
POLICY BRIEFING

Business Continuity, Civil & Organisational Resilience: implications for local authorities 27 January 2015

Alan Weaver LGiU Associate

Summary

This briefing considers:

• The origins and evolution of Business Continuity, Civil Resilience and Organisational Resilience

• Wider developments, including legislative developments and recent developments, i.e. 2014 Christmas and new year flooding, and associated guidance and research

• The development of Organisational Resilience, its complex qualities, strategic and cultural implications, and the practicalities associated with its implementation.

• The briefing will be of particular interest to leaders, cabinet members, chief executives and senior management in all types of council and to business continuity and risk management professionals.


Briefing in full

Origins

The roots of Business Continuity lie in Disaster Recovery which, in turn, developed from war gaming, which can originally be traced to Sun Tzu (544-496 BC) in his book ‘The Art of War’. War gaming reached a peak during World War Two, and scenario planning took off after the war during the Cold War era, when large organisations began to realise how dependent they were on their IT systems and the data they held. Shell Group, for example, invested in the creation of IT backup systems to protect itself against the possibility that it would not have access to the data in its mainframe computers.

The evolution of Business Continuity Planning, Business Continuity Management, and ultimately Organisational Resilience can be described in terms of a series of mindsets.

© Local Government Information Unit, www.lgiu.org.uk, Third Floor, 251 Pentonville Road, London N1 9NG. Reg. charity 1113495. This briefing is available free of charge to LGiU subscribing members. Members are welcome to circulate internally in full or in part; please credit LGiU as appropriate. You can find us on Twitter at @LGiU

Technological mindset - in the post war era, the basic Disaster Recovery approach focused purely on the technical aspect of recovering from disasters. It assumed that disasters were triggered by technology failure.

Auditing mindset - In the late 1970s and 1980s this was broadened because of the development of end user computing and particularly, personal computers. While still focusing on technology this auditing mind-set expanded its focus to include the protection of business activities. It called itself Business Continuity Planning.

Values based mindset - In this mindset Business Continuity Planning broadened to include the whole organisation, including employees, organisational stakeholders and external influences to become Business Continuity Management. It can be seen as a value adding process because it should result in more efficient systems and better customer value through better responsiveness, reliability and security.

This moved Business Continuity Management towards Organisational Resilience, an even wider approach, considered in more detail later.

Wider Developments

Other developments took place during this period. For instance,

Business Continuity Institute

In 1994, Business Continuity Institute (BCI) established itself to promote a more resilient world. The organisation now has 8000 members in more than 100 countries, working in an estimated 3000 organisations in private, public and third sectors. It supports ‘Continuity Central’ which provides international business continuity information portals in Asia Pacific/Australasia, North America and the UK. It produces Good Practice Guidance and has influenced terminology for ISO international Standard for Business Continuity Management Systems.

Y2K

Fears of the so-called “Millennium Bug” prompted many companies to undertake pre-emptive work to protect themselves from disaster during the period leading to January 1 2000. While the predicted doom of Y2K simply didn’t happen, the plans put in place in case it did became the first business continuity plans for many organisations.

Making Cities Resilient and Smart Cities

In 2010, the United Nations Office for Disaster Risk Reduction (UNISDR) launched the Making Cities Resilient Campaign to achieve sustainable urban communities through actions taken by local governments to reduce disaster risk. The Making Cities Resilient campaign developed several useful tools for local action, including the so-called ‘10 Essentials’, a ten-point checklist and the building block for disaster risk reduction.

The concept of ‘Smart Cities’ developed to consider using technologies based on digital infrastructure and digital services as a way of monitoring and managing physical and social resource in the city.

The UK Department for Business, Innovation and Skills (BIS) commissioned the British Standards Institution (BSI) to develop a standards strategy for Smart Cities in the UK.

The strategy, published in August 2014, recognises that the success of a Smart City will be critically dependent on a digital infrastructure that is robust and that issues relating to resilience and planning for failure of critical systems are also likely to emerge.

There was a conference in the UK in 2013 called ‘Measuring the Resilience of Cities: The Role of Big Data’ run by the Science & Technology Facilities Council (STFC) and the Royal United Services Institute for Defence and Security Studies (RUSI). The conference covered a range of perspectives on resilience in cities. Issues covered included the specific vulnerabilities that cities face today, the specific arrangements in London, and the measurement of resilience. It ended with a call for far more research.

Business Continuity Standards

Several Business Continuity standards have been published by the BSI (BS 25999-1:2006 and BS 25999-2:2007), although both were withdrawn in 2012 when ISO 22301: 22 succeeded them. The current ISO standards include:

ISO 22301 2012, “Societal security – Business Continuity Management systems – Requirements”;

ISO 22313 2012, “Societal security – Business continuity management systems – Guidance” which provides more pragmatic advice concerning business continuity management.

ISO/IEC 27031 2011, “Information security – Security techniques – Guidelines for information and communication technology [ICT] readiness for business continuity”.

Legislative Developments

Civil Contingencies Act

In 2001, following 9/11, the Government concluded that existing legislation was no longer adequate to deal with climate change and terrorist incidents; and that a resilient business community helped to create a resilient country. The Government created a new government department called the Civil Contingencies Secretariat and passed the Civil Contingencies Act (CCA) 2004. As well as placing obligations for continuity and emergency preparedness on emergency services, first responders and utility companies, it mandated local authorities to provide business continuity guidance to organisations within their areas.

Category 1 responders are police forces, fire authorities, ambulance services, and local authorities. They are required to assess risk of emergencies occurring and put in place emergency plans and Business Continuity Management arrangements. They must also make information available to the public and businesses and coordinate with other local responders.

As a Category 1 responder, the type of emergencies for which a local authority would have a duty to respond is set out in the local community risk register. These include flooding and severe weather (storms, heat wave, severe snow and ice), release of chemical and hazardous materials, major transport accidents and terrorist incidents. Local resilience forums, made up of category 1 and 2 responders plus the military were made responsible for identifying and planning for the civil resilience risks for the local police force area.

The Act has had a catalytic effect. A 2008 survey by UK Chartered Management Institute indicated that the Government was playing a major role in driving Business Continuity Management through the public sector and beyond. It highlighted that the CCA appeared to already have had some impact and the trend was likely to continue.

The Act resulted in a marked upturn in both focus and detailed Business Continuity Management. Many workshops, seminars and presentations were held across the country to encourage business to be more responsible. Bigger companies made rapid progress, although Small and Medium Enterprises (SMEs) lagged behind. Good progress was confirmed by a similar survey in 2011. By March 2011, 58% of organisations had a Business Continuity Management programme, with the figure rising to 73% for public service organisations.

Flood and Water Management Act

The CCA was followed up by The Flood and Water Management Act (FWMA) 2010 which required the Environment Agency to develop, maintain, apply and monitor a national strategy for flood and coastal erosion risk management (FCERM) in England.

The FWMA also requires a Lead Local Flood Authority (LLFA) to develop, maintain, apply and monitor a strategy for local flood risk management in its area. It must be consistent with the national strategy for FCERM and must cover local flood risk. The LGA produced a framework to assist with the development of local strategies. Please also find an example of local strategy for flood and coastal erosion risk management.

Christmas and New Year Flooding

There was a further stimulus to public sector and local authority civil resilience developments following the Christmas 2013 and New Year flooding. In January 2014, the government announced a review of the lessons learned from the Christmas and New Year flooding.

The review found that most local authorities performed well. It stated that some of the criticism in the media and elsewhere was unfair in not recognising the valuable work being undertaken. However, some local authorities were not as prepared as their residents expected to respond to those needing help in coping with homes being flooded or clearing up afterwards. In some areas, the problems were compounded by the failure of power companies to quickly reconnect supplies to homes.

The outcomes of the review were reported through a written ministerial statement to the House of Commons. This set out that in the event of the risk of a significant weather event, central government would in future invoke, in advance, crisis management arrangements to ensure that all organisations, at both national and local level, were aware and fully prepared.

DCLG – Civil Emergencies

Subsequent to the Government Review of Flooding, the Department of Communities and Local Government (DCLG) produced a document categorising what a local authority’s preparedness for civil emergencies would look like, with brief examples and case studies of what different local authorities have done, i.e.

• Local authorities should have business critical functions and service delivery which they should exercise on a regular basis, eg. Dorset County Council working with the voluntary sector; Kent County Council working in partnership with other local authorities.

• Local authority chief officers and senior managers within the area should be familiar with the priorities of the local resilience forum and, the top risks in the community risk register, eg. arrangements in London.

• Local authorities must publish contact numbers to allow partners, residents and local businesses to contact them in an emergency, including out of hours, to get advice or activate an immediate local authority response, eg. good practice in Kent, Leeds, London and Manchester.

• Local authorities should have fully tested and exercised plans covering a range of different scenarios to enable them to put in place capabilities for which they have a lead responder role, eg. good practice in Lincolnshire.

• Local authorities should brief councillors on emergencies, particularly those for which a multi-agency response is in place, eg. good practice in Doncaster.

• All local authorities should ensure that arrangements are in place to enable the authority to be properly represented on the strategic coordinating group, eg. good practice in Devon and Cornwall and in Stoke on Trent.

• All local authorities should have a clear process for collecting and reporting information that supports shared awareness across the organisations, eg. good practice in Berkshire, Greater Manchester and Norfolk.

In addition, the Cabinet Office has set out its policy for working to enhance the UK’s ability to prepare for, respond to and recover from emergencies.

According to the latest Committee on Climate Change report, nearly three quarters of existing flood defences on private property are not being sufficiently maintained. Furthermore, the cumulative impacts of future flood risk of new developments remain relatively unknown. A recent LGiU report has recommended that to manage flood risk effectively local authorities should set up local flood forums to provide a coherent focus for state activity and a single point of contact with the public. Also, as surface water is the principal threat for the majority of properties at risk of flooding, local authorities should control the majority of the budget for managing flood risk.

Civil Resilience Network

In 2014, SOLACE founded a Civil Resilience Network for cross sector collaboration and learning. This network provides a forum for open discussion on civil resilience policy and issues and regular updates on its research and influencing activities, as well as the latest developments in civil resilience policy, through its E-bulletin.

The Network conducted a survey about civil resilience amongst serving local authority chief executives and senior managers. The survey indicated that all respondents were familiar with local authority statutory duties and all stated that they complied with their statutory duties. The vast majority of respondents felt that they were well trained to deal with resilience issues. They also felt their councils have good relationships with their partner emergency services and had effectively responded to their most recent civil emergency.

Community Resilience

Part of the Government’s approach to resilience has been to improve community resilience. As such, it has produced a range of documents to support this, for example,

Resilience in Society: Infrastructure, community and business is a document that outlines how networks and individuals can support the country's emergency planning, response and recovery, and keep systems and services running.

The Strategic National Framework on Community Resilience is a framework which explores the role and resilience of individuals and communities before, during and after an emergency. The framework is intended to provide the national statement for how individual and community resilience can work.

Community Resilience Case Study Library – This library has been developed to help share some helpful practice on community resilience initiatives.

Notwithstanding their statutory responsibilities in respect of civil emergencies, flooding and water management, local authorities have additional reasons for promoting community resilience, whether it be in respect of their community leadership or development roles, or in reducing the dependency of poorer communities and vulnerable people on local authority services. Consequently, they routinely engage in a whole range of interventions from early action or involvement in troubled families to promoting digital skills amongst the elderly.

Organisational Resilience

There is a growing awareness of the links between Business Continuity and Organisational Resilience. Organisational Resilience is growing in strategic importance for all organisations, and particularly for local authorities.

However, Organisational Resilience is not a straightforward concept. There has been little consistency in its use and there is a lack of common understanding about it. Pre 2007, it was defined as the ability to bounce back to an original state after disruption. Post 2007, academics began writing about moving forward rather than back, to take new realities, challenges and opportunities into consideration during disruptive events. Since 2010, it has moved on again.

New research has suggested Organisational Resilience isn’t primarily about being able to bounce at all: it’s about being able to avoid or negotiate potentially negative circumstances and build organisations that continue to thrive on infinite timelines. As such, it sits across many organisational disciplines and processes, including performance management, business excellence frameworks, organisational sustainability, Business Continuity Management, Disaster Recovery, Crisis Management and Total Quality Management (TQM). It includes corporate strategy, competitor activities, recruiting processes, staff activity, market and customer changes, environmental factors and so on.

The emerging concept of Organisational Resilience building is holistic and strategic implying that the decisions required to achieve it have to be made by the organisation’s leaders.

In the UK, there has been the November 2014 launch of the new British Standard 65000 which outlines the principles and provides guidance behind Organisational Resilience. This parallels the development of global guidance on Organisational Resilience or ISO 22316 which is due to be launched in April 2017.

BS 65000 will help organisations to engage Crisis Management and Business Continuity Management practices into a wider resilience programme. The British Standard references other activities including risk management, horizon scanning and change management, and contains a maturity model for measurement.

It defines Organisational Resilience as ‘the ability to anticipate, prepare for, respond and adapt to events – both sudden shocks and gradual change’.

This definition suggests that resilience is an organisational mindset or mind-state, and less of a definite line in the sand that can be readily measured. After all, how do you measure the capability or capacity of an organisation to cope with future events of which it cannot be aware? The logic to do so has been articulated in a paper ‘A Perspective on Organisational Resilience’ considered at the conference mentioned earlier.

If an organisation’s resilience capability is understood, the factors contributing to or diminishing it might be manipulated, changed and leveraged to create the capabilities and attributes that the organisation needs. Indicators of these factors might be reviewed, measured and explained in a manner that enables an organisation to identify a gap between its current position and where it wishes to be.

A body of evidence exists to suggest that to achieve resilience an organisation should strive for strong values, comprehensive governance, vulnerability identification processes, disciplined innovation, excellent knowledge management, and have crisis and continuity planning arrangements in place. The resilient organisation will also understand its networks (and interdependencies, including supply chains), cultivate appropriate social capital, and seek to embed all these elements into a culture that clearly values its people and its resilience capabilities.

British ISO Standards may prove invaluable in the future but what other tools can local authorities look to now?

Unfortunately, the ‘case studies’ offered as examples of Organisational Resilience are not that relevant. They fall into 2 categories:

• Organisations that have shown highly impressive examples of business continuity after catastrophic events eg. 9/11 terrorist attack in New York, Tsunami in South East Asia, Hurricane Katrina, Earthquake in New Zealand; etc. or

• Highly Resilient Organisations (HROs) such as nuclear power providers or traffic control operators.

While many of the case studies in these categories can be inspiring, they don’t show how the majority of private and public sector organisations can cope with the critical, but less dramatic, strategic, environmental, competitive, or resourcing challenges and threats that they routinely face, and with which Organisational Resilience is primarily concerned.

For example, most organisations, including local authorities, are not HROs. They do not provide single services whose failure might result in rapid catastrophic loss of life. Local authorities provide ‘statutory’ and ‘discretionary’ services and some ‘critical’ ones like child protection. They cannot provide the additional technical and personnel resources for ‘redundant’ back-up support that HROs can. In fact, a lack of available resources is one of the key challenges impacting on their capability to display resilience.

Organisational Resilience presents particular challenges for local authorities because council income is under pressure but demand for services and new responsibilities continue to increase. Councils have less money from government grant and minimal scope to increase income from council tax and fees and charges.

How can local authorities achieve the necessary qualities, culture and resilient capabilities highlighted above and overcome the traditional organisational problems like power politics, incompatible goals, censorship, short termism?

This is a real issue for local government. Local Government is a democratic political institution with a deep rooted bureaucratic culture flavoured by the values of different professions and different profession based departments. Add into the mix, competing priorities and power struggles between, and within senior management, political leadership and backbenchers, and simmer for a period with diminishing resources, and you have a caustic cocktail that isn’t necessarily conducive to the development of Organisational Resilience.

To tackle Organisational Resilience is not easy but the way to achieve it is simple to understand. It requires organisational commitment from top to bottom so that resilience permeates the culture and values of the entire organisation.

Notwithstanding this, there are some grounds for confidence and for optimism. Local Government has long experience in meeting resource challenges – the principal factor undermining its resilience. It has always had a reputation for strong probity and financial management. In the last two hundred years, only a handful of local authorities have failed to set a budget or run out of money.

And there are some emerging positive signs on the horizon. Grant Thornton’s latest report on the financial resilience of local authorities indicates that most local authorities are still delivering local services to a high standard within a balanced budget. Many are forecasting financial resilience confidently in their medium term financial strategy. Through a combination of necessity, driving cultural change, innovation and strong leadership, many have risen to the challenge and are prioritising new ways of delivering services – such as care at home, prevention and early intervention. There are very few councils with red-rated, critical risks relating to their arrangements for securing financial resilience.

In addition, the recent NAO report Financial Sustainability of local authorities 2014 states that there are signs of improvement in financial sustainability. They point out that there has been no financial failure to date – no council had failed to set and deliver a balanced budget. In fact, regulations governing the system made this extremely unlikely to happen.

Comment

This briefing highlights that local authorities are at the forefront of Business Continuity and Civil Resilience issues.

However, confidence will be needed to deliver Organisational Resilience. More formal analysis of risk will need to play a greater role in strategic planning, cabinet leadership and senior management governance.

Above all, organisational change is a prerequisite. ‘Transformation’ is becoming a tarnished concept within the public sector, and particularly local government, because of its preoccupation with ‘restructuring’ and inability to make impact on the underlying culture and values of local government staff. Yet, ‘transformation’, in the true meaning of the term (rather than the number of officers with ‘Transformation’ within their job titles) is the key to Organisational Resilience.

Perhaps a possible way forward is to combine the ethos of ‘public service’ that underpins the values of so many of the professional front line staff who keep the show on the road day to day with the determination and vision of local government management and leaders displayed in bygone eras. These leaders delivered huge improvements in education, health and housing in circumstances and situations far more challenging and intimidating than anything we face today.

Today’s challenges are different. The type of paternalistic, uncompromising leadership employed by those managers and leaders is no longer acceptable or feasible. The new agenda involves shifting from providing services to finding ways to make things happen, opening up space for collaboration with citizens, nurturing networks with communities, tapping into neighbourhood assets and listening to the needs of residents. And while this agenda is being delivered, the authority’s decision makers will need to ensure the organisation is resilient!

It will require inspirational leadership.

Related briefings

Smart Cities – October 2013

Challenges faced by the Voluntary and Community Sector in supporting local services and developing resilient communities – March 2014

Digital Technology, social media: The Voluntary and Community Sector and Local Government – July 2014

Technology and Transformation in Town Halls – July 2014

NAO – Financial sustainability of local authorities 2014 – January 2015

Managing Floods Supporting Local Partnerships

For more information about this, or any other LGiU member briefing, please contact Janet Sillett, Briefings Manager, on [email protected]
