RiskCentric | Thoughts on Risk, Compliance and Technology

Feb/12

15

Control Issues Registers

Sometimes I just get an urge to dig a little deeper – beyond what’s actually reported when there’s a major financial incident – normally involving a rogue trader or a big mis-selling scandal. The thing that sparked my interest goes back a long time – to the Barings collapse following Nick Leeson’s trading activities. What interested me was that one of the key issues (i.e. a basic segregation of duties issue) was known and had been flagged up by internal audit.

Since then we have had many other major rogue trading incidents – and all have displayed that common attribute: an internal control issue was raised and communicated to management some time before the rogue trading incident fully manifested itself as a major scandal. Some of them will be very familiar:

  • AIB / Allfirst
  • Caisse d’Epargne
  • Societe Generale
  • Merrill Lynch; and, more recently,
  • Credit Suisse

It’s interesting to note that the control weaknesses that provided the opportunity for these traders to break limits, hide trades, perform spurious valuations etc. were known, and had been known for some time. So, are some of the world’s most prestigious financial institutions run by management that prefers to bury its head in the sand rather than deal with internal control issues, or is there something more subtle going on here? Let’s reflect a little on how often financial performance is measured compared with control issue clearance. I think we know the answer: financial performance is measured MUCH MORE frequently than boring old internal controls – and, let’s face it, how many organisations have the “1 sheet of paper” approach to establishing the key internal control issues to be addressed in their organisation? Most organisations will have a plethora of control issues registers – possibly one for every group that performs some kind of risk oversight and assurance activity. The problem here is that important stuff can just fall off the radar. We need an enterprise-wide control issues register that senior management are apprised of at the same frequency that financial performance is reported. That way, the numbers AND the risks to the integrity of the numbers are reviewed at the same time by the same people.

Now I don’t lay claim to having found the solution for eradicating rogue traders and ignored control issues; sometimes – as history has shown – wilful blindness has played its part. But if we had a permanent record of significant control issues that always accompanied “the numbers”, there would be a constant reminder that the numbers can’t always be relied upon.

Feb/12

8

Where does our time go?

It’s one of those questions: many of us know we’re really busy, but if asked what we are working on, we can struggle to point at anything really specific. I spend most of my time working with the heads of compliance and risk assurance, providing them with a solution to help them, among other things, discover just what is going on in their departments. Many struggle to stay on track with their scheduled monitoring work because of the continuous stream of “side issues” that eat away at the available time of the team as a whole. The problem, of course, is that these “side issues” must be attended to; they are normally issues raised within the business that require compliance involvement to provide advice and guidance – and they must be dealt with as a priority. The frustrating part is that you know your time is being eaten away, but retrospectively it’s virtually impossible to pinpoint what activities actually eat it away and what prompted them.

The problem is email: although electronic mail is a wonderful tool for connecting and communicating with people across the enterprise, it has some unwanted side effects. The downside is that, because communication is individual to individual, email creates information silos that are difficult to consolidate and almost impossible to track from a single point. Because of this, a question such as “what has your department / group done this month?” becomes very difficult to answer, because the real workload information is tucked away in the inboxes of several individuals. Trying to perform retrospective analysis to consolidate this information is a nightmare and is itself a drain on resources.

What we need is a better way to manage emails. Faced with a challenge like this, the natural reaction is, “We need a solution to support enterprise-wide compliance and risk management” – but the likelihood is that, following the pain and expense of implementation, such a system will fall into disuse within 12 months. (I’ll go through the reasons for this in a later post.) Compliance and other risk oversight functions need an application for managing their work and associated record keeping, but “another app” is just what the rest of the organisation doesn’t need. What’s needed is a better way for the rest of the organisation to communicate with compliance. We need an approach whereby emails received from regulators and from staff that prompt compliance and risk department staff to do something are treated differently from the day-to-day electronic “chatter”. Regardless of who sent them, we need to be able to update a centralised “register” that logs all issues currently being handled by the compliance/oversight group. An approach like this brings several significant benefits:

  • The number of issues being fielded by the compliance/risk department can be easily seen;
  • Record keeping of the response given can be logged for retrospective review;
  • The approach is completely non-obtrusive, the default and preferred method of communication – email – remains.

Now this may seem like a bit of a “Nirvana” – a centralised repository that can be monitored, interrogated and disseminated for reporting purposes, all driven via your existing corporate email system. But it is achievable, with the right technology applied in the right way.

It seems that the Council of Europe Parliamentary Assembly (PACE) are making similar observations on the H1N1 contingency preparations to those many made following the benign advent of Y2K. They have criticised WHO and governmental responses to the H1N1 pandemic, saying that there has been an over-reaction to the H1N1 pandemic resulting in a “waste of large sums of public money, and unjustified scares and fears about the health risks faced by the European public”. I was involved in helping a number of organisations with both Y2K and pandemic preparations, and there is an alternative view we might take: for Y2K we upgraded software and hardware systems, tested and, where appropriate, remediated. We also thought about contingency plans if public transport or utilities were affected. When nothing (or very little) happened we were criticised for scaremongering. Could it be beyond the realms of possibility that, as risk management professionals, we mitigated the risks effectively so that the impact was negligible (i.e. we did the job we were supposed to do!!)? The pandemic planning initiatives may well be under fire for a similar reason. The level of virulence of H1N1 was in the hands of the gods and, like Y2K, no-one knew just how severe and widespread the effects might be. UNLIKE Y2K, we could not perform tests by creating a future scenario (i.e. rolling dates forward in a controlled environment and seeing what happens). All we could do was plan for the worst and implement preventive countermeasures to minimise the impact (this, for the benefit of PACE, is called RISK MANAGEMENT!). And it may just be that the preparations that many government agencies and commercial organisations put in place did prevent a significant amount of cross infection and thus prevented the feared outcome of the pandemic. So, I have three observations for PACE:

1. As the strength and virulence of the H1N1 virus were unclear, given the potential impact, planning for the worst was the most prudent approach;

2. As regards PACE and their observations, it’s amazing how many people develop 20/20 vision with hindsight;

3. It’s good practice to plan for large scale absenteeism – you never know, loads of your staff could be stranded overseas because commercial airspace has been closed indefinitely. But to cause airspace disruption of that magnitude would require something like a massive volcanic eruption, and what are the chances of that happening!!

Did Twitter Save The Day?

Although I consider myself “tech savvy”, I have to admit that as far as social networking, and Twitter in particular, go, I just didn’t get it – particularly in a business context. I just could not see how “Tweeting” had any place at all in a commercial context. So, when I saw an example of Twitter being used for customer communication in a business recovery context, I decided to dig a little deeper. Most people know what Twitter is and the basics of how it works: you have a Twitter account, you post messages (called “Tweets”) and some people “follow” you (if they’re interested in what you are posting). Unlike blogging, Twitter restricts you to publishing quick, frequent, 140 character messages. Your “followers” then pick up alerts via their Twitter home page, their elected email account or their mobile telephone, if the phone and their network provider support it. That’s all well and good, but what’s the point of it in a business context?

This week I got my answer. During the course of gathering updates to our business interruption statistics database, I came across an interesting news article that led me to a little further research, which I thought I should share with the readership of Continuity Central: the news item related to a power failure that hit an IT services company called Codero, based in Phoenix in the USA. What sparked my interest was that they used Twitter as a means to keep their customers informed of progress and to deal with specific customer issues during the recovery phase. The firm had to recover hundreds of servers, and some customers (as you might expect) had more problems than others in getting back up and running. Much of the customer interaction (and the logging of it) was managed via the company’s Twitter account.

So why was Twitter a good way for Codero to support and communicate with its customers during its recovery activities? A little further research shows some real advantages of using Twitter in this way:

  1. Those who want to follow you just need to set up a Twitter account themselves and then opt to follow you. Therefore you don’t have to remember or maintain contact details for each of your customers;
  2. The person following your tweets can also elect to receive updates to an email address of their choosing or to their mobile telephone. The “tweeter” has no need to know where to send the message; the receiver chooses the delivery medium according to their needs and preference;
  3. The Direct Message (DM) facility allows a “tweeter” and a follower to have a private conversation that’s not on the public message log displayed on the “tweeter’s” Twitter page.

Twitter also maintains a complete history of Tweets and follower responses, so when the dust settles you have a log of all of the customer conversations that took place via Twitter.

So, to implement a customer communications channel in the event of a major incident, here are six simple steps to putting in place a basic mass communications tool for incident management:

  1. Open a Twitter account for your company;
  2. Decide which individuals will create “Tweets”;
  3. Advise your customers in advance that you have set this up and advise them to create their own Twitter accounts;
  4. If an incident strikes:
    1. Send a Tweet via the Incident Management Twitter page to alert the Incident Management team;
    2. Have a procedure in place to update your website and any pre-recorded message service to announce that you are in Incident Management mode and direct visitors and callers to go to your Twitter page, where they will be able to see updates at the time they occur;
  5. Even if a caller or visitor does not have a Twitter account, they can be set up in minutes (the Twitter help is quite good in this respect);
  6. Send Tweets as and when required and your customers will be fully informed of events as they occur, receiving the updates on the device and channel of their choosing.

You could, of course, set up another Twitter account for the specific use of the Incident Management team to help them communicate with each other. Here you set up an Incident Management Twitter account that all members of the incident management team can update as well as follow. This way anyone in the team can create a “Tweet” that is received by all other members of the team.

Does this spell the end of the incident notification system? Probably not for everyone (although it is a good public communications tool), and there are a few “bells and whistles” that might be important to some that it does not have. But Twitter, of course, is free, which raises the bar for what a paid-for solution needs to offer. Basically, we’ve seen from a live example that Twitter, a free social networking system, can be used as an effective tool in a corporate incident management situation. The “following” principle gives it quite unique features that support low-maintenance communication and interaction with a large audience, which make it suitable for many types of organisation:

  • All types of commercial organisation could use it to communicate with their customers during an incident;
  • Local government organisations could use it to provide community updates for different types of emergency;
  • Diverse, geographically separated teams can communicate and collaborate without the need for specialised applications and devices.

Much of the log still remains on the Codero Twitter page and it makes interesting reading (you’ll also see how you can click on a “Tweet” and link to the follower’s response that initiated it).

To see the log on Codero’s Twitter page, follow this link to the Codero Twitter page.

Jan/10

5

Talking like a CEO

Many business continuity managers complain of the lack of management buy-in for business continuity within their organisation. They say management don’t engage with the subject, and are indifferent to or unaware of the potential exposures. In most cases my response is something along the lines of:

“Senior management have dozens of conflicting demands on their time. If you want to get their attention, be succinct in your communications and speak a language they will understand.”

This means that you should not talk about:

  • Critical dependencies;
  • Dependency mapping;
  • “40/50/60% – whatever – of businesses that suffer a major disaster go out of business 2/34 – whatever – years later”;
  • Any of the other jargon that’s to be found in the BS25999 standard.

What you might want to try is:

  • Understand the regulatory environment that applies to your organisation and whether there are any requirements for Incident and Business Continuity Management plans. No-one wants trouble with the regulators, and if you’re seen to be dealing with a regulatory issue before it becomes a problem you’ll get some attention;
  • Understand what your firm’s customers expect from you in terms of order fulfilment, website availability, responsiveness etc. Then be in a position to confirm (or otherwise) that business continuity plans support recovery within these expectation “windows”. The real reason that firms go bust after a disaster is not the cost of the actual damage; it’s the loss of customer confidence;
  • Remember that the first word of the phrase “Business Continuity Plan” is “business”. When you know how and why the programme will protect the business, then you’re in a position to articulate the benefits to be made by investing in a business continuity programme.

Let me know your thoughts on this.  If you would like to know a little more about our firm please visit us at www.riskcentric.co.uk


I’m posing a question here rather than offering any kind of solution or insight: does Business Continuity actually make any discernible difference or provide any measurable benefit to an organisation that buys into the process in the first place? Taking a broad look at the market only appears to affirm the opinion that there’s no real reward for developing and maintaining a quality plan.

  • A recent press release from the British Insurance Brokers Association, calling for government support to raise awareness of the need for business continuity plans amongst the SMB community, also accepts that it’s difficult to get insurers to reduce premiums for organisations that do have robust plans;
  • Banking regulators, whilst encouraging regulated financial institutions to have business continuity plans to support their operational risk programmes, have yet to provide any basis for capital relief to institutions that have robust business continuity programmes in place;
  • The government, by virtue of the Civil Contingencies Act, mandates that local government organisations should promote business continuity principles to local businesses – but provides no guidelines on what is expected of the local authority.

I could go on, but enough said – everyone seems to be preaching fine ideals but providing very little real incentive. It’s rather like imploring people to drive carefully and then expecting them to pay the same as someone who is just plain reckless.

BIBA, in particular, are barking up the wrong tree – it’s not the government that needs to sort this out, it’s the risk industry. When organisations are incentivised by a decent reduction in their business interruption insurance because they have a plan that’s proven to be effective by recent (ideally independent) testing, then the issue might be taken a little more seriously.

Let me know your thoughts. If you would like to know more about our firm then please visit our website at www.riskcentric.co.uk


Nov/09

5

Welcome to my blog!

In this blog I’ll share some insights and experiences related to new and emerging issues in business continuity – and, no doubt, many of the old chestnuts that always seem to be with us.

SDPL Solutions

www.sdplsolutions.co.uk
