Exercise your business continuity plan

Sharing David Discenza’s article “Exercise is good for you, and for you and Business Continuity plan!” from The Business Continuity Monthly Advisor, Vital information to keep your business resilient, presented by Discenza Business Continuity Solutions, June 2015. Source: http://eepurl.com/bpMj2D

David wrote: ‘We all know there is a benefit to regular exercise. It strengthens muscles and our cardiovascular system. It helps to strengthen our skeletal system. It even helps improve our overall sense of happiness and well-being. And yet……

I won’t cite statistics about how many people actually exercise or how often they do. That’s not the point of this article. The point is that, despite the known benefit, most people just don’t bother or they overestimate the amount of exercise they get. The same seems to hold true for business continuity plans (BCP). “Why bother to conduct an exercise?” Some people say, “All the information we need is in the plan. All we need to do is follow it, right?”. Well,… no. This type of attitude is based on three assumptions that, to quote the old song, “ain’t necessarily so”.’

Assumption #1: the Business Continuity Plan is up to date.
Assumption #2: the plan is a “cookbook”.
Assumption #3: “We’re never going to use this anyway.”

David shared a true story: “I was the BCP manager for the risk management department of a major card payment company in New York City. Testing our plan was required annually by the central Service Continuity staff. Usually, they provided the scenario but this time I had to write the scenario for our business unit.

After doing some research with the NYC Department of Emergency Preparedness and with the management firm that operated our building I constructed a scenario with two hurricanes a week apart threatening the NYC area. The first one missed to the south. The second one was a direct hit.

In my scenario, lower Manhattan was flooded up to 23rd Street. The subways and the commuter trains were completely flooded, as were all the electrical conduits that run under the streets. Worse, our building was flooded due to the storm surge damaging the electrical distribution system, the heating and ventilation system, and the communications system. Power was lost over much of the region which meant that our employees couldn’t work from home because they’d lost both power and internet access.

The team members ran through the exercise and did a good job, though we did find some gaps in our plan that needed to be addressed. On the way out of the exercise, one of the senior VPs pulled me aside. “You went a little over the top with this ‘doomsday’ scenario, didn’t you?” he said. “Well, maybe”, I conceded. Never argue with a senior VP. “But, it could happen”, I replied. Several months later it did in the form of Superstorm Sandy.

Sandy played out much as I had written in my scenario, except it was much worse. Because our team had practiced, we knew to shift work to other sites well before Sandy hit. We also knew our building would likely be damaged and unavailable for a period of time and so our employees were instructed to take their laptops home and plan on working from home for the near term. Because we had anticipated this type of a situation and practiced for it, we were better able to cope with the magnitude of interruption to our business operations that exceeded what my imagination was able to produce.

Business continuity plans need to be exercised for the same reason that people need to exercise; to strengthen their weaknesses, to improve their overall health, and to improve their sense of well-being. Teams which exercise their plans regularly improve their ability to respond to business interruptions and gain confidence in their ability to respond effectively, even to situations for which they have not practiced.”

If you need assistance in exercising your Business Continuity plan, then contact me at b4crisis@grapevine.net.au to discuss exercising your business continuity plan.

Posted in B4Crisis | Leave a comment

Reputation, a business continuity threat

Sharing Charlie Maclean-Bristol, Director of Training, Business Continuity Training Ltd, writing on reputation management. Loss of reputation is a major threat to business continuity and survival. At the Business Continuity World Conference, London, Nov 2014, we discussed the data demonstrating 60% of a listed company’s share price is attributable to reputation.

Charlie’s article is titled: “Sorry Seems To Be The Hardest Word”, 14 May 2015, using Thomas Cook as a case study and demonstrating that “you can outsource the activity but not the risk” to a third party provider. “(Last) week Charlie discussed how crisis management can go wrong when not handled correctly.

Occasionally in the news you hear a story and wonder how the organisation can get it so wrong when the solution seems so obvious. Thomas Cook’s handling of the deaths of Robert and Christianne Shepherd nine years ago is an example of a company which got its crisis management very, very wrong and caused major damage to its brand and reputation. The simple solution was for the company’s CEO to apologise sincerely to the family and accept responsibility for the deaths of the two children. It has taken them nine years to eventually agree to do this and within the last couple of days the CEO has been on television apologising to the family saying he would also be doing this face to face in private.

The cause of the death of the two children, which also almost caused the death of the parents, was carbon monoxide poisoning from a faulty boiler in their holiday apartment in Corfu.

It is interesting that Thomas Cook didn’t own the apartments themselves but they were owned by a third party. So although the customers were Thomas Cook’s, the people responsible for the maintenance of the boiler were a third party. Whenever I am training I always point out ‘you can outsource the activity but not the risk’. Thomas Cook’s health and safety procedures were found to be inadequate and they had not spotted the faulty boiler. So the actual organisation, which caused the death of the children, wasn’t Thomas Cook… Source http://www.b-c-training.com/Sorry-Seems-To-Be-The-Hardest-Word


6 tips to improve IT business continuity

Sharing Continuity Central article of 14 May 2015 on protecting your IT business continuity. It is entitled “Six tips to help managed service providers ensure that downtime is kept to an absolute minimum”. David Weeks, SolarWinds N-able, wrote: “Any business – whether big or small – can be damaged as a result of even a few hours of downtime. Lost revenue equates to loss of customers, not to mention permanent loss of data. Managed service providers (MSPs) are no exception to this rule and have a responsibility to put a strong back-up policy in place to mitigate any detrimental impact on the business and its customers from downtime.

As a starting point, he offers MSPs the following six best practice tips, which are fundamental for ensuring successful protection against lost data:
1) Keeping downtime to a minimum
For an MSP, it is simply unacceptable to not have the correct hardware to restore data when a failure happens. If the customer is using proprietary server hardware, MSPs should back up at the volume level using bare metal recovery. This will restore the server to almost any other equipment, and minimises the effect on the customer’s business.
2) Offsite backup
It isn’t ideal to have a conversation with a customer in which an MSP reveals they damaged a backup, or even worse, that the backup is lost. As it is not common practice for smaller businesses who perform their own backups to keep them offsite, a responsible MSP should keep the latest data available offsite to mitigate disaster brought about by a flood, fire or storm. Offsite backups allow SMBs / SMEs to get a replacement system working in a very short space of time, enabling them to pick up right where they left off with their data.
3) Saving on space
4) Monitoring backups
5) Backups need reporting too!
6) Testing backups before a problem emerges.”
Source http://www.continuitycentral.com/index.php/news/technology/219-feature1310


Resilience as a business continuity mindset

Sharing Resilience as a business continuity mindset from Gary Hinson and Dejan Kosutic. Published in Continuity Central, 23 April 2015 http://www.continuitycentral.com/index.php/news/resilience-news/175-feature1306

Executive Summary – Most business continuity experts from an IT background are primarily, if not exclusively, concerned with establishing the ability to recover failed IT services after a serious incident or disaster. While disaster recovery is a necessary part of business continuity, this article promotes the strategic business value of resilience: a more proactive and holistic approach for preparing not only IT services, but also other business processes before an incident in order that an organization will survive incidents that would otherwise have taken it down, and so keep the business operating in some form during and following an incident.

Strategic approaches to business continuity

Information security is largely concerned with avoiding or preventing incidents, primarily through preventive controls. As a strategy, it clearly makes sense to invest in avoiding or preventing incidents wherever possible. In practice, however, we know only too well that despite our best intentions, incidents are inevitable due to errors in the risk management (risk assessment and risk treatment) processes. “Avoid/prevent information security incidents,” per se, is therefore a relatively risky or fragile strategy.

Incident management is normally an integral part of information security risk management, and with good reason: proactively managing the identification/notification, containment and resolution of incidents makes the associated processes more effective and efficient, and most organizations “learn the lessons” from incidents by improving their information security arrangements. (The truly clever ones don’t merely learn from their own incidents, but from those affecting others: gain without the pain!)

A resilience strategy takes the approach a step further by deliberately engineering the organization (its operations, workforce, IT systems, networks, business relationships and so on) to be inherently strong and reliable: dependable, even. A resilient organization can shrug off various incidents that might otherwise have interfered with or interrupted vital business activities, keeping operations running without a noticeable break in service.

Crisis and disaster management involve someone suitable taking charge of things during a crisis, serious incident, or disaster, bringing order to chaos and initiating the recovery activities in particular. In such a high-pressure situation, the crisis/incident/disaster managers are anticipated to take stock of what has happened, marshal the available resources, and lead the activities necessary to recover or resume business operations. Crisis and disaster management can be viewed as extensions of incident management. However, conventional incident management activities are designed to deal with individual, relatively small-scale incidents, and are well-practiced due to the routine nature of incidents. A major incident involving multiple, very serious events requires a step change in the management processes, better coordination, and strong leadership. The infrequency of major incidents also means that the associated management activities are not routinely practiced; hence, additional planning and exercises are needed.

Disaster Recovery (DR) or business resumption planning (BRP) starts with the presumption that business processes and systems have somehow been disrupted. Perhaps the organization was not sufficiently resilient to escape the specific situation that occurred (for instance, a supply chain failure that was totally out of its control and for which there were no viable alternative sources of supply), or maybe the resilience measures turned out to be inadequate in practice (perhaps the incident was more severe than anticipated, or perhaps the resilience measures simply failed when called upon: it happens!). It could also be that the incident was totally unexpected and caught the organization unprepared: in other words, the risk analysis did not identify the possibility.

Contingency management works on the assumption that “something else happens”; in other words, for some reason the controls have failed to avoid or prevent an incident, and the resilience and recovery measures have not catered adequately for the specific circumstances, perhaps because:
• the situation genuinely could not have been predicted: it is so novel that nobody could possibly have known it was coming;
• the situation was predictable, but for some reason we failed to predict it (maybe we just missed the signs of impending doom, or we each thought someone else was dealing with it);
• the situation was predicted, but we failed to control adequately against it (the control measures didn’t go far enough); or
• we had “bad luck”; in other words, we suffered an unfortunate coincidence involving one or more causes, happening at the worst possible time.


Investing in business continuity management

The Business Continuity Institute has released, through its newsroom, ‘a study by research firm IDC carried out on behalf of Carbonite revealing that over 80% of small to medium sized businesses (SMBs) have experienced downtime in the past, and that the costs associated with this downtime conservatively range from USD$82,200 to $256,000 for a single event. Source http://www.thebci.org/index.php/about/news-room#/news/small-businesses-investing-more-in-business-continuity-115301

Small businesses are by no means exempt from disruption and the latest Horizon Scan report carried out by the Business Continuity Institute shows that business continuity professionals working for smaller organizations have concerns about the same threats that their counterparts in larger organizations have. What is potentially a greater danger for these SMBs however, is that they often have less capacity to absorb any disruption.

The survey does show that for many SMBs, the threats they face are not going unchallenged. The survey of 700 SMBs worldwide found that 81% of those currently using business continuity solutions are considering improvements to their strategies, while 72% plan to increase investments in business continuity over the next 12 to 24 months.

“Small businesses are facing operational challenges stemming from persistent data growth, budgetary constraints and the need to produce more with less which is driving adoption of cloud computing, data analytics and mobility similar to their enterprise counterparts,” said Laura DuBois, Vice President of IDC’s storage practice. “To address these challenges, SMBs have signalled a need and intention to drive material spending on business continuity in the next 12 to 24 months.”

The main driver behind increased investment in business continuity is the threat of downtime which 76% of SMBs surveyed cited as the single biggest reason for purchasing business continuity solutions. The reason for this is clear as the study highlights that the average estimated cost for an hour of downtime for an SMB ranges from $8,220 to $25,600, and typically an unplanned event can last for as long as 24 hours – which could be devastating to a small business.

“When it comes to disaster recovery, the stakes are higher for small businesses,” said Mohamed Ali, Carbonite’s President and CEO. “SMBs realize that a business continuity solution can mean the difference between staying in business or losing everything they’ve worked for, and the data shows they are investing accordingly.”’


Top 10 list of crisis management books

Sharing Caroline Sapriel’s top 10 list of crisis management books. http://csa-crisis.com/csa-today/crisis-management-books-caroline-sapriels-top-10-list/

Caroline notes: “Crisis Management is not only about responding to crises, but also about detecting rising issues and looming crises, preventing and preparing for them, mitigating their impact and recovering from them. To build resilience companies must take an integrated approach to crisis management which includes risk management, crisis preparedness and response and business continuity. So a useful reading list on crisis management must include titles on risk management, scenario planning, crisis communication and crisis leadership.” The following is her list!

1. The Butterfly Defect, Goldin, I. and Mariathasan
I would agree with Caroline that this book is a wonderful read on understanding the systemic risks brought on by globalization and practical guidelines to be better prepared.

2. Effective Risk Management, Edmund H Conrow
Caroline assessed this book as being quite academic, but necessary for anyone wanting to understand and apply risk management in their organisation.

3. The Disasters You Should Have Seen Coming, and How to Prevent Them, Max H. Bazerman, Michael D. Watkins
These Harvard Business School authors explain why predictable surprises are so common in business and society and provide a systematic framework that leaders can use to recognize and prioritize brewing disasters and mobilize their organizations to prevent them.

4. Managing Crises – Rosenthal, Boin and Comfort
These editors with 25 notable contributors expand the knowledge of crisis management, focusing on case studies of high profile events that have occurred in recent history.

5. Scenarios, The Art of Strategic Conversation, Kees Van Der Heijden
Outlines the art and power of scenario planning, articulated by a Shell executive. I am a fan of Shell Futures webinars and ideas that always challenge me and likely many others too.

6. Why Some Companies Emerge Stronger And Better From A Crisis, Mitroff
As Caroline points out, this has a self-explanatory title.

7. Crisis Communication Theory and Practice, Alan Jay Zaremba
A well-structured book that examines the before, during and after of a crisis. Practical guidelines for the Communicator and his team.

8. IABC Handbook Of Organizational Communication
A bible on organisational communication, including crisis communication.

9. Leadership, Rudy Giuliani
As Caroline points out, whether you agree with his politics or not, Giuliani was there and has much to share with anyone seeking to understand leadership under pressure e.g. being trapped in your crisis command center after 9/11.

10. Crisis Management – Tales from the Front Line, Caroline Sapriel & Dirk Lenaerts – available as an audio book, if you email koen.peeters@csa-crisis.com


3rd India Business Continuity Management Summit & webinars

You may also be interested in joining these upcoming free webinars; please browse the link: https://lnkd.in/btfa3uW. These are curtain raisers for the 3rd India Business & IT Resilience Summit, 27 to 28 May, 2015, Mumbai http://bcm-india.in/. Phone +91 11 4105 5534, +91 85869 76159 or email: summit@bcm-india.in, if you are available and interested to register.

The theme of the 3rd India Business & IT Resilience Summit is “Leadership through Resilience.” The Summit is being organized by Continuity and Resilience (CORE).

As a premier 2-day event, it will bring together the best minds and thought leaders in the field of Business Continuity Management (BCM), IT Disaster Recovery, Risk Management, Emergency Response & Crisis management and Security from India, UK, US, Sri Lanka, Bangladesh, Pakistan and the Middle East.

The Summit has been organised with an objective to seek new thoughts, ideas & solutions to proactively manage the various stages of the BCM implementation lifecycle, including Resilience, Crisis Management and Emergency Response, Safety, Information Security and Physical Security and not just Business Continuity and IT Disaster Recovery.

The “India Business and IT Resilience Summit 2014” was attended by around 200 participants from around the globe. 250+ participants are expected at the 2015 Summit. They will not only be sharing their experience and learning from the various BCM projects, industries and sectors.

The 2015 Summit Format is:
• Educational sessions (Keynotes, case studies and panel discussions)
• Networking Events (Reception, Lunches, Coffee Breaks and Gala Dinner)
• Business Card Exchange Session
• Table Top Displays

The Business Continuity Institute India Awards 2015 will be presented at the Summit on 27 May 2015. These Awards recognise the outstanding contribution of business continuity professionals and organizations living in or operating in Afghanistan, Armenia, Azerbaijan, Bangladesh, Bhutan, India, Kazakhstan, Kyrgyzstan, Maldives, Nepal, Pakistan, Sri Lanka, Tajikistan, Turkmenistan and Uzbekistan.

All winners from the India Awards will be automatically entered into the Global Awards presented in London on 4 November 2015 as part of BCI World Conference.


2 new BSI business continuity standards released

The British Standards Institution (BSI) has released 2 standards relevant to business continuity management. The first is BS11200:2014 Crisis Management Guidance and good practice, http://shop.bsigroup.com/ProductDetail/?pid=000000000030274343. The BSI claims this guidance:
* is applicable to any organization regardless of location, size, type, industry or sector
* provides guidance to help management plan, establish, operate, maintain and improve their organization’s crisis management capability and
* notes that a capability to manage crises is one aspect of a more resilient organization.

Resilience requires effective crisis management, which needs to be understood, developed, applied and validated in the context of a range of risk related disciplines. These include risk, business continuity and security management.

Crisis management cannot simply be deferred until an organization is hit by a crisis, in the hope that it will never happen. It requires a forward-looking, systematic approach that creates structures, trains people to work within them and is evaluated and developed in a continuous, purposeful and rigorous way.

The development of a crisis management capability needs to be a regular activity that is proportionate to an organization’s size and capacity.

Contents are:
1. Introduction
2. Scope
3. Terms and definitions
4. Crisis management: core concepts, principles and developing a capability
5. Building a crisis management capability
6. Crisis leadership
7. Strategic crisis decision-making
8. Crisis communications
9. Training, exercising and learning from crises
10. Bibliography
11. List of figures
12. List of tables

BS65000:2014 Guidance on organizational resilience http://shop.bsigroup.com/ProductDetail/?pid=000000000030258792

The BSI notes resilience is crucial for any organization to survive and prosper. But what exactly is resilience and how can it be improved?

BS 65000:
* provides clarity and guidance, describing the nature of resilience and ways to build and enhance resilience in your organization.
* defines organizational resilience as the ability to anticipate, prepare for, respond and adapt to events – both sudden shocks and gradual change. That means being adaptable, competitive, agile and robust.
* provides ways to improve resilience through integration and coordination of the various operational disciplines in an organization.
* notes most organizations work within a complex web of interactions. It is essential to build resilience not only within an organization but across networks and in partnership with others.
* is valuable to anyone responsible for building resilience in their organizations. That includes risk managers and continuity practitioners and those involved with governance, emergency management and supply chain management.


Business continuity vulnerabilities

Sharing http://www.b-c-training.com/Fire-In-The-Hole from Charlie Maclean-Bristol. This fire may have occurred in London and be due to ageing infrastructure. This infrastructure fragility and age are issues in Australia and the Asia Pacific region more generally.

Charlie discusses major incidents and the impact they can have on businesses and the local area.

‘Fire in the hole’ is a warning that an explosive detonation in a confined space is imminent. It originated with miners, who needed to warn their fellows that a charge had been set.

On the 1st of April 2015 in Holborn, London there was a fire in a hole which caused a major impact to the local area. It was not actually a fire in a hole but an electrical fire in a Victorian tunnel of which there are thousands in London. The fire was made more difficult to put out as the tunnel also contained an eight inch gas main which ruptured and fed the fire. Due to the difficulty of fighting the fire and the need to burn off the remaining gas in the pipe after the supply had been cut off, the fire took 36 hours to put out. Five thousand people had to be evacuated at the beginning of the incident and the whole area lost power and gas supply. Once the fire was put out there was still major disruption in the area as the services were being restored. There was also major evacuation works to repair the tunnel, which caused traffic chaos in the area. The area is only now getting back to normal.

This event has all the elements of a ‘typical’ business continuity incident.

1. When I am training I always say the next incident is always the one you have not thought of. We don’t really expect an electrical fault in a major city to last beyond a few minutes or at least beyond a few hours. This one lasted for several days. We also don’t expect a denial of access to last for days rather than a few hours.

2. Like the Germanwings plane crash which I discussed in a bulletin a couple of weeks ago, this event has happened before. In Manchester in 2004 there was a major fire in a BT tunnel which destroyed 130,000 business and residential phone lines, leaving companies without telephone lines, fax lines and access to their networks. Details of the incident can be found here. As more and more cables are routed through tunnels and often multiple utilities bundled together, it would seem that these incidents are going to be more likely. If this is the case we should be preparing for them!

3. I think this incident shows how complex incidents can be and how they may occur in the most difficult places to manage. This incident happened within a tunnel, which are very difficult to fight fires in, plus the fire involved an eight inch gas main. Is there within your organisation, in terms of location or time, a particular time when you do not want an incident to take place? Are your plans ready for this event?

4. Around the same time as this incident there was a major heist taking place only half a mile away. Jewellery and other valuables up to a possible value of £200m were taken from safety deposit boxes in a vault. In various papers ‘experts’ started to connect the two events and accused those carrying out the heist of starting the fire to divert police attention from their activities. The police have said they have no information to suggest that the two incidents are connected; even if they’re not, they may be within public consciousness. When you have an incident, ‘experts’ or the media may connect your incident to a previous incident you have had or someone else has had. This compounds the effect of the incident on your organisation. Are your media or corporate communications staff ready and prepared to decouple the two incidents quickly before they become connected in the minds of the public?


Supply chain risk management cost estimates

More from the British Standards Institution following its launch of the first global risk management standard for supply chains. PAS 7000 brings transparency and cost savings to the procurement of supply chains. http://www.bsigroup.com/en-GB/PAS7000/

BSI, the business standards company, today launches PAS 7000, a universally applicable supply chain information standard for suppliers and buyers at organizations of all sizes around the globe. PAS 7000 Supply Chain Risk Management- Supplier prequalification helps answer three key questions relating to any organization’s supply chain partners: Who are they? Where are they? Can they be relied upon? The standard draws on the collective expertise of 240 professionals drawn from global industry associations and organizations, and it addresses product, process and behavioural criteria for supplier prequalification.

PAS 7000 has been created in response to industry demand, with three quarters of executives considering supply chain risk management important or very important[1]. As supply chains increasingly span continents, and brands become ever more exposed due to the demand for increased transparency, the challenges for procurement teams to assess the suitability of suppliers increase. 63% of EMEA companies have experienced disruption to their value chain due to unpredictable events beyond their control in the last 12 months, at an average cost of $823,289 per incident per company[2].

[1] Don’t play it safe when it comes to Supply Chain Risk Management – Accenture Global Operations Megatrends Study 2015
[2] Dynamic Markets – Managing the Value Chain in Turbulent Times – Oracle, March 2013

PAS 7000 provides companies with a uniform set of common information requirements that reduces duplication of effort in completing tender forms and aids procurement in bringing consistency to the supplier base. It establishes a model of governance, risk and compliance information for buyers to pre-qualify suppliers and confirm their intention and ability, to adhere to key compliance requirements. This in turn helps organizations make an informed decision about whether or not to engage with a potential supply chain partner.

Howard Kerr, Chief Executive at BSI said: “Today’s consumers and employees demand integrity from the organizations they deal with. Acting with integrity requires confidence in all those involved in delivering a service, anything else risks brand reputation. The benefit of this new standard is that it helps brands to align their supply chain with their corporate values by adopting an internationally defined framework of good practice for supplier pre-qualification.”

Source http://www.bsigroup.com/en-AU/About-BSI/Media-Centre/Press-Releases/2014-News/November-2014/BSI-launches-first-global-risk-management-standard-for-supply-chains/#.VS7p4KYfppo
