
Tuesday, 24 May 2016

IX Business Continuity International Conference

by Jorge García Carnicero


As every year, BSI has promoted the Business Continuity International Conference, now in its IX edition. The venue chosen this year was the Gran Meliá Fénix Hotel in Madrid, where the conference took place first thing in the morning. With the room almost full, around 50 or 60 people, BSI showed that its ability to draw business continuity professionals remains healthy.

The first talk was given by Jose Luis Miguel, Country Manager at BSI, who presented BSI's capabilities both in developing standards and auditing and in training. He then presented the results of the Horizon Scan Report 2016, led by the BCI and sponsored by BSI, highlighting aspects such as the top ten threats to continuity, which can be seen in the image, and the percentage of companies planning to increase their business continuity budget over the coming months and years.


The second talk was given by Julio San Jose, from EY, together with Cristina Pereira, responsible for continuity at Abanca. Julio emphasized the key aspects of continuity:

  • Need of deploying tests and drills.
  • The importance of crisis communication.

He also discussed the different communication strategies that exist (for better or for worse): Silence, Denial, Transfer of responsibility, Confession and Controlled discretion, with Confession being the best communication strategy.
(I would call it Transparency)

Cristina Pereira presented the case of Abanca, discussing the different problems she had to deal with when deploying the Business Continuity Plan in the organization. In line with Julio's talk, she also emphasized the importance of drills.

Before the break, the third talk was given by Agustin Lopez, as representative of DRI in Spain. Agustin presented the different contingency scenarios in the data centre with an original presentation that used classic films as a thread (Back to the Future, Groundhog Day, etc.).

After the coffee break and networking moment, we returned to the room, where GMV was responsible for the fourth talk of the morning. It covered the business continuity management system (ISO 22301) and the possibility of integrating it with other management system standards, such as security (27000), IT service management (20000) and quality (9000), with an orientation towards certification.

The fifth talk was given by Uxía Fernandez, from Grupo Ozona. Uxía presented the concept of IRBC (ICT Readiness for Business Continuity) used in the standard ISO 27031. She went through the content of the standard, with its 5 mainstays as the elements to protect: facilities, technology, people, data, providers and processes. Since usually only technology and data are taken into account, Uxía wanted to give special consideration to the other elements. It was a long talk.

Finally, the sixth talk was given by Ricardo Mesias, Risk Management Director at EDP. Ricardo described the main problems he had to deal with when developing the business continuity plan at EDP. He talked about the team, about getting all the company's departments on board, about the importance of testing, about metrics and about external support, which is always important.

Conclusion

In conclusion, I think that BSI's role in maintaining this event year after year is laudable, and all business continuity professionals should be thankful for it. This event is a meeting point and also a way to measure the state of the art of business continuity in Spain.

However, I think the messages have to improve, since many of them do not reflect the actual situation of customers. Recently I was reading an article by Amy DeMartine, senior analyst at Forrester Research for DevOps, in Computer World, which I think is applicable to business continuity. She said: “I think the reason why a lot of companies start with DevOps activities and forget the security staff is that there is a cultural gap. Security people speak an almost different language - incidents, vulnerabilities, risks - so everybody puts them at the end of the development life cycle”. This could also apply to business continuity, which should be included in all the processes of the company but, however, is not, at least in Spain. If we focus on the management system and forget that continuity should be practical, we will end up seeing business continuity as a waste instead of an investment.

The Business Continuity Awareness Week, led by the BCI, recently took place with one main objective: to show the ROI of continuity, and I think we should learn from it.
Although obviously BSI, as promoter of the event, has to focus the talks on management systems, it is urgent and essential to update the messages to a different market reality, mainly in the IT area. It makes no sense to talk about taking a tape out of the data centre when all companies are talking about backup in the cloud, making a third copy in a public cloud, for example.

Monday, 24 February 2014

Auditing Providers: Intrusion or Need?

By Moises Lopez Soto

In recent years there has been a diversification in the way services are delivered, increasing the number of providers that make up the supply chain and, therefore, the complexity of controlling all the components needed for a successful final result. Trends such as outsourcing some time ago and, more recently, cloud are clear examples.


Every day we face the challenge of ensuring the business continuity of our organization with a high number of external agents and, in some cases, these external agents can be absolutely essential to the future of our company. That is why we must act proactively to strengthen the links in the whole chain, minimizing risks and cushioning the impact that the break of a weak link could have on our business. This is already a complex task when we have to control processes and resources internally, so it is easy to assume that it is much more complicated with external agents, which have full freedom to be independent in their processes and in the way they deliver their services.

SLA is not enough

Establishing Service Level Agreements is completely valid and necessary in areas of service such as capacity and availability, but when we talk about continuity it becomes insufficient. Among other things, this is because we are not referring to the supplier's ability to deliver the service, but to their ability to keep delivering it after suffering a contingency.

The most common solution is diversification, relying on a model of "duplicity" on a provider-per-service basis, with a relation of N to 1 and a minimum of two, just as if it were load balancing in a data network. In some cases this is the usual way to deliver the service; in other scenarios it means an increase in the resources required for service management, with a greater workload for staff, but, nevertheless, it is NOT a valid solution for all services. For example, it is not usually possible to establish this kind of countermeasure when we are talking about business-critical services such as providers of essential services (electricity, water, etc.), when the solution is too complex or too expensive, when there is a monopoly, or when there is a single infrastructure common to different suppliers. In any case, it seems absolutely clear that the relationship model between provider and company has to be strong enough to carry out all contingency scenarios just as if they were the same company.

Audit process, an interesting weapon

The day may be close when ISO 22301 (or similar) will be required in order to provide some kinds of services, just as ISO 28000, ISO 9000 or even ISO 20000 are required today, but until that day arrives, audit processes become an interesting weapon. On the one hand, they bring a very significant strengthening of the customer-provider relationship, and on the other they help to raise awareness of, work on and improve business continuity in both companies.
It is true that providers can refuse, as we saw at the event supported by SIA last year, but it must be the customers who assign some weight to the business continuity countermeasures that their providers include in their service delivery proposals.

Providers should consider audit processes as a turning point in their business continuity activities or, if they have done nothing before, as a starting point, to provide resilience to their own business, having the opportunity to strengthen and enhance the relationship with their customers and, at the same time, obtain a business and marketing return on their actions in this field. On the other side, customers should approach them constructively, focusing on growth and providing support and advice to the audited provider. Definitely a win-win relationship.

Nowadays, audit processes are called to be the main element in ensuring the strength of the business continuity management system and, with it, the resilience of the company, so they seem to be more a need than an intrusion.

Wednesday, 28 March 2012

BCAW webinars

These are the webinars delivered during the Business Continuity Awareness Week, sponsored by the BCI.

Adopting Cloud In Your Backup Strategy
BCM Frameworks: From Best Practices to Standards to Overarching Models
Burst out of your own personal silo: find out who else is interested in disasters
Business Continuity Awareness for Senior Management
Business Continuity in the Supply Chain
Business Continuity Management Systems
CM² Maturity Model
Business continuity awareness for senior management (French-language session)
Contact Centre Continuity
Continuity as a Service (CaaS)
Corporate Business Impact Analysis-Why Bother?
Cyber Preparedness-Time is Not on Your Side
Establishing a Governance framework for an effective BCM
Getting Started with BCM
Horizon Scanning - What could Business Continuity look like in 2040
Horizon Scanning, new threats, new skills, new challenges the next 5 years
How to check your Business Continuity Management System?
How to Effectively Use Social Media Before and During Disasters
How to Successfully Implement a Business Continuity Management Program
Identifying Key Suppliers
Infrastructure Impact Analysis
Integrating Cyber Threat Protection and Business Continuity Planning
ISO 22301 Business Continuity Management Systems
Learning from Earthquakes, Non-Structural Retrofitting and Other Mitigation Meas
Preparing for the 2012 Games- What should you do in the time left?
Preparing for the 2012 Release of ISO 22301
Preparing your Communications Strategies for London 2012
Puzzle Pieces: Are You Seeing the Entire Planning Landscape
Risk Management Strategies for Protecting Enterprise Supply Chains
Why a formal certified BCMS? “Due Diligence”-Talking the Language Management

Wednesday, 3 August 2011

Historical evolution of norms, standards and legislation in BCM

Before the expected ISO 22301 is published and, probably, becomes the worldwide reference standard, it is convenient to review the set of guides and standards that currently show the way in business continuity.

The first standard worth remembering is NIST 800-34, "Contingency Planning Guide for IT", from the US government. This is the standard in which some terms and definitions began to be used that have endured over time: DRP, COOP, BCP, etc. It was published in 2002 and was, without any doubt, the first statement of intent in IT service continuity.

At the same time, the Business Continuity Institute (BCI) published the first version of its Good Practice Guide (GPG), which would later become the seed of the BS-25999 standard. It was more focused on business continuity than 800-34. In 2003 BSI decided to use it as a base to develop a standard, publishing PAS-56 (Publicly Available Specification). This PAS was in force until the publication of BS-25999-1, which repealed it in 2006. At the same time, BS-25999-2 was launched, describing the management system and the certification scheme.
Standards development organizations from Singapore and Australia have traditionally been aware of business continuity and have published different norms and standards that complement the "occidental" standards. Singapore, for example, published SS507 BC/DR Service Providers, which seeks to define the characteristics that providers have to meet in order to be certified as a BC provider. For a while this standard was considered a rival of BS-25999 in the fight to establish the base of the new ISO standard, but it was not widely used in other countries.

In 2006 BSI published the PAS-77 standard. It was focused on covering the IT service aspects that were not taken into account in BS-25999 and was primarily motivated by that criticism. In 2008 this standard became BS-25777 IT Service Continuity Management, and in 2011 it became ISO 27031, although it is not expected that this standard will have a certification scheme in the future. It is important to note that the committee in charge of developing this standard is 27 (IT) and not 22 (societal security).
The following picture shows a timeline that may clarify this landscape of norms and standards:
I hope 22301 will become the definitive standard that gives a boost to the business continuity sector from a certification perspective.