Monday, 24 December 2012

Planning for major events

Donna Monkhouse, Your BC Eye
2012 will always be synonymous with the UK staging one of the most successful ever Olympic and Paralympic Games.   Its success has become part of Britain’s legacy.  But despite the strong positivity that surrounds the smooth operation of the Games, on the planning front, there were many that complained about a state of over-preparedness, declaring that too much time and effort had been squandered on unnecessary planning. 
 
Wide-spread traffic chaos, business disruptions, terrorist attacks and a grid-locked London were all predicted, but never actually occured.   So perhaps the question we need to be asking is not whether we did too much planning, but whether the quantity and quality of the planning undertaken helped to minimise any disruptions and whether without it, we would have experienced more chaos, more incidents and a less successful hosting of this major event

Wednesday, 12 December 2012

10 tips to avoid tipsy digital disasters at office parties

A few too many drinks at the office Christmas party could cost you more than your dignity!
 
In a digital age many of us won’t leave our work behind when we head for the bar for a festive tipple. Smart phones, iPads and laptops are likely to contain our work contacts at the very least and, in some cases, may store even more confidential information.
 
Making a fool of yourself on the dance floor will be the least of your worries if your phone or laptop is lost or stolen. Data falling into wrong hands could cost you your job; your employer their reputation or even, in the worst case scenario, their business.
 
Here are my 10 seasonal security tips:
 
1.    Phones, laptops and tablets all come with the facility to set a password – so use it.
 
2.    Twitter and alcohol don’t mix. Your Tweets may seem witty after a few glasses, but you may embarrass or even offend.
 
3.    You may be keen to share photos of your festive fun on Facebook but colleagues who over indulged won’t thank you.
 
4.    Lock your laptop in the office rather than take it out with you.
 
5.    Empty pockets and handbags of USB sticks and take them off your keyring.  Lock them safely in a drawer.
 
6.    If you’re an employer consider the timing of your office party. Will staff work productively, and securely, with a hangover?
 
7.    Is your office party being held in the office?  If so, remind your employees about the need to clear desks, lock down computers and screens.
 
8.    As an employer, introduce a clear desk concept and stick to it all year round.  That way no one leaves confidential information or data lying around ….ever.
 
9.    Don’t be tempted to access company data on the free wifi available at your Christmas party venue.
 
10.  Finally, if you’re a boss don’t leave IT and social media security until the festive season.   Build cyber security and awareness into your culture and have policies in place, including guidance on social media use.  
 
Alan Cook, Director, the Agenci, specialists in information security and business continuity
 
 
 

How lessons from Skyfall can prevent businesses plunging into IT freefall

The new James Bond film Skyfall parachutes 007 into a chilling cyberspace of computer hacking and cyber terrorism in which malicious software – known as malware which infects and damages computers – is more dangerous than exploding pens.      
 
In true Bond style the battle of good versus evil submerges audiences into an explosion of special effects where fantasy villains such as Jaws, Blofeld and Oddjob are replaced by the hero’s more chilling nemesis Raoul Silva - a former agent turned vengeful computer hacker. 
 
As Gary Hibberd, director at The Agenci which specialises in information security and business continuity for small and medium sized enterprises, explains, Silva’s dastardly mission of cyber destruction mirrors the harsh reality of the off-screen bad guys who can eradicate micro business and corporations - leaving a trail of devastation in their wake.       
 
The real threat of cyber crime and the vulnerability of organisations is nowhere more apparent than when the youthful MI6 boffin Q tells Bond: “I can do more damage on my laptop in my pyjamas than you can do in a year in the field.” Such a warning reinforces the unprecedented importance of implementing robust security processes.
 
We only have to swap the cinema screen for the TV screen to see and hear big name brands reporting serious breaches of customer data. The repercussions can be catastrophic and include financial loss, incurring substantial fines for breaching legislation – and even irreparable damage to their reputation. 
 
In a more understated way than the flamboyant Bond, The Agenci helps companies to ‘beat the baddies’ and prevent information from falling into the wrong hands by supporting wide-ranging sectors to boost their processes and feel more secure when running their businesses. 
 
Gary Hibberd explains: “Irrespective of the size or sector in which your enterprise operates, it’s crucial to protect yourself against the bad guys. Time and again we find that companies leave themselves open for attack when a few simple steps could save much cost and heartache.” 
 
Here are five top tips to getting the fundamentals right:
 
1. Install Antivirus Software
 
The simplest forms of defence are surprisingly often overlooked. Antivirus stops people employing bad code on your computer and infecting it with a virus.  If you connect an unprotected computer to the internet it can be infected with a virus within 20 seconds!
 
Check your computer to ensure that you have software installed and ensure that it is kept up to date.
 
2. One User One I.D.
 
Ensuring that each employee has a unique user name and password can go a long way to protect your business assets. Following this process is helpful if you need to track an incident to find out who did what and when. 
 
3. Set up a Firewall
 
A little more technical but critical because it essentially operates like a locked front door and only allows those people to whom you want to give access to be able to get in. You wouldn’t leave your front door open to criminals – why would you leave your business open to computer hackers? 
 
4. Establish a Policy
 
Your employees can only be expected to follow the rules and guidelines if you have communicated to them exactly what they are. Compile a Computer Usage Policy which educates your employees and partners and spells out clearly what staff can and can’t do on a business computer.
 
5. Draw up Contracts
 
From customers to suppliers, it is essential that you have contracts setting out the provisions for the management and protection of company assets such as information, levels of controls, service levels expected - and a right to audit.
 
In the adage that prevention is better than cure, these simple steps will enable you to savour the Skyfall experience without worrying that fiction could turn into reality.
 The Agenci - A specialist in information security and business continuity.

Black Swans – something for senior managers to hide behind or to action?

Lyndon Bird FBCI
Some business continuity practitioners have argued that Risk Management techniques provide a tried and tested approach to dealing with conventional threats, but have limited effectiveness in identifying or evaluating rare but potentially catastrophic issues.  
 
There has even been a host of terms that have entered our common lexicon simply to try and define these types of high impact situations.  The former US Defence Secretary Donald Rumsfeld was much satirised when he talked about “known, unknowns” and “unknown, unknowns” etc. but it is proving to be a useful way of distinguishing types of threat.   
 
The idea of “Black Swans” to define things that are outside of personal experience, and therefore missed when trying to register potential risks has also been much debated.  Many have treated “Black Swans” as if they are the same as “unknown, unknowns”, but in most circumstances they are more akin to “unknown, knowns”  - perhaps unknown to key decision makers but certainly not unknown to everyone.  
 
For example the volcano ash cloud which closed European airspace is often called a “Black Swan” event – but every aspect of that drama was well-known by some people - the volcano might erupt (meteorologists); there is a level of ash that airplanes were not allowed to fly through (aviation authorities); and there is a relatively high tolerance to ash levels in more recently designed jet engines (aerospace engineers).  So the problem was less to do with lack of knowledge but the failure to share and assimilate the significance of that knowledge.
 
This is at the heart of the debates we have about apparent failures of risk management; the Libor rate scandal; the sub-prime mortgage crisis that bankrupted many banks; the collapse of the once impregnable Arthur Anderson global business empire.  All came as a great shock at the time, not only to outsiders, but apparently also to the Board and C-Suite executives of the organizations concerned.  
 
Lack of available knowledge was not the problem; lack of knowledge by those who had the power to stop dangerous things happening was.  Claiming such things as “Black Swans” helps deflect blame on the premise that “how can we have done anything about it if it was an inconceivable incident?” This excuse might work if a meteorite hits the earth, but not if we simply have failed to look at signs, talk to people who know what is happening and adjusted our behaviour accordingly.
 
I wonder if there is now a risk that we are headed towards another problem which is not being properly confronted at the right level. The Business Continuity Institute and the Chartered Institute of Purchasing and Supply conduct an annual survey into how well Business Continuity is being handled within the Supply Chain.  As a basic question, we collect data about the main causes of operational disruptions across the world.  One item has been steadily rising up the list until today this year it finished 3rd – after the perennial top-two of Adverse Weather and IT/Telecoms failure.  That factor is “failure or serious disruption to services provided by an outsourcer”.  In the world of globalization, low cost manufacturing and just-in-time delivery, we have treated outsourcing (and its close cousin off-shoring) as self-evidently good things.  It allows management to concentrate on core business; it manages external costs better through competitive bidding processes and it buys in a higher level of specialist expertise than might be affordable in-house.
 
The problem is that some of this accepted wisdom is being questioned by supply chain and BCM professionals in organizations, but this message is not being heard by those who could change it.  
 
As the global economy continues to stagnate, more and more pressure is placed on cost-saving and often this leads to excessive price pressure on those organizations bidding to gain or even retain their accounts.  It also leads to more single source suppliers in return for lower prices and service provision from more geographically, politically and culturally unstable regions.  This seems to be a trade-off between cost and reliability, and some feel the balance has gone too far with significantly more disruptions ensuing - which are then causing higher levels of dissatisfied customers and eventual loss of business.  
 
There is always a need to make a judgment and a sensible balance between “no risk at any costs” and “any risk at lowest cost” has to be taken – but for those who favour the higher risk end of that scale do they really know what consequences they might be facing.  Is this perhaps another “unknown, known” that top management might try to pass of as a “black swan” if all goes wrong?
 

Wednesday, 5 December 2012

Preparing for the worst, whatever the weather


Deborah Higgins MBCI

Set against the background of the recent severe flooding that was affected or at least threatened to affect large areas of the UK, putting both business and homes at risk, there is no better time than now for businesses to think about how prepared they are to deal with such disruptions and to take the first steps towards preparing for the worst.

But how do we prepare?
 
Business continuity is all about having the capability to cope with disruptions no matter what they are.  So when there is calm before a storm, it is important that businesses take the time to develop and implement comprehensive business continuity arrangements to provide confidence in an organization’s resilience and ability to survive whatever the incident or weather. 
What do businesses need to do?
  • Understand what risks the business is vulnerable to – for example, are premises or assets at risk of flooding? Do all staff live locally and will they be impacted by the same event? Would the ability to communicate with staff, customers and suppliers be affected?
  • Determine the most urgent business activities – which activities must be continued in order to stay in business? Which activities could be temporarily put on hold and for how long?
  • Understand the impact of any disruption to the most urgent business activities – what could happen if these activities were lost or disrupted? 
  • Identify key suppliers for the urgent activities – which suppliers are critical to the delivery of key products and services? How might they be impacted by a disruption?
  • Understand the business impact of a supply chain disruption or supply failure - for example, even if the business is not directly impacted by the flooding, a supplier may be, so having an alternative arrangement in place (where possible) will minimise disruption to the ability to carry on delivering products and services.
  • Consider what alternative arrangements could be put in place to enable the business to carry on operating.
  • Make sure a well-rehearsed incident response plan is in place as part of business continuity arrangements.
There are good examples in the news today of a business whose competitor assisted them with continuing to make a product after their premises were disrupted by a fire. Another business owner who was severely affected by the riots in London utilised an arrangement with a neighbouring premise that was not affected and has now seen massive growth in his business as a result.  
Taking time to consider the potential impacts and making alternative arrangements in advance makes good business sense.
Business continuity is a way to help businesses become more resilient to the increasing number of risks and threats they are facing. Good business continuity practice means businesses will know ahead of time, what threats there are to their organisation and what the impacts of these could be. Even when we cannot predict the exact scope of a problem, we can at least plan to resume key activities in the speediest and most cost-effective manner.
So no matter what is predicted or what comes to bite us, we can be assured that we know what we will do when the time comes by adopting good business continuity practice.  
 

Tuesday, 4 December 2012

How to ride the peaks and flatten the troughs of executive engagement

Lee Glendon CBCI
If your experience of engaging senior and executive management feels like a constant struggle to sustain momentum or defend investment, then you should take 15 minutes to look at the C-Suite EngagementToolkit that has just been launched by the BCI.
In 2011, the BCI published its report on members’ experience of board-level engagement, and some of the comments are reprised here:
  • The board has implemented a corporate BC plan after a study from consultants but the momentum isn’t there any more
  • No sustained interest shown, despite a variety of constructive efforts
  • The board has received papers on BCM at its last two meetings but the time and discussion were limited. 
  • BC resourcing is under increasing pressure in all areas of the company
  • There was great interest in 2006 but less since the auditors’ requirements were met
  • We are still working on board buy-in
  • Some projects were approved by the board but I do not have access to what is discussed on BCM
  • The interest in BCM goes in peaks and troughs dependent on what current risks are high profile e.g. severe weather, volcanic ash, pandemic flu, IT failure
It’s important to counter-balance these comments with a different experience enjoyed by others:
  • The board has an understanding of what BCM has to offer the organization and is now beginning to understand that it protects the organization’s assets and reputation during an incident or crisis
  • BCM is an advisor in many decisions, adding to the information available to senior management to support informed decisions regarding risk, resilience and continuity
  • Business Continuity is playing an ever increasing role within the procurement process and this is changing the way the tender process is approached
  • Our senior management team is very supportive and committed, if it is presented and implemented well
C-Suite Toolkit
The toolkit was developed to help address this disparity of experience by trying to understand what can be done to build and sustain engagement.  In short, if you want to have more of the latter experiences than the former, then it is worth thinking about developing a structured approach to executive engagement. 
Even if you do not have an incident, near miss, or industry peer that has suffered from a crisis, your organization will have key projects and programmes with related risks and key performance indicators.  These risks and indicators are likely to be assigned to key executives.  One of the key benefits of business continuity, as expressed by BCI members, is its value in better understanding critical processes and vulnerabilities, valuable information for decision makers, so it is important to be clear on this area of value add.
So how does the toolkit help?
The development of the C-Suite Engagement Toolkit has been practitioner-led from the start.  It is not an academic paper on the importance of engaging executives – anyone running a business continuity programme already recognises this requirement– this toolkit sets out a framework for achieving sustained board and senior management engagement by drawing upon insights and expertise from disciplines such as sales, third party research into executive interests, and the world of psychology and soft skills.
The first part of the toolkit contains profiles on common C-Suite, or senior management roles from Chief Executive Officers to Chief Financial Officers and their equivalents in IT, Marketing, Operations, HR and many more.  These profiles include suggestions on areas of their interest where business continuity has a contribution to make.  Naturally, exercising is a proven way of engaging executives, so ideas for shaping the exercise to fit the interests of the C-Suite executive are provided as well.
The second part of the toolkit asks you to think more closely about your existing programme and the information it delivers and how this can provide the facts and evidence to build a compelling story to support engagement with executives based around the interests identified in the first part of the toolkit. 
The third part of the toolkit takes the facts from the second part and the broad understanding of functional interests from the first and asks whether this is sufficient for successful and repeatable engagement.   Through a series of videos, you are taken into a scenario where it becomes evident that a key element is still missing.  This element is sometimes called soft skills, other terms may include building rapport, or simply communicating effectively.  Through the scenario, you are introduced to the value of understanding personality types, and how soft skills such as speed reading can improve the likelihood of success.  In other words, all three elements of the toolkit need to be understood and applied if we are to expect more consistent results from engagement with executives.
In addition to the videos and information provided on the website, worksheets are provided for each section of the toolkit, to help plan your own engagement approach.  Links are also provided to third party and BCI resources.  For those who are keen to develop their understanding of different personality types, including their own, reference is made to available models.  And for those looking to revamp their executive-level communication skills, a master class training course has been specifically designed to support you.
So now over to you!  Let us know what you think of the toolkit, please try some of the ideas and let us have your feedback (research@thebci.org). 
 

Tuesday, 13 November 2012

So you think you can audit a Business Continuity programme?

Lyndon Bird FBCI
As Business Continuity has grown in significance, so has the desire to measure it effectiveness. Hence the internal audit function, who believe themselves to be the “eyes and ears” of the Board, have an increasingly important role to play.  To do this, however, they need to understand the process they are auditing and the rationale for the decisions that they might be evaluating.  This is not easy.
 
Although Business Continuity is in many ways relatively straightforward, it is not really a technical or scientific discipline compared with Security or Quality.  Auditors need fixed points of reference for comparisons.  Standards (in various guises) provide them with a route map to follow.  This allows them to check process but not really effectiveness of the programme.  For example, it is easy to check the number of employees who have been through a BCM induction, but much more difficult to determine if this has had any impact upon corporate resilience.
 
This has often caused full-time BC practitioners to claim that they alone can properly audit a BC plan or programme.   There might be some justification for this.  An ISO inspector could successfully audit a hospital for its compliance against pre-agreed hygiene standards, but would not be credible at determining a surgeon’s technical competence at performing a difficult operation.
 
However few BC practitioners have the formal audit skills that colleagues in internal audit possess. Many consultants try to gain these skills by undertaking various audit training courses, but often find the concentration on process and compliance frustrating.  
 
To be successful in auditing a Business Continuity programme, both professional knowledge of BCM and appropriate audit skills are required.  The goal of a BCM programme is to protect the organization, to ensure adequate levels of resilience exist to withstand the consequences of disruptions and to ensure that there is company wide-scale BCM awareness and operational consistency.
 
To continue with the medical analogy, there is little value in a surgeon claiming an operation was a technical success if the patient died of poor aftercare.  Similarly there is little point in an organization gaining BCM certification from ISO if it goes out of business as soon as a serious problem occurs. Resilience, not process consistency, is the ultimate measure of success.

So given these warnings and caveats what must an auditor do to add value to a BCM programme?  Firstly, he or she must understand the business fully.  There are some good places to start like the company’s annual report to understand missions and values; the external auditors report to highlight weaknesses or exposures; as well as risk registers, previous business impact analyses and other available management reports.  It is rarely useful to start with the Business Continuity plan itself.

The second stage is to familiarise oneself with the BCM process that is in place.  Does it follow any recognized standard (internal or external)?  How well has it documented?  Do people know about it and their role in it?  Conducting selective interviews with senior management and other interested parties can help judge how serious they are in supporting BCM.  Remember a significant budget for commercial IT recovery capability does not in itself demonstrate management commitment to an embedded Business Continuity culture.
Having acquired this level of contextual understanding auditors can start to ask questions and review the applicability of the responses.  Many of the questions are basic but often throw up uncomfortable issues. Typical areas to cover include:
  • Do you have plans for all critical systems, processes and functions and how do you  know which are the most critical?
  • Are the plans accurate, complete and up to date?
  • Is the documentation easy to follow in an emergency?
  • Have roles and responsibilities been defined?
  • Are the response strategies devised appropriate to the potential level of disruption?
  • Are the plans tested and how, when and by whom?
  • Are the test results evaluated, lessons learned and plans enhanced?
  • Are the initial response structures well-known and fully tested?
  • Are appropriate communications with external parties defined and tested?
  • If pre-defined alternate locations are designated, do staff know how to access them?
  • Are all critical resources backed up and recoverable?
  • Are personnel trained in their post-incident roles?
The most important thing for the auditor to reflect on is not the documentation but the resilience capability that can be demonstrated.  A poor audit is one in which the auditor treats it as a document review.  It is not enough to have a well written plan unless that plan is part of a tried and tested process.
 

Friday, 9 November 2012

‘Temporary disruptions’ can have serious consequences - BCM is vital for Kuwait's business environment


Muhammad Ghazali MBCI

IN A COUNTRY like Kuwait which has oil production as the backbone of its economy, even a temporary disruption in production can have serious consequences for the economy. That’s where Business Continuity Management (BCM), a fast developing management discipline, becomes extremely crucial. Muhammad Ghazali, Associate Director, Head of BCM Services, Protiviti Member Firm (Middle East Region), in this interview, talks about BCM and its applications and advantages in Kuwait’s business environment. He says that with increasing complexity of businesses, BCM will become an inevitable entity in any business firm or organization.
 
Question: What is Business Continuity Management (BCM)?

Answer: Business Continuity Management is a management domain that focuses on development of strategies, plans and capabilities that provide protection or alternative modes of operation for those activities or business processes which, if they were to be interrupted, might bring about a serious business or potentially fatal loss to an organization.
An increasing number of organizations and their Executive Management are recognizing the importance of the Business Continuity Planning, Resiliency and Crisis Management as part of Enterprise Risk Management program. Many governmental agencies and all regulators around the world have recognized and incorporated Business Continuity and Crisis Management Planning into their requirements. Investors, as well as Boards of Directors, are increasingly interested in management’s capability to continue critical operations through a disruption and their plans to ensure a resilient enterprise.
 
Q: What do you mean by: “… critical operations through a disruption…” please explain?
A: Critical operations are those activities which facilitate the organization to deliver its key product and services. The critical activities should be delivered to clients even when its primary method or mode of delivery is affected due to any disastrous event. For example, for an internet service provider, it is critical for them to provide internet access to its customer, at an acceptable level, even when its primary method or mode is disrupted.
 
Q: Does BCM cover even financial crisis? If yes, could effective BCM have averted crises like the subprime mortgage crisis in the US and the more recent Eurozone debt crises etc.? Explain how?
A: BCM preparedness does not directly cover financial crisis. Subprime mortgage and Eurozone debt crises are effectively covered by Financial Risk Management initiatives such as Credit and Market Risk management. BCM focuses on developing resiliency to those activities that are ‘time’ critical and required to be ‘available’ all the time. However, BCM does assist Financial Risk Management in an indirect manner by developing resiliency or fail-over options to time critical activities that come under Financial Risk Management processes, thereby indirectly protects an organization from financial losses.
 
Q: Which sector in Kuwait do you think is in most need of BCM? Logically organizations that contain the most risk, like oil companies etc, should have the greatest need for BCM, isn’t it?
A: Absolutely correct. As Kuwait Economy is largely driven by Oil and Gas sector, BCM assumes larger importance at the national level. However, Business Continuity preparedness is equally important for other sectors as well. In today’s world, how far can we afford to be without a telephone connection or Internet? In modern e-Government environment, where every single national and resident is connected, can we tolerate the downtime of e-Government services? In a technology driven banking business operation, how long can we tolerate the ATMs to be down and not working? In our modern lifestyle where electrical utilities and gadgets become inevitable, how far can we go without electrical power? Therefore, in my opinion, BCM is needed in every sector that has time-critical processes and activities.
 
Q: What systems are currently in place in the various companies of Kuwait for Crisis Management? As these companies have been functioning well so far, don’t you think the existing system is fine? Then, what is the need for BCM?
A: Crisis Management is an important element of BCM. In my personal view, the BCM and the Crisis Management disciplines are catching up progressively in Kuwait. Though BCM preparedness and capabilities are established within an organization, they operate in isolation and at times limited to the technological recovery only. BCM, like any other management function, requires equal attention and recognition. BCM activities should be integrated with all other business processes. For example, at the time of acquiring or upgrading an application system, an assessment should be carried out to identify all threats which may cause interruptions to the system or to any of the business process being supported by the system. This type of integration can only be achieved by implementing a Business Continuity Management framework within an organization.
 
Q: How vast is the paradigm of Business Continuity for organizations today?
A: In a highly competitive and dynamic business environment, it is important for every organization to remain ‘available’ and serve customers virtually every minute. Take an example of the banking sector. Few years ago, banking business was limited to business hours only. But now with the advent of Mobile Banking Apps in addition Internet Banking and ATMs, the banking operation needs to be available 24 hours in a day. Likewise every organization is expected be available all the time to retain and serve their customers. If they are not available for some reason or other, they may run the risk of losing their market share and migration of customer base to competitors providing better availability. Therefore, any organization that has time critical operation will have to embrace BCM discipline to be available for the customers.
 
Q: Give an example as to how BCM can prevent events like the recent fire in a popular warehouse in Kuwait. Take us through it in a step by step fashion.
A: Excellent question. A well-structured BCM function can prevent such incidents and more importantly, it can contain damages and financial losses. BCM involves a number of work procedures. As an important initial step, BCM identifies critical business processes and availability risks challenging those critical processes. Based on the risk assessment, control measures are established to prevent such incidents and to reduce damages arising out of such incidents. In the specific case referred, the concerned organization had BCM plans in place which assisted them in containing the damages and resuming the business operation within the acceptable downtime period.
 
Q: How does a BCM structure fit into an organization? Will there be a separate BCM team or will the employees be trained to handle it?

A: As of any management function, BCM has both strategic and operational sets of activities to be performed on a continuous basis. While the organizational fitment will have to be specific based on its nature of business, it is ideal for organizations to assign the responsibility of establishing and maintaining the BCM strategies and plans to a dedicated corporate-level entity. Good practices recommend formation of a number of committees and a cross-functional recovery teams to work as needed. BCM training is absolutely required for both dedicated BCM strategy unit and operational teams, and the training program should be provided periodically.
 
Q: How is business continuity different today than it was a decade ago?

A: A decade ago, the initial paradigm was much focused on Technology recovery and was popularly referred to as ‘IT Disaster Recovery Planning’. However, organizations slowly recognized that BCM will have to equally focus on elements such as people, process, premises, records and suppliers. Hence, the concept of a cross-functional Management System for Business Continuity started evolving and are maturing over the period of time. Leading organization don’t consider the BCM program relating only to the Technological recovery.
 
Q: What are the international best practices available for Business Continuity? And how feasible is it to apply all of them in the Kuwait market?

A: Fortunately, there are a number of best practices available as of today. There is an ISO Standard for Business Continuity Management System popularly referred to as ISO 22301:2012. Besides, there is a ‘Good Practice Guidelines’ released by The Business Continuity Institute (BCI), UK. Besides, there are a number of other Standards for Data Centre, ICT Readiness, etc. These Standards and Guidelines are equally useful for the organization operating in Kuwait and provide an adaptable model to structure the BCM function as per the organizational requirement and Kuwait specific requirements. 
 
Q: What is the role of leadership in the implementation of Business Continuity Management?
A: Organizational leaders play an important role in establishing, managing and operating the Business Continuity Management function. They provide strategic direction to the function by reviewing and approving BCM strategies and plans. They also allocate required resources and investments in developing the required capabilities and arrangements. More importantly, they are responsible for analyzing and declaring emergency situations, and accordingly advising business recovery teams to continue business operations from the alternative workspace. They conduct periodical reviews over the operating effectiveness of the BCM strategies and plans with an aim to improve its preparedness and effectiveness. Protiviti Member Firm for the Middle East (Protiviti) considers the role of the leaders in the BCM program as crucial for the success of the BCM program. The ISO Standard (ISO 22301:2012) also mandates their involvement as a major requirement to qualify for certification and compliance. 
 
Q: In your opinion, how can corporates in Kuwait establish and implement effective BCM Program?
A: Leading organizations have already established and are effectively practicing BCM programs. However, the level of implementation with the rest of the organizations in Kuwait is not very encouraging. Many of them are under a false assumption that they will not be impacted by any contingent event and even if any contingent event strikes them, they tend to believe that they can respond back to it on a reactive manner. Therefore, they consider any investment in the BCM capabilities may not yield the required returns to them. However, the fact is quite opposite. Available statistics prove that marginal investment in resiliency and fail-over capabilities insure them from major damages, financial losses, regulatory non-compliance and reputational risks. Protiviti encourages organization in Kuwait to take the first effective step - determine the organizational availability requirements and assess the availability risks. Protiviti believes this initial first step will enable them to understand their risk exposure and accordingly take a cost-effective continuity measure. It is not necessary that risk mitigation activities may not be prohibitively expensive. There are many international best practices such as ISO 22031:2012 Standard and BCI’s Good Practices Guidelines that provide a comprehensive framework to take effective measures.      
 
Q: Being the official leader of Business Continuity Institute Kuwait Forum what are the plans during the year 2013?
A: The BCI Kuwait forum was the first country forum from the Middle East that participated in the ‘Global Business Continuity Awareness Week’ in 2012. The BCI Kuwait forum plans to participate in Global Business Continuity Awareness Week 2013 that is scheduled in March 2013. During this week, the BCI Kuwait forum will conduct a full day conference in Kuwait inviting local, regional and international speakers to share their valuable experiences and their knowledge. Besides, there will be quarterly knowledge-sharing events for the BCM professionals to share case studies through general awareness workshops to the existing and potentials members of the BCI in Kuwait.
 
Q: What are the qualifications a person should have to join the forum? How is the training offered, and examination held? Is a BCM certification a lifelong one, or do graduates have to take retests to keep the degree?
A: Any professional can join The BCI Kuwait Forum by signing a simple Membership Form. The BCI Licensed Trainings are offered in the Middle East through licensed training partners. Any professional can attend these training programs and appear for a Certification Examination, if desired. On successfully passing the examination, they can earn the credentials of CBCI (Certified by The Business Continuity Institute). Due to emerging nature of the domain, the certified professionals are required to appear for retest after three years to retain their credentials. The main objective of the retest is to enable the professionals to continue their professional education.
 

There was an error in this gadget