Tag Archives: standards

Avoiding Fatal Mistakes in Business Continuity – The Middle East Perspective!

Ayesha Al Bakoush, CBCP, CRA

Businesses and organizations are not immune to crises and therefore planning for the unexpected must be considered as a sound practice. Many organizations are unprepared to handle workplace crises, operating under the myth that “those things won’t happen here.” While most of us do not like to think about crises happening to us, planning to deal with them proactively and effectively would help protect human lives, prevent damage and reduce the likelihood of financial and non-financial impacts.

The whole concept of business continuity is relatively new to the UAE. Subsequent to the issuing of the first Emirati business continuity standard – AE/HSC/NCEMA 7000:2012, the majority of the government organizations have started to adopt business continuity into their strategies and have initiated plans from scratch. There are many factors that contribute to the success of business continuity plans, for example: obtaining the executive management support, completing the Business Impact Analysis and Risk Assessment. However, those elements alone cannot guarantee the effectiveness of the business continuity plans.

Business continuity should be more than just a plan; ideally it should be integrated into the culture of the organization and be part of daily operations. This article analyzes the various reasons why business continuity plans might fail even when they cover all critical planning aspects.

  1. Experience & Right Skillset

Although learning the hard way is not always the best option, a lack of experience with disasters usually leads to wrong decisions and to a focus on areas that might not be crucial to the organization. Because our country is considered a safe country and we do not face fatal disasters of any kind, it can be a challenge for organizations to plan for and consider events that they have never faced and that they do not even know will ever happen.


Ideally, training and professional accreditation are among the best solutions: they help professionals broaden their horizons on the topic through networking with other professionals and gain more insight into it. Exploring other organizations that have robust business continuity plans in place, and learning from their lessons, also helps.

The embedding of the business continuity into the culture of the organization is key to the success of the program. An experienced business continuity professional who knows and understands the culture of the organization he/she is working for, should be able to put plans and ideas to slowly and steadily engage the staff and make it easy for them to absorb the business continuity concept and make it fit into their business and operating models.

  2. Training and testing

Training and testing usually show how serious an organization is about its business continuity plans. Because of the resistance factors that new projects face, business continuity plans might just end up as a document on the shelf that is never used or looked into. In addition, the safe culture and the lack of exposure to disasters might encourage organizations to skip testing and training, which might be considered a disturbance to normal operations and an unwanted task.

Training and testing are the best indicators that a business continuity plan will be executed properly. As per DRI’s 10 Professional Practices, BC plans should be tested at least once a year to ensure that employees are aware of their roles and responsibilities and of what is expected from them in case of disasters. It is also important to utilize different types of testing, ranging from table-top to full-scale exercises; each organization should choose the type of testing that suits the nature of its operations, taking into consideration the maturity level of the program.

  3. Overdoing it

Many organizations fall into the trap of adding too much operational detail to their business continuity plans in an effort to ensure the availability of all required information.

Another common mistake is “abusing” management support to force the implementation and execution of business continuity-related or non-related processes. In other words, business continuity related terminology might be used the wrong way to drive change into the organization which will demotivate staff and minimize their sense of engagement and ownership.

Business continuity plans should contain the information about critical staff and functions in a brief and well-structured way that makes it easy for the staff to read and execute. Details and long processes should be removed from the plan and kept in a separate appendix to minimize confusion and save time and effort. Shortcuts to long processes should also be considered and activated during disasters to overcome human resource shortages.

With regard to the use of management support, business continuity professionals should know the required amount of pressure they should use with their staff to enforce rather than force change. Also, staff should feel that they are engaged and involved which will motivate them to contribute towards improving the plans.

  4. Wrong assumptions

Understanding the nature and culture of the organization is a key element in building a successful business continuity program. Business continuity objectives should be aligned to the organization’s objectives to ensure maximum benefit. The ideal way to plan for disasters is to plan for the worst-case scenario, but the question is: how bad can the worst case be? Professionals should be realistic while planning for the worst case.

Business continuity professionals should fully understand management’s expectations of the business continuity program. The most successful program is one that is tailored to the needs and expectations of a specific organization. Business continuity professionals also need a clear view of what might make a disaster even worse, and of the potential solutions or backups if further incidents do materialize.

  5. Outsourcing

In some cases outsourcing might be a suitable solution to transfer risk and accountability to a third party. However, if an organization is planning to keep its critical functions up and running during a disaster, outsourcing or signing a contract with a third party that promises to deliver a service or a product during a disaster is not enough. No matter how strict the legal terms and conditions are, if the service provider fails then the whole process fails.

Before outsourcing or transferring accountability to a third party, an organization should make sure the service provider has its own business continuity plans updated and tested. Service providers and third parties should also be part of the organization’s business continuity testing and training to help define expectations and outcomes on both sides. In addition, it is critical to always have a backup plan in case the initial plan fails: find more than one provider for the same service or product, keep their information documented and updated, and, most importantly, keep them engaged and updated regularly.

Conclusion

Business continuity is a holistic approach based on simple and clear methodologies that, if planned properly, will ensure the continuity of an organization’s critical functions during disasters and safeguard its human and physical assets. Implementing best practices and international standards alone is not enough to ensure the effectiveness and success of a business continuity plan; the plan should also be realistic, simple, flexible, and up to date.

Creating and maintaining a successful business continuity program is more than following a set of best practices; nevertheless, avoiding the above mistakes can enable a more effective capability that aligns to organizational needs and drivers.


Ayesha Al Bakoush is currently working as Principal Business Continuity Specialist with Abu Dhabi Crown Prince Court. With over 10 years of professional experience, she possesses strong experience and domain knowledge ranging from implementing and auditing business continuity management programs to enterprise risk management and project management. She holds a Bachelor’s in Information Management from the Higher Colleges of Technology in Abu Dhabi and is currently pursuing a Master’s in International and Civil Security at Khalifa University for Science and Technology Research. The author is a Certified Business Continuity Professional and can be contacted at: ayesha.albakoush@gmail.com


Vendor BCM Planning: Don’t Let Your Vendor’s Disaster Become Your Own!

Jerome Ryan

You’ve built your business continuity management program to the highest standards. You faithfully maintain it each year. You’ve performed exercises to ensure everyone’s role is clear. Is it enough? No.

As companies become more comfortable with their own ability to recover from a disaster, they are becoming increasingly uncomfortable with a vendor’s ability to do the same. Regulations and standards — such as, OCC Bulletin 2013-29 (United States), BDDK Official Gazette No: 26333 (Turkey), ISO 22301 (international), and NCEMA 7000 (United Arab Emirates) — are beginning to require companies to extend their continuity plans into the trusted relationships with third-party vendors. In fact, the newest version of the U.S. banking regulation, OCC Bulletin 2013-29, even requires companies to look into fourth-party vendor business continuity. Fourth parties are defined as the critical vendors of your critical vendors (thus extending the trusted relationship of continuity further).

What does all this mean to you? It means that your business continuity management program must include vendor business continuity management to ensure protection from internal and external hazards. Vendor business continuity management (BCM) is a program that extends internal business continuity protections to critical vendors, suppliers, third parties, and in some cases fourth parties. Common components include:

  • Identifying critical vendors
  • Developing minimum business continuity guidelines and amending master service agreements (MSAs) and service level agreements (SLAs) to include the right to audit BCM programs
  • Developing an internal response plan for the failure of a critical vendor
  • Creating sample tools and templates to support critical vendors (they may not have the internal knowledge or resources to hire a consultant)
  • Implementing an assessment/verification program to ensure critical vendors’ BCM programs are compliant with your minimum BCM guidelines

The Place to Start

The first step in starting a vendor BCM program is to understand which vendors support the company’s critical business processes. This requires the company to perform an analysis of all vendors to determine those that may be:

  • Sole-sourced
  • Experiencing cash flow issues
  • Operating under a lean/just-in-time model
  • Susceptible to other, related risks

If vendors do not fall into any of the aforementioned categories, they may not be categorized as critical or be part of the vendor BCM program. However, it is recommended critical vendors be evaluated annually or sooner if there are major changes/additions to critical vendors.

In some cases, a vendor is more than just critical. Some vendors may provide key components, without which, the company could fail. This is especially true of sole-source vendors. In the cases of manufacturing, consumer products, pharmaceutical, transportation, and other industries, the lead time to replace a critical vendor may be too long. Not having products on the shelf, combined with negative publicity, may effectively shut a company’s product out of the market.

In these special circumstances, a company should consider building an internal recovery plan to prepare for a vendor’s failure. An internal plan should consider available external supply/outsourced manufacturing, lead times to obtain government (e.g. FDA) approval for alternate manufacturing lines, as well as safety stock. The company may decide to identify alternate vendors, begin regulatory approval of second manufacturing lines, or move away from the sole-source vendor altogether.

Next Steps

For critical vendors, establish a set of guidelines that explain the BCM requirements with which they must comply. These guidelines should mirror the BCM methodology of the company building the vendor BCM program, to ensure a true extension of the trusted relationship. Common components include:

  • Senior management commitment
  • An established BCM methodology
  • A BIA requirement to identify critical business processes and related impacts
  • Recovery plans
  • Regular exercises
  • Regular maintenance

These guidelines should be part of all new SLAs and MSAs with critical vendors. The company also should use the same contractual language with existing critical vendors as contracts are renewed. This will protect the company and hold vendors contractually liable for their BCM programs.

Smaller vendors may not have the ability, knowledge, or resources to comply with a vendor BCM program. It may be necessary, and certainly would be helpful, to provide vendors with a BCM toolkit to support their efforts. Companies should be careful to include legal language that holds the issuing company harmless and states that use of the BCM toolkit does not implicitly or explicitly guarantee recovery from a disaster.

The final step in the process is to monitor and verify vendors’ compliance with the vendor BCM program. This usually can be part of an annual, or regular, vendor compliance assessment. To be both productive and meaningful, the assessment can be neither overly intrusive nor superficial. Questions should dig deeper than “Was a BIA completed?” and ask about specifics such as the date of the last BIA update or the critical processes and associated recovery times.
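The screening criteria, minimum guideline components and "dig deeper" assessment questions above, together with the first article's point that plans should be exercised at least once a year, can be turned into a repeatable check. The following script is an added example, not code from this article or from GRM Solutions: the `Vendor` record and its field names are hypothetical, the sample vendors are constructed, and the 365-day thresholds for BIA age and exercise recency are assumptions chosen to match the annual cadence the articles describe.

```python
"""Vendor BCM screening and compliance assessment (added example, hypothetical record format)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Assumed thresholds: an annual cycle, matching the "at least once a year" practice cited above.
MAX_BIA_AGE_DAYS = 365
MAX_EXERCISE_AGE_DAYS = 365

# Constructed assessment date used by the sample run below
ASSESSMENT_DATE = date(2024, 6, 1)


@dataclass
class Vendor:
    name: str
    # Screening criteria from the article's list ("those that may be: ...")
    sole_sourced: bool = False
    cash_flow_issues: bool = False
    just_in_time: bool = False
    other_related_risk: bool = False
    # Evidence gathered during the assessment (hypothetical field names)
    management_commitment: bool = False
    bcm_methodology: bool = False
    last_bia_update: date | None = None
    critical_processes: dict[str, int | None] = field(default_factory=dict)  # process -> RTO in hours
    recovery_plan: bool = False
    last_exercise: date | None = None
    maintenance_schedule: bool = False


def is_critical(v: Vendor) -> bool:
    """A vendor matching any screening criterion enters the vendor BCM program."""
    return v.sole_sourced or v.cash_flow_issues or v.just_in_time or v.other_related_risk


def assess(v: Vendor, today: date) -> list[str]:
    """Compare a vendor's evidence with the minimum guideline components.

    Returns the list of gaps found; an empty list means the vendor is compliant.
    """
    gaps: list[str] = []
    if not v.management_commitment:
        gaps.append("no senior management commitment")
    if not v.bcm_methodology:
        gaps.append("no established BCM methodology")
    # Dig deeper than "was a BIA completed?": check its age and what it produced
    if v.last_bia_update is None:
        gaps.append("no BIA on record")
    else:
        age = (today - v.last_bia_update).days
        if age > MAX_BIA_AGE_DAYS:
            gaps.append(f"BIA stale: last updated {age} days ago")
    if not v.critical_processes:
        gaps.append("no critical processes identified")
    for proc, rto in v.critical_processes.items():
        if rto is None:
            gaps.append(f"no recovery time objective for process '{proc}'")
    if not v.recovery_plan:
        gaps.append("no recovery plan")
    if v.last_exercise is None:
        gaps.append("plan never exercised")
    elif (today - v.last_exercise).days > MAX_EXERCISE_AGE_DAYS:
        gaps.append("plan not exercised within the last year")
    if not v.maintenance_schedule:
        gaps.append("no regular maintenance")
    return gaps


def run_program(vendors: list[Vendor], today: date) -> dict[str, list[str]]:
    """Screen every vendor, then assess only the critical ones."""
    return {v.name: assess(v, today) for v in vendors if is_critical(v)}


# Constructed sample records (fictitious vendors)
SAMPLE_VENDORS = [
    Vendor("ChipFab", sole_sourced=True, management_commitment=True, bcm_methodology=True,
           last_bia_update=date(2024, 1, 15), critical_processes={"wafer line": 72},
           recovery_plan=True, last_exercise=date(2024, 3, 1), maintenance_schedule=True),
    Vendor("LeanLogistics", just_in_time=True, management_commitment=True, bcm_methodology=True,
           last_bia_update=date(2022, 11, 1), critical_processes={"cross-dock": None},
           recovery_plan=True, maintenance_schedule=True),
    Vendor("OfficeSupplies"),  # matches no criterion: stays outside the program
]

if __name__ == "__main__":
    for name, gaps in run_program(SAMPLE_VENDORS, ASSESSMENT_DATE).items():
        print(name, "compliant" if not gaps else "; ".join(gaps))
```

Run stand-alone, the script reports ChipFab as compliant and lists LeanLogistics's stale BIA, missing recovery time and never-exercised plan, while OfficeSupplies never enters the program. The gap list is what an annual assessment would hand back to the vendor and to the contract owner under the SLA/MSA language described above.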

Summary

In summary, a vendor BCM program is not just another company policy. Rather, it enhances and changes the way a company selects, evaluates, and monitors its collective vendors. Companies must understand that recovery and protection have to extend beyond the company walls. Modern organizations are integrated with and vitally dependent upon many other entities. Even companies in the service and financial sectors are vitally dependent on critical vendors. Successful companies focus on their core competencies and rely on partners to fill in the gaps.

So, the next time you’re evaluating your company’s BCM program, remember to look out the door as well as in the mirror.

For Example . . . 

The March 17, 2000 Philips microchip plant fire in Albuquerque, NM is one of the best cases for vendor BCM programs. Nokia and Ericsson, two of the largest mobile phone operators in the world at the time, both sourced critical microchip components from this Philips plant. When a lightning strike caused a small fire, the plant’s clean room was damaged, resulting in the loss of production capacity.

Prior to the fire, Nokia held about a 32 percent market share while Ericsson held about 12 percent in worldwide mobile phone sales. Post fire, Nokia’s mobile phone shipments increased 10.5 percent over the previous year, while Ericsson’s dropped by 35 percent. Why? Nokia reacted quickly and had already prepared for a critical vendor loss prior to the fire, identifying an alternate supplier of microchips. Ericsson, on the other hand, reacted slowly and believed early reports that the fire was small and posed no long-term risk to the supply of microchips.

The total cost to Ericsson was over $400 million USD, including a second quarter 2000 loss of $200 million USD.


Jerome Ryan is CEO of both GRM Solutions and DRI Istanbul, where he implements and oversees client deliverables in crisis management, business continuity management, emergency response, pandemic planning, and other risk management practices. GRM Solutions has offices in New York and Istanbul. He may be reached at jryan@grmsolutions.net or http://www.linkedin.com/in/jeromeryan/

DRI’s Interview with Mohammed al Jenaibi

In a recent interview Mohammed Ahmad Al Jenaibi, CBCP, shared his thoughts and experiences with DRI International. We are pleased to bring you this interview and are very grateful to Mohammed for taking the time to talk with us.

Mohammed is an ex-military search and rescue pilot and former Chief of the SAR Coordination Centre. He joined NCEMA (National Crisis and Emergency Management Authority) in 2008 as Director of Safety and Prevention. A Six Sigma Black Belt, he specializes in quality management and is also an EFQM Auditor, as well as a DRI International Certified Business Continuity Professional (CBCP). He led the committee which developed and published the UAE’s BCM Standard and Guideline (AE/HSC 7000:2012) in 2012. This was the very first BCM Standard in the GCC. He was also the very first BC professional to be awarded a DRI International Award of Excellence as Best Program Leader of the Year for the Public Sector.

DRI: Will you provide a bit of background on NCEMA?

Mohammed Ahmad al Jenaibi: NCEMA was established in 2007, and by 2011 a resolution by the president was issued for its roles and responsibilities. I joined in 2008, and by 2009 we started the business continuity management (BCM) project.

During the beginning we sought to do research, and we wanted to know what we were missing in this country and what we needed. We discovered that BCM was one of the important issues to tackle. And in August, 2013 I resigned from NCEMA.

DRI: Why did NCEMA create its own BCM standard?

MJ: BS25999 was the standard at the time, but we thought it was not well-suited to our nation. We started to look at other standards, including the Singapore standard (SS540), NFPA1600 (USA) and others, and then we decided to write our own standard in Arabic to be more comprehensible for the reader, but still matching and using the same methodologies as the standards mentioned.

When we started the first few pages, we thought it would work fine because everybody could understand it easily. We completed in one year the writing of the standard, but it took us two years to get consensus from all the federal departments and all the ministries. Finally, in 2012, the first version was issued.

DRI: In what ways is your standard different from the others?

MJ: Thank you, very good question. When I said that [other standards] were not well-suited, what I meant was the language, and the way they assumed the reader had a background in emergency management; but in our standard you can see the engagement of risk assessment, taken from ISO31000, throughout BCM.

For people without a huge background in emergency and crisis management, the format of BS25999 would be difficult. When you talk to a community, some agencies do not even have this management system in place. So, you cannot introduce them immediately to BCM. Our goal was to simplify how we did this in our standard. Within our standard, anyone can start and move from A to Z in very simple language and in very simple steps.

DRI: Can you tell me a little bit more about the state of preparedness in the UAE?

MJ: After establishing NCEMA, one of the first things they did was the National Response Plan (NRP). The NRP is complete and is being distributed to the whole government of the UAE, so all entities have prepared or are preparing their specific plans which can be plugged into the national response plan framework.

DRI: What about private sector businesses?

MJ: NCEMA has signed a mutual agreement with the Chamber of Commerce to involve the private sector, but you know we have huge companies who already have business continuity for their own interests. So, they are way ahead in advance. On the other hand, there are some other smaller businesses that have no idea about emergencies at all. I think this is because we do not have huge catastrophes in this country. Although we do not have big disasters, the private sector should realize the importance of emergency management, how they should be prepared, and how they can have their own plans.

Now NCEMA has started educating the public. There will be a lot of media and publicity by NCEMA, supported by the Ministry of Interior, Civil Defense, and all the stakeholders. They will try to straighten out the education and spread the culture of emergency management. This is a challenge, but it should happen within the next few years. We are already putting practice in place, and we hope by 2018, end of 2017, we should be done.

For the private sector, to refer to your question, we hope there will be some support from either the government or the other agencies to the private sector to build up their capability, because as you know the capabilities require resources and money. There may be some incentives for those businesses, to encourage them to incorporate this program into their firms.

DRI: What type of incentives?

MJ: For example, the government could encourage the relevant agencies in charge for the fees of the renewal of their license every year say if they have emergency plans, then they are category one. Category one would be 30% less or something like that. There is another incentive that was also proposed: the government would not sign with any entity or private entity unless they have BCM in place.

DRI: How would you evaluate those plans?

MJ: We would have to know whether they have plans first, if they are to contract with government; then we would have to review them in NCEMA or the appointed agency for the verification.

DRI: Tell us about the education and training that you provided to these different entities, what forms did it take and how long did it take. Were there exercises and tests involved?

MJ: In fact, NCEMA has been exercising the government agencies since 2010. The first one, of course, was like a surprise for some agencies to understand, and it took some time to digest the lessons learned. I can say very proudly that in exercises five and six, everybody knew what they had to do and where they were standing in emergency management.

In terms of training, I am sure that more than 300 officials were trained in NCEMA. This is separate from the training that is conducted directly from the training providers to the entities because they know that they would need to train in EM.

DRI: What threats do entities in the UAE face?

MJ: I can simply say that we do not have natural disasters. We do not have them in our history. But you remember the swine flu and the H1N1? Those threats were at the top of the list at that time; those are the kinds of threats we face. But we have practiced and NCEMA staff have gained a lot of experience, but threats are very dynamic, whether political, natural or manmade. But really, what is happening internationally could happen in the UAE, without a difference, bearing in mind the first rule of emergency management: “always expect the unexpected.”

DRI: You talked about the support that you have from the top people in the country. One of the challenges that I hear from people in other countries is trying to get top management support and to get people to listen when they are talking about business continuity and its importance. How did you get that?

MJ: I can say we are lucky, honestly speaking. Our top leaders, from number one down, they all have been encouraging. There is no doubt that we should be ready for any type of threat. If you talk about big resources like water, electricity, power, then you can see threats everywhere. And those threats are very devastating. I think because of these threats there was no hesitation of the leadership to give us a green light to go ahead and prepare UAE as much as we could. So it wasn’t as much our effort.

DRI: Finally, what is your hope of working with DRI? How do you think that relationship can help you and how can you help us?

MJ: I would say definitely, DRI could help us. The only words we can say to DRI is thank you for supporting our program.

DRI: You have already supported DRI tremendously through the important work that you do and by taking the time to talk with us.

MJ: Thank you. The word from the top was that education is the key to success. So, getting education from DRI on emergency management and specifically on the BCM, and the methodology DRI is following is very valuable to us. I really appreciate the efforts, the cooperation I found with DRI, and I hope this cooperation will continue for a long time.


Meet NCEMA

The National Emergency Crisis and Disaster Management Authority (NCEMA) works under the umbrella and supervision of the Higher National Security Council. It’s the major national standard-setting body responsible for regulating and coordinating all efforts of emergency and crisis management as well as the development of a national plan for responding to emergencies.

Therefore, its work is focused mainly in the development, consolidation and maintenance of laws, policies and procedures of emergency and crisis management at the national level.

The establishment of NCEMA was announced on 14/05/2007 within the organizational structure of the Higher National Security Council to ensure the safety of the lives of all citizens and residents on the territory of the United Arab Emirates and to preserve the property of the country.

NCEMA’s Mission is “to enhance the UAE’s capabilities in managing crisis and emergencies by: setting the requirements of business continuity, enabling quick recovery through joint planning, and coordinating communication both at the national and local level.”

For more information, visit www.ncema.gov.ae.


New CBN Regulation on IT Standards

Philip Keshiro, DRI Nigeria


The Central Bank of Nigeria has just released the final IT Standards Blueprint document for the financial services industry. The IT standards will not stop with the banks but will also extend to other financial sectors such as pensions, insurance and others as time goes on.

The document presents the IT Standards that have been defined and agreed by Banks’ CIOs. For each defined standard, the documentation includes the objective and intention, description, minimum acceptable maturity level, derivable benefits, requirements for compliance, and consequences for deviations.

The IT Standards provide expected industry practices in respect of:

– Enterprise IT Architecture
– Process architecture
– Systems integration / Interoperability
– Network / Communications
– Data Centre Infrastructure

Adoption of and compliance with the defined standards will improve IT leverage and significantly enhance the operating efficiency and cost effectiveness of banks. The impact of the IT Standards on bank operations will include improvements in:

  • Processing
  • Up time and availability
  • Service quality
  • Enterprise Control and Management
  • Risk Management and Assurance
  • Regulatory reporting
  • Business Continuity

Expected Impacts and Benefits

Implementation of these standards is expected to provide the following benefits:

  • Increased up-time / availability of Banks leading to increased cost savings
  • Establishment of a reference point for objective assessment of the IT function leading to improved IT performance measurement
  • Improved data integrity and electronic information exchange
  • Increased efficiency and productivity of staff due to interoperability of IT systems
  • Business Continuity / Recovery and reduced risk of prolonged downtime
  • Improved data security assurance to customers leading to increased customer confidence

Implication:

Years back, Business Continuity (part of the IT standards) was taken as a nice-to-have concept; now it has become a standard for IT. This means that IT professionals must brace up and get professional certification to be recognized and to carry out their work with the confidence needed to meet the standard.

Opportunities abound for the IT professional

  1. The knowledge of Business Continuity Planning is not restricted to IT alone; it is a management discipline that does not restrict holders of the certification to IT.
  2. The knowledge does not restrict you to any sector of the economy. BCP principles can be used in ANY sector of the economy.
  3. BCP knowledge can be applied to manage real disasters: to mitigate, respond and recover.
  4. Getting certified helps you to progress in your chosen career.
  5. There are very few people in Nigeria with BCP certification.
  6. The demand for people with this special skill is increasing daily.
  7. BCP certification and knowledge can help you in your post-employment years.

Where we come in:

We represent DRI International in Nigeria, Ghana and Côte d’Ivoire.

DRI is a non-profit organization committed to:

  • Promoting a base of common knowledge for the continuity management industry
  • Certifying qualified individuals in the discipline of Business Continuity
  • Promoting the credibility and professionalism of certified individuals
  • DRI is the industry’s premier education and certification program body.
  • DRI International has certified people in over 100 Countries.
  • DRI International conducts training courses in over 50 countries.
  • More individuals choose to maintain their certification through us than all other organizations in our industry combined.
  • DRI International certifies and teaches in ten languages.

DRI COLLABORATIONS:

Government Organizations

  • Chaired the Alfred P. Sloan Committee that drafted the Framework for Preparedness that has been the foundation for the Title IX Implementation.
  • Member U.S. Chamber of Commerce Homeland Security Task Force
  • Member of the Council of Experts for ANSI-ANAB who will set the credentialing standard for certifying bodies for PS-Prep
  • Member of FEMA National Advisory Council Private Sector Subcommittee
  • Member of Advisory Committee for Congressionally funded Project for National Security Reform

Non-Government Organizations

  • Member of the NFPA 1600 Technical Committee
  • Member of the BS25999 – ASIS Technical Committee
  • Participant RIMS (Risk Insurance Managers Society) PERK (Professional Exchange of Risk Knowledge) Program
  • Cooperative Education Credit Sharing with ISACA (Information Systems Audit and Control Association)
  • Cooperative Education Credit Sharing with (ISC)2 – (International Information Systems Security Certification Consortium, Inc.)
  • Audit Course Development and Training for Auditors with NFPA (National Fire Protection Association)
  • Meeting with Special Assistant to The President for Homeland Security Standards Policy
  • Chairman of Safe America Drill Down for Safety

APEC (Asia Pacific Economic Cooperation) has endorsed DRI’s (Disaster Recovery Institute International) CBCP (Certified Business Continuity Professional) and MBCP (Master Business Continuity Professional) certifications in its Information Security Certification Guide Book. DRII’s 10 Professional Practices are mapped onto ISO17799 and FIPS200. APEC has 21 Member Economies, which account for more than one third of the world’s population (2.6 billion people), over 50% of world GDP (US$19,254 billion) and in excess of 41% of world trade. APEC also proudly represents the most economically dynamic region in the world, having generated nearly 70% of global economic growth in its first 10 years.

APEC’s 21 Member Economies:

Australia; Brunei Darussalam; Canada; Chile; People’s Republic of China; Hong Kong, China; Indonesia; Japan; Republic of Korea; Malaysia; Mexico; New Zealand; Papua New Guinea; Peru; The Republic of the Philippines; The Russian Federation; Singapore; Chinese Taipei; Thailand; United States of America; Vietnam. This creates the largest global recognition of any BCP certification in the world.

DRI CERTIFICATION RESPECTED WORLDWIDE

A holder of DRI certification is automatically invited by other BCP institutes (i.e. BCI) to become a member without any form of examination. For DRII, it is compulsory for holders of other institutes’ certifications to take the DRI examination.

Course Fees

Our course fees are very moderate, almost half of what would be paid if the course were taken outside the country or through other institutes.