After years of operating in silos, British bank Abbey re-engineered its business continuity policy on a building-by-building basis to deliver a policy that everyone's happy with -- even the CEO.

We've all seen those IBM ads where the new CEO sits at the head of the board table and nervously asks how well protected the company is against disaster. The question is something like: "If anything happened to one of our major locations, what would we do about it?" In the ad, it leads to furtive glances between the rest of the executive committee. Damn: I'm sure we have a process somewhere, but whose portfolio does it come under?

The reality for chief security officers, risk managers and heads of IT is that maintaining business continuity is an everyday challenge. Some have it covered better than others, but the ad goes some way to illustrating the confusion that can exist about its effective implementation.

Abbey, the UK's number-six bank by assets, with net interest receivables (the difference between what it lends and what it borrows) of close to £1.5 billion ($3.6 billion) in financial year 2002, has always had BC plans. But when the company snapped up CEO Luqman Arnold from his post as chairman of UBS and COO Stephen Hester from CSFB in 2002, covering every BC contingency came much higher on the agenda than it had before. Although Abbey is Europe's 16th largest bank, employing 30,000 people, it did not have a risk-aware culture in place.

"These people had come from companies where the culture was different and there was more awareness of the importance of business continuity," says operational risk manager Richard Bridgford of the new executive leadership team. Arnold and Hester were experienced investment bankers, who took a completely different perspective on risk.

Places, Not Processes

Startling events such as the terrorist attacks of September 11 brought the reality of disaster recovery to the global business audience in the worst possible way.
The introduction of the Basel II Accord then brought stricter guidelines for risk management and corporate governance. Ramp-ups by the UK's Financial Services Authority and British Bankers Association also contributed to putting BC planning much higher on Abbey's agenda. These rules mean every piece of a bank's data has to be accounted for -- crisis or no crisis.

"There was already a lot of acceptance that the existing situation wasn't working," says Bridgford, "that there was a need for change."

If that IBM ad had taken place at Abbey, Bridgford knew those nervous eyes would have fallen on him and head of IT controls and continuity Jamie Watters. After reinventing Abbey's BC planning, the two now find themselves in demand on the UK conference circuit to illustrate their "proven framework" for BC success.

Watters is responsible for the day-to-day delivery of IT solutions that cover the BC framework, including the company's data centre. "If we lose our mainframe, I've got the team of people that can work to recover that." Under the new BC framework, it would become his team's responsibility to recover systems and data. Bridgford's remit covers making sure all of Abbey's 50 or so business units implement the policy.

Watters explains that the main problem Abbey had was not a lack of protection of its core business processes, but a poorly coordinated framework for coping with crises in specific places -- locations that could house parts of one or more business processes.

Abbey's HQ used to be at 221 Baker St, Sherlock Holmes's address (in fact, the company used to have a full-time employee who dealt with mail for the fictional detective). Today, corporate HQ is in Milton Keynes, around 100 kilometres outside the capital. The company also has key locations in other cities including Edinburgh, Glasgow, Bradford, Sheffield and Belfast.

"Throughout the UK," says Bridgford, "incidents were happening to locations, not to business processes."
Where BC was concerned, it operated in silos, with "something approaching a feudal mentality", he says. Almost every business unit had its own standards, approaches, methods, metrics, plans and continuity experts. This became particularly unhelpful when business units with differing BC plans shared a location: no one knew who was in charge.

"We had a distributed organisation throughout the UK that was trying to manage all incidents from a central team," explains Bridgford, "all centrally based and not easily able to support a remote incident." There were a lot of very detailed BC plans, but they weren't tied together. External auditors had drawn the same conclusions: it wasn't working.

"A number of business areas overlapped and integrated but our BC management structures didn't reflect that," says Watters. Not just the disciplines were fragmented; management was too. "Each business area had somebody responsible for BC planning -- and that was a problem. It meant we planned on divisional lines, not on location. When we actually came to recover a building, there would be a lot of conflicting interests and no clear order of priority."

Crucial Steps

The first crucial step was getting board and executive-committee ratification for the new policy, authored by Bridgford's risk team, a process made a lot easier by CEO Luqman's "top down" approach to implementing better BCM. Bridgford already knew he had his buy-in.

"Following that was the key element: defining the implementation frameworks," he continues. This provided a clear mechanism all stakeholders could understand, illustrating how the new BCM framework would fit into the organisational structure.

Once Bridgford had that approved, it was then a question of planning by location. "The missing piece in the past had been seeing that because our operational structure focused on key locations, what we needed were plans by location rather than business area," he says.
Abbey already had a successful structure for implementing and managing risk throughout the organisation, and Bridgford sought to reflect it in BCM. "We have a central risk team comprised of people responsible for all the different business areas," he explains. "They're allocated as business heads of operational risk with people working for them who work closely with the business areas and provide frontline support. We are trying to make sure BCM works the same way."

Abbey implemented the framework from the northern autumn of 2003, having run a similar model in isolation in Bradford for three years. Crucially, this meant it had a business area "that showed doing it this way actually worked", says Bridgford.

Today, the BC framework overarches risk management, crisis management, disaster recovery and IT systems continuity management and delivers them company-wide as one solution on a location-by-location basis, defining accountability, responsibility and processes while bringing together planning and response. "The silos were swept away," says Watters.

Abbey Meets BERT

To achieve this on the ground, Abbey introduced "building emergency response teams", which the organisation now knows as "BERTs". Their purpose was to go beyond localised response to providing ownership of BC plans within each location. There are BERTs in 10 locations in all. They also act as an administrative overhead to single-business-unit locations, which have smaller business recovery teams.

The senior-most manager in each location became the head of its BERT. This gave a clear chain of command in each building, reducing conflicts of interest between business units. Making the manager accountable for the whole location has been very effective, says Watters. "We used to go back and find nothing was happening. Now, because that executive manager is accountable for that location, it happens."
Each BERT also has a coordinator to support the manager's strategic role by ensuring plans are put into place and overseeing the day-to-day management of BC within that location. "It is somebody allied to that location," says Bridgford. "If there's a risk role based there, then that will be ideal. If not, then it will be a trained person within the business area." It tends to fall to management roles within the business if a risk person isn't available, because the role needs to have influence with other managers within that location.

The key thing, says Watters, is that all BERT coordinators are fully accredited in BC. With a direct link to the central BC team, they also provide consistency in BC practice throughout the organisation. The central BC management team comprises only eight people, but there's at least one specialist per business unit. "Some of those people, BC is 10 percent of their time, some people it's 90 percent," says Bridgford. IT has a small team of recovery experts supported by the regular IT department as and when they need them.

The rest of each BERT consists of specialist functions needed to plan for each worst-case scenario: emergency-service liaisons, HR professionals, a communications person, property and facilities. "Traditionally we had this as a central function," says Bridgford, "but we're distributing it, saying you can't handle everything from central HQ, you need people on site who can act."

Testing Times

Once Abbey had the framework in place, it had to be sure it would work in practice. Running tests brought to light a number of gross misassumptions about IT recovery on the part of Abbey's employees. As part of the testing process, IT staff work side by side with end users so they can iron out any misunderstandings. For example, some people with laptops didn't realise they needed recovery, because they worked remotely -- even though the mainframe they connected to could have been destroyed.
"Until you actually say, 'And where is the backup tape?' the penny suddenly drops," says Watters. "'Ah, it's sitting under a pile of rubble.' So you iron out all those creases."

Bridgford says he keeps the human and business sides of things going with regular briefings and desktop simulations. "We haven't reached the stage of putting them into a 'real' situation yet, but we're progressing towards that. We do look at scenario testing, but you don't want to create a disaster by disrupting the business."

Regular testing is a central tenet of Abbey's BC policy. "It's fine having the plan on paper, but unless you've tested it, you don't really know how well it will work, and it is a very good learning exercise." For example, Watters learnt that some IT suppliers had to be watched closely to make sure their claims about their recovery ability were accurate. It's been crucial to carry out exhaustive tests. "IT's supposed to be plug and play these days but that's far from the case, it's actually very sensitive to the hardware that's there," he says. "What works on my Dell PC in the office might not work on the Compaq PC they image to." In a dummy run, one supplier could actually only recover data on three of 185 machines.

By the time December comes, Watters will have overseen 50 tests. "We take a lot of time over it," he admits -- but it's worth it.

According to Watters, business continuity long ago moved beyond disaster recovery and became a supply-chain issue. "BC is now accepted as a regular cost of doing business," he says. "Organisations are starting to look at their supply chains and realise it doesn't just matter about them, it matters about their suppliers too." If Procter & Gamble, for example, suddenly found that a supplier of one of the main chemicals for its washing powder had collapsed, it could face an unaffordable hiatus in production. "As part of Abbey's due diligence process," he adds, "we make sure suppliers practise BC management."
That includes everyone, from other financial services companies to IT and logistics suppliers.

Dynamic Business

"Glitches have occurred and are still occurring, and we are seeing these as part of the continuous improvement process," says Bridgford. An ever-changing business model requires flexibility of its key processes, and BC is no exception. The banking industry in Europe is experiencing unprecedented consolidation at the same time as it outsources an increasing number of services. For example, Abbey is currently looking at various offshore outsourcing opportunities, and Bridgford and his team must consider the impact this would have on risk profiles.

This only reiterates the importance of making a fundamental shift from planning by business process to planning by key location, he says. "The new approach reduces the impact of business-process changes upon BC management, as the new framework accommodates potential changes within the concept of a location-based BC policy. Business changes from week to week, if not day to day. The way we're now structured, processes can change but the basic framework remains stable."

Key stages

- Approval of new BC policy by board
- Development and agreement of BC management governance framework
- Implementation of framework via business risk teams, working with business heads and location-based BC coordinators
- Setup of 'building emergency response' teams (BERTs) with responsibility for BC management at key locations
- Re-engineering of BC plans and reporting structures on location, rather than business-unit, basis
- Continual review of BC standards

Abbey's three keys to success

1) Accountability -- "Making the executive manager accountable has really made a difference," says head of IT control Jamie Watters. "They have to put their hands in their pocket or take a conscious decision to take the risk. Before, they were happy to make the assumption that IT would sort it out."
2) Executive team cultural change -- "That's the big push, knowing if things aren't addressed, you're going to have executive members leaning down on the levels beneath them," says head of risk Richard Bridgford. "We now have a culture where BCM is a top priority risk area."

3) Distributed organisation -- "Our increased ability to manage things by location increases our ability to act," says Bridgford.