Tuesday 24 May 2016

IX Business Continuity International Conference

by Jorge García Carnicero


As every year, BSI has promoted the Business Continuity International Conference, now in its IX edition. The venue chosen this year was the Gran Melia Fénix Hotel in Madrid, where the conference started first thing in the morning. With the room almost full, at 50 or 60 people, BSI showed that its ability to bring business continuity professionals together is healthy.

The first talk was given by Jose Luis Miguel, Country Manager at BSI, who presented BSI's capabilities in generating standards, in auditing and in training. He then presented the results of the Horizon Scan Report 2016, led by the BCI and promoted by BSI, highlighting aspects such as the top ten threats to continuity, which can be seen in the image, and the percentage of companies seeking to increase their business continuity budget over the coming months or years.


The second talk was given by Julio San Jose, from EY, in tandem with Cristina Pereira, head of continuity at Abanca. Julio emphasized the key aspects of continuity:

  • The need to run tests and drills.
  • The importance of crisis communication.

He discussed the different communication strategies that exist (good and bad): Silence, Negation, Responsibility transference, Confession and controlled discretion, with Confession being the best communication strategy.
(I would call it Transparency)

Cristina Pereira presented the case of Abanca, discussing the different problems she has had to deal with when deploying the Business Continuity Plan in the organization. In line with Julio’s talk, she also emphasized the importance of drills.

Before the break came the third talk, given by Agustin Lopez as the representative of DRI in Spain. Agustin presented the different contingency scenarios in the datacenter with an original presentation, using classic films as a thread (Back to the Future, Groundhog Day, etc.).

After the coffee break and networking session, we came back to the room, where GMV was responsible for the fourth talk of the morning. It covered the business continuity management system (ISO 22301) and the possibility of integrating it with other management system standards, such as security (27000), IT management (20000), quality (9000), etc., with an orientation toward certification.

The fifth talk was given by Uxía Fernandez, from Grupo Ozona. Uxía presented the concept of IRBC (ICT Readiness for Business Continuity) used in the standard 27031. She walked through the content of the standard, with the 5 mainstays as the elements to protect: facilities, technology, people, data, providers and process. Since usually only technology and data are taken into account, Uxía wanted to give special consideration to the other elements. It was a long talk.

Finally, the sixth talk was given by Ricardo Mesias, Risk Management Director at EDP. Ricardo described the main problems he had to deal with in developing the business continuity plan at EDP. He talked about the team, about winning the buy-in of all departments of the company, about the importance of testing, about metrics and about external support, which is always important.

Conclusion

As a conclusion, I think that BSI's role in maintaining this event year after year is laudable, and all business continuity professionals should be thankful for that. This event is a meeting point and is also a way to measure the state of the art of business continuity in Spain.

However, I think that the messages have to be improved, since many of them do not reflect the actual situation of customers. Recently I was reading an article by Amy DeMartine, senior research analyst for DevOps at Forrester Research, for Computer World, that I think is applicable to Business Continuity. She said: “I think the reason why a lot of companies start with DevOps activities and forget the security staff is that there is a cultural gap. Security people speak an almost different language - incidents, vulnerabilities, risks - so everybody puts them at the end of the development life cycle”. This could also be applied to Business Continuity, which should be included in all the processes of the company but is not, at least in Spain. If we focus on the management system and forget that continuity should be practical, it will lead us to see Business Continuity as a waste instead of an investment.

The Business Continuity Awareness Week, led by the BCI, took place recently with one main objective: to show the ROI of continuity, and I think we should learn from it.
Although obviously BSI, as promoter of the event, has to focus the talks on management systems, it is urgent and essential to update the messages to a different market reality, mainly in the IT area. It makes no sense to talk about taking a tape out of the datacenter when all companies are talking about backup in the cloud, for example making a third copy in a public cloud.