Learing how to improvise....

By Diego Pieruz

The other day Beatriz Portela (workmate belonging to the Tiger Team) surprised me with the following theme: “I’ve subscribed myself to a theater courses about improvisation” I immediately ask her: “Is it possible to learn how to improvise? , Could we use this concept in Business Continuity?”

It’s very curious that most workmates in the industry are agree with that it doesn’t matter how complete are the continuity plans, it doesn’t matter the level of awareness would be the organization and it doesn’t matter the number of tests and training that we had carried out, real scenarios usually are worst than the worse expected scenario. Then, shouldn’t we practice improvisation?

A lot of business continuity test and trainings are aligned with plans stabilized in the companies, and this is OK, but being realistic, fire is not always affecting in the same way, hurricanes doesn’t  cause the same damage and people who are supposed to act in an incident could have the mobile out of service. So, could be the strictness of plans incompatible with an adequate crisis management? Obviously not, but what is sure is that we have to be prepared in order than in every moment of a crisis it could happen an unexpected event and our response team has to be prepared to respond in the better way.

Going deep in the improvisation techniques, two fundamental concepts are practiced in Performing Arts:

• Listening: It’s difficult to adapt to a situation if is not attended by oneself. In case of business continuity, we should be aware to possible changes that can be done in the plan, being aware of it at all times.
• Acceptance + proposition: understand the situation, accept it and make proposals based on it, that is, and answer that manage what has happened. In improvisation there is no room for denial; if something has happened, it’s not the moment identify why of looking for causes, but to respond in order to redirect the situation.

In a globalized world where there are a lot of cultures close to improvisation and other cultures stricter, is important to learn how to react in a joint way against the unexpected events that can occur.  In order to do that we should think about convenience of introduce in the business continuity teams training plans, improvisation practices that can help to deal with this circumstances. Perhaps introducing these simulation activities for example different plans combining between them or include bizarre situations, can help in real crisis scenarios to our teams to be better prepared and react in a proper way. This can help to understand each role and their responsibility, knowing their improvisation scope.

What is clear is that there is not possible to foresee everything and we want to provide resilience to our business, so there is no other way: we have to practice improvisation.

Spanish Critial Infrastructure Protection Law and Business Continuity

By Daniel Blanco Real

The Spanish Law 8/2011 or Ley  de Protección de Infraestructuras Críticas (LPIC) its related to grant essential services that support specific infrastructures considered critical mainly because of two properties:

1. because its required and there are not other alternative solutions that could replace it and/or
2. because a disruption or destruction should have very important impacts in essential services. 

But What is considered a essential service in the law? LPIC identify essential service as those services required to maintain social basic functions (health, security, social welfare and economics, Public administration, etc), although there is difficult to identify it based on the definition above.

Looking for activities and definitions carried out by other countries, we can take a look to the information published by Swedish Civil Contingencies Agency, (MSB in Swedish), that in 2007 established a set of criteria to identify Social critical functions, very close to what is described in LPIC as essential services.

Sector	Functions
Energy supply	Production and distribution of electricity, district heating, fossil fuels and vehicle fuels.
Information and communication	Telephone services, Internet, radio and TV broadcasts, postal services, production and distribution of newspapers, radio and TV.
Financial services	Money transmission, cash access, private insurance and securities trading.
Social insurances	Payment of sickness and unemployment benefits and the national pension system.
Public health and medical services, and special social services	Emergency hospitals, primary care, psychiatry, pharmaceutical supplies, infectious disease control, and special social services for children, disabled persons and the elderly.
Protection, security and safety	Rescue services, police, courts, correctional institutions and SOS Alarm, military, coast guard, and customs, border and immigration control.
Transport	Road, rail, sea and air transport, and transport infrastructure management.
Municipal services	Drinking water, sewage treatment, streetcleaning, public meeting places, refuse collection and roads.
Food Agriculture and the production, distribution and control of food.º	Trade and industry Retail, IT operations and service, construction and contract work, guard and security services and the manufacturing industry.
Public administration  governance  support functions  service sector	National management, regional management and local management, diplomatic and consular services, inspection and permit services, expert and analytical services, detection and laboratory services, collection and provision of population data, meteorological services, training services and burial services.

It can be seen in the original document.

In order to clarify what is considered as a essential service, the document offers some questions that have to be answered for those who think that can be critical operators, grouped by two different blocks: preventive measures and respond measures

From a preventive measures perspective:

• What is the potential scope of a shutdown?
• How many people would be affected?
• What levels of society would be affected by a shutdown?
• To what degree would people’s lives and health be affected?
• What financial, environmental, societal and cultural values could be lost?
• How would public trust be affected?
• How long would it take to repair the damage?

 From a response measures perspective:

• Is the function essential for Leading and coordinating society’s response?
• Is the function essential for Providing the public with enough information about the situation?
• Is the function essential for Responding operatively to the emergency?
• Is the function essential for Minimising the consequences?
• Is the function essential for Restoring functions?

Once essential services are clearly defined, all organizations (obviously critical operator, but also if not)  must focus on:

• How products and services that are delivering can affect to those essential services (This is clear in critical operators)
• How lack of this essential services could affect to products and services delivered.

As a conclusion, Business Continuity in an organization has not only focus in how to recover products and service delivery, but also to take into account how the lack of this products and services affect to the society and the essential services. Without support of those essential services it's probably that organizations will not be able to recover their business and this is something that a lot of organizations don't take into account in their plans and business continuity management systems.

When Goverment shutdowns

By Jorge García Carnicero

The decision taken by the Congress of United States of not to finance the Government is a continuity scenario that is going to bring multiples inconveniences to citizens and that it would provoke the activation of different contingency plans in organization, and people.

But first of all, what is a Government shutdown? It’s a situation in which Government stops to deliver public services that are not basic because of lack of money to pay it. This situation is due to the separation in the decisions groups established by the USA law in which the federal budget depends on Congress (composed by Senate and House of representatives) and have to be countersigned by President. In some circumstances, like President and parliaments groups that control the Congress, are different in political terms it could be that there would be divergences between them and not to approve the budgets, and consequently, the lack of financial for the public activity.

Last 30th of September, House of Representatives, controlled by Republicans, and Democart-controlled Government didn’t agree about deadline of health assistance law, which provoke the government shutdown. This brought along with sending 800.000 public servant to their homes and the activity of all the agencies in United State which are considered not critical stopped. Moreover, and due to the government has reached the top of approved budget, if new budget is not approved, United States will declare suspension of payments next 17th of October.

Government Shutdown consequences are a lot, as it can be imaged. Following we are going to analyses this situation from different perspectives:

 For agencies in United States:

Agencies are stopping their activities and carrying out the different contingency plans associated to each one. Those plans will be published in the following link of the White House

For Government agencies providers

It’s clear that the Government activity generate business for a lot of providers. These providers will be affected, because activity is going to decrease and so the ingress. Depending on the time that takes the shutdown, the looses in the providers will be growing. It’s difficult to thin on a contingency plan covering this situation, but assurance.

For companies depending on services of Government

There are a lot of companies which have dependencing on the government activity. Apart from the administrative activities, we are talking about, for example, public transport, needed to take people to their workplaces or custom services, needed to imports.

For Public servants

As said before, the shutdown is going to send close to 800.000 public servants to their homes, without salary, until the Congress approve the new budget. This situation can carry some finantial problems to their families, and each public servant will have to manage with measures that will anticipate, if they have done before.

There are other agents afected, like those ecompanies with a very high dependency on retail trade or al thouse business denpending on agencies actions. As an example, the validation of mobile phones.

From a the perspectgive of administration as a provider of business continuity services, companies and continuity responsables in United States has to take into account that the following services are affected:

• FEMA: the disaster recovery information is not beeing up to date, although it has been asking for help trough disasterassistanc.gov
• Ready.gov, the website information is not up to date.
• The NOAA (National  Oceanic and Atmospheric Administration) is not operative, and the NHC(National Hurricane Center) is operative and working properly.

Conference AENOR-Continuam: Business Continuity Management

By Moises Lopez Soto

Last Friday, 27th of September, has taken place a conference about Business Continuity Management: ISO22301, promoted and organized by AENOR and Continuam with a high success of attendance and a great level of lectures. There has been perhaps for the first time that there were people of a great variety of industries, like Telcom such as Telefonica, energy companies like Iberdrola, or transport, represented by the Municipal Transport Company of Madrid (EMT).


Although this pot is not intended to be a wide summary of the session and there will probably be a lot of details not covered, I’d like to make widely known the event and some points that were covered by the different experts invited.

The session started with the exposition of the content and scope by Mr. José Luis Tejera, business development director of AENOR, who made a review about the different security standards and who made the first reference to an issue that was emphasized in the lectures after him: it’s really necessary to collaborate with supply chain, that is providers, because of the dependences on them.

After that, a round table was established about Regulation and Certification, in which there were reviewed different contents of ISO 22301 by Mr. Tomas Marín Iñurrieta, chief of Regultations service and Coordination of CNPIC, and Mr. Carlos Manuel Fernández Sánchez, Business Development TIC manager of AENOR, who emphasizes about the importance of deploying business continuity system instead of certificate it, although certification requires you to keep your deployment up to date.

Mr Juan José Miguez Iglesias, technology risks associate of PwC, contribute with the experience of PwC in Business Continuity consultancy, defining a four phases methodology (Document review, BCMS gap analysis, verification and tests and support to audit process) with which they intend to cover most of their customer requirements for deployment of BCMS. PwC metohodology also can include fast track actions, with which they will test in a first approach through a role play the knowledge and maturity of the company take this test as a starting point and developing the plans and procedures in a second approach. This combines Latin character (based in improvisation) with Anglo-Saxon character (based in procedures).

Closing this first round table, Cristo Perez, Busines Continuity Manager of Sanitas, made a presentation of the pocess follow by Sanitas for deployment and certification of BCMS, showing an example of a DRP evolution since it was not enough to cover the varity of scenarios typically included as Business Continuity scope. He used two examples: thread of terrosit attack in Campo de las Naciones, that caused a unavailability scenario and Aviar flu. As a resasault their have a global management system in which they include the business decision makers and, over all, that put People as cornerstone of all system.

In the second part of the session, Mr. Cesar Perez Chirions, President of Continuam, and Ms Maria Parga, general director assessor of BME-INNOVA and vicepresident of Cotinuam, made a presentation about the “Instituto de continuidad de negocio” and about their objective of connect professionals who want to share their knowledge and try to to make widely known and promote Business Continuity activities.

Closing the session, there toke place a second round table with the following professionals:

• Mr. Manuel Carpio Cámara, Information Security and Fraud Prevention director in Telefonica, who apart from giving information about specific cases and present the global BCM structure of such a big company, made his particular vision of BCM, with two dimensions: a vertical dimension with BCMS and a horizontal dimension which put together particular requirments). He also expose the way they support the different BCM plans of each telco belonging  to Telefonica Group through SUNGARD BCM tool in DRASS model. I would like make two highlights of his lecture: The phrase “Continuity is NOT an option” and Event Correlation, which can bring information about where is anybody at any time during an incident.
• Mr. Ángel Robles Rodríguez, Deputy lawyerd at EMT, presented how from his organization they have to think on buses as if they was an employee.
• Mr. Pedro Pablo, Security, privacy and Global Continiuty Manager of RSI, talk about necessity of reinforce supply chain and make emphasis in problem trying to grant the service level agreed with providers, especially with big ones.
• Mr. Javier García Carmona, responable of information security and communications in Iberdrola, was the autor of an other phrase that I consider it a great phrase: “In Spain there is not Business Continuity Culture”. Apart from that he sent a calming message about Spanish electric infrastructure, considered one of the critical infrastructures.
• Mr Roberto Rodriguez, Business Continuity Director in Grupo Santander, made an exposition remarking the  value of test as a way establish automatism responses to a contingency and serving as a catalyst that avoid the potential shock of personal selected to answer the incident because of the type of crises that could be close to their environment, or because of their own character and their ability to answer to a contingency, being critical to the success to the Business Contintuity program the election of this people and we do not usually pay to much attention to this.
• Mr Victor Llorente, bussiness consultor at Grupo SIA, go into detail about the need of support Business Continuity programs in tools that allow the automation of BCMS processes.

The closing lecture was carrying out by Mr Avelino Brito, general director at AENOR, who toured the organization and put into relevance the meaning of AENOR as a unifying knowledge organization.

In general terms, I feel has been an interesting event, which highlights the progress in Business Continuity industry. Business Continuity professionals begin to look for strengths and obtain resilience, ensuring not only our internal capabilities but also the dependencies by third parties. This requires focus much more towards people, towards their responsiveness, to heard and given the capacity of business decision makers as opposed to the old IT disposal. And all this is done under a global international framework, which is ISO22301 in which to look and be bound to improve.

Conference SIA - Continuam. Summary

With a relevant number of attendees, about 100 people, last 20th of March took place a conference sponsored by SIA Group and Continuam in which there were given an overview of the different activities that are taking place within the sector. The conference took place in the restaurant Loft39, at C/Velazquez in Madrid, calling for assistants at 12:00 and elongating until 16:00.

Introduction to the conference was provided by Enrique Palomares, CEO of SIA Group, who highlighted the commitment of this company for business continuity and the path along the last years, with both services consulting and automation tools, with SunGard AS.

First lecture was given by Daniel Blanco, BCM consultant at SIA Group. Under the title “Continuity, state of the art” Daniel gave an overview of the various standards and their evolution over time. He identified the main differences between BS25999-2 and ISO 22301 and highlighted the relevance of training and drills, specifically to provide visibility to the rest of the organization.

After Daniel, Juan Manuel Gil, CEO of F24, continued putting in value the relevance of notifications and how this notifications should change from traditional models (calls, SMS, emails, etc) to latest channels, dependent on the resources available for the employees of the organization.

In the third lecture Alfonso Costa, BCM Manager of Mutua Madrileña, stated which, from his point of view, are the cornerstones of business continuity within an organization:

• Alignment of objectives, mission and vision. The strategy of the organization must be aligned with the continuity management program.
• Governance model. Management should be involved. It is important to have a good sponsor.
• Visibility: must publicize the work done since continuity areas. You have to "come out". Testing is the largest showcase of business continuity
• Report: The record of what is becoming essential to show activity.

Then Pablo de Vera and Luis Sancho exposed the management structure of the business continuity used in BBVA, providing continuity of different committees depending on the severity of the incidents that occur: corporate continuity committee, country continuity committee and plan continuity committee. They gave a clear message which is the aim of his plans to ensure the service that BBVA provides to their customers and, therefore, their business.

 

Luis made it clear what is and is not a contingency BBVA, going more in detail about different scenarios to which BBVA had faced in recent years: pickets impeding access to a center, Hurricane Katrina and Ike, fire "neighbor" in the Windsor building, falling bank communications, critical power drop, the Icelandic volcano ash, etc..

 

To conclude the presentations, Tomas Martin, from CNPIC, outlined the activities being developed as a national critical infrastructure center, in collaboration with other European bodies: BUCOPCI standard, workgroup with AENOR, Smart grids: Spanish industrial safety platform, collaboration with coesga, among others.

 

To round off the event, it took place a panel discussion, moderated by Cesar Perez Chirinos (Continuam president) in which there was in an interesting representation: CNPIC, Bank of Spain, RSI, BSI, AENOR, Arsys and SIA. Cesar was moderating the table with different speakers that were answering the questions and gave their views on business continuity.

 

As a conclusion, the event was very well organized by SIA. Perhaps the time of lectures was extended in excess, but the speakers transmitted very pragmatic views, changing the discourse of IT by business discourse, closest to a comprehensive understanding of business continuity. The BC industry is maturing every day in Spain.

Crisis management in Madrid Arena party

There has been a lot of information about Madrid Arena Halloween party, in which four women was killed in a stampede. Most of this information is related to political responsabilities, but there are an issue that has gone unnoticed and I think there Is very important from business continuity perspective. It’s  the role played  by mobile communications in whole crisis.

According to the testimony of the participants, it seems that there were a mobile communications breakdown, mainly due to the great amount of people in such a small space. It similar to what happen in a sport event with huge crowds, for example a football match each weekend or to what happened last year in the Mobile World Conference in Barcelona. 

However, when this situation occurs in crisis scenarios we have  two problems:

• Those affected cannot communicate or make emergency calls
• Emergency teams cannot communicate with each other in order coordinate if this communications depend on the mobile generic infrastructure. 

In order to avoid this kind of situations, there are two options: make the service stronger or use an alternative service.

Thinking on the attendees, there could be explored the possibility of providing an alternative coverage (wifi network). With such a large crowd, it will probably has the same problem than the generic mobile infrastructure, but it will not be dependent on a mobile operator and could be offered as an aggregated service to the whole infrastructure.

There are mobile cells to allow operators improve mobile coverage in special locations, moreover, there are companies focused on offer coverage in public locations with a large crowds, for example Spring.

However, although could be technical solutions to avoid this kind of situations, neither facilities responsible will include wifi service, nor mobile operators will strengthen coberage in an altruistic way.  Government should include this as a requirement for license this kind of events with the guarantee that mobile communications will be delivered.

On the other hand, in order to allow the communications between members of emergency teams they use the RF network, Tetra. This network were not working because the walls were of concrete, so emergency staff had to use they own personal mobiles to allow the communications with other members. This situation is complicate to avoid without valuing the architectural problems of the building.

A good practice could be to advise the attendees about the problem that they could have when using their mobiles, specially when the location are not prepared to host a very huge crowd, form example in public demonstrations. Generalitat of Catalunya do it every year when is near the day of National Day of Catalunya.