Tag Archives: featured

BUSINESS CONTINUITY MANAGEMENT & DISASTER RISK REDUCTION (DRR)

Philip Keshiro, DRI Nigeria

The Sendai Framework for DRR 2015 is a great improvement to the Hygo Framework for Action 2005 – 2015: Building Resilience of Nations and Communities to Disasters.

Having gone through the Hygo Framework, I summarized it with a statement ‘Developing countries help your citizens’.

It was generally not ‘punchy’ and clear BECAUSE any time I get in contact with those implementing DRR, the question is “what has Business Continuity got to do with DRR? ”. Hence, the understanding was flawed (my opinion), implementation was without a clear direction, and coordination was very poor.

I have gone through the Sendal DRR 2015-2030, and I am impressed with the detail and technical terms as shown below – as lifted from the document

The Hyogo Framework for Action: lessons learned, gaps identified and future challenges

1. It is urgent and critical to anticipate, plan for and reduce disaster risk in order to more effectively protect persons, communities and countries, their livelihoods, health, cultural heritage, socioeconomic assets and ecosystems, and thus strengthen their resilience.
2. There has to be a broader and a more people-centred preventive approach to disaster risk. Disaster risk reduction practices need to be multi-hazard and multisectoral based, inclusive and accessible in order to be efficient and effective.
There is a need for the public and private sectors and civil society organizations, as well as academia and scientific and research institutions, to work more closely together and to create opportunities for collaboration, and for businesses to integrate disaster risk into their management practices.

It is important to know that my concept of developing countries is basically AFRICA (Nigeria).

Expected outcome and goal

1. To attain the expected outcome, the following goal must be pursued:

Prevent new and reduce existing disaster risk through the implementation of integrated and inclusive economic, structural, legal, social, health, cultural, educational, environmental, technological, political and institutional measures that prevent and reduce hazard exposure and vulnerability to disaster, increase preparedness for response and recovery, and thus strengthen resilience

The pursuance of this goal requires the enhancement of the implementation capacity __and capability of developing countries, in particular the least developed countries, small island developing States, landlocked developing countries and African countries, as well as middle-income countries facing specific challenges, including the mobilization of support through international cooperation for the provision of means of implementation in accordance with their national priorities.

Findings

1. The goals if it has to be pursued, the knowledge base of the custodians of the DRR must be improved. The international community and the United Nations MUST come out with CLEAR statement that gives direction to help the developing countries who may not understand how to get this ‘implementation capacity’. Most developed countries and leaders within DRR do not even have a clear understanding of Risk Management, Continuity Of Operations Plan (COOP), Business Continuity Planning/Management, Crisis Communication. They do not know how this concept can be used as effective tool in reducing disasters.
2. Economic disasters are not even regarded as disasters, because industries are not generally seen as part of the SYSTEM, meaning that there is no direct connection between financial disaster (collapse of one bank) and physical disasters. To us, until you have deaths running into millions, then you have disaster, without mincing word, you will be told that according to the UN definition of a disaster, ‘this is not a disaster’.
3. A need to go down to the basic of what constitute a disaster and what is a ‘disaster chain’.

III. Guiding principles

(b) Disaster risk reduction requires that responsibilities be shared by central Governments and relevant national authorities, sectors and stakeholders, as appropriate to their national circumstances and system of governance;

(e) Disaster risk reduction and management depends on coordination mechanisms within and across sectors and with relevant stakeholders at all levels, and. it requires the full engagement of all State institutions of an executive and legislative nature at national and local levels and a clear articulation of responsibilities across public and private stakeholders, including business and academia, to ensure mutual outreach, partnership, complementarity in roles and accountability and follow-up;

(g) Disaster risk reduction requires a multi-hazard approach and inclusive risk-informed decision-making based on the open exchange and dissemination of disaggregated data, including by sex, age and disability, as well as on the easily accessible, up-to-date, comprehensible, science-based, non-sensitive risk information, complemented by traditional knowledge;

(l) An effective and meaningful global partnership and the further strengthening of international cooperation, including the fulfillment of respective commitments of official development assistance by developed countries, are essential for effective disaster risk management;

Comments

As beautiful as this guiding principles is, it can ONLY be achieve when different agencies and organizations have a level of understanding which is derived from a standard. Only then can there be coordination (on the field). Each of this organization would have acquired some level of capacity development, have a functional plan in place (within their “different” agencies), which would have been exercise (based on this standard) before coming together as one.
Most cases, you find out that confusion and stampede is the order of the day, where you have those wielding executive power without basic disaster management skill. This is an area we need to walk on.

For (I), This is where DRI International has to form a global partnership with UN to train different nations on the basic knowledge required to anticipate disaster, plan, with the ability to respond, and recover and build better facility that have been damaged or destroyed, using the principles of Business Continuity Planning
.
IV. Priorities for action

1. Taking into account the experience gained through the implementation of the Hyogo Framework for Action, and in pursuance of the expected outcome and goal, there is a need for focused action within and across sectors by States at local, national, regional and global levels in the following four priority areas:
2. Understanding disaster risk;
3. Strengthening disaster risk governance to manage disaster risk;
4. Investing in disaster risk reduction for resilience;
5. Enhancing disaster preparedness for effective response, and to “Build Back Better” in recovery, rehabilitation and reconstruction.

Priority 1. Understanding disaster risk

1. Policies and practices for disaster risk management should be based on an understanding of disaster risk in all its dimensions of vulnerability, capacity, exposure of persons and assets, hazard characteristics and the environment. Such knowledge can be leveraged for the purpose of pre-disaster risk assessment, for prevention and mitigation and for the development and implementation of appropriate preparedness and effective response to disasters
National and local levels
2. To achieve this, it is important to:

(a) Promote the collection, analysis, management and use of relevant data and practical information. Ensure its dissemination, taking into account the needs of different categories of users, as appropriate;

(d) Systematically evaluate, record, share and publicly account for disaster losses and understand the economic, social, health, education, environmental and cultural heritage impacts, as appropriate, in the context of event-specific hazard-exposure and vulnerability information;

(l) Promote the incorporation of disaster risk knowledge, including disaster prevention, mitigation, preparedness, response, recovery and rehabilitation,__ in formal and non-formal education, as well as in civic education at all levels, as well as in professional education and training;

V. Role of stakeholders

1. While States have the overall responsibility for reducing disaster risk, it is a shared responsibility between Governments and relevant stakeholders. In particular, non-state stakeholders play an important role as enablers in providing support to States, in accordance with national policies, laws and regulations, in the implementation of the framework at local, national, regional and global levels. Their commitment, goodwill, knowledge, experience and resources will be required.

(c) Business, professional associations and private sector financial institutions, including financial regulators and accounting bodies, as well as philanthropic foundations, to: integrate disaster risk management, including business continuity, into business models and practices via disaster risk-informed investments, especially in micro, small and medium-sized enterprises; engage in awareness-raising and training for their employees and customers; engage in and support research and innovation as well as technological development for disaster risk management; share and disseminate knowledge, practices and non-sensitive data; and actively participate, as appropriate and under the guidance of the public sector, in the development of normative frameworks and technical standards that incorporate disaster risk management;

(o) Increase business resilience and protection of livelihoods and productive assets throughout the supply chains. Ensure continuity of services and integrate disaster risk management into business models and practices;

(g) Ensure the continuity of operations and planning, including social and economic recovery, and the provision of basic services in the post-disaster phase;

Conclusion

I have tried to highlight areas where developing countries or individuals will find simple and direct instructions as road map.

It is important to state here that based on my personal knowledge and experience, the knowledge of business continuity planning as packaged by DRI International, is the basic knowledge required that can help executives in DRR Management, DRR staff and ALL agencies of government and ministries. Without this knowledge, the African continent will only be moving round in circles without direction, this will be evidence in the following ways;

▪ Lack of understanding of basic terms used in disaster management evidenced during regional and international forums (some officials will ask what is COOP, or Business Continuity Planning – What are these got to do with disaster).

▪ Lack of coordinated response during disasters

▪ Without appropriate plans, proper exercising which should improve plan will not be conducted, if conducted it is used as ‘public show‘ without any aim

▪ Different agencies will be working at cross road, trying to gain popularity from disaster incidents instead of focusing on safety and prevent loss of lives.

It is important that we all take the management of disaster as a profession, and create an appetite for more knowledge in disaster management.

DRR/Safety Institutes, Federal Government, State Governments and Local Governments MUST strive to have the knowledge of Business Continuity Planning principles which is an appropriate tool for Disaster Risk Reduction and a MUST.

May I ask, are you certified?

Kindly contact us on the following; 08054561141, 08125377462, or onaskme@dri-nigeria.org for further inquiries.

Please see www.drii.org, www.dri-nigeria.org

Yours sincerely,

PHILIP KESHIRO ABCP, CISSP, CISA, COBIT 5, AIMIS, ACIA, AISPON, MBA
PROGRAM DIRECTOR

DRI Course Content

BCM - Year 2015 Schedule

1

Avoiding Fatal Mistakes in Business Continuity – The Middle East Perspective!

Ayesha Al Bakoush, CBCP, CRA

Businesses and organizations are not immune to crises and therefore planning for the unexpected must be considered as a sound practice. Many organizations are unprepared to handle workplace crises, operating under the myth that “those things won’t happen here.” While most of us do not like to think about crises happening to us, planning to deal with them proactively and effectively would help protect human lives, prevent damage and reduce the likelihood of financial and non-financial impacts.

The whole concept of business continuity is relatively new to the UAE. Subsequent to the issuing of the first Emirati business continuity standard – AE/HSC/NCEMA 7000:2012, the majority of the government organizations have started to adopt business continuity into their strategies and have initiated plans from scratch. There are many factors that contribute to the success of business continuity plans, for example: obtaining the executive management support, completing the Business Impact Analysis and Risk Assessment. However, those elements alone cannot guarantee the effectiveness of the business continuity plans.

Business continuity should be more than just a plan, ideally it should be integrated into the culture of the organization and be part of daily operations. This article will undertake analysis of various reasons why business continuity plans might fail even if they cover all critical planning aspects.

  1. Experience & Right Skillset

Although learning the hard way is not always the best option, but the lack of experience in disasters usually leads to wrong decisions as well as the focus on areas that might not be crucial to the organization. Due to the fact that our country is considered to be a safe country and we do not face fatal disasters of any kind, it might be a challenge for organizations to plan and consider events that they have never faced and they don’t even know whether those events are going to ever happen.

1

Ideally training and professional accreditation is one of the best solutions, it helps professionals broaden their horizon about the topic through their networking with other professionals and help them gain more insight about the topic. Also, exploring other organizations who have robust business continuity plans in place and learning from their lessons.

The embedding of the business continuity into the culture of the organization is key to the success of the program. An experienced business continuity professional who knows and understands the culture of the organization he/she is working for, should be able to put plans and ideas to slowly and steadily engage the staff and make it easy for them to absorb the business continuity concept and make it fit into their business and operating models.

  1. Training and testing

Training and testing usually shows how serious an organization is about its business continuity plans.  Due to the resistance factors to new projects, business continuity plans might just end up as a document on the shelf that is never used or looked into. In addition, the safe culture and the lack of exposure to disasters might encourage organizations to skip testing and training which might be considered as a disturbance to normal operations and an unwanted task.

FeaturedTraining & testing are the best indicators to ensure the  proper execution of a business continuity plan.  As per DRI’s 10 Professional Practices, BC plans should be tested at least once a year to ensure the awareness of the employees about their roles and responsibilities and what is expected from them in case of disasters. It is also important to utilize different types of testing ranging from table-top to full scale exercises, each organization should choose the type of testing that suits the nature of its operations taking into consideration the maturity level of the Program.

  1. Over doing it

Many organizations fall into adding too much operational details to their business continuity plans to ensure the availability of all required information.

Another common mistake is “abusing” management support to force the implementation and execution of business continuity-related or non-related processes. In other words, business continuity related terminology might be used the wrong way to drive change into the organization which will demotivate staff and minimize their sense of engagement and ownership.

Business continuity plans should contain the information about critical staff and functions in a brief and well-structured way that makes it easy for the staff to read and execute. Details and long processes should be eliminated from the plan and kept into a separate appendix to minimize confusion, save time and effort. Also, shortcuts to long processes should be taken into consideration and activated during disasters to overcome human resource shortages.

With regard to the use of management support, business continuity professionals should know the required amount of pressure they should use with their staff to enforce rather than force change. Also, staff should feel that they are engaged and involved which will motivate them to contribute towards improving the plans.

  1. Wrong assumptions

4Understanding the nature and culture of the organization is a key element in building a successful business continuity program. Business continuity objectives should be aligned to the organization’s objectives to ensure maximum benefits. The ideal way to plan for disasters is to plan for the worst case scenario, but the question is: how bad the worst case can be? In this case, professionals should be realistic while planning for the worst case.

Business continuity professionals should flawlessly understand management expectations from the business continuity program. The most successful program is one that is tailored according to the needs and expectations of a specific organization. It is also required from business continuity professionals to have a strong vision about what might make a disaster even worse, and what would be the potential solutions or backups if further incidents do materialize.

  1. Outsourcing

5In some cases outsourcing might be a suitable solution to transfer risk and accountability to a third party. However, if an organization is planning to keep its critical functions up and running during a disaster, outsourcing or signing a contract with a third party promising to deliver a service or a product during a disaster is not enough. No matter how strict the legal terms and conditions are, if the service provider fails then the whole process fails.

Before outsourcing or transferring accountability to a third party, an organization should make sure the service provider has their own business continuity plans updated and tested. Also, service providers and third parties should be part of any organizations business continuity testing and training to help define expectations and outcomes from both sides. In addition, it is very critical to always have a backup plan in case the initial plan fails. In this case, finding more than one provider for the same service or product and keep their information documented and updated. And most importantly get them engaged and updated regularly.

Conclusion

Business continuity is a holistic approach based on simple and clear methodologies, if planned properly will ensure the continuity of an organization’s critical functions during disasters, and safeguards its human and physical assets. The implementation of best practices and international standards alone are not enough to ensure the effectiveness and the success of a business continuity plan, rather, it should be realistic, simple, flexible, and up-to-date.

Creating and maintaining a successful business continuity program is more than following a set of best practices; nevertheless, avoiding the above mistakes can enable a more effective capability that aligns to organizational needs and drivers.

 

Ayesha Al Bakoush is currently working as Principal Business Continuity Specialist with Abu Dhabi Crown Prince Court. With over 10 years of professional experience, she possess strong experience and domain knowledge, ranging from implementing and auditing business continuity management programs, enterprise risk management, and project management. She has done her Bachelors in Information Management from the Higher Colleges of Technology in Abu Dhabi and currently pursuing Masters in International and Civil Security at Khalifa University for Science and Technology Research. The author is a Certified Business Continuity Professional and can be contacted at: ayesha.albakoush@gmail.com

 

External Agency Coordination Goes Viral: Time to Update Your BCM Plan

Bill DelGrosso, CBCP, CEM

Commercial business lives with risk every day from competitors, cash flow, and changing technology. They also face threats from recent events including the outbreak of the Ebola virus, including in the US, increasing natural disasters, and protests in Hong Kong. These external, uncontrollable events suggest that you review the Emergency Response Operations, and the Coordination with External Agencies Professional Practices elements of your continuity plans. In each of these examples, organizational business continuity management system (BCMS) planning will be dependent on external agencies level of sophistication, legal jurisdiction, and response capability. Effective BCMS planning reviews, given this framework, should include three key areas:

  1. Make This about People

The core of any business is the people that you employ to do the job. Incidents that interrupt your business will likely impact your personal extending the time that they will get back to work. The Ebola outbreak is having significant personal impacts, as well as economic ones.  Viruses don’t respect national boundaries, so consider how your BCMS would address these issues;

  • 2715873958_8bfe15f561_bInfection of your personal:  If Thomas Eric Duncan were an employee, how would your HR policies support him and his treatment, as well as interacting with public health entities that will need to track movement and exposure of clients and coworkers.  Is your corporate communications personnel ready for the social and traditional media frenzy?
  • Contamination of your workplace:  If your work place has been contaminated, you may not only have to take internal steps to decontaminate, you may be required to by the jurisdiction where the facility exists.  Draconian measures in some countries have brought micro economies to a standstill to put public health measures into place.  You will also have to make sure that employee accountability measures and contact procedures are in place so you can notify employees. You will need to be fully aware of necessary medical screening, understanding the disease, the level of their exposure so that they can take actions to protect their health, and aid in the investigation of the event.
  • Absenteeism:   Every incident I have responded to include the no-show of personnel that were unable or unwilling to respond, including public safety personnel. Your BCMS plan should account for that, especially with something as personal as a health threat. Keep in mind that home and personal preparedness elements should also be part of your personnel awareness program.
  1. Risk Based Decision Making based on External Agency Capabilities

There are broad critiques of how public agencies globally have responded to the Ebola virus outbreak; much of it is second guessing, and misinformation. Emergency managers, including BCMS directors or planners can address that if they add External Agency Capability as a risk category in their risk assessment/ calculations.  When I worked at Miami-Dade County Emergency Management, we met often with our business and industry groups to underline for them what to expect pre and post hurricane incidents. It was crucial for them to understand how evacuation orders and post incident recovery.  Reaching out to local authorities as part of your risk assessment is a step toward understanding what their response capabilities, priorities, and legal authorities are.  The latter is especially important when legal actions like evacuation or medical quarantine are put into place.

imagesIf you recall the 2013 Boston Marathon bombing, millions of people cooperated with the extraordinary measure taken by State and local officials for entire sections of Boston to shelter in place.  The economic cost may never be calculated, and revealed the response mechanisms that public safety entities have available to them.  They could not have implemented it without public cooperation. As part of your outreach to local responders, offer to exercise your plan with their participation and get feedback on what to expect. The more transparent the local officials are, the lower the risk; so be advised that you may need to raise the risk level if your research or outreach doesn’t reveal much.  If your response officials know you before an event, the easier your integration into their plans and continue your prioritized business functions will be.

  1. Manage the Technology Dependency

8475764430_076d38b951_kInformation technology (IT) is either integrated into your operations, or is integrated into the vital systems your organization or business relies on every day. A good BCMS planner should have the vision and the experience to identify, inventory, categorize and maintain the vital systems you can control, or manage as well as public infrastructure that you are dependent on. Determining how something that doesn’t destroy the systems, but limits access to their physical presence (like a protest that blocks access or a quarantine) would impact your IT infrastructure.

Learning from other peoples Emergency Response/ External agency coordination Professional Practices lessons can drive quality updates to your BCMS strategy and plan.

Bill DelGrosso is a Resiliency Strategist in the risk and business continuity practice for Booz Allen Hamilton’s Middle East/North Africa (MENA) office.  He advises commercial and public clients globally on governance, critical infrastructure protection, enterprise risk management, emergency management, business continuity, and exercise programs in various industries and sectors. delgrosso_bill@bah.com