Monday 24 February 2014

Auditing Providers, Intrusion or need?

By Moises Lopez Soto

In recent years, the way services are delivered has diversified, increasing the number of providers that make up the supply chain and, therefore, the complexity of controlling every component that contributes to the final result. Trends such as outsourcing some time ago and, more recently, cloud are clear examples.

Every day we face the challenge of ensuring the business continuity of our organization while depending on a large number of external agents, and in some cases one of these external agents may be absolutely essential to the future of our company. That is why we must act proactively to strengthen every link in the chain, minimizing risks and cushioning the impact that the failure of a weak link would have on our business. This is already a complex task when the processes and resources to be controlled are internal, so it is easy to see that it becomes much more complicated with external agents, who are fully free to run their own processes and to deliver their services as they see fit.

SLA is not enough

Establishing Service Level Agreements is entirely valid and necessary for aspects of a service such as capability and availability, but when we talk about continuity it becomes insufficient. Among other things, this is because we are not referring to the supplier's ability to deliver the service, but to their ability to keep delivering it after suffering a contingency.

The most common solution is diversification, relying on a model of "duplication" on a provider-per-service basis, with an N-to-1 relation of providers to service and a minimum of two, just as if it were load balancing in a data network. In some cases this is the usual way to deliver the service; in other scenarios it means an increase in the resources required for service management and a greater workload for staff. Nevertheless, it is NOT a valid solution for all services. For example, this kind of countermeasure is usually hard to establish when we are talking about business-critical services such as providers of essential services (electricity, water, etc.), when the solution is too complex or too expensive, when there is a monopoly, or when a single infrastructure is shared by different suppliers. In any case, it seems absolutely clear that the relationship between provider and company has to be strong enough to handle every contingency scenario just as if they were the same company.

Audit process, an interesting weapon

The day may be near when ISO 22301 (or a similar standard) is required in order to provide certain kinds of services, just as ISO 28000, ISO 9000 or even ISO 20000 are required today, but until that day arrives, audit processes are an interesting weapon. On the one hand they would very significantly strengthen the customer-provider relationship, and on the other they help to raise awareness and to work on and improve business continuity in both companies.
It is true that providers can refuse, as we saw at the event supported by SIA last year, but it is the customers who must assign some weight to the business continuity countermeasures that their providers include in their service delivery proposals.

Providers should treat audit processes as a turning point in their business continuity activities, or as a starting point if they have done nothing before, to build resilience into their own business, taking the opportunity to strengthen and enhance the relationship with their customers and, at the same time, to obtain a marketing return on their work in this field. For their part, customers should approach audits constructively, focusing on growth and offering support and advice to the audited provider. In short, a win-win relationship.

Nowadays, audit processes are set to become the main element for ensuring the strength of the business continuity management system and, with it, the resilience of the company, so they seem to be more a need than an intrusion.

Monday 10 February 2014

BCMS testing, prepared or not…?

By Moises Lopez Soto

Let's talk about testing in a Business Continuity Management System, starting from the premise that testing is an absolutely crucial element, not merely necessary but MANDATORY if we are to claim that we really have a Business Continuity Management System; not for nothing does it have a complete phase of the Deming cycle (PDCA) dedicated to it. So let's not dwell on the need for tests; we take that point as settled and focus on how we do them, or rather on the "preparation" for them.

When the time comes to check that what was previously planned and implemented actually does its job, and that the chosen strategy covers and provides the support the company needs in the field of business continuity, nervousness often takes hold of those responsible for carrying out each of the established schedules, and the operational side enters a preparation cycle that is, normally, excessive.

We want to run a test, so we consult the members of the various existing committees about their availability, because there is often some member of senior management whose time is money (so far, this can be considered normal planning); then we consult and agree with those responsible for the different IT systems and applications that may be affected by the test; then we go to the users and their managers to inform them that they will take part in a test; and so on. Outcome: with luck, we will at least have kept the day and time of the test secret.

Applying Plan - Do - Check - Act to the test itself, the question is: is all this really necessary?
Perhaps the question to answer when we analyse how a test is run is this: when would we rather be fired (exaggerating a great deal), during a real contingency or after a failed test? Personally, if I belonged to senior management and had been assured of continuity on the strength of testing, and later, for whatever reason, the plan had to be activated and did not work because the contingency was, logically, NOT prepared, heads would roll...

By this we do not mean that no preparation is needed before launching a test, especially at the beginning, but rather that too much preparation invalidates the results we get from the test.
However, if we go to the other extreme and focus on unannounced tests, we can also run into a few problems and risks, for example breaking the maxim "Business continuity must NOT jeopardize the business" by causing ourselves a contingency of major proportions. Furthermore, it is not good for the groups with roles in the business continuity plans to get used to receiving plan activation alerts without prior notice, as they may slip into apathy and think "one more test" when it is a real contingency.
Therefore, the most sensible proposal is alternation: running both prepared tests and improvised tests (with knowledge of them restricted to a minimum number of people), so that business continuity knowledge and culture are encouraged in the company while much more objective feedback is obtained.

In any case, one way or another, it is always important to keep in mind when we are going to run a test that what we must look for is the failure, the vulnerability of our plans, the unexpected, obtaining lessons learned to sustain continuous improvement; that, except for bad weather, contingencies do not ring the doorbell, they knock the door down; and, above all, that every test carries the imperative need for further testing, because repetition is a proven method of learning and a perfect way to embed the automatic responses that will be absolutely necessary when stress grips our ability to reason. How do we achieve this?

"A business continuity test should not jeopardize the company, but it must provide sure knowledge of its resilience"