ContinuitySA Chronicles Q2 2015


Upload: cindy-bodenstein

Post on 04-Aug-2015


Page 1: ContinuitySA Chronicles Q2 2015

The annual BC Conference hosted by ITWeb will take place at The Maslow in Sandton on the 18th August 2015 and runs hand in hand with the BCI Africa Awards banquet. ContinuitySA is proud to announce that we are the event sponsor and would like to encourage all industry players within BCM to attend. The core discussion at this conference will be around where business continuity management meets strategy.

The BCI Africa Awards is in its third year and nominations are still open so be sure to click here and read further how to nominate somebody in the various categories listed.

Pete Frielinghaus discusses how to build a career in business continuity management as well as creating business continuity exercises that work. Humbulani Sigidane covers how ISO22301 for business continuity provides an international standard against which businesses can now be audited.

ContinuitySA is also one of the sponsors of the breakfast seminar hosted by the CGF Research Institute on the 21st July 2015, where there will be discussions around business standards and the critical function of a corporate governance framework. There are a few seats available so be sure to book, more detail can be found on page 6.

Also read the 7 practical tips for success for Work Area Recovery Testing.

I hope you enjoy the latest ContinuitySA Chronicles. Join the discussions on our latest blog posts and let us have your feedback, the more we interact the more we can help with all issues related to Resilience, Risk and Recovery.

Wishing you health, wealth and resilience.

Cindy Bodenstein

Q2 2015

Keeping ContinuitySA clients informed

Editor’s Note: Business Continuity and Resilience

The next couple of weeks are filled with a host of business continuity events and not to mention media exposure for the industry.

In this Issue

2: How business continuity planning can save you from a burning platform
3: BCI Africa Awards
4: How to build a career in business continuity management
5: Training helps bring ISO22301 BCM standard to life
6: Breakfast Seminar: Business Standards
8: When failure is the goal
9: ITWeb Business Continuity 2015
10: 7 Practical tips for success for Work Area Recovery testing
11: ContinuitySA Training Dates


How business continuity planning can save you from a burning platform

When a company finds itself on a burning platform, it’s in a desperate situation with no good choices. The burning platform metaphor derives from a real disaster in 1988, when an oil rig in the North Sea caught alight. The worst oil rig disaster to date, it resulted in 166 deaths. One of the 63 saved was a man named Andy Mochan, who chose to jump into the freezing North Sea rather than be burnt alive. Against all the odds, Mochan was rescued within a few minutes, and lived to tell the tale.

When a company finds itself on a burning platform, it’s in a desperate situation with no good choices. The burning platform metaphor derives from a real disaster in 1988, when an oil rig in the North Sea caught alight. The worst oil rig disaster to date, it resulted in 166 deaths. One of the 63 saved was a man named Andy Mochan, who chose to jump into the freezing North Sea rather than be fried alive. Against all the odds, Mochan was rescued within a few minutes, and lived to tell the tale.

“The real point is that on a burning platform, the only options are poor, bad and disastrous,” notes Miles Murray, General Manager: Sales at ContinuitySA, presenting a webinar as part of Business Continuity Awareness Week for 2015. “In that sense, a burning platform is the worst possible catalyst for a change that leads to a positive outcome. To the contrary, I believe that to be effective, change needs to be incremental and well thought out. Business continuity management has a vital role to play in helping companies avoid finding themselves on a burning platform, and in identifying the changes that need to be made early on.”

Business continuity provides the alternative course of action, or Plan B, in case the official strategy, or Plan A, fails. Creating a business continuity plan is thus an important activity not only because it is a way of mitigating risk, but also because it forces the business to identify what could go wrong, and where its weaknesses are.

In other words, creating Plan B leads to improving Plan A; thus creating a virtuous cycle that builds a company’s resilience. One could see it as an evolution of the scenario planning that Shell popularised as a way not to predict the future, but to integrate all the organisational processes that take place in a company: strategy-making, innovation, risk management, public relations and leadership development. Business continuity management doesn’t just look at the big picture; it delves down into the individual components of all the organisational processes as well.

Michael Brown, who co-presented with Murray and is an Account Manager at ContinuitySA, recommends using Porter’s value chain to understand the interdependencies between business processes, and key weaknesses.

“A lot of the elements of business continuity are being undertaken already because studying the value chain is something businesspeople do – what we’re doing is making the process a little more scientific,” Brown comments.

He adds that a key element is the need for leadership – business continuity planning does not happen automatically.

“Aside from leadership, frequent testing is critical for successful business continuity management. A business continuity plan is like a reserve parachute – frequent testing is necessary to be sure that when you need it, it works!” Murray concludes.


How to build a career in business continuity management

As the risks facing business grow, and the obligation to manage those risks becomes entrenched in law and codes like King III, a new profession has emerged: business continuity management. These professionals have the responsibility of ensuring that the business understands the risks to which it is exposed, and can recover its critical business functions as quickly as possible in the event of a disaster – thus ensuring business continuity.

The disaster could be anything from a strike or power outage to a fire, a tsunami or outbreak of flu or Ebola.

Business continuity needs to be managed because a company’s risk profile keeps changing, as do its business processes and staff. All of these factors need to be assessed regularly, and the necessary mitigation measures put in place and then exercised/tested.

“Business continuity managers need to be able to identify risks and what their impact on the business would be, before establishing what level of risk mitigation is appropriate – strong analytical skills are a must, along with objectivity,” explains Pete Frielinghaus, Senior Advisor at ContinuitySA, Africa’s leading provider of business continuity services. “Business continuity managers also need to be good communicators because they are constantly interacting with people regarding the value of business continuity management, and extracting from them the risks that threaten their particular portion of the business as well as ascertaining the potential impacts of not being able to provide the service or product they are responsible for.”

Business continuity managers also need a high level of self-confidence—they will have to interact with everybody within the company, from the chairperson to the cleaners, says Frielinghaus.

Traditionally, business continuity managers drifted into the discipline, mostly because their companies asked them to fulfil this role. But as the role grew and became more professional – the industry body, the Business Continuity Institute, has issued The Good Practice Guideline and the International Standards Organisation has established a set of standards, the most important of which is the ISO 22301 – professional consulting firms were established.

Although no dedicated degree in business continuity exists, Frielinghaus believes that it’s only a matter of time before it makes its way onto university curriculums; however, Diploma courses already exist. Graduates in Risk Management are the most common original source of “career” business continuity managers at present.

So if you’re thinking of business continuity as a career, how to go about acquiring the necessary skills?

Provided you have the necessary combination of analytic and communication skills, Frielinghaus advises starting with acquiring project management skills first. It’s also important to hone presentation and wider communication skills – especially the ability to listen, he stresses. Providers like ContinuitySA also give short courses in the standards mentioned above.

“Then decide if you’re going to specialise or remain a generalist,” says Frielinghaus. Specialisation areas would include business impact analysis, crisis management, exercising and testing, training and auditing in terms of the standards. There’s also the opportunity for those with a technical background to specialise in IT disaster recovery.

“Courses are one side of the equation; equally important is the need to get practical experience,” Frielinghaus says. “Finding a mentor is perhaps the most important thing you should do. Whether you’re working within a company or for a business continuity consultancy, put your hand up for any of the practical activities related to business continuity. These are great ways to build experience.”

Business continuity is a great career choice for women, Frielinghaus adds, noting that many of the best consultants are female.


Training helps bring ISO22301 BCM standard to life

ISO22301 for business continuity provides an international standard against which businesses can now be audited and awarded a certification of compliance. But, for those tasked with putting the Business Continuity Management (BCM) systems in place, the standard offers little or no guidance about how to put the processes in place to satisfy the auditors that the company is complying with the standard.

Humbulani Sigidane, BCM advisor at ContinuitySA, says that training offers a way for corporate executives who take on the BCM responsibility to come to grips with what the standard means in practical terms.

“ISO22301 standard is essentially what the company will get audited against, but the ISO document itself doesn’t specify what the company’s BCM programme and activities need to look like in order to be judged compliant with the standard,” Sigidane explains. “It’s the old problem of turning theory into practice, you could say.”

Having recently completed ContinuitySA’s Lead Implementer for ISO22301 training, a five-day course, Sigidane says that the detailed training did a great job of showing how to create an action plan for implementing and managing a BCM system based on the standard. Each module, he says, breaks down the various elements of the standard in order to understand what actions need to be taken in order to plan and then implement a BCM system.

“The training first helps you to understand what the goals of each clause in the standard are, why you would want to achieve them, and then how to do it,” Sigidane says. “It basically aligns the plan/do/check/act Deming cycle renowned with ISO standards with BCM best practices.”

Another big benefit of the training is that it gives the BCM implementer insight into various specialist disciplines that are part of the broader BCM environment, and that he or she might not understand, especially given that BCM practitioners frequently have a project management background. Examples of these specialist areas include the audit process itself (what are auditors looking for?), writing a business continuity policy and general risk management.

The fifth day of training is an examination which can be rewritten if necessary during the following 12 months. ContinuitySA’s Lead Implementer for ISO22301 training is accredited by the Professional Evaluation and Certification Board (PECB), and the examination is recognised by the American National Standards Institute (ANSI). Candidates that successfully completed the training and exam and can demonstrate prior BCM experience are then awarded an ISO 22301 Lead Implementer certification.

“The certifications mean that the training helps to build a career in BCM but, even more important, it makes you much more effective in your job,” Sigidane concludes.


When failure is the goal: Creating business continuity exercises that work

This year’s Business Continuity Awareness Week was focussed on testing because, clearly, that’s the only way to ensure that a business continuity plan works in reality as well as on paper. However, as Peter Frielinghaus, Senior BCM Advisory at ContinuitySA, points out, validating the business continuity plan is itself a process more than an event.

“That’s why the ISO 22301 standard requires exercising and testing of business continuity procedures to ensure they meet your objectives and are reliable. To my mind, the exercising is where the most value lies because it helps the organisation assess where it is and where it needs to improve, whereas a test simply delivers a pass or fail,” he says. “When you do a test, you aim to pass it but when designing exercises, it’s best to fail them so you learn the maximum amount—especially what is wrong.”

Exercises allow organisations to rehearse plans, verify information in plans and train all relevant personnel, including their deputies, Frielinghaus notes. He goes on to say that aside from being robust, exercises need to be carefully constructed to be realistic in regard to likely threats and a company’s business.

“To give an extreme example, doing an exercise based on tsunamic damage for a company that is based inland would reduce buy-in from employees,” he says. “It’s also good advice to begin gradually with fairly simple exercises, building up in complexity as the teams become more proficient and your sense of the organisation’s actual level of business continuity maturity becomes more exact.”

Following this approach will enable the organisation to confirm whether its business continuity capability reflects its scale and complexity, that its business continuity plan works and that its business continuity management programme meets its policy objectives. Perhaps most important of all, Frielinghaus says, an ongoing programme of exercises would ensure that the organisation’s business continuity capability is continually being improved.

As a guide, Frielinghaus says that over a 12-month cycle, the exercises should test whether the equipment required by the plan works, that procedures and plans are correct and dovetail with each other, and that procedures are manageable. In addition, the exercises should be designed to reveal whether the required recovery time objective for business process can be met, and whether the personnel involved have the skills, authority and experience needed.

Key elements for the success of any exercise are that every participant undertakes to document his or her experience and recommendations for review, and that problems are highlighted.

“Remember that the exercise is testing the plan and not the participants, and that it is not testing what caused the disruption in the first place, or the measures put in place to mitigate risks,” Frielinghaus concludes. “It’s particularly important to remember that an exercise is not a test, and thus that it’s preferable to fail in order to learn as much as possible.”


7 practical tips for success for Work Area Recovery testing

So you’ve got a business continuity management plan in place, and it includes a work-area recovery (WAR) component. Now, of course, you need to make sure that the plan works.

“When you physically move a group of people to a new site and expect them to be productive almost immediately, in a sense the easy part is ensuring they have the basic tools: desks, computers with the right programmes, washrooms and so on,” says Tracey Linnell, General Manager: Advisory at ContinuitySA. “But there are a host of practicalities that need to be thought through that will make all the difference, and that should be integrated into the practice routines. This will make the testing of your plan much more successful, and will pay off should a disaster occur.”

Linnell offers the following seven tips to think about:

• Show the way. When people arrive at the WAR for the first time in a group, they don’t know where to go. Make sure that each team leader has a lollipop-style sign with the team name clearly marked so people can find where they need to be quickly, roll calls can be taken, and the team can proceed to their designated area in an orderly fashion.

• Put together a battle box. This contains all the additional things people need to do their jobs. It is primarily a set of physical items stored in a case that is taken to the WAR (or stored at the WAR site), but it might also be stored virtually if the requirements are all digital.

Examples of physical items would be stamps, stationery, training or reference manuals. Other elements that need to be considered would be security tokens that people need to authenticate certain financial transactions, as well as all the many passwords people need to access multiple applications – and sometimes the telephony system instruction manual! The former might be stored in a sealed envelope in the battle box or in a virtual, encrypted form in the cloud.

“Also important are the links and shortcuts to the websites and corporate applications that staff members use regularly. Usually these are on people’s computer desktops in a normal operating environment, and then when they need to work at the WAR, they cannot find their shortcut, nor do they know the URL of the website/application. Make sure everybody has a list of the actual URLs in the Business Continuity Plans,” Linnell advises.

“Also make sure that people have the correct media players that they will need on their computers – having to download them can add to the confusion and load IT even more.”

• Get them there. When testing, it’s likely that the company will take staff to the WAR site by bus, but give some thought to how they will get there over several days or weeks if there is a real disaster. For many people, especially in South Africa, transport is a major factor as regards expense and availability.

• Don’t forget the food. People tend to rely on canteens or nearby restaurants for creature comforts during the workday—make sure that there are tea and coffee facilities on site and that you have thought through how they will get lunch, chocolate bars and whatever else they need to survive the work day.

• Keep collaboration happening. Make sure that lists of extension numbers at the WAR are distributed so that workers can continue to consult with colleagues easily.

• Include outsourcing providers. The outsourcing of parts of the business process is increasingly common, and so it is essential that outsource providers are included in WAR testing and planning so that things work smoothly in the event of a disaster.

• Make the test credible. One thing to bear in mind when testing is to ensure that the WAR is not simply connecting back to the IT production environment (when it should be pointing to the DR environment) – thus rendering the test null and void in the truest sense. Another point to remember is that the same people should not be used for each test cycle – make sure that as many people as possible go through the testing process and know how the WAR works.

“Over the course of various testing cycles, it’s likely that additional things will come up,” Linnell concludes. “It’s important to make sure they are included in the plan so that future tests – and in the event of a real incident – that things will run as smoothly as possible.”


Make the Reaction Routine

Africa’s largest Business Continuity service provider, ContinuitySA, has enhanced its Complete Continuity Training Academy.

The one-day course, the ICT Continuity Training, is targeted at IT and Business Continuity Management (BCM) professionals responsible for the continued uptime of IT services within their organisations.

Key elements of the ICT Continuity Course include:

• The link between BCM and ICT Continuity Management;
• The evolution of ICT Continuity;
• The latest concepts and trends in ICT Continuity;
• Conducting an Infrastructure Impact Analysis;
• Formulating and implementing cost effective ICT Continuity strategies to meet business requirements;
• Security management in ICT Continuity;
• Testing the ICT Continuity framework; and
• A Continuity-as-a-Service case study.

Attendees will not simply be bombarded with theory, but will be taught skills proven in the real world by active BCM practitioners with MBCI (Member of the Business Continuity Institute) certifications.

The course is based on the Good Practice Guidelines of the BCI and complies with the new ISO22301 standard to ensure it is on par with international best practices.

The 5 day Complete Continuity® Practitioners Programme is designed to equip Business Continuity practitioners within any organisation in all aspects of implementing, managing and maintaining an effective Business Continuity framework in their respective environments.

The course is based on the Business Continuity Institute’s Good Practice guidelines and ISO22301 international standard.

Key elements of the 5 day Complete Continuity® Practitioners Programme include:

• Introduction and Origins of BCM
• Trends and Observations
• Standards and Compliance
• Elements of the BCM Lifecycle
• BCM policy and Programme Management
• Embedding BCM in the Organisation’s culture
• Understanding the organisation
  - Business Impact Analysis
  - Continuity Requirements Analysis
  - Risk Assessment
• Determining BC Strategy
  - Selecting strategies and tactical responses
  - Consolidating Resource levels
• Developing and Implementing a BC response
• Exercising, Maintaining and Reviewing
• Measuring BC Maturity

To register or to find out more please contact the training department on 011 554 8000 or email us on [email protected] or simply register online via www.continuitysa.co.za

ICT Continuity Training Programme (1 Day Training)

• 3 August 2015 – Botswana
• 25 August 2015 – Cape Town
• 28 October 2015 – Johannesburg
• 2 November 2015 – Botswana
• 25 November 2015 – Cape Town

Complete Continuity Practitioner Programme (5 Day Training)

• 13 to 17 July – Cape Town
• 27 to 31 July – Johannesburg
• 7 to 11 September – Cape Town
• 19 to 23 October – Johannesburg
• 16 to 20 November – Cape Town
• 30 November to 5 December – Johannesburg