For the past week I have been working with a company in California and getting them ready for ISO22301 certification. I will speak more on the lessons learned from the certification in next week’s bulletin. In preparation for the audit I have been helping the local coordinator and senior managers develop their local business continuity plan for the loss of their Californian Headquarters. The other half of the company which is in Sweden has already been ISO22301 certified.
As well as developing a local plan for their California Headquarters, I was building into the plan how an incident that impacted Sweden would be managed. A number of senior managers are based in California, their marketing department is there, and the company is NASDAQ listed. This means that any disaster which could have a major impact on company operations has to have a California element. This applies to worldwide sales offices, as well as to their Swedish office, where most of their IT is housed.
In developing their plan I suddenly realised that this was the first plan I have ever written that spans time zones. Plans I have written in the past have involved the incident team, especially the strategic team, working roughly office hours, with a slightly earlier start and a later finish. On the whole no interested parties wanted to hear from them in the middle of the night, so they could go home ready for the next day. As people prepare to pack up and go home for the day in Sweden, the working day in California is just beginning. If the team worked long hours across both time zones, it would be working 24/7. With a small senior management team this would not be possible.
Working with a company that has such an international operation has given me a lot of food for thought about the handling of incidents.
1. Think about how you are going to manage an incident if it is going to be across many time zones.
2. The second point is about managing the media. When I was talking to the senior managers as part of the exercise, it occurred to me that most media case studies and learning points come from businesses that serve consumers rather than from business-to-business companies. This company does something quite obscure, and before working with them I didn’t know what their technology did. That got me thinking: would anybody in the media actually be interested in an incident that involved them? I thought that the only people who would be interested are their customers, the industry and their investors. An incident involving them is never likely to make the news, so they have to think about their reputation amongst a very small pool of people rather than the “court of public opinion”. This makes their communications strategy easier, as there are fewer players, but also harder, because an incident is hard to hide in a small industry. There will inevitably be a lot of speculation, especially from your rivals! If you are a B2B organisation, you should think about how your communications strategy could differ from the usual ones you hear about.
3. My final point was this: how do you tell the customer? This company provides an ongoing support service to their customers in the form of bug fixes and new security upgrades. An incident could delay these. If there is an incident that could delay routine fixes for a short while, do you tell your customers or not? They may not notice the incident at all. On the other hand, if you were spending millions with a supplier, would you not think you were entitled to hear about any potential delay in a bug fix or a support call? We decided, after a long debate, that it depends on the circumstances. This, I think, is a very difficult call. The lesson to be learnt here is that you should think through different types of scenarios and practise them during exercises.