Friday 27 September 2013

Conference AENOR-Continuam: Business Continuity Management

By Moises Lopez Soto


Last Friday, 27th of September, a conference on Business Continuity Management: ISO22301 took place, promoted and organized by AENOR and Continuam, with high attendance and a high standard of lectures. Perhaps for the first time, attendees came from a wide variety of industries: telecom, such as Telefonica; energy companies like Iberdrola; and transport, represented by the Municipal Transport Company of Madrid (EMT).


Although this post is not intended to be a comprehensive summary of the session, and there will probably be many details not covered, I’d like to publicize the event and some of the points covered by the different experts invited.

The session started with an overview of the content and scope by Mr. José Luis Tejera, business development director of AENOR, who reviewed the different security standards and made the first reference to an issue that was emphasized in the lectures after him: it is really necessary to collaborate with the supply chain, that is, providers, because of the dependencies on them.

After that, a round table on Regulation and Certification was held, in which different contents of ISO 22301 were reviewed by Mr. Tomas Marín Iñurrieta, chief of Regulations service and Coordination of CNPIC, and Mr. Carlos Manuel Fernández Sánchez, Business Development TIC manager of AENOR, who emphasized the importance of deploying a business continuity system rather than certifying it, although certification requires you to keep your deployment up to date.

Mr. Juan José Miguez Iglesias, technology risks associate of PwC, contributed PwC's experience in Business Continuity consultancy, defining a four-phase methodology (document review, BCMS gap analysis, verification and tests, and support for the audit process) with which they intend to cover most of their customers' requirements for deploying a BCMS. The PwC methodology can also include fast-track actions, in which they first test the knowledge and maturity of the company through a role play, take this test as a starting point, and develop the plans and procedures in a second pass. This combines the Latin character (based on improvisation) with the Anglo-Saxon character (based on procedures).

Closing this first round table, Cristo Perez, Business Continuity Manager of Sanitas, presented the process followed by Sanitas for the deployment and certification of its BCMS, showing an example of how a DRP evolved, since it was not enough to cover the variety of scenarios typically included in Business Continuity scope. He used two examples: the threat of a terrorist attack in Campo de las Naciones, which caused an unavailability scenario, and avian flu. As a result, they have a global management system that includes the business decision makers and, above all, puts People as the cornerstone of the whole system.

In the second part of the session, Mr. Cesar Perez Chirions, President of Continuam, and Ms. Maria Parga, general director assessor of BME-INNOVA and vice-president of Continuam, gave a presentation about the “Instituto de continuidad de negocio” and its objective of connecting professionals who want to share their knowledge and of publicizing and promoting Business Continuity activities.

Closing the session, a second round table took place with the following professionals:
  • Mr. Manuel Carpio Cámara, Information Security and Fraud Prevention director at Telefonica, who, apart from giving information about specific cases and presenting the global BCM structure of such a big company, gave his particular vision of BCM, with two dimensions: a vertical dimension with the BCMS and a horizontal dimension which puts together particular requirements. He also explained how they support the different BCM plans of each telco belonging to Telefonica Group through the SUNGARD BCM tool in a DRASS model. I would like to highlight two points from his lecture: the phrase “Continuity is NOT an option” and Event Correlation, which can provide information about where anybody is at any time during an incident.
  • Mr. Ángel Robles Rodríguez, Deputy lawyer at EMT, presented how in his organization they have to think of buses as if they were employees.
  • Mr. Pedro Pablo, Security, Privacy and Global Continuity Manager of RSI, talked about the need to reinforce the supply chain and emphasized the problem of trying to guarantee the service level agreed with providers, especially big ones.
  • Mr. Javier García Carmona, responsible for information security and communications at Iberdrola, was the author of another phrase that I consider a great one: “In Spain there is no Business Continuity Culture”. Apart from that, he sent a reassuring message about the Spanish electric infrastructure, considered one of the critical infrastructures.
  • Mr. Roberto Rodriguez, Business Continuity Director at Grupo Santander, gave a talk stressing the value of tests as a way to establish automatic responses to a contingency, and as a catalyst that avoids the potential shock of the personnel selected to respond to the incident, whether because of the type of crisis that could be close to their environment, or because of their own character and their ability to respond to a contingency. The selection of these people is critical to the success of the Business Continuity program, and we do not usually pay much attention to it.
  • Mr. Victor Llorente, business consultant at Grupo SIA, went into detail about the need to support Business Continuity programs with tools that allow the automation of BCMS processes.

The closing lecture was given by Mr. Avelino Brito, general director at AENOR, who gave an overview of the organization and highlighted the role of AENOR as a unifying knowledge organization.

In general terms, I feel it has been an interesting event, which highlights the progress in the Business Continuity industry. Business Continuity professionals are beginning to look for strengths and achieve resilience, ensuring not only our internal capabilities but also our dependencies on third parties. This requires focusing much more on people, on their responsiveness, and on listening to business decision makers and giving them capacity, as opposed to the old IT-centred arrangement. And all this is done under a global international framework, ISO22301, to look to and be bound by in order to improve.
