Monday, 24 February 2014

Auditing Providers, Intrusion or need?

By Moises Lopez Soto

In recent years, the way services are delivered has diversified, increasing the number of providers that make up the supply chain and, therefore, the complexity of controlling all the components needed for a successful final result. Trends such as outsourcing some time ago, and more recently cloud, are clear examples.

We find ourselves every day facing the challenge of ensuring the business continuity of our organization with a high number of external agents and, in some cases, an external agent can be absolutely essential to the future of our company. That is why we must act proactively to strengthen the links in the whole chain, minimizing risks and cushioning the impact that the break of a weak link could have on our business. This is a complex task when we have to control processes and resources internally, so it is easy to assume that it will be much more complicated with external agents, which are fully free to be independent in their processes and in the way they deliver their services.

SLA is not enough

Establishing Service Level Agreements is completely valid and necessary in areas of service such as capability and availability, but when we are talking about continuity it becomes insufficient. Among other things, this is because we are referring not so much to the supplier's ability to provide the service as to its ability to keep delivering it after suffering a contingency.

The most common solution is diversification, relying on a model of "duplicity" on a provider-per-service basis, with a relation of N to 1 and a minimum of two, just as if it were load balancing in a data network. In some cases this is the usual way to deliver the service; in other scenarios it means an increase in the resources required for service management, with a greater workload for staff. Nevertheless, it is NOT a valid solution for all services. For example, it is unusual to establish this kind of countermeasure when we are talking about business-critical services such as providers of essential services (electricity, water, etc.), when the solution is too complex or too expensive, when there is a monopoly or when there is a single infrastructure common to different suppliers. In any case, it seems absolutely clear that the relationship model between the provider and the company has to be strong enough to handle all contingency scenarios just as if they were the same company.

Audit process, an interesting weapon

The day may be close when ISO 22301 (or similar) is required to provide some kinds of services, just as ISO 28000, ISO 9000 or even ISO 20000 are required, but until that day arrives, audit processes are an interesting weapon. On the one hand, they would significantly strengthen the customer-provider relationship and, on the other, they would help to raise awareness of, work on and improve business continuity in both companies.
It is true that providers can refuse, as could be seen at the event supported by SIA last year, but it must be the customers who assign some weight to the business continuity countermeasures that their providers include in their service delivery proposals.

Providers should consider audit processes as a turning point in their business continuity activities or, if they have not done anything before, as a starting point to provide resilience to their own business, with the opportunity to strengthen and enhance the relationship with their customers and, at the same time, to obtain a business and marketing return on their actions in this field. On the other side, customers should approach audits constructively, focusing on growth and providing support and advice to the audited provider. In short, a win-win relationship.

Nowadays, audit processes are called to be the main element in ensuring the strength of the business continuity management system and, therefore, the resilience of the company, so they seem to be more a need than an intrusion...

Thursday, 3 October 2013

When Government shuts down

By Jorge García Carnicero

The decision taken by the United States Congress not to finance the Government is a continuity scenario that is going to bring multiple inconveniences to citizens and will provoke the activation of different contingency plans in organizations and among people.

But first of all, what is a Government shutdown? It is a situation in which the Government stops delivering public services that are not basic because it lacks the money to pay for them. This situation is due to the separation of decision-making groups established by US law, under which the federal budget depends on Congress (composed of the Senate and the House of Representatives) and has to be countersigned by the President. In some circumstances, such as when the President and the parliamentary groups that control Congress differ in political terms, there may be divergences between them, so that the budgets are not approved and, consequently, public activity is left without funding.

Last 30 September, the House of Representatives, controlled by Republicans, and the Democrat-controlled Government did not agree on the deadline of the health assistance law, which provoked the government shutdown. This meant sending 800,000 public servants home and stopping the activity of all the agencies in the United States that are considered not critical. Moreover, since the Government has reached the top of the approved budget, if a new budget is not approved, the United States will declare a suspension of payments next 17 October.

The consequences of the Government shutdown are many, as can be imagined. Below we analyse this situation from different perspectives:

For agencies in the United States

Agencies are stopping their activities and carrying out the contingency plans associated with each one. Those plans will be published in the following link of the White House

For providers of Government agencies

It is clear that Government activity generates business for a lot of providers. These providers will be affected, because activity is going to decrease and so will income. The longer the shutdown lasts, the more the providers' losses will grow. It is difficult to think of a contingency plan covering this situation, other than insurance.

For companies depending on Government services

There are a lot of companies that depend on government activity. Apart from administrative activities, we are talking about, for example, public transport, needed to take people to their workplaces, or customs services, needed for imports.

For public servants

As said before, the shutdown is going to send close to 800,000 public servants home, without salary, until Congress approves the new budget. This situation can cause financial problems for their families, and each public servant will have to cope with the measures they planned in advance, if they planned any.

There are other agents affected, such as companies with a very high dependency on retail trade and all those businesses that depend on agencies' actions. As an example, the validation of mobile phones.

From the perspective of the administration as a provider of business continuity services, companies and continuity managers in the United States have to take into account that the following services are affected:
  • FEMA: the disaster recovery information is not being kept up to date, although requests for help are still being taken through disasterassistance.gov
  • Ready.gov: the website information is not up to date.
  • NOAA (National Oceanic and Atmospheric Administration) is not operative, while the NHC (National Hurricane Center) is operative and working properly.

Wednesday, 28 March 2012

BCAW webinars

These are the webinars delivered for Business Continuity Awareness Week, sponsored by the BCI.

Adopting Cloud In Your Backup Strategy
BCM Frameworks: From Best Practices to Standards to Overarching Models
Burst out of you own personal silo, Find out who else is interested in disasters
Business Continuity Awareness for Senior Management
Business Continuity in the Supply Chain
Business Continuity Management Systems
CM² Maturity Model
Conscientisation pour la continuité des affaires auprès de la direction
Contact Centre Continuity
Continuity as a Service (CaaS)
Corporate Business Impact Analysis-Why Bother?
Cyber Preparedness-Time is Not on Your Side
Establishing a Governance framework for an effective BCM
Getting Started with BCM
Horizon Scanning - What could Business Continuity look like in 2040
Horizon Scanning, new threats, new skills, new challenges the next 5 years
How to check your Business Continuity Management System?
How to Effectively Use Social Media Before and During Disasters
How to Successfully Implement a Business Continuity Management Program..
Identifying Key Suppliers
Infrastructure Impact Analysis
Integrating Cyber Threat Protection and Business Continuity Planning
ISO 22301 Business Continuity Management Systems
Learning from Earthquakes, Non-Structural Retrofitting and Other Mitigation Meas
Preparing for the 2012 Games- What should you do in the time left?
Preparing for the 2012 Release of ISO 22301
Preparing your Communications Strategies for London 2012
Puzzle Pieces: Are You Seeing the Entire Planning Landscape
Risk Management Strategies for Protecting Enterprise Supply Chains
Why a formal certified BCMS? “Due Diligence”-Talking the Language Management

Thursday, 13 October 2011

BlackBerry and Continuity

The BlackBerry incident seems to have become the worst incident in the history of communication services and, without any doubt, will appear in the introduction of most presentations by business continuity providers. With service down since Monday morning, the incident recalls the one that occurred in 2003, when the Vodafone network was unavailable in Spain for a day, affecting 8 million users. After that incident, which brought losses in the millions for Vodafone, the operator became aware of the importance of having an effective business continuity plan and established the internal mechanisms required to make it real.

The 70 million BlackBerry users without service show that perhaps it is not such a good idea for the service and the terminal to be provided by the same company. If BB's strategy had been in question for some time, this latest incident will make operators question whether it makes sense.

From a BC point of view, the analysis of the BB crisis could be done in three ways:
  • As a BB user (residential, self-employed, SOHO or big company), the incident tests the contingency mechanisms defined to guarantee delivery of the PIM (Personal Information Mobile) service to the users, most of them highly critical for some business.
  • As an operator, those that have packaged products around the BB service must now respond to the users, because they market the service and bear the responsibility. The operator must update its business continuity plan, increasing the probability of failure of its provider, BB, and establishing the mechanisms and funding required.
  • BB, as a provider, must face a number of challenges to survive in a market in which there is great competition between mobile device operating systems, and with increasing demand for the two main ones: iOS and Android. Apart from that, the company's shares are falling as quickly as the perception of its reliability, which will be very difficult to recover.

We can only wish the BB crisis managers luck, and that the service recovers soon.

A positive point to highlight from the BB crisis management is the publication of information. Tracking the incident online has been a good idea, although it was carried out too late, because at some moments there has been a lack of information.

Thursday, 8 September 2011

Suppliers are important

Although it sounds like a cliché, providers are often the forgotten ones in business continuity plans. It is often forgotten that there are services that are essential for our products and services to be delivered, and that these services are provided by third parties that do not depend on us. It is clear that the dependency on providers will differ depending on the industry of our business, and so will the measures we have to implement to guarantee continuity in their services and resilience in our business. Sometimes we have to establish a dual provider policy, in which we will have a principal provider and a backup provider. In other cases, we will have alternative methods to guarantee the service delivered by the provider, but it will always be necessary to carry out a risk and impact analysis and determine the cost of the backup solution.

Below I will give three examples of continuity of providers:

IT may be the field in which the continuity of suppliers has traditionally been taken into account, mainly because, as I said in a previous entry, technological evolution has been ahead of business requirements. Any serious data center has a generator that guarantees the supply of electricity, for example.
Another important role of providers in this area lies in the fact that many services have been outsourced. In this case the dependence on suppliers is total and, as the sense of loss of control is inevitable, providers are required to deliver guarantees of service even in conditions in which the company would be unable to keep

The second example is in the field of distribution. It is what is called continuity of the supply chain, and it is essential for any large establishment. The losses that a failure in the supply chain can generate in a department store can be worth millions, since much of the business depends on the replenishment of goods.

Finally, another example of the importance of suppliers is in the financial sector which, while focusing its attention on IT service continuity, arguably could not operate an office without receiving cash every morning from the corresponding security company.
In conclusion, providers are vitally important in most businesses and should not be underestimated. It is necessary to look for the best plan to guarantee that the unavailability of a provider will not impact the delivery of our services and products.