RiskUKSeptember2017

More documents

Recommendations

Info

ISO 22316: Preparing for Brexit With ISO 22316:2017 Security and Resilience – Organisational Resilience – Principles and Attributes now upon us, John Robinson decided to apply his own test – focused on Brexit – in a bid to ascertain what’s of value in this document for security, risk and resilience professionals. Following on from last month’s initial discourse, the focus now turns towards areas including shared information and knowledge and support for continual improvement John Robinson MSc CEng FBCI: Managing Director of INONI 14 www.risk-uk.com Every day we’re faced with a barrage of Brexit-related news items of varying substance and credibility, many with the potential to influence or directly affect us and our relationship partners. Somehow we must process this media flow, deciding what’s real and what isn’t, but also second-guess how interested parties such as customers, suppliers, regulators and competitors may respond. The influence of fake news is an illustration of this. ISO suggests an organisation’s resilience will be enhanced when all available related knowledge is appropriately shared, analysed and applied. Maximising this for Brexit means that we might harness a wide, varied and credible range of relevant data and knowledge sources, define criteria to identify, validate and value what we collect, assign specialists to manage, analyse, add value and distribute it as information, use the information to update the context model for Brexit, use the model to trigger and fuel decisions and improve the Brexit strategy and share results across the business (and externally if/where applicable). Where Brexit’s concerned, and perhaps generally speaking, intelligence drives resilience. Clearly, we need to respond acceptably quickly to all kinds of change such that we’re not disadvantaged. This in turn relies on high-grade information, analysis, judgement and executive decision-making. It makes shared information an important attribute. ISO 22316 implies that resilience will be enhanced if the resources required to align with the organisation’s own resilience objectives are made available, including an allowance for adaptation. Aspects relating to people, premises, technology, finance and information will inevitably be part of the overall mix. For those who perceive little or no Brexitrelated threat, no specific action will be planned or dedicated resources required. However, for others, and particularly so in the UK and the EU, Brexit may be a headline item: a threat demanding a planned response. Where this is the case, it becomes a matter of ensuring the strategy is sufficiently resourced to be implemented as intended. Some checks you might wish to make are as follows: • does the strategy clearly define acceptable levels of business during Brexit? • do we know how Brexit changes will affect resourcing and how we’ll deal with it? • do we face Brexit-induced failures of supply and/or demand? • do we need to increase or reduce our capacity and can we do this acceptably? • do we need to diversify or replicate resources or build-in redundancy? • do we have the skills and abilities we need to respond acceptably? • do we have the inherent flexibility to redeploy and adjust in time? • do we look ahead, take account of change and anticipate what might happen? It’s tempting to put off resilience resourcing decisions for the obvious reason that they consume investment, but will yield no return if the planned-for situation fails to materialise. As a discipline, business continuity faces this dilemma on a frequent basis. Management disciplines Attribute 7 is all about the development and coordination of management disciplines. At first glance, this seems to be a classic catch-all statement of the obvious that says your resilience will be enhanced if you’re good at every management discipline. However, this is reasonable if you accept that any deviation from Best Practice or omission does indeed potentially leave a hole in your defences, implying a reduction in resilience. It’s clearly a valid and relevant indicator. Moreover, if you did this just as part of your response to Brexit, the benefits would be felt in (potentially) many other ways, improving resilience generally and making management more effective, efficient and communicative. With this in mind, and specifically for Brexit, you might consider engaging the 20 disciplines with a common purpose of enabling the Brexit strategy, adapting existing processes, roles and responsibilities so they interact efficiently, searching for and plugging any material gaps between disciplines (thus removing duplication), keeping the web of disciplines elastic (such that it can flex and adapt as Brexit demands change) and establishing communications and reporting such that all parties are kept informed and co-ordinated. Note that the 20 include disciplines such as asset management, crisis management, governance, fraud control and so on. Not all organisations will implement or recognise all of these disciplines. However, they will generally be present in some shape or form. The clause seems to sum up what BS 65000 called ‘coherence’: the joining-up of related key disciplines into a collaborative resilient whole
Opinion: ISO 22316 Security and Organisational Resilience (Part Two) with no gaps or overlaps, rather than in relatively closed silos, creating an environment for Brexit and other major programmes. Continual improvement No organisation has faced Brexit before and it’s fair to assume that, while some larger firms’ management systems architecture will accommodate it as just another major change, the experience will be very new for others. Most who decide to act in a structured way will establish a project whose remit and execution will evolve sporadically, improving only when driven to do so or when an idea emerges. Continual improvement is a mindset that accepts we can always do things better and this applies particularly to resilience. It means we systematically and intentionally keep improving the context model, quality of information and each of the other attributes listed. A simplified framework applying this for Brexit might include making innovation and improvement part of the strategy and habitual, regularly scanning for changes and accommodating them by adapting the strategy, planning improvements, assigning resources and making them happen and carrying out regular reviews while also monitoring what has been achieved against goals set. Change drives risk and resilience. If things didn’t change, equipment would never wear out, rainfall would be standard and Brexit wouldn’t happen. Some changes we can anticipate and plan for, others come out of the blue or must be imagined because they’re outside of our experience. In any case, anticipation and readiness is preferable. The degree to which we develop and systematise this will influence our adaptive resilience. As we’ve seen, Brexit is far from a straightforward change. It means we need a mechanism that ensures we’re not surprised or shocked by what it brings, leaving us wellplaced to respond and continue with business. Steps that we can take to build this adaptive capability might include regularly updating the context model and using it to look ahead while scanning for change, modelling change scenarios and developing response tactics for those that seem likely, exploring alternatives as well as ways to deliver on commitments, dual suppliers and diversifying, planning to respond and absorb the shock of unexpected announcements, influencing changes before and after they materialise and being ready to adapt without impacting delivery or compromising vision or core values. At the headline level, Brexit now seems a certainty. At almost every other level, though, the potential remains for surprise. No-one can be certain how it will unravel, either globally, nationally or at the organisation level. Our choices are to either move with the herd and hope to arrive intact or seize the initiative by becoming proactive, adaptive and influential. Contributory factors The nine attributes focused upon in Part One and in this month’s article tell us what we should expect of a resilient organisation. Part 6 of ISO 22316 explains how we can evaluate these capabilities for ourselves and offers a governance framework with which to do this. Again, there’s little if any practical guidance here to help you decide on acceptable levels of attainment for each attribute, or a detailed explanation of how to bring about improvements in each as this must be determined by the host organisation. Apply this framework for Brexit and you derive a management system that converges on targets set by top management for each of the resilience attributes. It – ie the system – needs to be delivered by a programme or an existing compatible process that’s kept running for the duration of Brexit. Delivered as described, it should continually evolve to track Brexit’s changing shape and improve such that it aligns with the organisation’s Brexit-specific and general resilience objectives or success criteria. To make it work, you need to set your own attribute targets and thresholds and monitor and measure your performance against them. “Where Brexit’s concerned, and perhaps generally speaking, intelligence drives resilience. Clearly, we need to respond acceptably quickly to all kinds of change” 15 www.risk-uk.com
Page 1 and 2: September 2017 www.risk-uk.com Secu
Page 3 and 4: September 2017 Contents 42 Meet The
Page 5 and 6: Editorial Comment More zones, more
Page 7 and 8: News Update “Employees pose great
Page 9 and 10: News Analysis: British Standard 859
Page 11 and 12: They see a well secured airport. Yo
Page 13: News Special: Cortech Open Innovati
Page 17 and 18: Opinion: Apprenticeships in the Sec
Page 19 and 20: BSIA Briefing With an estimated eig
Page 21 and 22: “ MY PASSION IS PERFECTION IN EVE
Page 23 and 24: Enterprise Security Risk Management
Page 25 and 26: Bribery, Fraud and Corruption: Risk
Page 27 and 28: Crisis Management: Leadership in Pr
Page 29 and 30: www.coie.uk.com Cortech Open Innova
Page 31 and 32: Lone Worker Security and Safety wor
Page 33 and 34: The Changing Face of Security Servi
Page 35 and 36: Multi award winning security servic
Page 41 and 42: Tel: 08707 508070 Fax: 08707 508066
Page 43 and 44: Meet The Security Company: Doyle Se
Page 45 and 46: Fire Safety Planning: Emergency Eva
Page 47 and 48: National Association for Healthcare
Page 49 and 50: The Security Institute’s View and
Page 51 and 52: In the Spotlight: ASIS Internationa
Page 53 and 54: FIA Technical Briefing: Gaseous Fix
Page 55 and 56: Security Services: Best Practice Ca
Page 57 and 58: Cyber Security: Risk Management in
Page 59 and 60: Training and Career Development ‘
Page 61 and 62: Risk in Action Cambridgeshire Fire
Page 63 and 64: Technology in Focus SPC Connect’s
Page 65 and 66:
Appointments Magnus Ahlqvist The Bo
Page 67 and 68:
thepaper Business News for Security
Page 69 and 70:
CCTV CCTV Rapid Deployment Digital
Page 71 and 72:
SECURITY ANTI-CLIMB SOLUTIONS & SEC
show all

RiskUKSeptember2017

Create successful ePaper yourself

Delete template?

Save as template?