Gert Kogenhop argues that dependencies need more attention in business continuity management. He presents the case that organizations must identify, analyze, and take action to treat all dependencies, as relying solely on external partners or resources poses risks. Kogenhop then outlines a proposed dependency assessment process in accordance with ISO 22301 standards. This involves identifying, systematically analyzing, evaluating, and identifying treatments for dependencies. He stresses that such an assessment requires collaboration across departments and must be ongoing to account for changes to dependencies over time. Kogenhop questions whether simply updating impact assessments during reviews is sufficient, arguing a separate dependency assessment is needed to properly manage risks from dependencies.

1. Dependencies need
more attention
Gert Kogenhop

2. Who’s on stage?
•Gert Kogenhop
•bcm+ - ClearView Benelux
•Chair BCM & CM standards
committee ISO-NEN in the
Netherlands
•Used to be in “Finance’
•Nowadays focused on BCM since
publication BS25999 in 2007
•Trying to prepare organization
for the unexpected
Welcome

3. Value secure &
create

4. Business Continuity
capability of the organization to continue
delivery of products or services at acceptable
predefined levels following disruptive incident

5. 8.2.2 Business impact analysis (ISO 22301)
The business impact analysis shall include the
following:
d) identifying dependencies and supporting resources
for these activities, including suppliers, outsource
partners and other relevant interested parties.

6. 8.3.1 Determination and selection of the business
continuity strategy (ISO 22301)
The organization shall determine an appropriate
business continuity strategy for
b) stabilizing, continuing, resuming and recovering
prioritized activities and their dependencies and
supporting resources

7. DEPENDENCY
▪ Something that is dependent on something
else
DEPENDENT
▪ Determined or conditioned by another
▪ Relying on another for support

8. Question for you:
Can you afford
to simply rely on
‘another’?

9. So
Ta da da daaaaaaah

10. Introducing the
Dependency
Assessment

11. Why?
Because
1. I say so and I am the expert ... Why else should I
be standing here?
2. We need to Identify, Analyse and Action ALL
dependencies since we can not afford to rely on
‘another’
3. We need to continually improve our BCMS and this
fills part of that requirement
4. It’s a basis for setting Key Performance Indicators
and that always is a challenge

12. Dependency Assessment
In ISO 22301 ‘style’:
The organization shall
a) identify dependencies within the organization related to prioritized
activities (processes, systems, information, people, assets, outsource
partners and other resources that support them),
b) systematically analyse these dependencies,
c) evaluate which disruption related dependencies require treatment, and
d) identify treatments commensurate with business continuity objectives
and in accordance with the organization’s goals and objectives.

13. DEPENDENCY
PEOPLE
RAW
MATERIALS
ICT
SITES
SUPPLIERS
DATA
UTILITIES
….
EQUIPMENT
PROCESSES
PARTNERS
VITAL
RECORDS
Identify

14. Analyse
People
1. Knowledge
2. Skills
3. Right authorisation level
4. Number of (enough)
5. When needed (Xmas)
6. …

15. Evaluate
People
1. Knowledge (theoretical or practical understanding)
2. Skills (proficiencies developed through training or experience)
3. Right authorisation level
4. Number of (enough)
5. When needed (Xmas)
6. …
- People strategy in the BCP
- People strategy in the BCP

16. Treatments
People
1. Knowledge (theoretical or practical understanding)
2. Skills (proficiencies developed through training or experience)
a) Personal development plans
b) Training on the job
c) Manuals and support documents/data
d) Cross training
e) Job rotation
f) …

17. You can’t do this on your own!

18. So
We need to work together with
other parts of the organisation
limiting dependencies

19. Who to TEAM up with?
1. People – HRM and Operations
2. ICT and Data – ICT department
3. Raw materials – Operations and Purchasing
4. Suppliers – Operations and Purchasing
5. Partners – Operations and Purchasing
6. Equipment – Operations and Project Office
7. Utilities – Facilities and Maintenance
8. Sites – Operations and Facilities
9. …

20. You can’t do this on your own!
But there is a constant change
• We buy new equipment
• We need to reduce cost of raw materials
• Moving from two sites into one site
• Restructuring (Roles, Responsibilities, ..)
• New suppliers
• Lean program
• Further automation
• …

21. • We buy new equipment (replacing 2 ‘old ones’)
Cap. 1,000 Cap. 2,500
Cap. 1,000
• More capacity
• Easier to clean
• Safer (H&S)
• Energy savings
• Less maintenance
• Less depreciation
• Less space
But:
Less flexibility,
a BCM risk?
Is this taken into
account?

22. So, on the review date of my BIA I
simply replace under the ‘required
resources’ section the two old
machines by the new one and submit
my BIA for approval.
It’s up to date again
Done! – CU next year…

23. • We need to reduce cost of raw materials
• New suppliers
What are the goals and the objectives of the
Purchasing Department?
• Cost savings
• Best deal, best price – one suppliers takes it all?
Is BCM (capability) a standard item in the Supplier
Relationship Management System and a standard item in
KPI’s and part of the Supplier Performance Management
approach?

24. So, on the review date of my BIA I
simply replace under the ‘external
dependencies’ section the three
suppliers by the (only) new one and
submit my BIA for approval.
It’s up to date again
Done! – CU next year…

25. Final question for you:
Is it overkill to state we
need a separate
Dependency
Assessment
to manage this?

26. Thank you!

27. This presentation was delivered at a
BCI event
To find out more about upcoming
events please visit our website