Thursday 28 July 2011

Where to begin.

There are many types of organizations: government or public, big or small, SOHO, etc., and each of them has its own objectives. This heterogeneity means that each organization has its own motivation for establishing its Business Continuity program.
A key trigger is often the news: when a disruptive event, a natural disaster or an unexpected incident occurs, it can raise some kind of awareness among directors, who may ask themselves: what if it happens to me? After that, management usually identifies an internal business continuity manager to carry out the program and, if there is enough budget, asks for external help from consultants.

The next step is looking for a reference that can show the best way to carry out the program. Both the BC guides and standards (the GPG from the BCI, ISO 22301, etc.) and the consultancy methodologies develop an inventory of business processes, an inventory of resources, a risk assessment, a business impact analysis, and so on.

But what I am going to put forward is a different way to begin in Business Continuity which, from my personal experience, could be the best way. The main aspect of any initiative is awareness, so it is the first thing we have to promote, and it is what grants us success in the other phases of the program. And, of course, the best way to build awareness is with a TEST. So, my recommendation: carry out a drill without a lot of preparation but, of course, always with the complicity of management.

An example of this approach that I have experienced was a drill in a European organization where a new director arrived who had been working in the military. He decided to conduct a drill based on a bomb at the main entrance of the building. Surprisingly, the results of the drill were better than expected, mainly because of the leadership of this director, but a lot of lessons could be learned, many conclusions were drawn and lines of action were identified to work on.

But be careful, because this formula may not be valid for some scopes. For example, if our scope is only IT Service Continuity, we cannot conduct a drill this way: we could cause just the opposite of what we were looking for.

Tuesday 26 July 2011

Starting the blog

This is my Business Continuity Blog, started in August 2011 in the Spanish version and in August 2012 for the English version. I've translated all my previous posts into English and, from now on, I'll publish every post in Spanish and in English at the same time. I really think that the BC sector needs this kind of initiative, at least in Spain.

In this post I'd like to justify the name of the blog; people who have worked with me have already heard these thoughts. I've been saying it for a long time: ladies and gentlemen, Business Continuity is not Information Security.
Information Security has such a big lobby in Spain that it leaves no room for adjacent sectors, like business continuity, because:
  • BC appears in ISO 27002 as a chapter of the ISMS.
  • The BC manager and the IS manager are usually the same person.
  • Usually, the IS manager has a kind of obsession with getting more and more responsibilities. It's a strange phenomenon, but it is quite common.
  • Consultancy companies usually include BC in their IS portfolio, just because the decision maker is the same and the skills of the consultants are usually the same.
  • Both management systems (BS 25999 and ISO 27000) have a lot of issues in common: policy, risk analysis, continual improvement, ...
All these things have made the inclusion of BC within IS far too common.

However, everybody who has been in touch with BC at any time knows that the concept of Continuity referred to by information security is a reduced version of Business Continuity.
Business Continuity is more complete and multidisciplinary than Information Security, because it has to understand the whole business, not only the information managed by the business. Depending on the type of business, IS and BC could be more or less aligned, but in general terms there are a lot of differences. For example, does IS have anything to do with shifts? I don't think so. Shifts are a key piece of BC for companies with a high dependency on people: call centers, supermarket cashiers, physical security companies, etc.

A good Business Continuity System must be integrated with emergency systems, building evacuation, self-protection manuals, firefighting, media relations, human resources... and these things usually have little to do with Information Security.