Lost Password? No account yet? Register
  • Increase font size
  • Decrease font size
  • Default font size

WWW.BS25999.COM

Sunday
Jul 06th
Home arrow Content arrow Communications arrow Comparing the Risks of Automated versus Manual Notification Methods
Comparing the Risks of Automated versus Manual Notification Methods PDF Print E-mail
In the immediate aftermath of a business threatening event, an organisation needs to invoke its business continuity plans and organise the recovery. Communicating ‘immediate actions’ and important information are vital to the overall success of the process. This stage is a critical choke point and an organisation should carry out a specific risk assessment on its ability to effectively communicate on a large scale in a short time frame.

There are a number of methods and systems that can be deployed in order to address this critical issue, each with specific risks.

The traditional method of communicating rapidly with large numbers of people is the so called ‘manual cascade’, where a message is relayed in a sequential fashion from person to person. For example, one person may call three; that three then call six; and so on.

Manual cascade - risks

Risks associated with this method are as follows:

The message not getting through

Manual cascades are notoriously slow. People unfamiliar with the dynamics of manual cascades often drastically underestimate the amount of time needed to contact people. Even assuming that all contact numbers are correct, everyone answers the call immediately, and no one person is ever out of contact, the time taken to contact even small numbers of people is usually measured in hours not minutes.

The message becoming distorted

Most people are familiar with the ‘Send three and fourpence we are going to a dance’ story where a simple message was passed on sequentially through a manual cascade but the output did not match the input. Manual cascades, whatever modern communication technology is used, are subject to the same issues of distortion, misinterpretation and confusion. Stress and language differences often colour a person’s perception of a message and the context in which it is delivered.

The message becoming out of date before it is completely disseminated

Because of the ponderous nature of manual cascades there is a significant risk of any given message being out of date by the time it is successfully delivered. Crises by their very nature are dynamic events, and effective command and control relies on rapid communication. The lack of dynamism in manual cascades are a significant constraining factor.

Lack of control

Like ripples on the surface of a pond, once a manual cascade utilising multiple levels is started, the ripples can only go outwards. If the message needs to be changed, updated or stopped, it simply cannot be done effectively with this method.

Lack of management information

Who has got the message? Which message have they got? And what are they doing about it? Are typical questions. Manual cascades cannot effectively deliver answers to these questions. In the aftermath of an incident, critical information on which to base an improvement process is at best anecdotal and at worst just not available.

Uncontrolled information and reactions

Even in a highly disciplined environment, control over the direction of information flow is practically impossible. People naturally want to know what is going on and to help. This results in informal cascades taking place that cut across organisational divides. Apart from creating a problem of ‘who knows what and when’, this cross group calling effect drastically decreases the effectiveness of the cascade, because it means that people are ‘chattering’ and consequently unavailable for the correct incoming message.

Information being out of date

In a pyramid cascade, it is assumed that everyone has the correct contact information for their own sub group. Contact details change frequently and, because this information needs to be communicated to multiple groups, it creates a document control and issue problem. Manual cascades also rely on people actually being in possession of their ‘calling cards’. Again, this is impossible to enforce and manage. The higher up the chain a person is, the more significant a problem it will create, should they not have this information to hand.

 

 

In summary, there are significant risks associated with relying on manual cascades for effective crisis information delivery. Recognition of these risks has created the need for both equipment vendors and customers to seek technological solutions in order to address them.

  

Automated systems - risks

Business continuity, risk management and emergency planning practitioners have realised that they can deploy technology to address the shortcomings of manual cascades, but in turn these systems also create their own significant risks which should also be carefully assessed.

There are many excellent technology systems on the market from a number of equipment vendors, but deployment of these systems also has inherent risks as described below:

Resilience

If technology is being relied upon to deliver an absolutely critical element of an organisation’s recovery capability, resilience risk should be at the top of the list. Real resilience is more than having redundant disk arrays. The following questions should be asked:

  • Location. Is it sited in an area or building that may actually be part of the crisis?
  • Can members of the recovery team access the equipment 24 hours a day and from any location?
    If remote access technology is used to access the equipment, is this dependant on other technology systems? Ask the same resilience risk questions about this access technology.
  • Is equipment maintained on a 24 hour basis? If so what is the response time?
  • What do maintenance agreements cover? For example, do they provide for complete duplicate hardware replacement and software/data restore? Read the small print.
  • What happens if the telecommunication feeds to the system are lost? Are redundant carriers available? If so, is this transition automatic or does it require IT support? Is this support available on a 24 hours a day basis?
  • What happens if the whole site, equipment and telecommunication feeds are lost? Are duplicates available?
  • If duplicate facilities are available, are they activated automatically or do they require IT support?
  • Do duplicate facilities support real time data mirroring, or do lengthy backup procedures need to be invoked?
  • If the system can only be used by certain individuals can their availability be assured?

The simplest way to assess risk associated with technology solutions is to ask the simple question: “what if this element failed” then ask the same question at 3 o’clock on a Sunday morning.

Ease of use

It is a simple fact that crises do not happen every day. Whilst most people can achieve basic levels of proficiency in software applications with training, only with regular use can applications be mastered. Regular use of crisis communications technology is not likely in most organisations. In the heightened stress situation of a real event, can users be guaranteed to use applications to a level of proficiency that does not introduce risk?

Security

Automated systems are tremendously powerful, able to deliver messages rapidly to large numbers of people. Systems must be protected against accidental and malicious use. Security risk assessments should include access to both the equipment and the data held on it. Access should be restricted to only competent and authorised personnel but should not be too restrictive as this can also create issues with too few people having access. If access to systems is controlled with multi level passwords alone, an area of potential security risk is introduced. Easy to remember passwords are also easy to guess; complex passwords are secure but hard to remember and tend to be written down. If hosted solutions are used, does the hosting company operate a recognised information security management standard such as the BS7799?

Keeping information up to date

Automated systems are only as good as the information they contain. Maintenance of contact data should not be underestimated, and suitable control systems implemented to ensure that updates to recipients’ contact data are mirrored onto the system in a timely fashion.

Accidental or malicious callout

No matter what type of automated system is deployed, there is always a risk of accidental or malicious callouts. Because of the rapidity of message throughput of automated systems the consequences of such an event are significant and sufficient planning and risk treatment should be applied to the issues of prevention, dealing with the consequences and recovering back to a stable state.

Summary

Whilst the risks attached to the use of manual cascade systems are obvious in their significance, it has been proven that deployment of automated systems can address and solve many of these. Yet it must be taken into account that automated systems introduce a completely new set of risks related to the management and operation of the technology.

 

Document Author: Harvey Fawcett

 

 

Comments (0)add
Write comment
smaller | bigger

security image
Write the displayed characters


busy
 
< Prev   Next >
[ Back ]