THE MAGAZINE OF THE BUSINESS CONTINUITY INSTITUTE | Q3 2018
THROUGH How businesses addressed continuity and resilience in the face of terror
Cover_Q3_Continuity & Resilience Magazine 1
15/08/2018 11:05
An award-winning incident management platform UDGLFDOO\ GLÎ?HUHQW IURP LWV FRPSHWLWRUV
Our USPs Š 3ODWIRUP EXLOW IURP WKH XVHU XSZDUGV ZLWK DQ LQWXLWLYH QDWLYH PRELOH DSS Š (DVH RI GHSOR\PHQW ZLWK D TXLFN VWDUW VHOI LPSOHPHQWDWLRQ RSWLRQ Š 7HPSODWHV DQG LQFLGHQW OLEUDU\ WR KHOS RUJDQLVDWLRQV ZLWKRXW D %& SODQ Š 6LPSOH SULFLQJ PRQWKO\ VXEVFULSWLRQ RSWLRQ ORZ WRWDO FRVW RI RZQHUVKLS
Go to www.crises-control.com/request-a-demo. html and quote “C&Râ€? to get ÂŁ100 in telecoms credit
2XU YLVLRQ LV WR GHOLYHU XQLČ´HG GHSHQGDEOH secure communications to organisations and WKHLU SHRSOH DW WLPHV RI GLVUXSWLRQ
www.crises-control.com Š Š 35(3$5( &20081Ζ&$7( 3527(&7
BCI.Q32018.002.indd 2
15/08/2018 11:24
Q3 2018 | ISSUE 3
12 REGULARS 04 Welcome 06 News BCI World 2018 awaits, Q&A with our outgoing Chairman
16
F E AT U R E S
36 BCI News 10 Debate
SPECIAL REPORT
20
16 Mastering the servers
20 SPECIAL REPORT: Battling through barriers
32 Telling the untold story
37 Appointments Who’s moved and where in the industry
38 My Lightbulb Moment Resilience Operations Manager at Barclays, Prakash D’mello, says business continuity starts at home
15 Tech Round-up
The London Bridge terror attack saw companies in the surrounding area facing an unprecedented challenge as they and the community struggled to return to normality
Looking after people emotionally is key to ensuring organizations are prepared for an incident, says the businesswoman and scholar
Continuity & Resilience Review set for launch in 2019, Education Month
12 Interaction Opinion: In being resilience-ready, synergy is the equaliser Expert View: Workplace mental health – getting it right
The Internet of Things offers plenty of opportunities to business continuity professionals, but security is vital
28 PROFILE: Dr Aarti Anhal
Testing your BC plan is essential, but often neglected. How can testing be made as realistic and effective as possible?
News from: Sirius Computer Solutions, Rubrik, Veeam, AVDS and Orbital Insight
15
28
BCI India Chapter’s Think Tank offers solutions to aid continuity and resilience as India’s rapid economic growth continues
COVER PHOTO: GETTY IMAGES
contents_Q3_Continuity & Resilience Magazine 3
15/08/2018 16:08
LEADERS’ MESSAGES
WELCOME JAMES MCALISTER FBCI
Intelligent use of info is key
T
he centrepiece of this quarter’s Continuity & Resilience looks at terrorism’s impact on business continuity and in particular, what has become known as the London Bridge attack. As a former police officer, I strongly believe that the best way to deal with the consequences of terrorism, following the emergency response phase, is good information management. Since moving from the public to the private sector, I have found a general lack of understanding of how to turn information into intelligence. Many crisis management teams do not even see the difference between the two. I view information as merely unprocessed
data. Data on its own has no meaning without context. The purpose of managing information in a crisis is to enable the decision-makers to be ‘situationally aware’ so that they can make the best possible decisions, based on what is actually happening. As organizational resilience practitioners, the context for us is, how will the aftermath of the attack impact our organization in terms of people, workspace, transportation, suppliers? Information without context can make people panic, resulting in poor decisions. The UN uses an information management model which any organization could adopt. In summary,
it covers: Collect – obtaining credible information from reliable sources; Process – store it so that it can be found easily; Analyse – apply context; and Disseminate – give it to the right people, in the right format, at the right time. The most difficult aspect is analysis. However, most large 21st century companies have analysts who, with some alternative thinking could adapt their skills and become excellent information managers, able to produce the kind of intelligence that really makes a difference in a terrorist attack or crisis. James McAlister FBCI Chairman, BCI
D AV I D T H O R P
I
n Q2’s opinion piece in Continuity & Resilience, one of our long-standing supporters and good friend of the BCI, Geoff Howard, Chairman of Continuity Shop, set out the growing opportunity for spreading the BCM message in China and contrasted this with the BCI’s decline in real terms there since 2012. Indeed between 2009 and 2012 we held four conferences in China yet achieved a high-water mark of only 91 members during that time. It’s relatively easy to understand why the board took the view that the effort and expenditure was unsustainable in the long-term; that’s a lot of investment of time, effort and money for less than 100 members after
four years of continuing effort. Perhaps it’s less apparent why the BCI has not subsequently returned to a market that is undergoing rapid growth in both the need for and its awareness of BCM. In explaining this I’m reminded of Peter Drucker, one of the great business thinkers of the 20th Century. He explained that usually an organization can’t be successful unless it concentrates its resources; these resources might be defined as time, money, or anything else that might lead to effective market penetration and growth. Drucker’s thinking can be paraphrased in two sentences. It is concentration of resources rather than a specific solution that leads to success in a market. Massing and concentration of resources are critical to success in new markets, particularly where those resources are finite. The BCI is currently in the second
P H OTO G RA P H Y: A K I N FALOP E
Growth needs a strategy
4 C O N TIN UITY & R E S IL IE N C E | Q3 2 0 18
Chairs message_Q3_Continuity & Resilience Magazine 4
15/08/2018 11:16
DEEDEE DOKE
Editor’s comment
W
hen terror strikes, understandably it is the violence and the human toll of death and injury that make the headlines. However, the story that must also be told is of resilience – getting a community and its businesses back on their feet and back at work as soon as is practical and possible. The loss of human life and horrific life-changing injuries cannot be mitigated. But resilience lets us deny the perpetrators of terrorism their ultimate goal of long-term devastation and loss. That’s the story we share with you in this issue of Continuity & Resilience. Have you ever noticed how themes emerge sometimes in conversations over a period of weeks? In our Q3 issue, a number of threads developed around organizational silos. It’s a red flag to all of us involved in BC/R that siloing is a problem at its tipping point. How do we move our organizations towards better communications and interaction? See our stimulating Opinion column by Anthony Pizzitola and Profile of Dr Aarti Anhal for their thoughts on necessary changes to the silo tradition. I look forward to meeting you at BCI World Conference and Exhibition in November!
year of a five-year strategy cycle and this strategy requires that we target our resources where they will be most effective. We currently have strategic growth markets elsewhere than China that require this concentration to be successful. An organization our size can’t concentrate and be strong everywhere. Only once we have hit our pre-determined targets, delivered on our goals and created a sustainable and growing presence in these markets will the BCI move on to focus our resources on the next growth market if the investment will bear fruit. What’s happening in China does provide temptation. However, concentration of resources in pursuit of strategy does mean economising the use of resources elsewhere. To pursue a tempting market that is outside the strategic plan will result in diverted resource and a less effective application of the strategy to the carefully targeted markets. BCI members can be reassured, however, that spreading the BCI’s influence and voice to new markets is very much part of our work and excellent inroads are being made already in several markets.
DeeDee Doke Editor
David Thorp Executive Director, BCI
5 C O N TIN UITY & R E S IL IE N C E | Q3 2 0 18
Chairs message_Q3_Continuity & Resilience Magazine 5
15/08/2018 11:16
G LO BA L N E W S U P D AT E
B C I WO R L D CO N F E R E N C E
Leaders in continuity and resilience gearing up for BCI World By Colin Cottell Business continuity (BC) and resilience professionals from around the world will descend on London in November to attend this year’s BCI World Conference & Exhibition. BCI World 2018, which takes place at the Novotel London West on 6 and 7 November, is an opportunity for the business continuity and resilience community to hear from some of the sector’s leading practitioners, learn about the latest industry developments and best practice, stay up-to-date with the latest research, and network with their peers. Adjoining the conference, the BCI World Exhibition, the largest of its type in Europe, will provide attendees with the opportunity to learn about the many
“will bring an outsider perspective on our industry”. In addition to these
innovative and exciting products and services designed for the BC/R professional market. The theme of this year’s conference is ‘Resilience Through Relationships’. “We will be exploring what influence a BC team can have when there is greater trust and discussion between departments within an organization,” says Ruth Elmore, events manager at the BCI. Last year 376 delegates attended the conference, also held in London, with a total footfall of 1,020 – including speakers, staff, volunteers, visitors and delegates – over the two days. Elmore says bookings for this year “are currently tracking well against last year”. The conference programme features three exciting keynote speakers, who according to Elmore,
KEYNOTE SPEAKERS
1
Scott Gould, advisor and author of The Shape of Engagement, will discuss strategies that he has seen work with other large-scale industries to win over staff in global settings to conform willingly to new practices.
2
James Lindsay will share the experience of finding himself in the centre of a global news story and having to move from another role and step up to the crisis management plate at the headline-making Cambridge Analytica.
3
Jessica Barker will provide a sneak peek into the mindset of cyber security teams to help you find common ground to start an effective working relationship.
plenary keynotes, attendees have the choice of a wide range of thought-provoking and informative breakout sessions, including workshops and a panel discussion, led and facilitated by leading BC professionals and experts. Topics include corporate resilience, supply chain risk management, crisis management, and psychology, among many others. To supplement the programme content, this year will see the launch of a conference app. “This will feature a networking facilitation, games, live polling, programme
6 CONTINUITY & RESILIENCE | Q3 2018
Amended by Jane for online.indd 6
22/08/2018 12:57
VISIT THE WEBSITE FOR MORE NEWS: WWW.THEBCI.ORG
376
1,020
delegates attended
total footfall in 2017
the conference last year which was also held in London
including speakers, staff, volunteers, visitors and delegates over the two days
BCI World Conference and Exhibition 2017 saw delegates attend from all over the world to discuss the issues facing business continuity and resilience
notifications and competitions, plus immediate feedback options,” says Elmore. Among the companies in attendance this year will be the headline sponsor Sungard Availability Services, supported by platinum sponsors ClearView Continuity, BlackBerry and Daisy Group, and gold sponsors Everbridge, Regus, Fusion Risk Management and Business Continuity Training Ltd. An exciting range of organizations have already signed up for the exhibition, and many more are expected to come onboard to showcase products and services.
“I am particularly pleased that we will be hosting a careers room, open to delegates and exhibition visitors alike, which will specifically delve into professional development, transferrable skills, and perspectives from newcomers and experienced hands” skills, and perspectives from newcomers and experienced hands,” Elmore says. Supplementing this will be ‘bite-sized’ seminars presented by exhibitors and Research Room workshops, which are 60-minute discussion-based sessions, led by the BCI’s Research &
Elmore expresses her delight at the breadth and depth of experience on offer. “I am particularly pleased that we will be hosting a careers room, open to delegates and exhibition visitors alike, which will specifically delve into professional development, transferrable
Insight Manager, Gianluca Riglietti CBCI. Those attending the exhibition will also have the opportunity to meet the Editor of BCI’s quarterly magazine Continuity & Resilience, DeeDee Doke. Following the daytime conference and exhibition on 6 November, delegates can join their fellow professionals for the BCI Global Awards at a gala dinner. The talent and achievements of BC/R professionals and organizations from around the world will be celebrated in highlighting the very best of the industry. Tickets for BCI World Conference and Exhibition 2018, including the gala dinner and Awards are available by visiting www.bciworld2018.com
7 CONTINUITY & RESILIENCE | Q3 2018
Amended by Jane for online-NEW.indd 7
29/08/2018 16:01
NEWS
Q&A JAMES MCALISTER, BUSINESS CONTINUITY INSTITUTE CHAIRMAN
‘Five-year strategy must remain in place’ Interview by Graham Simons
How would you characterise business continuity and resilience during your tenure? I feel it’s been one of evolution – moving from a purist business continuity approach to a more inclusive organizational resilience style. Good BC Managers always did organizational resilience but it’s now making everyone involve the complimentary resilience disciplines when planning including facilities, physical and, cyber security, logistics, ITC, HR, legal, risk. etc. they’ve all got to be involved. Otherwise, you can’t do business continuity really and you certainly can’t do organizational resilience. Describe the BCI when you became chairman and how would you assess the state of play as you leave this role? I believe the BCI is a true membership institute. It’s run by members for the business continuity and organizational resilience community. We have members at our heart and every strategic decision the board takes, and all that central office does is for the good of the members. We support our people through forums and chapters globally and the whole idea is to promote a community where people can exchange ideas, find help, assist each
other. I feel my tenure with regard to the institute was actually to look inwards. Central office had grown from a cottage industry without any real professional, modern business acumen. Even though it was doing very well, there was a lot of internal processes and working practices that needed dragging into the 21st century. I feel my role for the two years that I’ve been the chairman has been to try and achieve just that.
There’s been a new website, magazine and manifesto for organizational resilience – what has driven these? The old website was really clunky. It was very hard to navigate. It had a really awkward continued professional development module and lots of documents on it were out of date. What we needed to do was make the website and therefore ourselves more attractive to the wider organizational resilience group as well as our members. The BCI’s shop window to the world is our website nowadays. We had the old magazine
a really long time. We wanted the new magazine to reflect our dynamic approach going forward and we wanted it to be more business continuity and resilience focused. We wanted it to feel less like a newsletter and more like a professional news offering. With the manifesto, what we wanted to do was stimulate debate, let the world know that we believe business continuity is at the heart of organizational resilience. We wanted to reassure our community that we still have our fingers on the pulse of the changing discipline and thought leadership – we want to feature new ideas and methodologies to keep the institute and industry current and moving forward.
Knowing what you know now, what would you have done differently? The problem is, four years on the board and a two-year tenure as chairman is a short time to achieve anything. My aim was to professionalise central office, the administration arm of the institute. I definitely drove staff extremely hard. I put staff at central office under a lot of pressure to achieve results very quickly. With that in mind, we are looking at whether the positions on the board need to be of longer tenure.
There’s no such thing as quick wins in business continuity or organizational resilience. Everything is about getting it right medium-tolong-term where you will see your ideas blossom later
What’s been your biggest challenge in your role? It’s been changing central office culture and practices into a professional, modern administrative team. Which has meant from me providing a corporate
8 C O N TIN UITY & R E S IL IE N C E | Q3 2 0 18
QandA McAlister_Q3_Continuity & Resilience Magazine 8
15/08/2018 12:47
VISIT THE WEBSITE FOR MORE NEWS: WWW.THEBCI.ORG
Contracts and Deals Software provider Cordis Solutions has announced that 1&1 Internet has chosen its myFIdoc application in a bid to ensure uninterrupted business processes and improve overall efficiency
vision for central office and a few helpful suggestions. But I want to give the real thanks to David Thorp, his management team and every member of central office staff who over the past two years have made huge leaps towards achieving the board’s goals.
What would you regard as your most significant accomplishment? We have the institute heading towards a position where they are fit to fight for the future. We’ve got a new executive director, new management structure, new project management approach, a real robust five-year strategy that we will follow. I think one of my main accomplishments is bringing on three fantastic Non-executive Directors to the board. Nick Whittaker, who specialises in finance, Michael Truscott,
and productivity. 1&1 Internet is a web-hosting company that employs more than 7,000 people in 10 countries and has data centres in Europe and US. Medical and travel security services firm International
international legal, and Paul Baines, academia. We have really utilised their skills and experience, driving towards our strategic vision for the future. Nick is my right-hand man when it comes to looking at the accounts. In a previous life he was a big hitter in the corporate finance and audit world. He really scrutinises every penny we spend to make sure we stay on budget. We are a global institute and we’re looking to grow; Michael’s background in international legal franchises is perfect. He’s brought superb expertise in this area, as we want to make sure that as we expand we do it safely, avoiding any potential legal hiccups. Paul is a professor at Cranfield University. We’ve tapped into him for his strategy, academia and research abilities. And not forgetting we’ve got an all-new risk and governance committee, which is revitalising our approach in this area.
FA C T F I L E
IMAGE: GETTY IMAGES
A life in the force... I retired from the police four years ago, having spent most of my time either in specialist departments dealing with crisis, emergencies or civil protection. That’s how I spent almost my entire career dealing with major incidents both here and internationally. The later part of my career was dealing with international disasters. I was part of the European civil protection team that responded to the Chengdu earthquake in China 2008 and my final
SOS and professional services firm KPMG LLP have signed an agreement which will see the two organizations working together to help clients streamline their travel risk management processes. The firms will be collaborating across
mission before retiring was Operation Haiyan, the Philippines super typhoon in 2013. I first developed my interest in BC when working for the Association of Chief Police Officers back in 2004 where I was developing UK policing’s resilience plans.
That’s where my interest in BC started but everybody does BC really. It’s all about making sure that you have the right people and resources in place so that can continue to do your critical things. I feel that business continuity is in my blood. The police force is constantly under stress and pressure to meet its legal obligations – even during times of extreme pressure – terrorist incidents, disasters, floods etc. The police is all about saving lives and if you can’t save lives, then you are not much of a police force.
a number of their services, including high quality medical and security advice and assistance (provided by International SOS) and expertise in cross-border taxation, social security, immigration and HR policy (by KPMG).
How much is there still left to do? Plenty! I’ve planted lots of acorns and we’re watering and developing them, but I am never going to sit under their oak trees. When I was in the police – I hated that everybody was fixated with quick wins. There are no such things as quick wins in BC. Everything is about getting it right medium-to-long-term. That’s my position with the chairman’s role; there is plenty left to do for Tim Janes when he takes over in November. Have you got any advice for your successor? Stick to our five-year strategy and have confidence in the foundations that we are building. What does the future hold for you? As the chairman is a volunteer role, it takes up quite a bit of time. I have been running my own organizational resilience consultancy in tandem. I’m going to go back to focusing on that. And as all former chairmen of the BCI do, I’m looking forward to heckling from the backbenches. I can get involved in debates that as chairman I have not been able to. Also, because of my background, I’m keen on how business continuity works during a significant incident or crisis. I think I’ve got quite a lot to offer in that area because of my previous life. I want to get more involved driving that area of thought leadership. Any final word for BCI members? The BCI, from a board perspective, is in very safe hands. We have member services as our focus, and the membership should trust that business continuity will be at the heart of organizational resilience going forward.
9 CONTINUITY & RESILIENCE | Q3 2018
QandA McAlister_Q3_Continuity & Resilience Magazine-NEW 9
29/08/2018 16:00
D E BAT E
THE BIG QUESTION Testing your business continuity plan is essential, but often neglected. How can testing be made as realistic and effective as possible? A L A N T R U P, U K
Put people outside their comfort zone There is always going to be a difference in realism between an actual incident and an exercise, however there are various techniques I have developed to ensure maximum engagement from the participants. When participants start arguing in a passionate way with each other you know you have achieved the realism needed. Images: Add relevant pictures to the slides, find relevant images on the internet to the scenario, e.g. fire, flood. Image editing skills are useful but not essential.
Website modifications: Virtually all websites can be downloaded to your computer so go to bbc.co.uk or local newspaper website, save locally and then edit the html file in Notepad to change the headline or image to fit the scenario to be shown to the participants. It looks much more realistic especially if one of the participants is named in the ‘adjusted page’. You don’t need any coding skills – just Notepad and search and replace. Phone recording: Before the meeting pre-record a conversation with elements of the scenario and use as a tool by playing at an appropriate time in the exercise. Multiple rooms: If usually the incident team is split geographically, then run the exercise in two different rooms and only allow communication between rooms by phone/Skype. Alan Trup, MBCI, Consultant, ADT Business Continuity
SAC H I N KU M A R , A B U D H A B I
Don’t leave anything to chance Many surveys published recently seem to show that testing and exercising of business continuity (BC) plans and strategies is generally a weak area. There are a number of reasons for this, such as cost and time in staging the exercise/test, availability of resources, priorities, lack of top management engagement etc. To ensure the testing/exercising process is as realistic and effective as possible, the following should be considered. Objective: Defining realistic/appropriate objectives, single focus or integrated objectives. Audience: Consider relevance to the audience by ensuring the team composition is
10 C O N TIN UITY & R E S IL IE N C E | Q3 2 0 18
Big question_Q3_Continuity & Resilience Magazine 10
15/08/2018 11:18
D E B AT E
LISA JONES, US
Use a varied approach There are several approaches I use to ensure realistic and effective testing, such as organization-centric testing, using technology and validating disruption. A key to realistic testing is including your organization’s culture in the exercise. Use company-specific terminology such as employee titles and facility names. Also, use scenarios based on probable disruptions to your region. Events like terrorist attacks or active shooter are major threats, but weather events, loss of a facility or technology are more common occurrences to an organization. Also consider tailoring your exercise to recent disruptions to similar organizations within your industry.
I M A G E : I STO C K
appropriate to the incident scenario and the subsequently impacted teams and support functions are identified. Format: Exercise/test format should be relevant to the maturity level of the organization’s BCM programme i.e. desktop walk-through, component, ringfenced integrated or fully integrated. Scenario: An appropriate scenario to exercise against should be developed and must be relevant i.e. based on a realistic potential incident, an area of high risk or an impact that has already occurred in the organization. If the objective is to be able to respond to a given scenario, that needs to be made clear from the start; otherwise scenario finalisation can be left towards the end of the planning phase and designed accordingly. Time: Make sure there is plenty of time for the planning and execution and not a ‘last minute effort’ where quality is compromised and people cannot be engaged due to short notice. Sachin Kumar, BC Manager, Yas Marina Circuit, Abu Dhabi
Although a primary objective of BC practitioners is planning for the unavailability of technology, certain tools can still be incorporated into testing. Emergency notification tools are great ways to test communications within your teams. These can be sent by text messaging, voice broadcast or email to engage participants. Utilise business continuity planning (BCP) software by accessing plans or monitoring recovery steps. Many BCP software tools have the capability for users to track steps as they are completed. A lesson I’ve learned in test development is confirming the validity
of the testing scenario. During a test centred on loss of electrical power, I made certain assumptions without confirming backup capabilities. During the test, credibility in the scenario was lost due to the inaccuracy of the anticipated outcome and participants became disengaged. Talk to subject matter experts within your organization to ensure accuracy. Ultimately, realistic testing helps stakeholders build competencies for successful outcomes during real-time disruptions. Lisa Jones, CBCP, MBCI, BC Lead, Philadelphia & Thomas Jefferson University, and board member, BCI US Chapter
HENRY EE, SINGAPORE
Gradually build your plans In Asia it is common to see organizations adopt BCMS (business continuity management system) to adhere to customer or regulatory requirements. They test the bare minimum to attain audit conformity of ISO 22301 with diminutive input, effort and resources. These organizations tend to disregard the importance of verifying their recovery capabilities. Organizations should adopt a progressive approach when testing BCP. It is important to note that the scale of tests conducted greatly depend on the organization’s readiness, capability and familiarity with BCM. The more complicated an exercise is, the higher the risk and resources incurred. Organizations new to BCM may choose to start ‘small’ (e.g. emergency evacuation drills) as it inculcates familiarity with BCP, employee readiness and organizational preparedness.
As they mature, simulation exercises and functional tests that exude an added element of realism can be used to examine the integrity of the BCP and organizational response. This is done by carefully crafting scenarios and injecting threats that are imminent to the organization. Doing so enables organizations to verify recovery capabilities and to address risks that have been clearly defined during the organizational risk assessment. Maintaining a gradual approach to testing, while refining scenarios to address identified organizational risks is key to a more effective and realistic plan. Henry Ee, FBCI, CBCP, PMC, ACTA, ISO 22301 – Lead Auditor, Managing Director – Business Continuity Planning Asia, and Chairman – BCI Asia Chapter
11 C O N TIN UITY & R E S IL IE N C E | Q3 2 0 18
Big question_Q3_Continuity & Resilience Magazine 11
15/08/2018 11:19
INTERACTION
OPINION A N T H O N Y P I Z Z I TO L A
In being resilience-ready, synergy is the equaliser
A
s T.S. Eliot’s renowned poem The Waste Land says, “I will show you fear in a handful of dust”. In view of the magnitude of crisis organizations face daily, the famous line has grown exponentially beyond its 1922 publication date to 2018 where disasters are not only the new normal but the unspoken expectation. Shock permeates the workplace as pink slips are distributed when orders are cancelled. Most often professionals in risk, facilities and emergency management with disaster recovery and business continuity hibernate in office cubicles with no time to network, collaborate and prepare for pending disasters. Once a disaster strikes impacting a particular business line, that department investigates to ascertain where their prevention methods were compromised. And finger-pointing is inevitable. ‘Pay me now or pay me twice later’ is the warning and eventual reality of all disasters. Organizations pay now by insisting departments team and schedule proactive collaboration meetings to jointly inspect their facilities and initiate a plan to eliminate or at a minimum mitigate damages from disasters. The strategy is simple. During the facility inspection, each department should point out infractions that once cured will implement resilience measures required. Business executives should not balk at the
labour time allotment or cost of corrective measures as they could be victimised by the ‘pay me twice later’ warning. As business continuity professionals, our primary objective is to allow executives to continue business operations under adverse conditions. Most departments will suggest they do not have an orientation to another department’s issues and corrections. The rebuttal is that another’s issues may be everyone’s downfall. Synergy is the equaliser against this. In one form or another we all perform risk analysis and business impact analysis specific to our department and notice potential issues within our expertise. It takes a village. The synergy can be increased to include participation in exercises and drills. Disaster plans can be practiced by all departments. Vendors, suppliers and external agencies should be invited to determine gaps in exercises and drills and assist for process improvement. Our synergy will build a wall of organization resilience and become the equaliser for known and unknown threats. After all, we are 24/7 organizations.
Departments will suggest they do not have an orientation to another department’s issues, but this may be everyone’s downfall
THIS QUARTER’S BEST TWEETS TWITTER @THEBCEYE
Neil Cattermull @NeilCattermull June 13 Here we go again! When are we ever going to take Information Security seriously! Dixons Carphone has admitted a huge data breach involving 5.9m payment cards and 1.2m personal data records @rebeladm #infosec #cloud #cybersecurity #iot #bigdata
BCM Germany @BCM_Germany July 23 By investing in ongoing awareness and training, ensuring that people, processes and technology are all harnessed effectively together, organizations have a better chance of stopping breaches, and relentless attacks by cybercriminals. #businesscontinuity
John Eary @JohnEaryJEC July 26 So how often do you test your Business Continuity Plans with an exercise? #crisismanagement #businesscontinuityexercise https://t.co/xou7D4elzO
Jim Mitchell @JMitchell52 August 3
Anthony Pizzitola CFM MBCP AFBCI is a facilities and disaster recovery professional. His wealth of experience includes drawing up a hurricane response plan and 16 emergency disaster response plans for ExxonMobil’s 385acre campus in Spring, Texas.
Your assumption that Responders will – or can – be available in a #BusinessContinuity emergency, could be a route to Disaster http://ow.ly/41Nn30hAiXQ #ITDR
12 C O N TIN UITY & R E S IL IE N C E | Q3 2 0 18
Interaction opin_Q3_Continuity & Resilience Magazine 12
15/08/2018 11:20
INTERACTION
EXPERT VIEW L I Z R OY L E
Improving workplace mental health – how to get it right
W
ithout recovering our people, we can’t fully recover our business. However, misconceptions about the management of mental health in a crisis can mean we are less efficient than we could be. The spotlight is increasingly on people as an integral part of business continuity. Sickness absence tends to peak after a crisis at work, leaving staffing levels critically low. For employees remaining in work, acute stress can lead to problems with concentration, focus and decision-making leaving the organization vulnerable to human error. When managing this impact, most organizations want to do the right thing, but a lack of knowledge can cause problems. Here are three of the biggest misconceptions about the management of mental health in a crisis.
1
“Having an Employee Assistance Provider (EAP) is enough.”
Many organizations believe that, with an Employee Assistance Plan (EAP), they can just refer everyone who needs help. Research shows that most people only need good social support and psychological education about common reactions and self-help strategies. Offering referrals to mental health professionals in the EAP is the equivalent of sending every physical injury to a hospital. Many people will not want this level of support and either get no help – or wait until their symptoms escalate before accessing it.
2
“We can get counsellors in to support our people.”
A number of well-intentioned organizations arrange for “counsellors” to be available at work for people to speak to if they wish. Whilst this may sound reasonable, it is usually ineffective. There are two important clinical facts to consider here: firstly, those who most need help are least likely to seek it; secondly, where people are simply talking about what happened, there is no evidence this will help, and unstructured counselling is potentially harmful at this stage.
So how can organizations improve their people response? To improve their people response, organizations must have a needs-based continuum of care including self-help information, management support, psychological first-aiders (in high-risk organizations) and access to crisis mental health support. All these clinically effective measures ensure a range of support for the range of reactions. If mental health professionals are brought into work, their focus should be on regaining psychological stability, mobilising personal resources and normalising reactions. Give them an opportunity to introduce themselves to groups, briefly offer some simple advice and strategies on reactions. This breaks down barriers and increases the chances of people using the service. Involve managers. They know their teams and can pick up on subtle changes. Encourage a working environment where issues can be raised in a timely manner and identify those who may need more assistance. Effective treatments, social support, leadership, psychological education and early intervention not only lead to faster recovery for those affected but also positively influence productivity, motivation, attendance (short and longterm) and retention. And that’s good for everyone.
Research shows that managers are crucial to the recovery of their teams. Good leadership and workplace support not only promote resilience but facilitate recovery
3
“It’s best left to the professionals.”
Research shows that managers are crucial to team recovery. Good leadership and workplace support not only promote resilience but facilitate recovery. However, there is often a delegation of responsibility to HR, the EAP or other health professional. Managers are at the frontline of managing distressed people in work, the impact on daily operations and sickness absence. They are ideally placed to provide a consistent, familiar, supportive presence. We spend most of our waking life at work and delegating to the professionals can be perceived as lack of interest, stigmatising and isolating.
Dr Liz Royle started her career in psychological trauma in 1996. Her experience includes working within the police where she was responsible for developing policies and procedures for managing the psychological impact of major incidents. She has substantial hands-on experience of providing 24/7 emergency cover following traumatic incidents.
13 C O N TIN UITY & R E S IL IE N C E | Q3 2 0 18
Interaction opin_Q3_Continuity & Resilience Magazine 13
15/08/2018 11:20
Arriving September 2018…
Discover Organizational Resilience
Join us throughout the month of September when the BCI will be delivering: Educational Webinars
Exclusive Content
Thought-leading Resources
Generous BCI Course Discounts
Education Month is the BCI’s leading annual campaign promoting business continuity and resilience training and learning opportunities across the globe. Students and Newcomers: Boost your potential with discounted BCI training courses and thought leadership promoting best practice Professionals: Enhance your professional development and improve your skills with our packed webinar programme, exclusive content and more…
For more information, visit www.thebci.org/events/event-calendar.html and find the event in September’s listings.
BCI.Q32018.014.indd 14
15/08/2018 11:24
TECHNOLOGY
Shaping inbound and outbound customer contact during a disaster Contact centre communications specialist Automated Voice & Data Solutions (AVDS), is partnering with ContactRelief to offer its clients in the credit collections industry improved communications in both natural and man-made disasters. ContactRelief’s Disaster Decision Engine uses multiple authoritative information sources and configurable rules to make precise recommendations to amplify, suspend or resume contact in areas affected by disasters. As a disaster passes, accurate recovery data enables contact centres to resume customer interactions, reducing its impact. AVDS is a Gold Partner for the Genesys customer experience range of solutions, and the Disaster Decision Engine will work with Genesys PureCloud, PureConnect and PureEngage telephony systems. www.avds.com www.contactrelief.com
Disaster recovery in a package
Geospatial bundle comes to the rescue of government organizations Orbital Insight is exclusively bundling its geospatial analytics technology products with the emergency flood mapping services of e-GEOS for US government organizations. It provides government customers with a timely understanding of both full flood extent, extracted from SAR (synthetic aperture radar) satellite data, and the magnitude of the impact, based on multiple data inputs including hydraulic modelling, field observations and social media. The US government relies on multiple information sources during a natural disaster and this partnership, combined with Orbital’s core capabilities in geospatial analytics, enables immediate, multi-sensor intelligence to better serve first responders, disaster risk management and humanitarian relief efforts. www.orbitalinsight.com www.e-geos.com
TECH ROUND UP Best new tech this month
IT solutions integrator Sirius Computer Solutions and managed services provider Recovery Point Systems are expanding their partnership to offer a packaged and multi-platform disaster recovery-as-aservice (DRaaS) solution. It enables clients to build a robust and compliant business continuity and disaster recovery strategy and helps organizations to evolve their IT operations to support hybrid cloud-base deployments. It means they can build resilience into their Rubrik has launched an cloud-based IT environment intelligent application to rather than bolt it on at defend against ransomware. Polaris Radar, built on the Polaris a later date. With clients’ software-as-a-service platform, uses machine learning to understand resiliency requirements how users behave and how data evolves over time so it can generate extending beyond simple alerts when it detects anomalies. It continuously analyses environments server recovery, the packaged and maps activity so enterprises can quickly identify which applications DRaaS solution can be and data were affected. It also automates a manual recovery process deployed as a fully managed with intelligent workflows and is designed to help establish a single service level agreementcrisis management team. Rubrik and third-party developers can use based business process Polaris’ open APIs (application programming interfaces) to integrate resilience solution. Radar into existing monitoring dashboards and security operations. www.siriuscom.com www.rubrik.com www.recoverypoint.com
BEST NEW TECH
Putting crisis management on the radar
Protecting critical Microsoft applications Veeam Software has extended back-up for Microsoft Office 365 with 50 new features that claim to provide fast and efficient data protection and recovery, as well as helping customers to meet legal and compliance requirements. Backup for Microsoft Office 362 v2 protects data inside the Office 365 infrastructure and enhances the automatic data replication Microsoft provides across its data centres. When combined, Veeam and Microsoft’s technology enables enterprises to have complete control of their data and ensures availability to users across Exchange Online, SharePoint Online and OneDrive for Business. With Veeam, IT departments can back-up Office 365 on-premise or to the cloud with Microsoft Azure, Amazon AWS, IBM Cloud and more than 18,000 service providers. www.veeam.com
15 C O N TIN UITY & R E S IL IE N C E | Q3 2 0 18
Tech round up_Q3_Continuity & Resilience Magazine 15
15/08/2018 11:20
INTERNET OF THINGS
MASTERING THE SERVERS The Internet of Things offers plenty of opportunities for business continuity, but addressing them accurately and securely is vital BY SUE WEEKES
16 CONTINUITY & RESILIENCE | Q3 2018
Internet of thin_Q3_Continuity & Resilience Magazine 16
15/08/2018 13:12
INTERNET OF THINGS
INTERNET OF THINGS
AN EXPLAINER Why do certain objects need the powers of communications offered through the Internet of Things (IoT)? The answer to this question can be either long – given the myriad of uses of the IoT – or short: to provide a stakeholder in that object with useful information. A good current example of the latter is the smart meter that can be connected via an IoT network to transmit accurate meter readings to utility companies about a household’s usage. Today, the IoT appears to be present in virtually every industry sector. When it comes to transport, vehicleto-everything (V2X) technology
W
e were told it would revolutionise life and work in the 90s, that the ‘Internet of Things’ (IoT) would soon see our kitchen appliances able to talk to us. The phrase was first coined almost 20 years ago, but the IoT will soon be arriving at an appliance near you, if it hasn’t already. With devices graduating from interaction with humans to now connecting independently with other devices, business continuity (BC) professionals are being advised to be proactive in addressing the opportunities this brings, before those opportunities mutate into significant problems. The IoT is a network of ‘things’, which can range from big objects such as a car or streetlamps to smaller ones such as home and office appliances that are embedded with electronics, software, sensors and connectivity. This enables them to communicate and
is helping cars to exchange information about, for instance, road and traffic conditions. In healthcare, wearable devices with sensors are helping monitor air quality for those with respiratory conditions. Meanwhile, cities are increasingly making use of the IoT to gain information on subjects such as pollution or traffic and transportation, with sensors embedded in streetlights streaming large amounts of data back to councils.
transmit and exchange data about themselves or even what they ‘see’. In June, the analyst IDC Research said the IoT is at a turning point with projects moving from proofof-concept into commercial deployments and global spending is likely to hit $1.2tn (£930bn) by 2022. Meanwhile, Machina Research predicts that there will be 27bn connected devices by 2025, but some put the total even higher with the latest Business Insider Intelligence report putting the figure at more than 55bn by the same year, up from around 9bn in 2017. For business continuity professionals, the IoT is a double-edged sword. There is a raft of applications where it can be used to build more resilience into processes (see box on pp18-19) but it also introduces new vulnerabilities and has huge implications in areas such as cyber security. An area in which it has clear-cut applications is the monitoring of assets, enabling organizations to put in place far more proactive and predictive maintenance strategies. This can bring major cost and time-saving benefits when it comes to
17 CONTINUITY & RESILIENCE | Q3 2018
Internet of thin_Q3_Continuity & Resilience Magazine 17
15/08/2018 13:12
INTERNET OF THINGS
remote assets in far-flung, hard-to-reach locations such as in the oil industry. As the IoT constantly expands and becomes ever more pervasive with a foot in almost every possible industrial sector, BC professionals must educate themselves of its potential benefits and downsides. “At the business level, your business is going to be disrupted. The only question is whether you do the disruption or someone else eats your lunch,” says Stephen Mellor, chief technical officer for the Industrial Internet Consortium, which seeks to set the standards, best practices and processes of the Industrial Internet/ and Industrial Internet of Things (IIoT). “At a technical level, the benefits are improved asset efficiency, and the collection of data for analysis can also engender insights into operations and the business.” The risks are considerable, though, especially when it comes to security. “Once you breach the ‘air gap’ your systems are open to the whole world, from the hacker in his mother’s basement to governments trying to steal your intellectual property,” says Mellor. “Consequently, security has to be taken very seriously from boardroom to the chief security officer and on down. But it’s not that simple. Security is only one aspect of trustworthiness, which is your ultimate goal. Trustworthiness is a combination of security, privacy, reliability, safety and resilience. These key system
5
1
Internet of thin_Q3_Continuity & Resilience Magazine 18
characteristics can conflict and they must be reconciled across information technology (IT) and operational technology (OT).” Compounding the security problems is that most IoT interfaces have not been designed with security in mind, says Colin Tankard, managing director of data security specialist Digital Pathways. He explains that the user log-on is “generally weak” and allows for a ‘man in the middle’ attack as the protocols used for the connection tend not to be secure. “Security needs to be the starting point, not an afterthought. It needs to have a layered approach with areas such as encryption being the foundation of the security strategy,” he explains. “From this point, access control and encryption can be linked together to ensure that only the correct person, with the right credentials, is allowed to access the data. Far too often, administrators have access to everything rather than the few servers for which they are responsible.” To make matters worse, today’s networks can suffer from other attacks that are hard to detect. Tankard highlights something called “fileless attacks” – a new breed of malware with no signature of recognised profile, meaning it is not detected by anti-virus software. “What is needed is a system which detects unusual behaviour in machines, servers or users and from this, recognises the attack and proactively stops it,
INTERNET OF THINGS
FIVE EXAMPLES OF THE IOT IN ACTION Cutting the cost of corrosion repair CorrosionRADAR, a spin-out from Cranfield University, and Scotland’s Innovation Centre for Sensor and Imaging Systems (Censis) are involved in a 12-month project using the IoT to tackle a huge challenge for the oil and gas, nuclear, renewables and construction sectors of how to detect corrosion hidden under insulation. It will explore the use of remote sensors to monitor corrosion without the need to physically remove it. In the oil and gas industry alone, the cost of monitoring corrosion under insulation is estimated at £3.5bn annually. As well as cost-cutting, the project also reduces the need for people to work in hazardous conditions.
2
Locating maintenance crews for urgent repairs The Port of Barcelona launched a pilot programme earlier this year which uses the IoT to help dispatch the closest maintenance crews available for urgent facility repair work. IoT specialist firm Kerlink, and DataLong16, a leader in assetmonitoring solutions, are running the pilot which can determine the exact location of the 10 vehicles in the port’s maintenance fleet in real-time. The companies also claim the network will aid urgent facility and equipment repairs by deploying staff nearest to the scene using a similar method.
18 CONTINUITY & RESILIENCE | Q3 2018
15/08/2018 13:12
INTERNET OF THINGS
reducing the spread of the malware to other users or networks,” he says. Business continuity professionals must ensure that they have the right people around the table when it comes to security discussions related to the IoT. Not only is it a highly complex area in terms of IT, but the IoT is also evolving continuously. Mellor says that the single biggest challenge of an IoT project is “understanding what you don’t know”. “Put your operations manager in charge, and there’s a risk they will miss key IT issues. Conversely, the IT guy may miss critical features of the process,” he warns. “So you need to converge not just operational and information technologies, but also the people, with their different vocabularies and emphases.” Clearly, such discussions must involve a data security expert, and BC professionals should quiz them on the level of device protection being considered and what it means, as well as the approach used for all of the interconnections. The business continuity plan must also spell out how all systems are updated and audited. Tankard adds that the plan itself needs security consideration, too: “In so far as how any updates are
“What is needed is a system which detects unusual behaviour in machines, servers or users and from this, recognises the attack and proactively stops it, reducing the spread of the malware to other users or networks”
3
The power to monitor critical utility assets New York state’s largest public power organization, the New York Power Authority (NYPA), is using predictive analytics technology to monitor its critical assets network. Israeli software development mPrest developed the IoT-based Asset Health Management application alongside the NYPA. The platform is in use at the Niagara Power Plant where it monitors the operational health of NYPA transformers in real time, assisting to improve reliability and maximize efficiencies at the plant, which is one of the largest renewable energy sources in the US.
4
done and what security protocols are in place to ensure the updates are controlled. Security needs to be part of the development process of any business continuity strategy.” The phrase ‘threats and opportunities’ is probably overused in today’s business climate and the era of digital transformation and disruption. However, it perfectly sums up the IoT for BC professionals. And those who want to head off the former and maximise the latter may have limited time left to get their house in order. To help organizations, the Industrial Internet Consortium has put together the IIC Industrial Internet Security Framework (IISF). For more information on the IISF, visit www.iiconsortium.org/IISF.htm.
Improving aviation operations KLM Equipment Services (KES) has formed a strategic partnership to use technology company Inseego’s Ctrack intelligent Aviation Asset Tracking IoT-based platform to address a range of airline and operational challenges. It is being used at Amsterdam and Hong Kong airports to maximise ground equipment efficiency, asset visibility and cost optimisation. The two companies are also teaming up to develop specialised management services for the global commercial aviation market following the success of the initial project.
NHS tracks hospital beds
5
NHS Highland’s Caithness General Hospital in Wick, Scotland, is using the Internet of Things to monitor and track the whereabouts of its high-tech medical beds as part of a new initiative aimed at automating bed maintenance, which has traditionally been a manual process for the NHS. Property technology company Beringar and the Scottish Innovation Centre for Sensor and Imaging Systems (Censis) have collaborated to develop a system which uses Bluetooth tags attached to beds to transfer real-time data via an IoT network.
19 CONTINUITY & RESILIENCE | Q3 2018
Internet of thin_Q3_Continuity & Resilience Magazine 19
15/08/2018 13:12
SPECIAL REPORT
T E R R O R : T H E A F T E R M AT H
BATTLING THROUGH Forcing the local council, police and businesses to adapt and improvise, the June 2017 London Bridge attack brought home the realities of business continuity in a terror context BY COLIN COTTELL AND DEEDEE DOKE
20 C O N TIN UITY & R E S IL IE N C E | Q3 2 0 18
Special report_Q3_Continuity & Resilience Magazine 20
15/08/2018 11:37
T E R R O R : T H E A F T E R M AT H
SPECIAL REPORT
BARRIERS 21 C O N TIN UITY & R E S IL IE N C E | Q3 2 0 18
Special report_Q3_Continuity & Resilience Magazine 21
15/08/2018 11:37
SPECIAL REPORT
T E R R O R : T H E A F T E R M AT H
t was just after 10pm on 3 June 2017 when a white Renault van containing three men with murderous intent ploughed into pedestrians on London Bridge. On crashing the van, the terrorists – now armed with knives – then rampaged through nearby Borough Market, a well-loved destination for Londoners and tourists alike for its diverse food and drink offerings, stabbing virtually anyone they encountered. Within eight minutes of receiving the first 999 call, police had shot the three terrorists dead, and eight members of the public lay dead or dying. A further 48 people were injured. Queueing to get the London Underground back home from a night out was Stephen Gaskell, Head of the Chief Executive’s Office at the London Borough of Southwark, the city area including London Bridge and Borough Market. Gaskell, whose responsibilities include the council’s emergency planning, recalls the moment when he realised that initial reports of “just Borough Market was closed to the public for almost two weeks after the deadly attack, with some another tube [Underground] delay” were businesses hit harder than others as customer numbers plummeted in the aftermath something far more sinister and serious. “You have that initial feeling that you want to run away from it,” says Gaskell. “You appreciate this is not The next few days would find Gaskell, his colleagues and an exercise, and that you are not able to make a mistake and go representatives from other agencies, organizations and the ‘oh well it is only an exercise’. You know that every thought and London Bridge-Borough Market community not only focused decision you are going to make is going to be important.” on the horrific human toll of the atrocity – but also responding to and managing the force multiplier impact on businesses in the local area. Business as usual was impossible. So identifying the scale of the devastation to be faced by local businesses and ensuring that business operations could soon safely resume with confidence were also crucial responsibilities that had to be met. This crude terrorist attack brought with it myriad unknowns to unravel over the following days. Staggeringly, it was one of five terrorist attacks in England in the first six months of 2017 that led to a potential loss of £3.5bn to the UK economy – not to mention the events’ impact on human life. At the same time as Gaskell was digesting the news reports on the night of 3 June, his colleague Andy Snazell, the London Borough of Southwark’s Emergency Planning and Resilience Manager, was moving to activate the council’s emergency plan. Within an hour of being contacted by the council’s oncall liaison officer, the Borough’s Emergency Control Centre The attack affected an unspecified number of businesses, including all 620-plus (BECC) in Tooley Street, 50m outside the hastily-erected police belonging to the Better Bankside Business Improvement District, across a wide span cordon, was up and running. Along with Snazell, it was staffed of area around London Bridge
22 C O N TIN UITY & R E S IL IE N C E | Q3 2 0 18
Special report_Q3_Continuity & Resilience Magazine 22
15/08/2018 11:38
T E R R O R : T H E A F T E R M AT H
by another specialist officer, a press officer and two volunteers. “Within 10 minutes I had spoken to the [Southwark] Chief Executive [Eleanor Kelly] even though she was on holiday and wasn’t even in the country,” says Snazell. With events on the street confused, the initial focus of his team was information gathering. “We were clearing the decks, and trying to get information from the police about the size of the cordon, which we didn’t know until next morning,” he says. Buildings in the area needed to be evacuated and scoured. People who lived locally had to be relocated in the event that more terrorists were operating in the area than just the original trio. Southwark officials said it was difficult to estimate how many people live and work in the area. Also, there were no estimates available of the number of buildings in the area. Overall, the cordons surrounding the area where the attack had occurred and where police were searching for both other potential victims and other terrorists, lasted between three and 11 days, depending on their proximity to the crime scene. According to Peter Williams, CEO of the Better Bankside Business Improvement District that includes Borough Market
A PLANNED RESPONSE 1
21:58 BST: Van crosses London Bridge twice before attack 2
22:07 BST: First emergency call after van hits pedestrians on bridge
5
People stabbed in market area 4
Three men continue on foot
3 Possible route
BOROUGH MARKET
Van abandoned
taken by attackers
6 Van attack On foot
22:16 BST: Wheatsheaf pub: Police shoot dead three attackers
GOOGLE MAPS
First crossing
The initial police cordon thrown up after the attack covered a wide area, with some restrictions north of the River Thames. Over the following seven days parts of the barrier were lifted allowing for greater access, but a concentrated cordon remained in place until Borough Market reopened on 14 June, to allow for market repairs. Volunteers played a major role in the response, including council staff in the Borough Emergency Control Centre, London Southbank University staff and the British Red Cross in a rest centre. Cruise Bereavement and Victim Support assisted in the Community Assistance Centre. The first recovery group meeting held on 7 June was chaired by the Chief Executive of the London Borough of Southwark Eleanor Kelly, with the heads of a number of different council departments in attendance. A wide range of outside agencies contributed their knowledge and expertise, including Public Health England, London Resilience Group, and Transport for London. Manchester City Council estimated that the impact of the May 2017 attack on Manchester Arena cost the council, police and health services some £17m locally. Southwark is about one third of a Manchester in population terms.
23 C O N TIN UITY & R E S IL IE N C E | Q3 2 0 18
Special report_Q3_Continuity & Resilience Magazine 23
15/08/2018 11:38
SPECIAL REPORT
T E R R O R : T H E A F T E R M AT H
and the surrounding area, all of the organization’s 620-plus corporate members were affected by the attack to some extent. Most disruption was caused by the cordons affecting staff ’s normal routes to work. While larger firms were able to cope by, for example, allowing staff to work from home, it was smaller businesses and traders in Borough Market that were among the most seriously affected. In fact, Borough Market did not reopen to the public until 14 June, 11 days after the attack. Better Bankside Operations Manager Tom Harris says that communications amongst the area’s business people suffered because in the rush to evacuate the area, a lot of business owners had no time to pick up laptops and mobiles. “It was difficult to contact them because they didn’t have a record of their email passwords,” he says. In contrast, because some knew their social media passwords, communicating with them via, say, Twitter was often easier. “We learned that it was important to communicate in as many different ways as you possibly can.” With some businesses unable to access their premises, Better Bankside was able to offer a matching service for those in need of office space and anyone able to provide it. A local Novotel, part of AccorHotels, made its business centre conference rooms available for free for several days, and was among half a dozen businesses that rallied around to help others. Another was a Better Bankside member that offered a pro-bono legal advice service, with special regard to insurance. Thanks to its database of members, Better Bankside was
£3.5bn
able to provide businesses with information about updates on public transport and the police cordons in two daily bulletins, via email and Twitter, and whether it was a ‘hard’ cordon so that nobody got in, or a ‘soft’ cordon that allowed selective access. For Southwark Council, mapping software was a key tool in its response to the emergency. The software, which includes the use of Geographic Information System (GIS) mapping technology, gave the team in the emergency centre the ability to produce maps showing the area that had been cordoned off by police. The team could then map changes in the position of the cordon until the situation stabilised after three or four days. “This helped officers working in the emergency control centre to check access routes for key buildings and infrastructure as well as identifying if any particular groups of residents may have been particularly affected,” says Snazell. For instance, the software was used to confirm the existence and presence of sheltered council accommodation, initially right on the boundary of the police cordon but just outside it as the cordon widened. With use of a filter, the software can
FIVE TERRORIST ATTACKS IN THE UK IN THE FIRST SIX MONTHS OF 2017 LED TO A POTENTIAL LOSS OF £3.5BN TO THE UK ECONOMY 24 CONTINUITY & RESILIENCE | Q3 2018
Special report_Q3_Continuity & Resilience Magazine-NEW 24
30/08/2018 10:52
T E R R O R : T H E A F T E R M AT H
KEY LESSONS
IMAGES: G ETTY IMAGES
Better Bankside Business Improvement District advised businesses daily about the conditions via email and Twitter, making people aware of whether a ‘soft’ cordon that allowed some access or a no-entry ‘hard’ cordon was in place
GETTING THE COMMUNICATIONS RIGHT
pull out records of all the people living in a designated area to which the council provides a service. However, Snazell points out that this data is not held by the emergency planning department but by other departments, such as adult services. The software’s 2D and 3D functionality is regularly used for scenario planning and in desktop exercises to help build up a visual picture of how an incident might affect a particular location. In addition, the software also allows the team to build up a more detailed picture over key sites by layering in other data sets, such as those related to transport in the area, air quality information, and heat maps based on population, Snazell says. The practice of logging events was also vital in the aftermath of the traumatic events and in the days that followed. Gaskell, who took over silver – aka tactical – command of the incident from 3pm on 4 June, says: “It’s absolutely critical. It means you are clear about where you are, what the current response is and what is outstanding and what you still need to do.” The log was used to record events, such as when the council closed a hastily set-up rest centre and replaced it with a bigger one. Gaskell points out that it is also an important source of verified information for the communications team. Such information can then be confidently shared with the emergency
A lesson Gaskell learnt was that it is better not to release any information until you have the full picture. “It’s about saying ‘I have got to hold my nerve because sending out misguided messages is just going to cause more problems’,” he explains. Despite the pressure to say something, he adds, “You have got to tell yourself that you have to pause and wait for the right moment.” He also became further aware of the need to establish a clear and reliable communications pathway with the police. “We learned about the importance of establishing that from the outset,” says Gaskell.
STAFFING Be clear about the command and control structure, who is taking strategic gold command, and who is responsible for silver tactical arrangements, but also ensuring that the crucial roles of loggist and communications officer are filled at all times.
STAFFING SHIFTS Staff were prepared to work longer than their normal shifts. However, this should be resisted, both from the point of view of their effectiveness and their welfare. Workers were tired and emotionally affected by the event. “I had to tell them ‘Actually you are not helping now because you are tired, and you need to go home’,” Gaskell says.
VOLUNTEERS Do not put all of your volunteers to work during the initial stages. “Save them for later as you will need them more than you probably realised,” Gaskell urges.
EMOTIONS The emotional effect on staff involved in dealing with such an incident may not be immediately apparent, warns Gaskell. “I had an officer burst into tears several months later. I told this member of staff ‘Don’t worry, it affects everyone differently’.” Gaskell says he kept reminding council staff that support was available to them just as much as those directly affected by the attack.
THE SHOW MUST GO ON No matter the magnitude of the incident, Gaskell says it is vital that the rest of an organization carries on. Gaskell admits this is hard, but “what you can’t do is suck up all your resources in dealing with an incident”.
25 C O N TIN UITY & R E S IL IE N C E | Q3 2 0 18
Special report_Q3_Continuity & Resilience Magazine 25
15/08/2018 12:47
SPECIAL REPORT
T E R R O R : T H E A F T E R M AT H
services. “It is also important after an incident, as it provides an audit trail showing why you took the decisions you did,” he adds (See box on p25). The aftermath: In the days following the attack, the focus of Southwark Council and the various groups that had rallied around began to shift to the recovery phase. A strategic recovery board and a business recovery group formed. Among the results were coordinated efforts between businesses to help one another. Business rate relief was provided to some. The importance of creating BC plans has been a key theme of subsequent business recovery education efforts by the council and two area Business Improvement District organizations (Better Bankside and London Bridge). Planning is essential, says Acting Chief Inspector Jim Cole from the operations & response section at Southwark Police: “So it is thinking about those things in advance so that if something terrible were to happen, you have a network of staff who know what to do, and there is not that immediate crisis of leadership.” Building a close relationship with police so that they are aware of your procedures for handling a crisis, especially as a larger business, and vice versa can be helpful, Cole says.
620+
CORPORATE MEMBERS WERE AFFECTED BY THE ATTACK TO SOME EXTENT. MOST DISRUPTION WAS CAUSED BY THE CORDONS AFFECTING STAFF’S NORMAL ROUTES TO WORK
C A S E S T U DY
THREAT TO SURVIVAL – DEALING WITH RISK Jan McCourt is owner and founder of Northfield Farm, whose business has sold meat from rare and traditional British breeds at Borough Market since 1999. The market’s 10-day shutdown meant “a very major threat to our survival”, McCourt says. With no income, all stock condemned and staff salaries still to be paid, he says the business suffered an initial loss of £23k to £24k. To make matters worse, McCourt says customer numbers didn’t return to normal until “at least into the winter”, resulting in a total loss of two or three times the original figure. McCourt, who employs between 10 and
15 staff, says he had anticipated a terrorist attack and at the previous annual review with his insurers asked for terrorist cover. He says he was able to recoup “the lion’s share” of his losses from his insurers, with the balance coming from a local charity. From anecdotal evidence, he believes his was one of very few businesses in the market whose insurance claims were met. McCourt also credits the company’s bankers, HSBC, for extending its overdraft. With a background in risk management
in banking, McCourt says he does his best to manage risk. This includes cloud storage, hard disk back-up, and not having everything in one physical location. Since the attack, he says individual businesses in the market “have thought as best they can, if they hadn’t before, about how to prepare for disaster”. As for his own business, he says “We are better prepared for a physical attack, we are more aware, and have a very tight team so hopefully communication would be good and quick.”
26 C O N TIN UITY & R E S IL IE N C E | Q3 2 0 18
Special report_Q3_Continuity & Resilience Magazine 26
15/08/2018 11:38
REGISTER NOW FOR BCI WORLD 2018! www.bciworld2018.com 6th and 7th November | Novotel London West, London
Resilience Through Relationships Join us for BCI World conference & Exhibition 2018 for 2 days of networking and presentations from an outstanding line up of speakers and insightful workshops and research sessions. Whether you are looking to improve your business continuity plans, share your experiences or grow your industry network, BCI World 2018 will deliver unparalleled continuity and resilience expertise.
Join our Keynote Speakers
BOOK YOUR CONFERENCE TICKET NOW
bciworld2018.com James Lindsay, Crisis Manager and Resilience Expert. 6th November 9:10 ‘Being a crisis manager at Cambridge Analytica’
BCI.Q32018.027.indd 27
Scott Gould, Advisor and Author, The Shape of Engagement. 6th November 10:00 ‘Professional strategies for engaging your colleagues’
Dr Jessica Barker, World expert on aspects of Cyber Security. 7th November 9:10 ‘The psyche of cyber’
1 day and 2 day conference tickets are available. You can register for a free BCI World exhibition-only ticket.
15/08/2018 11:24
PROFILE
CREATING RESILIENCE FROM WITHIN INTERVIEW BY COLIN COTTELL
As a woman of many talents, Dr Aarti Anhal tells Colin Cottell the benefits of investing emotionally in people to negotiate difficult times is a must for business continuity
28 C O N TIN UITY & R E S IL IE N C E | Q3 2 0 18
Dr Aarti_Q3_Continuity & Resilience Magazine 28
15/08/2018 12:02
PROFILE
D
r Aarti Anhal is a business coach and mentor, certified mindfulness teacher, yoga practitioner, te teache qualifi ua ed lawyer, and has degrees Applied Positive Psychology in Ap App Coaching Psychology and and C International Studies, including Intern a PhD on Tibet. Oh, and she happens to be a business also ha resilience practitioner. But she continuity co ty (BC) aand res is tthe firstt to admit m that her professional journey traditional path. has as deviated te from m a trad “It’s been “I n quite a long and winding road,” she says Continuity & Resilience magazine’s as w we meett at Continuit t London. offices c in the h City of o Lon Itt is this eclecticc background and breadth of back interest, however, that has led the multi-talented e o t h University graduate away from n y of Cambridge Cambridg m what the industry’s traditional rather wh she ssees as th ind narrow and based on plans and na an siloed ed approach appr processes, one that embraces the p e and towards to missing g ‘third p’ p – people. peop Anhal argues that among those that ill-served by th have ve been particularly pa thee industry’s ry approach approac ac are BC managers and senior business leaders. After first entering the b le lea field and risk in the early ld of cyber security sec s 2000s before into crisis and risk 2 fo moving m management and resilience, it was this ge realisation ali tthat led Anhal to set up her Before Nine, in he own consultancy, co September Septembe be 2017. “I felt that there was a really t powerful argument that for so long powerfu we in risk management, business m continuity continu and crisis management – but aalso in business generally – the missing piece has been the m people ple piece,” says Anhal. “I started to realise that you s could have all the plans and processes in the world, but proce if your you people didn’t enjoy wellbeing – for example, wellb psychological wellbeing, if psycc they the themselves weren’t able to overcome pressure and ov challenge and the tough times – chal then it would be very difficult for you to ask them to manage your risks, or the challenges of a major incident or crisis.” As founder and a managing director
of Before Nine, Anhal manages an eclectic team of senior business consultants, coaches and psychologists, all working towards bridging the needs of individuals and organizations by combining personal wellbeing, resilience and agility with organizational performance. Anhal says the big idea behind her company is “to bring together what I had learned from an organizational perspective and the passion businesses have for developing people, while also helping them shift and reframe their mindsets”. A lot of Before Nine’s work is developing personal resilience. This entails recognising and developing the characteristics associated with a resilient mindset, such as self-awareness, emotional selfcontrol, calmness and having a sense of perspective (see box below right). She argues that business continuity managers are in particular need of developing their own personal resilience, and that this is an area that has been “hugely ignored”. One reason, she says, is that being responsible for running organizations’ BC tests and exercises prevents them from getting an opportunity to be tested themselves. This became clear from her conversations with BC managers at a BCI Forum at which she spoke, she says. “They said to me, ‘How do THE EIGHT we develop our resilience? Because CHARACTERISTICS one minute we could be called into OF RESILIENT ‘gold’ (most senior figure in charge of INDIVIDUALS handling incidents/crisis at strategic level) to log; the next minute we could These characteristics/traits/qualities be taking calls from HR telling us relate to a person’s resilience i.e. ability to deal with, recover people that we know have died.’ It’s – and learn – from challenging a very challenging situation to be in experiences. These qualities – being in the heart of the response are based on a combination of coordinating and also having a lot of emotional/physical state, beliefs, emotional muscles and behaviours. the trauma associated with the event. “Business continuity managers are They are: living in a world where if they are Wellbeing fortunate enough not to have had Self-Awareness a major incident,” she continues, Calmness under pressure Perspective “they still don’t know whether they Purpose & Meaning have the confidence and whether the Realistic Optimism organization can have the confidence Connection in their ability to withstand the Flexibility
29 C O N TIN UITY & R E S IL IE N C E | Q3 2 0 18
Dr Aarti_Q3_Continuity & Resilience Magazine 29
15/08/2018 12:02
PROFILE
CAREER
DR AARTI A ANHAL A 2017 – P PRESENT T Before Nine, n Founder and d MD
2010 – 2 2017 g d UKI 4C Strategies, Partner and O Chief Saless Officer, and COO
2008 – 2 2010 Crisis Solutions, o Director e – Future Operations
2006 – 2008 0 Olive Group, Senior e Consultantt
2001 – 2002 02 RAND Europe, Associate Analyst
2000 – 2001 European Commission, n, ta Policy Planning Consultant
1999 – 2000 Goldman Sachs, Executive Assistant
E D U C AT I O N
2018 – 2019 Masters in Applied Psychology & Coaching Psychology, University of East London
2003 – 2006 PhD, International Studies, University of Cambridge
1998 – 1999 MA International Peace & Security, King’s College London
1994 – 1998 LLB, English & French Law, King’s College London
pressures of that type of situation.” Having been chosen on the basis of their expertise or knowledge rather than mindset or behaviour, executives assigned to crisis management roles within organizations are not necessarily equipped to perform effectively under the pressure of a crisis, or even to know how they will perform. “The pressure to perform under ‘business as usual’ conditions will be different to the pressure in a crisis. Time is sped up, there is a need for quicker decision-making, and you are not going to be able to wait for all the information,” she says. “Ultimately, if you consider what organizational resilience is – which is to adapt and react to the market, future-proof your organization and its success – we can’t move forward in our organizations if our people, the assets we depend on most, aren’t functioning and thriving in the best possible way.” Among the services the consultancy offers are one-to-one coaching, team workshops and advisory for clients including airports, banks and schools.
Anhal says the aim is to move beyond the usual knowing what plans and processes to use during a major incident to include “people understanding their own mindset when they are under pressure”. “It’s about how to press the reset button for themselves if they find that the pressure is getting too much, how to recognise pressure and perhaps diminished performance among their team members, and how to support people’s wellbeing during a major incident,” Anhal says. “So you have people performance, you have got great plans and great processes coming together.” With her background and interest in psychology, it is perhaps no surprise that Anhal is an advocate of the power of the mind to make a difference. “Outside of my professional life I have always believed in the ability of a person’s mind and their mindset and their energy to create real success,” she says. Not only did this interest manifest itself in Anhal learning a whole range of psychology-based techniques, she is also a certified meditation and mindfulness teacher and master of Reiki (a healing therapy that originated in Japan). Anhal says she is not stipulating that to cover all eventualities organizations must have “a range of people to do x, y and z, because actually you are only going to have the people you are given. And that’s the bottom line about crisis management, it’s actually
30 C O N TIN UITY & R E S IL IE N C E | Q3 2 0 18
Dr Aarti_Q3_Continuity & Resilience Magazine 30
15/08/2018 12:02
PROFILE
bring that improved way of doing things “to everything they do, thereby helping to build organizational resilience in a broader sense”. “What we are saying is that if you can give people mindsets and behaviours that help them thrive under pressure that is not just going to help you when there is a major incident, it will help you when that department is under pressure because its performance is falling and it hasn’t hit its targets,” she says. Anhal’s approach is about bringing together the traditionally distinct worlds of psychology and BC. However, she does not go so far as to say that all business continuity professionals need a background or training in psychology, just “as long as they have access to that expertise”. Looking ahead, and returning to her theme of developing organizational resilience, Anhal would like to see BC develop partnerships with other disciplines and departments within organizations, such as risk teams, HR and those with “horizon scanning” capabilities. “The biggest challenge has always been people working in silos and creating great bits of information about an organization, its interdependencies, its supply chain, its risk. And yet time after time when you walk into an organization nobody knows that information. So I see the industry as a whole opening itself up to partner more.” While Anhal is a true believer in the power of mindset to make a difference, she is open in admitting that she doesn’t know whether it will work in the BC and resilience space. “It may be that after two years of having tried to work at the level of mindset and behaviours, and having tried to shift them, it doesn’t deliver a considerable difference, in which case we will reassess.” The next couple of years will undoubtedly test Anhal’s own resilience and that of her colleagues at Before Nine. Equally apparent is her determination to give it her best shot on her own terms, as she concludes: “Our ambition is to help as many individuals, teams and organizations as possible to develop the resilience they need in good times and bad. We just want them to thrive so they can deliver what they need to deliver in that moment.”
“I started to realise that you could have all the plans and processes in the world but if your people weren’t able to overcome pressure and challenge and the tough times – then it would be very difficult for you to ask them to manage your risks, or a major crisis”
about what behaviours you can help develop”. Nor does she believe that the crisis leader who thinks shouting and screaming at people is the best approach is necessarily better or worse than one “who withdraws and goes quiet”. “It’s helping them understand what is the ‘go-to’ behaviour they defer to in a crisis, and how you can help them reflect on that and think about a different way of going about things,” she suggests. It is also about recognising that one person can’t do everything on their own, and how to best utilise the strengths of others: “If I need someone who is great at agile thinking and creative thinking, who in my team am I going to allocate?” What is more, Anhal believes that not only will this approach help organizations when those unexpected events occur, but also during those more frequent periods of ‘business as usual’. By helping organizations to frame their resilience strategies around their employees’ wellbeing and resilience – “how they help their teams become more flexible, more adaptive and agile” – Anhal argues the resultant better performance of their people and teams will lead to those organizations’ enjoying greater success “both in good times and in bad”. She sees the value of this approach going well beyond crisis events and incidents so that people
31 C O N TIN UITY & R E S IL IE N C E | Q3 2 0 18
Dr Aarti_Q3_Continuity & Resilience Magazine 31
15/08/2018 12:02
I N N OVAT I O N
TELLING THE UNTOLD STORY
India’s rapidly growing economic sectors need robust business continuity plans to inform domestic and global responses – a BCI Think Tank has offered up solutions BY COLIN COTTELL
32 32 C O N TIN I UIT UUITY IT Y & R E SSIIILL IEN IIEEENN CE C E | Q3 Q 3 2 0 18
BCI India THINK_Q3_Continuity & Resilience Magazine 32
15/08/2018 12:03
I N N O V AT I O N
IMAGES: G ETTY IMAGES
I
n July, a report from the BCI’s India Chapter are related to the domestic or to the global offshoring Next Practice Think Tank was published on the market. These differences could even apply within the BCI website. The topic? The evolution of risk same organization. Referring to IT consultancy, Varshney and resilience in India’s still burgeoning yet says, “Your BC practice for 20 consultants for the domestic world-leading $150bn IT/IT enabled services market would be radically different to 20,000 consultants industry, which performs 70% of all outsourced operating in one office for global clients. And that is what IT work globally. As significant as the topic our reports will reflect.” itself is the fact that the report is the first output The think tank aims to highlight the special challenges from the BCI’s newest think tank. Launched in faced by BC in India. Varshney explains that whereas a September last year, the India Chapter Think UK domestic bank only has to make BC arrangements for Tank is the BCI’s fourth, with think tanks in the banking within the UK, “a certain international banking US, UK and Australia already up and running. and financial services organization in India [that he did According to the chair of the BCI India Chapter Think not wish to name publicly] could be doing banking for Tank, the India Chapter’s first paper is just the start of 55 countries”. things to come. According to Varshney, the story of business continuity “There is not much literature that talks about the in India and how to deal with it has “never been told”. The realities of business continuity (BC) and risk and how think tank’s report will educate BCI members across the it is handled in an Indian world of the issues facing the discipline context,” Arunabh Mitra, in the South Asian country, he says. A STRUCTURED MBCI, tells Continuity & “We wanted to start afresh and APPROACH to create our own think tank and Resilience. However, the think road map, something that was fit for tank aims to change that. “We Arunabh Mitra, chair of the BCI India Chapter Next Practice Think Tank, purpose and met our own professional have an untold story of BC and says he is proud of the structure standards,” says Mitra, adding that resilience in India that we want and the governance that have been another core reason for setting up the the world to know,” he says. incorporated from the beginning. “We think tank was “to set a benchmark for “The intention is that if a put in so much structure because thought leadership”. person has (a) zero knowledge we want to work on things that are When it comes to the sort of subject of India, and (b) is not a scalable in nature,” he explains. the think tank’s nine individual resident of India, and that The key elements are: councils would be expected to carry person wants to understand the Nine councils cover key sectors out research into, he says, “Everything resilience landscape of India, of the Indian economy, and specific that we want to cover, we want it to be if they pick up our output, subject areas; unique to India because that is how we they should be comfortably Council members are selected from will differentiate.” onboarded with the concept of 90 applicants following a rigorous For instance, the Indian IT sector, BC in India,” explains Mitra, selection process run by the steering with its 4m workers and concentration who is also chief continuity committee and assisted by two of the world’s top specialist IT officer at HCL Technologies. independent experts from industry; companies in India, is an industry Vikrant Varshney, MBCI, Councils are assisted by 12 that characterises the country’s Chair of BCI Hyderabad, and volunteers – “the budding leaders contemporary economy. “How we deal a fellow member of the think of resilience”, who work across with those nuances is always going to tank’s steering committee, several councils; be unique to India,” says Mitra. says it is vital that the research Ecosystem partners: industry Mitra goes on to say that the think output from the think tank partners/confederations/ tank has been specifically structured reflects the unique aspects communities, who are keen to bring “to ensure comprehensive coverage of the Indian economy: “It is value to their members, and from of the Indian landscape around important to realise that while whom the think tank can obtain continuity and resilience”. India has its own companies valuable data – for example through “We wanted to pick up all the and industries focused on a survey of their members; industries in India that have global the domestic market, it also Two expert advisors valued for eminence and see how the resilience has large outsourcing and their independence and wider landscape is going to evolve in those offshoring sectors.” business perspective. They were industries,” he explains. involved in selecting the council BC arrangements and members, and had input into how This meant taking a multi-sector practice in India differ radically the think tank was structured. approach with nine councils either depending on whether they
33 C O N TIN UITY & R E S IL IE N C E | Q3 2 0 18
BCI India THINK_Q3_Continuity & Resilience Magazine 33
15/08/2018 12:04
I N N OVAT I O N
covering individual sectors such as banking, aviation, pharma and telecoms, or subject areas that were sector agnostic, such as cyber that cut across all the others (see box p33 on how the think tank has been structured). Mitra says the sectors chosen were at different stages in their BC journey. While banking and IT were well advanced, others such as pharma were less mature. However, Mitra is clear that while the focus of the think tank’s work is solely on India, the target audience for its output is not restricted to the sub-continent. “Our work is born out of India but our audience is global,” he explains. Some work, such as on developing a cyber resilience framework that has already begun, “is going to be equally applicable across geographies”, he adds. R Vaidhyanathan (known as RV) Hon. FBCI, MBCP, President of the BCI India Chapter, says that irrespective of the driving factors of regulation or customer requirements affecting their sector, the think tank’s research will help industry leaders “understand the need for implementation of BCM with a focus on the survival of their business”. A number of criteria must be met before councils are given the green light to go ahead with research.
BCI INDIA THINK TANK CAN AID BC LEARNING WORLDWIDE – THORP David Thorp, Executive Director
in India as one where the
at the BCI, attended the
best minds congregate
inaugural meeting of the BCI
and work together,” Thorp
India Think Tank in September
continues. He explains that
2017. Thorp tells Continuity &
central office’s role is “to give it
Resilience he is “delighted” with
a global audience and to take
the think tank’s progress so far:
current Indian thinking and
“From my point of view they
practice to the world”. Thorp says the way the think
have created something from a standing start that has already
tank had been structured into
created work of a very high
discrete areas “is something
quality that has got learnings
that we can benefit from
for BC practitioners globally.”
moving forward”. The India
“It is an excellent vehicle to promote the BCI’s community
think tank also fits very well with Thorp’s vision for the BCI’s
“The intention is that if a person wants to understand the resilience landscape of India, if they pick up our output, they should be comfortably onboarded with the concept of BC in India”
Such points include: “Will it provoke a constructive debate, and how much originality will the author bring to the research?”. It is only after getting over this quality threshold and after it is approved by the BCI in the UK that the council can go ahead. Although so far only the one paper has been published, “there are multiple topics underway”, says Mitra. In addition to developing a cyber resilience framework, other work includes mapping out the resilience landscape in the pharma/ telecoms industry. Some councils had not yet come to an agreement with the steering committee about the topics they would focus on, while reports had only reached first draft stage. Other papers were being reviewed by the BCI, with a view to possible alterations. With each report taking between six to nine months to create, Mitra says it was never the plan “to start producing reports in the first two or three months of activity”. Looking to the future, progression, which he explains Varshney says there is a is “to be at the forefront of definite possibility that the practitioner-led thinking about output of the BCI India the way that the practice of Chapter Think Tank could BC and its relationship with be used both by the BCI and resilience is evolving over time”. by outside agencies in India. The India organization also There’s also the possibility ties in with repositioning and of developing links with changing the terms of reference academia. However, he says away from 2020 Think Tanks these possible developments and towards the idea of Next are a few years down the Practice Groups. “What are the line. Today he says the focus issues BC managers are going “is on creating forwardto be dealing with not today looking content for the needs or tomorrow but in one or two of the sector and helping to years’ time, and what are the build preparedness, things issues they are going to be India never thought confronted with?” says Thorp. about before”.
34 C O N TIN UITY & R E S IL IE N C E | Q3 2 0 18
BCI India THINK_Q3_Continuity & Resilience Magazine 34
15/08/2018 12:04
Give your organization the upper hand in resilience Join the BCI Corporate Partnership today, and you could potentially save over £25,000 per year*! With Associate, Standard and Premium plans available, there is a level to suit your organization no matter the size, industry or location. The Partnership is flexible to meet your requirements, and our dedicated Corporate Partnership team are on hand to curate a solution tailored to your needs.
Benefits of becoming a BCI Corporate Partner IMPROVE RESILIENCY
BOOST YOUR VISIBILITY Value
EVENT DISCOUNTS 30k+
Get featured in the BCI eNewsletter.
INVEST IN YOUR TEAM
GLOBALLY RECOGNIZED CREDENTIALS
BCI GOOD PRACTICE GUIDELINES
Get 20% off corporate in house training including the CBCI Certification Course.
FREE annual BCI Good Practice Guidelines internal intranet licence.
Get 20% discount on BCI e-Learning corporate licenses that can be shared across your organization.
20% discount
contacts
20% off
Receive complimentary / discounted place at BCI World or a regional BCI conference of your choice.
Worth up to
Get access to the latest knowledge £82pp & research, generous discounts and the BCI mentoring scheme.
£1000
Value
£300
RAISE YOUR PROFILE
EMBED BC Value
Free annual licence to our online incident simulation game.
For more information and to discuss the best solution for your organization contact:
£250
Become an active player in the BCI community with attendance at local Chapter & Forum networking events, research launches and virtual networking opportunities.
Email partnership@thebci.org
+44 (0) 1189 478215 Visit www.thebci.org/membership/corporate-partnership.html Call
Additional sponsorship opportunities are available at
thebci.org/membership/corporate-partnership/sponsorship-opportunities.html
*This is an illustrative example. Actual savings will depend on specific benefits used and involvement. BCI.Q32018.035.indd 35
15/08/2018 11:25
NEWS FROM THE BCI
BCINEWS REVIEW LAUNCH
BCI and Emerald Publishing to launch Continuity & Resilience Review We are delighted to announce the forthcoming launch of the Continuity & Resilience Review in association with Emerald Publishing. The journal will feature two issues in 2019 and will be the first journal dedicated entirely to the concept of resilience. We aim to be the thought leaders in this field by ensuring high-quality and relevant articles. The Continuity & Resilience Review is intended to provide academics and practitioners with a holistic perspective across resilience research themes in other disciplines along the spectrum. It will deliver an authoritative and authentic interdisciplinary perspective on a body of knowledge that is still developing in a time of great change and upheaval for companies, governments and other organizations. The disciplines to be covered in relation to resilience include: Disaster recovery Business continuity
Risk management Information security Physical security Facilities management Emergency management Organizational resilience David Thorp, Executive Director at the BCI, commented: “One of the key goals of the BCI is to promote a productive dialogue between the academic research community and practitioners. The Continuity & Resilience Review is an essential part of this process. There is an increasing amount of leading research coming from universities globally and a lot of this can pass practitioners by. We intend to ensure that our members are kept fully appraised of emerging thought leadership in their discipline and hope the Review will become essential reading for every BCM and resilience professional who wishes to remain ahead of the curve.”
EVENTS
Upcoming in 2018 Chennai Forum and BCI India & South Asia Awards 2018. 7 September 2018 Chennai, India BCI World Conference and Exhibition 2018. 6- 7 November London, United Kingdom
C A M PA I G N collaboration is essential in implementing and delivering it. The campaign promotes learning opportunities and activities for professionals of all levels. It also features three competitions tailored to newcomers in the industry, wishing to learn more about organizational resilience, and to BCI members and
Education Month Education Month is the leading annual campaign that promotes business continuity and resilience training and learning opportunities across the globe including webinars, blogs, white papers, training discounts and more. The campaign runs every
September and explores a different theme each year. ‘Discover Organizational Resilience’ is the theme for Education Month 2018, which aims to raise awareness of what organizational resilience is, why it is so important for any organization, and how
experienced business continuity professionals, who wish to improve their knowledge and have the chance to upgrade their BCI membership. To find out more about Education Month, visit www.thebci.org/event-detail/ event-calendar/educationmonth-2018.html
36 C O N TIN UITY & R E S IL IE N C E | Q3 2 0 18
BCI news_Q3_Continuity & Resilience Magazine 36
15/08/2018 12:05
APPOINTMENTS
PEOPLE MOVES Assure APM Scottish IT cyber security firm Assure APM has appointed John Waddell as Chairman. Waddell was previously CEO of Edinburgh-based investment firm Archangels.
Caveonix Computer and network security startup Caveonix welcomes Tom McDonough (above) and Tom Noonan (below) to its board of directors. Noonan co-founded and serves as partner of Atlanta-based technology investment firm TechOperators, while McDonough is an advisor for corporate development and integration at US multinational technology conglomerate Cisco Systems. The duo, who have 50 combined years of cyber security experience, have also invested in the company.
TO P M OV E
Mary O’Connor Professional services firm KPMG welcomes Mary O’Connor as Chief Risk Officer. The former senior regulator joins KPMG from multinational risk management, insurance brokerage and advisory company Willis Towers Watson.
Continuity & Resilience is the magazine of the Business Continuity Institute and is published four times a year. BUSINESS CONTINUITY INSTITUTE 10-11 Southview Park, Marsack Street, Caversham, Berkshire, RG4 5AF tel: +44 (0) 118 947 8215 bci@thebci.org | www.thebci.org
ISSN 2517-8148
EDITOR DeeDee Doke deedee.doke@redactive.co.uk A S S I STA N T E D I TO R Patrick Appleton patrick.appleton@redactive.co.uk REPORTERS Colin Cottell colin.cottell@redactive.co.uk Graham Simons graham.simons@redactive.co.uk CONTRIBUTING WRITERS Sue Weekes LEAD DESIGNER Carrie Bremner
PRODUCTION EDITOR Vanessa Townsend PICTURE EDITOR Claire Echavarry SENIOR SALES EXECUTIVE Matthew Burls Tel: +44 (0) 20 7880 7661 matthew.burls@redactive.co.uk
PRINTER The Manson Group, St. Albans PUBLISHED BY Redactive Publishing Ltd Level 5, 78 Chamber Street, London, E1 8BL Tel: +44 (0) 20 7880 6200 www.redactive.co.uk
Global consultancy Parker Fitzgerald has appointed Kyle Hastings as partner and Cyber Risk Practice Lead. Parker joins from professional services firm Deloitte, where he was director, cyber risk advisory.
EdgeWave Email security solutions firm EdgeWave welcomes Steve Kelley (above) as President and John Randall (below) has joined as Vice President of Product Management. The duo join from network security firm Trustwave, where Kelley was chief marketing officer and worldwide sales leader and Randall was vice president of product and marketing.
© Business Continuity Institute 2018 The views expressed in C&R are not necessarily those of the Business Continuity Institute. All efforts have been taken to ensure the accuracy of the information published in C&R. However, the publisher accepts no responsibility for any inaccuracies or errors and omissions in the information produced in this publication.
PRODUCTION DIRECTOR Jane Easterman Tel: +44 (0) 20 7880 6248 jane.easterman@redactive.co.uk PUBLISHING DIRECTOR Aaron Nicholls Tel: +44 (0) 20 7880 8547 aaron.nicholls@redactive.co.uk
Parker Fitzgerald
Recycle your magazine’s plastic wrap. Check your local facilities to find out how.
No information contained in this publication may be used or reproduced without the prior permission of the Business Continuity Institute.
37 C O N TIN UITY & R E S IL IE N C E | Q3 2 0 18
Appointments fla_Q3_Continuity & Resilience Magazine 37
15/08/2018 12:06
W H A T A G R E AT I D E A
MY LIGHTBULB U MOMENT O
“My personal business continuity arrangements had come to a standstill”
Prakash D’mello, Manager, Resilience Operations, Barclays
The monsoon season in India brought home the importancee of personal continuity and resilience plans. It comes to the Mumbai area of India every year, but the heavy rain between n 7-10 July this year caused more than usual disruption to the district of Vasai, where I live. Without electricity for two days, there were no lights, fans, TV or internet, while mobile networks went down. Flood water made it difficult for businesses to carry on, while transport was badly affected. With no phone network available, I was forced to walk several kilometres to contact my office. Unable to work from home or travel, my personal business continuity had come to a standstill. As BC professionals, we spend our working lives preparing organizations to operate through all eventualities. We train employees and prepare continuity plans. We assess different processes, and we educate staff to understand the importance of preparedness. Yet it struck me, here I was with an empty water tank, my phone battery dying, and the telecoms networks going down, struggling with my own personal business continuity. It is something all of us would do well to consider once in a while. 38 C O N TIN UITY & R E S IL IE N C E | QQ3 2 0 18
Light bulb momen_Q3_Continuity & Resilience Magazine 38
I M A G E S: GE T T Y I M A G E S, I STO C K
BC/R starts at home
15/08/2018 12:06
BCI.Q32018.039.indd 39
15/08/2018 11:25
RESILIENCE LEADER
YOU are a champion of continuity. You
WE are Sungard Availability Services.
think beyond backup to business resilience— ensuring critical data is always accessible. But when it comes to achieving resilience, changes to the production environment can be risky and complex.
We help transform IT and deliver resilient, recoverable production environments.
As a recognized leader by multiple industry analysts for Disaster Recovery as a Service, we can calm the chaos of IT recovery. Imagine how we can help resilience leaders with everyday production systems. Lead with resilience at www.sungardas.com.
Transforming IT for Resilient BusinessTM
BCI.Q32018.040.indd 40
15/08/2018 11:26