Announcing a New DRI Istanbul Networking Opportunity

A Letter from DRI’s President, Alan Berman:

DRI International and DRI Istanbul are pleased to announce the formation of the new Business Continuity working group of DRI Istanbul, called Exchange by DRI Istanbul. The group is being formed as a result of the demand that followed the DRI2014 Istanbul Business Continuity Forum, the first such conference ever held in Istanbul. This new organization will allow professionals from Business Continuity, Risk Management, Emergency Response, Crisis Management and other related disciplines to have a forum and a meeting place to share information, ideas and experiences.

Exchange by DRI Istanbul will serve as a professional working group, create an active networking platform for BCM professionals, and serve as a value creating professional network. Technical papers and articles will be created based upon subgroup studies by expert teams, utilizing the DRI International tacit know-how. For further details, please visit the DRI Istanbul website.

Exchange by DRI Istanbul will be chaired by Ender Bebek. Ender is the HSBC Regional Business Continuity Relationship Manager and Chairman of the BCM Working Group for Turkish Banking Association. He has over 18 years experience of Resilience, Sustainability, Crisis Management in a variety of industries. Ender has a number of articles published and is a recognized expert and frequently sought out guest speaker in and out of Turkey. He holds the IRCA Lead Auditor qualification and will receive the DRI International CBCP certification. We invite you all to contact the President of Exchange by emailing ender@drii.org.

Exchange by DRI Istanbul will periodically meet on a quarterly basis, hold annual meetings, organize annual events and implement a BCM Award program. Most importantly, Exchange will position itself as a hub networking group for East Europe, Middle East and North Africa.

Admission to the users group will be free of charge and is open to all. By creating a MyDRI account, all Exchange Members will be able to avail themselves of all materials and will be able to contribute to the Working Group studies. Exchange Members will also have access to webinars and information provided by Exchange Members, DRI International and DRI Istanbul; including all the exceptional presentations given at the DRI2014 Istanbul Business Continuity.

We look forward to having you as a part of this exciting new venture!

Thank you,

Alan Berman
President/CEO
DRI International

 

 

New THRIVE! Middle East Edition Out Now

DRI is excited to present a special edition of its online magazine, THRIVE! This issue offers readers a first-hand look at the rising business continuity trends in the Middle East and the work of DRI-certified professionals in the region.

As a result of recent business continuity forums held in Abu Dhabi and Qatar, our growing community of certified professionals requested a DRI publication targeted to resiliency matters in the Middle East – matters that are universally relevant to BC pros around the world.

In this issue you’ll find:
• An interview with Mohammed Al Jenaibi, CBCP
• A guide to dealing with your vendors’ BCM planning
• A spotlight on DRI Istanbul’s first-ever Business Continuity Forum
• And more!

Click here to read the issue, and catch up on previous issues of THRIVE! in our archives.

 

Vendor BCM Planning: Don’t Let Your Vendor’s Disaster Become Your Own!

Jerome Ryan

You’ve built your business continuity management program to the highest standards. You faithfully maintain it each year. You’ve performed exercises to ensure everyone’s role is clear. Is it enough? No.

As companies become more comfortable with their own ability to recover from a disaster, they are becoming increasingly uncomfortable with a vendor’s ability to do the same. Regulations and standards — such as OCC Bulletin 2013-29 (United States), BDDK Official Gazette No: 26333 (Turkey), ISO 22301 (international), and NCEMA 7000 (United Arab Emirates) — are beginning to require companies to extend their continuity plans into the trusted relationships with third-party vendors. In fact, the newest version of the U.S. banking regulation, OCC Bulletin 2013-29, even requires companies to look into fourth-party vendor business continuity. Fourth parties are defined as the critical vendors of your critical vendors (thus extending the trusted relationship of continuity further).

What does all this mean to you? It means that your business continuity management program must include vendor business continuity management to ensure protection from internal and external hazards. Vendor business continuity management (BCM) is a program that extends internal business continuity protections to critical vendors, suppliers, third parties, and in some cases fourth parties. Common components include:

  • Identifying critical vendors
  • Developing minimum business continuity guidelines and amending master service agreements (MSAs) and service level agreements (SLAs) to include the right to audit BCM programs
  • Developing an internal response plan for the failure of a critical vendor
  • Creating sample tools and templates to support critical vendors (they may not have the internal knowledge or resources to hire a consultant)
  • Implementing an assessment/verification program to ensure critical vendors’ BCM programs are compliant with your minimum BCM guidelines

The Place to Start

The first step in starting a vendor BCM program is to understand which vendors support the company’s critical business processes. This requires the company to perform an analysis of all vendors to determine those that may be:

  • Sole-sourced
  • Experiencing cash flow issues
  • Operating under a lean/just-in-time model
  • Susceptible to other, related risks

If vendors do not fall into any of the aforementioned categories, they may not be categorized as critical or be part of the vendor BCM program. However, it is recommended critical vendors be evaluated annually or sooner if there are major changes/additions to critical vendors.

In some cases, a vendor is more than just critical. Some vendors may provide key components, without which, the company could fail. This is especially true of sole-source vendors. In the cases of manufacturing, consumer products, pharmaceutical, transportation, and other industries, the lead time to replace a critical vendor may be too long. Not having products on the shelf, combined with negative publicity, may effectively shut a company’s product out of the market.

In these special circumstances, a company should consider building an internal recovery plan to prepare for a vendor’s failure. An internal plan should consider available external supply/outsourced manufacturing, lead times to obtain government (e.g., FDA) approval for alternate manufacturing lines, as well as safety stock. The company may decide to identify alternate vendors, begin regulatory approval of second manufacturing lines, or move away from the sole-source vendor altogether.

Next Steps

For critical vendors, establish a set of guidelines that explain the BCM requirements with which they must comply. These guidelines should mirror the BCM methodology of the company building the vendor BCM program, to ensure a true extension of the trusted relationship. Common components include:

  • Senior management commitment
  • An established BCM methodology
  • A BIA requirement to identify critical business processes and related impacts
  • Recovery plans
  • Regular exercises
  • Regular maintenance

These guidelines should be part of all new SLAs and MSAs with critical vendors. The company also should use the same contractual language with existing critical vendors as contracts are renewed. This will protect the company and hold vendors contractually liable for their BCM programs.

Smaller vendors may not have the ability, knowledge, or resources to comply with a vendor BCM program. It may be necessary, and certainly would be helpful, to provide vendors with a BCM toolkit to support their efforts. Companies should be careful to include legal language that holds the issuing company harmless and states that use of the BCM toolkit does not implicitly or explicitly guarantee recovery from a disaster.

The final step in the process is to monitor and verify vendors’ compliance with the vendor BCM program. This usually can be part of an annual, or regular, vendor compliance assessment. To be both productive and meaningful, the assessment can be neither overly intrusive nor superficial. Questions should dig deeper than “Was a BIA completed?” and ask about specifics such as the date of the last BIA update or the critical processes and associated recovery times.

Summary

In summary, a vendor BCM program is not only another company policy. Rather, it is enhancing and changing the behavior a company takes in selecting, evaluating, and monitoring its collective vendors. Companies must understand that recovery and protection have to extend beyond the company walls. Modern organizations are integrated with and vitally dependent upon many other entities. Even companies in service and financial sectors are vitally dependent on critical vendors. Successful companies focus on their core competencies and rely on partners to fill in the gaps.

So, the next time you’re evaluating your company’s BCM program, remember to look out the door as well as in the mirror.

For Example . . . 

The March 17, 2000 Philips microchip plant fire in Albuquerque, NM is one of the best cases for vendor BCM programs. Nokia and Ericsson, two of the largest mobile phone operators in the world at the time, both sourced critical microchip components from this Philips plant. When a lightning strike caused a small fire, the plant’s clean room was damaged, resulting in the loss of production capacity.

Prior to the fire, Nokia held about a 32 percent market share while Ericsson held about 12 percent in worldwide mobile phone sales. Post fire, Nokia’s mobile phone shipments increased 10.5 percent over the previous year, while Ericsson’s dropped by 35 percent. Why? Nokia reacted quickly and had already prepared for a critical vendor loss prior to the fire, identifying an alternate supplier of microchips. Ericsson, on the other hand, reacted slowly and believed early reports that the fire was small and posed no long-term risk to the supply of microchips.

The total cost to Ericsson was over $400 million USD, including a second quarter 2000 loss of $200 million USD.

 

Jerome Ryan is CEO of both GRM Solutions and DRI Istanbul, where he implements and oversees client deliverables in crisis management, business continuity management, emergency response, pandemic planning, and other risk management practices. GRM Solutions has offices in New York and Istanbul. He may be reached at jryan@grmsolutions.net or http://www.linkedin.com/in/jeromeryan/

Attack on Schools in Yobe, Military-Private Partnership

Philip Keshiro, DRI Nigeria

I had an experience that will explain the topic above.

About 2 years ago, I was in Abuja, on the outskirts, during the days when bombing of churches was the order of the day. I decided around 8 pm to go round and see churches around and get a firsthand experience of why they have become easy targets.

The first church gave me all the reasons I needed. The church perimeter was in total darkness. The church (in my estimation) was on a minimum of 2 plots of land, with only a building at the far end. While praises were on, only two bulbs were lit at the entrance, the inside was fully lit, and anyone could fully see through the activities going on while the onlooker was in darkness.

What are the Issues

  • There is no official or worker outside to monitor happenings outside the church.
  • Why should the perimeter be in total darkness without any illumination?
  • I could have easily dropped a bag containing explosive materials without anyone seeing me.
  • Okada riders were moving around even dropping church members that were late for service, no process of even passive access control by way of greeting and asking questions if a visitor or new member.
  • I stood in front of the church in darkness for more than 30 minutes, nobody noticed me.

The bible says Nehemiah was building with one hand, with the sword on the other hand.

The essence of this story is that public, private and religious organizations MUST be conscious of their environment, and should know about Safety, Security, and Emergency Operations/Response.

Yobe Incident.

I do not have firsthand knowledge of what transpired (but you can relate the story above to a normal school); however, it is important that ALL schools should have the knowledge to do a simple Risk Evaluation and Control of their environment, looking at the following:

  • Threats (What are the negative things that could happen to us)
  • Vulnerability (Weakness) – Lack of power in an environment at night where attacks can occur is a sure weakness (send the children home, turn the school to day).
  • Probability (Can the threat occur. Once you have such occurrence close to you, in another state with same characteristics, it can happen to you). The probability is High, Medium or Low.

With this you make your decision, and make it fast, without unnecessary protocols. Either you want to improve on your control (counter measures – in military) or you want to vacate the environment, since we are looking at loss of lives.  

ALL SCHOOLS (Primary, Secondary and Universities) should start to develop appetite for Safety/Security/Emergency Response capabilities (comprehensively taught in Business Continuity Planning).

For the Schools: What they need to think about:

  • Do your Risk Evaluation and Control
  • You should be able to identify Applicable Emergency Preparedness & Response Regulation (If we have any)
  • You should identify the Potential types of emergencies and the resulting Scenarios / Impacts
  • Identify the Response Capabilities Needed for
    • Protection of Life Safety
      • Evacuation, Sheltering, Shelter-in-Place, Lock down
      • Ability to Account for personnel/students
    • Protection of Property
    • Protection of Environmental Contamination

Military

Again, I cannot say I am an expert in military operations, but I can say a little with my knowledge in Business Continuity Planning.

One important thing I notice is that we do not have a sophisticated communication system.

In modern warfare, communication is as important as eating with water. During the public show of the Terrorist Brigade in the army, with designing eye, I could not see any of the privates or officers with communication equipment. How do you communicate with the Operations center? It is not only the numbers that win a war in this modern warfare; communication plays a big role.

  • Newspaper report: How can an operation go on for 5 hours, without response?
  • How can the barracks be infiltrated (not once, or twice) and equipment damaged?
  • How can we be recording deaths in hundreds or thousands on a monthly basis?
  • Are there special teams within that are equipped with the equipment needed?

A fighter jet even from Lagos should get to Yobe in 2 hours (at most) if informed and ready.

The damage caused by this type of reports is not good, and it makes us to be less than being happy to be called a Nigerian. We want to be proud of our military.

Communications capabilities should include the ability to gather information, coordinate activities, and disseminate instructions and information (DRI International). Do we have this?

 

STATE SECURITY

The State Security like the Homeland Security in US, must promote Business Continuity planning within the private and public sector. This is what is done in US by the Homeland Security. The effect of lack of preparedness is directly related to unnecessary loss of lives.

The military needs the State Security to promote this standard to help detect crimes, and resilience needed during disasters within the public and private sectors.

You CANNOT fight terrorism without the knowledge of Business Continuity Planning. Other countries WILL NOT DISCLOSE THIS INFORMATION.

Please click on the links below:

http://www.techrepublic.com/article/in-wake-of-london-terrorism-business-continuity-planning-follows-pragmatic-course/#.

http://www.slideshare.net/preparis/new-trends-in-terrorism-preparedness-business-continuity

http://www.metts.com.au/counter-terrorism-mngt.html

http://searchdisasterrecovery.techtarget.com/tip/Terrorism-and-counterterrorism-awareness-for-business-continuity-planners

http://www.ifmaphilly.org/professional-development/45-archives/156-effects-of-terrorism-on-business-continuity   

http://www.afro.who.int/en/lesotho/press-materials/item/5312-lesotho-develops-national-business-continuity-plan.html  

You can also conduct your independent search on the internet. The government needs to encourage this knowledge. If the United States and other countries are using this knowledge, it is worthwhile that we take a second look at this topic.

Course Content of BCP

Pre-Planning

1. Program Initiation and Management
2. Risk Evaluation and Control
3. Business Impact Analysis

Planning

4. Developing Business Continuity Strategies
5. Emergency Preparedness and Response
6. Developing and Implementing Business Continuity Plans

Post-Planning

7. Awareness and Training Programs
8. Business Continuity Plan Exercise, Audit, and Maintenance
9. Crisis Communications
10. Coordination with External Agencies

DRI Education Serves Growing Middle East Market

DRI International recently announced a new NCEMA component to its Business Continuity Planning for Auditors (BCLE AUD AE) and Business Continuity Planning (BCLE 2000 AE) courses. While DRI itself is standard-neutral, the organization’s leadership recognizes the need for its courses to reflect a variety of standards, of which NCEMA is now one.

“This reflects DRI’s commitment to the growing Middle East market,” says DRI Managing Director of Global Operations Chloe Demrovsky. “The UAE is a leader in the area of regional preparedness and we are thrilled to act as a key strategic partner with a knowledge and training centre to promote world-class excellence.”

About BCLE AUD AE

The BCLE AUD course (BCLE AUD AE’s parent course) is accredited by the American National Standards Institute (ANSI). BCLE AUD AE is a four-day, interactive program that provides training, tools, and hands-on experience to audit disaster/emergency management and business continuity programs. This course provides an overview of the audit process and teaches the student to audit a business continuity management program for conformity to the chosen standard. Conformity includes the areas of program management, risk assessment, business impact analysis, loss prevention, risk mitigation, emergency operations, business continuity strategies, crisis communications, incident management, training and education, testing and exercises, and program improvement.

About BCLE-2000 AE

BCLE-2000 AE is a comprehensive, four-day course covering the fundamentals of DRI International’s Professional Practices. Students will learn the elements of a disaster/emergency management and business continuity program, understand industry terminology, and learn how to use the Professional Practices to develop a business continuity management program.

Both courses reflect the NCEMA standard and each concludes with an exam. Successful completion of the course and a passing grade on the exam is the first step toward DRI International certification.
For information, visit http://www.drii.org.

DRI’s Interview with Mohammed al Jenaibi

In a recent interview Mohammed Ahmad Al Jenaibi, CBCP, shared his thoughts and experiences with DRI International. We are pleased to bring you this interview and are very grateful to Mohammed for taking the time to talk with us.

Mohammed is an ex-military search and rescue pilot and former Chief of SAR Coordination Centre. He joined NCEMA (National Crisis and Emergency Management Authority) in 2008 as a Director of Safety and Prevention. A Six Sigma black belt, he specializes in quality management and is also an EFQM Auditor, as well as a DRI International Certified Business Continuity Professional (CBCP). He is the lead of the committee which developed and published UAE’s BCM Standard and Guideline (AE/HSC 7000:2012) in 2012. This was the very first BCM Standard in the GCC. He also was the very first BC professional to be awarded a DRI International Award of Excellence as Best Program Leader of the Year for the Public Sector.

DRI: Will you provide a bit of background on NCEMA?

Mohammed Ahmad al Jenaibi: NCEMA was established in 2007 and by 2011 a resolution by president was issued for its roles and responsibilities. I joined in 2008, and by 2009, we started the business continuity management (BCM) project.

During the beginning we sought to do research, and we wanted to know what we were missing in this country and what we needed. We discovered that BCM was one of the important issues to tackle. And in August, 2013 I resigned from NCEMA.

DRI: Why did NCEMA create its own BCM standard?

MJ: BS25999 was the standard at the time, but we thought it was not well-suited to our nation. We started to look at other standards, including the Singapore standard (SS540), NFPA1600 (USA) and others, and then we decided to write our own standard in Arabic to be more comprehensive for the reader but still matching and using the same methodologies in the standards mentioned.

When we started the first few pages, we thought it would work fine because everybody could understand it easily. We completed in one year the writing of the standard, but it took us two years to get consensus from all the federal departments and all the ministries. Finally, in 2012, the first version was issued.

DRI: In what ways is your standard different from the others?

MJ: Thank you, very good question. When I said that [other standards] were not well-suited, what I meant was that the language and the way they assumed the reader had a background in emergency management, but in our standard you can see the engagement of risk assessment taken from the ISO31000 throughout BCM.

For people without a huge background in emergency and crisis management, the format of BS25999 would be difficult. When you talk to a community, some agencies do not even have this management system in place. So, you cannot introduce them immediately to BCM. Our goal was to simplify how we did this in our standard. Within our standard, anyone can start and move from A to Z in very simple language and in very simple steps.

DRI: Can you tell me a little bit more about the state of preparedness in the UAE?

MJ: After establishing NCEMA, one of the first things they did was the National Response Plan (NRP). The NRP is complete and is being distributed to the whole government of the UAE, so all entities have prepared or are preparing their specific plans which can be plugged into the national response plan framework.

DRI: What about private sector businesses?

MJ: NCEMA has signed a mutual agreement with the Chamber of Commerce to involve the private sector, but you know we have huge companies who already have business continuity for their own interests. So, they are way ahead in advance. On the other hand, there are some other smaller businesses that have no idea about emergencies at all. I think this is because we do not have huge catastrophes in this country. Although we do not have big disasters, the private sector should realize the importance of emergency management, how they should be prepared, and how they can have their own plans.

Now NCEMA has started educating the public. There will be a lot of media and publicity by NCEMA supported by the Ministry of Interior, Civil Defense, and all the stakeholders. They will try to straighten out the education and spread the culture of emergency management. This is a challenge but it should happen within the next few years. We are already putting practice in place and we hope by 2018, end of 2017, we should be done.

For the private sector, to refer to your question, we hope there will be some support from either the government or the other agencies to the private sector to build up their capability, because as you know the capabilities require resources and money. There may be some incentives for those businesses, to encourage them to incorporate this program into their firms.

DRI: What type of incentives?

MJ: For example, the government could encourage the relevant agencies in charge for the fees of the renewal of their license every year say if they have emergency plans, then they are category one. Category one would be 30% less or something like that. There is another incentive that was also proposed: the government would not sign with any entity or private entity unless they have BCM in place.

DRI: How would you evaluate those plans?

MJ: We would have to know whether they have plans first, if they are to contract with government. Then we would have to review them in NCEMA or the appointed agency for the verification.

DRI: Tell us about the education and training that you provided to these different entities, what forms did it take and how long did it take. Were there exercises and tests involved?

MJ: In fact, NCEMA has been exercising the government agencies since 2010. The first one, of course, was like a surprise for some agencies to understand and it took some time to digest the lessons learned. I can say very proudly that in exercises five and six, everybody knew what they had to do and where they were standing in emergency management.

In terms of training, I am sure that more than 300 officials were trained in NCEMA. This is separate from the training that is conducted directly from the training providers to the entities because they know that they would need to train in EM.

DRI: What threats do entities in the UAE face?

MJ: I can simply say that we do not have natural disasters. We do not have it in our history. But you remember the swine flu and the H1N1? Those threats were on the top of the list at that time; those are the kinds of threats we face. But we have practiced and NCEMA staff have gained a lot of experience, but threats are very dynamic, whether political, natural or manmade. But really what is happening internationally could happen in the UAE, without a difference, bearing in mind the first rule of Emergency management: “always expect the unexpected.”

DRI: You talked about the support that you have from the top people in the country. One of the challenges that I hear from people in other countries is trying to get top management support and to get people to listen when they are talking about business continuity and its importance. How did you get that?

MJ: I can say we are lucky, honestly speaking. Our top leaders, from number one down, they all have been encouraging. There is no doubt that we should be ready for any type of threat. If you talk about big resources like water, electricity, power, then you can see threats everywhere. And those threats are very devastating. I think because of these threats there was no hesitation of the leadership to give us a green light to go ahead and prepare UAE as much as we could. So it wasn’t as much our effort.

DRI: Finally, what is your hope of working with DRI? How do you think that relationship can help you and how can you help us?

MJ: I would say definitely, DRI could help us. The only words we can say to DRI is thank you for supporting our program.

DRI: You have already supported DRI tremendously through the important work that you do and by taking the time to talk with us.

MJ: Thank you. The word from the top was that education is the key to success. So, getting education from DRI on emergency management and specifically on the BCM, and the methodology DRI is following is very valuable to us. I really appreciate the efforts, the cooperation I found with DRI, and I hope this cooperation will continue for a long time.

 

Meet NCEMA

The National Emergency Crisis and Disaster Management Authority (NCEMA) works under the umbrella and supervision of the Higher National Security Council. It’s the major national standard-setting body responsible for regulating and coordinating all efforts of emergency and crisis management as well as the development of a national plan for responding to emergencies.

Therefore, its work is focused mainly in the development, consolidation and maintenance of laws, policies and procedures of emergency and crisis management at the national level.

The establishment of NCEMA was announced on 14/05/2007 within the organizational structure of the Higher National Security Council to ensure the safety of the lives of all citizens and residents on the territory of the United Arab Emirates and to preserve the property of the country.

NCEMA’s Mission is “to enhance the UAE’s capabilities in managing crisis and emergencies by: setting the requirements of business continuity, enabling quick recovery through joint planning, and coordinating communication both at the national and local level.”

For more information, visit www.ncema.gov.ae.