As part of a new Business Continuity Management strategy, Openreach enlisted the help of 4C Strategies to create the optimal foundation and roadmap. The Coronavirus pandemic occurred mid project, putting the company’s business continuity and incident management capabilities to the test.
Looking beyond the norms of business continuity management
Openreach has a dedicated BCM department responsible for business continuity planning, training, exercises and audit preparation. The company wanted to take the next step in their business continuity management strategy by adopting a transformation approach to BCM, which would be more inclusive for stakeholders and customers, and better support its overall business objectives.
The Director of Security and Resilience said, “We wanted to look beyond the traditional BCM norms with a focus on better anticipating future business risk, while having solid foundations to minimise the risk of whatever unprecedented issues and potential threats may arise. This led us to speak to 4C Strategies. Based on these discussions we decided to adopt a capability maturity approach – to, firstly, establish our current position and secondly, plan what we needed to do in order to achieve an upper quartile benchmark of BCM performance.”
“We wanted to look beyond the traditional BCM […] This led us to speak to 4C Strategies.”
A typical five-point scale moves from a foundational capability, in which the business continuity community have read and understood key documents, to optimised capability, whereby there is organisational engagement and clear roles and responsibilities for BCM actions across all department of the organisation.
Want to learn more?
Discover how you can build your Business Continuity Management capability with our advisory services and Exonaut® software solutions.
Integrated business continuity and incident management services
As a global provider of risk management and organisational readiness services, 4C Strategies has extensive experience of driving BCM and IM initiatives at leading enterprises and the public sector. Unlike most companies that provide consultancy services or software, 4C offers an integrated solution whereby customers receive support from expert consultants, access to industry benchmark data, and bespoke maturity modelling data delivered via the company’s Exonaut IT software solution.
4C Strategies assignments are managed using our Exonaut software to ensure:
- projects run efficiently
- relevant data is recorded
- transparency is assured
- organisations can work with the findings over the long-term once the assignment is complete.
Questions are entered into Exonaut in a flow chart formula prior to workshops so that natural follow-up questions can be posed to a group. Answers are entered into the software in real-time and algorithms collate the data and generate automated comparisons between answers in the form of graphs and statistics in Exonaut’s intuitive dashboard.
“When Openreach approached us, we were confident that we could help them advance their BCM strategy, in line with other industry leading companies,” says Ben White, Senior Consultant at 4C Strategies. “They had a great foundation and team in place, and a desire to learn and develop their capability. It was very much a collaborative process where we all pulled in the same direction to achieve our goals.”
Organisation wide workshops for good
The project began with a series of workshops. Attendees were invited from business units across the organisation including Service Delivery, Fibre Network Delivery, Strategic Infrastructure Development, and Headquarters, to gather their views on what “good” looks like for Openreach and explore past lessons learned. The workshops included questions, discussions and exercises designed to get those who don’t work with business continuity and incident and crisis management on a day to day basis, to think about business risk and how well they and their business processes are prepared for it. On average about 20 stakeholders attended each workshop. The data gathered from these workshops was then used to create a capability maturity models.
What is a capability maturity model? An effective capability maturity model is a set of structured levels that describe how well the people, plans and processes of an organisation can reliably and sustainably produce required outcomes. It should include the capability and compliance elements necessary to measure progress over time and across an organisation, both internally and externally.
“The workshop format and questions follow international standards and guidelines which ensures that there is a systematic approach to BCM and IM. In addition to this, we ensure the organisational context and approach is incorporated in the process, so that each maturity model is tailored to fit the client,” says 4C Strategies Consultant, Mathilda Jansson. “Over the years, we have refined the process to help organisations gain a clear and comprehensive understanding of their current capabilities along with a viable roadmap and toolkit for improving on these findings.”
Is good, good enough?
Armed with the new capability maturity model, a series of interviews and new workshops were held with many of the participants from the earlier workshops, to assess the business continuity and incident management capability of Openreach. In total, over 200 BCM and IM related questions were answered and discussed during the workshops and interviews.
“The questions were derived from the capability maturity models, which are based on the ISO22301 standards and industry best practices,” continues White. “Again, we work with the concept of good and what is good enough, which we do on a sliding five-point scale. This allows stakeholders to identify where the organisation is today and where it needs to get to within the different BCM and IM functions. We use incident examples that people can relate to, such as a cyber attack, to help them pinpoint capabilities.”
“We work with the concept of good and what is good enough”
“We use 4C Strategies’ Exonaut software to gain a holistic view based on the feedback from all attendees and in relation to industry benchmarks. For example, most participants might believe that their company is good enough when it comes to reacting to governance and policy changes, but we might find that they are halfway to achieving industry best practice. Is this good enough for the company? It may well be, depending on their specific goals and their type of business. In the case of Openreach, which wants to be in the upper quadrant, we could provide them with their current status and a roadmap to achieve the highest rating if they hadn’t already achieved that.”
The power of the group
Bringing people together from across an organisation and encouraging them to share their thoughts and views is extremely worthwhile for all concerned. Drilling down through more detailed questions and performing related exercises provides valuable insights which everybody in attendance feels ownership off. People without much experience, can take a real interest in carrying out a business impact analysis or discussing things such as recovery time objectives. However, to get the best results, it’s essential to manage the room and make sure everybody is given the opportunity to contribute to discussions.
Assessing incident management during the Coronavirus pandemic
During the assignment the Coronavirus pandemic struck the UK and a full-scale lock down was imposed. This added a new dimension to the project, as the company’s incident management capabilities were put to the test, as opposed to just being scenario tested. The increased demands put on the broadband network during lockdown meant Openreach had to provide a reliable service to all customers despite the possibilities of forced absenteeism to front line, IT and other key personnel. In such a case, personnel dependency planning and business continuity and disaster recovery plans are crucial for ensuring continuous operations during and after the pandemic.
“We went from being in a room with 20 people to meeting online and from discussing potential incidents to sharing the experience of responding to a major incident,” says Jansson. “How good would our response be, quickly became how good are we performing right now. We were able to evaluate the company’s frameworks and recovery strategies based on real-life deployments as well as identify improvements. This was only possible due to us having the capability maturity model in place, which we used to assess current capability in response to the pandemic.”
Delivery to Openreach
The final delivery of this assignment to Openreach, was completed six months after the process began, despite the Coronavirus pandemic happening in the middle of the assignment. The deliverables were:
- The design and development of in-depth capability Maturity Models for BCM and IM.
- A capability assessment for BCM and IM.
- The consolidation of all information and findings in 4C’s Exonaut® software dashboard, for easy and structured analysis and exploitation.
- An implementation plan for developing IM and BCM capability through future training, exercises and audit requirements of key roles, functions and teams.
“The 4C approach aligns with what our internal stakeholders want to see”
Taking the right strategic decision
Speaking about the assignment, the Director of Security and Resilience concluded: “The output from the various engagement sessions showed us a path towards our goal, together with the various steps and interventions to help us get there. More importantly, the 4C approach aligns with what our internal stakeholders want to see, and their respective contributions have been a vital part of the data gathering process. It’s these same stakeholders who deliver front line services to customers and who are most affected if we don’t get BCM fully aligned to the evolving needs of our business.”
“We already had strong baseline foundations in place with training, exercising and audit preparation, however the aim was to work with 4C to enable us to enhance these to the next level, and I believe we are now on the right path. It has been invaluable for us to explore what we can do differently to add more value to our business. Furthermore, it’s reinforced our belief that we took the right strategic decision a year ago to move beyond a traditional and internalised ISO22301 approach.”