Give bootleg sights a miss

Imagine that you are one of the world’s leading suppliers of optical rifle sights.  An irate customer is standing in front of you brandishing one of your most popular products.  He is so angry that he almost throws it in your face.  He has spent a lot of money buying this sight because he wanted the best and he has not got the best because he has bought a knock-off, outwardly indistinguishable from the real thing, perfect to the last detail but inside, the part that matters, it is a cheap substitute.

QUESTION: which is going to hurt you most?

  • Losing the original sale?
  • Refunding for a sale you never made?
  • The loss of your reputation?
  • Being hit over the head with a knock-off rifle scope?

Bootlegging is not a new problem and China has long been regarded as the “evil empire” of bootlegging.  In March 2006 a leading manufacturer of rifle and pistol optical sights – let’s call them “DeadShot” (no names, no pack drill) testified to the U.S. Senate about the problem of Chinese counterfeit items.  Once cheap copies make their way into the marketplace, they lose their identity and unknowing or unscrupulous sellers can list them as the real thing.  Unsuspecting buyers wound up paying for what they believed to be a top quality item, only to find out that they had a cheap Chinese copy.  In addition to the risk of someone getting cheated on a resale, the manufacturers were concerned that the poorly made optics would damage their own reputations and brand names, which had been established on the perceived quality of products and service.  The copies were not legal and the genuine manufacturers quite correctly wanted them to be neither listed nor purchased by anyone.  At that time DeadShot and several other companies were in legal battles with the Chinese companies in an effort to make them stop making the copies altogether.

Seven years ago there were some obvious ways of spotting knock-offs.  Unreasonably low sales prices (bearing in mind the significant shipping cost if being delivered from China) were a clear indication.  If the seller said that they offered to warranty the sight themselves then it was probably a fake.  Most manufacturers’ warranties are handled by sending the sight to their factory where they are re-tested by computer and verified as a genuine article and most sights are computer tested before being shipped from the U.S. factory.  The packaging could be a giveaway, too.  A nice box printed in exactly the correct colours, soft bag, printed instructions, warranty card, shrink wrap and so on had to be correct and complete and if not then they may not be original, which is a bad sign.

In 2006 DeadShot were alarmed at the number of their top-selling riflescopes – quality products – that were arriving at the firm’s U.S. headquarters for service.  These turned out to be counterfeit products not manufactured by DeadShot and consequently not covered by the DeadShot full lifetime warranty.  They put a raft of precautions in place.  The DeadShot website provides descriptions of their products together with examples of how to determine if a device is authentic or fake, thus offering potential purchasers the opportunity to educate themselves prior to purchasing a DeadShot product over the internet.  DeadShot issue customer alerts to potential purchasers of their products, particularly aimed at those considering making a purchase via the internet, warning them of bogus DeadShot products.  DeadShot also use a serial number tracking based system for all its riflescopes, so if a customer thinks that a scope that is suspect, this can readily be checked for authenticity with the manufacturer.

An example of bogus riflesight that I examined last year had ‘DeadShot’ laser engraved on the bottom of the turret in a silver etch and the black ring on the objective was etched in white and did not include the name ‘DeadShot’.   Authentic DeadShot riflescopes are  always engraved black on black and have the name ‘DeadShot’ engraved on the black ring.  The counterfeit scopes usually did not bear the DeadShot logo, which all genuine new DeadShot scopes carry.

In 2015 the situation has become trickier as the counterfeiters have become more professional and skilful.  These days counterfeits are often marked, branded and marketed just like the real items they imitate (this is less of a problem if the manufacturer admits to producing “replica” or “clone” items, but they are not, particularly when being promoted on-line).   They make exact copies, even down to the serial number and trade mark.  They no longer offer their products at a bargain price but quote the full retail price.  Sub-standard reject and counterfeit sights were sold to U.S. customers through on-line auctions, like eBay through sellers based in Hong Kong and Shanghai China and some other Asian countries.  Some still are but bootleggers now also break in to the supply chain closer to home.

SCENARIO:  a 20 foot container of rifle scopes arrives at a port in southern Asia and is added to a container stack to be trans-shipped in two days.  That night a trailer unit arrives and takes the container away, returning it next morning.  Only now it is full of bootleg rifle scopes.  The supply chain is compromised and the bootleggers have a container-load of genuine sights.  It happened.

Bootlegging sights is no longer a cottage industry run from a garage in Shanghai; it is big business.  Hunting with guns is a sporting activity that requires the right equipment and manufacturers charge a realistic price for their products.  You pay for a quality item and you expect to get what you pay for.  Bootlegging can spoil your sport, damage the manufacturer and, if they find their way into the police and security arenas (as they are), have even more serious consequences.

One way of safeguarding genuine products is to incorporate a chemical substance (called a ‘taggant’) into the coating of the sight, or into the paint highlighting the numbers on the scope’s dials, into the logo or into pretty much any part of the product, which, when exposed to particular types of light, glows a specific colour.  One U.S.-based manufacturer of this type of solution can even tune their product to indicate the date of manufacture.  When a sight is returned as sub-standard that provides a definite way of proving that the customer has got hold of a bootleg item so (as the lawyers say) caveat emptor or “you bought a junk item and it is not our responsibility to replace it for you”.

A wide range of suppliers unique marking systems which they claim will protect products from counterfeiting.  Not all of these claims are genuine.  A worldwide security marking provider, DataTraceDNA/DataDots, has, it is claimed by the Courier Newspaper of Australia, duped Novartis, a global pharmaceutical company, into using its security solution. What is apparent from the investigation is that, far from being unique to the security provider, the security marking product is based on bulk chemicals supplied as phosphors for the lighting industry. The inevitable consequence of this, the newspaper claims, is that the entire stock of Novartis “‘Voltaren” ampoules sold in Australia using the taggant has been compromised.

The counterfeit product market is booming and becoming more dangerous as the focus moves from clothing, shoes and handbags to medicines, pesticides and firearms.  I came across an H&K G3 machine-rifle a few months ago, destined for a prestige customer in the Middle East.  It was perfect in every detail but one: H&K assured me that they do not make gold-plated firearms!  Nope, it was not a Khyber Pass Special (my wife’s uncle owns a Pakistani copy of an S&W K38 that would have been all but perfect if they had spelled ‘Wesson’ with two “esses”) but copied in a properly tooled-up private arms factory.  The International Chamber of Commerce estimates that by the end of 2015 the economic value of counterfeiting will be $1.7 trillion[1] and while many of the products counterfeited are fashion and apparel items an increasing proportion of goods compromised by this form of economic piracy include weapons, ammunition, accessories and military electronics.

If you are a manufacturer, however, small-scale, you need the products of an anti-counterfeiting/security marking company that maintains a stringent control of their suppliers, manufactures their own marking chemicals and designs their own detector systems.  No security marking system is infallible but the professional approach of the better companies in the market, and the stringent control regimes they have in place, will give you security for your products and allow your customers to buy with confidence.

[1] Steve Hargreaves @CNNMoney

Verimaster anti-counterfeiting technology

 

Portable Verimaster Detector Units

Background.

Historically counterfeiting has been seen as an issue for luxury consumer goods manufacturers. However, counterfeiting affects many more technology-based products ranging from components through high value pharmaceuticals onwards to accessories and enhancements to military systems such as optical sights, personal protection weapons and beyond.

Counterfeiting has become such a problem that at least one US accessory supplier has had their distribution network compromised twice in the last five years.

Consequently, within the supply networks of many products, feature goods of inferior quality that cause increased risk to performance, health and profitability

The purpose of this brief post is to introduce Verimaster® a superbly effective yet simple solution to the critical need to protect your supply chain from corruption through counterfeiting.

The Verimaster® Product

Characteristics. The product, developed by an Anglo-American alliance, is based on a blend of high strength ceramic seeded with inorganic oxides. The combination is chemically inert, immune to ageing or leaching and long-lived.

Very importantly, unlike some basic tagging systems it neither impairs performance of the doped product nor can it be counterfeited without criminals incurring significant costs. Verimaster® is also far less complex and much more easily utilised than the advanced DNA tag typing which has recently been used in very high value products.

Operation.

The product works by incorporating the additive into the manufacturing process at a doping level suitable for the chosen application. When stimulated by a non-visible laser or an audio detector the additive produces either a visual signal or an audible warning to indicate that the product being tested is genuine. Each sensor is supplied as a portable, battery-operated unit. Alternatively the audio sensor can be incorporated into a larger portal for warehouse applications.

Doped Plastic Feedstock illuminated by the Verimaster Laser Detector

The Verimaster® security additive can be incorporated into a wide-range of substrates including textiles, plastic feedstock, inks, laminates, coatings, adhesives, varnishes and paints. Consequently it can be added uniquely to particular components, colours or coatings; a choice that’s made by the customer and changed on an as required basis. It also means that the doping could be in the packaging of a component, system or accessory rather than in the physical product.

Applications.

The product is already being used in the following security applications:

  1. Human protection systems
  2. Financial services and systems
  3. High quality branded consumer products
  4. High value leisure services

In all examples the additive has had no affect on the doped product nor has detection performance deteriorated with operation, storage or environmental exposure. The use of Verimaster® to protect products in these applications has led to major cost savings, brand protection and the detection of criminal activity.

Concept of Operations

Example supply chain application of the Verimaster® system include:

  1. A sub-system printed circuit board (PCB)
  2. An pharmaceutical
  3. Emergency Service personnel uniform

PCB. The wide range of substrates that can be doped mean a genuine PCB can be identified by: the board itself, a protective coating, or a printed logo on the board. Equally individual components can be “marked” as genuine

A Pharmaceutical. Depending on the type of drug and level of supply chain control exercised by the manufacturer. The doping material could be used in the box, blister or the drug caplet itself.

Emergency Services. One of Verimaster®’s principal applications is in clothing. The additive has no effect on the structure, colour or wear of the doped textile and can be incorporated emergency services uniform manufacture with confidence. Example applications include: Identity markings, identity cards, insignia, nametags, webbing, and caps/helmets.

Flexible application means genuine uniforms and so genuine people are quickly and simply identified.

Verimaster® therefore presents a major opportunity to protect genuine products without any impairment of performance.

Anticipated Benefits

The primary benefit of utilising security doping is in the protection of genuine products, systems and accessories throughout your supply chain.

Secondary benefits include:

  • Confidence in product replacement
  • Improvements in ARM performance
  • Identification of reliable and untrustworthy suppliers
  • Date/batch marking or system specific identification marking
  • Personnel protection through security marking of individual uniforms, accessories and equipment
    • Criminal investigation and prosecution

Conclusions

Counterfeit goods are a significant threat to safety, security, and product performance. It can lead to the impairment of delivered capability/serviceability with your customers. The Verimaster® additive is a viable, readily used technology to combat these threats. It is inert, long-lived, has no impact on performance and is simple to use. Existing utilisation in a number of complex, high-value or secure services demonstrates transferability to many commercial domains and so presents an excellent opportunity to secure the your supply chain from the impact of counterfeit goods

Do you have to play by Six Sigma’s rules?

Its promoters are evangelists, preaching a creed of process perfectionism.  Its practitioners are passionate, its methodology is inflexible and to suggest a deviation is close to heresy.  I know, because I was once a fan of Six Sigma and its sleek sibling, Lean Six Sigma.  Not a big fan because, although it has some useful techniques, it has never been perfect.  It is dogmatic and process-bound.  It  presupposes that only Six Sigma “black belts” are capable of doing the process analysis and design.  It is only good for incremental improvement and not brilliant for innovative work.  And it did not incorporate information technology. I have a real problem with that as I am an IT man at heart and have used the power of IT as a tool for business, organisational and process improvement for over 20 years.

Cometh the day, cometh the methodology and Six Sigma, Lean or full-fat, has had its day. When corporate planning horizons were three, four, five years ahead an inflexible process-bound methodology was useful, if only as the basis of more agile in-house adaptations.  In times of great uncertainty, with planning horizons six months away, organisations are looking for agility, flexibility, speed of response (provided by a combination of tools and approaches), advanced systems thinking and an innovative, mix-and-match, method for creating breakthrough process improvements.

Six Sigma, with its dogma, priesthood and devotees, was born in times of certainty and flounders in a period of unprecedented economic turbulence and instability where years of consistent economic growth have given way to rising unemployment, increased costs, reduced incomes and a climate of  risk.  The increased uncertainty has affected everyone. Very few businesses, governments, private or public bodies are immune to the effects of uncertainty. To stay on top most organisations now revise their business plans more than once a year.  Any business plan that is over six months old is likely to be based on assumptions that have been overtaken by events and probably needs to revise its revenue figures downwards and costs upwards.   Business change is now a day-to-day process that needs to be realigned towards the changing strategic goals of the organisation and to be able to take the impact of changing assumptions on the chin.

Requirements capture, the foundation stone of the project pyramid

Why is it that clients are resistant to the suggestion that requirement definition is the most important, and time and resource intensive, phase of any project?  Why do they think that diving right in with the development is a good idea?  And why do they think that change control is an optional extra, or unnecessary or even an obstacle to project success?  Well, maybe not ALL clients because realisation has slowly been dawning that the requirement is king.

The tools and techniques have been around for years, promoted by, among others, the International Institute of Business Analysis (IIBA); however, I still find myself discussing projects with new clients who think that the 50 page booklet they have produced will guarantee the delivery of the benefits required from a £3 million system implementation!  To counter this, while engaged in 2000 by Bovis Lend Lease EMEA to set up a business analysis department, I produced an in-house guide (based on my experience in various organisations) to gathering requirements, to be used in training and mentoring business analysts and those in the business who worked with them.  I called it ‘SRS 2000′ and the next 15 years I have found more and more use for it, updating it every year until I arrived at the current version, ‘SRS 2015′.

I recently accepted an invitation to publish my notes as a slim volume on requirement-gathering and this will shortly be available as a pdf file to download from this website in the belief that having had a good look at it you will be in touch to ask us to apply it to your requirements!

Change control is another undervalued area.  While talking to the IT manager of an SME recently I was not surprised to hear that “we freeze the specification on day one and that is what we deliver”!  Hmm … I came across this a lot 20 years ago and it is less prevalent these days but too many managers still think that the requirements  signed off at the start of the project are identical with the system that will finally be delivered.  Some of my projects have taken two to three years to complete.  Hands up all those who think that, given changing legislation, new technologies, updated business practices and a thousand other factors, the requirements at the end of the project match those at the start … Freeze your spec and you practically guarantee delivery of an obsolescent system that may match the requirements at the start but will not deliver the goods at rollout time.

Change control requires an analyst to capture the change and define it in relation to its impact on the overall requirement in terms of time, money, resources, quality, interfaces to other systems (among other factors) someone with the authority to say whether the change should go ahead, be ignored, modifed or added to a wish list for the next iteration of the system, a budget to pay for the changes and a senior manager to sign off the funds.  Sign it off then revamp the project plan which should be regarded as a work in progress.  Not easy, but we are here to give you a hand.

Pro Bono: Battle of Evesham 2015 Ltd

Speaking at the tenth anniversary celebration for the Evesham Market Town Partnership MP Peter Luff urged local business and organisations to support the 750th anniversary of the death of Simon de Montfort at the Battle of Evesham on August 4th 1265 and the town in general to celebrate and exploit its past as one key to its future.  Earl Simon was a charismatic and complex figure. A man of contradictions, he was forthright and enigmatic, chivalrous, yet dictatorial, an able military strategist who also cultivated the friendship and guidance of some of Western Europe’s foremost religious leaders. His significance was so great that the 700th anniversary of his death was celebrated by the Speaker of the House of Commons and of the Archbishop of Canterbury visiting Evesham to dedicate a new, simple and dignified, memorial to him in Abbey Park, on the site of the high altar of the former Evesham Abbey at the spot where Earl Simon’s remains were originally interred after the battle.  By his death at Evesham Simon de Montfort brought Evesham to the centre of our national history and that is why I am organising a programme of events to celebrate the 750th anniversary of his death.  The events that are being set up each have their stakeholders who are responsible, among other things, for obtaining the necessary consents and finance.  A year of festivities is designed to run alongside Evesham, drawing in visitors and boosting the town centre.  We have provided directors for the limited company set up to organise and publicise events and to advise local businesses on how to capitalise on the boost these events will give to the local economy.

Pro Bono: Evesham’s town plan

Earlier this year the Evesham Town Plan working group published its detailed vision for Evesham.  We have created a vision for the Evesham of the future, reflecting the needs and aspirations of residents and users of the town and devised  an action plan to help us to get there.

Our objectives were to give as many people as possible an opportunity to help to shape a thriving future for Evesham:

  • Establish a broad consensus on what needs to be achieved.
  • Produce an exciting shared vision for the next five, 10 and 20 years.
  • Produce and agree a clear, ambitious and achievable plan.
  • Propose a framework for implementation and evolution.

We modified a standard business transformation methodology to provide an easy to follow approach.  We called it “5D”:

  1. Definition.  Here we defined the objectives and scope of the project.  We established project roles and governance and identified the key stakeholders.
  2. Discovery.  We engaged the stakeholders to clarify expectations and identify issues, identify and prioritise the key issues and opportunities, finalise the scope of the project and sign off the project charter.  We will also developed communications and survey tools.
  3. Diagnosis.  Researched community issues and opportunities in and around Evesham, identified and examined good practice elsewhere.
  4. Design.  Here we considered our options, defined the key elements of the Town Plan and validated them with our key stakeholders.
  5. Delivery.  Here is where it all came together.  We produced a delivery plan, identified obstacles and barriers, created a pilot plan (refining it in consultation with our stakeholders) launched the Town Plan and reviewed progress with our key stakeholders.

Pro Bono: Evesham shopping survey

We hear a lot that people do not come into Evesham for their shopping because “there are no shops”.  There are a few empty shops in town so we presented a report to the Market Town Partnership analysing business premise occupancy as a preliminary to going for some funding.  In reality there are 308 shops in the town centre and 388 if the town edge shopping areas are included.  However, the mix of shops in town is quirky.  There is some truth in the claim that you cannot go out for a day’s shopping in Evesham (with Worcester, Cheltenham and Stratford-upon-Avon, Pershore and Tewkesbury all with 16 miles there are plenty of alternatives) but if you want to have your nails done and pick up a tattoo while buying a cellphone, browsing the charity shops, munching a pasty and get an instant tan then Evesham is the place for you!

Pro Bono: remodelling Evesham’s High Street

A couple of years ago we remodelled Evesham’s High Street to remove most of the clutter, to open sight-lines to the main attractions, build slabs engraved with episodes from Evesham’s history into the pavement and generally make the High Street more tourist-friendly.  We got involved to provide project management and designed the slabs and heritage features of the development.

Why do pro bono work?

We do pro bono work locally, partly to keep our skills up to date and partly because we like to give something back to our local community.  Our consultants are trustees of two charities, serve on the management committee of our local heritage centre and get involved with using Evesham’s heritage to promote the town and develop its selling proposition.   Most of what we do is for Evesham Town Council, Wychavon District Council, Worcestershire County Council, The Market Town Partnership and the Vale of Evesham Commerce and Tourism Association and other parts of the voluntary sector, using our business transformation, enterprise growth, consultancy and project management skills.

Soft skills, hard results

Married to Joya, an IT training and Learning & Development manager, I seem to absorb developments in training almost by a process of osmosis.  One trend that I want to encourage is the increasing pressure to abandon the idea of ‘soft skills’.  For the uninitiated ‘soft skills’ include influencing, communication, team management,  delegating, appraising, presenting and motivating.  Many now recognise these as key to making businesses more profitable and better places to work.  I argue that they have never been ‘soft’ (with the implication that they were optional or in some measure less important than ‘hard’ skills) but the way professionals relate to and communicate with others has always been a fundamental part of their personal toolkit.  How effective is a Business Analyst who cannot conduct penetrating interviews or facilitate a workshop?  How would you rate a project manager who cannot read his audience and know whether he should adopt ‘sell’, ‘tell’, ‘collaborate’ or ‘innovate’ styles of communication?  HR departments call these ‘soft skills’ because they are difficult to teach and assess but IT/IS professionals must be able to communicate clearly and openly, to secure commitment and to listen and respond empathetically.  They also need equally well-honed written skills so that their correspondence (even emails) are as effective as their face-to-face communication.  We are all business professionals in one form or another so we need to balance commercial needs of our employers or clients with the individual needs of staff.  Being flexible and able to adapt to the changing needs of an organisation is also an important ‘soft skill’, along with the ability to collaborate with others and influence situations through lateral and creative thinking.  In our global marketplace the ability to deal with differences, multiculturalism and other forms of diversity is needed more than ever.  Very few organisations are untouched by the ever-widening influence of other cultures and good soft skills facilitate better communication and people’s ability to manage differences effectively. So-called soft skills can be developed and kept sharp through good training and lots of practise.  Most of all remember that …’Soft skills’ produce hard results!

Nine errors of process with Business Continuity Management

When needed, a good business continuity plan is the single most important asset a business organisation has to ensure that it recovers quickly from an incident.  It can be the difference between an organisation surviving or going under, and it can be the difference between an executive enhancing their reputation or completely ruining it.  A good plan well executed will ensure that people, brand, property and profits are protected as well as can be.  Unfortunately many plans are seriously flawed.  Sometimes this is discovered during or after an incident and leaves nothing but regret, and sometimes this is never discovered but is unnecessarily draining the organisation of valuable resources.

There are plenty of common mistakes made in BCM but, from our experience of providing business continuity, disaster recovery, high availability and resilience solutions to our clients we have selected nine of the most common errors of process, and potentially the most damaging.  The good news is that if you are concerned about your plans these errors are all simple to correct.

There are a series of essential steps in implementing business continuity management, this includes development, maintenance and implementation of business continuity plans.  Errors of process are evident where there is no framework used to guide the implementation of business continuity management, where experienced business continuity professionals are not called upon to share their experience, and where the organisation loses focus.  This can give rise to errors such as:

  1. “We’ve got business continuity plans… now let me see, where are they?”
  2. “Head office created some plans last year so I think we’ve got it covered”.
  3. “I’m not sure who’s in charge during an incident… it’s the CEO isn’t it?”
  4. “Great communication plan, but what happens when your communications infrastructure is lost?”
  5. “Jimmy and Dave know the passwords to all our systems, plus they’re stored in a key-code safe in the server room”.
  6. “We back up our data regularly but have never tested the backups in anger”.
  7. “We’ve got very strong IT security controls in place”.
  8. “We invested in a fantastic DR facility about 5 years ago”.
  9. “A grab bag is a waste of money”.
  Fallacy

Fix

1     “We’ve got business continuity plans…   now let me see, where are they?”
Plans that are created and then left to gather dust will quickly be   out-of-date and forgotten.  If they’re   not relevant and readily available you might as well not bother having   them. Make business continuity a consideration   in every strategic decision that you make.    In addition to highlighting the importance of business continuity,   because considering business continuity involves the identification of   organisation weaknesses, points of potential failure and dependencies that   affect an organisation’s ability to manage and recover from incidents it will   result in more robust strategic decision-making.  Review the plans quarterly.
2     “Head office created some plans last   year so I think we’ve got it covered”
Planning that does not involve the staff affected and plans which are   not tested are usually flawed.  They   are not ‘owned’ by the people who may have to implement them and they will   have key procedural weaknesses. Engage relevant staff in the planning process   and test the plans either in a desktop or blue-light exercise.
3     “I’m not sure who’s in charge during an   incident… it’s the CEO isn’t it?”
Unclear and un-communicated roles and responsibilities result in   confusion and delays during an incident. Identify, document and communicate the   incident ‘command structure’ and the associated roles and responsibilities.
4     “Great communication plan, but what   happens when your communications infrastructure is    lost?”
Communication is often a serious challenge during an incident.  There are numerous scenarios where things   go wrong.  If you lose power on an   unmanned site or when no one is in, how will you be informed?  If your telephone network goes down   (including mobile as can happen in some companies and some disaster   situations), how will you communicate? Document your communication plan and think   through numerous, relevant scenarios.    Depending on your circumstances there are options available for every   situation; like installing a failover system or contracting with a third   party to monitor your unmanned site; and giving alternative communication   tools to key staff members.
5     “Jimmy and Dave know the passwords to   all our systems, plus they’re stored in a key-code safe in the server room”
Unfortunately Jimmy, Dave and the server room might all become   unavailable at the same time and in an instant your business is   crippled. Store passwords in at least two   geographically distinct locations and make sure details of those locations   and access to them is known to people who don’t usually work in the same   place together.
6     “We back up our data regularly but have   never tested the backups in anger”
Unfortunately backups do fail, and so do recovery procedures.  Also, backups can be lost or inaccessible   during a disaster situation. Design a thorough backup testing procedure   that covers all of your systems and run tests at regular intervals.  Also test scenarios where backups from your   normal backup site are not available.
7     “We’ve got very strong IT security   controls in place”
These days this is indeed the case in most organisations.  It is important though not to take your eye   off the ball during an incident; when you are vulnerable you are likely to be   attacked, and the threats may be internal and external. Include in your business continuity plans,   plans to maintain high levels of IT security during an incident.  Appoint an IT security officer to your   disaster recovery team and make sure that you continue to monitor your systems for threats.
8     “We invested in a fantastic DR facility   about 5 years ago”
Disaster Recovery facilities need to be kept up-to-date just as any   other normal office facility does.    Outdated assets like computers, printers, electronic screens and   telephony systems might not work when you need them – either because they’re   old or they’re no longer compatible with your infrastructure. Keep an inventory of DR facility assets,   update and test them on the same schedule as all other office equipment.
9     “A grab bag is a waste of money”
Incidents can happen at any time of the day or night and whether or not   key business continuity people are in the office.  Even with the advent of mobile technology,   hard copies may come in handy.  The   important thing is that somebody will need to ‘grab’ a copy of the business   continuity plan, essential contact details, directions to recovery sites and   other emergency reference material and supplies so that your well thought out   plans can be implemented. Put a grab bag with all the contents   mentioned above next to the main emergency exit of every building.

Nine errors of understanding with Business Continuity Management

When needed, a good business continuity plan is the single most important asset a business organisation has to ensure that it recovers quickly from an incident.  It can be the difference between an organisation surviving or going under, and it can be the difference between an executive enhancing their reputation or completely ruining it.  A good plan well executed will ensure that people, brand, property and profits are protected as well as can be.  Unfortunately many plans are seriously flawed.  Sometimes this is discovered during or after an incident and leaves nothing but regret, and sometimes this is never discovered but is unnecessarily draining the organisation of valuable resources.

There are plenty of common mistakes made in BCM but, from our experience of providing business continuity, disaster recovery, high availability and resilience solutions to our clients we have selected nine of the most common errors of understanding, and potentially the most damaging.  The good news is that if you are concerned about your plans these errors are all simple to correct.

Comprehension of business continuity management is related to a person’s knowledge of or familiarity with the subject.  Most people charged with responsibility for an organisations’ business continuity management are not trained or experienced in it and hence errors of understanding are common.  Such as:

  1.  “Skip the business impact analysis, let’s get on with planning!”
  2. “Why did you get that system up-and-running first when this one is more important!?”
  3. “Business continuity is someone else’s department”.
  4. “The IT department is responsible for our business continuity plans”.
  5. “Only a few people need to know what our business continuity plans are”.
  6. “In business continuity planning, you can’t overdo the detail”.
  7. “A disaster in our organisation won’t attract media attention”.
  8. “Our insurance policy gives us adequate cover”.
  9. “Business continuity management does not affect our business insurance premium”.

 

 

Fallacy

Fix

1      “Skip the business impact analysis, let’s get on with planning!” 
If you don’t identify and assess critical business activities before   creating your plans you will create plans that do not give you the best   chance of speedy recovery.  Business   leaders are often surprised by the outcomes of the business impact analysis,   learning what really makes the business tick and how long activities could be   interrupted for before business shuts down. Give the business impact analysis your   full attention!
2     “Why did you get that system   up-and-running first when this one is more important!?”
  This is a very common issue usually resulting from non-existent or poor   business impact assessment, a lack of communication between the business and   IT, or political issues clouding decision making. It is important to be   selective about which IT systems to bring back online first, and it should be   those that are required by the most important business functions – the ones   that need to be recovered the fastest in order to ensure business   continuity.  Get buy-in from the business into business   continuity management, conduct thorough business impact analyses, assess and   invest in closing the gap between the business requirements and the IT   department’s capability and keep plans up-to-date.
3       “Business continuity is someone else’s department”
  1. 1.      
The less obvious flaw in this   logic is that if you leave business continuity planning to others then your   department priorities will not be properly understood and accounted for in   the plans.  Your department might be   the one department that if not up-and-running first after an incident brings   the whole business down.  Treat business continuity as a discipline in its own right, make the   process of planning and management collaborative, and put the most senior   executive in charge.
4     “The   IT department is responsible for our business continuity plans”
The priorities of the whole business need to be understood before   business continuity plans are created.    You’ve got to consider the true resilience of your organisation to   determine where and in what order to channel your resources following an   incident.  Individual departments are   unlikely to understand the full picture.   Treat business continuity as a discipline   in its own right (for example, don’t make it a part of risk management), make   the process of planning and management collaborative, and put the most senior   executive in charge.
5     “Only   a few people need to know what our business continuity plans are”
Almost every employee should be familiar with the elements of business   continuity plans that affect them.    This should not only include emergency procedures, but also for   example social media policies that govern communication during an   incident.  It is often useful to let   clients, partners and suppliers have access to your continuity plans.  And there are even situations when you   should share continuity plans with your competitors. In your business continuity communication   plan assess the stakeholders and willingly and openly share relevant   information.
6     “In business continuity planning, you   can’t overdo the detail” 
It is very easy to get bogged down in detail, trying to identify every   eventuality and to plan for its occurrence.    You then end up with a massive plan, a tome of a document that is   impossible to use effectively.  Of course   do mitigate key risks with sensible solutions (for example, if you’re in a   flood plain, build flood defences) but for business continuity plans, keep   things simple.  There are three main incident types that   you can plan for generically: 1. Denial of access to buildings and   facilities.  2. Loss of people.  3. Loss of IT and communications.  It rarely matters what has caused the   issue, the key thing is for you to plan your response
7     “A disaster in our organisation won’t   attract media attention” 
Your business may be small and uninteresting to the public, but some   disasters because of their very nature will always attract media   attention.  Significantly though,   social media enables almost instant communication to millions of people and   as a result your disaster might very quickly become national news Include in your business continuity plans   a public relations plan that includes coverage of all media (press and   social).  Build an organisation culture   of healthy respect for the use of social media.  Put policies in place, update employment   terms and conditions, educate staff, lead by example and correct   inappropriate behaviour. Know the social media landscape.  Find out what Twitter, Facebook and other   social media platforms have connections to your organisation, who updates   them and what they are saying?  Keep   this information up-to-date in your business continuity plans because you   might need it when a disaster strikes.    Monitor the landscape and respond to trends where appropriate.  Develop a clear social media strategy to be   implemented in the event of a disaster.    This strategy should be part of your business continuity plans and   should include actions and persons responsible for monitoring trends, communicating   messages and rapidly addressing non-compliance to policies.
8     “Our insurance policy gives us adequate   cover”
This may indeed be true, but financial support might not be all you   need from your insurer.  Rapid response   (minimum red tape, quick decision making, and fast release of cash) is not   always forthcoming from insurers and this may be the difference between survival   and failure for your organisation. In your business continuity plans address   how re-imbursement occurs (how and when will loss assessments be done and how   quickly will payments be made).    Wherever possible and relevant, pre-agree scenarios and decisions so   that you can take action without seeking approval.
9     “Business continuity management does not   affect our business insurance premium”
It is not unheard of but is unlikely that implementing business   continuity management will lead to an agreement from an insurer to reduce you   current premium.  What is likely is   that when next your insurer assesses your business your premium will not   increase as much as it would have done.    Some insurers will even pay for or contribute to your cost of implementing   business continuity management. Discuss with your broker the impact of   business continuity management on their assessment of your business’ risk.

Four errors of judgement with Business Continuity Management

When needed, a good business continuity plan is the single most important asset a business organisation has to ensure that it recovers quickly from an incident.  It can be the difference between an organisation surviving or going under, and it can be the difference between an executive enhancing their reputation or completely ruining it.  A good plan well executed will ensure that people, brand, property and profits are protected as well as can be.  Unfortunately many plans are seriously flawed.  Sometimes this is discovered during or after an incident and leaves nothing but regret, and sometimes this is never discovered but is unnecessarily draining the organisation of valuable resources.

There are plenty of common mistakes made in BCM but, from our experience of providing business continuity, disaster recovery, high availability and resilience solutions to our clients we have selected four of the most common errors of judgement, and potentially the most damaging.  The good news is that if you are concerned about your plans these errors are all simple to correct.

Making decisions about business continuity management is often clouded by a lack of appreciation for its importance and relevance, particularly when considered in respect to other decisions that have to be made or business activities that have to be carried out, and objectivity can be compromised in highly political environments.  That leads to errors such as:

  1. “Scare tactics will engage senior management in business continuity management”.
  2. “Business continuity planning and management is not important right now”.
  3. “We’re only a small business; we don’t need business continuity plans”.
  4. “Business continuity management should be justified like all other investments”.

Fallacy

Fix

1 “Scare tactics will engage senior   management in business continuity management”
Senior managers are usually busy people and getting their attention can   be very difficult, particularly for activities like business continuity   management which is often perceived to be unimportant right now.  Scare tactics sometimes work, but more   successful approaches are available. Educate senior managers by   emphasising that business continuity management is an element of good   governance which aims to increase resilience, minimise down time and reduce   the risk of organisational failure.    Keep the discussion practical by describing the impact of down time on   their objectives and the usefulness of business continuity management in   preventing and keeping downtime to a minimum.    Explain that when tendering for new business you can achieve   competitive advantage by demonstrating your resilience.  Run a short, simple and realistic   desk-based scenario to highlight your arguments.
2 “Business continuity planning and management is not important right now”
This   could not be further from the truth.    You cannot predict when disaster will strike.  Something could be happening right now   whilst you’re reading this.  If you’re   not prepared you will have nothing but regrets  (visit us at : http://continuity.charteris.com/about-business-continuity-management/what-could-happen/   to read what happened to other people). Make time for business continuity planning.
3 “We’re only a small business; we don’t need business continuity plans”
Small businesses tend to be the least resilient because   there are more single points of failure.    Loss of one member of staff with important knowledge, failure of one   key item of equipment, loss of one key customer due to loss of one key   supplier can all spell disaster.    Simple plans can mitigate these risks, reducing the chance of the loss   but also ensuring that you’re properly covered, for example, with the right   insurance. No business is too small to give business   continuity management some consideration.
4 “Business continuity management should be justified like all other   investments” 
Business continuity should be regarded as a cost of doing   business.  Like risk management, it   does not in itself deliver business benefits but there is an opportunity cost   of not doing it.  The good news is that   in many organisations the implementation of business continuity management   results in the identification of process improvements, over-commitment to   insurance cover and excessive disaster recovery assets.  In some organisations where business   continuity software is introduced the introduction of business continuity   management can even lead to headcount reduction. Use the introduction of, and the   process of, business continuity management as an opportunity to identify   organisation weaknesses and overspend on risk mitigation but don’t expect it   to show a return on investment as you would from other investments.

Leave a Reply »