After years of operating in silos, British bank Abbey re-engineered its business continuity policy on a building-by-building basis to deliver a policy that everyone’s happy with — even the CEO

We’ve all seen those IBM ads where the new CEO sits at the head of the board table and nervously asks how well protected the company is against disaster. The question is something like: “If anything happened to one of our major locations; what would we do about it?” In the ad, it leads to furtive glances between the rest of the executive committee. Damn: I’m sure we have a process somewhere, but whose portfolio does it come under?

The reality for chief security officers, risk managers and heads of IT is that maintaining business continuity is an everyday challenge. Some have it covered better than others, but the ad goes some way to illustrating the confusion that can exist about its effective implementation. Abbey, the UK’s number-six bank by assets, with net interest receivables (the difference between what it lends and what it borrows) of close to £1.5 billion ($3.6 billion) in financial year 2002, has always had BC plans. But when the company snapped up CEO Luqman Arnold from his post as chairman of UBS and COO Stephen Hester from CSFB in 2002, covering every BC contingency came much higher on the agenda than it had before.

Although Abbey is Europe’s 16th largest bank, employing 30,000 people, it did not have a risk-aware culture in place. “These people had come from companies where the culture was different and there was more awareness of the importance of business continuity,” says operational risk manager Richard Bridgford of the new executive leadership team.
Arnold and Hester were experienced investment bankers, who took a completely different perspective on risk.

Places, Not Processes

Startling events such as the terrorist attacks of September 11 brought the reality of disaster recovery to the global business audience in the worst possible way. The introduction of the Basel II Accord then brought stricter guidelines for risk management and corporate governance. Ramp-ups by the UK’s Financial Services Authority and British Bankers Association also contributed to putting BC planning much higher on Abbey’s agenda. These rules mean every piece of a bank’s data has to be accounted for — crisis or no crisis. “There was already a lot of acceptance that the existing situation wasn’t working,” says Bridgford, “that there was a need for change.”

If that IBM ad had taken place at Abbey, Bridgford knew those nervous eyes would have fallen on him and head of IT controls and continuity Jamie Watters. After reinventing Abbey’s BC planning, the two now find themselves in demand on the UK conference circuit to illustrate their “proven framework” for BC success. Watters is responsible for the day-to-day delivery of IT solutions that cover the BC framework, including the company’s data centre. “If we lose our mainframe, I’ve got the team of people that can work to recover that.” Under the new BC framework, it would become his team’s responsibility to recover systems and data.
Bridgford’s remit covers making sure all of Abbey’s 50 or so business units implement the policy.

Watters explains that the main problem Abbey had was not a lack of protection of its core business processes, but a poorly coordinated framework for coping with crises in specific places — locations that could house parts of one or more business process.

Abbey’s HQ used to be at 221 Baker St, Sherlock Holmes’s address (in fact, the company used to have a full-time employee who dealt with mail for the fictional detective). Today, corporate HQ is in Milton Keynes, around 100 kilometres outside the capital. The company also has key locations in other cities including Edinburgh, Glasgow, Bradford, Sheffield and Belfast.

“Throughout the UK,” says Bridgford, “incidents were happening to locations, not to business processes.” Where BC was concerned, it operated in silos, with “something approaching a feudal mentality”, he says. Almost every business unit had its own standards, approaches, methods, metrics, plans and continuity experts. This became particularly unhelpful when business units with differing BC plans shared a location: no one knew who was in charge.

“We had a distributed organisation throughout the UK that was trying to manage all incidents from a central team,” explains Bridgford, “all centrally based and not easily able to support a remote incident.” There were a lot of very detailed BC plans, but they weren’t tied together. External auditors had drawn the same conclusions: it wasn’t working.

“A number of business areas overlapped and integrated but our BC management structures didn’t reflect that,” says Watters. Not just the disciplines were fragmented; management was too. “Each business area had somebody responsible for BC planning — and that was a problem. It meant we planned on divisional lines, not on location.
When we actually came to recover a building, there would be a lot of conflicting interests and no clear order of priority.”

Crucial Steps

The first crucial step was getting board and executive-committee ratification for the new policy, authored by Bridgford’s risk team, a process made a lot easier by CEO Luqman’s “top down” approach to implementing better BCM. Bridgford already knew he had his buy-in.

“Following that was the key element: defining the implementation frameworks,” he continues. This provided a clear mechanism all stakeholders could understand, illustrating how the new BCM framework would fit in to the organisational structure. Once Bridgford had that approved, it was then a question of planning by location. “The missing piece in the past had been seeing that because our operational structure focused on key locations, what we needed were plans by location rather than business area,” he says.

Abbey already had a successful structure for implementing and managing risk throughout the organisation, and Bridgford sought to reflect it in BCM. “We have a central risk team comprised of people responsible for all the different business areas,” he explains. “They’re allocated as business heads of operational risk with people working for them who work closely with the business areas and provide frontline support. We are trying to make sure BCM works the same way.”

Abbey implemented the framework from the northern autumn of 2003, having run a similar model in isolation in Bradford for three years.
Crucially, this meant it had a business area “that showed doing it this way actually worked”, says Bridgford.

Today, the BC framework overarches risk management, crisis management, disaster recovery and IT systems continuity management and delivers them company-wide as one solution on a location-by-location basis, defining accountability, responsibility and processes while bringing together planning and response. “The silos were swept away,” says Watters.

Abbey Meets BERT

To achieve this on the ground, Abbey introduced “building emergency response teams”, which the organisation now knows as “BERTs”. Their purpose was to go beyond localised response to providing ownership of BC plans within each location. There are BERTs in 10 locations in all. They also act as an administrative overhead to single-business-unit locations, which have smaller business recovery teams.

The senior-most manager in each location became the head of its BERT. This gave a clear chain of command in each building, reducing conflicts of interest between business units. Making the manager accountable for the whole location has been very effective, says Watters. “We used to go back and find nothing was happening. Now, because that executive manager is accountable for that location, it happens.”

Each BERT also has a coordinator to support the manager’s strategic role by ensuring plans are put into place and overseeing the day-to-day management of BC within that location. “It is somebody allied to that location,” says Bridgford. “If there’s a risk role based there, then that will be ideal. If not, then it will be a trained person within the business area.” It tends to fall to management roles within the business if a risk person isn’t available because it needs to have influence with other managers within that location.
The key thing, says Watters, is that all BERT co-ordinators are fully accredited in BC. With a direct link to the central BC team, they also provide consistency in BC practice throughout the organisation.

The central BC management team comprises only eight people, but there’s at least one specialist per business unit. “Some of those people, BC is 10 percent of their time, some people it’s 90 percent,” says Bridgford. IT has a small team of recovery experts supported by the regular IT department as and when they need them.

The rest of each BERT consists of specialist functions needed to plan for each worst-case scenario: emergency-service liaisons, HR professionals, a communications person, property and facilities. “Traditionally we had this as a central function,” says Bridgford, “but we’re distributing it, saying you can’t handle everything from central HQ, you need people on site who can act.”

Testing Times

Once Abbey had the framework in place, it had to be sure it would work in practice. Running tests brought to light a number of gross misassumptions about IT recovery on the part of Abbey’s employees. As part of the testing process, IT staff work side by side with end users so they can iron out any misunderstandings. For example, some people with laptops didn’t realise they needed recovery, because they worked remotely — even though the mainframe they connected to could have been destroyed. “Until you actually say, ‘And where is the backup tape?’ the penny suddenly drops,” says Watters. “‘Ah, it’s sitting under a pile of rubble.’ So you iron out all those creases.”

Bridgford says he keeps the human and business sides of things going with regular briefings and desktop simulations. “We haven’t reached the stage of putting them into a ‘real’ situation yet, but we’re progressing towards that.
We do look at scenario testing, but you don’t want to create a disaster by disrupting the business.” Regular testing is a central tenet of Abbey’s BC policy. “It’s fine having the plan on paper, but unless you’ve tested it, you don’t really know how well it will work, and it is a very good learning exercise.”

For example, Watters learnt that some IT suppliers had to be watched closely to make sure their claims about their recovery ability were accurate. It’s been crucial to carry out exhaustive tests. “IT’s supposed to be plug and play these days but that’s far from the case, it’s actually very sensitive to the hardware that’s there,” he says. “What works on my Dell PC in the office might not work on the Compaq PC they image to.” In a dummy run, one supplier could actually only recover data on three of 185 machines. By the time December comes, Watters will have overseen 50 tests. “We take a lot of time over it,” he admits — but it’s worth it.

According to Watters, business continuity long ago moved beyond disaster recovery and became a supply-chain issue. “BC is now accepted as a regular cost of doing business,” he says. “Organisations are starting to look at their supply chains and realise it doesn’t just matter about them, it matters about their suppliers too.” If Procter & Gamble, for example, suddenly found that operations at the supplier of one of its main chemicals for making washing powder had collapsed, it could face an unaffordable hiatus in production.
“As part of Abbey’s due diligence process,” he adds, “we make sure suppliers practise BC management.” That includes everyone, from other financial services companies to IT and logistics suppliers.

Dynamic Business

“Glitches have occurred and are still occurring, and we are seeing these as part of the continuous improvement process,” says Bridgford. An ever-changing business model requires flexibility of its key processes, and BC is no exception. The banking industry in Europe is experiencing unprecedented consolidation at the same time as it outsources an increasing number of services. For example, Abbey is currently looking at various offshore outsourcing opportunities, and Bridgford and his team must consider the impact this would have on risk profiles. This only reiterates the importance of making a fundamental shift from planning by business process to planning by key location, he says. “The new approach reduces the impact of business-process changes upon BC management, as the new framework accommodates potential changes within the concept of a location-based BC policy. Business changes from week to week, if not day to day. The way we’re now structured, processes can change but the basic framework remains stable.”

Key stages

Abbey’s three keys to success

1) Accountability — “Making the executive manager accountable has really made a difference,” says head of IT control Jamie Watters. “They have to put their hands in their pocket or take a conscious decision to take the risk. Before, they were happy to make the assumption that IT would sort it out.”

2) Executive team cultural change — “That’s the big push, knowing if things aren’t addressed, you’re going to have executive members leaning down on the levels beneath them,” says head of risk Richard Bridgford.
“We now have a culture where BCM is a top priority risk area.”

3) Distributed organization — “Our increased ability to manage things by location increases our ability to act,” says Bridgford.