The social housing sector is at significant and growing risk of disruptive incidents that can affect housing providers and their tenants. The fallout from the Grenfell Tower fire has rightly heightened all housing providers’ sensitivity to their duty of care towards tenants when a potentially life-threatening disaster strikes; even a lift breakdown in a tower block now takes on a greater sense of urgency.
At the same time, the publicity surrounding the implementation of GDPR and the increasing regularity of cyber breaches have raised the bar on taking adequate measures to protect the sensitive personal data of tenants.
On top of all this comes the growing vulnerability of all organisations to unplanned IT and telecoms outages, given their increasing dependency on cloud-based services for data storage, enterprise software and telecommunications, as well as to increasingly unpredictable weather events, energy supply disruption, uncertainty around Brexit and the remote but real threat of terrorist attacks.
According to the Business Continuity Institute Horizon Scan 2018, the top three business disruption events during the previous 12 months were unplanned IT and telecoms outages, adverse weather events and interruptions to utility supplies.
The impact of these disruptive events can vary widely, from the failure to comply with data protection laws to a breakdown in customer services or utility supplies to residents, or even injury and death, all of which can have financial, reputational and moral consequences.
What steps can be taken to mitigate business disruption events?
- Review your risk register to make sure that it covers all of your possible threats. Many risk registers are only based on what has happened in the past, leaving you vulnerable to more unpredictable events. The BCI Horizon Scan (mentioned above) provides current information on the top threats and disruption events.
- For CTOs and CIOs, the top risks will be unplanned power outages and data breaches, but also consider more unpredictable events that could affect your data storage facilities, such as a small fire in the same building as your server room, which may lead to water damage to your servers from sprinklers.
- Make sure that you have a business continuity (BC) plan which is fit for purpose. The local authority and social housing sector is ahead of many other sectors in having BC plans in place across the board because of the requirements that the Civil Contingencies Act imposes on them. However, this can mean that the process is in danger of becoming a tick-box exercise.
- Ensure that your plan is fit for use during the panic that will probably happen when an event strikes by creating a series of shorter action plans to fit each of your major threat scenarios. These actions should include specific tasks for specific individuals, such as taking responsibility for locking down access to data until a suspected cyber breach is resolved and informing residents and the regulator if necessary.
- Make sure that your action plans will be available to you under all circumstances. Having a well-written plan is no use to you if you can’t access it in an emergency because your on-premises IT infrastructure has been taken out by the same flood, fire or power failure.
- Consider the benefits of a cloud-based, multi-channel communications platform; an emergency communications platform is essential to successful incident management, but it’s only useful if it is always available.
- Make sure that you have a testing and exercising programme in place. This should include a mix of virtual, desktop and live tests and exercises. Having a testing programme in place is standard BC good practice for everyone and greatly increases the chances of an effective incident response. And for local authority providers, who are ‘category one’ responders under the Civil Contingencies Act, a regular testing programme is an emergency planning requirement.
Consider these steps and you will be much better prepared to handle a business disruption event and return to business as usual as quickly as possible.
Remember that the only thing harder than planning for an emergency is explaining why you didn’t if that day comes.
Shalen Sehgal is the managing director of Crises Control.