THE MAGAZINE OF THE BUSINESS CONTINUITY INSTITUTE | Q4 2018
BCI World and Global Awards 2018 news
Case study: How Hong Kong’s banks play to win in BC/R
My Lightbulb Moment: Marks and Spencer’s John T Frost
SPECIAL REPORT
VISIONARY RESILIENCE
Changing mindsets key to overcoming threats of time and inaction
01 Cover_Q4_Continuity & Resilience Magazine 1
26/11/2018 14:53
An award-winning two-way mass communication platform
Mobile platform built from the user upwards. Easy for organizations to deploy. Delivering unified, dependable and secure communications.
Most Innovative BC Product of the Year
Cloud DR & Continuity Product of the Year
WINNER
WINNER
2016
2018
Go to www.crises-control.com/request-a-demo.html and quote “C&R” to get £100 in telecoms credit.
Q4 2018 | ISSUE 4
CONTENTS

REGULARS
Welcome
News: BCI World 2018 round-up, our new Chairman speaks
Debate: How can BC/R professionals mitigate the risk of a rogue employee damaging or destroying the organization?
Interaction: Opinion: Engaging the C-suite to create a culture of BC. Expert View: Great managers look at the overall picture
Tech Round-up: News from: Efficient IP, Fusion, DTN, Everbridge and Uncloak
BCI News: BCI Awards 2019, Brexit Tracker, BCI World Advisory Group announced
Next Generation: Elodie Huet, Arup
My Lightbulb Moment: Head of Business Continuity (BC) at Marks & Spencer, John T Frost, on improving organizational resilience through collaboration

FEATURES
Preparing for real: An industry-wide event in Hong Kong is using realistic scenarios to help financial institutions understand how to implement BC
SPECIAL REPORT: Visionary resilience: Institutionalising the approach to resilience, a network of global cities has joined forces to ensure the global community is ready to survive, adapt and grow whatever the future holds
PROFILE: James Lindsay: Thrown in at the deep end with Cambridge Analytica, the former British Army officer explains how he dealt with a major crisis
Recognising the best in the industry: BCI Global Awards Gala Dinner at the Novotel London West saw around 300 guests from across the globe gather together to celebrate the best of Business Continuity and Resilience (BC/R)

COVER PHOTO: GETTY IMAGES
LEADERS’ MESSAGES
WELCOME TIM JANES
Continuation of innovation
My tenure as Chairman starts just ahead of a major milestone for the BCI, as it celebrates 25 years of existence in 2019. My own entry to the business continuity (BC) industry pre-dates the BCI’s birth by just one year. In 1993, I joined a company called SafetyNet in the UK. SafetyNet was consumed in a series of mergers long ago, and I rode the ‘continuity wave’ over the last 25 years as it carried me around the world, from London to Sydney via Hong Kong.
During that time, I believe that the most significant change to the industry has been the internet – it spawned innovative business models and revolutionised how people work, but also came with a cost, as organizations have been confronted by threats that would have been unimaginable in 1994. I enjoy working with organizations to understand and adjust to these changes, maximising the benefits and attempting to anticipate and address uncertain risks.
I was fortunate to lead the BCI Australasian chapter for five years, which served as inspiration to get involved in the BCI’s global activities, on the Global Membership Council and then the Board. Working with David James Brown and James McAlister and all the other BCI Board members since 2015 has been a fascinating learning experience and has, I hope, provided suitable preparation for the next two years.
Over its 25-year history, the BCI has adapted continually, and the current diverse Board, continued innovative engagement, and development of organizational resilience makes me confident it will continue to do so. As we head into our anniversary year, expect some well-earned retrospection from the BCI and its members on past achievements, as well as an innovative and positive approach to embracing the exciting path that lies ahead.
Tim Janes Hon FBCI, MBA, BCI Chairman, Vice Chair of BCI Board
DAVID THORP
Thought leadership is key
Since assuming the role of Executive Director slightly more than two years ago, one of my ambitions has been to improve the quality of the BCI’s research outputs. We must go further than simply reporting the current situation. Expanding on the information resource built up through the research process, and turning this into genuine insights that will deliver sustaining value to our members is of paramount importance. The BCI should be a respected thought leader in the fields of Business Continuity and Resilience (BC/R). It has the potential, but to achieve this we can’t just tell people what’s happening, we need to let them know exactly what this means to them.
Forbes magazine defines a thought leader as “a firm that prospects, clients, referral sources, intermediaries and even competitors recognize as one of the foremost authorities in selected areas of specialization, resulting in its being the go-to individual or organization for said expertise”. At the BCI, we will be articulating new ideas and trends impacting our members while also acting as a voice for the profession, primarily through the generation of new content. Thought leadership is one of the key investment areas we have targeted within the BCI, as it’s our way of providing a value-added benefit to members whilst raising the profile of BC/R professionals and highlighting their vital work.
Over the past 12 months, we have commissioned a new website and content management system, appointing Rachael Elliott as our inaugural Head of Thought Leadership. In addition, Kamal Muhammad was hired as a Research and Insight Analyst to assist the existing team of Gianluca Riglietti and Lucila Aguada. I’m confident you will see a different focus brought to bear within our papers and reports, with content providing more practical value. Members will also get our new Continuity & Resilience Review, due for release in the first half of 2019. The biannual journal will carry the latest academic insights on practicing BC/R and provide a fresh look at the issues facing our profession.
To become a recognised thought leader is a lofty ambition. As a process it will unfold over years rather than months, but over time we will be putting thought leadership at the heart of everything the Institute does; from standards development through to education, from CPD to conferences and events. We believe taking such an approach is key to help attract more people into our wider BC/R community, and eventually, as full members of the BCI.
David Thorp Executive Director, BCI
PHOTOGRAPHY: AKIN FALOPE

DEEDEE DOKE
Editor’s comment
Welcome to the year-end, or Q4, edition of Continuity & Resilience. At BCI, the year nears its end not by fading away but by stimulating our mental appetite for the challenges of the next 12 months with November’s two-day BCI World Conference and Exhibition and the BCI Global Awards, both in London. And stimulating the speakers, topics and debates were indeed. The sense of community was also palpable over the two days, along with the pleasure that members clearly took in renewing their acquaintances and friendships with colleagues from around the world. A lesson I took from BCI World was the pressing need for our community to think widely and globally about Business Continuity and Resilience beyond individual organizations, to the worldwide dangers threatening us today. National policies, for example, can lead to situations in which corporate BC/R must play roles in assuaging and mitigating – international sanctions are one such arena that came as a surprise to me, a sub-set lesson if you will. May your calendar year come to a memorable close, in the best possible way – and all the best for a stimulating 2019!
DeeDee Doke Editor

CONTINUITY & RESILIENCE | Q4 2018
GLOBAL NEWS UPDATE
33%
According to a poll at BCI World 2018, a third (33%) of business continuity professionals said gaining top management commitment was one of the biggest headaches they faced in business continuity management.
CRISIS EXERCISES
Get senior management buy-in to back an exercise
By Colin Cottell
Getting senior management buy-in for a Business Continuity and Recovery exercise can be a tricky business, but as BC and resilience professionals heard at BCI World 2018 there are many ways to achieve this.
Chris Lewis, Senior Crisis Management Consultant at Ricardo Energy & Environment, said a good first step in persuading senior management to back an exercise was “to understand what your gaps are at an operational and a strategic level”. This would enable you to go to the CEO with a clear focus – for example, he said, “our biggest concern is media so let’s focus on the communications part”.
Non-executive directors could play an important role in influencing the board, said Sam Lascelles, Management Consultant at PA Consulting group. “They probably have as part of their CV that they weathered a challenge or a crisis,” he said. In addition, Lascelles said, “they are probably a non-executive director for more than one company, so if they see it [an exercise] happening there, they can say ‘Hey, my other company is doing this’. This senior top of the shop networking and encouraging is quite a nice way of doing it.”
Jim Preen, Head of Media at crisis simulation consultancy Crisis Solutions, said: “The classic answer is if we don’t have a plan and we don’t test it, it’s going to be a whole lot worse than if we do have a plan and we test it.” He added: “You have to pitch it right. There is no point going to senior management and saying, ‘We want to have an exercise every few weeks’.”
Lascelles advised putting forward a plan to senior management at the beginning of the year, saying: ‘This is what we want to do’.
Getting senior management buy-in to some extent depended on the sector, Preen suggested. In a regulated industry such as finance, he said, “the thought of a cyber attack usually brings senior executives out in a cold sweat and will quite likely persuade them that running an exercise is a good idea”.
VISIT THE WEBSITE FOR MORE NEWS: WWW.THEBCI.ORG
BCI WORLD 2018
53 countries represented
440 total conference passes
+18% average increase over 2017
BUSINESS IMPACT ANALYSIS
Talk to the right people to get the right impact
By Colin Cottell
Business Continuity professionals who are conducting Business Impact Analyses (BIA) should get the views of staff at both the strategic and the operational levels of the organization. That was the key message to emerge from a presentation on ‘What Makes a Great BIA Interview?’ at BCI World 2018.
During the presentation, Ian Charters, FBCI, Director, Continuity Systems, played the role of a BC professional trying to understand the impact of a disruption to operations at a call centre that was providing services to an insurance company, by interviewing the call centre manager. The latter was played by Brian Zawada, FBCI, Director of Consulting Services, Avalution Consulting.
The role-play highlighted some common failings of BIA, including not being prepared and using jargon, not asking the right questions, but also failing to involve the right people. “I should be talking to C-level people because C-level people can see the bigger picture,” said Charters.
In the scenario, Charters’ character said only C-level staff could provide answers to important strategic questions about the consequences of a disruption to the service provided, such as what are the penalty clauses for failing to meet service levels, and how likely it is that the client would cancel the contract. There was a suggestion C-level executives were best placed to answer questions, such as how will customers, regulators, funders, and the press react to the disruption of a service.
However, the operational staff know the resource needs of their area of the organization. Therefore “you need to talk to people at every level,” urged Zawada.
BCI WORLD
BCI World and Global Awards move to Birmingham in 2020
BCI World Conference & Exhibition and the BCI Global Awards will move from London to Birmingham in 2020, outgoing BCI Chairman James McAlister FBCI announced. The move to Birmingham’s ICC venue reflects the conference and awards’ growth and will allow further expansion of the events. “We’ve outgrown the [Novotel London West] hotel. We’ve sold out exhibition stands over the last two years,” McAlister said at the end of the 2018 conference. However, the two-day daytime event and awards will remain in London for a final year in 2019, to be held on 5 and 6 November.
NEWS
IN BRIEF
Barker calls for close collaboration when dealing with cyber threats
Keynote speaker Dr Jessica Barker said Business Continuity (BC) and Resilience professionals must help other professions to understand the growing threat of cyber attacks from a BC viewpoint. “The merging of the physical world and the connected world is one of the reasons our community has to work closer in collaboration with others,” she said. “Communicate more closely, and collaborate more closely.”

Crisis exercise proves a success despite language barrier issues
A crisis management exercise at the Central Bank of Eswatini was a resounding success, according to a bank official. Thabsile Dlamini said only minor language difficulties between those at the bank and the assisting KPMG officials posed a problem. “The communication was excellent,” Dlamini said. “We met our objectives and the test was contained. We even made it into the news!”
CRISIS MANAGEMENT
Water providers battled ‘Beast from the East’ together
James Trotman, AMBCI, Business Continuity Lead at the University of Sussex, has explained how the ‘Beast from the East’, a period of unusually cold weather affecting the UK in early 2018, has changed the way that water companies collaborate with communities in times of water shortage.
When the ‘Beast’ struck in March, frozen water supply pipes burst, leading to the loss of 25 out of 27 sites in East England and the loss of reservoirs. Entire towns were left with intermittent or nonexistent water supplies. A hospital lost its supply entirely, requiring alternative supplies to be redirected on an emergency basis. Over the course of five days, the Sussex Strategic Coordinating Group were dealing with the potential for up to 85,000 homes losing water, a lack of information from the water company who were overwhelmed by the scale and panic stockpiling of bottled water.
Trotman explained that the decision to co-locate was crucially timed, enabling the group to remain flexible with decisions. The complex logistics of moving large quantities of water and deciding who should receive it first was difficult. He says that ‘without water, everyone becomes a vulnerable person’. Over 2,500 bottles of water were purchased and delivered to known vulnerable people in collaboration with West Sussex Fire & Rescue Service.
The lessons learnt point towards the importance of collaboration being part of everyday activities, not simply in a crisis, Trotman said. He urged integration with local resilience forums in ‘peacetime’ and joint training and familiarisation visits. Much of the response to the shortage was slowed by misinformation and panic amongst the community combined with a lack of understanding of the other parties’ plans for the situation, he said. Trotman emphasised that an important change to make in advance of a crisis is to know your counterparts personally and understand each other’s capabilities.
Clearview CEO Charles Boffin and Paysafe Head of BC and IT Disaster Recovery Esra Erbas discussed a poll of the top BCM headaches:

Engaging the business – 47%
Boffin: Identify and use your local BC champions; avoid using acronyms.
Erbas: Make BC fun; better marketing.

Gaining top management commitment – 33%
Boffin: Be creative in engaging the C-suite champions.
Erbas: Keep your exercises challenging; work with others.

Integrating disciplines in a fast-growth organization – 33%
Boffin: Use technology to ensure BCM strategy is managed and visible.
Erbas: Set standard to measure your maturity. Work on your road maps.

Working with limited budget – 27%
Boffin: Seek executive sponsorship; align with overall business strategy.
Erbas: Don’t be shy; be smart about how you share your budget.
56%
of respondents to BCI’s Supply Chain Resilience Report 2018 said they suffered supply chain disruption in the past 12 months
SUPPLY CHAIN
Sort out continuity of supply chain
By Colin Cottell
Organizations should put practical contingency measures in place to ensure continuity of supply of strategic goods and services that could threaten their own Business Continuity and not rely on legal contracts.
David Window, MBCI, Director of Continuity Shop, told the BCI World audience of an incident in which an important supplier told the client: “‘We know we have a contract with you, and we are not going to honour it; we are going to breach the contract, and I will see you in court. Bye,’ and that was it.
“I could have had as many contracts and policies as I wanted; it would have made no difference whatsoever,” said Window. “What you can do is put contingencies in place. You can put in buffer stocks – there are lots of things you can do if they won’t play ball with you,” Window advised.
Nick Wildgoose, an Independent Supply Chain Risk Consultant, said there were other ways organizations could exert influence on strategic suppliers, beginning with “understanding how important you are for that strategic supplier. Are you the preferred customer?”. Wildgoose said that smaller organizations could make up for their relative lack of importance by building relationships with those suppliers, citing an example of the CEO of a relatively small mining company, who developed a strong relationship with the CEO of a strategic supplier through playing golf.
John Frost, Head of Business Continuity at Marks & Spencer, said there were other things that organizations could do to give them leverage over suppliers, such as penalty clauses, and conditionally appointing a BC manager.
BCI CHAIRMAN
Tim Janes: stability and communication the key for incoming BCI Chairman
Stability after two years of significant organizational change and better communication with members are key aims of BCI’s new Chairman Tim Janes Hon FBCI as he moves into his new role. Having succeeded outgoing Chairman James McAlister FBCI on 8 November, Janes said that as the BCI emerges from its “most significant period of change” in its 24 years, it was now “strongly positioned to maximise value and benefits” to members.
Sydney-based Janes addressed members at the end of the BCI World Conference on 7 November. In conversation with C&R, he said he did not have a “grand strategy” for his two-year tenure as BCI Chairman but did look to achieve “better engagement with members, better delivery of information to them, and raising the quality of research and reports members can use”. He said he also wanted to ensure the streamlining of “some internal inefficiencies in central office”.
Members need a better understanding of what’s going on in central office and at board level, with much information disappearing into “a black hole”, Janes went on to say. In addition, while BCI’s global member/customer services had improved recently, he added that the organization should be looking for “sensible opportunities” to internationalise operations to continue its growth and value.
DEBATE
THE BIG QUESTION
How can BC/R professionals mitigate the risk of a rogue employee damaging or destroying the organization?

RICHARD STEPHENSON, UK
Creating the right environment
In my business, we have adopted the same vetting for all new recruits as those who will have access to government assets and information such as the Baseline Personal Security Standard (BPSS). Recruitment processes are the start of the defence process. Ensuring the Business Impact Analysis (BIA) has covered the impact of the insider threat is essential so that the BC team can ensure mitigating responses. BC teams need a close relationship with data security and cyber teams and to understand the systems in place for network and DNS [domain name system] monitoring. As with any threat, reducing the risk and potential impact is best done through a holistic, cross-departmental approach that empowers HR, data security teams, managers and legal teams in order to create a workplace culture that fosters accountability and stops smaller issues and warning signs from slipping through the cracks.
Data loss through a rogue employee is a very real risk and GDPR fines will be higher if the company has not taken all reasonable steps to secure the data. Mapping who has access to sensitive information is fundamental to developing a risk profile. For this to be done reliably, HR and IT relationships have to be strong in order to keep an accurate log of access permissions. A rogue employee is a malcontent employee and if they have access to sensitive information, the systems should be able to flag this person as a risk ahead of a rogue actor.
Richard Stephenson, Owner and CEO, YUDU (software as a service app)
TONYA T. YORK, US
A thorough vetting process is key
The best way to avoid dealing with a rogue employee is to circumvent hiring one in the first place by establishing a thorough vetting process that includes drug tests, background checks, personality tests etc. All organizations I have been affiliated with in my career since the early 90s had training programmes in place to plan against, and prepare for, workplace violence. Training programmes are critical to teach employees how to identify behaviours that are indicators of potential threats and how to respond to mitigate the threats. As a BC practitioner, I have used active shooter scenarios to prepare the teams in my organizations to respond to workplace violence situations. Practice is necessary to ensure to the fullest extent possible that reaction is rote.
However, not only are employees a threat to business, anyone can commit violence against an organization. Guns are legal in the US; mass shootings happen regularly. One of the first mass shootings happened at 101 California Street in San Francisco in 1993. The shooter was a disgruntled client. While working at Charles Schwab in 1996, a gunman took hostages in the Portland [Oregon] branch; he was not an employee or client. Thankfully Schwab had been through training because of the 101 California incident and no Schwab employees or clients were hurt. [Editor’s note: two people were wounded in the Portland incident.]
Tonya T. York, MBCI, MBCP, Global Business Continuity Program Manager at Lam Research
ANDREW P. MOORE, US
IMAGE: GETTY IMAGES
A holistic approach
In the 2016 Cyber Security Intelligence Index, IBM found that 60% of all cyber attacks were carried out by insiders. One reason that insider threat remains so problematic is that organizations typically respond to these threats with actions that monitor and constrain employee behaviour, detect and punish misbehaviour, and otherwise try to force employees to act in the best interest of the organization. However, my recent research with Dan Bauer at the Software Engineering Institute at Carnegie Mellon University in Pittsburgh suggests that organizations need to take a more holistic approach to mitigating insider threat: one that considers the impact of organizational behaviour on insider motivations.
In particular, positive incentives that attempt to encourage employees to act in the interests of the organization can be used to complement the traditional punitive approach, thereby reducing insider risk. Our research identified how effective management practice aimed at aligning the interests of the individual with the organization was the key in providing these positive incentives, and showed a connection between positive employee attitudes about their organization and the frequency of cyber-related misbehaviour. We found this could be achieved by focusing on three areas of workforce management: in improving employee engagement with the job, boosting connectedness with colleagues, and the culture of the organization, all of which have the effect of improving employees’ feelings of being supported by the organization.
In order to deal effectively with the insider threat, it is vital that organizations take a collaborative approach on the issue. This will likely involve human resources, insider threat researchers, information technology and other departments, such as security and legal.
Andrew P. Moore, Lead Researcher at CERT National Insider Threat Center, Software Engineering Institute of Carnegie Mellon University
INTERACTION
OPINION
LYNDSEY ORTON
Engaging the C-suite to create a valued BC culture
As Business Continuity (BC) becomes more significant across the globe, the culture of an organization will begin to play a huge role in how any company survives a setback. With risks increasing, and becoming ever more complex, such key organizational aspects will have great influence in determining the successful implementation of a Business Continuity Management System (BCMS). However, when organizations do try to implement a BCMS they often come up against challenges, regardless of their industry sector or size.
The world is changing, with many businesses and organizations taking advantage of the changes by using technology to improve operational efficiency and ensure they are less reliant on human intervention. This creates the possibility to spread an organization thinly across the globe, which is essential if a business wishes to successfully operate in the global markets. As the world shrinks, companies have to adjust to a new way of thinking and operating. People are also changing; they don’t see themselves joining a company and staying there forever anymore. These matters have an impact on the way organizations operate and implement programmes such as BC because they now have to consider the staff turnover. Implementing the same standards in different countries slightly differently each time to take into consideration the different cultures, politics and priorities is another area of focus.
Once a culture has been established it can be described as a dynamic occurrence that surrounds us, being constantly created by our interactions. The interactions within an organization are shaped by values, norms and beliefs. Culture can influence all aspects of an organization’s operations, shaping the way a company operates.
Recently, I conducted a survey which found that most people believe the culture of an organization has an effect on how it should implement policies and procedures, and most of those cultures were receptive to BC. The main issue which was identified was that although the culture in most areas of the organization was receptive to BC there was still a struggle to get the top management to engage, which led to the lack of proper attention being given to BC. Influencing a whole organization’s culture is important, but if we can get to the top level first it should resonate throughout a company. It is how we influence the culture of our C-suites that will enable the successful implementation of BC across the whole company.
The culture of the organization is either created by the leadership or the leadership adjusts to the culture
Lyndsey Orton MBCI is BC manager at DHL Parcel. Formerly of the British Army, she has also worked as a BC consultant for UKMail and participated in exercises at Littlebrook Power Station and Birmingham Airport.
THIS QUARTER’S BEST TWEETS TWITTER @THEBCEYE
Sridar Govardhan @SridharGovardha Oct 27 September 2018, massive data breach notification from British Airways and Cathay Pacific in October 2018. In isolation they don’t relate much, but in reality, airline industry is under cyberattack. #Airlines #Cybersecurity #Informationsecurity #Databreach
BCI @TheBCEye Nov 7 And that’s a wrap! Thank you everyone who participated to #BCIWorld18 and a special thank you to our headline #sponsor @SungardASUK for supporting us! See you next year #BCIWorld19
Airmic @Airmic Nov 7 The 10th edition of the Supply Chain Resilience Report from @TheBCEye in collaboration with @Zurich is available to download now: #supplychain #resilience #keyrisks #cyberattack #disruption http://ow.ly/77aK50jBWcU
Tanium @Tanium Nov 15 From siloed business units to organization complexity, what are the key factors that are holding back decisions makers from achieving #BusinessResilience? http://bit.ly/2FqP2l7
EXPERT VIEW
HEATHER MERCHAN
Great managers look at the overall picture
Industry credentials are important. They demonstrate that the individual has an understanding of the building blocks of Business Continuity (BC). As the grades become more senior they are an indicator of your experience, the insights you will have gleaned, lessons learned, and your contribution to the industry in addition to your organization. But to be a great BC manager you need to be able to demonstrate an impressive array of traits that aren’t easily identifiable when reviewing certification criteria.
Many BC practitioners hold a privileged position that requires discretion, business acumen and excellent interpersonal skills. They have a bird’s-eye view of the products and services offered across their organization, a clear understanding of strategic business priorities, and an honest and open dialogue with leadership. The discipline requires different reactions and methods from practitioners depending on each scenario and its nuances, as well as an ability to look across the value chain and give respect to individual facets of the business that may seem unrelated, but are equally as vital to BC success.
1. Those with a response remit need to maintain a calm, methodical approach in difficult times, to have built and maintained trusted relationships with key stakeholders, and to have earned the respect of individuals around the crisis management table. Stakeholders will require guidance and navigation, and a great BC practitioner supports them, leads them, and does everything in their power to ensure that each is successful in their role and objectives.
2. The very best practitioners have a genuine passion, energy and enthusiasm for what they do. They communicate complex messages in a succinct and effective manner, leverage the power of storytelling to ensure that their message is relatable, raise awareness and understanding, and articulate value. They are ambassadors for their discipline, recruiting supporters and champions. They have the ear of leadership and use this wisely to deliver both messaging and action.
A great BC manager connects the dots across functions that contribute to their firm’s broader resilience: information security, risk, physical security and technology, to name just a few. The need isn’t to be an expert in each discipline, but to recognise interdependencies, linkages, opportunities for collaboration, synergy and value creation. There are also times when the BC manager needs to play devil’s advocate, to respectfully speak up and challenge the information and assumptions presented. To listen, interpret and question. At times this requires courage.
Much of the above sounds ‘big picture’, but exceptional BC managers also demonstrate attention to detail, a high quality threshold, and project management skills to drive and deliver results. Above all, the highly effective BC manager learns from their experiences and mistakes, and continually seeks out opportunities to evolve themselves, their team, their programme and their organization.
Ready for a challenge? What are your goals to evolve yourself, your team, your programme and your organization in the year to come? Hone in on no more than five core objectives and plot out the steps required to realise each.

Heather Merchan is global BC and Crisis Management Lead for Deloitte in the US. Her almost 20-year experience in the business continuity sector includes management roles at Bank of America, KPMG UK and Deloitte UK. Since 2015 she has been a BCI USA Chapter board member.
TECHNOLOGY
TECH ROUND UP: Best new tech this month

Protection against DNS menaces
EfficientIP, a leading provider of network security and automation systems, is combining its domain name system (DNS) Guardian technology with Cisco’s network security product suite, Umbrella. The aim is to create a best-of-breed solution to protect against the widest range of DNS-based “menaces”. With increasing cloud and Internet of Things usage, DNS has become a primary target for hackers – an attack can damage an organization’s brand reputation and revenue, as well as operational efficiency. Recent research by EfficientIP shows that in the past 12 months, 77% of companies suffered DNS attacks, and the cost per DNS attack increased by 57% to $715,000 in that same period. When combined, the technology safeguards data and protects users, whether they are on or off-network, as well as the on or off-premise DNS services they are accessing. www.efficientip.com

Blockchain bounty hunters
A former hacker is launching what is claimed to be the world’s first blockchain-powered cyber security solution. Uncloak combines distributed ledger technology with artificial intelligence (AI) and bug bounties (where individuals can earn recognition and rewards for reporting bugs). Uncloak CEO Tayo Dada – an ex-hacker turned cyber security expert – explains that the solution brings together pioneering technology and the human expertise of a network of ethical hackers to create next generation cyber security threat management. Uncloak identifies potential cyber threats that are on their way, enabling businesses to be prepared and suggesting solutions to secure their systems before threats arrive. It uses advanced AI to identify hackers, their behaviour and the information they are trading publicly on the internet or via the dark web. Bug bounties are put out using an automated blockchain system. https://uncloak.io

Third-party risk management
Fusion is providing a new third-party management offering in its latest business continuity and risk management software, which helps to directly engage with vendors and other external communities in an integrated system. It means organizations can manage and mitigate risk to the perimeter of their enterprises and throughout their supply chain. The Fusion Framework System is also designed to help manage the resource-intensive vendor assessment process and incorporate third parties directly into their broader risk management and resiliency strategies. Fusion’s vision is to provide organizations with command-and-control through “a single pane of glass”. www.fusionrm.com

End-to-end critical event management
Everbridge has launched its latest critical event management (CEM) platform, a turnkey system that unifies its Visual Command Centre (VCC) software and suite of CEM applications. The software company has combined real-time threat intelligence with situational awareness and creates an end-to-end operating environment that enables customers to take an “assess, locate, act and analyse” approach to managing critical events. It allows customers to detect and assess a threat, pinpoint the location of employees at risk and initiate incident workflows to mitigate or eliminate its impact. It also conducts an analysis of actions taken and generates metrics to measure outcomes and make improvements in preparation for the next critical event. www.everbridge.com

Making informed weather decisions
Analysis and decision support solutions firm DTN is acquiring Weather Decision Technologies (WDT) to enhance its weather technology platform and help customers make weather-related decisions. WDT serves the offshore, live events, energy, agriculture, healthcare, retail and supplier, and data science industries. The acquisition brings together expert meteorological teams with advanced technology to create a scalable platform that provides accurate weather forecasts and analytics-based decision-support tools that mitigate risk and improve an organization’s safety and sustainability. www.dtn.com
CASE STUDY: EXERCISES
BY COLIN COTTELL
PREPARING FOR REAL
Throwing up all manner of disruptive scenarios, an industry-wide exercise has been proving beneficial to BC/R professionals in Hong Kong
CASE STUDY: WISE2017

THE EVENT: WISE2017 (Whole Industry Simulation Exercise), Hong Kong, October 2017.

THE SCOPE: A four-hour exercise involving around 1,000 personnel from 45 banks and other financial institutions from across Hong Kong. Aimed at testing, exercising and developing their crisis management capability and skills.

WHO WAS INVOLVED: Most participants worked at senior levels within crisis management. Participating organizations included Barclays, HSBC, Bank of America Merrill Lynch, UBS, and Schroder Investment Management. Authorities participating included the Technology Crime Bureau of the Hong Kong Police Force and the Stock Exchange of Hong Kong.

HOW IT WORKED: The banks’ crisis management teams, based in their own offices dispersed around Hong Kong’s financial district, were fed a number of scenarios through a web portal. The portal provided newsfeeds, stock market tickers, and videos (known as injects) of simulated unfolding events. Injects were also delivered through telephone calls, SMS and emails.

OTHER DETAILS: Crisis Management Teams (CMTs) could also communicate with simulated parties, who had gathered in a 32-desk command centre in central Hong Kong. Parties included a real-life member of the financial press and volunteers who played the role of the authorities, market data providers, the exchanges, clearing houses, IT companies, as well as the police and other emergency services. CMTs were also able to communicate with one another.

BENEFITS: An industry-wide event draws more high-level expertise, allows need-to-know knowledge sharing between organizations and requires less effort from individual organizations, and the quality of, and immersion in, scenarios are greater.

POST-EVENT REPORT: “Some firms have a well-structured, mandated and experienced major incident or Crisis Management Team (CMT). They swiftly activate the crisis management structure as a habitual response to an incident. The team uses all of its available expertise without letting this delay a prompt response. However, some organizations rely on ad-hoc gatherings in incident situations, which can mean they can be overwhelmed by events.” The report says a failing was “confusion over the delegation and execution of tasks”.

RECOMMENDATIONS: Let no one individual on a CMT team dominate the activity. Create more bespoke injects so not everyone is faced with the same scenario.

Anti-capitalist protests on the streets, floods, power outages, and nuclear accidents – all of these are among the real-life events faced by Willem Hoekstra during his 18 years as a business continuity (BC) management professional working in the banking sector. “The biggest one I have experienced was at ABN AMRO bank,” says the Dutch native, Head of Business Continuity at Nomura Asia ex-Japan, “where the sprinkler installation burst over the trading floor – a massive event – a trading floor with 650 traders.”

While Hoekstra accepts that nothing can approach the intensity of real life incidents like this, in his capacity as chair of the Hong Kong Financial Services Business Continuity Management Forum Hoekstra has been the driving force behind an initiative designed to be the next best thing.

WISE2017 organisers delivered two sets of scenarios. The first involved cyber threats and was made up of three strands: a malware infection, a SWIFT payment system compromise, and finally a ransomware attack. The second scenario, which began after a ‘time-jump’ to the following day, centred on a physical terror attack.
Leigh Farina, one of two exercise directors located in the command centre during WISE2017, was responsible for delivering the exercise to participants. A senior Business Continuity and Crisis manager in her day job at HSBC in Hong Kong, she says the industry-wide nature of the event was particularly important: it replicated both the interdependency of banks and other players in the financial services sector and the interactions that take place between them during a real market-wide incident. This interaction includes “the volume of calls between counterparties, the need to understand how other banks are responding and the pressure to maintain communications and customer relations better than our competitors”, Farina says. “We cannot really create this and really understand the issues if we don’t have other participants in the market feeling the same pain.” Feedback from participants was “very positive”, Farina adds.

Participating organizations benefit from such events in other ways too, Hoekstra says: “How to make the right decision under difficult circumstances is a skill that you can train for and learn - that is part of what this exercise is about.” Other benefits to individual participants include familiarising oneself with plans and procedures, learning how to use tools such as emergency notification systems, and validating the quality of CM plans.

WISE2017 was also designed to test and evaluate the capability of the industry to manage systemic risk, such as the Stock Market not being open, a natural concern to Hong Kong authorities. By way of example, Hoekstra says, “If there were to be a pandemic, would banks still be able to get their market data from Bloomberg and Reuters?” Hoekstra says WISE is a useful forum to test whether the recovery plans of different players across the sector are aligned. Both the Hong Kong Monetary Authority and the Securities and Futures Commission welcome the initiative, he adds.

Although Hoekstra is pleased with how WISE2017 went, he is keen to dig deeper to understand the lessons for both participants, and the wider industry. “The whole thing is to identify your shortcomings as well as your systemic risk to the industry,” he says.

Based on feedback, CMTs were far more comfortable with the terrorist attack scenario than the cyber scenario. Hoekstra explains that while “everyone was expecting” a cyber attack and a ransomware incident, what made the cyber scenario more challenging was adding in corrupted data, meaning “that data becomes unreliable but you don’t know to what extent it is unreliable”. “We saw most companies had difficulties with this. The senior management don’t understand IT and how it works, and how it can all go wrong,” he says. A detailed evaluation report produced after the exercise showed that half of participants did not have adequate or tested plans to deal with cyber extortion.
HOW WISE HAS EVOLVED SINCE WISE2015
• Wider industry participation: 45 organizations rather than 25, including securities firms and asset management companies
• An external party (Control Risks) was contracted to help plan, provide secretarial support and deliver the exercise together with a team of volunteer industry professionals
• Individual benchmark reporting to help participating organizations understand how they fare against industry peers
Similarly, the report notes that while “cyber incident response teams (CIRTS) are common, not many have a cyber incident policy or plan”. In contrast, Hoekstra says, “generally people felt their plans and their capability for dealing with a physical attack were pretty much up to standard”. He goes on to say, “Most people were comfortable with those type of scenarios – evacuating a building, going to a recovery site and so forth.”

Another important finding was that while “everyone felt the exercise was very useful, cost efficient and immersive”, the performance of participants was patchy, Hoekstra says: “Some organizations are very quick in making decisions – so if you throw a lot of injects at them they are comfortable with that, otherwise they get bored. Whereas other firms felt there was too much information and too many things happening, and they couldn’t deal with it all.” In general, Hoekstra says: “the smaller local firms were struggling a bit more than the international firms”. The post-event evaluation report confirmed that crisis management capabilities vary across the industry (see the WISE2017 case study box).

Post-event feedback also revealed that while many organizations have both a Cyber Incident Response Team (CIRT) and a Crisis Management Team (CMT), often the two teams fail to work together effectively. Ideally, the CMT should deal with the stakeholders, the customers and the authorities while the CIRT “should try to solve, isolate and deal with the technicalities of the cyber event”. Instead, too often “the CMT gets dragged into solving the actual technical problem. They try to become instant experts”, Hoekstra says. “That is the biggest mistake you can make as a CMT.”

WISE2017 also highlighted the importance of leadership during an incident, and in particular leaders’ ability to get the best out of their team. As the post-event evaluation notes, “Some teams are dominated by individuals, instead of using all members.” “He or she needs to make sure no people are too dominant,” responds Hoekstra. “Especially when there is a lot of stress, some people fall completely silent, and particularly when they are concerned about their family, or things going wrong.”

WISE2017 also provided valuable insights into the challenges faced by those organising similar events. One of the greater challenges was to make the exercise interesting to banks right across the spectrum. For instance, some banks have ATMs, or cashpoints, in the street for consumers. On the other hand, the main activity of investment banks is business-to-business, and they have deep relationships with data providers, such as Bloomberg.

In the same way, it is important that scenarios are designed so all CMTs’ members across the functional spectrum are engaged. “There will be someone from the HR team. How do you make it interesting for that person to sit there for four hours?” Hoekstra explains.

Looking forward to WISE2019, Hoekstra says, the ambition is to build “an even bigger and even more comprehensive exercise”. “The sky’s the limit,” he says, revealing how he would like to see the biennial exercise develop into a continental event, involving Singapore, Australia and Japan. “Many of these incidents don’t have boundaries, they don’t have borders, so an exercise at regional level could be very interesting.”
SPECIAL REPORT
TOMORROW’S WORLD
VISIONARY RESILIENCE
BY SUE WEEKES
Institutionalising the approach to resilience, a network of cities has set its sights on ensuring the global community is ready to survive, adapt and grow, whatever the world of tomorrow holds
The California wildfires that struck in November were another horrific reminder of nature’s ability to turn on itself, leaving man powerless to react. News reports told how 50mph winds caused Camp Fire, as it was called, to rapidly grow in just a few hours while flames from fires further south in the state jumped the highway and swept into the upmarket resort of Malibu. Reportedly, around 6,700 homes and businesses were destroyed in the town of Paradise.

The wildfires were the latest in a swathe of global natural disasters in 2018 that included hurricanes, severe storms and major earthquakes, such as those that hit the Indonesian islands of Lombok and Sulawesi. The cost to human life has been dear and those affected go on paying for months, if not years, in terms of the losses and damage to property, livelihoods and lifestyles.

For Business Continuity (BC) professionals, the events of 2018 have underlined that, even with increasing amounts of data and clever algorithms that can predict the future, uncertainty and unpredictability have to be factored in. And the best defence to these is finding ways to build resilience into their strategies.

In parallel with mounting global threats though is the evolution of advanced and powerful technologies in areas such as Artificial Intelligence (AI), machine learning and big data that will play a key part in resilience strategies. Such tools can help BC professionals aggregate and integrate data into their decision-making processes, more accurately assess risk, monitor assets and resources and build resilience into their infrastructure more efficiently and effectively than ever before.

100 Resilient Cities (100RC), an organization pioneered by The Rockefeller Foundation, is dedicated to helping cities around the world become more resilient to the physical, social and economic challenges that are a growing part of the 21st century. “If we flash forward 30 years, the most resilient cities will be the ones that took the time today to plan for tomorrow,” says Jason Whittet, Associate Director, Innovation in Urban Data and Technology at 100RC. “Cities are facing ever-increasing threats from urbanisation, globalisation and climate change. Ever more interconnected, cities will also be home to 75% of the world’s population by the year 2050.

“They will become more vulnerable to the effects of climate change in that time, in addition to growing migrant populations, inadequate infrastructure, pandemics, cyber attacks, to name a few of the most pressing challenges.”

As well as what it calls the shocks – earthquakes, fires, floods – 100RC also wants to help cities manage the stresses that weaken their fabric “on a day-to-day or cyclical basis”. Examples include high unemployment, an overtaxed or inefficient public transportation system, endemic violence, or chronic food and water shortages. Its view is that by addressing both the shocks and the stresses, a city becomes more able to respond to adverse events and is in a better position to function in both good times and bad, to all populations.

Cities in the 100RC network have “institutionalised” their approach to resilience by creating offices of resilience, helmed by chief resilience officers. “Resilience is what helps cities adapt and transform in the face of these challenges, helping them to prepare for both the expected and the unexpected,” says Whittet, who defines urban resilience as “the capacity of individuals, communities, institutions, businesses, and systems within a city to survive, adapt, and grow no matter what kinds of chronic stresses and acute shocks they experience”.

As constituent parts of cities and towns, businesses around the globe need to adopt a similar mindset. “Recent innovations in technology are allowing cities to do things never before possible, like advanced land-use and planning, predictive crime analytics, intelligent transportation systems and robust digital service delivery,” says Whittet. “Together these comprise the foundational elements of the essential digital infrastructure that cities will build upon, as new innovations like AI, autonomy, and the Internet of Things [IoT] evolve. Making the most of this moment and these technologies is essential for building urban resilience.” (See box.)

For BC and Resilience professionals, it isn’t just about using these technologies for building resilience and underpinning infrastructures for the years ahead, but also how they will impact their organizations in general. At the dawn of the Fourth Industrial Revolution, technology is reinventing business processes and digital transformation is at the top of the agenda for many organizations. Technologies such as AI and robotics, the IoT, autonomous vehicles and blockchain will potentially bring major operational improvements that help to keep businesses running efficiently and effectively. While these technologies may be deployed by operations and IT, BC needs to understand how they are changing company processes if the organization’s reliance on them is to be reflected in their plans and procedures.

It is not only about technology though. Dr Erica Seville, Executive Director of New Zealand-based Resilient Organizations and author of How to Survive, Thrive and Create Opportunities through Crisis and Change, reckons one of the biggest long-term threats for organizations is how “poorly suited” standard planning processes are for our rapidly changing world. “There is a great quote from Bill Gates that says, ‘We always overestimate the change that will occur in the next two years and underestimate the change that will occur in the next 10’,” she says. “The changes coming are often hard for us to even imagine, let alone plan for. This means we are essentially needing to plan long-term investments under conditions of deep uncertainty about what the future will look like. I worry that we will continue to keep planning and preparing for today’s world rather than tomorrow’s.”

Seville adds that standard techniques don’t deal with conditions of “deep uncertainty” and urges businesses to look at some of the emerging robust decision making (RDM) techniques and dynamic adaptive policy pathways. “There are some great new techniques starting to be developed for decision-making under deep uncertainty, and I hope these will become more mainstream over time,” she says. She believes that while predictive analytics could play a part in opening our minds to the different types of futures that are possible, thinking we know what will happen could mean running into trouble. “The fundamental principle underlying deep uncertainty techniques is that it is actually really difficult to predict what the future will hold and therefore we shouldn’t kid ourselves that we can predict what lies ahead, but should actually make decisions and choices now that will set us up for whatever future eventuates.”

Ensuring Business Continuity and Resilience (BC/R) strategies are at the top of an organization’s agenda, though, is perhaps the biggest defence to the uncertain, volatile and complex world in which organizations continue to find themselves operating. James Royds, an independent Risk, Crisis and Continuity Management Consultant whose client base includes Middle Eastern companies, explains that the United Arab Emirates (UAE) has mandated that organizations build resilience into their operations. This is helped by having a culture of senior management engaging with BC/R strategies, as they see it as a way to improve governance and decision-making. “On the conference circuit, senior management will be at the front row of the auditorium,” he says, adding that organizations are focused on the “what if?” as well as the “how much?”.

“The bottom line is that people are doing Business Continuity and Resilience not because they have been told to by an auditor but because it makes good business sense.” He adds that this translates as a very simplistic model: “We need to understand what our organizations do before, during and after an event and integrate three key disciplines – risk, crisis and continuity management – in a seamless linear process. It makes good commercial sense: three disciplines for the price of one.”

Royds adds that while historically organizations in the region struggled with what resilience meant and needed guidance in understanding and applying resilience concepts, once a common understanding is achieved it becomes the “first bullet” at monthly management meetings. The BC community believes organizations around the globe need to take a similar approach and move resilience to the top of the business agenda before it is too late. As Whittet succinctly concludes: “The biggest threats to resilience are time and inaction.”

KEY POINT: GETTING THE SKILLS RIGHT
As well as having the right tools in place, the right people, processes and, especially, the right skills must be behind them. Says Graeme Parker of Parker Solutions Group, “The people behind these tools might need a slightly different skillset such as data science and data analytical skills to be able to assess why an event might suggest something suspicious is happening.” At 100 Resilient Cities (100RC), the focus on skills is centred on capabilities, or guiding principles for every city and partner the organization works with. Nicole Bohrer-Kaplan, 100RC spokeswoman, says, “Cities and organizations are complex beings, yet extensive analysis reveals a common set of factors and systems that enhance their ability to survive, adapt, and grow in the face of adversity.” These range, she adds, from economic and social systems to effective leadership and strategy. “To build resilience, these systems must be planned for and ultimately function in a way that can withstand, respond to and adapt more readily to shocks and stresses.” Systems exhibiting certain characteristics are better able to foster resilience, she says. They are:
• being accepting of change (as in resilient and robust)
• organizing resources (redundant, flexible and resourceful)
• engaging with other systems (inclusive and integrated).

WHAT IS 100RC?
100 Resilient Cities was founded in 2013, formed of an initial group of 32 cities. Cities in the 100RC network are provided with the resources necessary to develop a roadmap to resilience along four main pathways:
1 Financial and logistical guidance for establishing an innovative new position in city government, a Chief Resilience Officer, who will lead the city’s resilience efforts
2 Expert support for development of a robust resilience strategy
3 Access to solutions, service providers, and partners from the private, public and NGO sectors who can help them develop and implement their resilience strategies
4 Membership of a global network of member cities who can learn from and help each other.

TECHNOLOGY: THE DOUBLE-EDGED SWORD
Cyber incidents are listed as the most feared trigger for business interruption for the first time on the Allianz Risk Barometer in 2018. Five years ago, they were ranked the 15th most important business risk overall, but have moved up to second place.

Cyber security strategies are a key part of building resilience but the very technology that is used to make organizations work smarter can also expose organizations to new vulnerabilities. Business Continuity professionals, therefore, need to work hand-in-hand with IT rather than in silos, stresses Graeme Parker, a Cyber Security Risk Professional and Managing Director of Parker Solutions Group.

The rise of the IoT and connected devices within organizations is one of the biggest areas of concern. A smart sensor, for instance, may help to make a building more energy efficient or enable it to monitor an asset but it also provides a way in for hackers. “The growth of IoT devices without proper control is providing a bigger attack platform and allows a hacker to then escalate an attack on the network,” says Parker, who cites the case of a major US retailer whose network was attacked via sensor devices on its freezers.

One of the problems is that many connected devices are not deployed by IT. “Facilities, for instance, could go off and implement an internet-connected, IP-driven CCTV system and, with all due respect to those teams, they may not have network security expertise nor understand the vulnerabilities they are introducing.” Parker acknowledges that organizations need and want to embrace technology, but says they need to ensure they have the tools and technologies in place to quickly identify when a device has been added to the network, and also advises the use of segregated zones to add another layer of security.

Parker points to a new generation of incident and event security monitoring tools that use AI and machine learning to pull log data from multiple devices and piece together a story that enables a security analyst to see the bigger picture. “And if you can see the bigger picture, you are more able to quickly detect a cyber attack early on,” he says, adding that there is an increasing realisation that no matter what preventative controls are in place, there is no such thing as “unbreachable security”. “It is not a case of ‘if you get compromised’, but ‘you have been compromised’, so can you spot it and do you have the ability to react to it?”
BUSINESS CONTINUITY AND DATA PROTECTION… NO “STAND-ALONE” DOMAINS!
A business continuity adverse event can give false impressions... and hide or cause a data-breach! For instance, a telecom outage (Nr 1 in the hit-parade of business continuity events) can eventually cause risks to data subjects or cause non-functioning data protection (GDPR) processes. Our solutions in business continuity and data protection are fully interoperable and provide all needed links between both governance domains.
• Methodic data protection compliance
• Integrated data protection intelligence
• Maturity and compliance proofing
• Rights and freedoms case logging
• Breach management case logging
• Integrated continuity intelligence
• Crisis specific response system
• Risk management module for continuity-, information-, cyber- and data protection risk
• Business alignment features
• 3-level testing, prevention module, guidance and instructions, dashboards, storing documents,...
info@realbcp.com www.realbcp.com www.realdpg.com
PROFILE
THE TOUGHEST INTERIM BRIEF EVER?
When James Lindsay was taken on as an interim consultant at Cambridge Analytica, little did he realise he would soon be in the eye of a media and political storm
INTERVIEW BY COLIN COTTELL
When James Lindsay began working for a small data-driven advertising and political consultancy in late September 2017, little did he suspect that within six months he would be embroiled in a desperate battle to manage a crisis of such magnitude and intensity that it not only threatened the existence of the company, but would be raised in the UK parliament, the subject of US Congressional and Senate hearings, debated in the Canadian, EU and Nigerian parliaments, and also hold the front pages of the UK and US press for 10 consecutive days.
Lindsay admits that he was surprised by the scale and intensity of the crisis that followed. “So you have a company of 110 and you are going to go from having a little bit of bad publicity to getting mentioned 22,000 times a day in the global press. You can’t imagine that,” he says.
That company was Cambridge Analytica (CA) and as the media storm broke, Lindsay soon found himself trying to manage the crisis that occurred when the company hit the headlines in relation to the Donald Trump campaign, Steve Bannon and the use of Facebook data. CA became the subject of controversy in countries such as India, Nigeria, Sri Lanka and Mexico.
Building on claims first published in the UK’s Guardian and Observer newspapers in early 2017, on 18 March 2018 multiple media outlets in the US and the UK published allegations that CA had acquired and used personal data about Facebook users from an external researcher, who had told Facebook he was collecting it for academic purposes.
Lindsay describes the moment the reality of the situation hit home. “On Wednesday afternoon [14 March 2018] I went into [CA CEO] Alexander Nix’s office, and he said ‘The most terrible thing has happened’ and he showed me three letters - one from the Guardian, one from the New York Times, and from Channel 4 detailing the allegations they were about to publish.”
Soon afterwards Nix was suspended by the company after Channel 4 News broadcast video footage in which he was seen to be talking about unethical tactics to help political clients to win elections, including entrapment and the use of ‘honey pots’ on clients’ political opponents, all allegations that were denied by the organization at the time.
In response, the Information Commissioner’s Office (ICO) applied for a warrant to search CA’s London offices. This was shortly followed by an eight-hour night raid. Ironically, CA had been working on a number of different projects with the ICO since early 2017, Lindsay says. Facebook then banned the company from advertising on its platform, cutting off a valuable source of income from the 40% of its clients who advertised on Facebook.
Although Lindsay’s brief as an Interim Consultant at CA did not include crisis management, he had previously been part of crisis management teams that had successfully dealt with one-off political events, denial of building access, people and IT systems. Having seen the allegations against CA, and judging them to be “grossly unfair”, he says he felt compelled to assist the company in getting through the crisis: “I looked at my CV, and I saw ‘crisis manager’, so I thought, ‘Let’s fight this’.”
Fighting the allegations
Despite his wealth of experience, Lindsay had never dealt with anything quite like this. During the media storm that followed, he says CA was mentioned in the press on average 22,000 times a day. “It was just us in the company and five people from the outside PR agency. It’s a lonely place to be,” he says.
Lindsay assembled a crisis management team, made up of the heads of department in the business. In a small company such as CA, there’s little difference between the senior management and the crisis management team. “It was the same people that you have around the table at a senior management meeting – just a different but much more focused agenda.” On most days, the team he chaired met twice a day – morning and afternoon – with team members from the US dialling in.
With allegations swirling around, and uncertainty prevalent, Lindsay says his primary concern was for the company’s staff: “How are they going to pay their bills and mortgage at the end of the month? That’s what it boils down to.”
Conscious that these highly-qualified employees, including 40 with PhDs, might decide to leave, Lindsay knew it was vital to keep people fully informed. Central to this, he explains, were ‘town hall’ meetings “held pretty much every afternoon”, at which staff were told what the media was saying, and what the company was doing: “We were very conscious that we needed to tell the staff first before any bad news got out there.”
Staff could ask questions anonymously, and they didn’t hold back. Lindsay says one asked the new CEO – Nix’s successor – how long he was going to remain in his job. “There was a complete flow of information,” he says.
As the media spotlight intensified, the pressure on staff became enormous. Despite the distractions and uncertainty, Lindsay says that ultimately, only 12 of the 110 staff resigned. “I think we treated our staff really well,” he says.
Lindsay too felt the strain of working 24/7 for seven weeks, saying: “Of course that gives you a problem, because you have so much stuff going around in your head that sleep becomes a real issue.” In fact, getting enough sleep was an item on his crisis management agenda: “You must be rested; otherwise, it is draining, absolutely exhausting.”
CAREER: JAMES LINDSAY
MARCH – MAY 2018: Interim Head of Crisis Management, Cambridge Analytica
OCT 2017 – FEB 2018: Management Consultant, SCL Group
SEP – OCT 2017: Programme Manager – Contractor, Crowe Howarth International
NOV 2016 – AUG 2017: Programme Manager – Contractor – Agile, RBS
2014 – 2016: Programme Manager – business continuity, then compliance, Sainsbury’s Bank
2013 – 2014: Senior Programme Manager – resilience, RBS
2004 – 2013: Various compliance, change management, resilience and regulatory roles at Department for Work and Pensions, Constellation Europe, Lloyds Banking Group, Torus Insurance
1986 – 2007: Officer – British Army & Territorial Army
PHOTOGRAPHY BY PETER SEARLE
Battling the bad press
In response to the “voracious needs of the newspapers” and facing a torrent of media coverage, as well as a constant stream of claims and allegations, PR was a key element in the company’s efforts to manage the crisis. Rather than entertaining the impossible task of trying to rebut every allegation as it arose, he says the PR strategy was “to create a baseline and to draw a line in the sand. We were a small team and company. You can’t possibly manage and respond to 22,000 mentions in the press every day. You just can’t do it”.
The company’s head of PR worked with a small external PR company to develop a coherent communications strategy and counter the allegations. One approach was to push out and keep repeating ‘10 things you need to know about Cambridge Analytica’. This was eventually published on a dedicated website to manage the publicity. Twitter was used to distribute the message worldwide, with the aim of having the 150 most influential global journalists look at the company’s Twitter feed first thing in their morning.
From day one, he says, the strategy was always to be completely truthful: “We didn’t publish any statement unless it was thoroughly researched and signed off by a director and the head of PR.”
However, the company’s ability to respond effectively to the tide of allegations was limited by the lack of media-trained staff. In a small company such as CA, it is unlikely that media training for multiple people could be justified on the one-off chance of a media storm. However, this was to prove costly, especially after Nix, the sole CA person with media experience, was suspended by the company. Although the company eventually found a spokesperson in the UK, the strength of media pressure meant this move did little to stem the tide of damaging publicity. However, an effective spokesperson in the US in particular would have made a big difference, Lindsay suggests.
A simple example of misleading information being spread about the company involved photographs taken of some crates being moved out of the office block it shared with other companies. This was reported as showing that CA was trying to hide something from the ICO. In fact, Lindsay says, “the crates had nothing to do with us”. However, the matter was still brought up by a parliamentary select committee months later.
“The reality was, there was just too much noise out there to get our voice heard,” Lindsay says. The biggest challenge that he and his team faced was simply being so stretched: “We were responding to press enquiries, preparing people for select committee hearings, getting people press-trained, managing our security, feeding information to the board, looking after our clients, running the town halls, setting up an alternative brand and trying to find a spokesperson for the company – at the same time as continuing to evolve and implement both a recovery and a PR strategy, trying to set up another brand, and we were trying to do all this within the seven weeks,” he explains.
Critical challenges
As the crisis deepened, concerns grew about the effect on the company’s clients. The organization attempted to hold the line mainly by encouraging account managers to openly communicate with their clients. “Customers had confidence in Cambridge, so they wanted to carry on working with the company,” says Lindsay. But as the crisis continued, Lindsay adds “they got to a certain point when they went onto hold”. He notes: “Additionally, 40% of their customers used Facebook for advertising and Facebook cut us off; this was unhelpful.”
Matters took a further turn for the worse after the Channel 4 News broadcast on Nix. However, even as the situation worsened daily, Lindsay and the management team were not prepared to take it lying down. “We decided the Cambridge Analytica name was so tainted that the only approach was to rebrand.
“We had been considering rebranding in late 2017 and thus had done some of the thinking. This crisis was about the political side of the business, and it was unfair that the commercial side was getting blamed for something which had nothing to do with them.”
He saw that part of his role as crisis manager was to give the board options allowing them to decide what to do next. Faced with an ICO investigation that he estimates would have taken up to eight months, the need to pump at least seven to nine months’ worth of operating money into the company to keep it going, and with clients in a holding pattern, as well as 22 potentially costly litigation cases in the US, the directors chose to close CA. They filed for insolvency on 1 May in the UK and in the US less than two months after the crisis began. “The board felt it too costly to carry on,” he says.
Cambridge Analytica is no more, but when asked whether in retrospect he would have done anything differently, after a pause, Lindsay reflects: “If I look at it purely in terms of a crisis management role, my role was to create time and space to keep the company together so the board could make a decision. We achieved that.”
BCI GLOBAL AWARDS
RECOGNISING THE BEST IN THE INDUSTRY
Around 300 guests from around the world attended the BCI Global Awards Gala Dinner on 6 November at the Novotel London West to see an international array of Business Continuity/Resilience practitioners and organizations be recognised for their contributions to the profession
BCI GLOBAL AWARDS WINNERS 2018
Industry Personality: Vikrant Varshney MBCI (India)
Most Effective Recovery: Walgreens Business Continuity (Americas)
Continuity and Resilience Consultant: Steve Mellish Hon FBCI (Europe)
Continuity and Resilience Provider: Mimecast Mailbox Community by Mimecast (Africa)
Continuity and Resilience Professional (Private Sector): Wasim Malik AFBCI (Australasia)
Continuity and Resilience Professional (Public Sector): Matthew Coffey AFBCI (Australasia)
Continuity and Resilience Newcomer: Morgan Perry AMBCI (Americas)
Continuity and Resilience Innovation: Cognizant Technology Solution, Cognizant Corporate BCM – OneBCM Tool Team
Continuity and Resilience Team: Standard Life Aberdeen PLC – Business Resilience Team
Outgoing BCI Chair James McAlister becomes Chair of the Judging Panel in 2019
Kicked off by headline sponsor ReadiNow with a series of Beatles-themed jokes offered by company General Manager Digital Transformation Eric De Vos, the evening got underway with presentations of BCI Gifted and Honorary Grades. The nine global awards followed. And rounding off the celebration was a nightcap of dancing to the RnB sounds of HandfullaSoul.
Iain Taylor has been the first and only Chair of the Judging Panel
Judging panel Chair calls it a day
By DeeDee Doke
One of the most recognisable faces of the BCI Global Awards is stepping away from his role as Chair of the BCI Judging Panel. Named Chair five years ago, Iain Taylor, Hon FBCI, was the first to hold the position. He is handing over the reins to outgoing BCI Chairman James McAlister for the 2019 awards season. He is also stepping away from his other BCI volunteer role of Lead Assessor.
“I firmly believe that this is now the right time in my life for me to step away and let others take up the mantle,” Taylor said of his decision. “My life has changed dramatically with two granddaughters, and my wife and I want to spend more precious time with them.
“Additionally,” he said, “my other recreational passions are golf and table-officiating basketball, both of which take up a lot of time. By stepping down in both my volunteer roles at the BCI, I won’t be tied down to the timelines required for judging the awards and any queries on assessments.”
The strongest memory of his time at the helm of the judging panel was, Taylor said, “probably seeing how the awards have blossomed over the years. They’re now showing record numbers of submissions across the globe, and within the BC and wider resilience fraternity, they now recognise these awards as the most prestigious.
“Where they started from to where they are today shows how the world of Business Continuity has evolved and continues as a pure discipline within the wider context of resilience.”
A new approach was introduced this year in selecting the recipient of the Global Industry Personality of the Year Award. A judging panel incorporating two judges from each region adjudicated the entries, which were the winners of the regional personality of the year awards. “We believe that by this approach, it’s eliminated any regional bias,” he said.
Reflecting on his tenure, he said he expected he would miss attending the awards ceremonies “especially the global one. The people I’ve met over the years are characters in their own right, and I think I’ll miss the interaction I have with them”. However, he added jokingly, “I will not miss the phone calls from the central office when there is a problem!”
A BCI member since 1994, asked what advice he would give his successor, Taylor said: “I don’t think I have to offer him any advice. We had a great hand-over meeting after the conference, and we discussed ways the process and the awards could be improved.
“He’s his own man, and I’m confident the awards will continue to flourish over the next few years under his stewardship.
“But advice?” he mused. “Be ready for some very strange calls!”
NEWS FROM THE BCI
BCI NEWS
BCI AWARDS 2019
BCI Awards 2019 Dates
The BCI Awards honour Business Continuity and Resilience professionals and organizations worldwide. It’s the most prestigious event in the Business Continuity calendar. Here are all the important dates you need to know regarding entry dates, submission deadlines and the dates and locations for the 2019 Awards:
Awards | Open for entry | Entry deadline | Date | Location
India & South Asia | 9 Nov | 4 Jan | 1 March | Bangalore, India
Middle East | 20 Dec | 14 Feb | 11 April | Dubai, UAE
Americas | 22 Dec | 16 Feb | 14 April | New Orleans, US
European | 17 Jan | 28 Feb | 9 May | Hamburg, Germany
Australasia | 11 March | 22 April | 1 July | Sydney, Australia
Africa | 22 May | 3 July | 11 Sept | Johannesburg, South Africa
Asia | 21 Feb | 18 April | 13 June | Hong Kong
Global | – | – | 5 Nov | London, UK
There are nine BCI award categories. Eight are scored by a panel of judges. The Industry Personality award is open for a member vote. Winners from the regional awards are automatically entered into the BCI Global Awards, which will take place 5 November 2019 at BCI World, London. For more details, visit thebci.org/comm/awards.html
EVENTS
BCI World 2019 Programme Advisory Group
Ahead of BCI World 2019, we invited members of the Business Continuity and Resilience community to express their interest in assisting with designing the 2019 conference programme. We received 72 submissions and are delighted to announce that 12 people have been selected to be part of the advisory group to shape the conference of the future. Meet the Group:
Agnidipta Sarkar, Global Information Risk & Continuity Officer at DXC Technology; David Freeman, Head of Crisis, Risk and Resilience EMEA at Amazon; Scott Baldwin MBCI, Director of Enterprise Resilience at Symantec; John Bernard, Director of Group Corporate Security (Global) at Aviva; Yew Kwong Bernard Ng AFBCI, Head of Business Continuity at AIA; Marcus Oxley, Director/Principal Consultant at Resilience Solutions; Wasim Malik AFBCI, Global Head of BCM at Bravura Solutions; Rolf Von Roessing FBCI, Partner at FORFA CONSULTUNG AG; David Warham MBCI, Head of Response and Recovery Planning at Dubai Airports; Sarah Armstrong-Smith MBCI, Head of Continuity and Resilience at Fujitsu; Eve-Marie Cormier MBCI, Senior Advisor at Caisse de dépôt et placement du Québec (CDPQ); Mike Blinko, Business Continuity Manager – Controls Systems at Rolls-Royce.
REPORT
Brexit Readiness Tracker
We are pleased to announce that the BCI has launched its first ‘Brexit Preparedness Report’ based on the Brexit Readiness Tracker, designed to provide insight on how prepared organizations are across the globe to deal with Brexit coming into action in March 2019. This report will be published every month in the run-up to the exit date.
The tracker is intended to provide both a barometer of companies’ sentiment towards the various Brexit options as the leave date approaches, but also to give a rounded view of business preparedness. From the results, the BCI research team will be able to build a powerful picture of how prepared global businesses are, as well as providing respondents with the ability to benchmark themselves against their peers.
As Brexit will have a global impact, we welcome entries from organizations based all over the world. Brexit has the potential to be a disruptive event for the UK and EU, but it could also be an opportunity for other countries to build new relationships and agreements with the UK and vice versa. That is why we believe it is important to get a global picture on the level of preparedness for Brexit.
The survey will be running every month in the run up to Brexit to help gauge how sentiment is changing. To participate, please keep an eye out for the monthly survey on our website.
NEXT GENERATION PRACTITIONER
Q&A
Elodie Huet
NATIONALITY: French
TIME IN THE PROFESSION: Three-and-a-half years
FIRST JOB IN BUSINESS CONTINUITY/RESILIENCE: This is my first proper job in the industry
CURRENT EMPLOYER: Arup www.arup.com
CURRENT ROLE: Business Continuity Consultant
FAVOURITE ASPECT OF THE WORK: I like interacting with people, and I really like analysis. You have all this information and have to make sense of it. You have to decipher everything that is given to you, really analyse the data and put it into a business continuity picture
What attracted you into the industry and how did you get into it?
I was working in Mexico in 2012, doing a graduate job for a CSR [Corporate Social Responsibility] agency, and there was a huge earthquake – 7.8 on the Richter Scale – and another one a couple of days later. I found it really stressful. I couldn’t sleep properly or do my job properly. Afterwards, I felt that if I had known more about earthquakes, what to do and what not to do, I would have reacted better. So I decided to do a Master’s degree in Risk Disaster and Resilience at University College London, focusing on business continuity (BC). It took me a year to find a job after graduating.
What is your biggest learning to date?
Some myth busting around IT. I always thought I wouldn’t understand IT, but I’ve learnt that you don’t need to be a techie to understand the concepts – how the IT side works, about cyber risks and how IT fits with and supports the business as a whole.
What is the best career advice you have received?
To keep learning. You need to be curious about other disciplines, such as risk management and psychology – managing people, people’s behaviour, dealing with culture change, etc. A former mentor gave me this advice.
In your opinion, why should more people join the BC community?
You get to engage with people. You discover things about the business that others don’t necessarily see or understand. And because you really understand how the business works, you have the opportunity to influence how the business needs to change in order to make it more resilient.
What is your career ambition?
To become a BC manager. I want to be implementing what I think needs to happen, producing tangible results, being able to influence an organization and people, which is the most challenging thing.
Continuity & Resilience is the magazine of the Business Continuity Institute and is published four times a year.
BUSINESS CONTINUITY INSTITUTE 10-11 Southview Park, Marsack Street, Caversham, Berkshire, RG4 5AF tel: +44 (0) 118 947 8215 bci@thebci.org | www.thebci.org
ISSN 2517-8148
EDITOR DeeDee Doke deedee.doke@redactive.co.uk
ASSISTANT EDITOR Patrick Appleton patrick.appleton@redactive.co.uk
REPORTERS Colin Cottell colin.cottell@redactive.co.uk, Graham Simons graham.simons@redactive.co.uk
CONTRIBUTING WRITERS Sue Weekes
LEAD DESIGNER Carrie Bremner
PRODUCTION EDITOR Vanessa Townsend
PICTURE EDITOR Claire Echavarry
SENIOR SALES EXECUTIVE Andrew Penny Tel: +44 (0) 20 7880 7661 andrew.penny@redactive.co.uk
PRODUCTION DIRECTOR Jane Easterman Tel: +44 (0) 20 7880 6248 jane.easterman@redactive.co.uk
PUBLISHING DIRECTOR Aaron Nicholls Tel: +44 (0) 20 7880 8547 aaron.nicholls@redactive.co.uk
PRINTER The Manson Group, St. Albans
PUBLISHED BY Redactive Publishing Ltd Level 5, 78 Chamber Street, London, E1 8BL Tel: +44 (0) 20 7880 6200 www.redactive.co.uk
© Business Continuity Institute 2018 The views expressed in C&R are not necessarily those of the Business Continuity Institute. All efforts have been taken to ensure the accuracy of the information published in C&R. However, the publisher accepts no responsibility for any inaccuracies or errors and omissions in the information produced in this publication.
No information contained in this publication may be used or reproduced without the prior permission of the Business Continuity Institute.
Recycle your magazine’s plastic wrap. Check your local facilities to find out how.
WHAT A GREAT IDEA
MY LIGHTBULB MOMENT
“I don’t think BC can survive by just living on its own”
John T Frost, Head of Business Continuity, Marks & Spencer
Time for a change
Last year, we took the decision at Marks & Spencer to galvanise resilience functions across the organization to create a more collaborative approach to resilience, rather than Business Continuity (BC) being a stand-alone function. For one, I don’t think BC can survive by just living on its own; and two, the risks, hazards and incidents that affect any organization now always seem to involve multiple risk teams. Therefore, when developing the My Safety Channel and My Safety App, we saw this as a fantastic opportunity to deliver the resilience message in our organization across eight different risk functions as one team, rather than just having one app.
What sparked it for me was the opportunity to improve organizational resilience in our business – for BC to be the conductor and lead the collaboration. As the lead for BC across M&S, what struck me was crisis management was implicated for reasons that weren’t core BC – potential cyber, data or security incidents. Rather than talk about a place where I was, it’s been more about a number of moments in time when with the incidents that were happening, for me, we needed a different approach; it was time for change.
IMAGES: GETTY, SHUTTERSTOCK
AWARDS
The BCI Awards honour business continuity and resilience professionals and organizations worldwide. Visit thebci.org/comm/awards.html on the open dates listed below to find out how to enter a nomination in your region:
Awards | Open for Entry | Date of Event | Location
India & South Asia | 9th November | 1st March | Bangalore, India
Middle East | 20th December | 11th April | Dubai, UAE
Americas | 22nd December | 14th April | New Orleans, USA
European | 17th January | 9th May | Hamburg, Germany
Australasia | 11th March | 1st July | Sydney, Australia
Africa | 22nd May | 11th September | Johannesburg
Asia | 21st February | 13th June | Hong Kong
Global | – | 5th November | London, UK
There are nine BCI award categories. Eight are scored by a panel of judges. The Industry Personality award is open for a public vote. Winners from the regional awards are automatically entered into the BCI Global Awards, which will take place 5th November 2019 at BCI World, London.
For more details about the BCI Awards visit: thebci.org/comm/awards.html
www.thebci.org
THANK YOU TO EVERYONE WHO ATTENDED BCI WORLD 2018
Super Early Bird Tickets for BCI World 2019 are now available from thebci.org/bciworld2019 5-6th November 2019 Register now to secure your place at the lowest price
www.thebci.org