Showing posts with label Scope of BC. Show all posts

Monday, 10 February 2014

BCMS testing, prepared or not…?

By Moises Lopez Soto

Let's talk about testing in a Business Continuity Management System, starting from the premise that testing is an absolutely crucial, indeed MANDATORY, element: without it we cannot claim to really have a Business Continuity Management System. Not in vain, a complete phase of the Deming cycle (PDCA) is dedicated to it. So let's not dwell on the need for tests; we take that point as settled and focus on how we do them, or rather on the "preparation" for them.


When the time comes to check that what was previously planned and done actually does its job, and that the chosen strategy will cover and give the necessary support to the company in the field of Business Continuity, nervousness often comes over those responsible for carrying out each of the established schedules, and the operational side enters a brewing cycle that is usually excessive.


We want to run a test, so we consult the members of the various existing committees about their availability, because there is often a member of Senior Management whose time is money (so far, this can be considered normal planning); we then consult and agree with those responsible for the different IT systems and applications that may be affected by the test; we go to the users and their managers to inform them that they will take part in a test; and so on. Outcome: with luck, we will have kept the day and time of the test secret.

Doing a Plan - Do - Check - Act of the test itself, the question is: is it really necessary?
Perhaps the question to answer when we analyse how a test is performed is: when would we rather be fired (to exaggerate greatly), during a real contingency or after performing a failed test? Personally, if I belonged to senior management and someone assured me of Continuity on the strength of testing, and later, for whatever reason, the plan had to be activated and did not work because the contingency had logically NOT been prepared for, heads would roll…

With this, we do not mean that it is unnecessary, especially at the beginning, to make some preparation before launching a test, but that too much preparation invalidates the results we obtain from the test.
However, if we go to the other extreme and focus on tests without notice, we can also run into some problems and risks, for example breaking the maxim "Let Business Continuity NOT jeopardize the business" and causing ourselves a contingency of major proportions. Furthermore, it is not good for groups with functions within the business continuity plans to become accustomed to receiving plan-activation alerts without prior notice, since they may fall into apathy and think "one more test" when dealing with a real contingency.
Therefore, the most sensible proposal is alternation, understood as carrying out both prepared tests and improvised tests (knowledge of which is restricted to a minimum number of people), so that Business Continuity knowledge and culture are encouraged in the company while much more objective feedback is obtained.

In any case, one way or another, it is always important to keep in mind when we are going to run a test that what we must seek is the failure, the vulnerability of our plans, the unexpected, obtaining lessons learned to maintain continuous improvement. Except for inclement weather, contingencies do not ring the doorbell, they knock down the door. Above all, each test carries the imperative need for further testing, inasmuch as repetition is a proven method of learning and a perfect way to embed the automatic responses that will be absolutely necessary when stress grips our reasoning ability. How can we achieve this?

"A Business Continuity Test should not jeopardize the company, but it must provide sure knowledge of your Resilience"

Thursday, 1 November 2012

In a disaster like the one in New York, can we be prepared?

Collaboration by Moises Lopez, Business Continuity Consultant at Grupo SIA
From my point of view, except for multinational companies with a global and diversified market that do not depend on one or two locations, very few companies can withstand a disaster like this one.
When identifying the resources required for business continuity, every organization can estimate the amount of resources it will need to ensure its resilience for each activity. Taking a deeper look at some of the main resources supporting business, we can find:
  • People: welfare has to be a priority and, in this case, forecasts and public warnings are an advantage in ensuring their safety. Except for emergency services, nobody should be at their jobs; moreover, in this case there have been some victims.
    With the city paralyzed and employees only available in their homes, will technology alone support all the business? Is the workforce prepared to carry out its activities when its city is under emergency?
  • Technology: with power outages and floods, it is very difficult to maintain an adequate service level, even if our IT infrastructure is based in the Cloud. Even more, can we be sure that our employees' communication providers will still deliver services in this scenario?
  • Providers: we can have the most restrictive service level agreement, but in this scenario it will be worthless paper. Moreover, we can have backup providers, but will they deliver the service properly? Can they deliver services even in scenarios in which we cannot?
  • Locations: when the city is not available, will our facilities be available?
We can have a business continuity plan, with a communications plan properly defined and the response and emergency procedures also established; we could even have decided to establish our backup datacenter in another city, but our budget and technology might only be enough to put it in New Jersey, for example… If despite all these measures we cannot restore our business, then we can only hope for help from the government or the payout of an insurance policy.
As a conclusion, if the scope of unavailability is as large as our city and its surroundings, it will be time to start from the beginning... Or would it be realistic to consider a scenario of "unavailability of the whole city" in our plan, if the city is our main operations center? How many companies in Spain would be able to assure their resilience in such a large disaster?

Tuesday, 25 September 2012

Sabotage

Yesterday, talking with the head of Business Continuity consultancy at one of the main companies in the industry in Spain, we had doubts about whether the case of sabotage of the power infrastructure at Rayo Vallecano's stadium should be considered as a scenario in Business Continuity plans.

The power failure forced the postponement of the match that Rayo Vallecano and Real Madrid were due to play.
On the one hand, it seems clear that a scenario of lack of power, whatever its origin, must be included in BC plans. Measures to ensure power are very common: generators, two power providers, etc.

On the other hand, the sabotage at the football match between Rayo Vallecano and Real Madrid has two special considerations:
  • The stadium must be available at a specific time and for a relatively short period (2 hours). There is no possibility of playing the match in another stadium (it would be impossible to move 15.000 people), and it is not possible to play at another time, since the main business to be continued is the television broadcast.
  • The internal electrical infrastructure was damaged, so there is no way to use an alternative infrastructure. It has to be repaired.
Since Business Continuity has to focus on the moments after an event occurs, and the plans cover the actions to be taken in those moments, it seems difficult that the staff of Rayo Vallecano could have done anything different had they had a Business Continuity plan. Traditional measures would not have been effective in this scenario because the internal infrastructure was damaged. So this scenario is only useful for analysing risks and defining mitigation measures.

In general terms, when a business depends on somebody doing something at a certain location and time, business continuity plans do not help much: it is not possible to change the actors, the location or the time, so we can only carry out a good risk analysis and try to mitigate the risk as far as we can.

Thursday, 2 August 2012

Thoughts about blackouts in India

It seems that the latest blackouts in India have activated a lot of Business Continuity plans and have made the difference between companies with and without a BC program. Lack of power supply is a clear continuity scenario for which most companies are prepared, mainly through power generators able to support the site's demand for electricity, or at least that of the most important sites.

Another issue to take into account is how to ensure that the workforce will reach their workplaces, since public transport is not available. Moreover, if teleworking is the alternative, how can they work from their homes if there is a lack of telecommunications?

ICTs are one of the resources that will be most affected because of their dependency on power supply. The blackout scenario in India shows examples of resilience from companies whose principal business is IT services, as we can read in this article about Wipro, Genpact and WNS, but it is not a trivial matter.

However, my thoughts go in another direction: can this scenario really be included in the BC scope?
At first glance it seems clear that this scenario has to be included, but thinking about it more deeply, our customers will probably be affected by the same problem, so it makes no sense to be able to deliver our service if our customers are not going to receive it.
In a globalized world, in which we can have customers located near us or in the most remote place on earth, perhaps this reasoning makes no sense, but we have to take into account that most business is done locally, with companies and organizations very close to one another. Investment in resources for these scenarios is not very well justified.
As an example, we can think of a clothing store: it is difficult to have our store full of customers during a blackout like the one that took place in India. Every street and every shopping center is in the dark.

As a conclusion, and as advice as well, when defining the scope of our Business Continuity plans we must evaluate each scenario thinking about the situation of our customers, because perhaps I recover my services and there is nobody to use them.

Monday, 9 July 2012

Legionella, a real threat

As every year at this time, in Spain we face recurring news about Legionella, whose impact is very high, not only from a health point of view but also for business continuity. This year the focal point has been a hotel in Calpe, closed since 3rd July, and a restaurant in Mostoles, where 52 people have been affected and one person has died.

The first Legionella infection of large proportions occurred in 1977, during a convention of the American Legion in Philadelphia. In the hotel in which the convention took place there was an outbreak of an infectious disease that killed 34 people and affected more than 180. Studies determined that the source of infection was a bacterium that had been spread by the hotel's air conditioning and, because of the nature of the conference attendees, it was named Legionella.
In Spain, Legionella prevention is regulated by Real Decreto 865/2003, of 4th July 2003, which identifies the different health and hygiene procedures for the prevention and control of legionellosis. As with every health activity, the RD identifies actions to carry out both to prevent an outbreak and to act in case one takes place.

Leaving aside the health and hygiene aspects, from a business continuity point of view the most important chapter of the whole RD is number 12, which identifies the activities to carry out in facilities when an outbreak is detected. This chapter states the following:
"In the presence of cases or outbreaks, or of facilities in very poor condition, contaminated by Legionella, obsolete or poorly maintained, the health authority may order the temporary closure of the facility until the defects are corrected, or its decommissioning. These facilities may not be placed back in operation without the express permission of the competent health authority."
If we rely on the historical cases that have occurred in recent years, we could say that the risk is significant, and therefore the scenario of facility unavailability is more than justified, mainly for the facilities most prone to the proliferation and spread of Legionella, identified in the RD as follows:
  • Cooling towers and evaporative condensers.
  • Hot water systems with storage and return circuit.
  • Heated water systems with constant agitation and recirculation through high-speed jets or air injection (spas, Jacuzzis, pools, basins or therapeutic tubs, whirlpools, jet treatments, etc.).
  • Industrial central humidifiers.
That means every installation with refrigeration and/or air-conditioning systems is likely to host a Legionella outbreak, mainly if proper maintenance that guarantees everything is clean is not carried out.
Even more, the RD also includes sanctions, classified as minor, serious or very serious, with economic penalties from 30.000€ to 600.000€, which should also be taken into account by those responsible for business continuity.

As a conclusion, we can say that Legionella must be taken into account when identifying business continuity scenarios, carrying out the following actions:
  1. Identify the level of responsibility of the company for the refrigeration system and cooling towers.
    • If the site is owned, the company has to carry out reviews and regular checks.
    • If the site is rented, the company has to require the lessor to perform the checks.
  2. Perform an impact analysis, varying over time, in which economic sanctions are taken into account.
  3. Define the actions to be performed in case an outbreak is detected: alternative sites, communication procedures for employees and customers, media communications, etc.

Saturday, 5 May 2012

Business Continuity and Operational Risk

After the recent decision of the Argentine government to nationalize YPF, followed by the Bolivian government doing the same with the REE subsidiary, a debate has started in various business continuity forums about whether or not this scenario should be included in the scope of Business Continuity plans. Does a Business Continuity manager really contemplate the possibility of an expropriation? And, by extension, should bankruptcy scenarios or extremely adverse economic situations, like those caused by the economic crisis, be included in the scope of the plans? It is not a trivial question, since the scope will determine the economic requirements of the Business Continuity program and the roles that will be responsible for BC in the organization.

An answer to this question can be found in operational risk management and its integration with Business Continuity management. Operational risk management seeks to analyse those factors that can negatively affect the business, defining them, as in every risk analysis, by probability and impact.

In some industries, such as finance, operational risk management is common practice. In fact, financial system regulation (Basel II) defines operational risk as:
“The risk of loss resulting from inadequate or failed internal processes,
people and systems or from external events.”

This is quite similar to a risk analysis from a Business Continuity point of view.
Going deeper into Basel II, it defines seven categories of operational risk:
  • Internal fraud;
  • External fraud;
  • Employment practices and workplace safety;
  • Clients, products and business practice;
  • Damage to physical assets;
  • Business disruption and systems failures;
  • Execution, delivery and process management.

Although some of these categories seem quite close to Business Continuity categories and scenarios, not all of them need to be included in our business continuity plan. For example, damage to physical assets can be covered by our BC plan, including an IT service recovery plan and all the recovery procedures. However, internal and external fraud seem to be far removed from Business Continuity.

As Richard Wartered, from Marsh Risk Consulting, stated in the BCI workshop Risk, Resilience & Continuity, the BC management process and operational risk management must begin at the same time and independently, joining their results when defining risk mitigation strategies.

It is necessary to take into account that the objectives of BC are to recover the service or the delivery of the product after a disaster or disruptive event occurs, whereas risk management has to be focused on preventive actions, before the disaster occurs.

In order to define the BC scope, the best practice is to follow BS 25999, and hopefully ISO 22301 soon, which define five components that have to be included in the plans:
  • people (7.3)
  • premises (7.4)
  • technology (7.5)
  • information (7.6)
  • supplies (7.7)

As I explained in my previous post (Components supporting business), depending on the characteristics of the business, each component will have a specific weight in the delivery of services or products.

Wednesday, 28 March 2012

BCAW webinars

These are the webinars delivered for Business Continuity Awareness Week, sponsored by the BCI.

Adopting Cloud In Your Backup Strategy
BCM Frameworks: From Best Practices to Standards to Overarching Models
Burst out of you own personal silo, Find out who else is interested in disasters
Business Continuity Awareness for Senior Management
Business Continuity in the Supply Chain
Business Continuity Management Systems
CM² Maturity Model
Conscientisation pour la continuité des affaires auprès de la direction
Contact Centre Continuity
Continuity as a Service (CaaS)
Corporate Business Impact Analysis-Why Bother?
Cyber Preparedness-Time is Not on Your Side
Establishing a Governance framework for an effective BCM
Getting Started with BCM
Horizon Scanning - What could Business Continuity look like in 2040
Horizon Scanning, new threats, new skills, new challenges the next 5 years
How to check your Business Continuity Management System?
How to Effectively Use Social Media Before and During Disasters
How to Successfully Implement a Business Continuity Management Program..
Identifying Key Suppliers
Infrastructure Impact Analysis
Integrating Cyber Threat Protection and Business Continuity Planning
ISO 22301 Business Continuity Management Systems
Learning from Earthquakes, Non-Structural Retrofitting and Other Mitigation Meas
Preparing for the 2012 Games- What should you do in the time left?
Preparing for the 2012 Release of ISO 22301
Preparing your Communications Strategies for London 2012
Puzzle Pieces: Are You Seeing the Entire Planning Landscape
Risk Management Strategies for Protecting Enterprise Supply Chains
Why a formal certified BCMS? “Due Diligence”-Talking the Language Management

Friday, 10 February 2012

Megaupload and Spanair

A lot has been written about the Megaupload shutdown, most of the articles related to ethics and Internet piracy; however, there are some consequences of the shutdown that can be useful from a Business Continuity perspective: the cloud service that Megaupload delivered.
There were a lot of users who stored information in Megaupload as an alternative site to back up their data and, in some cases, even as a primary site. In my past post Home Continuity, this kind of cloud service, like YouTube, Picasa or Dropbox, was described as a good solution for backing up data. However, the Megaupload experience makes us think about the choice of cloud service provider if the information we are going to store is relevant. In the worst scenario, this information can disappear.
Carried over to business, perhaps we think it is unlikely that a cloud service provider stops delivering its services and that, if this occurs, we can continue with the old provider until we find a new one. But I suggest that every company review the agreement it has with cloud service providers to check whether this agreement really gives you rights in circumstances like a legal shutdown or a company bankruptcy. Along this line, we can see the example of Spanair: if one of these circumstances occurs, the least important party is the customers, because the company no longer has to maintain a good brand image, and in a company in bankruptcy the last group to receive compensation is the customers. Customers of AirMadrid are still waiting to be paid 5 years later.

About Spanair, we can make a final reflection: I do not know whether the bankruptcy was caused by business criteria, because of the profit and loss balance, or perhaps the company was badly hurt by the plane crash in 2008, but what is clear is that there has been deficient business management. For a lot of Spanair's suppliers it will be a domino effect and they are going to be forced to stop their activities.
From a BC perspective the question is: can we include a scenario in which our main customer goes bust?

Tuesday, 6 December 2011

What if we win the lottery

Everybody has at some point thought about what would happen if the winning lottery ticket were shared by all the employees of a company. From a Business Continuity point of view it seems to be a significant risk, but should this scenario be part of the scope of our business continuity program?

It would depend on the probability that this situation occurs (experience tells us it is very low) and the impact that could result if it materializes.

Probability

In the worst scenario (from a BC point of view, of course): all the employees of a company share the winning ticket of the Christmas Lottery, which pays 400.000€ for each ticket. Assuming that each employee has only 1 ticket and that every employee's reaction is to leave their job with this 400.000€ (at least for a year...), this represents a probability of 1 in 100.000 of losing 90% of the workforce on 22nd December.
This probability is really low (0,00001), but anything can happen.

Impact

The impact that losing employees can cause will depend on each organization. As I explained in my previous post Components that support business, each organization has a different percentage of dependence on the five kinds of resources that support business: Premises, People, Technology Infrastructure, Information and Suppliers. Companies with a low dependence on Human Resources can stop reading. For the other companies, continue....

If we have a high impact because of a lack of human resources, the risk could begin to be taken into account and, so, it could make sense to identify measures that could mitigate the impact this situation could cause. Here we have to analyse two concepts:
• Losses to the organization in case of a lack of 90% of the staff. Some organizations have done this analysis because of the influenza A pandemic two years ago, and the losses would grow exponentially.
• How much it costs to replace personnel. Here we have different procedures to act in case of a disruption, depending on the position of the employee. Some of them will be very difficult to replace and specific procedures have to be prepared for them.
Once this analysis has been done, the next step is the countermeasure. Each organization has to establish its own countermeasures that would allow it to recover the business in the minimum time when there is a lack of human resources. However, there are two actions that are advisable for every organization:
1. In order to guarantee that the organization will have enough budget to face the lack of personnel, it is advisable to hold a corporate share of the ticket, with the number of shares whose prize would cover the cost of the contingency procedures.
2. To protect key people, the organization should establish an agreement through which employees guarantee they will keep working after the lottery draw, for example by shielding the contract.
Good luck to everybody next 22nd December; hopefully there will be a lot of BC scenarios like this one.

Saturday, 22 October 2011

One threat less: time to update the plans

We are used to enlarging business continuity plans with new threats and risks, based on what is happening. It is normal to update plans with threats and scenarios not covered initially. But this time it is just the opposite: updating business continuity plans by eliminating a threat, or at least reducing the risk of a threat materializing. I am talking about the announcement of the end of violence by ETA.

If we analyse the main causes of activation of business continuity plans (excluding IT), we can say there are three main causes of activation:
• Heavy snowfall, which prevents employees from reaching their workplaces.
• Lack of delivery by suppliers, for example the power outages and fires in electrical substations that affected the Retiro area in 2008.
• Consequences of terrorist attacks, such as the bomb at the Bull building in Campo de las Naciones in 2005, which prompted the evacuation of nearby buildings (Correos, Endesa, Cepsa, etc.), or the one in 2009, which we recall here in a video.

From now on, we can begin to evaluate this third threat as a lower-probability threat, although unfortunately there will always be groups willing to spread terror in this way. Certainly, ETA was the most important terrorist attack threat in Spain.

The announcement is very good news that we all expected, and we want it to become final so that we can remove this threat from our business continuity plans. Hopefully it will not be the last threat that we discard.

Wednesday, 10 August 2011

Components supporting Business


Business continuity has been promoted mainly by two industries: finance and insurance. These two industries have some common characteristics that could explain their maturity in business continuity programs:
• They have specific regulation, usually backed by economic sanctions, like Basel and Solvency.
• Their principal business processes are concentrated in not too many locations, mainly data centers and call centers, which makes it easy to guarantee resilience. It would be enough to back up these central locations, because the other facilities are not as important for the continuity of the business.
• The degree of industrialization and automation of their processes is very high. This makes them highly dependent on the information technology infrastructure, which means that backup and restoration measures also cover a high percentage of the business.

In Spain, these two industries have historically stood out for their preparation: one of them with recovery services related to their data centers, and the other going a step further with recovery facilities equipped with workstations.

As a result of the over-development of IT service continuity, nowadays every data center, no matter whether it is big or small, hired or owned, has its own recovery measures, giving a false feeling of protection. A high number of directors think that they have a good business continuity program only because they have a recovery data center, even though the main business processes are not supported by IT infrastructure and, therefore, are not backed up.

It would not be effective to recover the IT infrastructure of a hospital when a Legionella infection has taken place, for example. The same would apply to most of the disaster scenarios that could be included in the scope of a hospital's business continuity program. What is the problem then? We must identify what the components that support the business are.

The best way to identify these resources is to use the ones identified in BS 25999-2, that is:
• people (7.3)
• premises (7.4)
• technology (7.5)
• information (7.6)
• supplies (7.7)

Without using any statistical method, it is possible to identify each industry's dependence on the different types of resources described above. This is what I want to describe in the following graphs:

It is clear that, in the financial industry, IT infrastructure supports a high percentage of the business, taking into account other issues, like the providers in charge of distributing cash to all customers every morning in order to cover their needs. So it would be easier for them to be prepared than, for example, a hospital, in which all components have to be taken into account in a similar way.

As a conclusion, one of the first steps required to develop a business continuity program is to identify which component is essential to guarantee the delivery of products and services to customers for each of the scenarios included in the scope of the program. It is good practice to use the five components of business continuity identified in BS 25999-1.