Keeping ContinuitySA clients informed
Q2 2013

Editor’s Note: It’s all about Resilience

Over the last couple of months the focus on business continuity has shifted to resilience. Resilience can be defined as the ability to recover from or adjust easily to misfortune or change.

It’s all about learning valuable lessons through exercise practices; you have to ask yourself whether your organisation has an approach to resilience in place.

The article by Eugene Taylor goes into depth on analysing your vulnerabilities, and includes a guide to an approach you can adopt to ensure that you are skilled to conduct a business impact assessment (BIA). In turn, Louise’s article on whether your business has operational resilience reconfirms that companies need to be agile and able to respond to constant change. Both make excellent reading.

And next, have you nominated your Business Continuity Consultant and/or Manager of the Year? ContinuitySA wants to encourage all business continuity professionals to participate in the upcoming BCI Africa Awards. This inaugural event will recognise the outstanding contribution of business continuity professionals and organisations living in or operating in Africa, so be sure to submit your nominations, as entries close soon.

ContinuitySA has a host of upcoming training for the remainder of the year, the very next being our five-day Complete Continuity Practitioner programme, which is designed to equip business continuity practitioners within any organisation in all aspects of implementing, managing and maintaining an effective business continuity framework in their respective environments. The course takes place from the 22nd to 26th July 2013; you can contact our training department directly on firstname.lastname@example.org or refer to our website under upcoming events. Our course material is all based on the latest BCI Good Practice Guidelines and the latest ISO 22301 standard.

Triple4 shares a successful case study on how they helped optimise the Master Drilling infrastructure with a stable and user-friendly wireless environment.

Our next issue will cover the upcoming ITWeb BC Conference taking place later this year, of which ContinuitySA is the diamond sponsor, so be sure to watch the ITWeb website for more information on their latest events.

We are continually looking for articles, case studies and white papers to include in future issues of our newsletter, so for any new submissions please feel free to email them to me.

Cindy Bodenstein

In this Issue
2 South African companies must take advantage of new international standard for business continuity management
3 Taking the sensible approach to ICT protection and recovery
4 Organisational Resilience: Analysing your vulnerabilities properly!
11 Master Drilling optimises infrastructure with help from Triple4
12 Three steps to enterprise cloud migration
13 Flu season means it is time to dust off your pandemic policy
14 Does your business have operational resilience?
15 BCI Africa Awards!
16 Training Dates
South African companies must take advantage of new international standard for business continuity management

The International Organization for Standardization (ISO) recently launched its first standard for business continuity management, ISO 22301. “The business world is increasingly digital with systemic dependencies and a company’s effectiveness depends on its systems’ resilience,” says Eugene Taylor, managing director of TaGza and the UK’s Institute of Directors (IoD) constituent representative on the British Standards Institute TC223 committee. “Adherence to a reputable standard for business continuity like ISO 22301 indicates that a company is serious about its organisational resilience and is thus a suitable partner. Think of it as a ticket to the dance – and a strategy for remaining in business.”

Mr Taylor was addressing a briefing on the new ISO 22301 standard, hosted by ContinuitySA as part of Business Continuity Awareness Week. Although South Africa has fully adopted the new standard, obtaining certification here is problematic at present, as the South African National Accreditation Service (SANAS) has not yet decided whether it is viable to accredit local companies who would in turn be able to provide certification to local organisations. Alternatively, certification can be done via internationally accredited certification companies through the International Accreditation Forum (IAF) who are party to the Multilateral Agreement (MLA) currently in place, but this approach is likely to be expensive and geographically problematic. While this issue is being resolved, South African companies should take a positive step towards organisational resilience and begin to align themselves with the new standard in preparation for certification.

“Business continuity has been incorporated into the principles of King III and so is already on the corporate agenda,” Mr Taylor notes. “As most of King II was incorporated into the new Companies Act (2008), I would not be surprised if we found the King III recommendations making their way into company legislation in due course.”

Three valuable practical resources for companies contemplating this move are Hilary Estall’s Business Continuity Management Systems: Implementation and Certification to ISO 22301, the BCI’s Good Practice Guidelines (GPG) and Business Continuity For Dummies.

Mr Taylor said that before considering the upgrading of an existing business continuity management system, or implementing one from scratch, companies should follow four steps.

“First make a strong business case,” he says. “It’s also vital to obtain an enthusiastic sponsor in top management and a suitably qualified implementer.”

The next step is to obtain the buy-in of the executive team and board of directors, which will mean identifying the benefits and costs of the chosen approach over the entire life cycle. Allied to this is the process of putting together a comprehensive, realistic budget that covers not just the implementation but also delivery.

“Don’t restrict the budget discussion to basic resourcing of personnel money; make sure you provide for the technological support resources you will need to make business continuity management work,” Mr Taylor adds.

The final step is the important task of building relationships. At one level, this means obtaining buy-in from the enterprise as broadly as possible, but it also means building relationships with those who do not initially support the move.

“There are always the doubters but if you work closely with them, they can be brought round to seeing the real benefits,” Mr Taylor observes. “I’ve had instances in which those who were most hostile at the beginning of the process have become business continuity champions.”

Once these four steps have been completed, the company will be prepared to embark on its programme to comply with ISO 22301, and thus demonstrate its reliability as a business partner or service provider across its entire value chain.
Taking the sensible approach to ICT protection and recovery

Data volumes are growing exponentially as the world digitises, and businesses continue to unlock the value held in their information. And yet there is ample evidence that companies are not taking adequate measures to protect their data. According to research conducted by Vanson Bourne for EMC, 74% of European and South African companies doubt their ability to recover fully after a disaster.

“Even more worrying, just over half of the companies surveyed suffered some sort of data loss or system downtime in the course of the last year,” comments Bradley Janse van Rensburg, solutions design manager at ContinuitySA. “Disasters continue to happen and they are typically the result of mundane rather than dramatic occurrences: hardware failure (61%), power outages (42%) and data corruption (25%). The technology to solve this problem exists but too few companies are using it effectively.”

“It’s important to understand what your company’s systems and strategies are, and the nature of the various protection methods,” Mr Janse van Rensburg says.

The most common approaches to the protection and recovery of ICT systems include high availability, replication, backup and archiving. The most important of these, because most companies rely on it as the copy of last resort, is backup.

One of the key things to get right from the start is de-duplication, which can reduce the amount of data stored by up to 30 times and the amount of data moved by up to 95%. These reductions in turn cut the processing power consumed by backup by up to 80% and the bandwidth needed by up to 99%.

“De-duplication changes everything,” Mr Janse van Rensburg says.

Tape backup remains surprisingly pervasive: 40% of European companies still rely on it, but 80% want to move to disk-based backup. The move to disk-based backup is being driven by several benefits, among them strong de-duplication capabilities, the viability of change-only backups and strong indexing and search functionality. Encrypting the backup set protects it if media are lost or stolen, provided the encryption keys are managed and backed up separately from the data they protect; bear in mind that de-duplication has to run before encryption, because encrypted data does not de-duplicate. Restore and backup speeds are generally faster, and the medium is more durable than tape.

Hosted backup is also gaining in popularity because it offers all the benefits of disk-based backup together with pay-per-use costing models. A local vault combined with off-site storage means that both backing up and restoring can be speedy; an additional benefit is the safe and quick transmission of backups off site. Companies become highly dependent on their provider, however, so it is important to choose only the best, and to have retention periods, restore testing and exit arrangements written into the contract rather than assumed.

Cloud-based backups are also gaining momentum. Like all cloud services, they offer pay-per-use pricing and are extremely cost-competitive thanks to economies of scale. Because they are online, they offer easy access and a high degree of self-provisioning. However, notes Mr Janse van Rensburg, clouds present large targets for attack and users do not know where their data is stored or under what legal regime.

Whatever method is chosen, Mr Janse van Rensburg says that it is very important to keep plans current.

“The research shows that almost half the companies review their backup and recovery plans (and commit more budget to them) only after disaster strikes,” he comments. “That’s too late. You need to understand your current system and data landscape well, and then agree on meaningful metrics to measure improvement. It’s important to see ICT protection improvement as continuous, and to begin with your biggest pain points. Finally, align the ICT protection plan to the bigger ICT and business strategies, and constantly build awareness and thus trust within the organisation.”

By Bradley Janse van Rensburg, Solutions Design Manager at ContinuitySA
Organisational Resilience: Analysing your vulnerabilities properly!

4.1.1 Impact Categories

Most executives have a set of impact categories which branch out across the organisation. It can be argued that all risk mechanisms within the organisation feed high-level risks into one or more of these categories. Typical categories would include titles such as Financial, Service Delivery / Product Quality and Reputation, but these are not exhaustive.

4.1.2 Impact Levels

Each category needs to have a range of impact levels, which may be consistent across the categories or alternatively customised per category. So you could have 5 levels for Finance but only 3 levels for Reputation. A typical level structure that could be used across all impact categories is No Impact, Negligible, Low, Marginal, High for each category.

4.1.3 Impact Thresholds for Business Continuity

For each impact category we need to understand what the organisation’s threshold tolerance level (appetite) is for business continuity assessed impacts. This is the level for each category that top management have decided impacts cannot reach or go beyond, as the consequences will severely impact the business. Therefore each activity assessed to reach or go beyond these threshold levels needs to be risk assessed for contingency options.

4.1.4 Risk Models

We won’t go into risk models in this article, but suffice to say Resilient Shipping has decided that for any assessed activity, the point at which any one category for that activity reaches or goes beyond the threshold will be considered the Maximum Tolerable Period of Disruption (MTPoD) for that activity. You will see how this works later in this article.

The table below is a good example of the detail you need before designing your BIA approach. Note it only has one category, so as to keep your attention on the article, but most organisations have at least three (for example Financial, Service Delivery / Product Quality and Reputation). Level 4 is the chosen organisational threshold for this example.

4.2 Time scales

It is important to define time scales for recovery before you start your BIA project. These scales might change over time, but you need to start with an agreed set before you conduct your assessments. I would warn practitioners against going the route of multiple complex scale configurations to suit various parts of the business: you are just making extra and unnecessary work for yourself and your organisation. Have one scale for the organisation.

4.2.1 Recovery Time Objectives (RTO)

These are the recovery time periods you will assess each activity against, and depending on what your organisation does this can vary significantly, even down to minutes and hours. Resilient Shipping’s top management wasn’t sure, but they figured the following RTO time scale suited their business: 1 day, 2 days, 3 days, 4 to 7 days and >7 days.

4.2.2 Recovery Point Objectives (RPO)

These are the recovery point periods against which you will assess each activity: the RPO is the maximum age, measured back from the point of disruption, of the data an activity can afford to lose. Depending on what your organisation does this can vary significantly, from hours to even weeks. Resilient Shipping’s top management wasn’t sure, but they figured the following RPO time scale suited their business: 0 hours, 4 hours, 8 hours, 12 hours and >12 hours.

4.3 Tools! Tools! Tools!

Be very careful NOT to just rush off and buy a product off the shelf; these can be more onerous to use than helpful. I still use spreadsheets because in many cases the licensing costs and limited support of “BIA” applications are extortionately prohibitive. I would strongly suggest that anyone who hasn’t conducted a BIA rather start with spreadsheets. But watch out: unless you do some VBA programming, maintenance of spreadsheets and templates is administratively heavy. Not only that, but your users might just revolt!

If you are going to use spreadsheets I would strongly recommend you sit down with your IT provider and consider some programming support, but if you do just want to go the basic cell formula route then that can work too; just be careful. We have a “simple” (to the user) spreadsheet that, once completed, captures all the required detail on various tabs and ultimately delivers a “recovery consideration” table on one of the tabs. It does have some clever VBA behind it though. The assessments are then “auto” imported into a consolidation spreadsheet which provides the detail for analysis. One caution with that approach: a macro-enabled workbook sent to dozens of contributors prompts each of them to enable macros, so have the VBA project signed with a certificate the organisation trusts rather than training people to click through that warning.

You could also just go the paper-based questionnaire route and consolidate data into a spreadsheet, but that I suspect will only work for small organisations.

Give thought to the tools you intend to use and the level of consumer resistance you might create with your personnel / customers. If it’s difficult to use you will not get quality returns.
You also need a place to store the completed submissions (for audit and review purposes), and I would suggest these are stored centrally on something like a SharePoint environment. That way (in addition to other advantages) you have control of access and can set some workflows for review. Treat the completed submissions as sensitive in their own right: together they list the organisation’s key activities, dependencies and single points of failure, so restrict access to them as you would a risk register.

Resilient Shipping has asked TaGza to use their spreadsheet templates for the first BIA (included in the cost, of course!). They have provided a SharePoint option for all business continuity material.

4.4 Scope, objectives and reference

The scope is the organisation, the objective is the vulnerability assessment, and we have agreed with Contin Gensy that we will follow the guidelines of the GPG, use some of TaGza’s best-practice reference material and align to current practice. Resilient Shipping trusts TaGza to use commonly available and relevant standards.

Scope and objectives would not change all that much if Resilient Shipping had a formal BCMS in place. What would be different are those areas that have been identified for exclusion from scope.

I would seriously warn practitioners against being browbeaten by operational executives into initially limiting the BIA scope to the “production line”. That’s total rubbish: while the “production line” might very well have critical elements, they do not run the business; they provide a service to the business, and therefore the whole business needs equal consideration and the opportunity to identify vulnerabilities.

Let’s face it: the BIA is largely about organisational vulnerability identification. I am always amazed at the vulnerabilities and associated risks uncovered outside the “production line” which have gloomy and significant consequences for the business.

Note: All too often we confuse risk assessment with vulnerability assessment. The BIA is NOT a risk assessment product; it gives the information needed to facilitate risk assessments, as we shall see later in this article.

4.5 Approach design and approval

Spend some quality time in a quiet place to design your approach and get approval from Contin Gensy. A typical approach design includes 4 phases, but you can make this as complex or as light as your organisation needs. You may need to adjust your approach depending on how busy the organisation gets, so be prepared.

4.5.1 Approach - phase 1 (stakeholder engagement)

This phase involves stakeholder engagements at senior level to:
• explain how you will be conducting the BIA, expected resource needs and timing estimates,
• gain their support and give them an opportunity to challenge / support you,
• get their perspective and opinions of main products and services,
• explain the impact categories you will be using and how those were approved,
• explain the scales you will be using and establish if these fit all departments,
• gain insight on how best to approach their departments and who is best placed to complete the questionnaire(s),
• discuss the required awareness training and gain commitment for the training,
• give them a chance to engage at initiation level and help fine-tune your approach.

4.5.2 Approach - phase 2 (communication)

Now you are ready to let the organisation know what to expect. You will have identified the areas to be covered, the people that are to be engaged and the requirements. You will also be armed with the necessary tools and templates.

It is vital that communication stems from senior management (even if you are the creator of the lyrics). The communication should have a strong message on whose authority the BIA is to be conducted, the general approach and who will be the lead for ensuring compliance.

By the time communication goes across the organisation it is vital that you have already engaged people on a one-to-one basis, that you have their support (even in principle) and that there are no surprises. This might also be called “customer relationship management”, for the BIA contributors (and their line management) will indeed be your customers.

4.5.3 Approach - phase 3 (discovery and assessment, BIA1)

Having agreed with heads of department who will be fulfilling compliance requirements, and having alerted the organisation to the approach, you now need to gather the data. This is likely to be the longest phase of the BIA. During this phase you will:
• provide awareness and compliance awareness training for BIA contributors,
• develop a list of high-level activities performed by each function,
• assess impacts that could result from disrupting these activities, partially or fully, directly or indirectly,
• assess the maximum tolerable period of disruption (MTPoD) for each activity. This is the point at which the inability to restore services or activities, or the inability to perform at predetermined levels, will severely impact Resilient Shipping,
• assess the maximum time period after the start of a disruption by which each activity needs to be resumed,
• assess the minimum level at which each activity needs to be performed upon resumption,
• assess the length of time within which normal levels of operation need to be resumed,
• categorise the activities according to their priority for recovery and evaluate resource vulnerabilities of the key activities.
4.5.4 Approach - phase 4 (analysis, BIA2)

Having received and consolidated all assessments you are ready to provide an analysis of the data you have gathered, which will identify vulnerabilities and possible risks, particularly those vulnerabilities for which there is inadequate resilience or contingent arrangements. During this phase you will:
• provide senior management with consolidated assessment results to confirm key activities and priorities,
• provide a dependency map to identify critical paths, single points of failure or vulnerabilities to products and services,
• evaluate the key supply chain and ensure alignment with Resilient Shipping BC requirements,
• confirm the Recovery Time Objective for each activity which supports or delivers a key activity, and identify issues relative to MTPoD,
• evaluate resources required for each activity to recover according to approved assessments (for example premises, people, technology, utilities and information),
• identify organisation-wide risks (the risks that are common to each directorate),
• propose mitigation and resilience-building options to minimise risk and vulnerabilities.

4.6 BIA1 - assessment, review and sign-off

Taking into consideration ERP, time scales, scope and approach, let’s see what the finished product could look like.

4.6.1 Document Quality Management

There are oodles of articles on how one can manage documentation, but start with the GPG (PP1 page 33) and SANS / ISO 22301 (section 7.5) to get the right flavour and direction. You could structure a spreadsheet tab to consolidate much of the document quality management information. We won’t go into that in this article, but bear in mind that document quality management is mandatory for a BIA.

4.6.2 Activity detail

For Resilient Shipping we decided our approach would aim at getting organisation functions to list (at most) 10 MAIN activities. Note that I did not use the word “key”, “critical”, “important”, “fundamental” and so on. The assessment will ultimately decide which of these activities require recovery priorities, and then you can label them how you like. On the rare occasion that activities went past 10 we just got contributors to complete a “part 2” questionnaire (bear in mind we had already created the 10-activity BIA1 spreadsheet template). We found that of the 51 areas that returned assessments only 2 areas needed to list more than 10 MAIN activities. To make things easy we had separate tabs on our spreadsheet for each activity.

For each activity we requested the following information:
• A short description of the functional area completing the BIA1, how that related to the published org chart and what they provided to the organisation (note that we actually had this as part of the document quality information sheet and we just auto-replicated this information),
• A short description of the activity, and then a separate description detailing what the activity did and how that fitted into the functional area deliveries,
• An owner for the activity and a place to put some detail about the owner,
• A list of resources used by that activity, compartmentalised into Roles, Premises, Internal Functional Dependencies, External Dependencies (suppliers mainly) and Technology / Plant / Services (divided into 8 key areas). We could have got more complex, but we assessed these to be a good starting point from which we could improve as Resilient Shipping matured its BIA process. In the real world many of the resources are collated into the template and structured into drop-downs (e.g. all the enterprise applications, sites and suppliers),
• A descriptor of each resource to explain what that resource was for and the current alternative arrangements if that resource was not available (so we are already providing an indicator of current resilience and vulnerability mitigation),
• An area for the BIA contributor to make comments (whether to address shortfalls in the template, peculiarities in their area’s activity, or just to have a whinge),
• The “desired” RTO and RPO for that activity. We wanted people to be realistic about what they “thought” these time scales SHOULD be (and why), IRRESPECTIVE of what might have been known of the currently achievable BC arrangements.

What! No MTPoD? Not yet. Just finish off gathering details of the MAIN activities for now.
4.6.3 Activity assessment (BAU)

The best way to explain the impact assessment is to consider the chart below. For this article we have chosen just the one activity (and the data is fictitious). On this tab in our spreadsheet we consolidated the titles of all activities populated by the BIA contributor (we did this work through some VBA just to save contributors from extra admin).

The qualification for the assessment of the one activity against one impact category was:

“Given the organisation descriptors for each level, if we cannot get the supplies to the customer by day 3 we will face customer financial penalties and may also have to replace the consignment owing to perishable and health constraints. This situation will get progressively worse if not sorted out immediately.”

We listed the activities and all the impact categories mentioned earlier in this article. We only show one activity and one impact category in this example. We also displayed the time scales for recovery (the recovery points being static). We then used drop-downs to let people choose the level of impact against the impact category that would be experienced over time. We also asked people to qualify their decision for that choice. What they didn’t know is that we had programmed the “threshold” into our calculations; they didn’t see that, well, not right away. I just added the red shading to make this obvious. (We wanted them to be honest and not swayed by any suggestion of “criticality”.)

Once all activities had been assessed we then ran a clever macro which highlighted which of the activities crossed the threshold for the various impact categories, and at what point in time across the time scale. This point became the MTPoD for that activity, i.e. the time at which impacts would have serious consequences for Resilient Shipping if they couldn’t get that activity up and running.

4.6.4 Activity assessment (seasonal variations)

This tab in our spreadsheet was almost exactly the same as the BAU tab except for one difference: it had an additional drop-down of predefined labels which identified specific periods in the year, such as “month end”, where the impacts would be very different to those of BAU activities.

This provided contributors an opportunity to highlight seasonal variations, and in turn was a great help in fully understanding the more complex vulnerabilities and recovery requirements should an impact occur during a particular cycle of an activity where priorities were likely to be very different to the BAU priorities.

4.6.5 Recovery priority considerations (vulnerabilities)

Voila! One more macro to run.

But before that we asked our BIA contributors to review their data with their line manager and make sure the assessment thus far was a best-endeavours assessment which adequately reflected that function’s MAIN activities, and that the assessments were suitably qualified. We also asked them to review RTO and RPO against the MTPoD and adjust those so that recovery objectives were less than the MTPoD identifier.

So you see, a little bit of discussion to get these two in the right place. If the assessments are good, the MTPoD is realistic and the RTO / RPO should then be less than that. (You would want to recover the activity before it reached a stage where Resilient Shipping could not tolerate the consequences of the impact: the impact threshold.)

In some cases we found that the RTO was, say, 2 days but the MTPoD when assessed was >7 days. Why would you want to recover that activity so early when you may have other activities that command prioritisation? Would an RTO of 4 to 7 days not have been more realistic (and allowed the function to focus on other activities that were more important)? Was the assessment flawed, or was the contributor just keen to get everything up and running as soon as possible? Discussion is needed then, as we don’t want to change the contributor data; they must decide that. We just want to understand the rationale for our analysis (and not embarrass our “customers”).

Now you run the macro.

You end up with a very simple chart, similar to that below, which sets the foundation for vulnerability identification: the analysis. What this chart simply does is show the activities (one in our example), the recovery time scales and when the impacts of those activities cross the threshold (red). It furthermore gives some earlier data captured which should be used in the overarching analysis.

To explain the chart: I see an activity that has a 2-day RTO, the impact crosses the threshold on day 3 (MTPoD) and the age of the data supporting this activity cannot be more than 8 hours old from date of impact. That looks practical.

As the BIA contributor reviews data these may change, so they are really a snapshot summary to quickly identify anomalies or inadvertent assessment errors.
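The calculation behind the two macros, as an added Python example (this is not TaGza’s spreadsheet or its VBA, and the activity names, impact scores, RTO/RPO values, the RTO_SLACK_BUCKETS tolerance and all function names are constructed for the illustration). It takes each activity’s impact level per category across the agreed time scale, finds the first bucket at which any category reaches the level-4 threshold (the MTPoD under the Resilient Shipping model in 4.1.4), checks the desired RTO against it in the way 4.6.5 discusses, and also applies the day-3 key-activity rule that section 4.8.4 describes. The first sample activity reproduces the chart above (2-day RTO, MTPoD on day 3, 8-hour RPO); the others go beyond the article’s single activity to show the anomalies worth a conversation with the contributor.

```python
"""MTPoD, RTO sanity check and key-activity classification for a BIA1 assessment.

Added illustration modelled on the Resilient Shipping example in this article;
it is not TaGza's spreadsheet or VBA macro. Every activity, impact score and
RTO/RPO below is constructed for the example.
"""
from dataclasses import dataclass

# Recovery time scale (section 4.2.1) and impact levels (section 4.1.2).
TIME_SCALE = ["1 day", "2 days", "3 days", "4 to 7 days", ">7 days"]
LEVELS = ["No Impact", "Negligible", "Low", "Marginal", "High"]  # index 0..4
THRESHOLD = 4            # level 4 is the organisational threshold in the article
KEY_ACTIVITY_CUTOFF = 2  # index of "3 days": crossing by day 3 makes a key activity
RTO_SLACK_BUCKETS = 2    # assumption: an RTO this many buckets before MTPoD is queried


@dataclass
class Activity:
    name: str
    rto: str       # desired RTO, one entry of TIME_SCALE
    rpo: str       # desired RPO, free text such as "8 hours"
    impacts: dict  # impact category -> impact level index per time bucket


def validate(activity):
    """Reject a malformed BIA1 submission before any calculation runs."""
    if activity.rto not in TIME_SCALE:
        raise ValueError(f"{activity.name}: RTO {activity.rto!r} is not on the agreed scale")
    for category, levels in activity.impacts.items():
        if len(levels) != len(TIME_SCALE) or any(not 0 <= lvl < len(LEVELS) for lvl in levels):
            raise ValueError(f"{activity.name}/{category}: one level per bucket, 0..{len(LEVELS) - 1}")


def threshold_crossings(activity):
    """Per category, the first bucket at which impact reaches or exceeds the
    threshold (what the macro shades red), or None if it never does."""
    validate(activity)
    return {cat: next((t for t, lvl in enumerate(levels) if lvl >= THRESHOLD), None)
            for cat, levels in activity.impacts.items()}


def mtpod_index(activity):
    """Resilient Shipping's model (4.1.4): MTPoD is the earliest bucket at which
    ANY category crosses the threshold. None means the threshold is never reached."""
    crossed = [t for t in threshold_crossings(activity).values() if t is not None]
    return min(crossed) if crossed else None


def assess(activity):
    """One row of the recovery-consideration chart (section 4.6.5)."""
    t = mtpod_index(activity)
    rto_i = TIME_SCALE.index(activity.rto)
    row = {"activity": activity.name, "rto": activity.rto, "rpo": activity.rpo,
           "mtpod": TIME_SCALE[t] if t is not None else "not reached",
           "key_activity": t is not None and t <= KEY_ACTIVITY_CUTOFF, "flags": []}
    if t is None:
        row["flags"].append("threshold never reached: confirm the assessment is honest")
    elif rto_i >= t:
        row["flags"].append("RTO is not earlier than MTPoD: recovery must finish before impacts become intolerable")
    elif t - rto_i >= RTO_SLACK_BUCKETS:
        row["flags"].append("RTO far earlier than MTPoD: ask the contributor whether a later RTO is realistic")
    return row


def summarise(activities):
    """Key-activity counts per day crossed, in the shape of the 15/52/45 of 294 in 4.8.4."""
    rows = [assess(a) for a in activities]
    by_bucket = {TIME_SCALE[t]: 0 for t in range(KEY_ACTIVITY_CUTOFF + 1)}
    for row in rows:
        if row["key_activity"]:
            by_bucket[row["mtpod"]] += 1
    return {"assessed": len(rows), "key_activities": sum(by_bucket.values()),
            "by_bucket": by_bucket, "rows": rows}


# Constructed BIA1 data: four MAIN activities, impact level per time bucket.
SAMPLE_ACTIVITIES = [
    Activity("Deliver consignments to customers", "2 days", "8 hours",
             {"Financial": [1, 3, 4, 4, 4], "Reputation": [0, 2, 3, 4, 4]}),
    Activity("Reconcile supplier invoices", "2 days", "12 hours",
             {"Financial": [0, 0, 1, 2, 4], "Reputation": [0, 0, 0, 1, 2]}),
    Activity("Issue hazardous-goods documentation", "1 day", "4 hours",
             {"Financial": [2, 3, 4, 4, 4], "Reputation": [4, 4, 4, 4, 4]}),
    Activity("Refresh marketing brochure", ">7 days", ">12 hours",
             {"Financial": [0, 0, 0, 1, 1], "Reputation": [0, 0, 1, 1, 2]}),
]

if __name__ == "__main__":
    result = summarise(SAMPLE_ACTIVITIES)
    for row in result["rows"]:
        print(f"{row['activity']}: RTO {row['rto']}, RPO {row['rpo']}, MTPoD {row['mtpod']}, "
              f"key={row['key_activity']} {'; '.join(row['flags'])}")
    print(f"{result['key_activities']} of {result['assessed']} key activities: {result['by_bucket']}")
```

Two design points carry over to a spreadsheet implementation. The contributor only ever supplies impact levels, RTO and RPO; the threshold and the key-activity cut-off live in the calculation, which is what lets the macro stay hidden until the review. And the validation step matters because a free-text cell (rather than a drop-down) that is off the agreed scale silently breaks the comparison; the seasonal-variation tab in 4.6.4 is the same model with an extra period label on each row.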
9In the real world there would be a numberof other activities and some of these mighthave a lower RTO with an earlier impactthreshold. I would therefore need to lookat those activities as a priority, but wearen’t discussing recovery planning at thisstage or in this article.What is important for the activity in thechart is that we consider whether we canget this activity up and running in 2 daysand what contingent resource arrange-ments we might require to achieve that.Some more discussions then - but that’s forlater.4.7 Products of the BIA1Having completed this hard work, patyourself on the back. You have collectedsufficient data to perform a business im-pact analysis (BIA2).You have also inadvertently created aprocess to;• identify activities that support theprovision of products and services;• assess the impacts over time of notperforming these activities;• set prioritised timeframes for resum-ing these activities at a specifiedminimum acceptable level, whilsttaking into consideration the timewithin which the impacts of not re-suming activities would become un-acceptable; and• identify dependencies and support-ing resources for these activities, in-cluding suppliers, outsource partnersand other relevant interested parties.Have a look at section 8.2.2 of SANS / ISO22301 - job done then! Or is it?4.8 BIA2- analysis, review and signoffWe now have Contin Gensy baying at thedoor for an analysis of impact vulnerabili-ties (he’s got quite good with terminologynow).So we write him a report and bearing inmind he is a busy man we don’t want toover-egg the detail too much - we candrill down to that later on (as we nowhave a vast collection of raw data).4.8.1 Confirm criteriaIt is very important in the Analysisto confirm the criteria used in the foun-dation of the BIA data gathering,particularly those related to ResilientShipping’s impact categories and toexplain how the time scales andthresholds were approved. 
If youmade these up you might get chas-tised for guessing what the organisa-tion wanted - that’s not your job!4.8.2 Summarise the approach usedGive Contin Gensy an overview of theapproach (to remind him what wasagreed) and who was involved. Givea clear perspective of which areassubmitted a response. You might alsowant to note why certain areas wereexcluded as he is likely to pick thoseup.4.8.3 Summarise the expected out-comesContin Gensy wanted a vulnerabilityassessment (and realises now that thisBIA is the product to provide that).Take him for a gentle trot on what wasgathered (high level) and how thesewere assessed and reviewed. Explainhow the outcomes gave intelligenceto the Analysis. In particular identify thekey resource dependencies and howthe analysis considered resource vul-nerabilities (people, things to work withand premises).4.8.4 Report on assessmentsIn this section you will identify thescope by listing the directorates, howmany BIA1’s they completed, howmany activities were assessed andwho owns the top end of the BIA1’s.Total these figures as well.For Resilient Shipping we conducted51 assessments (294 MAIN activities)covering all directorates. 
We broke that up per directorate in our report.

Contin Gensy had also agreed that in order to simplify things we would categorise all activities which crossed any impact threshold within the first 3 days as a key activity (I forgot to tell you this - VERY IMPORTANT TO HAVE A MECHANISM TO IDENTIFY WHAT IS CONSIDERED A KEY ACTIVITY).

In our report we reminded him under this section and summarised the detail (15 activities crossed the threshold on day 1, 52 on day 2 and 45 on day 3 - a total of 112 out of 294).

We then identified which resources the analysis chose to focus on (this we only got advised about late in the BIA process when Contin Gensy realised the value).

During the BIA data gathering exercise it was clear that Resilient Shipping had massive resilience in premises options and that their technology was relatively resilient, but there was an obvious weakness in succession planning for those roles that supported the key activities. We mentioned this in our report.

4.8.5 Report on recovery capability

In this section we reported on the capability of Resilient Shipping to support contingent arrangements. During the BIA1 phase we had loads of discussions with facilities, operations and HR (to name a few). During that period we examined outsourced contracts (suppliers), disaster recovery capabilities for key technology (identified in the BIA1), alternative working options, key personnel knowledge transfer, skills, qualifications, development, assessments and succession planning.

Across the scope of Resilient Shipping we found that the technology suite was pretty robust and would support 90% of the key activities’ desired RTO’s. There were also enough geographically spread premises with state of the art remote options to support most of the key alternate premises needs.

What we did find was that knowledge was not transferred; that people were not that well developed in centralising vital information and that the attrition rate was abnormal.
More so, people were at great risk given the nature of their roles as well as current volatile and competitive markets. We summarised the key personnel, their qualifications, skills and experience scores and tried to assess who could replace these people. The number of single points of failure was massively significant. We reported this.

Although there were a number of activities whose RTO’s could not be achieved against what Resilient Shipping could provide, we felt those were particular to that section or department and not something the whole business was exposed to. We advised BIA contributors and line management in those areas to conduct a risk workshop itemising where they felt vulnerable (given the details in the BIA1) and seek mitigation solutions at Directorate level.
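The key-activity mechanism described in 4.8.4 (anything crossing an impact threshold within the agreed number of days) and the single-point-of-failure check in 4.8.5 can be applied mechanically once the BIA1 responses are in a structured form. The script below is an added illustration, not part of the article or any ContinuitySA tooling: the activities, roles and staff names are constructed sample data, the 3-day cut-off is the one agreed with Contin Gensy in the text, and the field names (impact_threshold_day, rto_days, key_roles) are assumptions about how a BIA1 questionnaire might be captured.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Cut-off agreed with the BIA sponsor: an activity whose impact becomes
# unacceptable within this many days is treated as a key activity.
KEY_ACTIVITY_CUTOFF_DAYS = 3


@dataclass(frozen=True)
class Activity:
    """One MAIN activity from a BIA1 questionnaire (constructed sample)."""
    name: str
    directorate: str
    impact_threshold_day: int   # first day on which any impact category is unacceptable
    rto_days: int               # recovery time objective agreed with the activity owner
    key_roles: Tuple[str, ...]  # roles the activity cannot run without


@dataclass(frozen=True)
class Role:
    """A role and the staff assessed as able to perform it (constructed sample)."""
    name: str
    people: Tuple[str, ...]


# Constructed sample data: six activities across five directorates.
ACTIVITIES: List[Activity] = [
    Activity("Vessel scheduling", "Operations", 1, 1, ("Scheduler",)),
    Activity("Customs documentation", "Operations", 2, 3, ("Customs clerk",)),
    Activity("Port agency payments", "Finance", 2, 2, ("Treasury analyst",)),
    Activity("Crew rostering", "HR", 3, 2, ("Crewing officer", "Scheduler")),
    Activity("Annual fleet survey", "Technical", 20, 10, ("Marine surveyor",)),
    Activity("Client newsletter", "Commercial", 30, 15, ()),
]

# Constructed sample data: who can perform each role today (hypothetical names).
ROLES: Dict[str, Role] = {
    r.name: r for r in [
        Role("Scheduler", ("A. Ndlovu",)),
        Role("Customs clerk", ("E. Khumalo", "F. Botha")),
        Role("Treasury analyst", ("B. Smith", "C. Patel")),
        Role("Crewing officer", ("D. Jones",)),
        Role("Marine surveyor", ("G. Naidoo",)),
    ]
}


def is_key_activity(activity: Activity, cutoff: int = KEY_ACTIVITY_CUTOFF_DAYS) -> bool:
    """The agreed mechanism: a threshold crossed within the cut-off window."""
    return activity.impact_threshold_day <= cutoff


def key_activities_by_day(activities, cutoff=KEY_ACTIVITY_CUTOFF_DAYS) -> Dict[int, int]:
    """How many activities first cross a threshold on each day of the window."""
    counts = Counter(a.impact_threshold_day for a in activities if is_key_activity(a, cutoff))
    return {day: counts.get(day, 0) for day in range(1, cutoff + 1)}


def rto_gaps(activities, cutoff=KEY_ACTIVITY_CUTOFF_DAYS) -> List[str]:
    """Key activities whose agreed RTO falls after the day impact becomes unacceptable."""
    return [a.name for a in activities
            if is_key_activity(a, cutoff) and a.rto_days > a.impact_threshold_day]


def single_points_of_failure(activities, roles, cutoff=KEY_ACTIVITY_CUTOFF_DAYS) -> List[str]:
    """Roles supporting a key activity that only one person (or nobody) can perform."""
    needed = {role for a in activities if is_key_activity(a, cutoff) for role in a.key_roles}
    headcount = lambda role: len(roles[role].people) if role in roles else 0
    return sorted(role for role in needed if headcount(role) <= 1)


def bia_summary(activities, roles, cutoff=KEY_ACTIVITY_CUTOFF_DAYS) -> dict:
    """The headline figures a report under 4.8.4 and 4.8.5 would carry."""
    key = [a for a in activities if is_key_activity(a, cutoff)]
    return {
        "activities_assessed": len(activities),
        "key_activities": len(key),
        "key_by_day": key_activities_by_day(activities, cutoff),
        "key_by_directorate": dict(Counter(a.directorate for a in key)),
        "rto_gaps": rto_gaps(activities, cutoff),
        "single_points_of_failure": single_points_of_failure(activities, roles, cutoff),
    }


if __name__ == "__main__":
    for heading, value in bia_summary(ACTIVITIES, ROLES).items():
        print(f"{heading}: {value}")
```

Roles that are single-staffed but only support non-key activities (the marine surveyor in the sample) are deliberately left out of the single-point-of-failure list, which keeps the report focused on the activities the sponsor agreed matter within the window; widening the cut-off parameter brings them back in.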
4.8.6 Analyse the organisation

In the analysis, given the focus on recovery capability, we chose to highlight that Resilient Shipping was not resilient at all when considering the impacts and risk which could arise from unavailability of key personnel. We wanted to suggest Contin Gensy changed the company name to Vulnerable Shipping - but of course that would have been professional suicide. Instead we gave him valuable detail to contemplate, breaking these up into areas he could explore (vulnerabilities and gaps, risk considerations, recommended improvements and planning recommendations).

At this point Contin Gensy was smiling - he could see the BIA had been thorough, he could see his whole business had been involved, he could see a huge change in the way people approached vulnerabilities, he could see the really good bits but with an understanding that some areas needed work. He also had a very clear perspective of the extent of the risk the company faced with knowledge retention and that the HR side of things hadn’t given his people a good enough deal to keep them.

He could also see some value-add benefits - he now had a system he could regularly use, he now had his people talking to each other, there was more transparency as he realised the BIA process was not punitive but of significant value.

Contin Gensy was under the impression his ships were the most vulnerable and was pleasantly surprised to know that it was the loyalty of his people and their extraordinary skills that kept his ships resilient (yes we assessed and analysed those as well).
He knows he now has to embark on an urgent campaign to get his people resilient and for that we recommended a good consulting company (TaGza HR - I just made that up).

He got this information in the summary, which provided the detail to take forward to his executives for discussion - and to agree a strategy.

Note: You may want to look at ISO 22301 (section 8.3) and the GPG (PP4 page 62) to get a view on how the strategy can be progressed using a lot of what you have gathered during the BIA process.

4.9 Now what?

Phew! If you think that was hard work - try writing it!

If we were just doing a BIA for Resilient Shipping our job would be done. We would encourage Resilient Shipping to get us back on an annual basis to ensure the process doesn’t become diluted, that we look at improvements and actions from the previous BIA and that we shift the focus of the next BIA to vary vulnerability analysis.

If, however, we were doing the BIA and Risk assessments as part of a BCMS we would now set the strategy to mitigate vulnerabilities and to plan how we are to recover the key activities as prioritised. This is also a lot of work but most of the complex detail is now available for those processes from the BIA work.

5 Other bits …

It is vitally important that one considers a BIA and vulnerability assessment as part of the overall resilience development programme for an organisation. For instance, the Information Security suite (ISO 27001 family) requires a BIA to be completed for IT systems but that has a slightly different exposure - focussing more on Confidentiality, Integrity and Availability.

Even so it would be silly to just conduct a BIA and leave it at that. If you’re not going to use the value from the BIA then all well and good - but why then do it in the first place? From the BIA comes a decent platform for setting your resilience and recovery strategy framework as well as driving the focus on business continuity recovery plans.
Even more importantly there is a huge interface into your response team structure as they are now better informed about the organisation’s key activities - rather than all clambering to get their piece of territory recovered. What should also happen is that the scope and context of the organisation starts to be shaped on real data and not just from those who shout the loudest.

I stand by my statement that the BIA is the foundation for all the resilience disciplines to stand united, but it does not work on its own so do engage the “other bits” of resilience when designing your BIA approach.

6 Summing up!

If you are still awake at this stage I must reveal something.

Although this is a pretty good approach I have thrown in a few references which I have not explained. I have also made a weenty assumption that you are all well versed in resilience disciplines, particularly Business Continuity Management. There are a whole heap of training requirements intimated in this article which you will need to undergo to do a proper BIA.

I have, in these lyrics, also fast tracked some processes and I have made up quite a lot of detail, so don’t take this article verbatim to deploy a BIA project. It’s simply a guide to an approach you can adopt but you still need to be very skilled to conduct a BIA.

I would strongly suggest you contact ContinuitySA in the first instance to understand the modules that are needed to address and interface with a BIA - and do get an experienced person to help and coach you.

Good luck!
BCI SADC Chapter Forums

Should you have any enquiries as to how you can make a difference or would like to be included in regular communication, please contact:

Louise Theunissen (MBCI)(PMP), BCI SADC Chapter Board Member
Mobile: +27 82 928 7158 or Mail to: email@example.com

Master Drilling optimises infrastructure with help from Triple4

Triple4 has created a highly available infrastructure and stable, user-friendly wireless environment for the global provider of specialist drilling solutions for the mining industry.

Founded in 1986, Master Drilling provides specialist drilling services to the mining industry, from the exploration phase right through to production. Master Drilling listed on the Johannesburg Stock Exchange in 2012, and its services include the design, manufacturing and maintenance of drilling equipment, along with associated training – all of which can be customised to the needs of each client and prevailing site conditions.

With operations in South Africa, West Africa and Latin America, Master Drilling is reliant on a highly available IT infrastructure to enable effective collaboration and access to company data.

“There’s always somebody working so we have to keep downtime to an absolute minimum,” says IT manager Steven Naudé. “Much of the business’s value is contained in its intellectual property, which is largely held on the network, so again we need reliable back-up and storage environments.”

Master Drilling maintains its own small on-premise data centre. With its existing servers nearing the end of their warranty periods, Naudé wanted to upgrade the infrastructure. He called in the team from Triple4, who had been providing services related to virtualisation for some six years.

“The key consideration for Master Drilling was an infrastructure that was highly available. With that in mind, we recommended they opt for Fujitsu servers and storage area network,” says Scott Orton, Triple4’s sales director. Triple4 helped design the infrastructure to make it more resilient and scalable for future needs.

Triple4 managed the migration of both the physical and virtual environments, and continues to provide infrastructure monitoring and support to Master Drilling.

In a parallel project, Triple4 helped Master Drilling create a wireless environment at its Fochville head office that was easier to manage and offered significant benefits to users. In this instance, Triple4 recommended the use of a Juniper Enterprise Wireless solution. Because all the wireless access points are managed by a central controller, it is no longer necessary to manage each access point individually. Users, who previously had to log on to each access point with a separate password as they moved around the offices, now only have to log on once. The solution is also very reliable and stable.

“Both the infrastructure solutions recommended by Triple4 have more than lived up to expectations – it’s really a case of ‘turn it on and forget about it’. Because Triple4 does the research so well, their recommendation is really worth something,” says Naudé. “I must also say that their support is excellent. We usually only know about a problem on our infrastructure when they contact us to say it’s been fixed, and if we log a call, the turnaround is impressive.”

Triple4 is currently working on a project to help Master Drilling design and specify a global infrastructure for its enterprise resource planning software system.

For more information contact Triple4 or visit www.triple4.co.za
Three steps to enterprise cloud migration

Cloud computing offers significant benefits to enterprises, and many are starting to factor it into their long-term planning. First, however, they need to understand the pros and cons of cloud – and how to make the move.

“Cloud offers enterprises the benefits of reduced capital expenditure and staff requirements combined with scalability and quick deployment—something that’s hugely important in today’s fast-moving business environment,” says Shaheen Kalla, Managed Services Manager at ContinuitySA. “Cloud services coupled with service-level agreements and fixed penalties make it a viable alternative to internal hosting.”

However, there are disadvantages to cloud that also need consideration, among them reliance on the provider for troubleshooting and security concerns about sensitive data. It must also be borne in mind that cloud providers are natural targets for hackers.

In moving to the cloud model, Mr Kalla argued that enterprises should consider a three-phased approach. The first stage is co-location or rack hosting, a model in which hardware moves to an offsite data centre.

Drivers for such a move would include the size of the current environment, and its requirements for power and other peripheral services such as cooling and humidity control.

If the organisation plans to expand, co-location would possibly be indicated, especially if, for example, one is reaching the limit of the power available on the site.

The next stage would be managed services, with the hardware continuing to be owned but the services delivered by a third party. This model is particularly well suited to Web-based “thin” applications, and suits companies that want to benefit from the maximum amount of depreciation from recently purchased assets. Service-level agreements govern this type of environment.

The final stage is the move to the cloud, a move, Mr Kalla says, that requires a mature and long-term outlook. “It’s a totally hands-off environment which might not please technical staff who typically like control. Moving to this model warrants an in-depth assessment of the service provider and its levels of security and responsiveness.”

Key things to look out for include close reading of the fine print to understand exactly what the service-level agreement covers and does not cover, and how and when penalties kick in. “It’s also vital to consider the implications of where the service provider’s data centres are located,” Mr Kalla says. “If located outside of the country, this will affect the latency and so the user experience on certain applications. Location will also affect what you are paying for the link to the centre, and will in turn affect the costs of migrating to cloud.”
Flu season means it is time to dust off your pandemic policy

This latest outbreak of bird flu has had a very serious impact on China’s poultry sector, with losses of more than $1.6 billion reported already.

Closer to home in South Africa, bird flu is crippling exports of ostrich products. Reportedly, 50% of ostrich farmers have had to close their businesses, resulting in significant job losses. Estimated losses for the sector, according to some, are running at R100 million per month.

Over the years, the flu virus has demonstrated its ability to mutate into more virulent strains which can spread quickly. Recently, various strains of bird flu, the SARS virus, swine flu and Hong Kong flu have spread rapidly around the world.

While the Spanish flu pandemic of 1918 was the big killer – 50 to 100 million people are thought to have died around the world – other pandemics have had severe impacts on productivity. The Center for Disease Control in the United States estimated that a “medium-level” avian flu pandemic could have an economic impact of up to $166.5 billion, with seasonal flu responsible for some $10 billion in lost productivity and direct medical expenses – and these are 2006 estimates.

“The latest outbreak of bird flu in China and in South Africa should act as a timely reminder that we are now entering the flu and cold season,” says David Bollaert, a Senior BCM Advisor at ContinuitySA, Africa’s leading provider of business continuity solutions. “Whether it’s just a cold or the latest flu strain, these diseases can spread very quickly in a company and cause many hours of lost productivity as people spend time at home, visiting doctors or performing their duties at lower productivity level.”

Because a pandemic can affect a business’ ability to function, its business continuity plan should include a pandemic policy that lays out the processes for minimising risk. Among these processes are infection prevention and control measures aimed at halting or at least minimising the spread of infectious diseases.

“Companies need to guard against large numbers of employees becoming affected—that’s when the business’s capacity to operate becomes compromised,” says Mr Bollaert. “Before the flu season starts, I advise all companies to make sure their pandemic policy and response strategy is adequate, infection prevention measures are in place and that, most importantly, employees are informed and empowered.”

Prevention is always better than cure; this is a good time for the company to provide refresher information on how to improve health and basic hygiene. Eating healthier food, exercising and getting enough sleep will all help boost immune systems and lower infection rates – and getting a flu vaccination early is also to be recommended.

It is also worth reminding employees how effective basic hygiene can be in reducing cross-infection rates. Thorough, frequent hand-washing, covering one’s mouth when sneezing and wiping down surfaces in high-contact areas like hallways and washrooms with anti-bacterial cleaners can inhibit the spread of infections dramatically. Local research has shown that the use of antibacterial products alone can reduce the incidence of respiratory ailments by 85.8% in adults.

“Pandemics are a business issue: use your pandemic policy wisely to make sure your organisation stays safe and is able to continue delivering its critical services,” concludes Mr Bollaert.

The latest figure brings the total number of human deaths to fourteen in China’s unfolding bird flu epidemic. Infection cases that have been recorded appear to originate from Shanghai and show that this is a new strain, H7N9, which was not previously known to infect humans. With 63 reported cases of human infection and fourteen deaths, the mortality rate is high.

David Bollaert
Does your business have operational resilience?

Published first in Business Brief

Constant change is the hallmark of business today – and business success depends on developing agile operations that can respond to change.

By Louise Theunissen, Advisory Services at ContinuitySA

There’s much in business that’s uncertain, but you can bank on one thing: you will go out of business if your operations cannot respond to unexpected change. That change could be anything from altered market conditions to unexpected catastrophe.

It’s also worth stating the obvious here: the world is now a very small place, thanks to our connected business models. In practical terms, changes at the other side of the world impact us here in South Africa when once they did not.

Two examples will make that point. The Japanese earthquakes and consequent tsunamis in 2011 devastated the country, but they also affected electronic supply chains because factories manufacturing components were destroyed. And then consider Kenya’s billions in wasted flowers and vegetables when the ash cloud from Iceland’s Eyjafjallajokull volcano grounded flights to Europe for more than a week in 2010.

By contrast, the potential disruptions that the 2010 World Cup could have caused never materialised, thanks to good advance planning. Companies need to develop organisational resilience to ensure agility in time of expected or unexpected change, from tsunamis to fluctuating exchange rates. Operational resilience covers a number of elements, but where do you start to ensure that your business keeps functioning during unforeseen circumstances?

One important component of operational resilience is business continuity. It plays an important role in increasing an organisation’s capability to continue delivery of products and/or services at acceptable predefined levels and provide an effective response that safeguards the interest of stakeholders following a disruptive incident.

The good news is that the International Standards Organisation (ISO) has recently introduced a set of standards for business continuity management. The new ISO 22301 standard specifies requirements for setting up and managing an effective Business Continuity Management System (BCMS). In other words, the new standard takes business continuity beyond risk management by providing processes for managing its implementation over the long term, and the measurement of its maturity.

Usefully, the ISO has also produced guidelines in the companion standard, ISO 22313.

Business continuity begins with gaining a detailed understanding of your organisation, right down to the maximum tolerable period of disruption for each product or service offered.

Thereafter, it’s possible to define a business continuity strategy based on how to bridge the gap between the company’s business recovery requirements and its current recovery capabilities. It’s then a question of implementing, managing (and monitoring) the strategy over time: business continuity management, in fact.

This concept of managing the whole business continuity process is vital, particularly because it includes testing to see how effective the solution is. For this reason, companies will increasingly find that auditors are no longer satisfied with business continuity plans but are demanding proof that the solution has been tested and actions to address areas of weakness have been identified.

As the organisation’s implementation of business continuity progresses, so will its resilience.
BCI Africa Awards!

The Awards recognise the outstanding contribution of business continuity professionals and organisations living in or operating in Africa.

The Awards Ceremony will take place on the 22nd August 2013. The closing date for entries is the 21st June 2013. All winners from the BCI Africa Awards will automatically be entered into the BCI Global Awards 2013 that take place in November during the BCM World Conference and Exhibition 2013, 6th to 7th November 2013 in London.

The Categories:

There are nine judged categories and one public vote category.

Judged Categories:
• Business Continuity Consultant of the Year
• Business Continuity Manager of the Year
• Public Sector Business Continuity Manager of the Year
• Most Effective Recovery of the Year
• BCM Newcomer of the Year
• Business Continuity Team of the Year
• Business Continuity Provider of the Year (BCM Service)
• Business Continuity Provider of the Year (BCM Product)
• Business Continuity Innovation of the Year (Product/Service)

Public Vote Category (by nomination only)
• Industry Personality of the Year

For detailed descriptions of each of these categories click here.

Application process

Entries for the judged categories must include:
• Written submission statement of between 1500 and 2500 words in support of the application including information mentioned in the criteria.
• An abbreviated summary of the statement – no more than 100 words.
• Full contact details including name, organisation/employer name, address, phone number, email.
• Written confirmation that all permissions relating to the release of data contained within the application have been granted.

Nominations for the public vote category of Industry Personality should include a 100-word summary of why that person is being nominated. The 5 most popular nominations will be collated and put to a public vote.

Please submit your completed application to Lucy McDonnell.

Please click here for a list of the countries included.
ContinuitySA Training Dates

Africa’s largest Business Continuity service provider, ContinuitySA, has enhanced its Complete Continuity Training Academy.

The two-day course, IT Service Continuity Training, is targeted at IT and Business Continuity Management (BCM) professionals responsible for the continued uptime of IT services within their organisations.

Key elements of the IT Service Continuity Course include:
• The link between BCM and IT Service Continuity Management;
• The evolution of IT Service Continuity;
• The latest concepts and trends in IT Service Continuity;
• Conducting an Infrastructure Impact Analysis;
• Formulating and implementing cost effective IT Service Continuity strategies to meet business requirements;
• Security management in IT Service Continuity;
• Testing the IT Service Continuity framework; and
• A Continuity-as-a-Service case study.

Attendees will not simply be bombarded with theory, but will be taught skills proven in the real world by active BCM practitioners with MBCI (Member of the Business Continuity Institute) certifications.

The course is based on the Good Practice Guidelines of the BCI and complies with the new ISO22301 standard to ensure it is on par with international best practices.

The 5 day Complete Continuity® Practitioners Programme is designed to equip business continuity practitioners within any organisation in all aspects of implementing, managing and maintaining an effective business continuity framework in their respective environments.

The course is based on the Business Continuity Institute’s Good Practice guidelines and ISO22301 international standard.

Key elements of the 5 day Complete Continuity® Practitioners Programme include:
• Introduction and Origins of BCM
• Trends and Observations
• Standards and Compliance
• Elements of the BCM Lifecycle
• BCM policy and Programme Management
• Embedding BCM in the Organisation’s culture
• Understanding the organisation
  - Business Impact Analysis
  - Continuity Requirements Analysis
  - Risk Assessment
• Determining BC Strategy
  - Selecting strategies and tactical responses
  - Consolidating Resource levels
• Developing and Implementing a BC response
• Exercising, Maintaining and Reviewing
• Measuring BC Maturity

Dates for the IT Service Continuity course are as follows:

IT Service Continuity Programme (2 Day Training)
13th & 14th August – Botswana
4th & 5th September – Johannesburg

Dates for the 5 day programme are as follows:

Complete Continuity Practitioner Programme (5 Day Training)
26nd to 26th July – Johannesburg
16th to 20th September – Johannesburg
14th to 18th September – Cape Town
20th October to 1st November – Botswana
18th – 22nd November – Johannesburg

For more information on these courses, contact: firstname.lastname@example.org or call +27 (0)11 554 8000.