Policies and Standards in Business Continuity – Old Hat or Essential?

Policies? Sometimes that sounds like something from the 1960s, when companies were all ‘command and control’ and corporate rules couldn’t even be bent, let alone broken. In that sense, applying policies to business continuity could almost be an oxymoron: policies were what often hindered or halted enterprises, instead of encouraging continuity. Standards don’t always get good press either. But if there’s a problem concerning ‘policies’ and ‘standards’ for business continuity, it’s more one of perception. Policies and standards, when used correctly, become a useful, indeed essential, backbone for business continuity across the organization. So how can you make them work for you, and not against you?

The first thing to understand is that policies and standards, just like products and services, are defined after correctly identifying and specifying needs. When the requirements for business continuity for critical business processes are well understood, they translate naturally enough into policies and standards. Strategic e-commerce platforms, financial trading applications and medical systems may only be able to tolerate downtimes of a second or less. That might be the equivalent of “five nines” (99.999%) availability or better, in which a system or network has on average less than 6 seconds of downtime per week. By comparison, a human resources or back-office accounting application may be able to tolerate 1 to 2 hours of downtime a week (although of course you’d rather avoid it). That’s the equivalent of “two nines” (99%) availability.

The problem comes when applications with low criticality get wastefully high availability (99.999% availability costs money!), or worse – the really critical applications suffer unacceptable levels of outage. Some policies and standards were defined years ago. Since then, business goals and needs have often moved on. The solution is to go back to the needs analysis, the risk analysis and the risk matrix that are all part of good business continuity planning, rework them and then redefine policies and standards accordingly. That way you’ll apply resources where they’re needed, when they’re needed to achieve business continuity efficiently and effectively.
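The two paragraphs above describe availability tiers in words. The following Python is an added illustration, not part of the newsletter or of any DRI material: it turns an availability target such as “five nines” into a downtime budget per week or per year, and checks an application’s measured outages against the budget of the tier its policy assigns to it, which is the kind of check that surfaces both an over-provisioned low-criticality system and a critical one that is breaching its target. The tier names, percentages, application names and outage figures are all constructed for the example.

```python
# Added illustration (not from the newsletter): converting an availability
# target into a downtime budget, and checking measured outages against the
# budget of the policy tier assigned to an application.
from dataclasses import dataclass

SECONDS_PER_WEEK = 7 * 24 * 3600    # 604,800 s
SECONDS_PER_YEAR = 365 * 24 * 3600  # 31,536,000 s (non-leap year)

# Hypothetical policy tiers; the names and percentages are assumptions.
TIERS = {
    "five_nines": 99.999,   # strategic e-commerce, trading, medical systems
    "three_nines": 99.9,
    "two_nines": 99.0,      # HR, back-office accounting
}


def downtime_budget(availability_pct: float, period_seconds: int = SECONDS_PER_WEEK) -> float:
    """Seconds of downtime permitted per period at the given availability target."""
    if not 0.0 <= availability_pct <= 100.0:
        raise ValueError("availability must be a percentage between 0 and 100")
    return period_seconds * (1.0 - availability_pct / 100.0)


def achieved_availability(outage_seconds, period_seconds: int = SECONDS_PER_WEEK) -> float:
    """Availability actually delivered over the period, given a list of outage durations."""
    total = sum(outage_seconds)
    if total < 0 or total > period_seconds:
        raise ValueError("total outage must lie between 0 and the period length")
    return 100.0 * (1.0 - total / period_seconds)


@dataclass
class Assessment:
    app: str
    tier: str
    budget_seconds: float
    used_seconds: float
    achieved_pct: float
    status: str  # "within budget" or "breach"


def assess(app: str, tier: str, outage_seconds, period_seconds: int = SECONDS_PER_WEEK) -> Assessment:
    """Compare an application's measured outages with the budget of its policy tier."""
    if tier not in TIERS:
        raise KeyError(f"unknown tier {tier!r}")
    budget = downtime_budget(TIERS[tier], period_seconds)
    used = float(sum(outage_seconds))
    return Assessment(
        app=app,
        tier=tier,
        budget_seconds=budget,
        used_seconds=used,
        achieved_pct=achieved_availability(outage_seconds, period_seconds),
        status="breach" if used > budget else "within budget",
    )


if __name__ == "__main__":
    # Constructed sample: one week of outage records (seconds) per application.
    sample = [
        ("trading-gateway", "five_nines", [30, 90]),  # two short incidents
        ("hr-portal", "two_nines", [30, 90]),         # same incidents, lower tier
    ]
    for name, pct in TIERS.items():
        print(f"{name:12s} {pct:>7.3f}%  weekly budget {downtime_budget(pct):9.3f} s"
              f"  yearly budget {downtime_budget(pct, SECONDS_PER_YEAR) / 3600:7.2f} h")
    for app, tier, outages in sample:
        a = assess(app, tier, outages)
        print(f"{a.app}: {a.achieved_pct:.5f}% achieved, "
              f"{a.used_seconds:.0f}/{a.budget_seconds:.3f} s used -> {a.status}")
```

Run as a script, it lists each tier’s weekly and yearly budget (five nines comes out at about 6 seconds a week, two nines at about 1.7 hours) and then shows that the same two short incidents are a breach for the five-nines application but comfortably within budget for the two-nines one. Feeding it the outage log for every application in the risk matrix is one practical way to revisit whether each system’s tier still matches its business need.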

KL2014 Featured Speaker: Nazrah Rosli

The DRI KL2014 Regional Conference and Awards of Excellence will be held at the Grand Millennium, Kuala Lumpur, Malaysia. This year’s theme, “Managing Crisis and Organizational Resilience – Issues and Challenges”, will feature a comprehensive program with a varied pool of speakers from different industries and countries, who will share their views on the emerging threats and issues we face today.

In preparation for the conference, Thrive! Asia is featuring the topics and profiles of select speakers.

Nazrah Rosli, CBCP
Executive Vice President, Group BCM, Maybank (Malaysia)
Topic: Strengthening Resiliency Towards Regional Aspiration

Nazrah is the winner of the 2013 Program Leader of the Year (Private Sector) Award

Nazrah currently heads Group Business Continuity Management and also leads the Group BCM Secretariat for Maybank Group. She has 10 years’ experience in implementing and managing the BCM programme, facilitating BCM exercises and activations throughout all levels of Maybank Group, local and overseas. She strategises to meet the evolution of a global business continuity program, including ongoing changes specific to the organisation as well as the external environment, industry best practices and technology advancements. Nazrah also represents the Association of Banks in Malaysia (ABM) as a member of the Technical Committee on Societal Security for the establishment of Malaysian Standards under SIRIM Berhad, and is a member of the Committee of the Asian Bankers Association (ABA) promoting cooperation among member banks in disaster preparedness and recovery. Nazrah has also won the coveted title of Program Leader of the Year – Private Sector at the DRIKL2013 Awards of Excellence.

Disaster Recovery is Purely an IT Function – Or is It?

DRI ANZ

There is a temptation to consider disaster recovery as an IT-specific activity, conducted by IT staff to get IT systems running properly again after an incident or a mishap. Part of that notion is true. Disaster recovery is a term that is reserved for computer systems and networks, and recovering after an IT outage. With enterprises and organisations increasingly dependent on information technology, that also makes DR a large and essential part of business planning. However, as IT-centric as disaster recovery may be, trying to make it the exclusive responsibility of the IT department could be a big mistake. Here’s why.

If IT systems are down, departments must be able to continue functioning. Even e-commerce websites need some backup mechanism whereby they can continue to accept orders, whether this is as sophisticated as a mirrored online store or as basic as a temporary email address on another system. Being able to continue functioning in adverse conditions of any kind is the definition of business continuity. In the event that IT systems fail, it doesn’t matter whether you call it ‘BC’ or ‘enterprise DR’. The fact is that departments and business units must plan ahead to be able to operate in the absence of computer systems. Sitting back and trusting in the ability of the IT department to get things running again is insufficient, to say the least.

And while IT is battling to bring systems and networks back up again, somebody needs to give appropriate information to stakeholders – including customers – about what happened and what is being done to fix it. There are not many IT departments that combine excellence in both technical knowhow and relationship management. To calm down external ‘interested parties’ is the job of the public relations director or, often as not, the CEO. Indeed, as ‘enterprise DR’ involves the whole organisation, who better than the CEO to lay down the DR law by which all departments must abide? So while disaster recovery is naturally IT-centric, effective DR will often involve not just the IT department, but also the business continuity manager and the CEO too.

KL2014 Featured Speaker: Waleed J. Al-Dakheel

The DRI KL2014 Regional Conference and Awards of Excellence will be held at the Grand Millennium, Kuala Lumpur, Malaysia. This year’s theme, “Managing Crisis and Organizational Resilience – Issues and Challenges”, will feature a comprehensive program with a varied pool of speakers from different industries and countries, who will share their views on the emerging threats and issues we face today.

In preparation for the conference, Thrive! Asia is featuring the topics and profiles of select speakers.

Waleed J. Al-Dakheel, CBCP
BCM Head of Business Continuity Department of Banque Saudi Fransi (Saudi Arabia)
Topic: Pandemic Influenza – Latest Developments and Concerns

Waleed Al-Dakheel has 20 years of experience in BCM, IT Service Management, Risk Assessment & Analysis, Audit & Compliance, Vendor & Contract Management, and PMO. He also specializes in Business Continuity Planning / Disaster Recovery and Crisis Management. He is a DRI International certified Instructor and Exam Proctor for Business Continuity & Disaster Recovery for the Middle East & North Africa. Waleed has created in-house BCM standards, developed risk-based business continuity strategies, implemented and tested plans, and conducted training for BCM professionals throughout the region. His work includes a solid track record in incident management in real-world situations, ranging across in-house incidents, BC planning and development, and BCP and DRP simulation exercises. Waleed draws on his professional experience to guide participants through all aspects of a holistic BCM program and to apply these practices in their organizations. He has been teaching for DRI in the Middle East since 2013.

Business Continuity Depends on a Culture of Security Too

DRI ANZ

While protecting your organisation against disasters and blunders is a necessary step, it’s not sufficient for solid business continuity. Security breaches are a threat to all businesses and public agencies. With information fast becoming one of the most valuable assets an organisation can have, the natural consequence is that it also needs to be protected against theft or sabotage. But where should an enterprise start? The fact is that while technologies can be complex and security measures for those technologies doubly so, much of the protection required concerns the attitude and behaviour of employees. So while you’re evaluating the latest in anti-virus software and Internet firewalls, remember the following key points as well.

  1. Have a clear information security definition and policy. Make sure it includes relevant details on what is to be considered as confidential information and how to work with and safeguard that confidentiality, as well as suitable information retention and destruction rules. That also means versions for paper-based and electronic information, with shredders, locked disposal containers, computer hard disk wiping and any other necessary items.
  2. Tell staff that information security is essential. People don’t always work this out for themselves. Use regular training and awareness campaigns to make the information security policy a practical reality.
  3. Make sure that management sets the example in how to handle confidential information properly. Top management must be the role model for this. Weakness at higher levels will make it doubly difficult to reinforce information security at lower levels.
  4. Audit your information security on a periodic basis. Check awareness levels in staff, verify that the right solutions are in place and operational, and check for possible gaps or holes. And remember to think like an attacker, as well as like a conscientious business continuity or security manager. After all, as the saying goes, ‘it takes a thief to catch a thief’!

KL2014 Featured Speaker: Gary Villeneuve

The DRI KL2014 Regional Conference and Awards of Excellence will be held at the Grand Millennium, Kuala Lumpur, Malaysia, 4 – 5 November 2014. This year’s theme, “Managing Crisis and Organizational Resilience – Issues and Challenges”, will feature a comprehensive program with a varied pool of speakers from different industries and countries, who will share their views on the emerging threats and issues we face today.

In preparation for the conference, Thrive! Asia is featuring the topics and profiles of select speakers.

Gary Villeneuve, MBCP, CPSCP, CBCLA
Director of Education at DRI International (USA)
Topic: Keynote Address

Mr. Villeneuve has a Master’s Degree in Systems Analysis/Business and holds the Master Business Continuity Professional (MBCP), Certified Public Sector Continuity Professional (CPSCP) and Certified Business Continuity Lead Auditor (CBCLA) certifications, with over thirty years’ experience in business continuity, disaster recovery, emergency management and information technology.

Mr. Villeneuve is the Director of Education for DRI International (DRI). He has worked as a contingency planner, data center manager, database administrator, computer specialist and university professor. He has developed Business Continuity Plans, Business Impact Analyses, Disaster Recovery Plans and Strategies, Emergency Response Plans, Risk Assessments, and conducted disaster recovery exercises. His experience spans both the private sector and government. He has been a Continuity of Operations (COOP) coordinator and was instrumental on projects implementing information technology/continuity solutions for the Defense Department. In addition to teaching business continuity classes for DRI, he has taught computer science classes as an Associate Professor at colleges and universities.

Digging Down to the Real Causes of Business Disruption

DRI ANZ

Sometimes, despite the best-laid plans for business continuity, something breaks and business is disrupted. While the priority is to get business operations back in working order, it’s often worth taking a moment afterwards to reflect on the cause of the problem. There may be a big difference between the symptoms of the problem (for instance, a production line keeps breaking down) and the real cause (nobody renewed the maintenance and support contract). These two aspects must be distinguished and handled properly. In our example, you’d get the production line working again first, then put a contract in place for regular preventive maintenance. Symptoms are usually obvious. But what’s the best way of finding out the underlying cause?

A popular technique that applies to business continuity and disaster recovery as well is Root Cause Analysis (RCA). It involves five main steps:

  1. Define the problem. Observe and describe the specific symptoms.
  2. Collect data. Find out how long the problem has been in existence and the impact it is having.
  3. Identify factors that could cause the problem (and its symptoms). Look for the conditions under which the problem occurs, sequences of events that trigger the problem, and any other associated problems.
  4. Identify root causes. Don’t stop at the first one or two factors from step 3 above. Keep digging and asking ‘why’ until you get down to the real roots. For instance, you may find that the production line keeps breaking because there’s no preventive maintenance, which in turn is because an IT system failed to alert management, all because the IT department reorganised 6 months ago and this particular application ‘fell through the cracks’ (hint: now start looking at what else might have fallen through the cracks too!).
  5. Recommend and implement solutions.

There are several management tools and methods that can help you to do better RCA, including impact analysis, fishbone diagrams and failure mode and effect analysis. But you can also prevent a good part of any future business disruption simply with the five RCA steps above and common sense.