Friday, 24 October 2014

Business continuity and information security – a good fit?

During my interaction with senior management as a business continuity/information security consultant, especially amongst IT-centric organisations, I am invariably asked a question: "We come across too many ISO standards which have common themes. In your opinion, which are some of the Standards that come very close, especially from an implementation perspective?"

As you can see, this is a very loaded question from senior management, who are typically fed up with too many rules, regulations and standards trying to govern their lives. Also, whilst they want to adhere to all applicable regulations and standards, they want some optimisation of their implementation costs.

My typical answer to this is as follows: "If your emphasis is on service management, please combine ISO 9001:2008 and ISO 20000:2011. In fact, implement only one standard and ignore the other. If your emphasis is on information security and business continuity, please combine the ISO 27001:2013 (ISMS) and ISO 22301:2012 (BCMS) implementations."

From a historical perspective, both ISO 27001 and ISO 22301 emerged from British Standards and share something of a common past. Leaving that aside, information security, as the pundits drum into us, is all about confidentiality, integrity and availability of information. Business continuity, on the other hand, is about availability (of information or of the business) in case of a disaster. In companies where information is the business, these two standards merge quite well.

All this, however, has to start with the scope of the ISMS/BCMS. What is the context of the organisation that is planning to implement the BCMS/ISMS, and does the context match in both cases? If the context matches we have a winner, and we can choose to implement both management systems together with a common project plan/team. Typically, BCMS and ISMS (at least in mature organisations) come under the 'Risk Department' organisationally. If this is not the case, it would be worthwhile to make organisational changes before commencing implementation of the BCMS/ISMS.

In my address at the BCI World Conference and Exhibition, I will be looking at this from a practical perspective to explain how we can implement BCMS and ISMS together, along with the common features of both standards.

So ... happy interactions!

Ramesh Ramani will be discussing 'Business continuity and information security – a good fit?' on day one of the BCI World Conference and Exhibition on Wednesday 5th November. You will find him in seminar room 3 starting at 9.20.

Wednesday, 22 October 2014

Genoa: The city where maths kills people

On October 9th, 2014 - with HI CARE Association and PANTA RAY - the BCI Italian Forum was launched, the first Business Continuity Institute affiliated network in Italy for business continuity professionals. In a conference held in Milan, I had the chance to point out how weak the culture around this topic still is in our country, and how important it is to pursue a radical change in mentality and in the approach to crisis management.

There was no need for the umpteenth flood in Genoa to confirm how urgent the need for change is. But unfortunately, just a few nights before our forum, the Bisagno river overflowed its embankments, killing one person (in 2011 there were 6 victims). The city woke up to a widespread blackout, Enel declared that over 2,000 customers had no power, schools and universities were closed, several blocks were flooded, and the economic and infrastructural damage was significant (circa €200 million of public expenses and approximately €100 million of private damage to companies and shops).

A scene we are used to, and unfortunately not only in Genoa. But there is a piece of good news: we have finally found the guilty party: maths! The President of the Liguria Region, Burlando, declared: “It is the first time that mathematical models are wrong.” He must have missed all the financial slumps in the history of the world. “The phenomenon that was registered yesterday has never happened before and our weather forecasting models could not anticipate it. The model is still valid though; until now it has always predicted the weather, so that we never made mistakes related to severe crises.” Good to know.

I think we can list thousands of reasons that led to the umpteenth tragedy: bureaucracy, soil consumption (which in Italy is twice the European average), the lack of resources, the typical Italian mentality that is anything but focused on prevention and planning, etc. All valid considerations that highlight the need for careful reflection. But, maths?

I really do not want to single out President Burlando, but I do have to highlight these statements because they reveal a problem that I face quite often as a business continuity and crisis management consultant, with both public entities and private companies. Here is the deal: business continuity is often confused with risk management, a discipline that – by definition – is based on probability calculation and therefore on mathematical models. This is a problem, since business continuity is meant to ensure an organization's resilience regardless of the probability of occurrence of a potential disruption. Business continuity is applied to the so-called 'residual risk', the part of the risk which is not manageable or computable. Outcome: when mathematical models fail and no business continuity practices are embedded in the organization, disasters happen!

Risk management (and maths, of course) is a fundamental discipline, just as weather forecasting is fundamental. But thinking that they never fail is crazy, and doing nothing but rely on mathematical models is criminal. It has to be said clearly, because people die and companies fail. The Ferraris Stadium in Genoa is right next to the Bisagno river. What if the 'maths models' fail again on a football match day, when the area is full of thousands of supporters?

Earlier this year, we held a conference at the Chamber of Deputies with Joseph Bruno - Commissioner of the New York City Office of Emergency Management - as the guest speaker. We discussed these topics and presented the crisis management model of the City of New York to politicians and the most senior members of institutional entities. Now we have launched this BCI Italian Forum, which is completely free and aims to bring together the most important competencies on the subject to create a network in Italy as well. I want to stress a concept I already mentioned during my speech at the conference in Milan: there are no excuses anymore! Each of us needs to accept his/her own responsibilities and act to raise awareness of prevention and preparedness in this country. Otherwise, to find the guilty party you just need to look in the mirror.

Alberto Mattia is Managing Director at Panta Ray, a management consulting company specialized in business continuity and crisis management, and Secretary-General at HI CARE Association, a non-profit organization dealing with territorial security projects in Italy. A graduate in Economics and Finance from the Università Bocconi in Milan - Italy, Alberto started his career in the US at BT Radianz and then JPMorgan Chase Bank. He then worked as a Project Manager at Centrobanca and as a Risk Manager at UniCredit Group.

Monday, 20 October 2014

Business continuity vs risk management

According to ISO 22301, business continuity is defined as the capability of an organisation to continue the delivery of its products or services at acceptable predefined levels following a disruptive incident.

Risk management on the other hand is the systematic process of understanding, evaluating and addressing the risks that an organisation faces in order to mitigate against them.

So that all sounds quite clear. The former is more concerned with the management of a disruptive incident after the event, and so deals with the consequences, while the latter focuses on management prior to any incident taking place, and so deals with the threats. Two very distinct disciplines, aren’t they?

If you go back to the basics however, risk management assesses the likelihood of an incident occurring and the impact that it would have on the organisation. If one of the aims of risk management is to mitigate against the impact of an incident, then isn’t this moving into business continuity territory? Doesn't this mean that business continuity is just a function of risk management?

This is the issue that is up for discussion on day two of the BCI World Conference and Exhibition on the 6th November. Panel members from a wide variety of organisations on both sides of the debate will clash as they discuss the motion ‘business continuity can only ever be subservient to risk management’. Don’t miss out on this opportunity, book your place at the conference and join the debate.

Friday, 17 October 2014

Deriving X factors to support your BCM programme

Obtaining management commitment for resources and funding for BCM programme implementation and sustainability is always a prime challenge for most of our fellow professionals. We are continuously struggling to select the most effective approach to secure a dynamic business continuity programme.

Many times in our careers we have inevitably presented a PowerPoint slide of standard statistics pulled from Google to our management, using our best persuasive techniques to try to convince them to allocate the necessary funding to set the programme in motion.

Most of us use facts and figures as an inspiring method of persuasion. In this case, it can prove to be a downfall: arming yourself with general information and scare tactics may overwhelm management and provoke the common reason that many businesses are without a business continuity plan: “It will never happen to me”.

Across-the-board examples and generalizations are vulnerable to being inapplicable or unconfirmed, which completely contradicts what we are striving for in trying to integrate business continuity within our organisations in the first place. So, the number one way to make your management team not only aware of the risks you seek to diminish, but also to gain their commitment for your business continuity programme, is to outline the specific threats to your specific business. An evident reason for management to commit to a business continuity proposal is risk vs cost. If the risk far outweighs the cost, we are likely to be successful in securing funding for solutions that mitigate that risk.

In my presentation I shall present a practical model case of an organization and the journey of its BCM Manager, who secured management commitment by identifying the organisation's own 'X' factors, derived from information within the organisation. These factors are the basis for any legitimate business continuity programme and were mainly driven from the following areas:
  • Regulatory
  • Legal
  • Revenues
  • Shares Price
  • Productivity
  • Brand – Marketing
  • Customer – Opportunity
  • Insurance
  • Operational
I will give the delegates a proven approach to understanding the current risks and their impact on the business in terms of financial loss, and how this can be presented to convince management and secure their commitment.
  • Delegates will learn how to identify the monetary loss of various impacts and the financial loss implications of not having the right BCM arrangements
  • They will get a practical understanding of how to use these factors to support their BCM programme
  • They shall get an understanding of how information available within the organisation can support their case
  • This model case can be applied to any type of organisation or sector
Nisar Khan has a 14-year professional career, with 11 years of experience in managing Corporate Business Continuity programmes in the public and private sectors. Previously he served as a BC/DR Manager for a consultancy firm, delivering end-to-end BCM programmes and training to leading companies. He is a dedicated ambassador of the discipline and has earned the following recognitions:
  • Highly Commended at the BCI Global Awards 2013 as ‘BCM Manager of the Year’
  • Winner of the BCI Middle East Awards 2013 as ‘BCM Personality of the Year’
  • Winner of the first BCI Middle East Awards 2012 as ‘BCM Manager of the Year’
  • Winner of the BCI Asia Awards 2012 as ‘BCM of the Year’
  • Highly Commended at the BCI Global Awards 2012 as ‘BCM Manager of the Year’
Nisar will be discussing 'Deriving X factors to support your BCM program' on day one of the BCI World Conference on Wednesday 5th November. You will find him in seminar room 3 starting at 15:10.

Thursday, 16 October 2014

Design and implementation of a business continuity management programme

The BCI World Conference and Exhibition is split into three streams - listen, learn and lead - and the idea behind the middle of these streams is to enable delegates to explore the full BCM Lifecycle training experience.

I will be doing this by presenting a selection of the material used in the Business Continuity Institute’s five day BCM course, highlighting the main elements of the process, and exploring some of the issues that need to be understood in the Design and Implementation stages of the process. The exploration will be through discussion and debate, into which I will bring the knowledge and experience that I have obtained over many years of both teaching and practising BCM in a wide variety of types of organisation.

In the Design session we will be exploring two issues which, in my experience, most people struggle with both in learning the theory of BCM and in practice when applying the theory to their own organisation:
  • How close should the Recovery Time Objective be to the Maximum Tolerable Period of Disruption?
  • What is a safe separation distance for recovery sites, alternative facilities, and backups?
In the Implementation session we will be exploring three issues, which although they are simpler than the two Design issues, still give rise to considerable debate:
  • What is a Business Continuity Plan (BCP)?
  • What are the common elements of all plans at all levels?
  • What resources do you think are needed for a response team meeting room, and how do you think that space should be best utilised?
In each session I will take the delegates quickly through the main steps of the BCM process as they are taught in the BCI’s five day BCM course, pointing out some of the more important concepts and techniques that need to be learnt, and then, at the appropriate point, raise the issues that I have decided to explore. I will be asking the delegates for their views, encouraging debate on what the most appropriate solutions appear to be, and attempting to bring the discussion to a conclusion through explaining what the BCI’s Good Practice Guidelines (the GPG) recommends.

By attending the two sessions that I am presenting, you will get not only a flavour of what you’d learn on the BCI’s five day BCM course, but you will also get the opportunity to explore some of the Design and Implementation issues that you will need to know how to tackle if you are to help your organisation to successfully implement an effective BCM programme. It will also give you an opportunity to take part in a discussion and debate on some of the Design and Implementation issues that even experienced BCM professionals have difficulty with.

Mel Gosling MBCI has been an instructor for Continuity Shop on the BCI’s five day BCM course ever since it was first launched in 2008, when it was based on the 2008 version of the GPG, and has contributed to developing both the course and the GPG through the 2010 and 2013 versions. Throughout the past six years he has helped over 200 students achieve certification through passing the BCI’s exam, and has learnt how best to present the extensive and concentrated material in the GPG to enable students to both learn and understand the BCM process. Attending these two sessions will give you an insight into how Continuity Shop presents this course, and a taste of some of the issues that you will encounter.

Mel will be discussing design and implementation within the 'Learn' stream at the BCI World Conference on Thursday 6th November, starting at 10:30.