
National Continuity Plan vs Total Business Resilience: In whose court is the ball?

Adewale Akinwale

Winning in a game of tennis revolves around a player’s ability to hit the ball back at the opposing player with as much dexterity as possible. Getting the ball back across the net ensures that the ball does not end in your half of the court, in which case you would have lost a point. The flurry of warnings and notices of closure/service outages from core service providers to Nigerian customers in the last week of May 2015 was rather suggestive of a weakened tennis player who could do no more than swing his racket and hit the ball in the direction of the hapless spectators rather than at the terrifying opponent.

It was undoubtedly the toughest of times for the nation, and its citizenry faced what commentators arguably referred to as the worst fuel scarcity situation ever recorded in a country that has become synonymous with fuel queues over the years, despite being a major global exporter of crude oil. So this was clearly not the characteristic, walk-in-the-park fuel scarcity situation that everyone had gotten used to; agreed. However, the actions and reactions of many corporate organizations, ranging from radio and TV stations, banks and financial service providers to telecoms service providers and airlines, could not have painted a grimmer picture of hopelessness for the customers at such a difficult time. Two major telecommunications service providers were the first to throw up their hands in submission to the monstrosity of the situation, and just about then, core service providers in other sectors started throwing in the towel in record time as if in a game of firsts.

The shutdown not only caused stress for customers but almost threatened the national sovereignty of the country. The critical question therefore to be asked is, should we hold the national government responsible for lacking a national continuity plan that applies to fuel scarcity situations or should businesses have had their own comprehensive continuity plans independent of any government intervention?

Interestingly, amidst the doom and gloom, a start-up ecommerce firm, Jumia Nigeria, stood out and positioned itself strategically to take advantage of the situation. It was prepared for such a situation and also used the opportunity to promote its energy-efficient product lines. That is resilience in the face of adversity, and the big businesses have a lot to learn from the fast-growing online retailer.

As a continuity professional, I would hope that lessons were learnt from the past experience and that both the government and private organizations are better prepared to manage any such distressing situation in the future. A national continuity plan on the part of the government and a total business resilience plan for privately run businesses will definitely save valuable downtime hours and greatly impact on both national and corporate competitive advantage. The wow factor is in that simple question that observers will be asking: “How are they able to stay open?”


Adewale Akinwale is the Head of Enterprise Risk Management at the Nigerian Aviation Handling Company (Nahco Aviance). He was named finalist under the Awards category of Industry Newcomer of the year 2015 by the Disaster Recovery Institute USA.

DRI’s Interview with Mohammed al Jenaibi

In a recent interview Mohammed Ahmad Al Jenaibi, CBCP, shared his thoughts and experiences with DRI International. We are pleased to bring you this interview and are very grateful to Mohammed for taking the time to talk with us.

Mohammed is an ex-military search and rescue pilot and former Chief of the SAR Coordination Centre. He joined NCEMA (National Crisis and Emergency Management Authority) in 2008 as a Director of Safety and Prevention. A Six Sigma black belt, he specializes in quality management and is also an EFQM Auditor, as well as a DRI International Certified Business Continuity Professional (CBCP). He is the lead of the committee which developed and published UAE’s BCM Standard and Guideline (AE/HSC 7000:2012) in 2012. This was the very first BCM Standard in the GCC. He was also the very first BC professional to be awarded a DRI International Award of Excellence as Best Program Leader of the Year for the Public Sector.

DRI: Will you provide a bit of background on NCEMA?

Mohammed Ahmad al Jenaibi: NCEMA was established in 2007 and by 2011 a resolution by the president was issued for its roles and responsibilities. I joined in 2008, and by 2009, we started the business continuity management (BCM) project.

During the beginning we sought to do research, and we wanted to know what we were missing in this country and what we needed. We discovered that BCM was one of the important issues to tackle. And in August, 2013 I resigned from NCEMA.

DRI: Why did NCEMA create its own BCM standard?

MJ: BS25999 was the standard at the time, but we thought it was not well-suited to our nation. We started to look at other standards, including the Singapore standard (SS540), NFPA1600 (USA) and others, and then we decided to write our own standard in Arabic to be more comprehensive for the reader but still matching and using the same methodologies in the standards mentioned.

When we started the first few pages, we thought it would work fine because everybody could understand it easily. We completed in one year the writing of the standard, but it took us two years to get consensus from all the federal departments and all the ministries. Finally, in 2012, the first version was issued.

DRI: In what ways is your standard different from the others?

MJ: Thank you, very good question. When I said that [other standards] were not well-suited, what I meant was that the language and the way they assumed the reader had a background in emergency management, but in our standard you can see the engagement of risk assessment taken from the ISO31000 throughout BCM.

For people without a huge background in emergency and crisis management, the format of BS25999 would be difficult. When you talk to a community, some agencies do not even have this management system in place. So, you cannot introduce them immediately to BCM. Our goal was to simplify how we did this in our standard. Within our standard, anyone can start and move from A to Z in very simple language and in very simple steps.

DRI: Can you tell me a little bit more about the state of preparedness in the UAE?

MJ: After establishing NCEMA, one of the first things they did was the National Response Plan (NRP). The NRP is complete and is being distributed to the whole government of the UAE, so all entities have prepared or are preparing their specific plans which can be plugged into the national response plan framework.

DRI: What about private sector businesses?

MJ: NCEMA has signed a mutual agreement with the Chamber of Commerce to involve the private sector, but you know we have huge companies who already have business continuity for their own interests. So, they are way ahead in advance. On the other hand, there are some other smaller businesses that have no idea about emergencies at all. I think this is because we do not have huge catastrophes in this country. Although we do not have big disasters, the private sector should realize the importance of emergency management, how they should be prepared, and how they can have their own plans.

Now NCEMA has started educating the public. There will be a lot of media and publicity by NCEMA supported by the Ministry of Interior, Civil Defense, and all the stakeholders. They will try to straighten out the education and spread the culture of emergency management. This is a challenge but it should happen within the next few years. We are already putting practice in place and we hope by 2018, end of 2017, we should be done.

For the private sector, to refer to your question, we hope there will be some support from either the government or the other agencies to the private sector to build up their capability, because as you know the capabilities require resources and money. There may be some incentives for those businesses, to encourage them to incorporate this program into their firms.

DRI: What type of incentives?

MJ: For example, the government could encourage the relevant agencies in charge for the fees of the renewal of their license every year say if they have emergency plans, then they are category one. Category one would be 30% less or something like that. There is another incentive that was also proposed: the government would not sign with any entity or private entity unless they have BCM in place.

DRI: How would you evaluate those plans?

MJ: We would have to know whether they have plans first, if they are to contract with government. Then we would have to review them in NCEMA or the appointed agency for the verification.

DRI: Tell us about the education and training that you provided to these different entities, what forms did it take and how long did it take. Were there exercises and tests involved?

MJ: In fact, NCEMA has been exercising the government agencies since 2010. The first one, of course, was like a surprise for some agencies to understand and it took some time to digest the lessons learned. I can say very proudly that in exercises five and six, everybody knew what they had to do and where they were standing in emergency management.

In terms of training, I am sure that more than 300 officials were trained in NCEMA. This is separate from the training that is conducted directly from the training providers to the entities because they know that they would need to train in EM.

DRI: What threats do entities in the UAE face?

MJ: I can simply say that we do not have natural disasters. We do not have it in our history. But you remember the swine flu and the H1N1? Those threats were on the top of the list at that time, those are the kinds of threats we face. But we have practiced and NCEMA staff have gained a lot of experience, but threats are very dynamic, whether political, natural or manmade. But really what is happening internationally could happen in the UAE, without a difference bearing in mind the first rule of Emergency management “always expect the unexpected.”

DRI: You talked about the support that you have from the top people in the country. One of the challenges that I hear from people in other countries is trying to get top management support and to get people to listen when they are talking about business continuity and its importance. How did you get that?

MJ: I can say we are lucky, honestly speaking. Our top leaders, from number one down, they all have been encouraging. There is no doubt that we should be ready for any type of threat. If you talk about big resources like water, electricity, power, then you can see threats everywhere. And those threats are very devastating. I think because of these threats there was no hesitation of the leadership to give us a green light to go ahead and prepare UAE as much as we could. So it wasn’t as much our effort.

DRI: Finally, what is your hope of working with DRI? How do you think that relationship can help you and how can you help us?

MJ: I would say definitely, DRI could help us. The only words we can say to DRI is thank you for supporting our program.

DRI: You have already supported DRI tremendously through the important work that you do and by taking the time to talk with us.

MJ: Thank you. The word from the top was that education is the key to success. So, getting education from DRI on emergency management and specifically on the BCM, and the methodology DRI is following is very valuable to us. I really appreciate the efforts, the cooperation I found with DRI, and I hope this cooperation will continue for a long time.

 

Meet NCEMA

The National Emergency Crisis and Disaster Management Authority (NCEMA) works under the umbrella and supervision of the Higher National Security Council. It’s the major national standard-setting body responsible for regulating and coordinating all efforts of emergency and crisis management as well as the development of a national plan for responding to emergencies.

Therefore, its work is focused mainly in the development, consolidation and maintenance of laws, policies and procedures of emergency and crisis management at the national level.

The establishment of NCEMA was announced on 14/05/2007 within the organizational structure of the Higher National Security Council to ensure the safety of the lives of all citizens and residents on the territory of the United Arab Emirates and to preserve the property of the country.

NCEMA’s Mission is “to enhance the UAE’s capabilities in managing crisis and emergencies by: setting the requirements of business continuity, enabling quick recovery through joint planning, and coordinating communication both at the national and local level.”

For more information, visit www.ncema.gov.ae.

 

 

Business Continuity Amidst the Recent Middle East Turmoil

Omar Sherin

In late January of this year, the Middle East was the scene of unprecedented and rapid political and social changes that took the most mature businesses and industries by surprise, and left them virtually paralyzed. Not even the most sophisticated and knowledgeable secret intelligence agencies predicted the massive scale social uprisings that emerged throughout the region.

It is worth analyzing business continuity strategy in Egypt because it witnessed what was probably the first international incident ever recorded of a government using the internet “kill switch,” as well as the ripple effect of the consequences resulting from the decision. Additionally, Egypt is the second largest economy on the African continent following South Africa, and it has the most diversified economy in the region by United Nations standards; the impact on diversified businesses is therefore clearly visible and not sector-specific.

How It Happened

After days of continuous anti-government demonstrations that used the Internet and social networks such as Facebook and Twitter as coordination platforms, the former administration decided to cut the Internet just minutes before midnight on January 27, 2011 with the hope of preventing protesters from using their communication tools. Minutes later, it was confirmed that there was no Internet connectivity whatsoever across the entire country. What was once deemed technically impossible was proven to be technically possible. In such authoritarian countries, much of the physical telecommunications infrastructure is under the direct ownership and control of the government.

We saw firsthand the catastrophic impact of the government’s impulsive decision. Imagine a country or a modern business deprived “overnight” of emails, VoIP services, e-commerce, online conferencing, web-browsing, running a corporate website or even seeking remote online support. This unprecedented situation lasted for five consecutive business days.

Immediate Impact

Companies working in the IT outsourcing industry were among the first to be affected. The direct loss in revenue for those five days is estimated at $90–$120 million USD, which does not include lost business opportunities and possible SLA violations and lawsuits. Another example is the banking sector. Several national and multinational banks announced key services such as international money transfer and online banking were unavailable or unreliable. With the national ATM network shutdown and the standalone ATM machines vandalized, millions of bank customers resorted to standing in long queues in front of their local bank branches.

Plans Exercised

Very few companies appeared to be unaffected and resilient. Some companies survived due to exercising solid BC plans, yet others were sustained just because of pure luck. One major mobile operator provides a good example of a company that survived the disruption. This company’s actions demonstrated the effectiveness of having a solid and comprehensive business continuity plan in place.

On January 27, the BCP was triggered by the government cutting off the Internet. Then, the crisis management team (CMT) met and activated the disaster recovery plan (DRP) to safely shut down the local IT services and focus on securing the physical assets, data centers, key cellular towers, and power generation stations, from sabotage and perhaps the unsafe street conditions.

Initially, the customer call center was bombarded with calls complaining about difficulties using communication services like mobile Internet, Blackberry, international calls. Although the customer service representatives tried to explain the situation to callers, they soon realized it was a national problem.

On January 29, the government announced a national state of emergency and a curfew was enforced. Furthermore, all the mobile operators in the country received orders from the government to shut down all mobile communications including voice and SMS services as a last attempt to cripple the demonstrators’ communications. Due to a provision in the mobile regulatory license agreements signed with all the mobile operators, companies had to comply. This decision proved to have significant costs and negative corporate image implications that later left those companies with no option but to embark on massive damage control and PR campaigns.

At this stage, the CMTs ordered the shutdown of the customer call center and landlines, activated the internal call tree and ordered all staff to remain at home until further notice. After receiving confirmation that all headquarters and branch offices countrywide had been evacuated and locked, the CMT started the crisis communication plan which had to deliver several messages to international media and foreign stock markets where the company is listed.

On the IT side of the disruption, the DRP of this company was designed to mitigate the risk of total and complete loss in connectivity by developing a replica of its web services hosted in Europe, as well as by signing with a prominent cloud-based managed services provider to manage the security and availability of the corporate emails for its 5,000 users in the cloud. This managed service had a provision that allowed them to save drafts of undelivered emails “in the cloud” for up to seven days. Once the former president and his administration announced his resignation, the Internet was back online and the employees’ mailboxes were flooded with week-old emails, certainly a better situation than an empty mailbox and angry customers.

On the other hand, entities such as the Egyptian stock exchange (egyptSE.com), which appeared to be online and reachable throughout the Internet blackout, proved to be on a single and fairly small ISP in terms of market share. It is unclear if it survived the former government’s decision by coincidence, as the Stock Exchange is one of its few subscribers. On the other hand, it could be that the ISP was purposely spared because of the Stock Exchange and that the other few subscribers were incidental beneficiaries.

Based on available information, nearly 80 percent of the businesses in Egypt did not list the scenario of a national Internet blackout as a strong possibility and were therefore unprepared. The remaining 20 percent were either well-prepared with alternative and varied means of international communication, such as satellite connectivity (VSAT), or were companies that do not exclusively rely on the Internet for business.

Who Survived?

The most advanced secret intelligence agencies in the world, such as the US Central Intelligence Agency (CIA), did not anticipate this revolution. The United States Secretary of State Hillary Clinton described the Egyptian government as “stable” after three days of events. Interestingly, none of the traditional risk assessment methods available or practiced in most of the companies in Egypt would have predicted the risk of a major political overhaul and social uprising.

The event was the world premiere of a government using the Internet kill switch, coupled with a nationwide mobile communication blackout. It simply caught everyone off guard. However, corporate risk experts should have learned from their previous experience in 2008 when there was a major Internet services disruption due to human error when an undersea Internet cable was cut.

The failure to anticipate this major incident in the corporate risk matrix was impermissible. Perhaps the only companies that continued operation throughout the disruption were those with rigorous, dynamic, and active risk assessment practices that learned from the 2008 events and translated those lessons into viable disaster scenarios.

One key observation is that companies that used cloud computing were noticeably more resilient and capable of working around this disruption because of the flexibility and availability offered by cloud computing infrastructure.

Many small to mid-sized businesses with traditional BC and DR plans found that their plans had many shortcomings in regard to this particular situation, as there was a dependency on modern technology. Ironically, many companies could not activate their call trees since mobiles and SMS were unavailable and disseminating a message to the branch offices across the country was nearly impossible.

Even companies with expensive disaster recovery sites (located over 100 miles away) had problems activating the DRP due to the complete and prolonged loss in connectivity and the inability to seek technical support from partners or vendors, including industry blue chip companies.

The recent events emphasized how modern businesses really depend on technology and, particularly, the Internet. These events also provided the unfortunate reminder that we take these modern technologies for granted.

 

References:
1. Internet Kill Switch (http://www.infowars.com/egypts-internet-killswitch-coming-to-america/)
2. Hillary Clinton comment on the events on the 28th (http://af.reuters.com/article/topNews/idAFJOE70O0KF20110125)
3. Undersea cable cut (http://news.bbc.co.uk/2/hi/7792688.stm)

 

Omar Sherin holds a bachelor of science degree in computer engineering, with more than 10 years of professional information systems security, resiliency and SCADA security experience. He is a member of the OWASP organization leaders board and a voting member on the IEC/ISA-99 standard for critical infrastructures security. He has worked for several multinational firms in the oil and gas sector, and he is a certified ISO27001LA, CEH, and a CBCP.