As a student in the not too distant past, a 1968 blue Morris Traveller was my chosen means of transport. Cheap to run, full of character and with a top speed of 68mph I loved it. Reader, I’ll spare you the blushes of detailing all my student priorities, but evidently getting places quickly was not high on my agenda. Whilst many happy times were had, it did have its downsides; if I actually needed to get somewhere I’d choose the train, bus or bike every time; I also had to make a hefty investment in roadside recovery insurance, which quickly proved its worth as I was soon on first name terms with many of their mechanics; and I had to call upon the car-repairing knowledge and skills of family and friends to get the beast back on the road on far too many occasions, every time learning something new.
So, apart from locks so dodgy they could be opened with any key, what has the little blue Morris got to do with security?
Business Continuity in HMRC
Whilst bringing in over £500bn of tax revenue to fund public services every year is a slightly different objective than getting from A to B whilst at university, making sure the funds continue to flow in and out, despite the unexpected, relies on considerations not dissimilar from the calls I made as a student. Availability is key to security, but when setting out on any journey the unforeseen can happen. Whilst we cannot realistically prevent all possible causes of disruption to HMRC, our new Business Continuity strategy does set out how we reduce the consequences of these unexpected events through proportionate and considered prioritisation, planning, testing and assurance.
This is all the more important given the landscape of change we operate in. HMRC is becoming a smaller organisation of more highly skilled people, based in fewer locations delivering work which is increasingly driven by real-time, less-manual/more data-driven processing, with more services provided on-line.
Prioritising what’s important to the Business
Like leaving the Morris at home when I actually needed to get somewhere, prioritisation is at the heart of HMRC’s Business Continuity strategy. Maintaining and improving the list of key business locations, processes and services through a Departmental Business Impact Analysis allows us to focus resources on understanding and supporting the parts that are critical to achieving our objectives. Whilst maintaining this picture becomes increasingly challenging as systems become more inter-connected, the importance of understanding business priorities only increases when things get more complex.
Planning for Incidents
And what about the extensive spares kit I used to carry along with the phone number for calling upon trained mechanics? Those were my attempts to plan for the unexpected; HMRC relies on business owners making plans to ensure they can continue to deliver when faced by the unexpected. They are supported in this responsibility by recently introduced Business Continuity planning software, which also helps with consistency, strategic planning, assurance and de-confliction of fallback plans. Whilst it’s often said ‘no plan survives first contact with the enemy’, plans definitely stand a better chance of success if we know that they don’t all rely on the same fallback location. But software does not provide the whole answer, and so Business Continuity Institute training is available for those with significant Business Continuity responsibilities in addition to the Security and Information education and training programme which helps embed the key Business Continuity messages across the organisation.
Testing and Assuring for the future
We also aim to improve continuously through testing, assurance and feedback. In future, significant Business Continuity incidents will be reviewed by Internal Audit to see where improvements can be made. The new software will enable more effective assurance of the quality and coverage of existing plans, and testing continues to take place at all levels within HMRC and across Government to help ensure the objectives of bringing in the funds for vital public services and distributing targeted assistance to individuals and families can continue to be met even in the face of adversity.
So, finally, how was the Morris assured? Unfortunately for me, testing came in the guise of an MOT that revealed the wheels to be attached to the chassis in no meaningful way. A sad day indeed. But by then my objectives had also changed anyway, meaning a more reliable, resilient 21st century car was needed more suited to getting places on time. Whilst HMRC’s objectives remain unchanged, the new civil-service reform inspired, digital environment that we work in means we will continue to focus on our business priorities, planning around challenges and assuring our preparations to help make sure the key systems and processes are available to support HMRC meet its goals.