-incident stages.

Technical investigation

• Understanding not just the cause but the ‘root’ cause and underlying issues which triggered the event.

Assessment of the effectiveness of the response

• Review of response actions taken to manage and resolve the issues, including: the operational and technical resolution, communication and coordination across operational stakeholders, and senior leadership and decision making (including customer redress)

Identification of lessons to be learnt

• Assessment of immediate actions to improve resilience, and medium and longer-term changes