Tuesday 6 December 2011

What if we win the lottery

Everybody has wondered at some point what would happen if the winning lottery ticket were shared by all the employees of a company. From a Business Continuity point of view it looks like a significant risk, but should this scenario be part of the scope of our business continuity program?

That depends on the probability of the situation occurring (experience tells us it is very low) and on the impact it would have if it materialised.

Probability

The worst scenario (from a BC point of view, of course) is that all the employees of a company share the winning ticket of the Christmas Lottery, which pays 400.000€ per ticket. Assuming that each employee holds only one ticket and that every employee's reaction is to leave their job with the 400.000€, at least for a year, this gives a probability of 1 in 100.000 of losing 90% of the workforce on the 22nd of December.
This probability is really low (0,00001), but anything can happen.

Impact

The impact of losing employees depends on each organization. As I explained in my previous post, Components supporting Business, each organization depends to a different degree on the five kinds of resources that support the business: Premises, People, Technology Infrastructure, Information and Suppliers. Companies with a low dependence on Human Resources can stop reading here. The rest, read on...

If the lack of human resources has a high impact, the risk starts to be worth considering, and so it may make sense to identify measures that would mitigate the impact this situation would cause. Two things have to be analysed here:
  • The losses to the organization if 90% of the staff is unavailable. Some organizations did this analysis because of the influenza A pandemic two years ago, and the losses grow exponentially.
  • How much it costs to replace staff. Here there are different procedures to follow in case of a disruption, depending on the employee's position. Some positions will be very difficult to replace, and specific procedures have to be defined for them.
Once this analysis has been done, the next step is the countermeasures. Each organization has to establish its own countermeasures, allowing the business to recover in the minimum time when human resources are lacking. However, two actions are advisable in every organization:
  1. To guarantee that the organization will have enough budget to face the lack of staff, it is advisable for the company itself to hold a share of the ticket, with enough participations that the prize covers the cost of the contingency procedures.
  2. To protect key people, the organization should establish an agreement through which employees guarantee that they will keep working after the lottery draw, for example by shielding their contracts.
Good luck to everybody on the 22nd of December; I hope there will be many BC scenarios like this one.

Monday 14 November 2011

BCM Tools

One of the most important decisions when establishing a Business Continuity program is whether an automation tool is necessary or not and, if so, which tool to choose. The tool used will condition both the maintenance procedures and the actions to be taken when the business continuity plan is activated.

There are different theories about the suitability of automation tools for managing continuity, depending on the maturity of the program, the size of the company and the scope of the program. However, as we will see below, there are different types of tools, and each type can be useful in different environments.

In general terms, there are two main types of business continuity tools:
  • Pre-event tools are used to ensure the organization's preparedness. There are many options in this group, because of the different activities involved: risk analysis and management, impact analysis, compliance management, workforce assessment, supplier management, document management, and so on. Some examples are eBRP suite, myCOOP by COOP, CMS by SunGard, ShadowPlanner by ICM and RecoveryPlanner.com; all of these are specific continuity tools. Apart from them, there are others closer to the Information Security world, like RSA Archer, and others oriented to document management, for example PCN by Ecija, although companies usually develop their own solutions for this function using Microsoft SharePoint or Lotus Notes. Finally, there are tools oriented to managing technology infrastructure continuity, like RecoverGuard by Continuity Software for data recovery, or CMDB modules like the one in BMC Atrium.
  • Post-event tools are used once a disruption has occurred. Here there are two different types: notification tools (Fact24, MIR3 Intelligent Notification, imodus, notifind, etc.) and incident management tools (Incident Manager by SunGard and ESi). These tools require reliable, intuitive and quick access, and they have to be reachable from any location.
The picture below shows the use of the different kinds of tools depending on the time frame in which they are used, taking an event or disruption as the reference.
In Spain, due to the traditional approach to Business Continuity from an Information Security perspective, BC providers have developed tools around risk management, compliance management and impact analysis. In many cases, customers have developed their own BC tools, based on SharePoint or Lotus, with limited scope and scalability.

A really effective tool from a BC point of view has to be a single database, or be synchronized with the other sources. That is the only way to ensure that the effort of managing the tool is not greater than the effort of managing the whole BC program.

Saturday 22 October 2011

One threat less: time to update the plans

We are used to extending business continuity plans with new threats and risks, based on what is happening around us. It is normal to update plans with threats and scenarios not covered initially. But this time it is just the opposite: updating business continuity plans to eliminate a threat, or at least to reduce the risk of a threat materializing. I am talking about ETA's announcement of the end of its violence.

If we analyze the main causes of activation of business continuity plans (non-IT), we can say there are three main ones:
  • Heavy snowfall, preventing employees from reaching their workplaces.
  • Failure of supply by suppliers, for example the power outages and fires in electrical substations that affected the Retiro area in 2008.
  • Consequences of terrorist attacks, such as the bomb at the Bull building in Campo de las Naciones in 2005, which prompted the evacuation of nearby buildings (Correos, Endesa, Cepsa, etc.), or the one in 2009, which we recall here in a video.

From now on we can start to rate this third threat as a low-probability one, although unfortunately there will always be groups willing to spread terror in this way. Certainly ETA was the most important terrorist threat in Spain.

The announcement is very good news that we were all waiting for, and we hope it becomes final so that we can remove this threat from our business continuity plans. Hopefully it will not be the last threat we discard.

Thursday 13 October 2011

BlackBerry and Continuity

The BlackBerry incident seems set to become the worst incident in the history of communication services and, without any doubt, will appear in the introduction of most business continuity providers' presentations. With no service since Monday morning, the incident recalls the one in 2003 when the Vodafone network was unavailable in Spain for a day, affecting 8 million users. After that incident, with losses in the millions for Vodafone, the operator became aware of the importance of having an effective business continuity plan and established the internal mechanisms required to make it real.

70 million BlackBerry users without service show that perhaps it was not such a good idea for the service and the terminal to be provided by the same company. If BB's strategy had been in question for some time, the latest incident will now make operators question whether it makes sense.

From a BC point of view, the BB crisis can be analysed from three perspectives:
  • As a BB user (residential, self-employed, SOHO or big company), the outage tests the contingency mechanisms defined to guarantee delivery of the PIM (Personal Information Mobile) service to users, which is highly critical for some businesses.
  • As an operator, those who have packaged products around the BB service must now answer to the users, because they market the service and bear the responsibility. The operator must update its business continuity plan, raising the probability of failure of its provider, BB, and establishing the mechanisms and funding required.
  • BB as a provider must face a number of challenges to survive in a market with strong competition between mobile device operating systems and increasing demand for the two main ones, iOS and Android. Apart from that, the company's shares are falling as quickly as the perception of its reliability, which will be very difficult to recover.

We can only wish the BB crisis managers luck so that the service recovers soon.

One positive point to highlight from BB's crisis management is the publication of information. Tracking the incident online was a good idea, although it was done too late, because at some moments there was a lack of information.

Thursday 8 September 2011

Suppliers are important

Although it sounds like a cliché, providers are often the forgotten ones in business continuity plans. It is often forgotten that there are services essential to delivering our products and services that are provided by third parties and do not depend on us. Clearly, the dependency on providers differs depending on the industry we are in, and so do the measures we have to implement to guarantee the continuity of their services and the resilience of our business. Sometimes we have to establish a dual-provider policy, with a principal provider and a backup provider. In other cases we will have alternative ways of delivering the service the provider gives us, but it will always be necessary to carry out a risk and impact analysis and determine the cost of the backup solution.

Below are three examples of provider continuity:

IT is perhaps the area in which the continuity of suppliers has traditionally been taken into account, mainly because, as I said in a previous entry, technological evolution has been ahead of business requirements. Any serious data center has a generator that guarantees the electricity supply, for example.
Another important role of providers in this area comes from the fact that many services have been outsourced. In that case the dependence on suppliers is total and, as the sense of loss of control is inevitable, providers are required to deliver service guarantees even under conditions in which the company itself would be unable to keep

The second example is in the field of retail distribution. It is what is called supply chain continuity, and it is essential for any large store. The losses that a failure in the supply chain can cause in a department store can run into millions, since much of the business depends on restocking the goods.

Finally, another example of the importance of suppliers is the financial sector which, while it focuses its attention on IT service continuity, could hardly operate a branch without the cash delivered every morning by the corresponding security company.
In conclusion, providers are vital in most businesses and should not be underestimated. It is necessary to look for the best plan to guarantee that a provider's unavailability will not impact the delivery of our services and products.

Tuesday 30 August 2011

Home Continuity

Regardless of the differences between cultures, we can identify scenarios that are more or less common when talking about home continuity. Analyzing the five components supporting the business identified in the BS25999-1 standard, we can determine the following:
  • People: the inhabitants of the home, whether a family, flatmates, etc.
  • Premises: the home plus its annexes (garages, etc.).
  • Information, in both formats, paper and electronic. We all have documents at home that may be important and irreplaceable, such as contracts, deeds, official documents, etc. Furthermore, an increasing amount of information is electronic: photos, videos, documents on our HDD, etc.
  • Technology: perhaps the least critical component, since its service is personal and easily restored.
  • Supplies: traditionally four: electricity, water, gas and telephone.
The next step is to define the scenarios that could be part of the scope of our home continuity program, which will be more or less probable depending on the threats of the area where the home is located. Some example scenarios:
  • Loss of information (mainly on the HDD)
  • Power outage, of different durations
  • Flood
  • Fire
  • Severe weather: heavy snow, storms, hurricanes
  • Major disasters: earthquakes, nuclear incidents, etc.
Some of these scenarios are more common than others. For example, some years ago there was a gas explosion 50 meters from my house. Although we may think that a lot of damage can be covered by insurance, there are perhaps things that cannot be restored with money.

If we analyze the first scenario above, it has surely happened to a lot of people: we can lose all the information on our HDD, including photographs, videos, etc., so our home continuity program must define the mechanisms we are going to use to safeguard the information. There are some options, such as burning CDs and taking them to a different location (a relative's house, for example), or uploading photos and videos to a cloud service like Google Drive or Dropbox.

We have to go on with the other scenarios in order to develop our whole Home Continuity Plan and be sure we are not going to lose what we keep in our homes. Testing would be fun, especially if you have young children.

Friday 19 August 2011

Personal Accreditations in BCM

To certify professional knowledge of Business Continuity, there are two international bodies focused solely on BCM, and these are the agencies currently recognized: the BCI and DRII.

For historical reasons, DRII has more recognition and is better known in the Americas, both North and Latin America, and in Australia, while BCI has more presence in Europe and Asia.

The certification schemes of both entities are very similar and are based on passing an exam and accrediting experience in different Business Continuity domains.

BCI
The different types of accreditation are the following:
  • CBCI: basically, it means having passed the exam.
  • AMBCI (Associate Member): a statutory member, with the same voting rights and the possibility of being elected to BCI positions. To achieve this accreditation you need to be CBCI and accredit one year of experience with two different references.
  • SBCI (Specialist): specialists have to demonstrate at least two years' experience in one of the six BCM domains: policy and management; analyst; strategic services; response, planning and support; testing and audit; training and awareness. Demonstrating experience in a related discipline, like information security risk, is also valid.
  • MBCI (Member): must demonstrate that they work as business continuity practitioners with at least three years' full-time experience in BCM. They also need to pass the BCI Certificate at the higher "Pass with Merit" grade.
The official definitions can be found at this link.

The exam is run by Prometric, although registration with BCI is required before the exam. The exam is based on the Good Practice Guide (GPG).

DRII
The accreditations are very similar:
  • ABCP (Associate Business Continuity Professional): equivalent to CBCI, that is, it accredits passing the exam with no experience requirement.
  • CFCP (Certified Functional Continuity Professional): requires passing the exam and demonstrating 2 years of experience in three of the knowledge areas (SME: Project Initiation and Management, Risk Evaluation and Control, Business Impact Analysis, Developing BC Strategies, Emergency Response and Operations, Developing and Implementing BC Plans, Awareness Program and Training, Maintaining and Exercising BC Plans, Crisis Communications and Coordination with External Agencies).
  • CBCP (Certified Business Continuity Professional): requires passing the exam and demonstrating at least 2 years of experience in 5 knowledge areas.
  • MBCP (Master Business Continuity Professional): reserved for business continuity specialists evaluated by DRII, with more than five years of experience in at least 7 knowledge areas.
The official definitions can be found at this link.

The exam is taken in class and is scheduled periodically all around the world. In Europe it is organized from Italy.

Business Continuity accreditations have less recognition in Spain than other accreditations related to Information Security, like CISA from ISACA or CISSP from ISC2, and are hard to obtain because of the language and the scheduling of exams, but they are highly valuable in the medium and long term.

Wednesday 10 August 2011

Components supporting Business

Business continuity has been promoted mainly by two industries: finance and insurance. These two industries have some common characteristics that could explain the maturity of their business continuity programs:
  • They have specific regulation, usually backed by financial penalties, like Basel and Solvency.
  • Their principal business processes are concentrated in a few locations, mainly data centers and call centers, which makes resilience easy to guarantee. Backing up these central locations is enough, because the other facilities are not as important for the continuity of the business.
  • The degree of industrialization and automation of their processes is very high. This makes them highly dependent on the information technology infrastructure, so backup and restoration measures are also concentrated there to a high degree.

In Spain, these two industries have historically stood out for their preparedness: some with recovery services for their data centers, others going a step further with recovery facilities equipped with workstations.

As a result of the over-development of IT service continuity, nowadays every data center, big or small, rented or owned, has its own recovery measures, which gives a false feeling of protection. A large number of directors think they have a good business continuity program only because they have a recovery data center, even though their main business processes are not supported by the IT infrastructure and therefore are not backed up.

It would not be effective to recover the IT infrastructure of a hospital when a legionella outbreak has taken place, for example. The same goes for most of the disaster scenarios that could be included in the scope of a hospital's business continuity program. What is the problem then? We must identify what the components that support the business are.

The best way to identify these resources is to use the ones identified in BS-25999-2, that is:
  • people (7.3)
  • premises (7.4)
  • technology (7.5)
  • information (7.6)
  • supplies (7.7)

Without using any statistical method, it is possible to identify how dependent each industry's business is on the different types of resources described above. This is what I want to show in the following graphs:

It is clear that in the financial industry the IT infrastructure supports a high percentage of the business, even taking into account other matters, like the providers in charge of distributing cash to all their customers every morning to cover their needs. So it is easier for them to be prepared than, for example, a hospital, in which all the components have to be considered in a similar way.

In conclusion, one of the first steps in developing a business continuity program is to identify which components are essential to guarantee the delivery of products and services to customers in each of the scenarios included in the scope of the program. It is good practice to use the five components of business continuity identified in BS-25999-1.

Wednesday 3 August 2011

Historical evolution of norms, standards and legislation in BCM

Before the awaited ISO 22301 is published and, probably, becomes the worldwide reference standard, it is worth reviewing the set of guides and standards that currently show the way in Business Continuity.

The first standard worth recalling is NIST 800-34, "Contingency Planning Guide for IT", from the US government. This is the standard in which some terms and definitions that have endured over time began to be used: DRP, COOP, BCP, etc. It was published in 2002 and was, without any doubt, the first statement of intent in IT service continuity.

At the same time, the Business Continuity Institute (BCI) published the first version of the Good Practice Guide (GPG), which would later become the seed of the BS25999 standard. It was more focused on business continuity than 800-34. In 2003 BSi decided to use it as the base for developing the standard, publishing PAS-56 (Publicly Available Specification). This PAS was in force until the publication of BS-25999-1, which repealed it in 2006. At the same time the BS-25999-2 standard was launched, describing the management system and the certification scheme.
Standards development organizations from Singapore and Australia have traditionally been aware of business continuity and have published different norms and standards that complement the "Western" ones. Singapore, for example, published SS507 BC/DR Service Providers, which seeks to define the characteristics that providers have to meet in order to be certified as BC providers. For a while this standard was considered a rival of BS-25999 in the contest to become the base of the new ISO standard, but it was not widely used in other countries.

In 2006 BSi published the PAS-77 standard. It focused on covering the IT service aspects that were not taken into account in BS-25999 and was primarily motivated by criticism on that point. In 2008 this standard became BS-25777 IT Service Continuity Management and in 2011 it became ISO 27031, although this standard is not expected to have a certification scheme in the future. It is important to note that the committee in charge of developing this standard is 27 (IT) and not 22 (Societal Security).
The picture below shows a timeline that may clarify this landscape of norms and standards:
I hope 22301 becomes the definitive standard that gives the business continuity sector a boost from a certification perspective.

Thursday 28 July 2011

Where to begin

There are many types of organizations: government or public, big or small, SOHO, etc., and all of them have their own objectives. This heterogeneity means that each one has its own motivation for establishing its Business Continuity program.
A key element is usually the news: when a disruptive event, a natural disaster or an unexpected event occurs, it can awaken some kind of awareness in directors, who ask themselves, what if it happens to me? After that, management usually appoints a business continuity manager internally to carry out the program and, if there is enough budget, asks consultants for external help.

The next step is to look for a reference that shows the best way to carry out the program. Both the BC guides and standards (GPG from BCI, ISO 22301, etc.) and the consultancy methodologies start with a business process inventory, a resource inventory, a risk assessment, a business impact analysis, and so on.

But what I am going to put forward is a different way to begin in Business Continuity which, from my personal experience, could be the best one. The main aspect of any initiative is awareness, so that is the first thing we have to promote, and it gives us success in the other phases of the program. And, of course, the best way to build awareness is with a TEST. So my recommendation is: carry out a drill without much preparation but, of course, always with the backing of management.

An example I have experienced of this was a drill in a European organization where a new director arrived who had been working in the military. He decided to conduct a drill based on a bomb at the main entrance of the building. Surprisingly, the results of the drill were better than expected, mainly because of this director's leadership, but a lot of lessons could be learned, many conclusions were drawn and lines of action were identified to work on.

But be careful, because this formula may not be valid for some scopes. For example, if our scope is only IT service continuity, we cannot conduct a drill of this kind: we could cause just the opposite of what we were looking for.

Tuesday 26 July 2011

Starting the blog


This is my Business Continuity blog, started in August 2011 in its Spanish version and in August 2012 for the English version. I have translated all my previous posts into English and, from now on, I will publish every post in Spanish and in English at the same time. I really think the BC sector needs this kind of initiative, at least in Spain.

In this post I would like to justify the name of the blog; people who have worked with me have heard these thoughts before. I have been saying it for a long time: ladies and gentlemen, Business Continuity is not Information Security.
Information Security has such a big lobby in Spain that it leaves no room for adjacent sectors like business continuity, because:
  • BC appears in ISO 27.002 as a chapter of the ISMS.
  • The BC manager and the IS manager are usually the same person.
  • Usually, the IS manager has a kind of obsession with getting more and more responsibilities. It is a strange phenomenon, but quite frequent.
  • Consultancy companies usually include BC in their IS portfolio, just because the decision maker is the same and the consultants' skills are usually the same.
  • Both management systems (BS25999 and 27000) have a lot in common: policy, risk analysis, continual improvement, ...
All these things have made the inclusion of BC within IS far too common.

However, everybody who has ever been in touch with BC knows that the concept of continuity referred to by information security is a reduced version of Business Continuity.
Business Continuity is more complete and multidisciplinary than Information Security, because it has to understand the whole business, not only the information the business manages. Depending on the type of business, IS and BC may be more or less aligned, but in general terms there are a lot of differences. For example, does IS have anything to do with shifts? I don't think so. Shifts are a key piece of BC for companies with a high dependency on people: call centers, supermarket cashiers, physical security companies, etc.

A good Business Continuity System must be integrated with emergency systems, building evacuation, self-protection manuals, firefighting, media relations, human resources... and these things usually have little to do with Information Security.