Sudeban Instructs Financial Institutions in Venezuela to Implement Operational Continuity Projects

Fredling Pavon 

Today, the concentration of economic activity in the large cities of Ibero-America remains significant, particularly activity closely tied to each country's financial system. Most of these cities, however, combine a considerable range of risk factors of a social, political, geographic and environmental nature. In Venezuela, the valley of Caracas (located within the Venezuelan coastal mountain range) is by nature a city of high seismic risk, according to studies by the Fundación Venezolana de Investigaciones Sismológicas (FUNVISIS). In addition, as a valley with a tropical climate, it experiences constant precipitation during the rainy season, expected between June and September of each year, which significantly increases the likelihood of flooding in the residential, industrial and business districts spread throughout the city. Nor can we set aside the high level of socio-political tension that Venezuela has suffered in recent years; this situation keeps alive the likelihood of demonstrations by various sectors of society, made up essentially of students, political parties, labor unions, among others. Caracas concentrates at least 90% of the financial institutions, distributed along its central axis, which is traced by Line 1 of the metropolitan rail transport system (Metro de Caracas). Many of these institutions have undertaken technology contingency projects in alternate data centers within the same city of Caracas, a measure that could initially support a very specific and localized contingency within all their operational sites.

In response to this reality, the Superintendencia de las Instituciones del Sector Bancario (Sudeban) and the central government of Venezuela are urging, with normative and regulatory force, all financial institutions in the national territory to undertake projects that guarantee due process for operational continuity and the safeguarding of the assets of the users and customers of the Venezuelan financial system. This initiative originated in early 2012 through a formal communication issued to all of the country's financial institutions, which emphatically sets out the need to implement an alternate data processing center as a strategy for information recovery and operational continuity in the event of disasters, with the premise of maintaining a distance of 150 km from each of the main operations centers. The planned start-up date for this project is estimated at the close of the first half of 2014, according to the project schedule agreed between the banks and the regulator. As a reflection, we can note that, given the high concentration in Caracas of the nation's productive apparatus, implementing actions that mitigate the disaster risks identified in this city is a real challenge, owing to the deficient conditions of access, infrastructure, and technical and operational feasibility in the rest of the country's cities, not to mention the limited access to foreign currency for acquiring technologies that contribute to implementing projects of this magnitude.

 

Fredling Pavon

Planning and Projects Manager at 100% Banco, Banco Universal – Caracas, Ven. Systems Engineer, Master of Business Administration (MBA), PMP.

Specialist in the implementation of financial systems, electronic payment methods and business continuity

Email: FPavon@100x100banco.com

Vendor BCM Planning: Don’t Let Your Vendor’s Disaster Become Your Own!

Jerome Ryan

You’ve built your business continuity management program to the highest standards. You faithfully maintain it each year. You’ve performed exercises to ensure everyone’s role is clear. Is it enough? No.

As companies become more comfortable with their own ability to recover from a disaster, they are becoming increasingly uncomfortable with a vendor’s ability to do the same. Regulations and standards, such as OCC Bulletin 2013-29 (United States), BDDK Official Gazette No: 26333 (Turkey), ISO 22301 (international), and NCEMA 7000 (United Arab Emirates), are beginning to require companies to extend their continuity plans into the trusted relationships with third-party vendors. In fact, the newest version of the U.S. banking regulation, OCC Bulletin 2013-29, even requires companies to look into fourth-party vendor business continuity. Fourth parties are defined as the critical vendors of your critical vendors (thus extending the trusted relationship of continuity further).

What does all this mean to you? It means that your business continuity management program must include vendor business continuity management to ensure protection from internal and external hazards. Vendor business continuity management (BCM) is a program that extends internal business continuity protections to critical vendors, suppliers, third parties, and in some cases fourth parties. Common components include:

  • Identifying critical vendors
  • Developing minimum business continuity guidelines and amending master service agreements (MSAs) and service level agreements (SLAs) to include the right to audit BCM programs
  • Developing an internal response plan for the failure of a critical vendor
  • Creating sample tools and templates to support critical vendors (they may not have the internal knowledge or resources to hire a consultant)
  • Implementing an assessment/verification program to ensure critical vendors’ BCM programs are compliant with your minimum BCM guidelines

The Place to Start

The first step in starting a vendor BCM program is to understand which vendors support the company’s critical business processes. This requires the company to perform an analysis of all vendors to determine those that may be:

  • Sole-sourced
  • Experiencing cash flow issues
  • Operating under a lean/just-in-time model
  • Susceptible to other, related risks

If vendors do not fall into any of the aforementioned categories, they may not be categorized as critical or be part of the vendor BCM program. However, it is recommended critical vendors be evaluated annually or sooner if there are major changes/additions to critical vendors.

In some cases, a vendor is more than just critical. Some vendors may provide key components, without which, the company could fail. This is especially true of sole-source vendors. In the cases of manufacturing, consumer products, pharmaceutical, transportation, and other industries, the lead time to replace a critical vendor may be too long. Not having products on the shelf, combined with negative publicity, may effectively shut a company’s product out of the market.

In these special circumstances, a company should consider building an internal recovery plan to prepare for a vendor’s failure. An internal plan should consider available external supply/outsourced manufacturing, lead times to obtain government (i.e. FDA) approval for alternate manufacturing lines, as well as safety stock. The company may decide to identify alternate vendors, begin regulatory approval of second manufacturing lines, or move away from the sole-source vendor altogether.

Next Steps

For critical vendors, establish a set of guidelines that explain the BCM requirements with which they must comply. These guidelines should mirror the BCM methodology of the company building the vendor BCM program, to ensure a true extension of the trusted relationship. Common components include:

  • Senior management commitment
  • An established BCM methodology
  • A BIA requirement to identify critical business processes and related impacts
  • Recovery plans
  • Regular exercises
  • Regular maintenance

These guidelines should be part of all new SLAs and MSAs with critical vendors. The company also should use the same contractual language with existing critical vendors as contracts are renewed. This will protect the company and hold vendors contractually liable for their BCM programs.

Smaller vendors may not have the ability, knowledge, or resources to comply with a vendor BCM program. It may be necessary, and certainly would be helpful, to provide vendors with a BCM toolkit to support their efforts. Companies should be careful to include legal language that holds the issuing company harmless and states that use of the BCM toolkit does not implicitly or explicitly guarantee recovery from a disaster.

The final step in the process is to monitor and verify vendors’ compliance with the vendor BCM program. This usually can be part of an annual, or regular, vendor compliance assessment. To be both productive and meaningful, the assessment can be neither overly intrusive nor superficial. Questions should dig deeper than “Was a BIA completed?” and ask about specifics such as the date of the last BIA update or the critical processes and associated recovery times.

Summary

In summary, a vendor BCM program is not only another company policy. Rather, it is enhancing and changing the behavior a company takes in selecting, evaluating, and monitoring its collective vendors. Companies must understand that recovery and protection have to extend beyond the company walls. Modern organizations are integrated with and vitally dependent upon many other entities. Even companies in service and financial sectors are vitally dependent on critical vendors. Successful companies focus on their core competencies and rely on partners to fill in the gaps.

So, the next time you’re evaluating your company’s BCM program, remember to look out the door as well as in the mirror.

For Example . . . 

The March 17, 2000 Philips microchip plant fire in Albuquerque, NM is one of the best cases for vendor BCM programs. Nokia and Ericsson, two of the largest mobile phone operators in the world at the time, both sourced critical microchip components from this Philips plant. When a lightning strike caused a small fire, the plant’s clean room was damaged, resulting in the loss of production capacity.

Prior to the fire, Nokia held about a 32 percent market share while Ericsson held about 12 percent in worldwide mobile phone sales. Post fire, Nokia’s mobile phone shipments increased 10.5 percent over the previous year, while Ericsson’s dropped by 35 percent. Why? Nokia reacted quickly and had already prepared for a critical vendor loss prior to the fire, identifying an alternate supplier of microchips. Ericsson, on the other hand, reacted slowly and believed early reports that the fire was small and posed no long-term risk to the supply of microchips.

The total cost to Ericsson was over $400 million USD, including a second quarter 2000 loss of $200 million USD.

BIO: Jerome Ryan is CEO of both GRM Solutions and DRI Istanbul, where he implements and oversees client deliverables in crisis management, business continuity management, emergency response, pandemic planning, and other risk management practices. GRM Solutions has offices in New York and Istanbul. He may be reached at jryan@grmsolutions.net or http://www.linkedin.com/in/jeromeryan/

DRI Education Serves Growing Middle East Market

DRI International recently announced a new NCEMA component to its Business Continuity Planning for Auditors (BCLE AUD AE) and Business Continuity Planning (BCLE 2000 AE) courses. While DRI itself is standard-neutral, the organization’s leadership recognizes the need for its courses to reflect a variety of standards, of which NCEMA is now one.

“This reflects DRI’s commitment to the growing Middle East market,” says DRI Managing Director of Global Operations Chloe Demrovsky. “The UAE is a leader in the area of regional preparedness and we are thrilled to act as a key strategic partner with a knowledge and training centre to promote world-class excellence.”

About BCLE AUD AE

The BCLE AUD course (BCLE AUD AE’s parent course) is accredited by the American National Standards Institute (ANSI). BCLE AUD AE is a four-day, interactive program that provides training, tools, and hands-on experience to audit disaster/emergency management and business continuity programs. This course provides an overview of the audit process and teaches the student to audit a business continuity management program for conformity to the chosen standard. Conformity includes the areas of program management, risk assessment, business impact analysis, loss prevention, risk mitigation, emergency operations, business continuity strategies, crisis communications, incident management, training and education, testing and exercises, and program improvement.

About BCLE-2000 AE

BCLE-2000 AE is a comprehensive, four-day course covering the fundamentals of the DRI International’s Professional Practices. Students will learn the elements of a disaster/emergency management and business continuity program, understand industry terminology, and learn how to use the Professional Practices to develop a business continuity management program.

Both courses reflect the NCEMA standard and each concludes with an exam. Successful completion of the course and a passing grade on the exam is the first step toward DRI International certification.
For information, visit http://www.drii.org.

DRI’s Interview with Mohammed Al Jenaibi

In a recent interview, Mohammed Ahmad Al Jenaibi, CBCP, shared his thoughts and experiences with DRI International. We are pleased to bring you this interview and are very grateful to Mohammed for taking the time to talk with us.

Mohammed is an ex-military search and rescue pilot and former Chief of the SAR Coordination Centre. He joined NCEMA (National Crisis and Emergency Management Authority) in 2008 as a Director of Safety and Prevention. A Six Sigma black belt, he specializes in quality management and is also an EFQM Auditor, as well as a DRI International Certified Business Continuity Professional (CBCP). He is the lead of the committee which developed and published the UAE’s BCM Standard and Guideline (AE/HSC 7000:2012) in 2012. This was the very first BCM standard in the Gulf region. He was also the very first BC professional to be awarded a DRI International Award of Excellence as Best Program Leader of the Year for the Public Sector.

DRI: Will you provide a bit of background on NCEMA? 

Mohammed Ahmad al Jenaibi: NCEMA was established in 2007 and by 2011 a resolution by president was issued for its roles and responsibilities. I joined in 2008, and by 2009, we started the business continuity management (BCM) project.

During the beginning we sought to do research, and we wanted to know what we were missing in this country and what we needed. We discovered that BCM was one of the important issues to tackle. (See Sidebar “Meet NCEMA,” page xx) And in August, 2013 I resigned from NCEMA.

DRI: Why did NCEMA create its own BCM standard?

MJ: BS25999 was the standard at the time, but we thought it was not well-suited to our nation. We started to look at other standards, including the Singapore standard (SS540), NFPA1600 (USA) and others, and then we decided to write our own standard in Arabic to be more comprehensive for the reader but still matching and using the same methodologies in the standards mentioned.

When we started the first few pages, we thought it would work fine because everybody could understand it easily. We completed in one year the writing of the standard, but it took us two years to get consensus from all the federal departments and all the ministries. Finally, in 2012, the first version was issued.

DRI: In what ways is your standard different from the others?

MJ: Thank you, very good question. When I said that [other standards] were not well-suited, what I meant was that the language and the way they assumed the reader had a background in emergency management, but in our standard you can see the engagement of risk assessment taken from the ISO31000 throughout BCM.

For people without a huge background in emergency and crisis management, the format of BS25999 would be difficult. When you talk to a community, some agencies do not even have this management system in place. So, you cannot introduce them immediately to BCM. Our goal was to simplify how we did this in our standard. Within our standard, anyone can start and move from A to Z in very simple language and in very simple steps.

DRI: Can you tell me a little bit more about the state of preparedness in the UAE?

MJ: After establishing NCEMA, one of the first things they did was the National Response Plan (NRP). The NRP is complete and is being distributed to the whole government of the UAE, so all entities have prepared or are preparing their specific plans which can be plugged into the national response plan framework.

DRI: What about private sector businesses?

MJ: NCEMA has signed a mutual agreement with the Chamber of Commerce to involve the private sector, but you know we have huge companies who already have business continuity for their own interests. So, they are way ahead in advance. On the other hand, there are some other smaller businesses that have no idea about emergencies at all. I think this is because we do not have huge catastrophes in this country. Although we do not have big disasters, the private sector should realize the importance of emergency management, how they should be prepared, and how they can have their own plans.

Now NCEMA has started educating the public. There will be a lot of media and publicity by NCEMA supported by the Ministry of Interior, Civil Defense, and all the stakeholders. They will try to straighten out the education and spread the culture of emergency management. This is a challenge but it should happen within the next few years. We are already putting practice in place and we hope by 2018, end of 2017, we should be done.

For the private sector, to refer to your question, we hope there will be some support from either the government or the other agencies to the private sector to build up their capability, because as you know the capabilities require resources and money. There may be some incentives for those businesses, to encourage them to incorporate this program into their firms.

DRI: What type of incentives?

MJ: For example, the government could encourage the relevant agencies in charge for the fees of the renewal of their license every year say if they have emergency plans, then they are category one. Category one would be 30% less or something like that. There is another incentive that was also proposed: the government would not sign with any entity or private entity unless they have BCM in place.

DRI: How would you evaluate those plans?

MJ: We would have to know whether they have plans first, if they are to contract with government. Then we would have to review them in NCEMA or the appointed agency for the verification.

DRI: Tell us about the education and training that you provided to these different entities, what forms did it take and how long did it take. Were there exercises and tests involved?

MJ: In fact, NCEMA has been exercising the government agencies since 2010. The first one, of course, was like a surprise for some agencies to understand and it took some time to digest the lessons learned. I can say very proudly that in exercises five and six, everybody knew what they had to do and where they were standing in emergency management.

In terms of training, I am sure that more than 300 officials were trained in NCEMA. This is separate from the training that is conducted directly from the training providers to the entities because they know that they would need to train in EM.

DRI: What threats do entities in the UAE face?

MJ: I can simply say that we do not have natural disasters. We do not have it in our history. But you remember the swine flu and the H1N1? Those threats were on the top of the list at that time, those are the kinds of threats we face. But we have practiced and NCEMA staff have gained a lot of experience, but threats are very dynamic, whether political, natural or manmade. But really what is happening internationally could happen in the UAE, without a difference bearing in mind the first rule of Emergency management “always expect the unexpected.”

DRI: You talked about the support that you have from the top people in the country. One of the challenges that I hear from people in other countries is trying to get top management support and to get people to listen when they are talking about business continuity and its importance. How did you get that?

MJ: I can say we are lucky, honestly speaking. Our top leaders, from number one down, they all have been encouraging. There is no doubt that we should be ready for any type of threat. If you talk about big resources like water, electricity, power, then you can see threats everywhere. And those threats are very devastating. I think because of these threats there was no hesitation of the leadership to give us a green light to go ahead and prepare UAE as much as we could. So it wasn’t as much our effort.

DRI: Finally, what is your hope of working with DRI? How do you think that relationship can help you and how can you help us?

MJ: I would say definitely, DRI could help us. The only words we can say to DRI is thank you for supporting our program.

DRI: You have already helped DRI a lot through the important work you do and by taking the time to talk with us.

MJ: Thank you. The word from the top was that education is the key to success. So, getting education from DRI on emergency management and specifically on the BCM, and the methodology DRI is following is very valuable to us. I really appreciate the efforts, the cooperation I found with DRI, and I hope this cooperation will continue for a long time.
