Most Common Blind Spot in Business Continuity Plans...According to the Australian Cyber Security...


Page 1: Most Common Blind Spot in Business Continuity Plans...According to the Australian Cyber Security Centre 2016 Threat Report, the Australian private sector is ‘persistently targeted by

Most Common Blind Spot in Business Continuity Plans

Even though the company’s BCP has been thoroughly tested, the rehearsals involved capable people. In real-life disasters, those people might not be around ...

Business Continuity Software

What should you look for?

Data Protection in the Cloud

The challenges ahead

Technology Helping Drive Maturity

Effective business resiliency

On the Road to Resilience

Are we there yet?

Edition 5 - July 2017


JULY 2017

In this edition ...

03 From the President’s Pen

04 Data Protection in the Cloud: The challenges ahead

06 The Most Common Blind Spots in Business Continuity Plans: Even though the company’s BCP has been thoroughly tested, the rehearsals involved capable people. In real-life disasters, those people might not be around...

08 The Australian Chapter Thanks Two of its Longstanding Members

09 Choosing Business Continuity Software: What should you look for? The 7 key considerations.

11 Australasian BCI Awards: Registrations for the Awards Dinner are open! Don’t miss out on this gala event.

12 How Technology is Helping Drive Maturity in the Resiliency Space: Technology drives effective business resiliency across the organisation. It seems much of the time the critical internal processes of keeping the business running and operational do not have the same technology focus.

14 Business Continuity Awareness Week - Bringing BCM to all Organisations: An update from the Wellington Forum Team

15 Standards Update

16 On the Road to Resilience: Are we there yet?

17 Training Opportunities

18 Upcoming Events

About this Publication

Continuity & Resilience Australasia Magazine is a publication of the Australasian BCI Chapter. The magazine is published three times per year and is an excellent source for all things Business Continuity and Resilience related. Articles include thought leadership pieces, case study presentations, discussion papers, top tips, upcoming events and professional advice on a wide range of business continuity topics designed to keep you in the loop as well as get you thinking.

Continuity & Resilience Australasia
Business Continuity Institute Australasia
L33, 264 George Street
Sydney NSW 2001

Corporate Service Manager & Editor: Lisa Riordan

The views expressed in this magazine are not necessarily those of the Business Continuity Institute Australasia. All efforts have been taken to ensure the accuracy of information published. The publisher accepts no responsibility for any inaccuracies, errors or omissions in the information provided in this publication. All original content in this magazine is protected by copyright and cannot be used, reprinted, distributed, or republished for any commercial use without prior written consent. Continuity and Resilience Australasia Magazine is only responsible for the copyright of original material published in this newsletter. In the case of materials submitted by members it is assumed that the original source has secured copyright and/or obtained permission to publish the materials.

Coloured “Continuity Band” Logo created by Joel Foffani; for enquiries please email [email protected]


Introducing …

Kia ora and greetings from the shaky isles.

Thanks for the warm reception I’ve received as I’ve moved into the President's role. The first six months as President have been pretty hectic, and Howard informs me that it won’t change. We’ve had a great attendance at BCI Summit Australasia 2017, a heap of great events for BCAW, and the Board are working on strategies to help our chapter deliver the new global vision of the BCI.

I’ll be heading to Sydney for the BCI Australasian Awards ceremony in late August and on the way I’ll be attending Forum meetings in Melbourne and Canberra. I’m looking forward to catching up with many familiar faces at all these events, and meeting a whole lot of new faces too. Don’t be shy, just bowl up and say g’day.

Cheers

Glen Redstall MBCI
President and Chair
BCI Australasia

From the President’s Pen


Data Protection in the Cloud

Harish Sidhartha, Cyber Security Architect, Interactive Pty Ltd

The Challenges Ahead

There’s no denying that cloud technology is continually changing the way we conduct business. Research indicates that private cloud infrastructure is growing at 10.3% to $13.8 billion (IDC).

While it offers agility and scalability for SMEs and large organisations, cloud-based solutions have also created issues surrounding data security and privacy. Given the global shift to data storage in the cloud, the implications of data protection and the challenges ahead are something that businesses should be aware of.

The 3 Types of Data to Protect

Cloud technology has enabled businesses to outline a true global strategy in the delivery of data resources; for example, using data centres geographically close to your core users is one way of improving the user experience of your service or product. But what are the implications? This depends on the type of data you’re looking at. When it comes to data protection, you’ll need to consider the vulnerability of data in store, data on the move, and data in processing.

Data in Store

According to the Australian Cyber Security Centre 2016 Threat Report, the Australian private sector is ‘persistently targeted by a broad range of malicious cyber activity’.

Attacks can come in many forms and are ever evolving, and keeping infrastructure up-to-date with the latest security can be challenging and costly. Understanding how your data is protected when it’s at rest, or in store, will help you minimise vulnerability to attacks.

Another factor to consider is data sovereignty. As laws around data privacy will continue to change by country, global organisations will need to ensure they are compliant when it comes to collecting, storing, and processing data. If your business has data stored outside of your country of operation, the data is subject to the laws of the country in which your business operates. To ensure your business is compliant, review the Australian Privacy Principles (APPs) guidelines.

Data on the Move

Data migration can pose a risk of corruption or modification when in transit, i.e. when copying data from one location to another. If your data is hosted in a managed cloud environment, the security of your data becomes the responsibility of your managed service provider. However, there are some key challenges that still lie ahead for businesses wanting to protect their data, even those who are outsourcing their data storage to the experts. One example is ‘shadow IT’ and the BYOD (Bring your own device) movement, where your staff are now not only bringing in their own mobile, but everything else too. With an intractable number of combinations of hardware and software, it is proving to be challenging for IT teams to manage security.

Data in Processing

Data in processing is another risk businesses may need to consider. As transactions between businesses and consumers increase, businesses will need to strengthen the reliability of infrastructure and the health of their systems to ensure data isn’t jeopardised when being processed, for example during end of month billing, one off payments, ongoing commerce, etc.

Data protection is a complex practice

When it comes to data protection, availability, integrity and confidentiality are the key security pillars to keep in mind. Encryption is a common tactic in data protection but what matters more is the environment the data is stored in. Before you put encryption and other security measures into practice, ensure your business has a clean IT environment free from malware and viruses.

No matter how you store your data, whether it’s through in-house services or a third-party option, there is always going to be a risk that your sensitive data will be stolen. Here are tips to ensure your data is protected in the cloud:

Tips to protect your data in the cloud

• Keep security software up to date

• Use hard-to-guess passwords

• Scan external drives for viruses and malware before accessing them

• Beware of malicious mail - don’t open the attachments from unknown sources

• Use a modern encryption algorithm

• Employ a robust key management policy for your encryption keys, and ensure your provider does the same

• Prepare for disaster

• Education is key

• Enable a remote wipe facility if devices are lost

References:

1 Cloud Spending Will Top $37 Billion In 2016, IDC Reports, Information Week, http://www.informationweek.com/cloud/infrastructure-as-a-service/cloud-spending-will-top-$37-billion-in-2016-idc-reports/d/d-id/1326193

2 Australian Cyber Security Centre 2016 Threat Report, https://www.acsc.gov.au/publications/ACSC_Threat_Report_2016.pdf

3 Office of the Australian Information Commissioner, https://www.oaic.gov.au/privacy-law/privacy-act/australian-privacy-principle

ABOUT THE AUTHOR - Harish Sidhartha, Cyber Security Architect, Interactive Pty Ltd

Harish holds a PhD and has more than 18 years of experience in Information Security and networks.

Specialities: Governance, Risk and Compliance - ITIL, ISO 27001, ISO 27017, ISO 27018, ISO 20000, ISO 22301, PCI DSS, Privacy, Cloud security, Enterprise Security, Incident response risk assessment, Business Continuity, Security Engineering, Security Design, Intrusion Detection/Prevention, Incident Handling, System Hardening, and Information System Audit.


Most Common Blind Spot in Business Continuity Plans

Article by Ms Rinske Geerlings

Company X is proud of its comprehensive Business Continuity Plan (BCP).

If a flood or some other disaster prevents Company X from using its main facility, production will shift to an alternative plant in an elevated area about 20 kilometres away. Supplies will be redirected to this new location. Data stored on the intranet and other information systems will gradually become available over the next 24 hours.

Staff will receive communication by SMS, voice, personal email and WhatsApp. A media release will explain the recovery plan and any implications for customers, investors, suppliers and staff, and provide reassurance for all stakeholders. Staff will return to work the next day, and everything will happen pretty much as it did in the rehearsals that Company X has been conducting religiously every 6-12 months.

Is this a fairytale?

Yes, it is. Let’s look at a few realistic scenarios of what might happen if a flood really were to strike and Company X had to invoke its plan.

Joe is an operations manager responsible for a key product manufactured by Company X. Much of the daily decision-making rests on Joe’s shoulders. He lives with his wife and two children in a high area that’s nice and safe from floods.

Joe’s sister Elly lives in their hometown, 10 kilometres away, and her situation is different. Her house is severely damaged and the area she lives in has been evacuated.

So Elly, her husband and their three children are welcomed with open arms by Joe and his wife. Many public services are closed, including local schools, and Joe’s kids are having the time of their lives at home with their cousins.

But the fun doesn’t last for long. Four adults and five kids in Joe’s small house is creating problems: not least, there’s hardly enough food in the fridge to feed everyone and local stores are unable to re-stock. On top of this, Joe’s boss expects him back at work straight away because his house is unaffected, even though Elly and her husband need help with theirs. Joe finds himself unable to handle the stress. He secretly wishes his house had gone with the floods too.

Joanna works in the accounting department at Company X. She’s in charge of the ledgers, purchases, invoicing and payroll: complex and specific functions. Joanna’s husband is a volunteer in the flood rescue team, helping people evacuate from the flood. But he’s been missing for two days. Joanna is very emotional and hasn’t returned to work. Someone else has stepped in to cover for her, and they’re making a lot of mistakes.

These are just two examples. Company X will likely have many more staff like Joe and Joanna. Potentially the entire workforce.

The blind spot

Even though the company’s BCP has been thoroughly tested, the rehearsals involved capable people. In real-life disasters, capable people might not be around. We often talk about BCP training, staff safety and creating a ‘risk culture’, but very little is said about who activates the plan when staff aren’t coping, or how an organisation should help staff return to ‘normal’ when they’re suffering from post-traumatic stress disorder (PTSD), or even how an organisation should ensure the longer-term wellbeing of its staff to prevent burn-out.

BCPs tend to concentrate on scenarios such as damage to buildings, denial of access to offices and loss of IT, but the most important ingredient to successful disaster recovery is an organisation’s greatest asset: its people.

Hard-hitting, often sudden phenomena such as earthquakes, fires, wars and floods do not give people time to create individual or collective responses. For organisations that value corporate social responsibility highly, this creates another pressure: in addition to looking after business continuity, they will need to help staff with their domestic and personal recovery. And even organisations that haven’t formally committed to their social responsibility are likely to end up with the same challenge because, in a disaster, there are usually no ‘spare people’ who are unaffected and available to be engaged as temporary or permanent relief staff.

Types of impact that disasters could have on your staff

Being directly affected by the disaster, as in the situations described above, can leave staff unable to get to work, or to cope with work and life in general, and this can have a major impact on the organisation.

The risk of fatigue during recovery activities is high, particularly for key staff/departments involved with the restoration of systems, facilities and services. I’m thinking back and remembering IT staff working 20-hour sessions, surrounded by cold coffee and pizza boxes, becoming less productive and more prone to errors ... and all of this during critical work, applying procedures that might have been poorly tested and poorly documented, were not validated recently, or were simply never tried.

Trying to stay effective in a nerve-wracking work environment, including dealing with stressed-out bosses and co-workers, and irate customers. Knock-on effects can include a breakdown in work relationships, an increase in absenteeism/sick leave, attrition, premature retirement, accidents/mistakes, low productivity, less creativity and more customer complaints. It's a vicious circle.

Some real-life examples

1. Hurricane Katrina, 2005: New Orleans Police Department and the Health Department reported up to 70 per cent staff absenteeism after the storm, due to destruction of staff homes, danger to staff and their families, and related stress. There were also longer-term labour market changes and unemployment due to staff displacement after Hurricane Katrina, and other disasters.

2. World Trade Centre attack, 11 September 2001: Even before this major event, studies had found that in disaster situations managers may be overwhelmed by the emotional needs of survivors returning to the workplace. Managers in these situations often lack the experience, resources and training to support staff emotionally and help them adapt back into the workplace when they return. This was decidedly the case after September 11.

3. Athens earthquake, 1999: An earthquake in Athens, Greece, seriously affected the social and economic life of the city, including the functioning of the Bank of Greece. Although its IT systems and communication components were up and running, staff were unwilling to get back to work as they were suffering from fear, anxiety and acute stress. This resulted in a temporary stop of all the bank’s operations, even the most critical ones.

A few relevant ways to get better prepared

1. Adopt proactive measures that will enable staff to cope better with unforeseen events. These could include regular rehearsals/simulations, but also initiatives that promote a physically and mentally healthy workforce. Apart from the day-to-day productivity benefits, staff will be in a better position to cope if a disaster strikes.

2. Promote a cooperative culture and positive morale. This will enable staff to rely on each other effectively in times of need and make job rotation a realistic concept.

3. Create multidisciplinary business recovery teams. Nominate first and second ‘additional’ team members ... and then put this practice to the test during BCP walk-throughs and disaster simulation exercises.

4. Set up business recovery provisions and staff assistance programs that do not rely on local services, and test them. For example, recovery service providers located in the same area as your organisation are prone to the same disasters and will probably be overloaded with enquiries just when you need them. Have a plan B, C and D at the ready. In addition to business recovery services (for spare parts, continuity equipment, IT data recovery and so on), it’s advisable to be able to activate staff assistance programs with remote counsellors (on a phone basis). Proper psychological assessment of staff should be part of every organisation’s BCP.

If you want your BCP to work when you need it most, contact me at www.businessasusual.net.au.

And if you’re keen on ISO 22301 / ISO 31000 / ISO 27001 training, see the calendar on www.tinyurl.com/bau-events.

Ms Rinske Geerlings is an internationally known, award-winning consultant, speaker and certified trainer in Business Continuity, Security, Disaster Recovery and Risk Management with over 20 years’ global experience. She founded Business As Usual (www.businessasusual.net.au) in 2006.

Thank You: The Australasian Chapter Thanks Two of its Longstanding Members

BCI Australasia Chapter recognised the contribution of two of its longstanding members at the NSW Forum meeting

As a volunteer-led organisation, the BCI has always relied on the active efforts of its members around the world for its growth and success. For example, over a decade ago a small group of committed volunteers sowed the seeds for the Australasian Chapter that exists today as an active community of over 800 members.

Greg Dickson MBCI was one of the founding pioneers of the BCI in Australia. The length of his involvement with the BCI can be seen from his impressively low member number, coming in at just 61.

Greg along with Bruce Edwards was responsible for setting up the first BCI NSW Forum; he was the first secretary and its second leader. He has been an active member of the wider Australian BC community and was involved in the BC industry before it was called business continuity.

Roger King MBCI was also an attendee at the original NSW BCI Forum meeting.

Roger has also had a long and diverse career in IT and Business Continuity, with many organisations in Australia. Roger was a member of the NSW Forum Team from 2014 to 2016, and won the Continuity and Resilience Professional of the Year (Public Sector) award in the BCI Australasian Awards 2017. He is currently the NSW Area Director and sits on the BCI Australasian Board.

At this point when Roger and Greg are both enjoying life beyond the 9 to 5, it was entirely appropriate that the NSW Forum thanked them and recognised their contributions to the growth and success of the BCI in Australia.


Choosing Business Continuity Software

Article by Anita Gover, Manager, Technology Solutions, RiskLogic

Choosing Business Continuity Management software can be an overwhelming task. There are many software products to choose from and not all of them will suit your needs. To avoid feeling misled and disappointed, here are some tips on what to look for.

1. Determine Your Requirements

What do you want the software to achieve? Are you looking for a simple business continuity tool for a single location, or a more complex system that can be utilised in multiple sites – even worldwide? The main goal for some organisations is to automate the administration of their business continuity program, whereas others want a mobile tool, or in-depth analysis and reporting. Clearly understanding, listing and prioritising your requirements will ensure you know the right questions to ask.

2. Look for an Established Product and Provider

A well-established product will give you peace of mind that the system is more stable and predictable, having been tried and tested by many users. However, will you be getting the latest technology and user experience? If the software is new it is important to weigh up the pros and cons of being an early adopter. You may land a great price and get some great new interfaces or technology but you could face frequent updates during the start-up phase. Who are their clients, have they won any awards, and what type of industry presence do they command?

Another important factor is the provider. Are they business continuity experts, or are they just a software vendor? When it comes to training, tips and tricks and advice, you will get so much more out of an industry expert.

3. Take a Look at the Product

By now you’ve shortlisted systems and you’re ready for demonstrations. At this stage, you should revisit your initial requirements and make sure the software matches your needs. Vendors will focus on highlights and “best bits”, so have your questions ready. It will be hard to find a product that does everything, and you should be prepared to compromise. Be realistic about your ‘must haves’ and ‘nice to haves’. As a minimum, systems should be:

1. Easy to use, with a simple interface

2. Aligned to ‘best practice’

3. Able to cover the full lifecycle of business continuity

4. Able to store supporting documents

5. Able to automate administrative tasks like plan reviews

6. Accessible via mobile devices

7. Able to provide comprehensive data analytics and reporting

8. Robust in terms of data security and privacy policies

The vendor should be willing to provide numerous demonstrations with stakeholders, either in person or via web conference.

4. Is the Software Being Continually Improved?

Technology becomes outdated quickly so you want an innovative product that is going to continue to grow and improve as new technologies emerge. The innovation curve tends to slow down rapidly for many software vendors when a critical mass of clients are using their system.

On the flipside, too much change can be disruptive when trying to build engagement with your users, so there needs to be a good balance of continual improvement and stability. One major release each year and minor quarterly releases are a good indication of a product that is moving in the right direction.

You also need to determine if releases are mandatory, and if upgrades are included in your license fees or are going to cost extra with each release.

5. What Training/Support Options Are Available?

Once you’ve shortlisted the right software for your organisation, it’s time to assess the training and support options. A comprehensive implementation project is key to the success of the software and ongoing user engagement.

Onsite training may not be possible with an overseas vendor. Considerable training will be required for more active users and this is best done face-to-face in small groups and over several days or weeks.

E-learning is a great training method for end users, and is a cost-effective option for geographically dispersed teams and for regular refresher training. You need to ensure that the e-learning package is easy to understand and that the terminology is digestible for users.

Support is the most important consideration for the ongoing success of your purchase. You need to be comfortable with the service level timeframes on offer, and that the support staff can respond when you need them. If your chosen software doesn’t have local representation, what are the support hours? Are they available when you will need them? What support methods are available? Phone, email, online portal?

6. How Are Systems Generally Priced?

All vendors will determine pricing differently. You can expect to pay an ongoing license fee for access to the system based on several factors:

1. Size of your organisation

2. Geographic use of the system

3. Functionality required

4. Number of users in the system

5. Contract term – generally a minimum 3 years

6. Payment options, usually either upfront or annual

In addition to the license fee, there will be an upfront implementation cost. This can vary based on the level of support and customisation required.

A general benchmark for standard implementations is about 20-30% of the annual license fee. There may be additional fees for support and training. Again, this depends on the level of support and training - such as service level timeframes, format of support and training, travel costs for overseas vendors. Standard support costs will be between 10-20% of the annual license fee.

7. System Hosting and Security

Security is a crucial factor when considering a hosted solution. Your IT department will more than likely throw you a very long list of requirements.

The key questions you need to consider are:

1. Where are servers located?

2. Are these secure environments which meet international standards (e.g. ISO27001)?

3. Is your data encrypted? Or maybe your organisation has regulatory requirements to keep data onshore?

4. Will your information be backed up instantly, nightly etc. and how long are backups kept for?

5. What is the system uptime? And how quickly can the system be recovered if there is a failure?

In conclusion, to select the perfect solution, you need to understand your functional and technical requirements for the software, look at what's out there, decide what level of support you will need and be comfortable that the vendor can provide this for you. You need to establish that you can work happily with the vendor and of course ensure you have the budget.

Author: Anita Gover, Manager, Technology Solutions - RiskLogic

Anita Gover heads up the Technology Solutions division at RiskLogic and is responsible for sales, development, implementation, and support of BC-3 business continuity software, as well as CQCommand crisis management software and the Activate emergency management tool. She has been a BCI member for almost 10 years and is a BCI NSW Forum Committee member. Anita is passionate about using technology to enable organisational resilience.


The BCI Australasian Awards recognize the outstanding contributions of Business Continuity, Risk and Resilience professionals and organizations living and operating within the Australasian region, including Australia, New Zealand, New Guinea, New Caledonia, Lombok, Sulawesi Eastward, Borneo and Bali.

Winners from the 2017 Australasia Awards are entered automatically into the BCI Global Awards that take place in London each November as part of the BCI Gala Dinner and Awards Ceremony, in conjunction with BCI World Conference & Exhibition.

Australasian Gala Dinner & Ceremony: Thursday 31 August 2017 7:00pm

Location: Museum of Contemporary Art (MCA) The Rocks, Sydney

There are 8 peer judged categories open to individuals, companies and vendor organisations, plus 1 public voted category.

To book your seat and register your attendance at this amazing event, go to events.thebci.org.au

2016 BCI Australasian Awards Winners

• Continuity & Resilience Consultant: Paul Trebilcock FBCI, Director at JBT Global

• Continuity & Resilience Professional Private Sector: Wasim Malik AFBCI, DR/BCP Specialist at Bravura Solutions

• Continuity & Resilience Professional Public Sector: Roger King MBCI, IT SCM Consultant at TasNetworks

• Continuity & Resilience Newcomer: Tammie Horton AMBCI, BC Manager at Shared Services Centre

• Continuity & Resilience Team: NBN Business Continuity & Resilience Team

• Continuity & Resilience Service/Product Provider: Avalias Avalanche TTX

• Continuity & Resilience Innovation: Westpac Group Protective Services Education & Awareness Team

• Most Effective Recovery: The Australian Taxation Office

• Industry Personality 2016: David Tickner FBCI, Independent Business Continuity Consultant & Strategist


How technology is helping drive maturity in the resiliency space

Technology drives effective business resiliency across the organisation by embedding automation and consistent processes to help improve collaboration and visibility across the three lines of defence.

Most organisations rely heavily on technology these days, from communications and databases for capturing key information to mobile phones and websites for interfacing externally with customers. Unfortunately, much of the time the critical internal processes that keep the business running and operational do not receive the same technology focus.

Many organisations are still running Governance, Risk and Compliance frameworks manually (such as maintaining documents and spreadsheets), which on the surface provides a workable solution. In reality, however, this can foster bigger problems, including inefficiency, confusion in ownership, poor communications and limited visibility. This can severely restrict a business’s ability to adapt, mature and keep pace with the organisation's strategic vision, mission, goals and objectives.

To help address this, the first step is for organisations to build a greater awareness of what technology can offer and to understand how technology helps businesses move away from being reactive and become visionaries.

How technology is helping drive maturity in the resiliency space by providing:

Accountability: With technology, user ownership and responsibilities are made clear across the three lines of defence, which drives improvement in risk culture across the business.


Standardisation: By moving to a technology platform, organisations are empowered to remove their reliance on individuals who manually update their own spreadsheets and reports. Technology can help leverage a standardised interface to allow everyone to complete their responsibilities in a standardised manner and helps break information silos by allowing information to be shared across business areas.

Automation: By utilising technology and removing manual processes, regular business activities can be processed in a timely and cost effective manner. This enables the business to focus on areas that require attention, rather than managing manual logistics.

Communication: Modern technology provides multiple communication options from emails to dashboard reporting and SMS. With worldwide 24/7 access enabled on any device, businesses are aligned, updated and aware in real time.

Aggregation: Technology brings people and data together from a variety of sources. Organisations can reliably manage the entire business and aggregate the information to provide visibility on all facets of the organisation’s resilience.

In Summary:

Forward thinking organisations adopt technology in the resiliency space to help drive maturity and provide greater accountability, visibility and collaboration across the three lines of defence (LOD) through automation, reporting and standardisation.

To speak with a specialist in how your business could engage, adapt and be empowered with technology, contact ReadiNow Corporation on 1800 153 153 or visit www.readinow.com


In its on-going efforts to spread the word about Business Continuity Management, the Wellington Forum took advantage of Business Continuity Awareness Week 2017 to promote business continuity within the wider Wellington business community.

This year, instead of running a public expo, the Forum sought to provide some more targeted messages. As the 14 November 2016 earthquake is still very topical in Wellington (with a significant number of organisations still unable to access some or all of their premises due to the earthquake), the Forum decided to focus on this event for BCAW.

We kicked off April with a Discussion @ Lunch for Members. In this meeting, we shared the two themes (cyber security and/or earthquakes) that our Members could take within their own organisations. This was followed by members sharing their experiences of working with their InfoSec Teams using the BCI’s BCAW posters.

During BCAW, the Forum hosted 3 public lunchtime sessions and an Executive Breakfast, all of which were well attended by both members of BCI and those on the periphery of our industry.

The lunchtime sessions had a progressive strand to cover the theme which ranged from:

“The Kaikoura Earthquake - What happened and what does it mean?” with Professor John Townend, Professor and Head of School, School of Geography, Environment and Earth Sciences, Victoria University, to;

“What could happen in Wellington” with Richard Mowll, Project Manager, Wellington Lifelines and finishing with;

“Human responses to threat and uncertainty and how to help” with Associate Professor Sarb Johal, Centre for Disaster Research, Massey University.

Professor John Townend addressing the first BCAW lunchtime session

The Executive Breakfast was held at the Intercontinental Hotel and featured Craig Pomare, Chief Executive of the Motor Trade Association (MTA), and Ian Forrester, Managing Director of Plan B. Ian discussed the range of threats facing businesses, and how business continuity planning was essential to ensure critical functions could continue. Craig then shared the story of the impact his organisation suffered in the 14 November earthquake, and how Plan B assisted in resolving it.

The breakfast was attended by 33 people with a range of titles including Chief Executive, Managing Director, Chief Operating Officer, General Manager, CIO, CTO, Operations Manager, and Head of Risk & Assurance.

At each session, Forum leaders were also able to relate how BCM worked to manage the situations being dealt with in the main presentations and how the BCI supported BCM in NZ and around the world.

Overall, the week has been rated a great success, with attendees, many of them non-BCI members, expressing much interest in the sessions. Numbers for the week also confirm this, with 95 people registered to attend one or more of these events and many coming to multiple events.

Business Continuity Awareness Week: Bringing BCM to all Organisations. A Report by the Wellington Forum


We continued this theme with our next event on 31 May, which was jointly hosted by the BCI Wellington Forum and the Chartered Institute of Procurement and Supply (CIPS). The focus was on lessons learnt from the Kaikoura earthquake, and how procurement and business continuity specialists can work together to strengthen supply chains.

A number of people and organisations contributed to making this BCAW a huge success and we would like to express our thanks to:

The Ministry of Social Development and Datacom NZ for hosting the Lunchtime Sessions.

RiskLogic, our major sponsor for the week.

Resultex and Plan B as Executive Breakfast supporting sponsors.

The BCAW Project Team of Cari Ramsay, Ken McWilliams and David Thompson.

Wellington Forum Team Members Debbie McCoard and Eric Sidoti who hosted meetings and manned the Executive Breakfast.

Saul Midler FBCI

The final draft of ISO 22316 (Organizational Resilience) was recently issued globally for ratification. You may recall from my previous reports that there has been great concern about this standard. Unfortunately, the final draft did not adequately address the concerns of the Australian Technical Committee and as a result Australia has voted NO for publication (as did a number of other countries). We’ll have to wait a few more months to see whether this Standard will be published or not. One of the key issues that led to the NO vote was that of measurement. We felt that given the type of standard 22316 is (i.e. Principles and Attributes) that it should NOT include a section on Evaluation.

Regarding:

ISO TS 22330 - People Aspects of BCM

ISO TS 22331 - Strategy Development of BCM

These standards have made solid progress over the last few months and are taking shape with Australia being a key contributor.

On the Australian front, I’m pleased to advise that Standards Australia has approved the rewrite of AS5050 by the Risk Management Technical Committee. This will allow for the Australian adoption of ISO 22301, ISO 22313 and ISO 22317. I’ll know more about the timing in the coming months.

Saul Midler FBCI


As a practitioner for over 26 years in business continuity management, I struggle to understand why many practitioners believe that resilience can be achieved in our workplace. Harvard Business Review claims that Resilience is defined by most as the ability to recover from setbacks, adapt well to change, and keep going in the face of adversity. Why then change the term continuity to resilience, which I believe has a broader context than businesses are geared up to focus?

Admittedly, since the late 80s and early 90s, our practice has progressed from an Information Technology disaster recovery focus through to business resumption and continuity. More organisations, whether they are financial institutions, manufacturing or even agriculture are relying heavily on Information Technology and electronic data for their daily operations. The need for automated processing and information is immediate and loss of data is rarely tolerated. Adding to this complexity, more organisations are also reliant on 3rd party service providers to deliver operational capabilities, which takes away a degree of control from the organisation's business continuity planning capability. However, reliance on premises or physical locations for their staff is less of an issue as many organizations have given staff telecommuting capability and/or have their staff geographically dispersed. But the best laid plans seem to assume the availability of key staff members and fail to address succession planning.

As BCM practitioners we should educate business managers on the relevance of business continuity and to change their view of business continuity as being a regulatory compliance issue. The key to changing this view is by operationalizing business continuity planning and raising business awareness:

• We, business continuity practitioners, must understand the business in detail so we can highlight the key resource dependencies, technology, staff, 3rd party services providers and the perceived and likely threats to the business

• Actively discuss the risks associated with the unavailability of these resources beyond the maximum outage tolerance for a critical end to end service rather than a single critical business process

• Engage with the business at the time when they are strategizing their business plans, so aspects of continuity of business are considered and included at the business planning stage

• Simulate outage scenarios and test the business continuity strategies throughout the year

• Move away from scripted test exercises and make testing part of business-as-usual activity

• Test end to end service delivery capability in case of denial of access to key resources to highlight the importance of business continuity planning to the senior management as well as their direct reports.

In conclusion, businesses should break away from the traditional “let’s document manual workarounds” to “let’s plan to think on our feet and be ready to respond quickly to lessen the impact to business”. I believe businesses still have a long way to go before reaching resilience.

Opinion piece contributed by Nelum Cowell (nee Jayaratne), Business Continuity Manager, Genworth Australia. Nelum is a Senior Business Continuity Management Practitioner and a member of the Business Continuity Institute with significant experience in all aspects of business continuity planning and management across multiple industries in the private sector in Australia and Asia Pacific as well as in the public sector in Australia.

On the road to resilience ...

Are we there yet?

By Nelum Cowell (nee Jayaratne)


Often we are so caught up with our jobs that we forget the joy of learning and putting into practice new skills. The BCI offers world-class, high-quality, award winning education services, delivered in partnership with BCI licenced Training Providers and Approved BCI Instructors located around the globe.

All Approved BCI Instructors are highly experienced and respected business continuity and resilience professionals, bringing a wealth of expertise to enhance your learning experience.

So what are you waiting for? Make 2017 the year to move, learn and grow in your professional development!

UPCOMING TRAINING SCHEDULE

Good Practice Guidelines Training Course (CBCI). From July 31, 2017 09:00 until August 04, 2017 17:00. At Australia, Brisbane. Categories: All BCI Training Courses, Good Practice Guidelines Training Course (CBCI Certification) - Classroom

Good Practice Guidelines Training Course (CBCI). From July 31, 2017 09:00 until August 04, 2017 17:00. At Australia, Canberra. Categories: All BCI Training Courses, Good Practice Guidelines Training Course (CBCI Certification) - Classroom

Incident Response and Crisis Management. From September 11, 2017 09:00 until September 12, 2017 17:00. At Australia, Perth. Categories: All BCI Training Courses, Incident Response and Crisis Management

Good Practice Guidelines Training Course (CBCI). From September 12, 2017 09:00 until September 15, 2017 17:00. At New Zealand, Wellington. Categories: All BCI Training Courses, Good Practice Guidelines Training Course (CBCI Certification) - Classroom

Good Practice Guidelines Training Course (CBCI). From September 25, 2017 09:00 until September 29, 2017 17:00. At Australia, Melbourne. Categories: All BCI Training Courses, Good Practice Guidelines Training Course (CBCI Certification) - Classroom

Good Practice Guidelines Training Course (CBCI). From September 26, 2017 09:00 until September 29, 2017 17:00. At Australia, Sydney. Categories: All BCI Training Courses, Good Practice Guidelines Training Course (CBCI Certification) - Classroom


BCI Australasia will run over 50 events throughout Australia and New Zealand during 2017.

Events will include Area Forum meetings, the BCI Summit Australasia, the BCI Awards Night, as well as special interest events.

We will also support and advertise other local events approved by the BCI, as well as key sponsor events.

A number of the event dates are still to be firmed up and dates/details will be made available as soon as confirmed.

Upcoming events can always be viewed at http://events.thebci.org.au

BCI Australasia

Area Forum Events

SA/NT Forum Meeting 25 Jul

WA Forum Meeting 27 Jul

VIC/TAS Meeting 31 Jul

Auckland Forum Meeting 8 Aug

Wellington Forum Meeting 9 Aug

VIC/TAS Lunch with the President 29 Aug

ACT Forum Meeting 30 Aug

BCI Australasian Awards 31 Aug

Auckland Forum Meeting 12 Sep

SA/NT Forum Meeting 12 Sep

Wellington Breakfast Briefing 13 Sep

WA Forum Meeting 21 Sep

NSW Forum Meeting 21 Sep

VIC/TAS Forum Meeting 25 Sep

Chapter AGM 28 Sep

BCI Australasia wish to thank its members and sponsors who contributed to this edition of Continuity & Resilience Australasia

If you would like to contribute, have feedback or have ideas for our future editions please contact us via email [email protected]