The themes developed from the Focus Group were tabulated in Table 4.5 Interpretation: Focus Group, using the template provided by Adu, 2016 (Table 13 in the Research Methodology chapter).
Table 4.5: Interpretation: Focus Group
Research Question 1: What was the understanding of business continuity?
Theme(s) Business continuity was when an organization was faced with a disruptive event (could be man-made or natural), it required a plan of processes to be able to continue with critical business to meet objectives. It involved the development of a business continuity plan. Required conducting a business impact analysis to identify the following: an alternate site, critical staff required, core business functions and recovery times. It also involved the development of a business continuity plan.
Evidence The following responses have been paraphrased but reflect the sentiment of the focus group:
Business continuity was a plan of processes to ensure if a disaster or unexpected thing happens it enabled the continuation of business.
It was a plan to recuperate after the event.
The process could allow the organization to continue with the business especially the critical business; the organization to actually meet its objectives and its core business. It focused on the critical business of the organization to continue without the full staff compliment.
A disaster or event causing a disruption could be natural example drought, fires or man-made example load shedding.
It required the scaling down what critical staff was needed.
The contingency plan was attached to the BCP.
Identify an alternate site in order to continue with business off site.
The impact analysis will determine what business can continue and for how long.
Research Question 2: What do you think are the key processes in business continuity management?
Theme(s) The key processes were the identification of the critical business and critical units to ensure the continuation of business. A business impact analysis needed to be conducted in order to prioritize functions / business, determine the resources required, identifying an alternate site and resourcing of the alternate site. Identification of key persons for business continuity management, and clarifying roles and responsibilities including decision makers.
Evidence The following responses reflected have been paraphrased to reflect the sentiment of the focus group:
The identification of critical business / units.
Allocation of resources, where to locate; equipment, vehicles, laptops required; technology, the human factor and a generator.
The identification of an alternate site to continue with business.
Conduct a business impact analysis to prioritize functions / business.
The BIA will provide an indication as to what business was considered to be the critical businesses that cannot function when the BCP kicks in.
The identification of the people and business continuity management. The people that will manage the whole process and who will be the shot callers need to be identified.
Conduct an assessment of the alternate site, where the information was going to be kept and whether it was in line with the risk management process.
Research Question 3: As the lead department, you are expected to support departments with the development of business continuity plans. How do you see your role?
Theme(s) The participants viewed their role as facilitator and advisor. They advised in respect of business continuity and also analysed documentation. The business continuity plan was communicated through awareness and information sessions. The participants stated that they were responsible for risk management in the business continuity plan.
Evidence The following responses have been paraphrased but reflect the sentiment of the focus group:
Participated by sitting with the security manager.
They saw their role as purely advisory.
They indicated that they were managing departments business continuity plans
Their role was articulated in the BCP document where they facilitated the risk management part of the BCP.
They also had a responsibility in respect of communicating business continuity by creating awareness. Staff need to be informed because should a disaster strike there shouldn’t be chaos, therefore it was important to ensure that staff were informed.
Research Question 4: Do you think that you could influence processes within departments in favour of business continuity?
Theme(s) Business continuity could be influenced through engagements with security managers to build and maintain trust. The establishment of a network with those that function in the business continuity environment. Making use of existing platforms and processes to influence. Required flexibility as departments were different. By virtue of the security risk management function, processes could be influenced in favour of business continuity.
Evidence The following responses have been paraphrased but reflect the sentiment of the focus group:
The relationship with the security manager was important. It allowed for communication where inputs were taken to the security committee and EXCO of the department and feedback provided. The processes could be influenced because security risk management was their core function.
The platforms to influence differs from department to department. Some indicated that they were influential when it came to the budget, processes or technology in departments. The MoU between departments and the lead department could also be seen as a platform to influence.
The provision of expert advice to departments were standard based.
Research Question 5: What does enterprise risk management mean to you?
Theme(s) Enterprise risk was seen as a management issue and highly classified as it was a line function. Categories of risk related to the explicit distinction between security risk and enterprise risk. Security risks were identified in terms of MISS whereas enterprise risk was seen to more financial or budget related. Enterprise risks were considered internal based on departmental inputs. Management were better influenced to influence EXCO and have risks placed on the risk register.
Evidence The following responses have been paraphrased but reflect the sentiment of the focus group:
Enterprise risk management was a management issue, it was seen to be highly classified.
Enterprise risk management was aligned with 31000. The lead department was concerned with physical security and different elements of the industry. Enterprise risk management was better suited to influence on an EXCO level as it comprised management. There were some risks that were identified and registered on the risk register of the department based on the ERM finding. The HoD or whoever would decide whether the risk would be accepted and reflected on the risk register.
Enterprise risk management was basically on a different methodology pertaining their risks which might be internal from department’s inputs.
Research Question 6: How in your opinion should risks be identified?
Theme(s) The internal and external context of the organization was a determinant in identifying risk. The internal context related to policies, legislation. External context related to dependencies on other stakeholders. The internal and external environment with reference to the organizational cultures, political and technological environments were also determinants in the identification of risks. The various approaches to identifying risks were mentioned: stakeholder engagement, pestle, SSRAs, RSATs, reports, incidents, root cause analysis technique, situational analysis, PDCA and hazards.
Evidence The following responses have been paraphrased but reflect the sentiment of the focus group:
The way risks were identified was based on stakeholder engagement and consultation, it started from there.
The external context has different elements example technology, political, social environment and the legal environment.
The internal context was in line with the four strategic thrusts of the WCG which was polices, organizational culture, applied methodologies, leadership and management.
PESTLE was identified as a method to identify risks.
The RSAT process was also identified as a method to identify risk.
The SSRA was a full-scale assessment of the safety and security risks.
Implementing PDCA – in terms of the ISO standard.
The root cause analysis technique would lead to the exact risk.
To identify risk a situational analysis could be conducted, advise department to proactively identity risk before something happens. In some instances, the response was reactive.
Research Question 7: Do you think you could influence the risk management processes within departments?
Theme(s) The consensus was yes that the risk management processes could be influenced. The view was held that in order to influence the process one needed to become a subject expert. The establishment of relationships with departments and having a partnership with security manager was also deemed as a means to influence. A key success would be understanding department’s business processes which in turn could be used as a means of doing a risk assessment against. As a subject expert it would facilitate the provision of responses and to get buy-in to convince stakeholders. Not all risks were security related but related to projects. Due to the non-participation in service delivery loan itself to the inability to identify service delivery risks.
Evidence The following responses have been paraphrased but reflect the sentiment of the focus group:
Agreement that processes could be influenced but it did not necessarily mean that the risk goes onto the risk register.
Having a partnership with the security manager was very important. It was also important that the business processes of the department were understood.
In order to be successful required the understanding of department’s key processes in order to use against them.
It was important that the risk assessment was conducted against the department’s standards which were implemented by the department.
Agreement that processes could be influenced by required to first establish a relationship with the department, ascertain who was responsible for risk management.
Secondly the lead department needed to educate themselves to become the subject expert to respond appropriately to get the required buy-in.
Some participants indicated that they were already influencing because they have managed to integrate the different business units.
Research Question 8: Would you agree that a link exists between business continuity and resilience? Kindly elaborate your thinking.
Theme(s)
Resilience was concerned with the ability of an organization to survive, and adapt to change. The sentiment expressed was that a link existed between business continuity and resilience.
Evidence The following responses have been paraphrased but reflect the sentiment of the focus group:
There was a link. Being resilient allows one to make a comeback.
Source: adapted from Adu (2016)