Security role in Business Continuity
With the Covid-19 pandemic now in its second year, the topic of business continuity has entered our lives and continues to affect us and the businesses around us, and we are all forced to adapt to the new realities of life.
In this article, I would like to look at the role of the security function in ensuring business continuity, which it performs, can and should deliver to fulfil its primary purpose – ensuring security.
In my opinion, it is the specificity of security that allows you to be best prepared to deal with a crisis.
By this specificity I mean the knowledge and practical experience of security managers and staff in dealing with crisis situations, uncertainty, danger, limited resources, and time.
Discipline, resilience to stress, a willingness to take risks and take responsibility are qualities inherent in security officers. This experience is most often gained in the military, law enforcement or special services.
It is impossible to foresee and predict all crisis situations, but organizations where proper attention is paid to risk management and business continuity have a greater chance of overcoming them with the least impact and of returning to normal operations, and sometimes even to a better position than before the crisis.
In my article, I will refer to the experience and practice I gained while working in the Russian division of an international company, British American Tobacco (BAT), where I have worked for almost 10 years and where, for the last 5 years, I have had the good fortune to head the security function.
Before joining corporate security, I served in the Russian Border Guard Service and faced crisis situations as a cadet during the events in Nakhichevan in 1990 and later as an officer in 1995 in the North Caucasus and in 2001 in Kosovo.
The range of tasks of security at BAT Russia is quite standard: it covers all business processes of the company and is based on an in-depth analysis of security risks.
I will not dwell on each of the activities of security, as virtually every security service in a modern company has this functionality.
Coordinating business continuity management processes within an organization is not the most common area of responsibility for security, but it is where security is able to demonstrate the most tangible and visible results for the business.
According to international best practices and standards[1], which of course also apply at BAT, the General Manager (head of a business unit) is responsible for the business continuity of the organization, while the function heads are responsible for the respective business continuity plans together with the functional managers for business continuity.
In turn, the Head of Security is both the head of the security function, with responsibility for several business continuity plans, and the facilitator of business continuity programs. He is responsible for 'facilitating' and 'coordinating' business continuity activities across the organization, which is expressed in his participation in:
✓ the annual review of the organization's risk register,
✓ functional assessments of business processes,
✓ testing of existing business continuity plans,
✓ training of new employees,
✓ and, where necessary, the development of new business continuity plans.
This is what happened in 2019 with the pandemic plan, which appeared on the list of mandatory business continuity plans.
So, what is business continuity management? It is "the strategic and tactical ability of an organization to plan and respond to incidents and disruptions to keep business operations at an acceptable predetermined level."
This is the case when the tone is set from above in the organization and the decision to develop and maintain a culture of business continuity management is made at the very top of the strategic management of the company.
The strategy, principles and key objectives of business continuity management emerged very clearly during the pandemic in the BAT Group's and the region's commitment to protecting lives and businesses while strictly complying with national legislation, while the immediate decisions to achieve them were taken at the end market/country level by the relevant crisis committee.
This was due to a significant difference in the response to the pandemic in the various countries. I think everyone remembers the difference in approach in Russia and Belarus, Sweden, and Germany.
The center and the region were more focused on coordination and on ensuring that best practice in resisting the pandemic could be brought to all countries and markets.
As in many modern international global companies, business continuity management at BAT complements and is subordinate to the risk management process. The business unit's risk register is reviewed on a regular basis (at least twice a year). Functional managers are responsible for functional risks, and Corporate Finance aggregates everything and approves it at the Top Team with notification to the region.
BAT Group takes a cyclical approach to managing business continuity and ensuring an effective business continuity culture in the organization.
The first stage is Analysis and includes "Understanding the organization" and "Identifying business needs".
Understanding the organization is particularly important when initially introducing this approach in the organization; in the case of BAT, when incorporating new employees into business continuity management.
This is very useful and applicable information for new security staff as well, as it is the best way to immerse yourself in the business as quickly as possible, being able to highlight the critical business processes.
The next step in the process is 'Identifying Business Needs', which is carried out using a specially developed Business Impact Analysis[2] methodology which provides the basis for assessing business processes, assessing the impact on the organization if these processes are disrupted, the criticality of these processes, the resources required at each stage (people, information, infrastructure, facilities, resources and partners), the outcomes of these processes and, importantly, the workarounds available.
Based on the information from the analysis phase, business continuity plans are developed or refined and supplemented in the second phase, Design.
For example, when a new product category appeared, additional sections were added to existing plans.
In the third Implementation phase, individual plans are woven into the broader business structure, and intersections and interdependencies are explored to ensure integration and synergy between the various functional plans.
This process is not limited to internal interdependencies between different functions or between end markets; it also includes third-party partners.
For example, the response to a distribution outage will have limited effect unless key partners (federal retail chains and wholesalers) are ready and prepared with their own plans and these plans are integrated with the company's plans, and vice versa.
The fourth stage of the business continuity management process - Validation - is the final and very important step.
At this stage, all business continuity plans are tested through exercises (workshops), simulations of individual elements by trained staff and contractors, or exercises with full or partial simulation.
Business impact analysis and business continuity plans are reviewed and adapted when there are changes in the business processes or operating environment. If the processes and operating environment remain unchanged, the process is reviewed and validated annually.
Testing and training are also conducted as needed or according to the training cycle on an annual basis.
BAT Russia has developed and annually tests several business continuity plans. The main one is, of course, the Crisis Management plan, which formulates the strategy, goals and objectives, as well as the structure and principles of crisis management, based on global policy requirements but taking into account Russian realities. An important part of this plan is also the Communications plan.
It is worth noting that testing of the Crisis Management plan does not usually take place in a simulation mode, but during 'combat' situations such as an ongoing pandemic, or other significant business incidents such as a legislative ban on certain categories of nicotine-containing products.
Another plan that I would like to mention briefly is the Loss of Head Office, which provides a procedure for dealing with the loss of access to the company's head office.
Until relatively recently, this plan was tested by a simulation with the actual departure of key personnel to the office of the Moscow business unit.
The renovation of the company's head office in 2019 not only made it possible to update the interiors and make the working conditions in the office more comfortable and modern, but also to test remote working not only for the critical staff, but for almost every employee in the head office. Many employees worked from home for several weeks at a time, allowing the company to end up being orders of magnitude more prepared to work remotely during a pandemic.
The format and theme of this article does not allow us to go into detail on each plan, so I will go directly to the Pandemic plan. It contains guidance on how to prepare for and respond to pandemic scenarios that directly or indirectly affect company personnel and business operations in all phases of a pandemic emergency, as well as protocols for how to deal with infected people, etc.
The company's actions were aimed at achieving such a result in which the factory in St. Petersburg, the head office in Moscow and the field structure operate as close as possible to "Business As Usual", while fully complying with the decisions of state authorities in the locations, including those of the Federal Service for Supervision of Consumer Rights Protection and Human Welfare (RPN) and recommendations of the World Health Organization to reduce the risk of possible contamination and limit the risk of infection.
The Crisis Management Team (CMT) consists of Top Team members and additionally the Head of Security and the Regional Environment, Health and Safety Manager.
Three Incident Response Teams (IRT) have been formed (factory, head office, field force), led by senior managers of the respective functions.
Each response team has a designated disease prevention coordinator and includes representatives from the health and safety department, lawyers, and communicators.
Let me just briefly outline the chronology of the initial activities following the activation of the pandemic plan:
· On Mar 5, 2020, the Pandemic plan went into effect following a decision by headquarters to suspend all non-business critical international travel
· On 6 Mar 2020, in accordance with Moscow Mayor's Decree №12 of 5 March 2020 "On the introduction of a high alert regime" in Moscow, all employees of the company were sent the appropriate communication:
    ◦ requested to inform Line Manager and Security about personal trips abroad
    ◦ introduced 14-day self-isolation at home for arrivals from 7 countries
    ◦ 100% thermal monitoring of employees, contractors and visitors introduced (by the security service provider)
    ◦ the factory in St. Petersburg introduced a questionnaire for visitors and contractors to identify and avoid admittance of persons with potential risks of infection.
· On Mar 10, 2020, the Security department prepared the first Daily report on the situation with Covid-19 for the RUCAB sub-region, including confirmed cases of infection by country, employee status, government recommendations, status of international freight traffic, and measures taken and planned by the company.
· On Mar 11, 2020, the day that the WHO first characterized the Covid-19 situation as a pandemic, a communication was issued to employees about the measures taken by the company and an order was announced guaranteeing payment of downtime at average earnings.
· Mar 30, 2020 – shutdown of the factory in St. Petersburg for a week, after the announcement of the high alert mode and until our enterprise was included in the corresponding regional List of Continuously Operating Enterprises.
· Apr 2020 – all trade marketing representatives worked two weeks from home during the strictest lockdown period.
It would take too long to enumerate all the activities in the pandemic plan, and I am sure that all these measures have been fully implemented in your organizations. I would like to highlight only the main activities of security, which were carried out together with colleagues from other functions.
1. 24/7 monitoring of the Covid-19 pandemic situation, factors affecting business, decisions of authorities, RPN guidelines and WHO recommendations in conjunction with the Regional Health and Safety Manager and company lawyers.
2. Collection, verification, and synthesis of sub-regional situation information for the Daily report to the CMT, informing the region and IRTs, including:
   ✓ confirmed cases of infection by country,
   ✓ status per staff member,
   ✓ decisions by national authorities,
   ✓ the status of international communications (focus on cargo shipments),
   ✓ measures taken and planned by the company.
3. Detailed personalized register of employees (confirmed cases with treatment at home or hospitalization, self-isolation, quarantine, etc.) with strict adherence to personal data protection requirements.
HR and EHS departments were the main providers and consumers of this information, but security was the owner of the register.
4. All CMT communications were sent to the staff from the security department's email address.
We all understand how much information flows to each employee; however, messages from security are always correctly perceived due to the importance and practical nature of the information provided.
Employees were also kept informed by publishing information in the corporate Intranet and a SharePoint resource was made available to IRT members where all important information was accumulated.
5. Minutes, decisions of the crisis committee and their implementation were drawn up and recorded by the Head of Security.
6. The Security Help Line assisted staff in vulnerable situations. This was particularly relevant in Moscow and St. Petersburg in the early days of the pandemic when not all services worked smoothly and consistently.
7. Additional training for IRT members on crisis management and the pandemic plan was conducted.
8. Timely and complete provision of information to the Moscow Mayor's Office and the St. Petersburg Government via the organization’s personal account, certified by digital electronic signature (headcount and lists of employees in remote work).
Sometimes it was not easy to do due to failures in the servers of state bodies, but most importantly, the CMT supported the lawyers' proposal to provide the requested information in the required format.
I think that many people remember the debate about the legitimacy of such requests, especially in Moscow, as well as the media coverage of the reaction of the state regulatory authorities to the offending companies.
9. Refinement of the evacuation plan for foreign employees. Fortunately, the plan did not have to be activated. Only one employee was abroad at the time of the restriction on international flights. He continued to work from home. International assignments of our colleagues were not interrupted either.
10. Identification of cases of using the organization's details when issuing digital passes in Moscow. Their timely cancellation to minimize reputational risks.
11. Monitoring compliance with social distancing requirements and the use of personal protective equipment.
   ✓ The use of video surveillance to prevent breaches of the safe operating standard and, in some cases, as evidence in the consideration of such breaches by the disciplinary committee.
   ✓ Installation of additional video surveillance equipment. Video recorders in factory shuttles ensured compliance with the above-mentioned requirements.
   ✓ Changing corporate transport routes to minimize the number of employees having to use public transport. Additional routes were promptly created and tested during the St. Petersburg metro bombings in April 2017.
Other activities of the Security department include coordinating the activities of RUCAB Crisis Management Teams, learning, sharing, and implementing best practices from other countries, and active participation in Incident Response Teams.
Key success criteria
· A strong corporate culture in BAT in terms of business continuity, which is evolving and improving and where security plays an important coordinator role.
· A proven strategy of delegating business decisions to the end-market level, with unconditional compliance with national legislation and adherence to best practices in other markets and WHO recommendations.
· Involvement and proactive approach of all Incident Response Teams, including security personnel, to tackle complex challenges with limited resources, as well as a high degree of uncertainty and novelty.
· The readiness and resilience of the IT infrastructure, and the equipment and preparedness of employees to work remotely.
Outcome
The company was able to adapt existing business processes to the changed realities, preserving the life and health of employees, ensuring uninterrupted production and distribution of its products, continuing marketing activities to take account of the new realities, and confirming its reputation as one of the best manufacturers and employers.
The cross-functional pandemic response team, which included almost the entire security department, was recognized at the BAT Stars ceremony for 2020!
The Security department has effectively demonstrated its contribution to business security through a wide range of tasks, to the benefit of every employee in the company.
International experience and trends
While preparing the article, I came across an interesting report on the development of business continuity from the international company Castellan[3] - one of the providers of business continuity management solutions, including consulting, software and recruiting.
This report is the 12th of its kind and focuses on trends in business continuity and resilience programs, including reporting structures, current program status, dedicated program budgets and staffing, etc.
The data presented in this report was collected between August 2020 and May 2021.
The main findings of the study are as follows:
1. The data this year indicated a substantial shift in centralizing programs to be equally focused on business and IT initiatives, increasing from 34% in 2018 to 49% in 2021.
2. The data has historically shown that most organizations exercise their critical Business Continuity and IT Disaster Recovery plans on an annual basis with less of a focus on the non-critical plans. Since 2018, however, there has been a major shift.
3. Organizations are increasingly consolidating ownership of the Business Continuity program, along with other risk and resilience related disciplines, under Risk Management (22%, up from 10% in 2009). This reflects an increased focus on enterprise-level resilience as well as the interdependencies between resilience disciplines in identifying and managing organizational risk. This corresponds to ownership of the program by IT dropping from 26% to 16%.
4. An analysis of their business continuity budgets has shown that more organizations are increasing the cost of business continuity management programs.
5. More organizations indicated the need to recruit dedicated program personnel (increasing from 14% in 2018 to 25% in 2021).
Program Department Positioning and Sponsor Engagement rankings
✓ Corporate Executive Offices and Security – Information received the highest approval ratings with each receiving 73% of the respondents noting they either agreed or strongly agreed that their program was positioned for maximum effectiveness.
✓ Physical security received the lowest approval ratings as a program department owner with 47% of the respondents indicating that they either strongly disagreed or disagreed with the placement of the program.
Ideally organizations strive to identify a program sponsor who will be very engaged in championing the Business Continuity program forward.
✓ While only focusing on the top 10 Business Continuity program sponsors, the survey authors found that the CSO / CISO received the highest approval ratings with 81% of the respondents indicating that their program sponsor was involved or very involved with the program.
✓ Those who noted Other Chief Title seemed to be the most displeased with their program sponsor as 63% indicated little involvement or very little involvement.
Conclusion
Market and industry specifics undoubtedly play a big role, but, getting back to the topic of the article, the role of Security in business continuity management, I would like to use this report as another independent proof that it is Security, which provides comprehensive business security (not just physical security), that has every chance, through coordination of business continuity processes, to make the business more secure and better prepared for emergencies.
I believe the example of BAT Russia fully fits the matrix of this report, where the coordination of risk management is handled by the Corporate Finance department, as having more experience in financial assessment of the realization of all organizational risks, and the Security department ensures the coordination of business continuity management processes.
By adding functional business continuity managers and IDT experts to the cross-functional team, we have a full-fledged team capable of ensuring that the organization moves forward, no matter what cataclysmic events occur!
[1] ISO 22301, 22313, 22317
[2] ISO 22317
[3] BCM Trends Report / BC Management – a Castellan Company
Head of Security
3y Slava, I really liked this article. I hope it is not your last piece of research.
Chief Operating Officer at Nickel Industries Limited
3y Very interesting article. Well written and shows how the integration of good people and systems assist in safe project delivery at all levels.
Security Professional with more than 23 years of experience in LEA & Intelligence and 10 years in corporate security, latest - BAT Russia Head of Security. 4 years in UNMIK. 1st Security manager of W St. Petersburg.
3y Thanks Andriy, very kind of you. How're you doing?