John Zeppos Continuing Operations In A Modern And Efficient Manner Davos 2012
Continuing operations in a modern and efficient manner
John N. Zeppos¹
¹ COSMOTE Mobile Telecommunications S.A./NATO, Athens, Greece. E-mail: yzeppos@cosmote.gr; i.zeppos@gmail.com
ABSTRACT: Business continuity management has always been perceived by some organizations as well as individuals as a
strictly technical discipline that mostly focuses on the so-called “disaster recovery” process.
Nowadays, things and needs are changing around us by the moment, and the need to have an embedded protecting framework
around an organization is more critical than ever. It doesn’t really matter if your critical products and services are interrupted
because of a fire, an earthquake, a tsunami or a terrorist attack; the only thing that really matters in today’s business world is the
ability of an organization or a community to withstand any unforeseen incident that may occur at any given time, and would
certainly not respect borders, time and calendar events, and to prove its resilience to its customers and all other critical publics.
That said, disaster recovery is yesterday’s news, whilst resilience is the new trend.
In order to make things a bit clearer, let us all think for a while about “disaster recovery”… It quite easily gets us to the conclusion
that this specific approach has an embedded idea of interruption even before it becomes reality, because Disaster Recovery means
that we will “recover after a disaster”. That – of course – is not bad at all, exactly the opposite, but again, there is a hugely
increasing demand for “resilience”, which insists that we should plan for no interruption if possible. There is a saying that
describes this perfectly: Aim for the stars, if you miss you'll still hit the sky.
During this presentation you’ll be introduced to the most modern approach for doing business continuity, making everyone’s
work much more efficient and much easier to get board buy-in as well as always visible support from them, delivered to you by
the Highly Commended Business Continuity Manager of the year 2011.
Keywords: business; continuity; resilience; recovery; incident; risk; disaster
1. INTRODUCTION
It is not uncommon to come across businesses that tend to think that they have already covered their critical and precious assets,
processes and people just by having a Recovery Data Centre set up somewhere within a range of 1 mile or so from their main
Data Centre. Is it their way of strategic thinking, or is it just them struggling to convince their Interested Parties that what they
have spent some serious amount of money on is well worth it and will save the day should an unforeseen incident occur?
One will most frequently get to see this happening in businesses dealing with technology, as their main focus is not to lose their
infrastructure, feeling that for some strange reason their staff will be there if something happens, the buildings will be there no
matter what the incident was and most importantly, their customers will continue to be there waiting for their services to be
delivered.
This – I have to admit – is an old-school business continuity technique, going back to the seventies, when all that one could do was
to have another server ready to take over, should the primary one fail.
Today, we will be evidencing why this approach is not only wrong, but – above all – dangerous.
2. THAT WAS THEN THIS IS NOW
Business Continuity is much more of an intellectual process than ever before and that is simply because one has to think of every
single critical aspect of the organization one tries to protect.
The first thing to keep in mind is that there is no single solution that fits all needs, meaning that the best Business Continuity Plan
should always be your Business Continuity Plan. It is a common mistake for many organizations to try and adopt others’ success
stories, thinking that this might be a low cost solution for them and will manage to keep their Management as well as their
Interested Parties happy, but this might only last till the next incident gets to you. Chances are that one will most likely not
manage to survive, just because of the fact that the low cost Business Continuity Plan and their low cost solutions in place (?)
were never meant to fit their needs but someone else’s.
As mentioned a little bit earlier, people back in the seventies realized that IT systems tended to fail from time to time, therefore
they needed some redundancy. Later in the 80s, most technology companies had their so-called “Disaster Recovery site” in place,
feeling somewhat safe that external (or even internal) disruptions would not happen or would just be minimized using some kind of
magic wand to do so.
Only very few of those companies ever tested their arrangements in order to make sure they were fit for purpose and ready to
really take over should an incident occur.
Even fewer were the ones that were documenting and evidencing their tests, mostly because of the generic perception at the time
that testing the investment might jeopardize their existing customer base, as it might not operate as planned, indirectly admitting
that they were not really taking care of their customers, just trying to follow what seemed to be a trend and keep investors happy
that their money was well spent.
In the nineties, with the first attempts at drafting a series of procedures and processes that would cover the whole
business rather than just the technology infrastructure – be it IT or any other kind of heavy machinery used in production
and manufacturing plants – people came across a fact they were not really expecting, but which seemed an eventuality at the same
time as well: they had to start thinking about the whole business, not just the technical bit.
This is when it all started to form up as something quite interesting at the time, as terms such as interdependencies, maximum
tolerable period of disruption and alternative means of continuing traditional business such as sales and customer services or even
media relations, started to kick in.
Later in the new millennium, we managed to have an officially recognized standard, even if just British back then: BS25999. It
was the first time ever that what was drafted as a pile of processes and procedures was transformed into a Management System,
similar to the ISO9001, even if not an ISO yet.
This caused a lot of friction internationally, as different regions had already drafted their own standards for their own world, so not
everybody admitted that BS25999 was a global standard, even if the product called BS25999-2:2007 is the best-selling
product ever of the British Standards Institution (BSI) globally.
Nowadays, and in fact 3 months ago, the International Standards Organization (ISO) finally published the long awaited ISO22301
global standard on Business Continuity Management Systems. The funny thing is that even if the BS was not always regionally accepted
as best practice, almost 80% of the ISO22301 input comes straight out of the BS25999-2:2007 itself, proving that it was the best
standard for one to get certified against – and it will remain as such till November 2012, when it will be withdrawn as it is
considered to be superseded by ISO22301.
3. ALL THAT GLITTERS IS NOT GOLD
Returning to today’s reality we get to face a funny issue that most organizations try really hard to cover up from their Interested
Parties as well as their customers: their Business Continuity Arrangements only exist on paper which is taken out of the drawer a
week before the assessor’s arrival on site!
One might not easily believe this but trust me, it’s a common issue that all the documentation along with the assessment report
gets into the drawer, and so do the Non-Conformities raised during the process. People tend to think they will be getting away
quite easily with neglecting their duties and will have enough time to make up for it some days before the next assessment. This
is not true of course as retaining a certification might prove to be a tough cookie and one has to work even more in order to
always excel and maintain the certificate. In fact it might as well require much more effort to do so in some cases, especially if
the organization within focus is a relatively small one.
Others went as far as purchasing an off-the-shelf solution that has nothing in common with their business, and the really
disappointing fact is that they only get to realize so when they need to invoke their planning.
Napoleon used to say that time spent planning is always invaluable and I tend to agree with that, as the plan itself does nothing:
it’s just a piece of paper. People do things and respond to situations, so one has to become very extraverted with their planning
within the organization in order for it to really do what it is supposed to – save the day.
The thing is that it’s not just a problem with organizations not willing to comply with what a Management System requires and see
the real benefits of it; it’s also a problem with the certification bodies. In some cases, mostly when it comes to local and
not international ones, the only thing an organization seems to have to do is spell its Credit Card
number correctly on the Accreditation Application Form, and the rest instantly becomes history. Of course, one can quite easily
understand that Accreditation Bodies are also businesses that are expected to make a profit, but in some cases this goes way too far.
There is always a balance to be had there and one should be very careful with the choice of the respectable Accreditation Body to
get on board and then enjoy the mutual value and benefit of a fruitful cooperation that will make everyone happy, customers
included.
4. MANAGING EFFICIENCY & STRATEGISING FOR SUCCESS
There are always two ways to do things: the easy one and the tough one. Doing business in a mostly challenging environment
such as today’s political, social and economic scenery globally is a risk in itself.
Nevertheless, we have to be positive, because wherever a risk lies, an opportunity is nearby, and if we all manage to foresee what
future needs might be, we’ll have completed half the way to success.
Living and operating in a hugely unstable environment like nowadays reminds us about the Survival of the Fittest. The fittest used to
just be a bunch of super-performers that would and could do anything in order to succeed, driving the whole business strategy
forward and keeping the revenue streams increasingly flowing. But it feels like they would not care about their dependencies on
external partners, third parties, regulators and suppliers.
Suppliers seem to have the biggest part of the puzzle, as your customers only know you as the service provider and not the X
supplier that supplies you with the Y product, rebranded with your own company logo. Will they stand their ground when a
major issue hits not your door but theirs? Do they have Business Continuity arrangements in place as well? Will they be seeing
you as their best and only customer so as to be served first after a disruption, or are there others that will have increased priority to
be serviced ahead of you? Will they also remain unaffected if a wide incident such as a big earthquake or a country’s financial default
occurs, or will they be forced to close down their business? What if they are your most critical suppliers? Do you have alternate
arrangements in place?
These are some really difficult questions that nobody would like to answer in total honesty, but in some cases you might as well
need to be the one answering these and it’s always better to be prepared beforehand.
Modern operational environments do not forgive mistakes, nor do they forgive a lack of proper solutions. You always have to be
alert and plan based on others’ failures more than on their successes, as that way one will have the benefit of knowing how it feels to be a
failure – something that nobody wants or needs, as it reminds us of the naughty step.
If you’ve spent time planning for the unforeseen, you’ll get to see the real benefits of it sooner or later. One thing is for sure:
solutions that are not rocket science are always the best. Again, there is a balance to be had and one should always try to take the best
advantage out of the efficiency planning.
Always keep an eye on what the competition does, not because of the fact that “they know best” but because you might as well
see very clearly what practices you have to avoid. This is efficiency as well. Try to make the best use of your resources, because you
do not really need a sledgehammer in order to break a nut. Super Data Centers should not have mirror ones, as the cost of
procurement as well as the cost of maintenance is huge and you’ll never get to see the real return on investment there. A smaller
scale solution hosting just the critical services that you quite successfully managed to identify during the Business Impact
Analysis process is usually more than enough – if tested and documented appropriately.
5. SCENARIOS ARE FOR MOVIES NOT BUSINESS
Probably the biggest hit nowadays, if you are a Business Continuity consultant, is Scenario-Based Planning for BCM. It keeps
the money flowing into the consultancy company forever, as scenarios are countless! One might have planned and really well
documented processes in order to withstand a thousand different scenarios that might happen, and if something changes just
slightly, the whole planning and the time spent instantly become useless.
More importantly, when people are trained to only respond to specific scenarios, not all of them will be the right ones to react if
something different than planned happens. Business Continuity Management is a habitual thing, which is why I tend to call the
whole process Habitual Business Continuity: people do what they are used to doing, the same way we perform
evacuation drills in buildings because we need people to act without thinking when the real incident happens.
Instead of using scenarios for planning, one should focus on impact. It really makes no huge difference if your building is hit by a
fire, flood, power outage or anything else; the only thing that matters is that you cannot get into it. This really makes a planner’s life significantly
easier, maintenance a piece of cake and people much more confident when responding to incidents. This – again – is efficiency.
6. IS BOARD ON BOARD?
One of the most common questions I get asked is how to get board buy-in. I will use my German hat to answer this: Well, it
depends. Again, there is not a single solution that fits all; you just need to be a clever manager in order to get a feeling for
what their worst fears are and make them feel – I mean really feel – that you’re there to ease their worries.
In some cases, it all gets down to the specific culture and management style of the organization one works for. There might be
management teams liking to hear about figures, investments, revenues, expansions, takeovers etc., but one thing is for sure: when
the next incident happens, they will all be asking the same things: 1. What are the consequences to the business? 2. How much
time do you need to fix it? 3. How much money will it cost to be fixed?
My personal suggestion would be to have one-to-one meetings with all the top board members and listen carefully to their fears
having to do with their own part of the business. Then, having done your homework, go back to the board meeting room, ask for a 15
minute presentation on BCM, spend 12 instead and show them their worst fears, what the chances are of them being
materialized in the near or not so near future and how you can help them overcome those with some relatively small investments, mostly
dealing with human resources and smart use of existing arrangements.
Next time, during your first wide rehearsal for the Crisis Management Team, do just one thing: scare them. They need to
understand that crises do not respect positions, calendars or borders. If they did, they would then become predictable and routine,
and we all know they are not.
One last thing about boards: the best performing Crisis Management Teams are the small and flexible ones. Get more than 5-6 members
in the CMT meeting and you’ll have to at least double the reaction time.
7. SOME FINAL WORDS OF WISDOM
One may think that doing Business Continuity is relatively easy but this is wrong. BCM is a tough discipline that in many cases
does not forgive mistakes if done the wrong way. It’s not rocket science, it’s just a series of practical arrangements that one has to
put in place and make ends meet always trying to be ahead of the game, realizing and accepting at the same time that not every
risk can be mitigated.
One thing we should always keep in mind and try to have as a motto in order to succeed is: Nothing Left To Chance, as “Five
minutes before the party is too late to learn how to dance”. Stay en garde!
8. ADDED VALUE TO INTEGRATIVE RISK MANAGEMENT
The subject discussed here is one which continuously gains significant importance in the Board Agenda within organizations
internationally and is a discipline that walks hand in hand with Enterprise Risk Management, sometimes overlapping, sometimes
not.
The intention is to be honest with the attendees of the presentation with regard to what is a myth and what really is true regarding the real
benefits of a Business Continuity Management System and how it should be addressed properly.