IX Business Continuity International Conference

by Jorge García Carnicero

As every year, BSI has been the promotor of the Business Continiuty International Conference, in its IX edition. The place that has been chosen this year was the Gran Melia Fénix Hotel, in Madrid, where the conference took place at first hour of the morning. In a room almost full, with 50 or 60 people, BSI shows that their ability for calling business continuity professional is healthy.

The first speech was driven by Jose Luis Miguel, Country Manager at BSI, that was exposing the BSI capabilities in both generating standards and auditing and in training. Then, he presented the results of the Horizon Scan Report 2016, led by the BCI and promoted by BSI, highlighting aspects such as the top ten threats of continuity, which can be seen in the image or the percentage of companies seeking to increase its budget business continuity for the coming months / years .

The second speech was done by Julio San Jose, from EY, in tandem with Cristina Pereira, continuity responsable at Abanca. Julio emphasize about the key aspects related with continuity:

• Need of deploying tests and drills.
• The importance of crisis communication.

He comment aspects as the different estrategias of communications that existe (in a good or a bad way): Silence, Negation, Responsability transference, Confession and controlled discretion, been Confession the best communication strategy.
(I would call it Transparency)

Cristina Pereira exposed the case of Abanca, commenting the different problems with which she has been to deal with when deploying the Business Continuity Plan in the organization. In the same direction than Julio’s speech, she also emphasized the importance of drills.

Before the break, took place the third speech carried out by Agustin Lopez, as representative of DRI in Spain. Agustin exposed the different contingency scenarios in the datacenter with an original presentation, using classical films as a thread (back to the future, Groundhog Day, etc)

When the Confee Break and Networking moment finish, we come back to the room, in which GMV was responsible for the fourth speech in the morning. It was based on the business continuity management system (ISO 22301) and the possibility of integration with other management systems standards, like security (27000), IT Management (20000), quality (9000), etc, with an orientation to certification.

The fifth speech was performed by Uxía Fernandez, from Grupo Ozona. Uxia expose the concept of IRBC (ICT Readiness for Business Continuity) that is used in the standard 27031. Uxia expose the content of the standard with the 5 mainstays as a elements to protect: Facilities, technology, people, data, providers and process. Since usually only technology and data was taken into account, Uxia would like to make special consideration about the other elements. It was a long speech.

Finally, the sixth speech was done by Ricardo Mesias, Risk Management Director at EDP. Ricardo made a speech showing the main problems that he had to deal with in developing the business continuity plan in EDP. He talk about the team, about achieve the complicity of all departments of the company, about the importance of test, about the metrics and about the external support, which is always important.

Conclusion

As a conclusion, I think that the role of BSI maintaining this event year after year is laudable and all the business continuity professional should be thankful about that. This event is a meeting point and is also a way to measure the state of the art of business continuity in spain.

However,  I think that messages has to be improve, since many of them are not showing the actual situation of customers. Recently I was reading an article of Amy DeMartine, senior analyst research in Forrester research for Devops, for Computer World that I think is applicable in Business Continuity. She said: “I think the reason why a lot of companies start with DevOps activities and forget the security staff is that there is a cultural gap. Security people speak a language almost different - incidents, vulnerabilities, risks - , so everybody put them at the end of the development life cycle”. This could be applicant also to business Continuity, that should be included in all the processes of the company but, however, it’s not, at least in Spain. If we focus on the management system and we forget that continuity should be practical it will drive us to see Business Continuity as a waste instead of an investment.  

Recently has took place the Business Continuity Awareness Week, led by the BCI, with a main objective: to show the ROI of the continuity and I think we should learn about int.
Although obviously, BIS as a promotor of the event has to focus speech on management systems, is urgent and essential to update the messages to a market reality different, mainly in the IT area.  It makes no sense to talk about take a tape out of the datacenter when all companies are talking about backup in the cloud, making a third copy in a public cloud, for example.

Evaluating the Protocol for the prevention of pollution in Madrid.

by Jorge García Carnicero

Traffic restriction in Madrid because of high levels of pollution offers different analysis from a business continuity perspective, since the difficulties of employees to reach their workplaces (already driven in different posts in the past, like traffic jumps or snow storms, etc) to the supply problems that could impact to small  shops. 

However, I would like to focus on the measures and the response carried out by citizens to the restrictions imposed by the council.

 

From a general perspective, the problem could be summarized as the following: during the last week a powerful anticyclone has installed in the Iberian Peninsula which has bring a very stable situation from a climatological perspective, but that has led an grow of the concentration of nitrogen dioxide, NO2, which is a pollutant produced mainly in the fossil fuel combustion process, and cause serious health problems.

The Madrid Council has decided to try to reduce the pollution level activating the Protocol for the Prevention of Pollution in Madrid, which is a set of measures that has to be adopted during this scenarios the high level of pollution by nitrogen dioxide. 

Beyond the political analysis, which is probably debatable and subjective, I think it is worth analyzing the mentioned Protocol and the answer is having citizenship.

The Protocol is divided into 4 blocks:

1. Introduction, in which is described the air pollution problem and their risks. 
2. Zoning the city: in order to propone the correc measueres, there are defined 4 zones: M-30 interior, South-east, North-east, Northeast and Northwest.
3. Actuation levels definition. There are three differents actuation levels, depending on the Nitrogen Dioxide concentration: Prenotice, Notice and Alert. Recollected data from the measures stations are used to do so. 
4. Possible Scenarios: There are described different scenarios depending on the level of contamination and the time since citizens has been under this contamination level, going from Scenario 0 (informative), level 1, 2 and 3 (Notice or Prenotice) and reaching the highest level as an Alert Scenario. 
5. Measures: Define the different measures that are going to be carried out in each scenario.  
6. Activation and deactivation of levels. Activation and  deactivation criteria
7. Description of operational activities: Identifies the Group which is responsible of the application of the Protocol as a group of coordination and implementation of the protocol. 
8. Effective date.  Date in which the Protocol will ve effective (march the 1st 2016)

As it could be seen, the Protocol has a tipical squema of a Business Continuity Plan, except for a point which I personally consider highly important: Test. Perhaps if these tests were defined before the activation of the protocol and this test should be carried out there wouldn’t haapened such a lack of understanding and mistakes that has happened during today. 

Even so, activation of the protocol itself can be considered a test of coordination and citizen response to an exceptional scenario, because in this case the scenario is important, but not critical. It can be used as way to test the agility when transferring information to citizens, stablishing the response measures and evaluating the response of the compliance of proposed actions. 

In a permanent connected world, like today, in which citizens are continuously getting information about what happen, there are opportunities to define scenarios and response measures by big cities councils more ambitious than the ones defined by now. This is what should to be seen by governments in order to increase the resilience of cities and the services that are delivered to the citizens and the companies in which the citizens are working. 

Transport Problems

By Jorge García Carnicero

This week there has been two events that should be attended by business continutiy managers in their continuity scenarios. There are the huge traffic jam that occurred in Madrid last Monday and the problem because of a sabotage in the rail singaling system in the  highspeed traing (AVE) between Madrid and Barcelona. Both events has had the same consecuence: lack of certain profiles in their work places, that could be in their usual work place or after traveling to other city.

Analyzing possible solutions for this problem, and assuming that  it’s not possible to foresee the problem before it happen, the best option is to establish the mechanism required to:

1. Warn the employees that there has been a problem related with transport, which requires that the company must realize that there is a problem
2. Establish the mechanism required in ordert the employees could work remotely, through teleworking/homeworking.

 Undoubtedly, to allow the employees to be warned there has to be established a supervision system by the company, which requires a 7x24 alert system. This system could be rolled out internally or could be outsourced, always taking into account the cost-benefit relation. It could be also interesting to be incorporated in the early alert system, in the security SOCs, for example.

From teleworking, are still valid the solutions described in my post Legionella, a real threat

Dangers of poor crisis communication: a plane in the water?

By Jorge García Carnicero

There has been talking a lot in business continuity forums about crisis communication and about how social networks could help to broadcast information to our stakeholders in an easy way, but needless to say that it is always necessary to have some restraint in sending these communications and that the people who should be responsible for these activities should be sufficiently trained to give the right information to meet strictly our needs.

The case that has made up to develop this post in the blog is the fake alarm that took place last Thursday 27th of march, when the canary emergency service 112 (@112canarias), send the following tweet:

«Control Canarias confirma caída al mar de avión a 2 millas costa #GranCanaria a la altura de Jinamar. Se desconoce el número de pasajeros». 

Canarias control comfirms that a plane has fallen into the sea, 2 miles from the #GranCanaria cost, in Jinamar. It's not identified the number of passengers.

Until this moment all activities were in within normal, with the activation information exchange protocol between the airport authorities and the emergency service. But with this communication, validating the visual evidence that were being received from different points, the event went to another dimension. Media around the world assume that the news were true since canary emergency services is suppose to be a reliable source. In fact, the Canary 112 service has one the emergencies twitter profiles with more followers, more than 53,000,

The story was not greater because the 112 service itself gave the lie to the news 9 minutes after:

 Respecto posible accidente avión, SAR, Control Aéreo y helicóptero #GES confirman que se trata de remolcador tirando de una embarcación

About the possible plane accident, SAR, aerial control and helicopter #GES confirms that is a tugboat.

However, the tweet had been resent ad retweeted a lot of times, suffering a major impact and opening the debate of whether social networks are an appropriate communication channel for crisis notifications . In many cases, reaching the demonization of social networks.

Some links to the news

http://www.bbc.com/news/world-europe-26774885

http://www.ciutat.es/portada/sucesos/item/12758-asi-fue-la-pifia-del-accidente-aereo-de-canarias-un-avion-en-el-agua-ni-idea

http://www.abc.es/sociedad/20140328/abci-cronologia-avion-canarias-201403282017.html

Jazztel and the Crisis Communication

By Daniel Blanco Real

Last Wednesday 12th of march Spanish telco company Jazztel suffered a outage on its mobile phone network, both data and voice, since 13:30 to 21:00 approximately. From a Business Continuity point of view, there could be a lot of different analysis, but with the information that has been brought we can not define if it could be a problem in the continuity plan of Jazztel or if the service was activated in the recovery time objective or how the outage affected to the enterprises and what kind of alternative services they activated. What we can do is to analyse the crisis communication plan.

The internal communication plan will be out of the scope of this article, although it will be very interesting to know what kind of strategy would be carried out by Jazztel to this kind of unavailability scenario. Each time that we talk about alert notification, we think on call to mobile phones of persons included in the plan. As interruption was in business hours, it’s easy to assume that the communication was made by internal communication systems, like landline or any media based on IP. But would be highly interesting to study other alternatives in the carrier’s case:

• To have Dual SIM mobile phones, with a SIM of another carrier to carry out the crises communication (However this involves removing the vast majority of managers in Spain from crisis committees. I have still not seen any Iphone dual SIM)
• Communicate to personal phones, if there are not Jazztel phones and assuming that the managers has two mobile phones (something as unusual as the iphone dual SIM).
• Other kind of communications: landline, email (not too much reliable since there are not certainly received by the receptor), searh engines?

About the communications plan that carry out in the media and the users, could be analyse by information published in the news and social media, and also by customers itself.
Adslzone did a follow up of all notifications realized by Jazztel, and also of messages sent by Jazztel users to what they created a foro
The first messages sent during this kind of incidents is essential and must be clear, precise and use the best channels in order that all receivers will be reached in the fastest way.
Jazztel need three hours from the beginning of the outage to send the first official message at 16:15 and used its twitter account and its official blog to send the following message:

“We have an incident in our mobile phone service that affect to a big amount of our customers, not to all. The company is working on restablishing the service as soon as possible. We’ll keep you informed.”

Analysing what happen until the official Jazztell communication, we can realise:

Time until the first message
Three hours. Taken into account that since 13:30 there was a lot of topics in social media, it seems that it would be too much time to send such a short message and with very short information.

The selected media was twitter and the Jazztel official blog 
Is this the best way to communicate to their customers?
It could be yes or not, but is a good way to ensure that the message will reach all the national communications media that are following the social media in the big companies or IBEX35 companies and in this way, advice to the customers.
It’s also a way not to waste time organizing media rooms to deliver an official communication, apart from avoid, obviously, undesirably questions or questions not easily answerable in a moment in which there are a lot of details clearly identifies about what are carrying on.

Call Center
Apart from the official message, the customers calling the call center was informed through an answering machine indicating that there was an incident in the mobile phone service of voice and data, ant that Jazztell was working in recovering the service and tell the customer to call later to know if the incident was solved.

The Message
Both in the call center and in the social media there was no information about what had been the issue that could cause the problem, the estimated resolution time or the scope of the issue and number of customers affected.
There are a lot of factors that are not kwon and perhaps it would be better not to communicate certain issues as, form example, service restoration time, but the extent of the damage, if they knew, should be included. The message was launched trhee hours after the outage and it could be identified customers talking about their problems and located in different places, so it could be quickly identified that the problem was not a local incident but a national problem. This generate untrust about the capacity of Jazztel to solve the problem, the severity of the error that caused the problem and so the time that users are going to be without service (at the end the most important thing)

It took close to five hours to Jazztel since the first official message in deliver another message, at 20:07, in which they say that will compensate the users affected by the incident.

“We’re still working in reestablishing our mobile service as soon as possible and to solve the incident. Jazztell will compensate automatically to all customers affected by this incident without any kind of request by them.
Once the service will be reestablished, the company will contact immediately with all  the customers affected to keep them informed about the resolution."

The message
Although the message begins with a clear statement of intent to fix the problem as soon as possible, still no report on the fault that caused the problem, the approximate time resolution, or what the extent of the damage and the number of clients affected. This time the message focuses on talk of rewards to those affected, without really knowing applications without injury or damage caused in this way and try to mitigate as far as possible the damage ratio and confidence that is causing the incident.

At 22:00 the mobile phone service begins to recover, but is not until the next day when users recevies a SMS at about 11:00 or 12:00 askin

A las 22:00 horas se comienza a recuperar el servicio de telefonía móvil, pero no es hasta el día siguiente cuando los usuarios reciben un mensaje SMS sobre las 11:00 – 12:00 apologizing for the damage and report back to the next bill.

A communication plan should be well prepared in order to facilitate that such communications are carried out effectively and in time with accurate and concise information and allow especially and foremost that the situation is under control. It’s important not to generate more questions than existing ones, mistrust and causing a impact in the image that can immediately affect to the business, short and long term.
Now it’s time for  everyone to judge if whether jazztel communications was performed properly?

Whatsapp service availability.

By Jorge García Carnicero

Whatsapp is the mobile application that has been adopted faster by most messaging users, becoming essential in a short period of time. Beyond the typical messaging functions, sending messages to groups of users has been established as the most common way to communicate between people, specifically when using the telematics platforms to coordinate activities of the real life.

Last February, 22nd, Whatsapp suffered one of the most important outages of its history, or at least it was the outage that affected a greatest number of users. A big amount of users didn't realize the service unavailability until about 7:30 pm., loosing their communications with their virtual environment without having an alternative way. But why?, because there are a lot of alternatives: SMS, Line, Telegram, Skipe and applications that are part of bigger systems, like Facebook Messenger or Google Hangouts. Because not all user though on the same alternative and two parts are required to establish a communication. The easiest solutions for most users was to make a telephone call.

Further than the panic and anxiety attacks suffered by some users, the analysis of the outage of Whatsapp from a business continuity perspective must be done taking into account that Whatsapp is becoming a real communications provider.

There are a lot of self-employed and SME that are using Whatsapp as a communications channel with their customers, making advertising with the green logo of the messaging company. It brings the company a modern branding  and a feeling of beeing close to the clients because the logo has positive emotional connotations: it’s associated with the contact with our most close environment in the mobile, our family and our friends. Without any doubt, it could be a very good decision from a neuromarketing strategies perspective. I wouldn't want to raise the debate of whether this use could be considered as legal, since in the Terms of Service Whatsapp expose clearly that it must be used only for non-commercial purposes. But, Can be Whatsapp be considered as a real corporate communication tool?

Little by little, step by step, people using Whatsapp for communications related with their professional activity are becoming more dependent of its service, but nobody ensures them that the service will be available in the terms they could need. Moreover, in their Terms of Service  Whatsapp avoid any kind of responsibility or damaged that can cause by their unavailability. In combination with the lax requirements defined by the regulatory organism (CNMC in Spain), makes the service should be considered unreliable in terms of business continuity.


In order that this could change, the service should be submitted, at least, to the same regulatory requirements that a telco operator. But it seems that is not going to happen in short terms, at least it's not included in the new Spanish telecommunications law  (ley general de telecomunicaciones) that is being processed during this months. So the recommendation that we have to make from a business continuity perspective is that Whatsapp should not be used as a corporate communication tool (and of course neither should be Line, Telegram, Skipe or whatever under the same circumstances). At least is has not to be used as a main communication channel and if used, their would be always an alternative way to establish the communication with the customer.

Last point of the analysis is the lack of agility of Whatsapp when communicating their problems. Although the services outage was at 7:30 pm the incident was recognized and communicated by the company at 21:16 by twitter in its account @wa_status. Could it be because Whatsapp founder and CEO was in Barcelona, in the MWC, this weekend?

Auditing Providers, Intrusion or need?

By Moises Lopez Soto

During the last years, there has been a diversification in the way the services are being delivered, increasing the number of providers that conform the supply chain and, therefore, the complexity in the control of all components to provide success in the final result. Trends as Outsourcing some time ago and recently Cloud are clear examples.

We find ourself everyday facing the challenge of ensuring business continuity of our organization with a high number of external agents and, in some cases, this external agent could be absolutely essential to the future of our company. That's why we must take action and act proactively to strengthen the links in the whole chain, minimizing risks and cushioning the impact that could suppose to our business the break of a weak link. This is a complex task when we have to control process and resources internally so it's easy to assume that it would be much more complicated with external agents which have full freedom to be independent in their process and way to deliver their services.

SLA is not enough

Establishing Service Level Agreements are completely valid and necessary on areas of service such as capability and availability but when we are talking about continuity it become insufficient. Among other things, this is because we are not referring to both the supplier's ability to give service but to their ability to keep delivering it after suffer a contingency.

The most common solution is diversification is relying on a model of "duplicity" in a provider-service base, with a relation of N to 1 and with a minimum of two, just as if it were a load balancing in a data network. In some cases this is the usual way to deliver the service,  in other scenarios suppose an increase in the resources required for service management with a greater workload for staff but, nevertheless, is NOT a valid solution for all services. For example, it is usually to stablish this kind of countermeasures when we are talking about business critical services like providers of essential services (electricity , water, etc. . ), when the solution is too complex or too expensive, when there is a monopoly or when there is a single infrastructure common to different suppliers, etc. Any way, it seems absolutely clear that a relationship model in which provider and the company has to be strength enough to carry out all contingency scenarios just as if they were the same company.

Audit process, an interesting weapon

It could be close the day in which the ISO 22301 (or similar) would be required to provide some kind of services, just like there is required the ISO 28000, the ISO 9000 or, even, the ISO 20000, but until that day arrives, audit processes becomes an interesting weapon. On the one hand it would bring a very significantly strengthen in the customer-provider relationship and on the other it will help to raise awareness, work and improving business continuity in both companies.
It is true that providers can refuse, just as we can see in the event that was supported by SIA last year, but it must be the customers which would has to assign some weight to the Business Continuity countermeasures that could be included by their provider in the proposals of service delivery.

Providers should consider the audit processes just like turning point in their business continuity activities, or if they have not done anything before a staring point, to provide resilience to their own business, having the opportunity to strengthen and enhance the relationship with their customers and, at the same time, get a business-marketing revenue on their actions in this field. On the other side, customers should approach them in a constructively way, focusing on growth and providing support and advice to the audited provider. Definitively, a Win-Win relation.

Now a days, audit processes are called to be the main element in order to ensure the strength of business continuity management system and so, the resilience of the company, so it seem to be more a need than an intrusion....