Tuesday, 4 November 2014

Business continuity importance to an integrated view when assessing critical infrastructures

As a result of EDP Distribuição's responsibilities, its involvement was required in Portuguese efforts to comply with the European Council Directive 2008/114/EC on the identification and designation of National Critical Infrastructures (NCI) and the assessment of the need to improve their protection.

EDP Distribuição is the Portuguese mainland Distribution System Operator, serving over 6 million customers in a regulated business with clearly defined responsibilities, being the holder of the concession to operate the Distribution Electric Power Network in Medium Voltage and High Voltage, and holding municipal concessions for the distribution of electricity in Low Voltage.

With EDP Distribuição having responsibility for several assets and systems that are essential for the maintenance of vital societal functions (health, safety, security, and the economic or social well-being of people), the challenges were many. Selecting a manageable number of assets from a set of more than 400 main premises, identifying their major threats and vulnerabilities, and writing down their emergency response procedures were some of them.

With coordination by EDP Distribuição's Business Continuity Department, an integrated view of the organization was possible, enabling critical infrastructure to be addressed from the perspectives of personal safety, facility security and information security, and involving several departments, from operational ones (Maintenance and Dispatch) to support departments (Automation & Remote Control, Information Systems, Health and Safety).

The key points and key learning points we plan to cover in our presentation are:
  • Identification of major threats, vulnerabilities and cross-business risks for each NCI typology;
  • Development of a risk assessment methodology covering safety and security aspects;
  • Application to each of the distinct vectors: people, facilities, systems and communications;
  • Definition of emergency response procedures and a supporting chain of command enabling effective risk mitigation;
  • Upgrading the organization's resilience through the implementation of this PDCA process.
Maria Luisa Pestana will be discussing business continuity importance to an integrated view when assessing critical infrastructures on day one of the BCI World Conference and Exhibition on Wednesday 5th November. You will find her in seminar room 2 starting at 13.10.

Friday, 31 October 2014

Resource-based contingency planning – an alternative approach to ISO22301 certification

Business continuity is, especially in the Anglo-American world, not that much of a new concept. Not being new also means that it is probably due to be redesigned. Since the inception of Business Continuity Management in the late 80s and early 90s of the last century, the world has changed quite a bit. The main concepts, procedures and processes of BCM, however, have not changed that much in the past 25 or so years. We are still talking PDCA, we are still talking process-based business impact analysis, we are still trying to do the work of risk managers, with our task in the fields of operational and reputational risk. We still have the BCM Lifecycle.

Those who are practitioners in the profession may already have realized that the theoretical strategies and tactics outlined by the BCM Lifecycle approach may not always meet the needs and possibilities of an organization seeking to implement BCM. The business impact analysis, for instance, needs processes, since it aims to operationalize the damage caused by a failed process. But which organization has a complete and operationalized process document that allows it simply to sum up losses and damages along process chains? And how can the BCM organization define the so-called BCM strategies when it hasn't even asked the business what it thinks it needs as workarounds to cover a resource that was lost or damaged in some crisis situation?

Here we already have the word this presentation is about: resources. What I call resource-based contingency planning is actually not just contingency planning but part of a new approach to business continuity, which offers an alternative to the BCM Lifecycle. In the first part of the presentation I will briefly introduce this system, which covers everything the BCM Lifecycle demands, but in a quite different sequence and partly with completely different methods and tools, and which addresses all controls of the ISO22301 standard.

In the few minutes I have for the presentation, I cannot go through the complete methodology of what I call resource-based business continuity. I will only show a core part of it: one of the 15 deliverables and work objects of a business continuity management system, the business continuity plan, probably the most important of the five plan types that need to be created for a complete BCMS (the others being the disaster recovery plans, the emergency and rescue plans, the crisis communication plan and the crisis management plan).

The most astonishing part of these BCPs may be that a risk assessment is included in the plan itself. The risk assessment, a core element of the ISO22301 requirements, is no longer a work package of its own but an integral part of contingency planning. The reasons for this, and why it makes much more sense than emulating the work of a risk manager prior to actually planning for catastrophes, will be given in my presentation. The same, by the way, is true for the identification of critical suppliers and clients, which is also done in the course of discussing and deciding on a workaround for the loss of a critical resource.

However, the title of my presentation contains the most important difference between the BCM Lifecycle approach to business continuity and what I am doing. Where the lifecycle's object and basis for action and contingency planning is the business process, in my world it is the resource. One does not need documented and operationalized business processes to implement a BCMS, only knowledge of what resources an organization has. And, unlike processes, this information is most often readily available and, if not, can be created without much work.

With the presentation, I will provide a view into a core part of an alternative approach to ISO22301 certification, which delivers some novel ideas on how to structure a contingency plan, how to identify critical clients and suppliers, and how to identify and assess operational risks. And if you pay attention, you might get an idea of why this approach to implementing business continuity allows an organization to apply for certification as early as six months after the start of the project, and why it reduces the cost of BCM by between 50% and 80%.

Rainer Hubert will be discussing ISO22301 further on day two of the BCI World Conference and Exhibition on Thursday 6th November. You will find him in seminar room 1 starting at 13.10.

Thursday, 30 October 2014

Becoming certified to ISO22301 - what NOT to do! (Why auditors get grumpy!)

Tip number 1: The lack of a regular supply of good quality biscuits is the first non-conformity!

I am looking forward to my presentation at 13:10 on November 6th in seminar room 2 of the free exhibition part of this year's BCI World Conference and Exhibition. I realise that there are many BC practitioners who, although practised in the creation and maintenance of a Business Continuity Management System (BCMS), have yet to seek certification to a standard. Additionally, I recognise that others may only have assisted in achieving certification, and that even those who are certified constantly struggle with a stream of nonconformities found by external auditors which, if left unresolved, threaten the organisation's certification.

During the past three years I have been working as an externally contracted assessor and 'Technical Specialist' with one of the top assessment organisations in the world which, via audit, assesses companies for the suitability of their BCMS for certification, initially to the BS25999:2006 standard and subsequently to its replacement, ISO22301:2012. Over this time I have been fortunate to audit the BCMS of around 100 companies through pre-assessments, Stage 1, Stage 2 and Continuous Assessment Visits (CAVs).

Fellow practitioners sometimes ask me if I get bored with assessing to the same standard day after day. Fortunately this is not a problem: although the standard is the same, no two BCMSs are alike, and understanding the multiple ways of constructing a BCMS compliant with the standard has been fascinating. It provides me with continuous opportunities for my own personal development, sometimes by observing good practice but, unfortunately, all too often from seeing practices which fail to meet the basic requirements.

I should make it clear, and this may surprise those who know me, that I am a big supporter of the 22301 standard. It is by no means the perfect standard, if indeed such a thing could ever be achieved. However, I am someone who began in this business when training courses, good practice guides and the words "Business Continuity Management System" were things of the future and, to be frank, "making it up as we went along" was the name of the game. As a result, it is in my view great to have a common structure around which to create a Business Continuity Management System. Now, of course, we need to improve it.

So what will I be presenting? Will it be the secret formula that all Business Continuity practitioners seek in order to create the perfect BCMS? Will it be the best way to soothe the ego of your auditor to the point where they are purring over your perfect creation? There is only one way to find out: be there, and bring a biscuit or two.

Colin Ive has been a Member of the Business Continuity Institute since 2001 and is a qualified Lead Auditor for ISO9001, ISO22301 & ISO28000. He is a regular presenter at European & USA Business Continuity and Business Resilience Conferences and a contributing author to both the ‘BCI Good Practice Guide for Business Continuity Planning’ and the acclaimed ‘Business Continuity for Dummies’, in addition to numerous articles.

Colin will be discussing ISO22301 further on day two of the BCI World Conference and Exhibition on Thursday 6th November. You will find him in seminar room 2 starting at 13.10.

Wednesday, 29 October 2014

Developing simple recovery plans for key processes

If a major incident affected your business tomorrow, which processes, machinery or even suppliers would be really hard to replace quickly? The really awkward ones: the unique machinery or equipment for which perhaps there isn't really a plan at all, let alone a plan that gets you back within an acceptable recovery time.

Spotting the problems is relatively easy, particularly when you get into manufacturing or supply chain businesses. The challenge for Business Continuity Managers is to do something about them and develop practical, simple recovery plans – even for the hard stuff.

I lead Business Continuity Management at Rolls-Royce Plc, where we have several key manufacturing processes that are both important and challenging to recover quickly.

Over the last year, we have developed a simple but effective approach to business recovery planning for these processes and it fits in just two pages.

This approach has helped the business to understand the risk, recover more efficiently and to prioritise capital investment decisions.

At the 2014 BCI World Conference and Exhibition, I’ll be showing you how this works along with providing practical hints and tips so that you can make it work in your business too.

James Stevenson will be discussing this issue further on day one of the BCI World Conference and Exhibition on Wednesday 5th November. You will find him in seminar room 2 starting at

Tuesday, 28 October 2014

A case study of the integration of ERM and BCM as an independent function

At the 2014 BCI World Conference and Exhibition, participants will have an opportunity to listen to a real case study of the integration of Enterprise Risk Management (ERM) and Business Continuity Management (BCM) as an independent function. This is an innovative role at the forefront of the ERM and BCM profession.

In my presentation, I will show how the traditional reporting structure and work functions of ERM and BCM in an organisation are usually separate from each other. The ERM and BCM functions are typically part of the executive management team, and the heads of ERM and BCM report to executives such as the CEO or the CFO.

I will share with you a real-life case in Malaysia where the ERM and BCM functions are integrated as a 'single' function and act as an 'independent' unit, assuming roles and responsibilities similar to those of Internal Audit, separate from Management. The integrated ERM and BCM independent function reports functionally to the Board of Directors via the Board Audit Committee and administratively to the CEO.

The integrated ERM and BCM function will serve as the foundation for a well-governed and well-managed organisation that is built on a solid, resilient foundation of BCM and supported by the three pillars of Corporate Governance: Governance, Risk and Compliance.

In order to ensure the effectiveness of an integrated ERM and BCM independent function in an organisation, the following prerequisite criteria must be established:
  1. An integrated ERM and BCM Charter clearly stating the independence, authority, position, roles and responsibilities of the ERM and BCM function
  2. Unbiased support from the Board of Directors and the CEO for the independent roles and responsibilities of the integrated ERM and BCM function. The Board of Directors, via the Board Audit Committee, is responsible for the oversight of the work of the integrated ERM and BCM function and for the performance and oversight of the Head of the integrated ERM and BCM function, and ensures that it has sufficient resources of adequate quality to fulfil its roles
  3. The appointment of the Head of the integrated ERM and BCM function must be approved by the Board of Directors. The Chair of the Board Audit Committee is consulted before the appointment of the Head of the integrated ERM and BCM function or the termination of his/her employment, and conducts entry and exit interviews with that person
  4. The Head of the integrated ERM and BCM function and the supporting staff should possess strong knowledge of both the ERM and BCM disciplines
  5. Management must understand its role as risk owner and BCM process owner, and these roles must be clearly communicated and supported by Management
I will also share with you the benefits of an integrated ERM and BCM independent function and some of the limitations that you may face if you implement such a function in your organisation.

In conclusion, I will share the key takeaways and lessons learnt from the Malaysian experience that can be adapted to your organisation, since there is no 'one-size-fits-all' integrated ERM and BCM function. The ultimate goal of the integration is to achieve synergy between the two functions as a single independent function that contributes towards a well-governed and well-managed organisation.

Chong Chen Voon is currently the Managing Director of GRC Consulting Services and an Executive Director of EJF Group, a group of consulting firms providing Consulting, Advisory and Training services.

Chong will be discussing 'the integration of ERM and BCM as an independent function' on day one of the BCI World Conference on Wednesday 5th November. You will find him in seminar room 3 starting at 13:10.