Is the business continuity planners’ ‘people, premises, resources and suppliers’ list fit for purpose?
- Published: Tuesday, 11 October 2016 09:01
Accepted business continuity good practice is to focus on the impacts on an organization's key assets rather than to plan for specific scenarios, but does the usual ‘people, premises, resources and suppliers’ impact list have limitations? By Charlie Maclean Bristol, FBCI.
In teaching about the Business Continuity Institute's ‘Good Practice Guidelines’ (GPG) one of the points I stress is that in business continuity we do not look at scenarios such as flood, fire, pandemics, but we look at the impact on our organizations' key assets, categorised by PPRS:
- People (skills and knowledge);
- Premises (buildings and facilities);
- Resources (IT, information, equipment, materials);
- Suppliers (products and services supplied by third parties).
I make the point that we should concentrate on the effect of an incident on PPRS, so it really doesn’t matter how our head office was destroyed, whether it was flood, fire or terrorist attack. What matters in business continuity terms is that we have lost key assets and we need to implement our business continuity plans to deal with the situation.
However, the more I think about PPRS the more I see its limitations and I think it gives us too narrow a focus of incidents to deal with. I also think the business continuity manager should always be looking for opportunities to expand their role and to add value to their organization and increase its resilience. In doing so they should be looking at a wide variety of different threats.
Some of the issues I see with PPRS are:
- I think it is very much written for organizations which work in offices and does not really take into account the wider variety of different organizations. If you are looking at the business continuity of a large plant, such as an oil rig, car manufacturing plant or a refinery, you could describe them as premises but it is the content of the building which is important rather than the structure. An oil rig or a refinery may have office premises within them but they are not actually housed within a premises.
- When you have key fixed structures within a building, like a CAT scanner within a hospital or fixed testing equipment within manufacturing, are these classed as ‘equipment’ under resources or are they ‘facilities’ within a premises?
- Utilities and the provision of gas, water and electricity are key to most organizations but are they ‘resources’ or ‘suppliers’?
- Raw materials going into a manufacturing process: are they ‘materials’ or, as they are often supplied by third parties, ‘suppliers’?
- If you had a staff member kidnapped this could be managed using the organization’s incident management or crisis plan, but in terms of the loss of one member of staff, this might not be considered a business continuity incident.
- Product recall is mentioned in the GPG as a possible incident and can have a massive impact on an organization (think Samsung Galaxy 7) but it doesn’t fit neatly with the PPRS fold.
- Cyber issues are not talked about within the GPG, and as we know, it is the top threat of the moment. Although you can consider it as part of the threats to IT, its impact is much wider than that of your IT. Your systems may be up and working normally but your customer details could be being sold on the dark web. This is a reputation issue rather than a loss of IT.
- Then there are all the issues associated with reputation management: although these are mentioned within the GPG, there is no structure for evaluating the wide range of possible issues which the organization should consider. Once the issues are identified, mitigation measures can be put in place, monitoring can be set up to identify if they occur, and plans can be developed for dealing with them.
I am not sure what the answer is, as the list of possible considerations needs to take into account, in the widest terms, the assets which could be lost and cause an incident, but also take into account intangible issues like reputation and issues such as kidnap and cyber breach.
Perhaps we need to look to risk management to give us a better list of threats that we should be addressing?
If you have a better list than PPRS and would like to share it with the wider Continuity Central readership we would be very pleased to hear from you.
PPRS is a very useful tool for planning in that it points towards the areas that just about any disruption will affect, and so guides planners in the creation of their plans and the vulnerabilities relevant to that particular plan.
Charlie is right in that it does not cover everything, but I'm not sure creating an exhaustive list would be possible or helpful to planners. Having a strategic set of guide values is much better, as it allows for anomalies to be dealt with by encouraging invention and creativity on the part of the planner.
Continual, thoughtful horizon scanning is crucial to the identification of wildcard risks to delivery that don't appear covered in the plan. So whilst I don't have a better list, maybe I would add something to the existing one, H=horizon scanning.
John Ball AFBCI
BCI European Continuity/Resilience Manager of the Year 2016