Friday 25 May 2012

5th Business Continuity International Conference

As every year, and this is the 5th, the 5th Business Continuity International Conference by BSi took place last Tuesday 22nd in Madrid and Wednesday 23rd in Barcelona, this year with the new standard ISO 22301 being launched. Below I summarize the event with a short description of each lecture of the Madrid conference, which I had the pleasure of attending.
With an attendance of more than 150 people from different industries, the room was practically at full capacity.
 
• Introduction and welcome by Marcio Viergas (BSi general director). He gave the general definitions of an ISO standard, the different committees and how BSi, as a standards developer, has historically contributed many norm developments that became international standards. ISO 22301 is called to be an important international reference and is predicted to be a boost for the industry and, judging by the attendance at the conference, that looks set to become a reality.
• From BS25999 to ISO 22301 - Business Continuity Management by Agustín Lerma (BCM Product Manager at BSi). Agustín outlined in general terms the content of the standard and its correspondence with the Deming cycle, which is mainly the following:
    • Plan: 4. Context of the organization; 5. Leadership; 6. Planning; 7. Support
    • Do: 8. Operation
    • Check: 9. Performance Evaluation
    • Act: 10. Improvement
  Agustín also described the alignment of the standard with ISO Guide 83, about standard structure, PAS 99 about management systems and ISO 31000 related to risk analysis.
• The new International Standard for Business Continuity: ISO 22301. Dave Austin (member of the ISO committee for the development of standard 22301). Dave explained the standard in depth, in some points overlapping with Agustín's lecture. Highlights:
    • The standard is equivalent to BS 25999-2, so the schema will be complete when ISO 22313 is published. Its publication is scheduled for next year.
    • There is a new concept, MBCO (Minimum Business Continuity Objective).
    • Legal requirements specific to each country are included.
    • Risk evaluation is aligned with ISO 31000.
    • Strategy had some shortcomings in BS25999; in the new standard it is better defined, proposing the identification of measures to reduce probability and impact, RTO definitions, resource needs and actions to comply with protection and mitigation requirements.
    • Incident communication is much more complete and given more importance. Better integration with emergency systems is proposed.
• Business Continuity Management end to end. Fernando Picatostes (Deloitte). The lecture was based on Deloitte's business continuity methodology, too focused on risk. Incidents in which Deloitte was involved some years ago (the Windsor building and the Twin Towers) were mentioned, as usual.
• Crisis management and Business Continuity. Andrés Gonzalez (Near Technologies) reviewed the main security and business continuity incidents that have occurred lately and the lessons learned from each one: Twin Towers, Tepco in Japan, Spanair MD-82, etc. The "prezi"ntation can be viewed here
• Risk Management ISO 31000 and integration with the new ISO 22301. Angel Escorial (AGERS). After describing what the Asociación Española de Gerencia de Riesgos y Seguros is, Angel made a deep review of standard 31000 and contrasted it with ISO 22301. From a personal point of view, the lecture was very interesting and I highlight one phrase: risk management works with impact, while BC management works with time and impact. If we think of continuity as risk management, I think it is not the best approach, in line with the title of this blog.
• Business case of Telefónica UK in Business Continuity. David Clarke (Telefonica O2). With one of the most complex business continuity management systems, David explained the long way he had to walk before certification. From the lecture I highlight the benefits of implementing BCM, which I think are key for every BCM system:
    • Increased trust from customers, partners and third parties.
    • Ability to work with suppliers to build continuity strategies.
    • Industry recognition.
• Experts colloquium - Workshop about the new standard ISO 22301. Julio San Jose (Bankinter), Fernando Picatostes (Deloitte), Andrés Gonzalez (Near Tech.). Moderator: Marcio Viegas. Due to agenda problems, I could not attend this interesting colloquium.
Conclusions
With a large attendance, the event shows the general interest in Business Continuity from the different Spanish companies and organizations. Furthermore, the fact that ISO 22301 has been launched leads one to foresee that directors' interest in BC will rise.
From an organizational point of view, once again, congratulations to BSi for the professionalism with which both the call and the event itself were held (Congratulations Patricia, Silvia, Belén and company).
Regarding contents, I think the general feeling among attendees was that they were poor, mainly those from BC service providers.

Saturday 5 May 2012

Business Continuity and Operational Risk

After the recent Argentine government's decision to nationalize YPF, followed by the Bolivian government doing the same with the REE subsidiary, a debate has started in different business continuity forums about whether or not to include this scenario in the scope of Business Continuity plans. Does a Business Continuity manager really contemplate the possibility of an expropriation? And, by extension, should bankruptcy scenarios or extremely adverse economic situations, like those caused by the economic crisis, be included in the scope of the plans? It is not a trivial question, since the scope will determine the economic requirements of the Business Continuity program and the roles that will be responsible for BC in the organization.

An answer to this question can be found in operational risk management and its integration with Business Continuity management. Operational risk management seeks to analyze those factors that can negatively affect the business, defining this, as in every risk analysis, by probability and impact.

In some industries, like finance, operational risk management is a common practice. In fact, financial system regulation (Basel II) defines operational risk as:
    “The risk of loss resulting from inadequate or failed internal processes,
    people and systems or from external events.”

This is quite similar to a risk analysis from a Business Continuity point of view.
Going deeper into Basel II, it defines seven categories of operational risk:
    • Internal fraud;
    • External fraud;
    • Employment practices and workplace safety;
    • Clients, products and business practice;
    • Damage to physical assets;
    • Business disruption and systems failures;
    • Execution, delivery and process management.

Although some of these categories seem quite close to Business Continuity categories and scenarios, not all of them need to be included in our business continuity plan. For example, damage to physical assets can be covered by our BC plan, including an IT service recovery plan and all the recovery procedures. However, internal and external fraud seem far away from Business Continuity.

As Richard Wartered, from Marsh Risk Consulting, stated in the workshop Risk, Resilience & Continuity by the BCI, the BC management process and operational risk management must begin at the same time and independently, joining results when defining risk mitigation strategies.

It is necessary to take into account that the objectives of BC are to recover the service or the delivery of the product after a disaster or disruptive event occurs, whereas risk management has to be focused on preventive actions, before the occurrence of the disaster.

In order to define the BC scope, the best practice is to follow BS25999, and hopefully ISO 22301 soon, which defines five components that have to be included in the plans:
  • people (7.3)
  • premises (7.4)
  • technology (7.5)
  • information (7.6)
  • supplies (7.7)

As I described in my previous post (Components supporting business), depending on the characteristics of the business, each component will have a specific weight in the delivery of services or products.