DRI Nigeria’s Philip Keshiro was interviewed on EKO 89.75FM, where he offered insights on about why business continuity is the modern way of managing disasters. (Note: Sound quality improves at the 2-minute mark). Visit DRI Nigeria.
DRI Nigeria’s Philip Keshiro was interviewed on EKO 89.75FM, where he offered insights on about why business continuity is the modern way of managing disasters. (Note: Sound quality improves at the 2-minute mark). Visit DRI Nigeria.
Adewale Akinwale, ABCP, is a top professional with a strong background in risk management, strategic planning, business development and business process re-engineering. He started his professional career in the retail logistics and supply chain industry working for major organizations such as IKEA Tottenham (UK) and Barratts PriceLess (UK) Limited. He returned to Nigeria and joined the management consulting practice of Messrs S.I.A.O Professional Services, an indigenous audit and consulting firm in 2011. He joined the enterprise risk management department of the Nigerian Aviation Handling Company (Nahco Aviance Plc.) in January of 2013 as an Enterprise Risk Officer, and now sits as Head of Enterprise Risk Management. He holds a Diploma of Higher Education (DipHE) in Business Management (Human Resource) from the University of East London (UK) and a Bachelor of Arts Degree (B.A. Hons.) in Business Management from the University of Sunderland (UK). He was nominated as a finalist at the DRI2015 Awards of Excellence in the Category of Industry Newcomer of the Year 2015.
How did you become involved in resilience and its related industries (business continuity, disaster recovery, emergency management, etc.)?
I got into the world of business resilience when a major aviation handling company in West Africa approached my employers at the time, a boutique management consulting firm, to create a business continuity plan for its operations. I was drafted into the team at the last minute to offer generic support because my background is in strategic risk management. I ended up taking up employment with the client due to my energetic contribution to the development of the resilience plan.
What is your current position?
I currently sit as Head of Enterprise Risk Management at the Nigerian Aviation Handling Company (Nahco Aviance). I am responsible for all aspects of risk management and business continuity in our aircraft handling, passenger and cargo handling businesses across 8 stations in Nigeria.
How would you describe your job to someone who is unfamiliar with the industry?
As a resilience professional, I am responsible for preventing threats and all forms of controllable disaster and reducing loss times in the event of an uncontrollable crisis or disaster for Nahco Aviance. I am trained in the use of DRI’s Professional Practices to prevent or consequently manage disasters in our operations by evaluating risks, quantifying the impact on the organization and developing strategies for emergency and business continuity management. I am also responsible for guiding the operations team in the documentation and communication of the defined strategies and effective coordination with public agencies for simulation of resilience plans.
What do you consider the greatest advantage of being a resilience professional?
I believe the greatest advantage of being a resilience professional is being a resourceful person for the organization and also being the go-to guy when strategic decisions need to be made with reference to managing possible threats and crisis situations.
What is your biggest challenge as a resilience professional?
My biggest challenge in this part of the world is lack of effective coordination with public authorities. The level of commitment of some of these public agencies to resilience is below global average and according to DRI’s Professional Practice, coordination with public authorities is critical to achieving effective resilience. The dearth of infrastructural facilities and a laissez-faire national attitude to emergency management is also a major challenge.
What do you consider your greatest achievement or milestone as a resilience professional?
My greatest achievements as a business continuity professional include effectively managing the continuation of all core operations when a significant number of our client airline team had to be quarantined for 28 days due to the outbreak of the Ebola Virus Disease in Africa and the management of the coordination of the delivery of over five thousand metric tonnes of cargo over Christmas
Why do you consider resilience and its related industries to be significant?
Resilience is critical to organizations because it is unique a business strategy that can help organizations achieve customer satisfaction and competitive advantage in the face of adversity. The ability to stay up and running at a time when competitors could have been paralyzed and customers left hapless is a unique selling point for new business development and existing customer retention.
The most important issues facing resilience professionals today are emerging threats which are totally alien to their local environments and as such may not have been planned for. The pace at which a terrorism incident or cyber-attack could disastrously affect an organization could be so unexpected and the resources to guarantee continuity may not be readily available. This is why it is important for a resilience professional to stay on top of emerging risks and continuously review best practice crisis management plans to address such threats.
What advice do you have for those just beginning in this field?
I would advise new entrants into the resilience industry to focus their specializations in industries that they are familiar with. Ultimately, you may hope to become a Business Continuity Consultant where you can cross-carpet from one industry to another. My expertise is in resilience planning for organizations in the transport and logistics industry.
The DRI Ten Professional Practices for Business Continuity Professionals are now available in Turkish. The Professional Practices are a body of knowledge designed to assist the entity in the development and implementation of a Business Continuity Management program. Use of the Professional Practice framework can increase the likelihood that no significant gaps will be present in your program as well as increase the likelihood that the various parts of the program will work cohesively in an actual disruptive event. This important resource will help DRI Istanbul serve Turkish-speaking business continuity and resilience professionals.
To download the Profesyonel Deneyimler, please visit MyDRI.
The Sendai Framework for DRR 2015 is a great improvement to the Hygo Framework for Action 2005 – 2015: Building Resilience of Nations and Communities to Disasters.
Having gone through the Hygo Framework, I summarized it with a statement ‘Developing countries help your citizens’.
It was generally not ‘punchy’ and clear BECAUSE any time I get in contact with those implementing DRR, the question is “what has Business Continuity got to do with DRR? ”. Hence, the understanding was flawed (my opinion), implementation was without a clear direction, and coordination was very poor.
I have gone through the Sendal DRR 2015-2030, and I am impressed with the detail and technical terms as shown below – as lifted from the document
The Hyogo Framework for Action: lessons learned, gaps identified and future challenges
1. It is urgent and critical to anticipate, plan for and reduce disaster risk in order to more effectively protect persons, communities and countries, their livelihoods, health, cultural heritage, socioeconomic assets and ecosystems, and thus strengthen their resilience.
It is important to know that my concept of developing countries is basically AFRICA (Nigeria).
Expected outcome and goal
1. To attain the expected outcome, the following goal must be pursued:
Prevent new and reduce existing disaster risk through the implementation of integrated and inclusive economic, structural, legal, social, health, cultural, educational, environmental, technological, political and institutional measures that prevent and reduce hazard exposure and vulnerability to disaster, increase preparedness for response and recovery, and thus strengthen resilience
The pursuance of this goal requires the enhancement of the implementation capacity __and capability of developing countries, in particular the least developed countries, small island developing States, landlocked developing countries and African countries, as well as middle-income countries facing specific challenges, including the mobilization of support through international cooperation for the provision of means of implementation in accordance with their national priorities.
1. The goals if it has to be pursued, the knowledge base of the custodians of the DRR must be improved. The international community and the United Nations MUST come out with CLEAR statement that gives direction to help the developing countries who may not understand how to get this ‘implementation capacity’. Most developed countries and leaders within DRR do not even have a clear understanding of Risk Management, Continuity Of Operations Plan (COOP), Business Continuity Planning/Management, Crisis Communication. They do not know how this concept can be used as effective tool in reducing disasters.
III. Guiding principles
(b) Disaster risk reduction requires that responsibilities be shared by central Governments and relevant national authorities, sectors and stakeholders, as appropriate to their national circumstances and system of governance;
(e) Disaster risk reduction and management depends on coordination mechanisms within and across sectors and with relevant stakeholders at all levels, and. it requires the full engagement of all State institutions of an executive and legislative nature at national and local levels and a clear articulation of responsibilities across public and private stakeholders, including business and academia, to ensure mutual outreach, partnership, complementarity in roles and accountability and follow-up;
(g) Disaster risk reduction requires a multi-hazard approach and inclusive risk-informed decision-making based on the open exchange and dissemination of disaggregated data, including by sex, age and disability, as well as on the easily accessible, up-to-date, comprehensible, science-based, non-sensitive risk information, complemented by traditional knowledge;
(l) An effective and meaningful global partnership and the further strengthening of international cooperation, including the fulfillment of respective commitments of official development assistance by developed countries, are essential for effective disaster risk management;
As beautiful as this guiding principles is, it can ONLY be achieve when different agencies and organizations have a level of understanding which is derived from a standard. Only then can there be coordination (on the field). Each of this organization would have acquired some level of capacity development, have a functional plan in place (within their “different” agencies), which would have been exercise (based on this standard) before coming together as one.
For (I), This is where DRI International has to form a global partnership with UN to train different nations on the basic knowledge required to anticipate disaster, plan, with the ability to respond, and recover and build better facility that have been damaged or destroyed, using the principles of Business Continuity Planning
1. Taking into account the experience gained through the implementation of the Hyogo Framework for Action, and in pursuance of the expected outcome and goal, there is a need for focused action within and across sectors by States at local, national, regional and global levels in the following four priority areas:
Priority 1. Understanding disaster risk
1. Policies and practices for disaster risk management should be based on an understanding of disaster risk in all its dimensions of vulnerability, capacity, exposure of persons and assets, hazard characteristics and the environment. Such knowledge can be leveraged for the purpose of pre-disaster risk assessment, for prevention and mitigation and for the development and implementation of appropriate preparedness and effective response to disasters
(a) Promote the collection, analysis, management and use of relevant data and practical information. Ensure its dissemination, taking into account the needs of different categories of users, as appropriate;
(d) Systematically evaluate, record, share and publicly account for disaster losses and understand the economic, social, health, education, environmental and cultural heritage impacts, as appropriate, in the context of event-specific hazard-exposure and vulnerability information;
(l) Promote the incorporation of disaster risk knowledge, including disaster prevention, mitigation, preparedness, response, recovery and rehabilitation,__ in formal and non-formal education, as well as in civic education at all levels, as well as in professional education and training;
V. Role of stakeholders
1. While States have the overall responsibility for reducing disaster risk, it is a shared responsibility between Governments and relevant stakeholders. In particular, non-state stakeholders play an important role as enablers in providing support to States, in accordance with national policies, laws and regulations, in the implementation of the framework at local, national, regional and global levels. Their commitment, goodwill, knowledge, experience and resources will be required.
(c) Business, professional associations and private sector financial institutions, including financial regulators and accounting bodies, as well as philanthropic foundations, to: integrate disaster risk management, including business continuity, into business models and practices via disaster risk-informed investments, especially in micro, small and medium-sized enterprises; engage in awareness-raising and training for their employees and customers; engage in and support research and innovation as well as technological development for disaster risk management; share and disseminate knowledge, practices and non-sensitive data; and actively participate, as appropriate and under the guidance of the public sector, in the development of normative frameworks and technical standards that incorporate disaster risk management;
(o) Increase business resilience and protection of livelihoods and productive assets throughout the supply chains. Ensure continuity of services and integrate disaster risk management into business models and practices;
(g) Ensure the continuity of operations and planning, including social and economic recovery, and the provision of basic services in the post-disaster phase;
I have tried to highlight areas where developing countries or individuals will find simple and direct instructions as road map.
It is important to state here that based on my personal knowledge and experience, the knowledge of business continuity planning as packaged by DRI International, is the basic knowledge required that can help executives in DRR Management, DRR staff and ALL agencies of government and ministries. Without this knowledge, the African continent will only be moving round in circles without direction, this will be evidence in the following ways;
▪ Lack of understanding of basic terms used in disaster management evidenced during regional and international forums (some officials will ask what is COOP, or Business Continuity Planning – What are these got to do with disaster).
▪ Lack of coordinated response during disasters
▪ Without appropriate plans, proper exercising which should improve plan will not be conducted, if conducted it is used as ‘public show‘ without any aim
▪ Different agencies will be working at cross road, trying to gain popularity from disaster incidents instead of focusing on safety and prevent loss of lives.
It is important that we all take the management of disaster as a profession, and create an appetite for more knowledge in disaster management.
DRR/Safety Institutes, Federal Government, State Governments and Local Governments MUST strive to have the knowledge of Business Continuity Planning principles which is an appropriate tool for Disaster Risk Reduction and a MUST.
May I ask, are you certified?
Kindly contact us on the following; 08054561141, 08125377462, or email@example.com for further inquiries.
PHILIP KESHIRO ABCP, CISSP, CISA, COBIT 5, AIMIS, ACIA, AISPON, MBA
Ayesha Al Bakoush, CBCP, CRA
Businesses and organizations are not immune to crises and therefore planning for the unexpected must be considered as a sound practice. Many organizations are unprepared to handle workplace crises, operating under the myth that “those things won’t happen here.” While most of us do not like to think about crises happening to us, planning to deal with them proactively and effectively would help protect human lives, prevent damage and reduce the likelihood of financial and non-financial impacts.
The whole concept of business continuity is relatively new to the UAE. Subsequent to the issuing of the first Emirati business continuity standard – AE/HSC/NCEMA 7000:2012, the majority of the government organizations have started to adopt business continuity into their strategies and have initiated plans from scratch. There are many factors that contribute to the success of business continuity plans, for example: obtaining the executive management support, completing the Business Impact Analysis and Risk Assessment. However, those elements alone cannot guarantee the effectiveness of the business continuity plans.
Business continuity should be more than just a plan, ideally it should be integrated into the culture of the organization and be part of daily operations. This article will undertake analysis of various reasons why business continuity plans might fail even if they cover all critical planning aspects.
Although learning the hard way is not always the best option, but the lack of experience in disasters usually leads to wrong decisions as well as the focus on areas that might not be crucial to the organization. Due to the fact that our country is considered to be a safe country and we do not face fatal disasters of any kind, it might be a challenge for organizations to plan and consider events that they have never faced and they don’t even know whether those events are going to ever happen.
Ideally training and professional accreditation is one of the best solutions, it helps professionals broaden their horizon about the topic through their networking with other professionals and help them gain more insight about the topic. Also, exploring other organizations who have robust business continuity plans in place and learning from their lessons.
The embedding of the business continuity into the culture of the organization is key to the success of the program. An experienced business continuity professional who knows and understands the culture of the organization he/she is working for, should be able to put plans and ideas to slowly and steadily engage the staff and make it easy for them to absorb the business continuity concept and make it fit into their business and operating models.
Training and testing usually shows how serious an organization is about its business continuity plans. Due to the resistance factors to new projects, business continuity plans might just end up as a document on the shelf that is never used or looked into. In addition, the safe culture and the lack of exposure to disasters might encourage organizations to skip testing and training which might be considered as a disturbance to normal operations and an unwanted task.
Training & testing are the best indicators to ensure the proper execution of a business continuity plan. As per DRI’s 10 Professional Practices, BC plans should be tested at least once a year to ensure the awareness of the employees about their roles and responsibilities and what is expected from them in case of disasters. It is also important to utilize different types of testing ranging from table-top to full scale exercises, each organization should choose the type of testing that suits the nature of its operations taking into consideration the maturity level of the Program.
Many organizations fall into adding too much operational details to their business continuity plans to ensure the availability of all required information.
Another common mistake is “abusing” management support to force the implementation and execution of business continuity-related or non-related processes. In other words, business continuity related terminology might be used the wrong way to drive change into the organization which will demotivate staff and minimize their sense of engagement and ownership.
Business continuity plans should contain the information about critical staff and functions in a brief and well-structured way that makes it easy for the staff to read and execute. Details and long processes should be eliminated from the plan and kept into a separate appendix to minimize confusion, save time and effort. Also, shortcuts to long processes should be taken into consideration and activated during disasters to overcome human resource shortages.
With regard to the use of management support, business continuity professionals should know the required amount of pressure they should use with their staff to enforce rather than force change. Also, staff should feel that they are engaged and involved which will motivate them to contribute towards improving the plans.
Understanding the nature and culture of the organization is a key element in building a successful business continuity program. Business continuity objectives should be aligned to the organization’s objectives to ensure maximum benefits. The ideal way to plan for disasters is to plan for the worst case scenario, but the question is: how bad the worst case can be? In this case, professionals should be realistic while planning for the worst case.
Business continuity professionals should flawlessly understand management expectations from the business continuity program. The most successful program is one that is tailored according to the needs and expectations of a specific organization. It is also required from business continuity professionals to have a strong vision about what might make a disaster even worse, and what would be the potential solutions or backups if further incidents do materialize.
In some cases outsourcing might be a suitable solution to transfer risk and accountability to a third party. However, if an organization is planning to keep its critical functions up and running during a disaster, outsourcing or signing a contract with a third party promising to deliver a service or a product during a disaster is not enough. No matter how strict the legal terms and conditions are, if the service provider fails then the whole process fails.
Before outsourcing or transferring accountability to a third party, an organization should make sure the service provider has their own business continuity plans updated and tested. Also, service providers and third parties should be part of any organizations business continuity testing and training to help define expectations and outcomes from both sides. In addition, it is very critical to always have a backup plan in case the initial plan fails. In this case, finding more than one provider for the same service or product and keep their information documented and updated. And most importantly get them engaged and updated regularly.
Business continuity is a holistic approach based on simple and clear methodologies, if planned properly will ensure the continuity of an organization’s critical functions during disasters, and safeguards its human and physical assets. The implementation of best practices and international standards alone are not enough to ensure the effectiveness and the success of a business continuity plan, rather, it should be realistic, simple, flexible, and up-to-date.
Creating and maintaining a successful business continuity program is more than following a set of best practices; nevertheless, avoiding the above mistakes can enable a more effective capability that aligns to organizational needs and drivers.
Ayesha Al Bakoush is currently working as Principal Business Continuity Specialist with Abu Dhabi Crown Prince Court. With over 10 years of professional experience, she possess strong experience and domain knowledge, ranging from implementing and auditing business continuity management programs, enterprise risk management, and project management. She has done her Bachelors in Information Management from the Higher Colleges of Technology in Abu Dhabi and currently pursuing Masters in International and Civil Security at Khalifa University for Science and Technology Research. The author is a Certified Business Continuity Professional and can be contacted at: firstname.lastname@example.org
Bill DelGrosso, CBCP, CEM
Commercial business lives with risk every day from competitors, cash flow, and changing technology. They also face threats from recent events including the outbreak of the Ebola virus, including in the US, increasing natural disasters, and protests in Hong Kong. These external, uncontrollable events suggest that you review the Emergency Response Operations, and the Coordination with External Agencies Professional Practices elements of your continuity plans. In each of these examples, organizational business continuity management system (BCMS) planning will be dependent on external agencies level of sophistication, legal jurisdiction, and response capability. Effective BCMS planning reviews, given this framework, should include three key areas:
The core of any business is the people that you employ to do the job. Incidents that interrupt your business will likely impact your personal extending the time that they will get back to work. The Ebola outbreak is having significant personal impacts, as well as economic ones. Viruses don’t respect national boundaries, so consider how your BCMS would address these issues;
There are broad critiques of how public agencies globally have responded to the Ebola virus outbreak; much of it is second guessing, and misinformation. Emergency managers, including BCMS directors or planners can address that if they add External Agency Capability as a risk category in their risk assessment/ calculations. When I worked at Miami-Dade County Emergency Management, we met often with our business and industry groups to underline for them what to expect pre and post hurricane incidents. It was crucial for them to understand how evacuation orders and post incident recovery. Reaching out to local authorities as part of your risk assessment is a step toward understanding what their response capabilities, priorities, and legal authorities are. The latter is especially important when legal actions like evacuation or medical quarantine are put into place.
If you recall the 2013 Boston Marathon bombing, millions of people cooperated with the extraordinary measure taken by State and local officials for entire sections of Boston to shelter in place. The economic cost may never be calculated, and revealed the response mechanisms that public safety entities have available to them. They could not have implemented it without public cooperation. As part of your outreach to local responders, offer to exercise your plan with their participation and get feedback on what to expect. The more transparent the local officials are, the lower the risk; so be advised that you may need to raise the risk level if your research or outreach doesn’t reveal much. If your response officials know you before an event, the easier your integration into their plans and continue your prioritized business functions will be.
Information technology (IT) is either integrated into your operations, or is integrated into the vital systems your organization or business relies on every day. A good BCMS planner should have the vision and the experience to identify, inventory, categorize and maintain the vital systems you can control, or manage as well as public infrastructure that you are dependent on. Determining how something that doesn’t destroy the systems, but limits access to their physical presence (like a protest that blocks access or a quarantine) would impact your IT infrastructure.
Learning from other peoples Emergency Response/ External agency coordination Professional Practices lessons can drive quality updates to your BCMS strategy and plan.
Bill DelGrosso is a Resiliency Strategist in the risk and business continuity practice for Booz Allen Hamilton’s Middle East/North Africa (MENA) office. He advises commercial and public clients globally on governance, critical infrastructure protection, enterprise risk management, emergency management, business continuity, and exercise programs in various industries and sectors. email@example.com
DRI is excited to present a special edition of its online magazine, THRIVE! This issue offers readers a first-hand look at the rising business continuity trends in the Middle East and the work of DRI-certified professionals in the region.
As a result of recent business continuity forums held in Abu Dhabi and Qatar, our growing community of certified professionals requested a DRI publication targeted to resiliency matters in the Middle East – matters that are universally relevant to BC pros around the world.
In this issue you’ll find:
• An interview with Mohammed Al Jenaibi, CBCP
• A guide to dealing with your vendors’ BCM planning
• A spotlight on DRI Istanbul’s first-ever Business Continuity Forum,
• And more!
Click here to read the issue, and catch up on previous issues of THRIVE! In our archives.