It’s all about learning valuable lessons through exercise practices; you have to ask yourself: does your organisation have an approach to resilience in place?
The article by Eugene Taylor goes into depth on analysing your vulnerabilities, which includes a guide to an approach you can adopt, ensuring that you are skilled to conduct a business impact assessment (BIA).
In turn, Louise’s article, “Does your business have operational resilience?”, reconfirms that companies need to be agile and able to respond to constant change.
Both make excellent reading.
And next, have you nominated your Business Continuity Consultant and/or Manager of the Year? ContinuitySA wants to encourage all business continuity professionals to participate in the upcoming BCI Africa Awards. This inaugural event will recognise the outstanding contribution of business continuity professionals and organisations living in or operating in Africa, so be sure to submit your nominations, as entries close soon.
ContinuitySA has a host of upcoming training for the remainder of the year, the very next being our five-day Complete Continuity Practitioner programme, which is designed to equip business continuity practitioners within any organisation in all aspects of implementing, managing and maintaining an effective business continuity framework in their respective environments. The course takes place from the 22nd to 26th July 2013 and you can contact our training department directly on training@continuitysa.co.za or refer to our website under upcoming events.
Our course material is all based on the latest BCI Good Practice Guidelines and the latest ISO 22301 standards.
Triple4 shares a successful case study on how they helped optimise the Master Drilling infrastructure with a stable
and user-friendly wireless environment.
Our next issue will cover the upcoming ITWeb BC Conference taking place later this year, of which ContinuitySA
is the diamond sponsor, so be sure to watch the ITWeb website for more information on their latest events.
We are continually looking for articles, case studies and white papers to include in future issues of our newsletter,
so for any new submissions please feel free to email them to me.
Cindy Bodenstein
Q2 2013
Keeping ContinuitySA clients informed
Over the last couple of months the focus on business continuity has
shifted to resilience. Resilience can be defined as the ability to
recover from or adjust easily to misfortune or change.
In this Issue
• South African companies must take advantage of new international standard for business continuity management
• Taking the sensible approach to ICT protection and recovery
• Organisational Resilience: Analysing your vulnerabilities properly!
• Master Drilling optimises infrastructure with help from Triple4
• Three steps to enterprise cloud migration
• Flu season means it is time to dust off your pandemic policy
• Does your business have operational resilience?
• BCI Africa Awards!
• Training Dates
Editor’s Note
It’s all about Resilience
South African companies must take advantage of new international standard for business continuity management
The International Standards Organisation (ISO) recently launched its first standard for Business Continuity
Management, ISO22301. “The business world is increasingly digital with systemic dependencies and a
company’s effectiveness depends on its systems’ resilience,” says Eugene Taylor, managing director
of TaGza and the UK’s Institute of Directors (IoD) constituent representative on the British Standards
Institute TC223 committee. “Adherence to a reputable standard for business continuity like ISO22301
indicates that a company is serious about its organisational resilience and is thus a suitable partner.
Think of it as a ticket to the dance – and a strategy for remaining in business.”
Mr Taylor was addressing a briefing on the new ISO22301 standard, hosted by ContinuitySA as part of Business Continuity Awareness Week. Although South Africa has fully adopted the new standard, obtaining certification here is problematic at present as the South African National Accreditation Service (SANAS) has not yet decided whether it is viable to accredit local companies who would in turn be able to provide certification to local organisations. Alternatively, this certification can be done via internationally accredited certification companies through the International Accreditation Forum (IAF) who are party to the Multi Lateral Agreement (MLA) currently in place, but this approach is likely to be expensive and geographically problematic. While this issue is being resolved, South African companies should take a positive step towards organisational resilience and begin to align themselves with the new standard in preparation for Certification.
“Business continuity has been incorporated into the principles of King III and so is already on the corporate agenda,” Mr Taylor notes. “As most of King II was incorporated into the new Companies Act (2008), I would not be surprised if we found the King III recommendations making their way into Company legislation in due course.”
Three valuable practical resources for companies contemplating this move are Hilary Estall’s Business Continuity Management Systems: Implementation and certification to ISO 22301, the BCI’s Good Practice Guide (GPG) and Business Continuity For Dummies.
Mr Taylor said that before considering the upgrading of an existing business continuity management system or implementing one from scratch, companies should follow four steps.
“First make a strong business case,” he says. “It’s also vital to obtain an enthusiastic sponsor in top management and a suitably qualified implementer.”
The next step is to obtain the buy-in of the executive team and board of directors, which will mean identifying the benefits and costs of the chosen approach over the entire life cycle. Allied to this is the process of putting together a comprehensive, realistic budget that covers not just the implementation but also delivery.
“Don’t restrict the budget discussion to basic resourcing of personnel money, make sure you provide for technological support resources you will need to make business continuity management work,” Mr Taylor adds.
The final step is the important task of building relationships. At one level, this means obtaining buy-in from the enterprise as broadly as possible but also building relationships with those who do not initially support the move.
“There are always the doubters but if you work closely with them, they can be brought round to seeing the real benefits,” Mr Taylor observes. “I’ve had instances in which those who were most hostile at the beginning of the process have become business continuity champions.”
Once these four steps have been completed, the company will be prepared to embark on its programme to comply with ISO22301 – and thus demonstrate its reliability as a business partner or service provider across its entire value chain.
Taking the sensible approach to ICT protection and recovery
Data volumes are growing exponentially as the world digitises, and businesses continue to unlock the value held in their information. And yet there is ample evidence that companies are not taking adequate measures to protect their data. According to research conducted by Vanson Bourne for EMC, 74% of European and South African companies doubt their ability to recover fully after a disaster.
“Even more worrying, just over half of the companies surveyed suffered some sort of data loss or system downtime in the course of the last year,” comments Bradley Janse van Rensburg, solutions design manager at ContinuitySA. “Disasters continue to happen and they are typically the result of mundane rather than dramatic occurrences: hardware failure (61%), power outages (42%) and data corruption (25%). The technology to solve this problem exists but too few companies are using it effectively.”
“It’s important to understand what your company’s systems and strategies are, and the nature of the various protection methods,” Mr Janse van Rensburg says.
The most common approaches to the protection and recovery of ICT systems include high availability, replication, backup and archiving. The most important of these, because most companies rely on it as the copy of last resort, is backup.
One of the key things to get right from the start is de-duplication, which can reduce the amount of data stored by up to 30 times, and the amount of data moved by up to 95%. All of these reductions result in the use of processing power for backup being reduced by up to 80% and the amount of bandwidth needed by up to 99%.
“De-duplication changes everything,” Mr Janse van Rensburg says.
Tape backup remains surprisingly pervasive: 40% of European companies still rely on it, but 80% want to move to disk-based backup. The move to disk-based backup is being driven by several benefits, among them strong de-duplication capabilities, the viability of change-only backups and strong indexing/search functionality. Encryption makes it very safe. Restore and backup speeds are generally faster, and the medium is more durable than tape.
Hosted backup is also gaining in popularity because it offers all the benefits of disk-based backup and pay-per-use costing models. A local vault combined with offsite storage means that both backing up and restoring can be speedy; an additional benefit is the safe and quick transmission of backups offsite. Companies become highly dependent on their provider, however, so it is important to choose only the best.
Cloud-based backups are also gaining momentum. Like all cloud services, they offer pay-per-use pricing and are extremely cost-competitive thanks to economies of scale. Because they are online, they offer easy access and a high degree of self-provisioning. However, notes Mr Janse van Rensburg, clouds present large targets for attack and users do not know where their data is stored or under what legal regime.
Whatever method is chosen, Mr Janse van Rensburg says that it is very important to keep plans current.
“The research shows that almost half the companies review their backup and recovery plans (and commit more budget to them) only after disaster strikes,” he comments. “That’s too late. You need to understand your current system and data landscape well, and then agree on meaningful metrics to measure improvement. It’s important to see ICT protection improvement as continuous, and to begin with your biggest pain points. Finally, align the ICT protection plan to the bigger ICT and business strategies, and constantly build awareness and thus trust within the organisation.”
By Bradley Janse van Rensburg, Solutions Design Manager at ContinuitySA
Organisational Resilience
1 Read this first …
Quite remarkably (and arguably) a Business Impact Analysis (BIA) is the foundation of cosmic expansion but in our micro participation within the resilience galaxy I still find that the BIA remains the weakest link. Yet the very essence of developing business resilience has its roots in the BIA - so the victorious or cataclysmic measurement of your work stems from the BIA. Do it properly and your overall product has meaning and relevance. Do it as a token exercise to satisfy the basic requirements of a standard (or auditors) and you signal the demise of your product and quite likely respect amongst your peers and executives.
Not all BC practitioners fully understand the complex yet necessary aspects of a BIA - so allow me to help out. I have used this approach in both private and public sectors and it works equally well.
If you're going to refer to SANS / ISO 22301 to get a grasp of what a BIA is (section 8.2.2) then you are hamstringing yourself as it doesn't say much about what it is - just that you have to do it (and that’s pretty thin on detail). If you feel your BIA should just satisfy the requirements of SANS / ISO 22301 then you are delusional or fast tracking a tick-in-the-box compliance need ... good luck!
The BCI 2013 Good Practice Guide (GPG) does have some lovely academic (and long) reference to the BIA (PP3 page 47) but still leaves the implementer a little uncertain on approach. In addition neither ISO 22301 nor the GPG prescribe qualifications / skills needed to perform the A part (analysis) of the BIA. I don't either - well not just yet.
This article will take you through an approach and analysis examples of the BIA - but be warned, it may just contradict some of the off-the-shelf training material you might have had.
Caveat: Your consultant or practitioner should be experienced at MBCI level if the A bit of the BIA is to be of any quality. In fact, I would go even further and recommend getting an FBCI on board.
2 The tale of two bitties ….
Let’s be very clear about the BIA - there are always 2 “bits”; BIA1 is the assessment and BIA2 is the analysis (© TaGza). If you have nothing assessed you have nothing to analyse. Merely doing an assessment does not qualify as an analysis and therefore a BIA is not a BIA if it is an assessment.
Now – for those who think a BIA is only for critical operational services, be warned that you are susceptible to a quagmire of unexplored vulnerabilities.
3 Assessing vulnerabilities properly
OK - let’s give this a go! Stay with me as this article is long.
Resilient Shipping (a © fictitious company used in our training) wants to do a BIA (both BIA1 and BIA2). For the purpose of this article let’s not worry too much about the status of their BCMS - or even if they have one. Some discovery of their BC arrangements will be needed, but a BIA can be conducted without a formal BCMS in place.
There is good reason for Resilient Shipping to go this route. They want to fully understand where their vulnerabilities lie and to make an informed decision to set their future resilience investment strategy. They are keen on doing this for their organisation whose service is to provide resilient shipping services.
They don’t have a formal BCMS but they do have a bloke who is their contingency advisory executive. His name is Contin Gensy.
Not much detail in the remit but really all you need for this article.
4 The approach
Assuming the commercials were nicely settled and that you have the authority of Contin Gensy to progress the BIA you still need to establish a number of basic details about the organisation.
If Resilient Shipping had a formal BCMS then that would be simpler. You would get the basics from the company documents created out of SANS / ISO 22301 (section 4) or the GPG (PP1 page 15). A good practitioner or consultant knows exactly what to ask and look for - so we assume in this article that this particular discovery phase has been completed.
Armed now with the basics and the designated authority we can progress our BIA project.
4.1 Enterprise Risk Policy (ERP)
Why on earth are we dealing with risk at this point? Well, we’re not! But we cannot go ahead with implementing our BIA project without first understanding a bit about the organisation’s risk policies (which we refer to here as the ERP). If there isn’t an ERP you need to get one made up and agreed super fast!
AND it’s NOT the practitioner or consultant’s job to decide risk policy for the business - that is firmly in the executive’s domain.
OK - so what’s needed from the ERP?
Analysing your vulnerabilities properly!
By Eugene Taylor, FBCI MIoD(UK), TaGza (UK and RSA), www.TaGza.Biz
4.1.1 Impact Categories
Most executives have a set of impact categories which branch out across the organisation. It can be argued that all risk mechanisms within the organisation feed high level risks into one or more of these categories. Typical categories would include titles such as Financial, Service Delivery / Product Quality and Reputation but these are not exhaustive.
4.1.2 Impact Levels
Each category needs to have a range of impact levels which may be consistent across the categories or alternatively customised per category. So you could have 5 levels for finance but only 3 levels for Reputation. A typical level structure that could be used across all impact categories could be No Impact, Negligible, Low, Marginal, High for each category.
4.1.3 Impact Thresholds for Business Continuity
For each impact category we need to understand what the organisation threshold tolerance level is (appetite) for Business Continuity assessed impacts. This is the level for each category that top management have decided impacts cannot reach or go beyond as the consequences will severely impact the business. Therefore each activity assessed to reach or go beyond these threshold levels needs to be risk assessed for contingency options.
4.1.4 Risk Models
We won’t go into risk models in this article but suffice to say Resilient Shipping has decided that any assessed activity where any one category for that activity reaches or goes beyond the threshold will be considered the Maximum Tolerable Period of Disruption (MTPoD) for that activity. You will see how this works later in this article.
The table below is a good example of the detail you need before designing your BIA approach. Note it only has one category so as to keep your attention on the article but most organisations have at least three (for example; Financial, Service Delivery / Product Quality and Reputation).
Level 4 is the chosen organisational threshold for this example.
4.2 Time scales
It is important to define time scales for recovery before you start your BIA project. These scales might change over time, but you need to start with an agreed set before you conduct your assessments. I would warn practitioners going the route of having multiple complex scale configurations to suit various parts of the business - you are just making extra and unnecessary work for yourself and your organisation. Have one scale for the organisation.
4.2.1 Recovery Time objectives (RTO)
These are the recovery time periods you will assess each activity against and depending on what your organisation does this can vary significantly - even to minutes and hours.
Resilient Shipping top management wasn’t sure but they figured the following RTO time scales suited their business:
1 day, 2 days, 3 days, 4 to 7 days and >7 days.
4.2.2 Recovery Point objectives (RPO)
These are the recovery point periods against which you will assess each activity. Depending on what your organisation does this can vary significantly - from days to even weeks.
Resilient Shipping top management wasn’t sure but they figured the following RPO time scales suited their business:
0 hour, 4 hours, 8 hours, 12 hours and >12 hours.
4.3 Tools! Tools! Tools!
Be very careful NOT to just rush off and buy a product off the shelf - these can be more onerous to use than helpful.
I still use spreadsheets because in many cases the licensing costs and limited support of “BIA” applications are extortionately prohibitive.
I would strongly suggest that anyone who hasn’t conducted a BIA rather start with spreadsheets. But watch out - unless you do some VBA programming, maintenance of spreadsheets and templates is administratively heavy. Not only that, but your users might just revolt!
If you are going to use spreadsheets I would strongly recommend you sit down with your IT provider and consider some programming support, but if you do just want to go the basic cell formula route then that can work too - just be careful.
We have a “simple” (to the user) spreadsheet that, once completed, captures all the required detail on various tabs and ultimately delivers a “recovery consideration” table on one of the tabs. It does have some clever VBA behind it though. The assessments are then “auto” imported into a consolidation spreadsheet which provides the detail for analysis.
You could also just go the paper based questionnaire route and consolidate data into a spreadsheet - but that I suspect will only work for small organisations.
Give thought to the tools you intend to use and the level of consumer resistance you might create with your personnel / customers. If it’s difficult to use you will not get quality returns.
You also need a place to store the completed submissions (for audit and review purposes) and I would suggest these are stored centrally on something like a Share Point environment. That way (in addition to other advantages) you have control of access and can set some workflows for review.
Resilient Shipping has asked TaGza to use their spreadsheet templates for the first BIA - included in the cost of course! They have provided a Share Point option for all Business Continuity material.
4.4 Scope, objectives and reference
The Scope is the organisation, the objective is the vulnerability assessment and we have agreed with Contin Gensy that we will follow the guidelines of the GPG, use some of TaGza’s best practice reference material and align to current practice.
Resilient Shipping trusts TaGza to use commonly available and relevant standards.
Scope and objectives would not change all that much if Resilient Shipping had a formal BCMS in place. What would be different are those areas that have been identified for exclusion from Scope.
I would seriously warn practitioners off being browbeaten by operational executives to initially limit the BIA scope to the “production line”. That’s total rubbish and while the “production line” might very well have critical elements they do not run the business - they provide a service to the business and therefore the whole business needs equal consideration and opportunity to identify vulnerabilities.
Let’s face it - the BIA is largely about organisational vulnerability identification. I am always amazed at the vulnerabilities and associated risks uncovered outside the “production line” which have gloomy and significant consequences for the business.
Note: All too often we confuse risk assessment with vulnerability assessment. The BIA is NOT a risk assessment product - it gives the information needed to facilitate risk assessments - as we shall see later in this article.
4.5 Approach design and approval
Spend some quality time in a quiet place to design your approach and get approval from Contin Gensy. A typical approach design includes 4 phases, but you can make this as complex or as light as your organisation needs. You may need to adjust your approach dependent on how busy the organisation gets - so be prepared.
4.5.1 Approach - phase 1 (stakeholder engagement)
This phase involves stakeholder engagements at senior level to:
• explain how you will be conducting the BIA, expected resource needs and timing estimates,
• gain their support and give them an opportunity to challenge / support you,
• get their perspective and opinions of main products and services,
• explain the impact categories you will be using and how those were approved,
• explain the scales you will be using and establish if this fits all departments,
• gain insight on how best to approach their departments and who is best placed to complete the questionnaire(s),
• discuss the required awareness training and gain commitment for the training,
• give them a chance to engage at initiation level and help fine tune your approach.
4.5.2 Approach - phase 2 (communication)
Now you are ready to let the organisation know what to expect. You will have identified the areas to be covered, the people that are to be engaged and the requirements. You will also be armed with the necessary tools and templates.
It is vital that communication stems from senior management (even if you are the creator of the lyrics). The communication should have a strong message on whose authority the BIA is to be conducted, the general approach and who will be the lead for ensuring compliance.
By the time communication goes across the organisation it is vital that you have already engaged people on a one to one basis, that you have their support (even in principle) and that there are no surprises. This might also be called “customer relationship management” - for the BIA contributors (and their line management) will indeed be your customer.
4.5.3 Approach - phase 3 (discovery and assessment BIA1)
Having agreed with heads of department who will be fulfilling compliance requirements and having alerted the organisation to the approach, you now need to gather the data. This is likely to be the longest phase of the BIA.
During this phase you will:
• provide awareness and compliance awareness training for BIA contributors,
• develop a list of high-level activities performed by each function,
• assess impacts that could result from disrupting these activities - partially or fully, directly or indirectly,
• assess the maximum tolerable period of disruption for each activity (MTPoD). This is the point at which inability to restore services or activities or the inability to perform at predetermined levels will severely impact Resilient Shipping,
• assess the maximum time period after the start of a disruption by which each activity needs to be resumed,
• assess the minimum level at which each activity needs to be performed upon resumption,
• assess the length of time within which normal levels of operation need to be resumed,
• categorise the activities according to their priority for recovery and evaluate resource vulnerabilities of the key activities.
4.5.4 Approach - phase 4 (analysis BIA2)
Having received and consolidated all assessments you are ready to provide an analysis of the data you have gathered which will identify vulnerabilities and possible risks, particularly those vulnerabilities for which there is inadequate resilience or contingent arrangements.
During this phase you will:
• provide Senior Management with consolidated assessment results to confirm key activities and priorities,
• provide a dependency map to identify critical paths, single points of failure or vulnerabilities to products and services,
• evaluate key supply chain and ensure alignment with Resilient Shipping BC requirements,
• confirm the Recovery Time Objective for each activity which supports or delivers a key activity and identify issues relative to MTPoD,
• evaluate resources required for each activity to recover according to approved assessments. (For example: premises, people, technology, utilities and information),
• identify organisation-wide risks (the risks that are common to each directorate),
• propose mitigation and resilience building options to minimise risk and vulnerabilities.
4.6 BIA1 - assessment, review and sign off
Taking into consideration ERP, time scales, scope and approach let’s see what the finished product could look like.
4.6.1 Document Quality Management
There are oodles of articles on how one can manage documentation but start with the GPG (PP1 page 33) and SANS / ISO 22301 (section 7.5) to get the right flavour and direction. You could structure a spreadsheet tab to consolidate much of the document quality management information. We won’t go into that in this article but bear in mind that document quality management is mandatory for a BIA.
4.6.2 Activity detail
For Resilient Shipping we decided our approach would aim at getting organisation functions to list (at most) 10 MAIN activities – note that I did not use the word “key”, “critical”, “important”, “fundamental” and so on. The assessment will ultimately decide which of these activities require recovery priorities and then you can label them how you like. On the rare occasion that activities went past 10 we just got contributors to complete a “part 2” questionnaire (bear in mind we had already created the 10 activity BIA1 spreadsheet template). We found that of the 51 areas that returned assessments only 2 areas needed to list more than 10 MAIN activities. To make things easy we had separate tabs on our spreadsheet for each activity.
For each activity we requested the following information:
• A short description of the functional area completing the BIA1, how that related to the published org chart and what they provided to the organisation (note that we actually had this as part of the document quality information sheet and we just auto replicated this information),
• A short description of the activity and then a separate description detailing what the activity did and how that fitted into the functional area deliveries,
• An owner for the activity and a place to put some detail about the owner,
• A list of resources used by that activity compartmentalised into Roles, Premises, Internal Functional Dependencies, External Dependencies (suppliers mainly) and Technology / Plant / Services (divided into 8 key areas). We could have got more complex but we assessed these to be a good starting point from which we could improve as Resilient Shipping matured its BIA process. In the real world many of the resources are collated into the template and structured into drop downs (e.g. all the enterprise applications, sites and suppliers),
• A descriptor of each resource to explain what that resource was for and current alternative arrangements if that resource was not available (so - we are already providing an indicator of current resilience and vulnerability mitigation),
• An area for the BIA contributor to make comments (whether to address shortfalls in the template, peculiarities in their area activity - or to just have a whinge),
• The “desired” RTO and RPO for that activity. We wanted people to be realistic about what they “thought” these time scales SHOULD be (and why), IRRESPECTIVE of what might have been known of the current achievable BC arrangements.
What! No MTPoD? Not yet – just finish off gathering details of the MAIN activities for now.
4.6.3 Activity assessment (BAU)
The best way to explain the impact assessment is to consider the chart below. For this article we have chosen just the one activity (and the data is fictitious). On this tab in our spreadsheet we consolidated the titles of all activities populated by the BIA contributor (we did this work through some VBA just to save contributors from extra admin).
The qualification for the assessment of the one activity against one impact category was:
“Given the organisation descriptors for each level if we cannot get the supplies to the customer by day 3 we will face customer financial penalties and may also have to replace the consignment owing to perishable and health constraints. This situation will get progressively worse if not sorted out immediately”.
We listed the activities and all the impact categories mentioned earlier in this article. We only show one activity and one impact category in this example. We also displayed the time scales for recovery (the recovery points being static). We then used drop downs to let people choose the level of impact against the impact category that would be experienced over time. We also asked people to qualify their decision for that choice. What they didn’t know is that we had programmed the “threshold” into our calculations but they didn’t see that - well, not right away. I just added the red shading to make this obvious. (We wanted them to be honest and not swayed by any suggestion of “criticality”).
Once all activities had been assessed we then ran a clever macro which highlighted which of the activities crossed the threshold for the various impact categories and at what point in time across the time scale. This point became the MTPoD for that activity, i.e. the time at which impacts would have serious consequences for Resilient Shipping if they couldn’t get that activity up and running.
4.6.4 Activity assessment (Seasonal variations)
This tab in our spreadsheet was almost exactly the same as the BAU tab except for one difference - it had an additional drop down of predefined labels which identified specific periods in the year such as “month end” - where the impacts would be very different to those of BAU activities.
This provided contributors an opportunity to highlight seasonal variations – and in turn was a great help to fully understand the more complex vulnerabilities and recovery requirements should an impact occur during a particular cycle of an activity where priorities were likely to be very different to the BAU priorities.
4.6.5 Recovery priority considerations (vulnerabilities)
Voila! One more macro to run.
But before that we asked our BIA con-
tributors to review their data with their
line manager and make sure the as-
sessment thus far was a best endeav-
ours assessment which adequately
reflected that function’s MAIN activi-
ties and that the assessments were suit-
ably qualified. We also asked them to
review RTO and RPO against the
MTPoD and adjust those so that recov-
ery objectives were less than the
MTPoD identifier.
So you see - a little bit of discussion to
get these two in the right place. If the
assessments are good, the MTPoD is re-
alistic and the RTO / RPO should then
be less than that. (You would want to
recover the activity before it reached
a stage where Resilient Shipping could
not tolerate the consequences of the
impact - the impact threshold).
In some cases we found that the RTO was
say 2 days but the MTPoD when assessed
was >7 days. Why would you want to re-
cover that activity so early when you may
have other activities that command priori-
tisation? Would an RTO of 4 to 7 days not
have been more realistic (and allowed
the function to focus on other activities
that were more important)? Was the as-
sessment flawed or was the contributor
just keen to get everything up and running
as soon as possible? Discussion is needed
then as we don’t want to change the
contributor data - they must decide that.
We just want to understand the rationale
for our analysis (and not embarrass our
“customers”).
Now you run the macro.
You end up with a very simple chart simi-
lar to that below which sets the founda-
tion for vulnerability identification - the
analysis.
What this chart simply does is show the
activities (one in our example), the recov-
ery time scales and when the impacts of
those activities cross the threshold (red).
It furthermore gives some earlier data
captured which should be used in the
overarching analysis.
To explain the chart: I see an activity that
has a 2 day RTO, the impact crosses the
threshold on day 3 (MTPoD) and the age
of the data supporting this activity cannot
be more than 8 hours old from date of im-
pact. That looks practical.
As the BIA contributor reviews data these
may change so are really a snapshot
summary to quickly identify anomalies or
inadvertent assessment errors.
In the real world there would be a number
of other activities and some of these might
have a lower RTO with an earlier impact
threshold. I would therefore need to look
at those activities as a priority, but we
aren’t discussing recovery planning at this
stage or in this article.
What is important for the activity in the
chart is that we consider whether we can
get this activity up and running in 2 days
and what contingent resource arrange-
ments we might require to achieve that.
Some more discussions then - but that’s for
later.
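The two macro steps described in 4.6.3 to 4.6.5, sketched in Python as an added example (this is not the author's VBA or spreadsheet). The time scale, the 1 to 5 impact levels, the threshold values, the category names, the 5-day "early recovery" gap and every sample activity are assumptions constructed for illustration; the 3-day key-activity rule and the check that RTO and RPO sit below the MTPoD come from the article.

```python
from dataclasses import dataclass

# Assumed time scale (days since disruption), one column per point on the tab.
TIME_SCALE_DAYS = (1, 2, 3, 7, 14, 30)
# Assumed impact levels 1-5 and the hidden threshold per (placeholder) category.
THRESHOLD = {"financial": 4, "reputation": 4}
KEY_ACTIVITY_DAYS = 3   # article: crossing a threshold within 3 days = key activity
EARLY_GAP_DAYS = 5      # assumed: RTO this far ahead of the MTPoD merits a discussion

RTO_LATE = "RTO is not less than the MTPoD"
RPO_LATE = "RPO is not less than the MTPoD"
RTO_EARLY = "RTO is far earlier than the MTPoD: discuss priority with the contributor"
NO_CROSSING = "no threshold crossed on the time scale: confirm the ratings"


@dataclass
class Activity:
    name: str
    rto_days: float
    rpo_hours: float
    # period label ("BAU", "month end", ...) -> category -> level per time point
    ratings: dict


def mtpod_days(ratings_by_category):
    """Earliest day on which any impact category reaches its threshold."""
    crossings = []
    for category, levels in ratings_by_category.items():
        if len(levels) != len(TIME_SCALE_DAYS):
            raise ValueError(f"{category}: expected one level per time point")
        for day, level in zip(TIME_SCALE_DAYS, levels):
            if level >= THRESHOLD[category]:
                crossings.append(day)
                break  # only the first crossing matters for this category
    return min(crossings) if crossings else None


def review(activity):
    """Snapshot summary for one activity: MTPoD, key-activity flag, anomalies."""
    per_period = {p: mtpod_days(r) for p, r in activity.ratings.items()}
    crossed = [d for d in per_period.values() if d is not None]
    # The most demanding period (BAU or a seasonal cycle) sets the MTPoD.
    mtpod = min(crossed) if crossed else None
    findings = []
    if mtpod is None:
        findings.append(NO_CROSSING)
    else:
        if activity.rto_days >= mtpod:
            findings.append(RTO_LATE)
        if activity.rpo_hours / 24 >= mtpod:
            findings.append(RPO_LATE)
        if mtpod - activity.rto_days > EARLY_GAP_DAYS:
            findings.append(RTO_EARLY)
    return {
        "mtpod": mtpod,
        "per_period": per_period,
        "key_activity": mtpod is not None and mtpod <= KEY_ACTIVITY_DAYS,
        "findings": findings,
    }


# Constructed sample data (fictitious, as in the article's own chart).
SAMPLE = {
    "deliver consignment": Activity("deliver consignment", 2, 8, {
        "BAU": {"financial": [1, 2, 4, 4, 5, 5], "reputation": [1, 1, 2, 3, 4, 4]},
    }),
    "supplier invoicing": Activity("supplier invoicing", 3, 24, {
        "BAU": {"financial": [1, 1, 2, 4, 4, 5], "reputation": [1, 1, 1, 2, 3, 3]},
        "month end": {"financial": [2, 4, 5, 5, 5, 5], "reputation": [1, 2, 3, 4, 4, 5]},
    }),
    "archive reporting": Activity("archive reporting", 2, 24, {
        "BAU": {"financial": [1, 1, 1, 2, 4, 4], "reputation": [1, 1, 1, 1, 2, 3]},
    }),
}

if __name__ == "__main__":
    for activity in SAMPLE.values():
        result = review(activity)
        print(f"{activity.name}: MTPoD={result['mtpod']} days, "
              f"key={result['key_activity']}, findings={result['findings']}")
```

The findings are prompts for a conversation with the contributor and their line manager, not corrections: the contributor's ratings and objectives are left unchanged.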
4.7 Products of the BIA1
Having completed this hard work, pat
yourself on the back. You have collected
sufficient data to perform a business
impact analysis (BIA2).
You have also inadvertently created a
process to:
• identify activities that support the
provision of products and services;
• assess the impacts over time of not
performing these activities;
• set prioritised timeframes for resum-
ing these activities at a specified
minimum acceptable level, whilst
taking into consideration the time
within which the impacts of not re-
suming activities would become un-
acceptable; and
• identify dependencies and support-
ing resources for these activities, in-
cluding suppliers, outsource partners
and other relevant interested parties.
Have a look at section 8.2.2 of SANS / ISO
22301 - job done then! Or is it?
4.8 BIA2 - analysis, review and sign off
We now have Contin Gensy baying at the
door for an analysis of impact vulnerabili-
ties (he’s got quite good with terminology
now).
So we write him a report and bearing in
mind he is a busy man we don’t want to
over-egg the detail too much - we can
drill down to that later on (as we now
have a vast collection of raw data).
4.8.1 Confirm criteria
It is very important in the Analysis
to confirm the criteria used in the foun-
dation of the BIA data gathering,
particularly those related to Resilient
Shipping’s impact categories and to
explain how the time scales and
thresholds were approved. If you
made these up you might get chas-
tised for guessing what the organisa-
tion wanted - that’s not your job!
4.8.2 Summarise the approach used
Give Contin Gensy an overview of the
approach (to remind him what was
agreed) and who was involved. Give
a clear perspective of which areas
submitted a response. You might also
want to note why certain areas were
excluded as he is likely to pick those
up.
4.8.3 Summarise the expected outcomes
Contin Gensy wanted a vulnerability
assessment (and realises now that this
BIA is the product to provide that).
Take him for a gentle trot on what was
gathered (high level) and how these
were assessed and reviewed. Explain
how the outcomes gave intelligence
to the Analysis. In particular identify the
key resource dependencies and how
the analysis considered resource vul-
nerabilities (people, things to work with
and premises).
4.8.4 Report on assessments
In this section you will identify the
scope by listing the directorates, how
many BIA1’s they completed, how
many activities were assessed and
who owns the top end of the BIA1’s.
Total these figures as well.
For Resilient Shipping we conducted
51 assessments (294 MAIN activities)
covering all directorates. We broke
that up per directorate in our report.
Contin Gensy had also agreed that in
order to simplify things we would
categorise all activities which crossed any
impact threshold within the first 3 days
as a key activity (I forgot to tell you this
- VERY IMPORTANT TO HAVE A MECHANISM
TO IDENTIFY WHAT IS CONSIDERED
A KEY ACTIVITY).
In our report we reminded him under
this section and summarised the detail
(15 activities crossed the threshold on
day 1, 52 on day 2 and 45 on day 3 - a
total of 112 out of 294).
We then identified which resources the
analysis chose to focus on (this we only
got advised about late in the BIA process
when Contin Gensy realised the value).
During the BIA data gathering exercise it
was clear that Resilient Shipping had mas-
sive resilience in premises options and that
their technology was relatively resilient
but there was an obvious weakness in
succession planning for those roles
that supported the key activities. We
mentioned this in our report.
4.8.5 Report on recovery capability
In this section we reported on the capability
of Resilient Shipping to support contingent
arrangements. During the BIA1 phase
we had loads of discussions with facilities,
operations and HR (to name a few). During
that period we examined outsourced
contracts (suppliers), disaster recovery
capabilities for key technology (identified in
the BIA1), alternative working options, key
personnel knowledge transfer, skills,
qualifications, development, assessments and
succession planning.
Across the scope of Resilient Shipping we
found that the technology suite was pretty
robust and would support 90% of the key
activities’ desired RTO’s. There were also
enough geographically spread premises
with state of the art remote options to sup-
port most of the key alternate premises
needs.
What we did find was that knowledge was
not transferred; that people were not that
well developed in centralising vital infor-
mation and that the attrition rate was ab-
normal. More so people were at great risk
given the nature of their roles as well as
current volatile and competitive markets.
We summarised the key personnel, their
qualifications, skills and experience scores
and tried to assess who could replace
these people. The number of single points
of failure was massively significant. We re-
ported this.
Although there were a number of activities
whose RTO’s could not be achieved
against what Resilient Shipping could pro-
vide, we felt those were particular to that
section or department and not something
the whole business was exposed to. We
advised BIA contributors and line management
in those areas to conduct a risk workshop
itemising where they felt vulnerable
(given the details in the BIA1) and seek
mitigation solutions at Directorate level.
4.8.6 Analyse the organisation
In the analysis, given the focus on re-
covery capability, we chose to high-
light that Resilient Shipping was not
resilient at all when considering the im-
pacts and risk which could arise from
unavailability of key personnel. We
wanted to suggest Contin Gensy
changed the company name to
Vulnerable Shipping - but of course
that would have been professional sui-
cide. Instead we gave him valuable
detail to contemplate, breaking these
up into areas he could explore (vulner-
abilities and gaps, risk considerations,
recommended improvements and
planning recommendations).
At this point Contin Gensy was smiling
- he could see the BIA had been thor-
ough, he could see his whole business
had been involved, he could see a
huge change in the way people ap-
proached vulnerabilities, he could see
the really good bits but with an under-
standing that some areas needed
work. He also had a very clear per-
spective of the extent of the risk the
company faced with knowledge re-
tention and that the HR side of things
hadn’t given his people a good
enough deal to keep them.
He could also see some value-add
benefits - he now had a system he
could regularly use, he now had his
people talking to each other, there
was more transparency as he realised
the BIA process was not punitive but of
significant value.
Contin Gensy was under the impres-
sion his ships were the most vulnerable
and was pleasantly surprised to know
that it was the loyalty of his people
and their extraordinary skills that kept
his ships resilient (yes we assessed and
analysed those as well). He knows he
now has to embark on an urgent cam-
paign to get his people resilient and for
that we recommended a good con-
sulting company (TaGza HR - I just
made that up).
He got this information in the summary,
which provided the detail to take forward
to his executives for discussion - and to
agree a strategy.
Note: You may want to look at ISO 22301
(section 8.3) and the GPG (PP4 page 62)
to get a view on how the strategy can be
progressed using a lot of what you have
gathered during the BIA process.
4.9 Now what?
Phew! If you think that was hard work - try
writing it!
If we were just doing a BIA for Resilient
Shipping our job would be done. We
would encourage Resilient Shipping to get
us back on an annual basis to ensure the
process doesn’t become diluted, that we
look at improvements and actions from
the previous BIA and that we shift the
focus of the next BIA to vary vulnerability
analysis.
If, however, we were doing the BIA and
Risk assessments as part of a BCMS we
would now set the strategy to mitigate vul-
nerabilities and to plan how we are to re-
cover the key activities as prioritised. This
is also a lot of work but most of the com-
plex detail is now available for those
processes from the BIA work.
5 Other bits …
It is vitally important that one considers a
BIA and vulnerability assessment as part of
the overall resilience development pro-
gramme for an organisation. For instance,
the Information Security suite (ISO 27001
family) requires a BIA to be completed for
IT systems but that has a slightly different
exposure - focussing more on Confiden-
tiality, Integrity and Availability.
Even so it would be silly to just conduct a
BIA and leave it at that. If you’re not going
to use the value from the BIA then all well
and good - but why then do it in the first
place? From the BIA comes a decent
platform for setting your resilience and
recovery strategy framework as well as
driving the focus on business continuity re-
covery plans. Even more importantly there
is a huge interface into your response
team structure as they are now better in-
formed about the organisation’s key ac-
tivities - rather than all clambering to get
their piece of territory recovered. What
should also happen is that the scope and
context of the organisation starts to be
shaped on real data and not just from
those who shout the loudest.
I stand by my statement that the BIA is the
foundation for all the resilience disciplines
to stand united, but it does not work on its
own so do engage the “other bits” of
resilience when designing your BIA ap-
proach.
6 Summing up!
If you are still awake at this stage I must
reveal something.
Although this is a pretty good approach I
have thrown in a few references which I
have not explained, I have also made a
weenty assumption that you are all well
versed in resilience disciplines, particularly
Business Continuity Management. There
are a whole heap of training requirements
intimated in this article which you will
need to undergo to do a proper BIA.
I have, in these lyrics, also fast tracked
some processes and I have made up
quite a lot of detail, so don’t take this arti-
cle verbatim to deploy a BIA project. It’s
simply a guide to an approach you can
adopt but you still need to be very skilled
to conduct a BIA.
I would strongly suggest you contact Con-
tinuitySA in the first instance to understand
the modules that are needed to address
and interface with a BIA - and do get an
experienced person to help and coach
you.
Good luck!
Should you have any enquiries as to how you can make a difference or would like to be included in
regular communication, please contact:
Louise Theunissen (MBCI)(PMP), BCI SADC Chapter Board Member
Mobile: +27 82 928 7158 or Mail to: bciafricaevents@gmail.com
BCI SADC Chapter Forums
Founded in 1986, Master Drilling provides specialist drilling
services to the mining industry, from the exploration phase
right through to production. Master Drilling listed on the
Johannesburg Stock Exchange in 2012, and its services
include the design, manufacturing and maintenance of drilling
equipment, along with associated training – all of which can
be customised to the needs of each client and prevailing site
conditions.
With operations in South Africa, West Africa and Latin America,
Master Drilling is reliant on a highly available IT infrastructure to en-
able effective collaboration and access to company data.
“There’s always somebody working so we have to keep down-
time to an absolute minimum,” says IT manager Steven Naudé.
“Much of the business’s value is contained in its intellectual prop-
erty, which is largely held on the network, so again we need reli-
able back-up and storage environments.”
Master Drilling maintains its own small on-premise data centre.
With its existing servers nearing the end of their warranty periods,
Naudé wanted to upgrade the infrastructure. He called in the
team from Triple4, who had been providing services related to vir-
tualisation for some six years.
“The key consideration for Master Drilling was an infrastructure that
was highly available. With that in mind, we recommended they
opt for Fujitsu servers and storage area network,” says Scott Orton,
Triple4’s sales director. Triple4 helped design the infrastructure to
make it more resilient and scalable for future needs.
Triple4 managed the migration of both the physical and virtual
environments, and continues to provide infrastructure monitoring
and support to Master Drilling.
In a parallel project, Triple4 helped Master Drilling create a wireless
environment at its Fochville head office that was easier to man-
age and offered significant benefits to users. In this instance,
Triple4 recommended the use of a Juniper Enterprise Wireless so-
lution. Because all the wireless access points are managed by a
central controller, it is no longer necessary to manage each ac-
cess point individually. Users, who previously had to log on to each
access point with a separate password as they moved around
the offices, now only have to log on once. The solution is also very
reliable and stable.
“Both the infrastructure solutions recommended by Triple4 have
more than lived up to expectations – it’s really a case of ‘turn it on
and forget about it’. Because Triple4 does the research so well,
their recommendation is really worth something,” says Naudé.
“I must also say that their support is excellent. We usually only know
about a problem on our infrastructure when they contact us to say
it’s been fixed, and if we log a call, the turnaround is impressive.”
Triple4 is currently working on a project to help Master Drilling
design and specify a global infrastructure for its enterprise
resource planning software system.
Master Drilling optimises infrastructure
with help from Triple4
Triple4 has created a highly available infrastructure and stable, user-friendly wireless
environment for the global provider of specialist drilling solutions for the mining industry.
For more information contact Triple4
or visit www.triple4.co.za
“Cloud offers enterprises the benefits of
reduced capital expenditure and staff
requirements combined with scalability
and quick deployment—something
that’s hugely important in today’s fast-
moving business environment,” says
Shaheen Kalla, Managed Services
Manager at ContinuitySA. “Cloud serv-
ices coupled with service-level agree-
ments and fixed penalties make it a
viable alternative to internal hosting.”
However, there are disadvantages to
cloud that also need consideration,
among them reliance on the provider
for troubleshooting and security con-
cerns about sensitive data. It must also
be borne in mind that cloud providers
are natural targets for hackers.
In moving to the cloud model, Mr Kalla
argued that enterprises should consider
a three-phased approach. The first
stage is co-location or rack hosting, a
model in which hardware moves to an
offsite data centre.
Drivers for such a move would include
the size of the current environment, and
its requirements for power and other
peripheral services such as cooling and
humidity control.
If the organisation plans to expand, co-
location would possibly be indicated,
especially if, for example, one is reach-
ing the limit of the power available on
the site.
The next stage would be managed
services, with the hardware continuing
to be owned but the services delivered
by a third party. This model is particularly
well suited to Web-based “thin” appli-
cations, and suits companies that want
to benefit from the maximum amount
of depreciation from recently pur-
chased assets. Service-level agree-
ments govern this type of environment.
The final stage is the move to the cloud,
a move, Mr Kalla says, that requires a
mature and long-term outlook. “It’s a
totally hands-off environment which
might not please technical staff who
typically like control. Moving to this
model warrants an in-depth assessment
of the service provider and its levels of
security and responsiveness.”
Key things to look out for include close
reading of the fine print to understand
exactly what the service-level agree-
ment covers and does not cover, and
how and when penalties kick in. “It’s
also vital to consider the implications of
where the service provider’s data cen-
tres are located,” Mr Kalla says. “If lo-
cated outside of the country, this will
affect the latency and so the user ex-
perience on certain applications.
Location will also affect what you are
paying for the link to the centre, and will
in turn affect the costs of migrating to
cloud.”
Three steps to
enterprise cloud
migration
Cloud computing offers significant benefits to enterprises, and many are starting
to factor it into their long-term planning. First, however, they need to understand
the pros and cons of cloud – and how to make the move.
Flu season means it is time to dust off
your pandemic policy
This latest outbreak of bird flu has had
a very serious impact on China’s
poultry sector, with losses of more
than $1.6 billion reported already.
Closer to home in South Africa, bird flu is
crippling exports of ostrich products.
Reportedly, 50% of ostrich farmers have had
to close their businesses, resulting in
significant job losses. Estimated losses for the
sector, according to some, are running at
R100 million per month.
Over the years, the flu virus has demon-
strated its ability to mutate into more viru-
lent strains which can spread quickly.
Recently, various strains of bird flu, the
SARS virus, swine flu and Hong Kong flu
have spread rapidly around the world.
While the Spanish flu pandemic of 1918
was the big killer – 50 to 100 million people
are thought to have died around the
world – other pandemics have had severe
impacts on productivity. The Center for
Disease Control in the United States esti-
mated that a “medium-level” avian flu
pandemic could have an economic
impact of up to $166.5 billion, with seasonal
flu responsible for some $10 billion in lost
productivity and direct medical
expenses – and these are 2006 estimates.
“The latest outbreak of bird flu in China
and in South Africa should act as a timely
reminder that we are now entering the flu
and cold season,” says David Bollaert, a
Senior BCM Advisor at ContinuitySA,
Africa’s leading provider of business con-
tinuity solutions. “Whether it’s just a cold or
the latest flu strain, these diseases can
spread very quickly in a company and
cause many hours of lost productivity as
people spend time at home, visiting doc-
tors or performing their duties at lower pro-
ductivity level.”
Because a pandemic can affect a busi-
ness’ ability to function, its business conti-
nuity plan should include a pandemic
policy that lays out the processes for min-
imising risk. Among these processes are in-
fection prevention and control measures
aimed at halting or at least minimising the
spread of infectious diseases.
“Companies need to guard against large
numbers of employees becoming af-
fected—that’s when the business’s capac-
ity to operate becomes compromised,”
says Mr Bollaert. “Before the flu season
starts, I advise all companies to make sure
their pandemic policy and response strat-
egy is adequate, infection prevention
measures are in place and that, most im-
portantly, employees are informed and
empowered.”
Prevention is always better than cure; this
is a good time for the company to provide
refresher information on how to improve
health and basic hygiene. Eating healthier
food, exercising and getting enough
sleep will all help boost immune systems
and lower infection rates – and getting a
flu vaccination early is also to be recom-
mended.
It is also worth reminding employees how
effective basic hygiene can be in reduc-
ing cross-infection rates. Thorough, fre-
quent hand-washing, covering one’s
mouth when sneezing and wiping down
surfaces in high-contact areas like hall-
ways and washrooms with anti-bacterial
cleaners can inhibit the spread of infec-
tions dramatically. Local research has
shown that the use of antibacterial prod-
ucts alone can reduce the incidence of
respiratory ailments by 85.8% in adults.
“Pandemics are a business issue: use your
pandemic policy wisely to make sure your
organisation stays safe and is able to
continue delivering its critical services”
concludes Mr Bollaert.
The latest figure brings the total number of human deaths to fourteen in China’s
unfolding bird flu epidemic. Infection cases that have been recorded appear to
originate from Shanghai and show that this is a new strain, H7N9, which was not
previously known to infect humans. With 63 reported cases of human infection and
fourteen deaths, the mortality rate is high.
David Bollaert
Does your business have
operational resilience?
Published first in Business Brief:
There’s much in business that’s uncertain,
but you can bank on one thing: you will
go out of business if your operations can-
not respond to unexpected change. That
change could be anything from altered
market conditions to unexpected catas-
trophe.
It’s also worth stating the obvious here: the
world is now a very small place, thanks to
our connected business models. In practi-
cal terms, changes at the other side of the
world impact us here in South Africa when
once they did not.
Two examples will make that point. The
Japanese earthquakes and consequent
tsunamis in 2011 devastated the country,
but they also affected electronic supply
chains because factories manufacturing
components were destroyed. And then
consider Kenya’s billions in wasted flowers
and vegetables when the ash cloud
from Iceland’s Eyjafjallajokull volcano
grounded flights to Europe for more than
a week in 2010.
By contrast, the potential disruptions that
the 2010 World Cup could have caused
never materialised, thanks to good ad-
vance planning. Companies need to de-
velop organisational resilience to ensure
agility in time of expected or unexpected
change, from tsunamis to fluctuating ex-
change rates. Operational resilience cov-
ers a number of elements, but where do
you start to ensure that your business
keeps functioning during unforeseen cir-
cumstances?
One important component of operational
resilience is business continuity. It plays an
important role in increasing an organisation’s
capability to continue delivery of
products and/or services at acceptable
predefined levels and provide an effec-
tive response that safeguards the interest
of stakeholders following a disruptive inci-
dent.
The good news is that the International
Standards Organisation (ISO) has recently
introduced a set of standards for business
continuity management. The new ISO
22301 standard specifies requirements for
setting up and managing an effective
Business Continuity Management System
(BCMS). In other words, the new standard
takes business continuity beyond risk man-
agement by providing processes for man-
aging its implementation over the long
term, and the measurement of its matu-
rity.
Usefully, the ISO has also produced
guidelines in the companion standard,
ISO 22313.
Business continuity begins with
gaining a detailed understanding of your
organisation, right down to the maximum
tolerable period of disruption for each
product or service offered.
Thereafter, it’s possible to define a business
continuity strategy based on how to
bridge the gap between the company’s
business recovery requirements and its
current recovery capabilities. It’s then a
question of implementing, managing
(and monitoring) the strategy over
time: business continuity management, in
fact.
This concept of managing the whole busi-
ness continuity process is vital, particularly
because it includes testing to see how ef-
fective the solution is. For this reason, com-
panies will increasingly find that auditors
are no longer satisfied with business conti-
nuity plans but are demanding proof that
the solution has been tested and actions
to address areas of weakness have been
identified.
As the organisation’s implementation of
business continuity progresses, so will its re-
silience.
Constant change is the hallmark of business today – and business success
depends on developing agile operations that can respond to change.
By Louise Theunissen, Advisory Services at ContinuitySA
The Categories:
There are nine judged categories and one public vote category.
Judged Categories:
• Business Continuity Consultant of the Year
• Business Continuity Manager of the Year
• Public Sector Business Continuity Manager of the Year
• Most Effective Recovery of the Year
• BCM Newcomer of the Year
• Business Continuity Team of the Year
• Business Continuity Provider of the Year (BCM Service)
• Business Continuity Provider of the Year (BCM Product)
• Business Continuity Innovation of the Year (Product/Service)
Public Vote Category (by nomination only)
• Industry Personality of the Year
Application process
Entries for the judged categories must include:
• Written submission statement of between 1500 and 2500
words in support of the application including information
mentioned in the criteria.
• An abbreviated summary of the statement – no more than
100 words
• Full contact details including name, organisation/employer
name, address, phone number, email
• Written confirmation that all permissions relating to the release
of data contained within the application have been granted
Nominations for the public vote category of Industry Personality
should include a 100-word summary of why that person is being
nominated. The 5 most popular nominations will be collated and
put to a public vote.
Please submit your completed application to
Lucy McDonnell.
Please click here for a list
of the countries included.
BCI Africa Awards!
The Awards Ceremony will take place on the 22nd August 2013. The closing date for entries is the 21st June 2013.
All winners from the BCI Africa Awards will automatically be entered into the BCI Global Awards 2013 that take place
in November during the BCM World Conference and Exhibition 2013, 6th to 7th November 2013 in London.
The Awards recognise the outstanding
contribution of business continuity
professionals and organisations living
in or operating in Africa.
For detailed descriptions of
each of these categories
click here
The two-day course, the IT Service Continuity Training is
targeted at IT and Business Continuity Management (BCM) pro-
fessionals responsible for the continued uptime of IT services
within their organisations.
Key elements of the IT Service Continuity Course include:
• The link between BCM and IT Service Continuity Manage-
ment;
• The evolution of IT Service Continuity;
• The latest concepts and trends in IT Service Continuity;
• Conducting an Infrastructure Impact Analysis;
• Formulating and implementing cost effective IT Service Con-
tinuity strategies to meet business requirements;
• Security management in IT Service Continuity;
• Testing the IT Service Continuity framework; and
• A Continuity-as-a-Service case study.
Attendees will not simply be bombarded with theory, but will
be taught skills proven in the real world by active BCM practi-
tioners with MBCI (Member of the Business Continuity Institute)
certifications.
The course is based on the Good Practice Guidelines of the BCI
and complies with the new ISO22301 standard to ensure it is on
par with international best practices.
The 5 day Complete Continuity® Practitioners
Programme is designed to equip business continuity prac-
titioners within any organisation in all aspects of implementing,
managing and maintaining an effective business continuity
framework in their respective environments.
The course is based on the Business Continuity Institute’s Good
Practice guidelines and ISO22301 international standard.
Key elements of the 5 day Complete Continuity® Practitioners
Programme include:
• Introduction and Origins of BCM
• Trends and Observations
• Standards and Compliance
• Elements of the BCM Lifecycle
• BCM policy and Programme Management
• Embedding BCM in the Organisation’s culture
• Understanding the organisation
- Business Impact Analysis
- Continuity Requirements Analysis
- Risk Assessment
• Determining BC Strategy
- Selecting strategies and tactical responses
- Consolidating Resource levels
• Developing and Implementing a BC response
• Exercising, Maintaining and Reviewing
• Measuring BC Maturity
ContinuitySA
Training Dates
Africa’s largest Business Continuity service provider, ContinuitySA,
has enhanced its Complete Continuity Training Academy
For more information on these courses, contact: training@continuitysa.co.za
or call +27 (0)11 554 8000.
Dates for the IT Service Continuity course are
as follows:
IT Service Continuity Programme
(2 Day Training)
13th & 14th August – Botswana
4th & 5th September – Johannesburg
Dates for the 5 day programme are as follows:
Complete Continuity Practitioner
Programme (5 Day Training)
22nd to 26th July – Johannesburg
16th to 20th September – Johannesburg
14th to 18th September – Cape Town
20th October to 1st November – Botswana
18th – 22nd November – Johannesburg

ContinuitySA Client Chronicles Q2 2013 Newsletter

  • 1. It’s all about learning valuable lessons through exercise practices; you have to ask yourself does your organisation have an approach to resilience in place. The article by Eugene Taylor goes into depth on analysing your vulnerabilities, which includes a guide to an approach you can adopt, ensuring that you are skilled to conduct a business impact assessment (BIA). In turn Louise’s article on does your business have operational resilience, reconfirms that companies need to be agile and be able to respond to constant change. Both make excellent reading. And next, have you nominated your Business Continuity Consultant and or Manager of the Year? ContinuitySA wants to encourage all business continuity professionals to participate in the upcoming BCI Africa Awards. This in- augural event will recognise the outstanding contribution of business continuity professionals and organisations living in or operating in Africa, so be sure to submit your nominations, as entries close soon. ContinuitySA has a host of upcoming training for the remainder of the year, the very next being our five-day Com- plete Continuity Practitioner programme, which is designed to equip business continuity practitioners within any organisation in all aspects of implementing, managing and maintaining an effective business continuity framework in their respective environments. The course takes place from the 22nd to 26th July 2013 and you can contact our training department directly on training@continuitysa.co.za or refer to our website under upcoming events. Our course material is all based on the latest BCI Good Practice Guidelines and the latest ISO 22301 standards. Triple4 shares a successful case study on how they helped optimise the Master Drilling infrastructure with a stable and user-friendly wireless environment. 
Our next issue will cover the upcoming ITWeb BC Conference taking place later this year, of which ContinuitySA is the diamond sponsor, so be sure to watch the ITWeb website for more information on their latest events. We are continually looking for articles, case studies and white papers to include in future issues of our newsletter, so for any new submissions please feel free to email them to me. Cindy Bodenstein Q2 2013 Keeping ContinuitySA clients informed 1 Over the last couple of months the focus on business continuity has shifted to resilience. Resilience can be defined as the ability to recover from or adjust easily to misfortune or change. In this Issue 2 South African companies must take advantage of new international standard for busi- ness continuity management 3 Taking the sensi- ble approach to ICT protection and recovery 4 Organisational Resilience: Analysing your vulnerabilities properly! 11 Master Drilling optimises infra- structure with help from Triple4 12 Three steps to enterprise cloud migration 13 Flu season means it is time to dust off your pandemic policy 14 Does your business have operational resilience? 15 BCI Africa Awards! 16 Training Dates Editor’s Note All Links are now Interactive! It’s all about Resilience
  • 2. 2 South African companies must take advantage of new international standard for business continuity management The International Standards Organisation (ISO) recently launched its first standard for Business Continuity Management, ISO22301. “The business world is increasingly digital with systemic dependencies and a company’s effectiveness depends on its systems’ resilience,” says Eugene Taylor, managing director of TaGza and the UK’s Institute of Directors (IoD) constituent representative on the British Standards Institute TC223 committee. “Adherence to a reputable standard for business continuity like ISO22301 indicates that a company is serious about its organisational resilience and is thus a suitable partner. Think of it as a ticket to the dance – and a strategy for remaining in business.” M r Taylor was addressing a brief- ing on the new ISO22301 stan- dard, hosted by ContinuitySA as part of Business Continuity Awareness Week. Although South Africa has fully adopted the new standard, ob- taining certification here is problematic at present as the South African National Ac- creditation Service (SANAS) has not yet decided whether it is viable to accredit local companies who would in turn be able to provide certification to local or- ganisations. Alternatively, this certification can be done via internationally accred- ited certification companies through the International Accredi- tation Forum (IAF) who are party to the Multi Lateral Agree- ment (MLA) currently in place, but this ap- proach is likely to be expensive and geographically problematic. While this issue is being resolved, South African com- panies should take a positive step towards organisational resilience and begin to align themselves with the new standard in preparation for Certification. “Business continuity has been incorpo- rated into the principles of King III and so is already on the corporate agenda,” Mr Taylor notes. 
“As most of King II was incor- porated into the new Companies Act (2008), I would not be surprised if we found the King III recommendations making its way into Company legislation in due course.” Three valuable practical resources for companies contemplating this move are Hilary Estall’s Business Continuity manage- ment systems: Implementation and certifi- cation to ISO 22301, The BCI’s Good Practice Guide (GPG) and Business Conti- nuity for dummies. Mr Taylor said that before considering the upgrading of an existing business continu- ity management system or implementing one from scratch, they should follow four steps. “First make a strong business case,” he says. “It’s also vital to obtain an enthusias- tic sponsor in top management and a suit- ably qualified implementer.” The next step is to obtain the buy-in of the executive team and board of directors, which will mean identifying the benefits and costs of the chosen approach over the entire life cycle. Allied to this is the process of putting together a comprehen- sive, realistic budget that covers not just the implementation but also delivery. “Don’t restrict the budget discussion to basic resourcing of personnel money, make sure you provide for technological support resources you will need to make business continuity management work,” Mr Taylor adds. The final step is the important task of build- ing relationships. At one level, this means obtaining buy-in from the enterprise as broadly as possible but also building relationships with those who do not initially support the move. “There are always the doubters but if you work closely with them, they can be brought round to seeing the real benefits,” Mr Taylor observes. 
“I’ve had instances in which those who were most hostile at the beginning of the process have become business continuity champions.” Once these four steps have been com- pleted, the company will be prepared to embark on its programme to comply with ISO22301 – and thus demonstrate its relia- bility as a business partner or service provider across its entire value chain.
  • 3. 3 Taking the sensible approach to ICT protection and recovery Data volumes are growing exponentially as the world digitises, and busi- nessescontinue to unlock the value held intheir information. And yet there is ample evidence that companies are not taking adequate measures to protect their data. According to research conducted by Vanson Bourne for EMC, 74% of European and South African companies doubt their ability to recover fully after a disaster. “Even more worrying, just over half of the companies surveyed suffered some sort of data loss or system downtime in the course of the last year,” comments Bradley Janse van Rensburg, solutions de- sign manager at ContinuitySA. “Disasters continue to happen and they are typi- cally the result of mundane rather than dramatic occurrences: hardware failure (61%), power outages (42%) and data corruption (25%). The technology to solve this problem exists but too few companies are using it effectively.” “It’s important to understand what your company’s systems and strategies are, and the nature of the various protection methods,” Mr Janse van Rensburg says. The most common approaches to the protection and recovery of ICT systems in- clude high availability, replication, backup and archiving. The most impor- tant of these, because most companies rely on it as the copy of last resort, is backup. One of the key things to get right from the start is de-duplication, which can reduce the amount of data stored by up 30 times, and the amount of data moved by up to 95%. All of these reductions result in the use of processing power for backup being reduced by up to 80% and the amount of bandwidth needed by up to 99%. “De-duplication changes everything,” Mr Janse van Rensburg says. Tape backup remains surprisingly perva- sive: 40% of European companies still rely on it, but 80% want to move to disk-based backup. 
The move to disk-based backup is being driven by several benefits, among them strong de-duplication capabilities, the viability of change-only backups and strong indexing/ search functionality. En- cryption makes it very safe. Restore and backup speeds are generally faster, and the medium is more durable than tape. Hosted backup is also gaining in popular- ity because it offers all the benefits of disk- based backup and pay-per-use costing models. A local vault combined with off- site storage means that both backing up and restoring can be speedy; an addi- tional benefit is the safe and quick trans- mission of backups offsite. Companies become highly dependent on their provider, however, so it is important to choose only the best. Cloud-based backups are also gaining momentum. Like all cloud services, they offer pay-per-use pricing and are ex- tremely cost-competitive thanks to economies of scale. Because they are on- line, they offer easy access and a high de- gree of self-provisioning. However, notes Mr Janse van Rensburg, clouds present large targets for attack and users do not know where their data is stored or under what legal regime. Whatever method is chosen, Mr Janse van Rensburg says that it is very important to keep plans current. “The research shows that almost half the companies review their backup and re- covery plans (and commit more budget to them) only after disaster strikes,” he comments. “That’s too late. You need to understand your current system and data landscape well, and then agree on meaningful metrics to measure improve- ment. It’s important to see ICT protection improvement as continuous, and to begin with your biggest pain points. Finally, align the ICT protection plan to the bigger ICT and business strategies, and constantly build awareness and thus trust within the organisation.” By Bradley Janse van Rensburg, Solutions Design Manager at ContinuitySA
  • 4. Organisational Resilience 4 1 Read this first … Quite remarkably (and arguably) a Busi- ness Impact Analysis (BIA) is the foundation of cosmic expansion but in our micro par- ticipation within the resilience galaxy I still find that the BIA remains the weakest link. Yet the very essence of developing busi- ness resilience has its roots in the BIA - so the victorious or cataclysmic measurement of your work stems from the BIA. Do it properly and your overall product has meaning and relevance. Do it as a token exercise to sat- isfy the basic requirements of a standard (or auditors) and you signal the demise of your product and quite likely respect amongst your peers and executives. Not all BC practioners fully understand the complex yet necessary aspects of a BIA - so allow me to help out. I have used this approach in both private and public sec- tors and it works equally well. If you're going to refer to SANS/ ISO 22301 to get a grasp of what a BIA is (section 8.2.2) then you are hamstringing yourself as it doesn't say much about what it is - just that you have to do it (and that’s pretty thin on detail). If you feel your BIA should just satisfy the requirements of SANS / ISO 22301 then you are delusional or fast track- ing a tick-in-the-box compliance need ... good luck! The BCI 2013 Good Practice Guide (GPG) does have some lovely academic (and long) reference to the BIA (PP3 page 47) but still leaves the implementer a little un- certain on approach. In addition neither ISO 22301 nor the GPG prescribe qualifica- tions / skills needed to perform the A part (analysis) of the BIA. I don't either - well not just yet. This article will take you through an ap- proach and analysis examples of the BIA - but be warned, it may just contradict some of the off-the-shelf training material you might have had. Caveat: Your consultant or practioner should be experienced at MBCI level if the A bit of the BIA is to be of any quality. 
In fact, I would go even further and recommend getting an FBCI on board.

2 The tale of two bitties ….

Let’s be very clear about the BIA - there are always 2 “bits”; BIA1 is the assessment and BIA2 is the analysis (© TaGza). If you have nothing assessed you have nothing to analyse. Merely doing an assessment does not qualify as an analysis and therefore a BIA is not a BIA if it is an assessment.

Now – for those who think a BIA is only for critical operational services, be warned that you are susceptible to a quagmire of unexplored vulnerabilities.

3 Assessing vulnerabilities properly

OK - let’s give this a go! Stay with me as this article is long.

Resilient Shipping (a © fictitious company used in our training) wants to do a BIA (both BIA1 and BIA2). For the purpose of this article let’s not worry too much about the status of their BCMS - or even if they have one. Some discovery of their BC arrangements will be needed, but a BIA can be conducted without a formal BCMS in place.

There is good reason for Resilient Shipping to go this route. They want to fully understand where their vulnerabilities lie and to make an informed decision to set their future resilience investment strategy. They are keen on doing this for their organisation whose service is to provide resilient shipping services. They don’t have a formal BCMS but they do have a bloke who is their contingency advisory executive. His name is Contin Gensy.

Not much detail in the remit but really all you need for this article.

4 The approach

Assuming the commercials were nicely settled and that you have the authority of Contin Gensy to progress the BIA you still need to establish a number of basic details about the organisation. If Resilient Shipping had a formal BCMS then that would be simpler. You would get the basics from the company documents created out of SANS / ISO 22301 (section 4) or the GPG (PP1 page 15).
A good practitioner or consultant knows exactly what to ask and look for - so we assume in this article that this particular discovery phase has been completed. Armed now with the basics and the designated authority we can progress our BIA project.

4.1 Enterprise Risk Policy (ERP)

Why on earth are we dealing with risk at this point? Well, we’re not! But we cannot go ahead with implementing our BIA project without first understanding a bit about the organisation’s risk policies (which we refer to here as the ERP). If there isn’t an ERP you need to get one made up and agreed super fast! AND it’s NOT the practitioner or consultant’s job to decide risk policy for the business - that is firmly in the executive’s domain.

OK - so what’s needed from the ERP?

Analysing your vulnerabilities properly!
By Eugene Taylor FBCI MIoD(UK), TaGza (UK and RSA), www.TaGza.Biz
4.1.1 Impact Categories

Most executives have a set of impact categories which branch out across the organisation. It can be argued that all risk mechanisms within the organisation feed high level risks into one or more of these categories. Typical categories would include titles such as Financial, Service Delivery / Product Quality and Reputation but these are not exhaustive.

4.1.2 Impact Levels

Each category needs to have a range of impact levels which may be consistent across the categories or alternatively customised per category. So you could have 5 levels for finance but only 3 levels for Reputation. A typical level structure that could be used across all impact categories could be No Impact, Negligible, Low, Marginal, High for each category.

4.1.3 Impact Thresholds for Business Continuity

For each impact category we need to understand what the organisation threshold tolerance level is (appetite) for Business Continuity assessed impacts. This is the level for each category that top management have decided impacts cannot reach or go beyond as the consequences will severely impact the business. Therefore each activity assessed to reach or go beyond these threshold levels needs to be risk assessed for contingency options.

4.1.4 Risk Models

We won’t go into risk models in this article but suffice to say Resilient Shipping has decided that any assessed activity where any one category for that activity reaches or goes beyond the threshold will be considered the Maximum Tolerable Period of Disruption (MTPoD) for that activity. You will see how this works later in this article.

The table below is a good example of the detail you need before designing your BIA approach. Note it only has one category so as to keep your attention on the article but most organisations have at least three (for example; Financial, Service Delivery / Product Quality and Reputation). Level 4 is the chosen organisational threshold for this example.
4.2 Time scales

It is important to define time scales for recovery before you start your BIA project. These scales might change over time, but you need to start with an agreed set before you conduct your assessments.

I would warn practitioners going the route of having multiple complex scale configurations to suit various parts of the business - you are just making extra and unnecessary work for yourself and your organisation. Have one scale for the organisation.

4.2.1 Recovery Time Objectives (RTO)

These are the recovery time periods you will assess each activity against and depending on what your organisation does this can vary significantly - even to minutes and hours.

Resilient Shipping top management wasn’t sure but they figured the following RTO time scales suited their business; 1 day, 2 days, 3 days, 4 to 7 days and >7 days.

4.2.2 Recovery Point Objectives (RPO)

These are the recovery point periods against which you will assess each activity. Depending on what your organisation does this can vary significantly - from days to even weeks.

Resilient Shipping top management wasn’t sure but they figured the following RPO time scales suited their business; 0 hour, 4 hours, 8 hours, 12 hours and > 12 hours.

4.3 Tools! Tools! Tools!

Be very careful NOT to just rush off and buy a product off the shelf - these can be more onerous to use than helpful.

I still use spreadsheets because in many cases the licensing costs and limited support of “BIA” applications are extortionately prohibitive.

I would strongly suggest that anyone who hasn’t conducted a BIA rather start with spreadsheets. But watch out - unless you do some VBA programming, maintenance of spreadsheets and templates is administratively heavy. Not only that, but your users might just revolt!
If you are going to use spreadsheets I would strongly recommend you sit down with your IT provider and consider some programming support, but if you do just want to go the basic cell formula route then that can work too - just be careful.

We have a “simple” (to the user) spreadsheet that, once completed, captures all the required detail on various tabs and ultimately delivers a “recovery consideration” table on one of the tabs. It does have some clever VBA behind it though. The assessments are then “auto” imported into a consolidation spreadsheet which provides the detail for analysis.

You could also just go the paper based questionnaire route and consolidate data into a spreadsheet - but that I suspect will only work for small organisations.

Give thought to the tools you intend to use and the level of consumer resistance you might create with your personnel / customers. If it’s difficult to use you will not get quality returns.
You also need a place to store the completed submissions (for audit and review purposes) and I would suggest these are stored centrally on something like a SharePoint environment. That way (in addition to other advantages) you have control of access and can set some workflows for review.

Resilient Shipping has asked TaGza to use their spreadsheet templates for the first BIA - included in the cost of course! They have provided a SharePoint option for all Business Continuity material.

4.4 Scope, objectives and reference

The Scope is the organisation, the objective is the vulnerability assessment and we have agreed with Contin Gensy that we will follow the guidelines of the GPG, use some of TaGza’s best practice reference material and align to current practice. Resilient Shipping trusts TaGza to use commonly available and relevant standards.

Scope and objectives would not change all that much if Resilient Shipping had a formal BCMS in place. What would be different are those areas that have been identified for exclusion from Scope.

I would seriously warn practitioners off being browbeaten by operational executives to initially limit the BIA scope to the “production line”. That’s total rubbish and while the “production line” might very well have critical elements they do not run the business - they provide a service to the business and therefore the whole business needs equal consideration and opportunity to identify vulnerabilities. Let’s face it - the BIA is largely about organisational vulnerability identification.

I am always amazed at the vulnerabilities and associated risks uncovered outside the “production line” which have gloomy and significant consequences for the business.

Note: All too often we confuse risk assessment with vulnerability assessment. The BIA is NOT a risk assessment product - it gives the information needed to facilitate risk assessments - as we shall see later in this article.
4.5 Approach design and approval

Spend some quality time in a quiet place to design your approach and get approval from Contin Gensy. A typical approach design includes 4 phases, but you can make this as complex or as light as your organisation needs. You may need to adjust your approach dependent on how busy the organisation gets - so be prepared.

4.5.1 Approach - phase 1 (stakeholder engagement)

This phase involves stakeholder engagements at senior level to;
• explain how you will be conducting the BIA, expected resource needs and timing estimates,
• gain their support and give them an opportunity to challenge / support you,
• get their perspective and opinions of main products and services,
• explain the impact categories you will be using and how those were approved,
• explain the scales you will be using and establish if this fits all departments,
• gain insight on how best to approach their departments and who is best placed to complete the questionnaire(s),
• discuss the required awareness training and gain commitment for the training,
• give them a chance to engage at initiation level and help fine tune your approach.

4.5.2 Approach - phase 2 (communication)

Now you are ready to let the organisation know what to expect. You will have identified the areas to be covered, the people that are to be engaged and the requirements. You will also be armed with the necessary tools and templates.

It is vital that communication stems from senior management (even if you are the creator of the lyrics). The communication should have a strong message on whose authority the BIA is to be conducted, the general approach and who will be the lead for ensuring compliance.

By the time communication goes across the organisation it is vital that you have already engaged people on a one to one basis, that you have their support (even in principle) and that there are no surprises.
This might also be called “customer relationship management” - for the BIA contributors (and their line management) will indeed be your customer.

4.5.3 Approach - phase 3 (discovery and assessment BIA1)

Having agreed with heads of department who will be fulfilling compliance requirements and having alerted the organisation to the approach, you now need to gather the data. This is likely to be the longest phase of the BIA.

During this phase you will;
• provide awareness and compliance awareness training for BIA contributors,
• develop a list of high-level activities performed by each function,
• assess impacts that could result from disrupting these activities - partially or fully, directly or indirectly,
• assess the maximum tolerable period of disruption for each activity (MTPoD). This is the point at which inability to restore services or activities or the inability to perform at predetermined levels will severely impact Resilient Shipping,
• assess the maximum time period after the start of a disruption by which each activity needs to be resumed,
• assess the minimum level at which each activity needs to be performed upon resumption,
• assess the length of time within which normal levels of operation need to be resumed,
• categorise the activities according to their priority for recovery and evaluate resource vulnerabilities of the key activities.
4.5.4 Approach - phase 4 (analysis BIA2)

Having received and consolidated all assessments you are ready to provide an analysis of the data you have gathered which will identify vulnerabilities and possible risks, particularly those vulnerabilities for which there is inadequate resilience or contingent arrangements.

During this phase you will;
• provide Senior Management with consolidated assessment results to confirm key activities and priorities,
• provide a dependency map to identify critical paths, single points of failure or vulnerabilities to products and services,
• evaluate key supply chain and ensure alignment with Resilient Shipping BC requirements,
• confirm the Recovery Time Objective for each activity which supports or delivers a key activity and identify issues relative to MTPoD,
• evaluate resources required for each activity to recover according to approved assessments. (For example: premises, people, technology, utilities and information),
• identify organisation-wide risks (the risks that are common to each directorate),
• propose mitigation and resilience building options to minimise risk and vulnerabilities.

4.6 BIA1 - assessment, review and sign off

Taking into consideration ERP, time scales, scope and approach let’s see what the finished product could look like.

4.6.1 Document Quality Management

There are oodles of articles on how one can manage documentation but start with the GPG (PP1 page 33) and SANS / ISO 22301 (section 7.5) to get the right flavour and direction.

You could structure a spreadsheet tab to consolidate much of the document quality management information. We won’t go into that in this article but bear in mind that document quality management is mandatory for a BIA.

4.6.2 Activity detail

For Resilient Shipping we decided our approach would aim at getting organisation functions to list (at most) 10 MAIN activities – note that I did not use the word “key”, “critical”, “important”, “fundamental” and so on.
The assessment will ultimately decide which of these activities require recovery priorities and then you can label them how you like. On the rare occasion that activities went past 10 we just got contributors to complete a “part 2” questionnaire (bear in mind we had already created the 10 activity BIA1 spreadsheet template). We found that of the 51 areas that returned assessments only 2 areas needed to list more than 10 MAIN activities.

To make things easy we had separate tabs on our spreadsheet for each activity. For each activity we requested the following information;
• A short description of the functional area completing the BIA1, how that related to the published org chart and what they provided to the organisation (note that we actually had this as part of the document quality information sheet and we just auto replicated this information),
• A short description of the activity and then a separate description detailing what the activity did and how that fitted into the functional area deliveries,
• An owner for the activity and a place to put some detail about the owner,
• A list of resources used by that activity compartmentalised into Roles, Premises, Internal Functional Dependencies, External Dependencies (suppliers mainly) and Technology / Plant / Services (divided into 8 key areas). We could have got more complex but we assessed these to be a good starting point from which we could improve as Resilient Shipping matured its BIA process. In the real world many of the resources are collated into the template and structured into drop downs (e.g. All the enterprise applications, sites and suppliers).
• A descriptor of each resource to explain what that resource was for and current alternative arrangements if that resource was not available (so - we are already providing an indicator of current resilience and vulnerability mitigation),
• An area for the BIA contributor to make comments (whether to address shortfalls in the template, peculiarities in their area activity - or to just have a whinge),
• The “desired” RTO and RPO for that activity. We wanted people to be realistic about what they “thought” these time scales SHOULD be (and why), IRRESPECTIVE of what might have been known of the current achievable BC arrangements.

What! No MTPoD? Not yet – just finish off gathering details of the MAIN activities for now.
4.6.3 Activity assessment (BAU)

The best way to explain the impact assessment is to consider the chart below. For this article we have chosen just the one activity (and the data is fictitious). On this tab in our spreadsheet we consolidated the titles of all activities populated by the BIA contributor (we did this work through some VBA just to save contributors from extra admin).

The qualification for the assessment of the one activity against one impact category was; “Given the organisation descriptors for each level if we cannot get the supplies to the customer by day 3 we will face customer financial penalties and may also have to replace the consignment owing to perishable and health constraints. This situation will get progressively worse if not sorted out immediately”.

We listed the activities and all the impact categories mentioned earlier in this article. We only show one activity and one impact category in this example. We also displayed the time scales for recovery (the recovery points being static).

We then used drop downs to let people choose the level of impact against the impact category that would be experienced over time. We also asked people to qualify their decision for that choice. What they didn’t know is that we had programmed the “threshold” into our calculations but they didn’t see that - well, not right away. I just added the red shading to make this obvious. (We wanted them to be honest and not swayed by any suggestion of “criticality”).

Once all activities had been assessed we then ran a clever macro which highlighted which of the activities crossed the threshold for the various impact categories and at what point in time across the time scale. This point became the MTPoD for that activity, i.e. the time at which impacts would have serious consequences for Resilient Shipping if they couldn’t get that activity up and running.
4.6.4 Activity assessment (Seasonal variations)

This tab in our spreadsheet was almost exactly the same as the BAU tab except for one difference - it had an additional drop down of predefined labels which identified specific periods in the year such as “month end” - where the impacts would be very different to those of BAU activities.

This provided contributors an opportunity to highlight seasonal variations – and in turn was a great help to fully understand the more complex vulnerabilities and recovery requirements should an impact occur during a particular cycle of an activity where priorities were likely to be very different to the BAU priorities.

4.6.5 Recovery priority considerations (vulnerabilities)

Voila! One more macro to run.

But before that we asked our BIA contributors to review their data with their line manager and make sure the assessment thus far was a best endeavours assessment which adequately reflected that function’s MAIN activities and that the assessments were suitably qualified. We also asked them to review RTO and RPO against the MTPoD and adjust those so that recovery objectives were less than the MTPoD identifier.

So you see - a little bit of discussion to get these two in the right place. If the assessments are good, the MTPoD is realistic and the RTO / RPO should then be less than that. (You would want to recover the activity before it reached a stage where Resilient Shipping could not tolerate the consequences of the impact - the impact threshold).

In some cases we found that the RTO was say 2 days but the MTPoD when assessed was >7 days. Why would you want to recover that activity so early when you may have other activities that command prioritisation? Would an RTO of 4 to 7 days not have been more realistic (and allowed the function to focus on other activities that were more important)? Was the assessment flawed or was the contributor just keen to get everything up and running as soon as possible?
Discussion is needed then as we don’t want to change the contributor data - they must decide that. We just want to understand the rationale for our analysis (and not embarrass our “customers”).

Now you run the macro.

You end up with a very simple chart similar to that below which sets the foundation for vulnerability identification - the analysis.

What this chart simply does is show the activities (one in our example), the recovery time scales and when the impacts of those activities cross the threshold (red). It furthermore gives some earlier data captured which should be used in the overarching analysis.

To explain the chart: I see an activity that has a 2 day RTO, the impact crosses the threshold on day 3 (MTPoD) and the age of the data supporting this activity cannot be more than 8 hours old from date of impact. That looks practical.

As the BIA contributor reviews data these may change so are really a snapshot summary to quickly identify anomalies or inadvertent assessment errors.
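The threshold-crossing and RTO review logic of sections 4.6.3 to 4.6.5, sketched in Python as an added example; it is not the author's VBA macro or TaGza's spreadsheet. The RTO scale, the threshold of 4 and the "first 3 days" key-activity rule (section 4.8.4) come from the article; the integer impact levels, the `MAX_EARLY_GAP` rule, the finding names and all sample activities are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Values taken from the article.
RTO_SCALE = ["1 day", "2 days", "3 days", "4 to 7 days", ">7 days"]
THRESHOLD = 4     # "Level 4 is the chosen organisational threshold"
KEY_BUCKETS = 3   # key activity: threshold crossed within the first 3 days

# Assumption of this example: an RTO more than one bucket ahead of the
# MTPoD is queried with the contributor (the "2 days vs >7 days" case).
MAX_EARLY_GAP = 1


@dataclass
class Assessment:
    activity: str
    period: str       # "BAU" or a seasonal label such as "month end"
    desired_rto: str  # one of RTO_SCALE
    impacts: dict     # impact category -> level per RTO_SCALE bucket (ints)


def mtpod_index(impacts, threshold=THRESHOLD):
    """Earliest bucket where ANY category reaches the threshold, else None."""
    crossings = []
    for category, levels in impacts.items():
        if len(levels) != len(RTO_SCALE):
            raise ValueError(f"{category}: need {len(RTO_SCALE)} levels")
        for bucket, level in enumerate(levels):
            if level >= threshold:
                crossings.append(bucket)
                break
    return min(crossings) if crossings else None


def review(a):
    """Derive the MTPoD for one assessment and compare the desired RTO to it."""
    if a.desired_rto not in RTO_SCALE:
        raise ValueError(f"{a.activity}: unknown RTO {a.desired_rto!r}")
    rto = RTO_SCALE.index(a.desired_rto)
    mtpod = mtpod_index(a.impacts)
    # No crossing on the scale is treated as an MTPoD beyond the last bucket.
    effective = len(RTO_SCALE) if mtpod is None else mtpod
    if mtpod == 0:
        # No RTO on this scale can be less than a first-bucket MTPoD;
        # the scale is too coarse for this activity.
        finding = "MTPOD_IN_FIRST_BUCKET"
    elif rto >= effective:
        finding = "RTO_NOT_BEFORE_MTPOD"
    elif effective - rto > MAX_EARLY_GAP:
        finding = "RTO_MUCH_EARLIER_THAN_MTPOD"
    else:
        finding = "OK"
    return {
        "activity": a.activity,
        "period": a.period,
        "mtpod": None if mtpod is None else RTO_SCALE[mtpod],
        "key_activity": mtpod is not None and mtpod < KEY_BUCKETS,
        "finding": finding,
    }


def review_all(assessments):
    return [review(a) for a in assessments]


# Constructed sample data; none of it is from the article's spreadsheet.
SAMPLE = [
    Assessment("Deliver perishable consignments", "BAU", "2 days",
               {"Financial": [1, 2, 4, 5, 5]}),
    Assessment("Archive shipping manifests", "BAU", "2 days",
               {"Financial": [1, 1, 1, 2, 4], "Reputation": [1, 1, 1, 1, 2]}),
    Assessment("Customer invoicing", "BAU", "3 days",
               {"Financial": [1, 2, 3, 4, 5]}),
    Assessment("Customer invoicing", "month end", "3 days",
               {"Financial": [2, 4, 5, 5, 5]}),
    Assessment("Vessel tracking", "BAU", "1 day",
               {"Service Delivery / Product Quality": [4, 5, 5, 5, 5]}),
    Assessment("Staff newsletter", "BAU", ">7 days",
               {"Reputation": [1, 1, 2, 2, 3]}),
]

if __name__ == "__main__":
    for row in review_all(SAMPLE):
        print(row)
```

The findings are prompts for discussion with the contributor, in line with the article: the contributor decides whether to change the data, and the seasonal row for invoicing shows how a "month end" profile can turn an acceptable BAU objective into one that lands after the MTPoD.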
In the real world there would be a number of other activities and some of these might have a lower RTO with an earlier impact threshold. I would therefore need to look at those activities as a priority, but we aren’t discussing recovery planning at this stage or in this article.

What is important for the activity in the chart is that we consider whether we can get this activity up and running in 2 days and what contingent resource arrangements we might require to achieve that. Some more discussions then - but that’s for later.

4.7 Products of the BIA1

Having completed this hard work, pat yourself on the back. You have collected sufficient data to perform a business impact analysis (BIA2).

You have also inadvertently created a process to;
• identify activities that support the provision of products and services;
• assess the impacts over time of not performing these activities;
• set prioritised timeframes for resuming these activities at a specified minimum acceptable level, whilst taking into consideration the time within which the impacts of not resuming activities would become unacceptable; and
• identify dependencies and supporting resources for these activities, including suppliers, outsource partners and other relevant interested parties.

Have a look at section 8.2.2 of SANS / ISO 22301 - job done then! Or is it?

4.8 BIA2 - analysis, review and sign off

We now have Contin Gensy baying at the door for an analysis of impact vulnerabilities (he’s got quite good with terminology now).

So we write him a report and bearing in mind he is a busy man we don’t want to over-egg the detail too much - we can drill down to that later on (as we now have a vast collection of raw data).
4.8.1 Confirm criteria

It is very important in the Analysis to confirm the criteria used in the foundation of the BIA data gathering, particularly those related to Resilient Shipping’s impact categories and to explain how the time scales and thresholds were approved. If you made these up you might get chastised for guessing what the organisation wanted - that’s not your job!

4.8.2 Summarise the approach used

Give Contin Gensy an overview of the approach (to remind him what was agreed) and who was involved. Give a clear perspective of which areas submitted a response. You might also want to note why certain areas were excluded as he is likely to pick those up.

4.8.3 Summarise the expected outcomes

Contin Gensy wanted a vulnerability assessment (and realises now that this BIA is the product to provide that). Take him for a gentle trot on what was gathered (high level) and how these were assessed and reviewed. Explain how the outcomes gave intelligence to the Analysis. In particular identify the key resource dependencies and how the analysis considered resource vulnerabilities (people, things to work with and premises).

4.8.4 Report on assessments

In this section you will identify the scope by listing the directorates, how many BIA1s they completed, how many activities were assessed and who owns the top end of the BIA1s. Total these figures as well.

For Resilient Shipping we conducted 51 assessments (294 MAIN activities) covering all directorates. We broke that up per directorate in our report.

Contin Gensy had also agreed that in order to simplify things we would categorise all activities which crossed any impact threshold within the first 3 days as a key activity (I forgot to tell you this - VERY IMPORTANT TO HAVE A MECHANISM TO IDENTIFY WHAT IS CONSIDERED A KEY ACTIVITY).

In our report we reminded him under this section and summarised the detail (15 activities crossed the threshold on day 1, 52 on day 2 and 45 on day 3 - a total of 112 out of 294).
We then identified which resources the analysis chose to focus on (this we only got advised about late in the BIA process when Contin Gensy realised the value).

During the BIA data gathering exercise it was clear that Resilient Shipping had massive resilience in premises options and that their technology was relatively resilient but there was an obvious weakness in succession planning for those roles that supported the key activities. We mentioned this in our report.

4.8.5 Report on recovery capability

In this section we reported on the capability of Resilient Shipping to support contingent arrangements. During the BIA1 phase we had loads of discussions with facilities, operations and HR (to name a few). During that period we examined outsourced contracts (suppliers), disaster recovery capabilities for key technology (identified in the BIA1), alternative working options, key personnel knowledge transfer, skills, qualifications, development, assessments and succession planning.

Across the scope of Resilient Shipping we found that the technology suite was pretty robust and would support 90% of the key activities’ desired RTOs. There were also enough geographically spread premises with state of the art remote options to support most of the key alternate premises needs.

What we did find was that knowledge was not transferred; that people were not that well developed in centralising vital information and that the attrition rate was abnormal. More so people were at great risk given the nature of their roles as well as current volatile and competitive markets.

We summarised the key personnel, their qualifications, skills and experience scores and tried to assess who could replace these people. The number of single points of failure was massively significant. We reported this.
Although there were a number of activities whose RTOs could not be achieved against what Resilient Shipping could provide, we felt those were particular to that section or department and not something the whole business was exposed to. We advised BIA contributors and line management in those areas to conduct a risk workshop itemising where they felt vulnerable (given the details in the BIA1) and seek mitigation solutions at Directorate level.
4.8.6 Analyse the organisation

In the analysis, given the focus on recovery capability, we chose to highlight that Resilient Shipping was not resilient at all when considering the impacts and risk which could arise from unavailability of key personnel.

We wanted to suggest Contin Gensy changed the company name to Vulnerable Shipping - but of course that would have been professional suicide. Instead we gave him valuable detail to contemplate, breaking these up into areas he could explore (vulnerabilities and gaps, risk considerations, recommended improvements and planning recommendations).

At this point Contin Gensy was smiling - he could see the BIA had been thorough, he could see his whole business had been involved, he could see a huge change in the way people approached vulnerabilities, he could see the really good bits but with an understanding that some areas needed work. He also had a very clear perspective of the extent of the risk the company faced with knowledge retention and that the HR side of things hadn’t given his people a good enough deal to keep them.

He could also see some value-add benefits - he now had a system he could regularly use, he now had his people talking to each other, there was more transparency as he realised the BIA process was not punitive but of significant value.

Contin Gensy was under the impression his ships were the most vulnerable and was pleasantly surprised to know that it was the loyalty of his people and their extraordinary skills that kept his ships resilient (yes we assessed and analysed those as well). He knows he now has to embark on an urgent campaign to get his people resilient and for that we recommended a good consulting company (TaGza HR - I just made that up).

He got this information in the summary, which provided the detail to take forward to his executives for discussion - and to agree a strategy.
Note: You may want to look at ISO 22301 (section 8.3) and the GPG (PP4 page 62) to get a view on how the strategy can be progressed using a lot of what you have gathered during the BIA process.

4.9 Now what?

Phew! If you think that was hard work - try writing it!

If we were just doing a BIA for Resilient Shipping our job would be done. We would encourage Resilient Shipping to get us back on an annual basis to ensure the process doesn’t become diluted, that we look at improvements and actions from the previous BIA and that we shift the focus of the next BIA to vary vulnerability analysis.

If, however, we were doing the BIA and Risk assessments as part of a BCMS we would now set the strategy to mitigate vulnerabilities and to plan how we are to recover the key activities as prioritised. This is also a lot of work but most of the complex detail is now available for those processes from the BIA work.

5 Other bits …

It is vitally important that one considers a BIA and vulnerability assessment as part of the overall resilience development programme for an organisation. For instance, the Information Security suite (ISO 27001 family) requires a BIA to be completed for IT systems but that has a slightly different exposure - focussing more on Confidentiality, Integrity and Availability.

Even so it would be silly to just conduct a BIA and leave it at that. If you’re not going to use the value from the BIA then all well and good - but why then do it in the first place?

From the BIA comes a decent platform for setting your resilience and recovery strategy framework as well as driving the focus on business continuity recovery plans. Even more importantly there is a huge interface into your response team structure as they are now better informed about the organisation’s key activities - rather than all clambering to get their piece of territory recovered.
What should also happen is that the scope and context of the organisation starts to be shaped on real data and not just from those who shout the loudest.

I stand by my statement that the BIA is the foundation for all the resilience disciplines to stand united, but it does not work on its own so do engage the “other bits” of resilience when designing your BIA approach.

6 Summing up!

If you are still awake at this stage I must reveal something. Although this is a pretty good approach I have thrown in a few references which I have not explained, I have also made a weenty assumption that you are all well versed in resilience disciplines, particularly Business Continuity Management. There are a whole heap of training requirements intimated in this article which you will need to undergo to do a proper BIA.

I have, in these lyrics, also fast tracked some processes and I have made up quite a lot of detail, so don’t take this article verbatim to deploy a BIA project. It’s simply a guide to an approach you can adopt but you still need to be very skilled to conduct a BIA.

I would strongly suggest you contact ContinuitySA in the first instance to understand the modules that are needed to address and interface with a BIA - and do get an experienced person to help and coach you.

Good luck!
  • 11. Should you have any enquiries as to how you can make a difference or would like to be included in regular communication, please contact: Louise Theunissen (MBCI)(PMP), BCI SADC Chapter Board Member. Mobile: +27 82 928 7158 or mail to: bciafricaevents@gmail.com

BCI SADC Chapter Forums

Founded in 1986, Master Drilling provides specialist drilling services to the mining industry, from the exploration phase right through to production. Master Drilling listed on the Johannesburg Stock Exchange in 2012, and its services include the design, manufacturing and maintenance of drilling equipment, along with associated training – all of which can be customised to the needs of each client and prevailing site conditions.

With operations in South Africa, West Africa and Latin America, Master Drilling is reliant on a highly available IT infrastructure to enable effective collaboration and access to company data. “There’s always somebody working so we have to keep downtime to an absolute minimum,” says IT manager Steven Naudé. “Much of the business’s value is contained in its intellectual property, which is largely held on the network, so again we need reliable back-up and storage environments.”

Master Drilling maintains its own small on-premise data centre. With its existing servers nearing the end of their warranty periods, Naudé wanted to upgrade the infrastructure. He called in the team from Triple4, who had been providing services related to virtualisation for some six years. “The key consideration for Master Drilling was an infrastructure that was highly available. With that in mind, we recommended they opt for Fujitsu servers and storage area network,” says Scott Orton, Triple4’s sales director.

Triple4 helped design the infrastructure to make it more resilient and scalable for future needs. Triple4 managed the migration of both the physical and virtual environments, and continues to provide infrastructure monitoring and support to Master Drilling.
In a parallel project, Triple4 helped Master Drilling create a wireless environment at its Fochville head office that was easier to manage and offered significant benefits to users. In this instance, Triple4 recommended the use of a Juniper Enterprise Wireless solution. Because all the wireless access points are managed by a central controller, it is no longer necessary to manage each access point individually. Users, who previously had to log on to each access point with a separate password as they moved around the offices, now only have to log on once. The solution is also very reliable and stable.

“Both the infrastructure solutions recommended by Triple4 have more than lived up to expectations – it’s really a case of ‘turn it on and forget about it’. Because Triple4 does the research so well, their recommendation is really worth something,” says Naudé. “I must also say that their support is excellent. We usually only know about a problem on our infrastructure when they contact us to say it’s been fixed, and if we log a call, the turnaround is impressive.”

Triple4 is currently working on a project to help Master Drilling design and specify a global infrastructure for its enterprise resource planning software system.

Master Drilling optimises infrastructure with help from Triple4

Triple4 has created a highly available infrastructure and stable, user-friendly wireless environment for the global provider of specialist drilling solutions for the mining industry.

For more information contact Triple4 or visit www.triple4.co.za
  • 12. “Cloud offers enterprises the benefits of reduced capital expenditure and staff requirements combined with scalability and quick deployment—something that’s hugely important in today’s fast-moving business environment,” says Shaheen Kalla, Managed Services Manager at ContinuitySA. “Cloud services coupled with service-level agreements and fixed penalties make it a viable alternative to internal hosting.”

However, there are disadvantages to cloud that also need consideration, among them reliance on the provider for troubleshooting and security concerns about sensitive data. It must also be borne in mind that cloud providers are natural targets for hackers.

In moving to the cloud model, Mr Kalla argued that enterprises should consider a three-phased approach. The first stage is co-location or rack hosting, a model in which hardware moves to an offsite data centre. Drivers for such a move would include the size of the current environment, and its requirements for power and other peripheral services such as cooling and humidity control. If the organisation plans to expand, co-location would possibly be indicated, especially if, for example, one is reaching the limit of the power available on the site.

The next stage would be managed services, with the hardware continuing to be owned but the services delivered by a third party. This model is particularly well suited to Web-based “thin” applications, and suits companies that want to benefit from the maximum amount of depreciation from recently purchased assets. Service-level agreements govern this type of environment.

The final stage is the move to the cloud, a move, Mr Kalla says, that requires a mature and long-term outlook. “It’s a totally hands-off environment which might not please technical staff who typically like control.
Moving to this model warrants an in-depth assessment of the service provider and its levels of security and responsiveness.”

Key things to look out for include close reading of the fine print to understand exactly what the service-level agreement covers and does not cover, and how and when penalties kick in.

“It’s also vital to consider the implications of where the service provider’s data centres are located,” Mr Kalla says. “If located outside of the country, this will affect the latency and so the user experience on certain applications. Location will also affect what you are paying for the link to the centre, and will in turn affect the costs of migrating to cloud.”

Three steps to enterprise cloud migration

Cloud computing offers significant benefits to enterprises, and many are starting to factor it into their long-term planning. First, however, they need to understand the pros and cons of cloud – and how to make the move.
  • 13. Flu season means it is time to dust off your pandemic policy

This latest outbreak of bird flu has had a very serious impact on China’s poultry sector, with losses of more than $1.6 billion reported already. Closer to home in South Africa, bird flu is crippling exports of ostrich products. Reportedly, 50% of ostrich farmers have had to close their businesses, resulting in significant job losses. Estimated losses for the sector, according to some, are running at R100 million per month.

Over the years, the flu virus has demonstrated its ability to mutate into more virulent strains which can spread quickly. Recently, various strains of bird flu, the SARS virus, swine flu and Hong Kong flu have spread rapidly around the world. While the Spanish flu pandemic of 1918 was the big killer – 50 to 100 million people are thought to have died around the world – other pandemics have had severe impacts on productivity. The Center for Disease Control in the United States estimated that a “medium-level” avian flu pandemic could have an economic impact of up to $166.5 billion, with seasonal flu responsible for some $10 billion in lost productivity and direct medical expenses – and these are 2006 estimates.

“The latest outbreak of bird flu in China and in South Africa should act as a timely reminder that we are now entering the flu and cold season,” says David Bollaert, a Senior BCM Advisor at ContinuitySA, Africa’s leading provider of business continuity solutions. “Whether it’s just a cold or the latest flu strain, these diseases can spread very quickly in a company and cause many hours of lost productivity as people spend time at home, visiting doctors or performing their duties at lower productivity level.”

Because a pandemic can affect a business’ ability to function, its business continuity plan should include a pandemic policy that lays out the processes for minimising risk.
Among these processes are infection prevention and control measures aimed at halting or at least minimising the spread of infectious diseases.

“Companies need to guard against large numbers of employees becoming affected—that’s when the business’s capacity to operate becomes compromised,” says Mr Bollaert. “Before the flu season starts, I advise all companies to make sure their pandemic policy and response strategy is adequate, infection prevention measures are in place and that, most importantly, employees are informed and empowered.”

Prevention is always better than cure; this is a good time for the company to provide refresher information on how to improve health and basic hygiene. Eating healthier food, exercising and getting enough sleep will all help boost immune systems and lower infection rates – and getting a flu vaccination early is also to be recommended.

It is also worth reminding employees how effective basic hygiene can be in reducing cross-infection rates. Thorough, frequent hand-washing, covering one’s mouth when sneezing and wiping down surfaces in high-contact areas like hallways and washrooms with anti-bacterial cleaners can inhibit the spread of infections dramatically. Local research has shown that the use of antibacterial products alone can reduce the incidence of respiratory ailments by 85.8% in adults.

“Pandemics are a business issue: use your pandemic policy wisely to make sure your organisation stays safe and is able to continue delivering its critical services,” concludes Mr Bollaert.

The latest figure brings the total number of human deaths to fourteen in China’s unfolding bird flu epidemic. Infection cases that have been recorded appear to originate from Shanghai and show that this is a new strain, H7N9, which was not previously known to infect humans. With 63 reported cases of human infection and fourteen deaths, the mortality rate is high.

David Bollaert
  • 14. Does your business have operational resilience?

Published first in Business Brief:

There’s much in business that’s uncertain, but you can bank on one thing: you will go out of business if your operations cannot respond to unexpected change. That change could be anything from altered market conditions to unexpected catastrophe.

It’s also worth stating the obvious here: the world is now a very small place, thanks to our connected business models. In practical terms, changes at the other side of the world impact us here in South Africa when once they did not. Two examples will make that point. The Japanese earthquakes and consequent tsunamis in 2011 devastated the country, but they also affected electronic supply chains because factories manufacturing components were destroyed. And then consider Kenya’s billions in wasted flowers and vegetables when the ash cloud from Iceland’s Eyjafjallajokull volcano grounded flights to Europe for more than a week in 2010.

By contrast, the potential disruptions that the 2010 World Cup could have caused never materialised, thanks to good advance planning. Companies need to develop organisational resilience to ensure agility in time of expected or unexpected change, from tsunamis to fluctuating exchange rates. Operational resilience covers a number of elements, but where do you start to ensure that your business keeps functioning during unforeseen circumstances?

One important component of operational resilience is business continuity. It plays an important role in increasing an organisation’s capability to continue delivery of products and/or services at acceptable predefined levels and provide an effective response that safeguards the interest of stakeholders following a disruptive incident.

The good news is that the International Standards Organisation (ISO) has recently introduced a set of standards for business continuity management.
The new ISO 22301 standard specifies requirements for setting up and managing an effective Business Continuity Management System (BCMS). In other words, the new standard takes business continuity beyond risk management by providing processes for managing its implementation over the long term, and the measurement of its maturity. Usefully, the ISO has also produced guidelines in the companion standard, ISO 22313.

Business continuity begins with gaining a detailed understanding of your organisation, right down to the maximum tolerable period of disruption for each product or service offered. Thereafter, it’s possible to define a business continuity strategy based on how to bridge the gap between the company’s business recovery requirements and its current recovery capabilities. It’s then a question of implementing, managing (and monitoring) the strategy over time: business continuity management, in fact.

This concept of managing the whole business continuity process is vital, particularly because it includes testing to see how effective the solution is. For this reason, companies will increasingly find that auditors are no longer satisfied with business continuity plans but are demanding proof that the solution has been tested and actions to address areas of weakness have been identified.

As the organisation’s implementation of business continuity progresses, so will its resilience. Constant change is the hallmark of business today – and business success depends on developing agile operations that can respond to change.

By Louise Theunissen, Advisory Services at ContinuitySA
  • 15. The Categories: There are nine judged categories and one public vote category.

Judged Categories:
• Business Continuity Consultant of the Year
• Business Continuity Manager of the Year
• Public Sector Business Continuity Manager of the Year
• Most Effective Recovery of the Year
• BCM Newcomer of the Year
• Business Continuity Team of the Year
• Business Continuity Provider of the Year (BCM Service)
• Business Continuity Provider of the Year (BCM Product)
• Business Continuity Innovation of the Year (Product/Service)

Public Vote Category (by nomination only):
• Industry Personality of the Year

Application process

Entries for the judged categories must include:
• Written submission statement of between 1500 and 2500 words in support of the application including information mentioned in the criteria.
• An abbreviated summary of the statement – no more than 100 words
• Full contact details including name, organisation/employer name, address, phone number, email
• Written confirmation that all permissions relating to the release of data contained within the application have been granted

Nominations for the public vote category of Industry Personality should include a 100-word summary of why that person is being nominated. The 5 most popular nominations will be collated and put to a public vote.

Please submit your completed application to Lucy McDonnell. Please click here for a list of the countries included.

BCI Africa Awards!

The Awards Ceremony will take place on the 22nd August 2013. The closing date for entries is the 21st June 2013. All winners from the BCI Africa Awards will automatically be entered into the BCI Global Awards 2013 that take place in November during the BCM World Conference and Exhibition 2013, 6th to 7th November 2013 in London.

The Awards recognise the outstanding contribution of business continuity professionals and organisations living in or operating in Africa. For detailed descriptions of each of these categories click here
  • 16. The two-day course, the IT Service Continuity Training is targeted at IT and Business Continuity Management (BCM) professionals responsible for the continued uptime of IT services within their organisations.

Key elements of the IT Service Continuity Course include:
• The link between BCM and IT Service Continuity Management;
• The evolution of IT Service Continuity;
• The latest concepts and trends in IT Service Continuity;
• Conducting an Infrastructure Impact Analysis;
• Formulating and implementing cost effective IT Service Continuity strategies to meet business requirements;
• Security management in IT Service Continuity;
• Testing the IT Service Continuity framework; and
• A Continuity-as-a-Service case study.

Attendees will not simply be bombarded with theory, but will be taught skills proven in the real world by active BCM practitioners with MBCI (Member of the Business Continuity Institute) certifications. The course is based on the Good Practice Guidelines of the BCI and complies with the new ISO22301 standard to ensure it is on par with international best practices.

The 5 day Complete Continuity® Practitioners Programme is designed to equip business continuity practitioners within any organisation in all aspects of implementing, managing and maintaining an effective business continuity framework in their respective environments. The course is based on the Business Continuity Institute’s Good Practice guidelines and ISO22301 international standard.
Key elements of the 5 day Complete Continuity® Practitioners Programme include:
• Introduction and Origins of BCM
• Trends and Observations
• Standards and Compliance
• Elements of the BCM Lifecycle
• BCM policy and Programme Management
• Embedding BCM in the Organisation’s culture
• Understanding the organisation
  - Business Impact Analysis
  - Continuity Requirements Analysis
  - Risk Assessment
• Determining BC Strategy
  - Selecting strategies and tactical responses
  - Consolidating Resource levels
• Developing and Implementing a BC response
• Exercising, Maintaining and Reviewing
• Measuring BC Maturity

ContinuitySA Training Dates

Africa’s largest Business Continuity service provider, ContinuitySA, has enhanced its Complete Continuity Training Academy.

For more information on these courses, contact: training@continuitysa.co.za or call +27 (0)11 554 8000.

Dates for the IT Service Continuity course are as follows:

IT Service Continuity Programme (2 Day Training)
13th & 14th August – Botswana
4th & 5th September – Johannesburg

Dates for the 5 day programme are as follows:

Complete Continuity Practitioner Programme (5 Day Training)
22nd to 26th July – Johannesburg
16th to 20th September – Johannesburg
14th to 18th September – Cape Town
20th October to 1st November – Botswana
18th – 22nd November – Johannesburg