Tag Archives: case study

Reflections on the Bristow Helicopter Crash in Lagos (August 2015)

Philip Keshiro, DRI Nigeria

Appreciation

We would like to appreciate all the agencies and officials that took part in responding during the recent Bristow Helicopter crash.

Review of the incident

From reports we were told that the first responding agency got to the scene at least one hour after the incident as reported.

From the visuals shown most if not all of rescue efforts (diving) were carried out by local divers with their boats.

Preparedness Issues from Incident

a. Total reliance on local divers with inadequate tools only compound or elongate the timing for rescue.

b. Timeliness of responding – Getting to the scene of accident in one (1) hour needs improvement, the reason simply is that it takes less than 2 minutes for a submerged victim to die. Therefore one hour before official rescue commence is too long.

c. Too many agencies performing same role leads to confusion and does not show there is a plan, or joint exercise with TEAMS from each agency.

d. Lack of command center to take charge of the incident can also cause further damages to victims and properties

e. In this type of technical disaster, who should be in charge?

Our Opinion

A. Agencies such as FAAN, NCAA and the company Bristow Helicopters, and the coordinating agency LASEMA should have a plan that should looks at an instance where a plane or Helicopter will fail to get to the airport, looking beyond ICAO regulation which stipulates a specific radius, reference to Airport Emergency Response plan.

Questions to be asked at the data gathering stage (Risk Evaluation)

• Is it possible for plane or helicopters to drop or develop problems before getting to the airport?

o Probability is Yes (It has happened before – Dana)

• Can we get to such site at the required response time (Less than 10 minutes)

o Yes / No – Answer – NO

o What are the Resources required to meet this response time?

Please note that because of the nature of our roads and traffic, should we be looking at Medical Power Bike? As first initial response followed by the ambulances and aircraft ambulances?

• Do we have teams trained for rescue at sea or lagoons based on flight plans?

• Do we need to develop some response capabilities for these areas such as U.S Coast Guards?

• Do we need to involve Navy boats personnel to frequent our sea and lagoons?

B. Training on Disaster Management

Before agencies can come together for rescue efforts, it is presupposed that each agency should have a plan and would have developed some level of proficiencies within its purview, before coming together as one on TEAM basis to work on an incident.

Why did we say Training is lacking

a. Many agencies were in charge – Everybody getting on to the camera. Who is in charge? A look at the Incident Command System will explain this

b. Teams were not clearly visible or seen to be doing a particular assignment based on their regular legal job. You expect FRSC and Police at the perimeter of the cordon area. If incident have been on land, we would have had encroachment.

c. We noted that both strategic and operational personnel of the State and Agencies were at the scene. We need to avoid this practice to guide against secondary occurrence.

d. No visible sign of Command Center, therefore we can safely say there is no Emergency Operations Center (EOC).

Conclusion

We will conclude by appreciating the efforts of responders; however issues raised here are not to rubbish the good works of our various agencies but to point the way forward for improvement.

What is the plan? It is called Business Continuity. Take a look at the Nigerian Pandemic Plan; it appears more than 40 times, It is the tool for managing disaster for the Private Sector BUT the principles are also used by the Public Sector to mitigate and plan against incidents and disasters, the publicity, enforcement of Business Continuity ought to be the responsibility of the Federal Republic of Nigeria according to the Nigerian Pandemic Plan.

PHILIP KESHIRO
DRI NIGERIA

Courtesy: DRI Professionals in Nigeria.
www.drii.org
www.dri-nigeria.org

unnamed (3)

Nyanya Bomb Blast – Another Wake Up Call

Philip Keshiro, DRI Nigeria

To view this article in its original location, please click here.

I would have commented on the Malaysian Air Incident but for the fact that my mother died during this period and was buried on the 11th April 2014. The various activities relating to the burial were too much for me to sit and write.

The recent Nyanya bomb blast is another tragedy with no answer and most of the things I have been reading or commentaries on TV are not the solution.

What then is the solution?

It is unfortunate that when you want to hide a secret from people in our race, just put it in the book. This is with a lot of apology.

Issues of Security and Emergencies should be handled bottom up, not top down approach. A top down approach breeds passivity, lack of coordination, and makes mockery of our nation.

Please in your mind kindly compare what occur in Boston last year with what happened in Nyanya.

Nyanya

Boston

We are yet to identify those that drove the car and ran away as reported Within 24 hours the identity of the culprits were known and broadcasted – No sentiment
All agencies worked together without any statement such as ;we are on red alert etc We witnessed actions televised live.
No periodic update to members of the public – No concrete information yet There was periodic information, with the US President categorically saying, we will get ‘you’.
This may be the end of the investigation as the Kano case. The terrorists were caught with one dead and another injured within a week of the incident

What is the difference between security personnel abroad and ours?

–          They have data gathering capability (even on the spot)

–          Trained to focus first on issues of life (Human Life comes first)

–          Well trained to read and analyze situation

–          Aware of new technology or trends

Example:

The Nigerian DRAFT Pandemic Response Plan categorically states the following as shown below, breaking down how the nation should plan for pandemic related disasters, however, IT IS THE SAME PRINCIPLE FOR TERRORISM;

  • 1. National Government Planning & Coordination
    • Government is committed to multisectoral pandemic preparedness
    • Federal government assures continuity of essential services
    • Criteria:Essential service role and responsibilities identified
      Promotes Business Continuity Planning
      Provides basic planning assumptions
  • 2. All sub-national government levels involved
    • Whether States and FCT level have multisectoral preparedness and response plan and operationalised. Including Local Governments
  • 3. Whole of society planning ie Civil Society, INGO and IGOs, Private Sector, Vulnerable groups.
    • All the above must have Preparedness and response structures to protect vulnerable groups …
  • 4. Sectoral planning and Continuity of Essential Services
    • These are listed as:
      • Health – Whether sector has response and business continuity plan that has been tested
      • Food – Whether sector has response and business continuity plan that has been tested
      • Water & Sanitation ( Portable water sewage & waste management) – Whether sector has response and business continuity plan that has been tested
      • Energy Sector – Whether sector has response and business continuity plan that has been tested
      • Public Security and Order – Whether sector has response and business continuity plan that has been tested
      • Finance – Whether sector has response and business continuity plan that has been tested
      • Telecommunications – Whether sector has response and business continuity plan that has been tested
      • Transport – Whether sector has response and business continuity plan that has been tested
        • Criteria:
        • Key Sector actors (public & private) are identifies and have been encouraged to plan
        • Guidance for key actors in sector is available
        • Hazard & Risk analysis has been completed for the sector.

All ministries, agencies, and infrastructures i.e NYANYA Park and others should have a BCP plan in place.  

Why this write up.

The Pandemic plan was co-authored by the USAID and other US related agencies, if they can slot in BUSINESS CONTINUITY PLANNING as the BASIS for managing disasters why are we not looking in this direction to solve our problems. A large number of our top and middle level government officials do not know anything about this subject matter.

A Business Continuity plan will have helped to mitigate this NYANYA Park disaster in the following ways;

A Risk assessment – will have brought out through imagination, foresight, and prior incidents that the park is vulnerable. Control measures to mitigate will be the following;

  • Separate Passenger drive in from the Bus Parks – Let the passengers walk with their load or with trolleys.
  • Have in place CCTV to capture movement of passengers and ongoing activities within.
  • Restructure the market to meet the 1st condition if possible.
  • etc

The effect is that, should there be an incident or a bomb blast, the POLICE, SSS and other agencies will have some form of intelligence to work with. Without this, we are laughing stock in the comity of advanced nations.

The steps within the BCP are:

The Ten Professional Practices are as follows:

Pre-Planning Stage

1. Program Initiation and Management

2. Risk Evaluation and Control

3. Business Impact Analysis

Planning Stage

4. Developing Business Continuity Strategies

5. Emergency Preparedness and Response

6. Developing and Implementing Business Continuity Plans

Post-Planning Stage

7. Awareness and Training Programs

8. Business Continuity Plan Exercise, Audit, and Maintenance

9. Crisis Communications

10. Coordination with External Agencies

Conclusion:

The security agencies should start to have appetite and understand what business continuity planning is all about and how to use it to reduce to the barest minimum this incident of mass killing.

The words we hear such as ‘Citizens should go about their normal duty as the government or Police…’. These words are not inspiring, not soothing, they are reactive, not proactive. We should not be counting casualties in hundreds and thousands, not to talk of one life. The answer lies within the government archive and in possession of some of us reading this write-up.

Reacting after each blast is wickedness, mental laziness, a lack of ability to work, and lack of love for human lives.  

Please check the Nigerian Pandemic Response Plan.

I will explain more and break down the components of BCP if required.

You can ask for an extract of areas quoted above if interested.

Thank you.

Philip Keshiro

Business Continuity Amidst the Recent Middle East Turmoil

Omar Sherin

In late January of this year, the Middle East was the scene of unprecedented and rapid political and social changes that took the most mature businesses and industries by surprise, and left them virtually paralyzed.  Not even the most sophisticated and knowledgeable secret intelligence agencies predicted the massive scale social uprisings that emerged throughout the region.

It is worth analyzing business continuity strategy in Egypt because it witnessed what was probably the first international incident ever recorded of a government using the internet “kill switch,” as well as the ripple effect of the consequences resulting from the decision. Additionally, as Egypt is the second largest economy on the African continent following South Africa and it has the most diversified economy in the region by United Nations standards; therefore, the impact on diversified businesses is clearly visible and not
sector-specific.

How It Happened

After days of continuous anti-government demonstrations that used the Internet and social networks such as Facebook and Twitter as coordination platforms, the former administration decided to cut the Internet just minutes before midnight on January 27, 2011 with the hope of preventing protesters from using their communication tools. Minutes later, it was confirmed that there was no Internet connectivity whatsoever across the entire country. What was once deemed technically impossible was proven to be technically
possible. In such authoritarian countries, much of the physical telecommunications infrastructure is under the direct ownership and control of the government.

We saw firsthand the catastrophic impact of the government’s impulsive decision. Imagine a country or a modern business deprived “overnight” of emails, VoIP services, e-commerce, online conferencing, web-browsing, running a corporate website or even seeking remote online support. This unprecedented situation lasted for five consecutive business days.

Immediate Impact

Companies working in the IT outsourcing industry were among the first to be affected. The direct loss in revenue for those five days  is estimated at $90–$120 million USD, which does not include lost business opportunities and possible SLA violations and lawsuits. Another example is the banking sector. Several national and multinational banks announced key services such as international money transfer and online banking were unavailable or unreliable. With the national ATM network shutdown and the standalone ATM machines vandalized, millions of bank customers resorted to standing in long queues in front of their local bank branches.

Plans Exercised

Very few companies appeared to be unaffected and resilient. Some companies survived due to exercising solid BC plans yet others were sustained just because of pure luck.  One major mobile operator provides a good example of a company that survived the disruption. This company’s actions demonstrated effectiveness of having a solid and comprehensive business continuity plan in place.

On January 27, the BCP was triggered by the government cutting off the Internet. Then, the crisis management team (CMT) met and activated the disaster recovery plan (DRP) to safely shut down the local IT services and focus on securing the physical assets, data centers, key cellular towers, and power generation stations, from sabotage and perhaps the unsafe street conditions.

Initially, the customer call center was bombarded with calls complaining about difficulties using communication services like mobile Internet, Blackberry, international calls. Although the customer service representatives tried to explain the situation to callers, they soon realized it was a national problem.

On January 29, the government announced a national state of emergency and a curfew was enforced. Furthermore, all the mobile operators in the country received orders from the government to shut down all mobile communications including voice and SMS services as a last attempt to cripple the demonstrators’ communications. Due to a provision in the mobile regulatory license agreements signed with all the mobile operators, companies had to comply. This decision proved to have significant costly and negative
corporate image implications that later left those companies with no option but to embark on massive damage control and PR campaigns.
At this stage, the CMTs ordered the shutdown of the customer call center and landlines, activated the internal call tree and ordered all staff to remain at home until further notice. After receiving confirmation that all headquarters and branch offices countrywide had been evacuated and locked, the CMT started the crisis
communication plan which had to deliver several messages to international media and foreign stock markets where the company is listed.

On the IT side of the disruption, the DRP of this company was designed to mitigate the risk of total and complete loss in connectivity by developing a replica of its web services hosted in Europe, as well as by signing with a prominent cloud-based
managed services provider to manage the security and availability of the corporate emails for its 5,000 users in the cloud. This managed service had a provision that allowed them to save drafts of undelivered emails “in the cloud” for up to seven days. Once the former president and his administration announced his resignation, the Internet was back online and the employees’ mailboxes were flooded with week-old emails, certainly a better situation than an empty mailbox and angry customers.

On the other hand, entities such as the Egyptian stock exchange (egyptSE.com), which appeared to be online and reachable throughout the Internet blackout, proved to be on a single and fairly
small ISP in terms of market share. It is unclear if it survived the former government’s decision by coincidence, as the Stock Exchange is one of its few subscribers. On the other hand, it could be that the ISP was purposely spared because of the Stock Exchange and that the other few subscribers were incidental beneficiaries.

Based on available information, nearly 80 percent of the businesses in Egypt did not list the scenario of a national Internet blackout as a strong possibility and were therefore unprepared. The remaining 20 percent of companies were well-prepared with alternative and varied means of international communication, such as satellite connectivity “VSAT” and companies that do not exclusively rely on the Internet for business.

Who Survived?

The most advanced secret intelligence agencies in the world, such as the US Central Intelligence Agency (CIA), did not anticipate this revolution. The United States Secretary of State Hilary Clinton described the Egyptian government as “stable” after three days of events. Interestingly, none of the traditional risk assessment methods available or practiced in most of the companies in Egypt would have predicted the risk of a major political overhauling and social uprising.

The event was the world premiere of a government using the Internet kill switch, coupled with a nationwide mobile communication blackout. It simply caught everyone off guard. However,
corporate risk experts should have learned from their previous experience in 2008 when there was a major Internet services disruption due to human error when an undersea Internet cable was cut.

The failure to anticipate this major incident in the corporate risk matrix was impermissible. Perhaps the only companies that continued operation throughout the disruption were those with rigorous, dynamic, and active risk assessment practices that learned from the 2008 events and translated those lessons into viable disaster scenarios.

One key observation is that companies that used cloud computing were noticeably more resilient and capable of working around this disruption because of the flexibility and availability offered by cloud computing infrastructure.

Many small to mid-sized businesses with traditional BC and DR plans found that their plans had many shortcomings in regard to this particular situation, as there was a dependency on modern technology. Ironically, many companies could not activate their call trees since mobiles and SMS were unavailable and disseminating a message to the branch offices across the country was nearly impossible.

Even companies with expensive disaster recovery sites (located over 100 miles away) had problems activating the DRP due to the complete and prolonged loss in connectivity and the inability to seek technical support from partners or vendors, including industry blue chip companies.

The recent events emphasized how modern businesses really depend on technology and, particularly, the Internet. These events also provided the unfortunate reminder that we take these modern technologies for granted.

 

References:
1 Internet Kill Switch
(http://www.infowars.com/egypts-internet-killswitch-coming-to-america/)
2 Hillary Clinton comment on the events on the 28th
(http://af.reuters.com/article/topNews/idAFJOE70O0KF20110125)
3 Undersea cable cut
(http://news.bbc.co.uk/2/hi/7792688.stm)

 

Omar Sherin holds a bachelor of science degree in computer engineering, with more than 10 years of professional information systems security, resiliency and SCADA security experience. He is a member of the OWASP organization leaders board and a voting member on the IEC/ISA-99 standard for critical infrastructures security. He has worked for several multinational firms in the oil and gas sector, and he is a certified ISO27001LA, CEH, and a CBCP.

The Xceed Experience: Implementing the Plan

Khaled Embaby, Mahmoud Marzouk, Waleed Yasser, and Mohamed Al Awwa

The role of the business continuity management team at Xceed is to identify potential external and internal risks to the organization and set prevention and recovery plans. This role is not exclusive to planning, but rather it extends to include the management of staff and other resources with the objective of helping the organization to stay in business in the event of a disaster.

In light of the concerns of multiple political forces in Egypt about the possibility of the former president’s son coming to power, Xceed’s BCM Team considered the political unrest in Egypt as a potential risk, so they activated their plan. One precautionary measure was to follow opposition forces through various news sources and social platforms on the Internet.

There was increased social media activity as a result of the extreme dissatisfaction with the outcome of the parliamentary elections. Rumors began to spread that there would be widespread demonstrations.

Events at Xceed proceeded as follows:

January 24: The BCM team took control from the emergency operations center (EOC) at Xceed’s two sites in Egypt, Smart Village and Maadi Call Center Park, to monitor all activities that might affect the normal business flow.

January 25: The Egyptian Youth Coalition announced protests across Egypt. Xceed’s BCM action plans were immediately put in place with special consideration given to the possibility of an imposed countrywide curfew. Such a curfew would pose a major threat to the company’s ability to operate.

January 27: The Egyptian government cut off the Internet throughout the entire country including the corporate links. The resulting impairment to business function caused a dramatic impact on 30 percent of our business.

January 28: Demonstrators declared January 28 as Anger Day in reaction to the violent action taken by police forces to control the persistent and widening demonstrations. It was no misnomer. Egypt witnessed severe and violent confrontations between police forces and protestors. Around 5:00 p.m. the president announced that the Egyptian army would take over the security management of the country. As anticipated, a curfew was imposed from 6:00 p.m. until 8:00 a.m. daily.

The challenge at Xceed began. At the time the curfew was imposed, 880 employees were present at the Smart Village and Maadi Call Center Park sites. It was impossible to send them home because security conditions on the roads were alarming. It was considered much safer to stay at the office. We took immediate action to accommodate those 880 employees by serving hot meals and creating sleeping areas for them. At the same time, we let all the employees call their families to inform them that they were in a safe place and would spend the night on company premises. Additionally, we decided to let employees with small children choose whether or not to come in, as we expected to face the curfew situation during
the Anger Day. Fortunately, all the employees with small children decided not to come in on this day. Accordingly with the work force management team in cooperation with the operations team scheduled only those with no small children for work.

January 29: Egypt reached the red level of security. Police forces withdrew from their positions, prisoners escaped from prisons, looters were on the streets and chaos was everywhere. Xceed’s BCM team made the decision to work with the minimum number of employees required to run operations for our critical business service, which is the Ambulance 123 Hotline. Running only the one service meant accommodating 100 employees for a potentially infinite number of days.

Relying on the previously implemented plans with new daily inputs, and with the support of members of different teams—such as administration, facility management, physical security, and IT support—continuous action was in place to keep the business running and our employees safe. For the following six days, 100 employees were accommodated at Xceed around the clock. For the next three days, 250 employees were accommodated and then over a period of twelve days, we gradually increased the number of employees present until we successfully returned to normal operations.

The BCM team managed to recover business operations successfully in the face of political unrest and despite unforeseen challenges as a result of our precautionary plans. The timing and the size of the political unrest was unexpected as the anticipated political unrest was expected to take place later in the year and at a much smaller magnitude. The chaos that resulted from the reported escape of prisoners and the widespread looting were expected and caused a major physical security threat to employees and the community. Finally, the scheduled internet outage was unexpected, but Xceed’s BCM Team managed to counteract this challenge with only a 30 percent impact on business operations.

 

Xceed is a global provider of quality, multi-lingual Business Process Outsourcing (BPO) services. Xceed has two sites within Egypt, with its headquarters located in Cairo’s technology park, The Smart Village. Xceed has an additional contact center, geographically
and culturally proximate to Europe, at Morocco’s technology park, CasaNearshore Park.