Tag archive: business continuity

EDUARDO FERNÁNDEZ: MY EXPERIENCE AS A RESILIENCE PROFESSIONAL

Eduardo Fernández, CBCP, Costa Rica

Eduardo Fernández works for Hewlett Packard Enterprise in Costa Rica as part of the IT business continuity team serving HP's clients. With more than two and a half years of experience and CBCP certification from DRI, Eduardo shares his experience as a resilience professional.

How did you get involved in resilience and its related industries (business continuity, disaster recovery, emergency management, etc.)?

About two and a half years ago, it was proposed to open a team at Hewlett Packard Costa Rica (now Hewlett Packard Enterprise) to provide maintenance to the company's clients in areas of IT business continuity. The team already existed in other countries, but the opportunity opened up for us to start working in this area in our country. At that time I was a Database Administrator, but I had some desire to change positions. Because I had some experience in disaster response exercises for databases, I took part in the process and that is how I joined the team, as one of the first four on the Costa Rica team. Today there are more than thirty of us.

What is your current job position?

I currently work as an IT business continuity account lead and disaster recovery coordinator for various clients of Hewlett Packard Enterprise.

How would you describe your job to someone who is not familiar with the industry?

My job is to guarantee my clients that, in the event of a disaster, their IT infrastructure (applications, servers, network) can be recovered completely and functionally and within a suitable time. We achieve this by assessing their infrastructure, offering different recovery alternatives, and testing those alternatives in disaster recovery exercises.

What do you consider the greatest advantage of being a resilience professional?

In my case, I think it is being a professional who knows a broad view of organizations and who can work together with different teams from different disciplines. I think it adds value to get ahead of what may happen and not only work on handling incidents when they occur.

What is your greatest challenge as a resilience professional?

Awareness. Getting employees, both executives and operational staff, to give this area the importance it requires, since often more importance is given to what is in plain sight and to the immediate things that need attention, and the preparation or budget for disaster recovery is not always adequate. We often have to face disparaging comments about our area, and at other times the required participation in exercises is not achieved because of a lack of interest or the little time the required employees have.

What do you consider your greatest achievement or milestone as a resilience professional?

Participating in and coordinating the response to a real disaster caused by a tornado, which affected a company's plant in the United States and notably affected the site. Disaster protocols were tested and the various problems were addressed to get the plant working in an acceptable time. The whole team that took part in that emergency received praise for the coordination of the event.

Why do you consider resilience and its related industries to be significant?

Because a company cannot afford to lose everything it has built in the short or long time it has existed. Because one must know how to react to different eventualities and move in the right direction. Because disasters can occur at any time and no company can consider itself infallible or exempt from a natural or even man-made disaster. Because companies must be able to show their shareholders and their clients that, no matter the threat, they must always be ready to get back up.

What do you consider the most important issues facing resilience professionals?

Raising awareness among business management, performing correct analyses of risk and business impact, and offering the best options for recovering their business in the shortest possible time, with the least data loss and at an acceptable cost.

What advice do you have for those who are starting out in this field?

Study, read, research cases of success and of failure. Talk with people involved in the business and with different people involved in the company. Remember that every area of the company has something to contribute. Getting certified is an option that leads you to learn beyond your own specific area.

What have been the most important advances in resilience in the last decade? Why?

Specifically in the IT area, the use of low-cost cloud replication systems, and the virtualization of servers and of tape systems, which speed up the recovery of systems.

What advances do you expect to see in resilience in the next decade? Why?

That virtualization keeps expanding and that recovery times for IT systems are reduced to a minimum. Greater inclusion of mobile services for on-site recovery.


Thrive Iberoamérica! is publishing profiles of certified professionals who want to share their “Experience as a Resilience Professional.” To participate, contact us by e-mail at kcordero@drii.org

Bruno Nunes de Oliveira: My Experience as a Resilience Professional

Bruno Nunes de Oliveira has worked for over 10 years in governance, risk and information security. He started his career in IT services companies, has experience in consultancies such as PwC, and is currently Consultant Information Security and Business Continuity Manager at T-Systems Brazil. He holds a degree in Computer Science and a postgraduate degree in Strategic IT Management and is studying for an MBA in Entrepreneurial Management. He has specialized certifications in Information Security and Business Continuity, including CBCP with DRI, MBCI from BCI, CISM from ISACA, ITIL, and also Lead Auditor in ISO standard 27001:2013.

How did you learn about Resilience and/or Business Continuity Management (BCM)?

I started my career acting as an analyst of IT processes with ITIL and COBIT, developed some processes of continuity of IT services and then went to work in consultancy that specialized in business continuity, risk management and information security. I specialized in the BS25999 standard, then made sure to become certified, including as a CBCP by DRI. But the best learning is experience, implementing projects, meeting new types of businesses and strategies, and figuring out the peculiarities of each.

What is your biggest challenge as a business continuity (resilience) professional?

In Brazil, the biggest challenges are to show the value of business continuity and resiliency to the board, and get other departments committed to the topic – to understand the need for the organization, and not just a standard or legal requirement to be met.
Another major challenge: integrating the process of business continuity to other business processes, such as compliance, human resources, infrastructure, etc. There are also other issues, such as social responsibility and government.

What are the common misconceptions that others have about your role?

It was normal for people to think that the business continuity professional makes a mapping of areas (BIA) to show human resources where you can reduce, or which area is not critical and suggest changes, which currently has not happened.

What are the common misconceptions that others have about business continuity (resilience)?

Usually people understand and know the role of business continuity and resilience, but do not see the added value of a well-implemented process. In Brazil, as we do not suffer from climatic problems, or terrorism, it is difficult to raise awareness.

What is your favourite advice about Business Continuity (resilience)?

Understand the company’s business – it is impossible to implement any strategic process without the full understanding of the business in which the company operates.

What is your greatest reward in your role as a BCM Professional?

When the client company understands the value of business continuity and supports not only the implementation but also the process life cycle, ensuring that it will have maintenance, improvements and actions; and when I help other professionals to seek certification and specialize in the subject.

Where do you hope to see organisations in 5 years’ time?

In Brazil, I expect to see most companies be more conscious of business continuity. Right now, there is still a culture of “with us does not happen,” or “this is only for audit.” I also think that the number of trained professionals should increase, and this can bring the resilience culture forward in every way.

For multinational companies, global resilience programs should become stronger; in the company I work with, we have a global implementation of business continuity management rollout for all its units in the world, and it works very well, both as commitment and as a cultural exchange of knowledge and experience.

Challenges in Developing Disaster Recovery Management

This article is based on the activities I have carried out throughout my professional experience dedicated to managing the Resilience Process, which includes Business Continuity projects and Disaster Recovery projects.

There are theories about what Business Continuity is and what Disaster Recovery is. I have come across companies in various sectors where there is confusion about those theories, between a Business Continuity Project and a Disaster Recovery Project. I do not intend to contradict any concept; I will simply differentiate them according to the extensive documentation I have generated, which belongs to my Lessons Learned for activities, for this article in particular, as Disaster Recovery Manager.

The experiences described here are mentioned but are not exhaustive; I am simply sharing some that may help readers in their own activities and in generating their own lessons learned.

My Lessons Learned – Post-DRP-Test Activities

Once the Disaster Recovery exercise with one of our clients in the insurance sector was finished, the result of the test was reported by email to the corporate offices in New York and Mexico, to executive staff on the Client's side and on ours (at that time I worked for IBM), with a complete results report. Visibility of the result was at a high level.

The main activities carried out during this stage are the following:

  1. Once the exercise was finished, there had to be an email notification from the Client to deactivate the environment or, where applicable, to roll back to normal operation (as in the case of Metlife Brasil).
  2. Once the Client's notification was received, the Disaster Recovery Manager instructed the other Technical Service Lines to deactivate the environments (I mean Unix or Wintel environments, or whichever applied according to the associated infrastructure); this had to be accompanied by evidence from the environment and the name of the technical engineer who performed the activity.
  3. All of this activity, coordinated by the Disaster Recovery Manager, had to complete the deactivation or Roll-Back script, as applicable (which had already been generated and only needed the deactivation times filled in and the order of activities followed), until it was assured that all tasks were duly completed and that there was no corruption of environments between Production and the environment designated for DRP (Disaster Recovery Program).
  4. Once the event was over, a fundamental point the Disaster Recovery Manager had to consider when documenting the evidence was that, if any problem occurred during execution and was resolved or left pending, the results report must document very well the problem and how it was resolved, as well as what will be done so that it does not happen again. If it was not resolved, a ticket was opened with the Help Desk so that, through Incident Management, the follow-up for the complete correction of the problem would be managed, and so that it would be documented in the lessons learned and, where applicable, in the procedure of the corresponding Service Line, and of course so that it would not happen again.
  5. Documenting the Lessons Learned must be a fundamental part of sharing them with the Service Lines so that the problem does not recur, and of having the precedent documented and identified so that, if it appears again, it can be solved.

The points mentioned are some of the activities I have included in this article; they help make up the complete final results report that is delivered to the client or, in any case, to the historical archive of these activities, which serves for future audits as clear evidence that we are exercising our Disaster Recovery plan.

My Lessons Learned – Activities for Documenting Lessons Learned

In the case of another company in the same line of business, insurance, the documentation of the lessons learned was divided into two sections:

Things that went well:

  1. Recovering the applications within the agreed RTO (Recovery Time Objective) and RPO (Recovery Point Objective)
  2. Defining test scopes and test matrices in advance
  3. Actively involving users in the review of scopes
  4. Establishing the War Room as the point of contact with users to channel questions, findings, and test follow-up
  5. Adequate resolution of minor findings

Things to consider in the future:

  1. The list of applications in the scope of the Disaster Recovery Plan needs to be cleaned up because:
    1. applications that are already out of production were identified
    2. duplicate applications were identified
    3. applications located outside GNP Plaza were identified
  2. The applications within the scope of the initial plan must be released to Production; otherwise it is not possible to recover them.
  3. Changes to the original execution date of the Disaster Recovery test affected user participation (last-minute user changes, users on vacation, etc.)
  4. Gather the users in a common location for test execution to improve execution logistics
  5. Establish a mechanism for notifying the War Room of last-minute participant changes, so that the Coordinating Group can make the required adjustments
  6. Validate that users added at the last minute by their managers have adequate access to the alternate systems before the tests begin
  7. Identify the participating users and perform a validation
  8. Set a deadline for obtaining feedback on the test matrices from users
  9. GNP needs to reinforce the importance of the notification flow (only 47% of users reported to the Service Desk)

These lessons learned should of course be shared with internal and external clients, as the case may be, so that we are all aware of what we do and what we must improve.

My Lessons Learned – Considerations We Must Not Overlook

As I mentioned earlier, the Disaster Recovery Manager must obtain the evidence, the issues found and resolved, the issues found and not resolved, and the action plan for resolving the unresolved issues, and all of this must be included in the results report. In addition to evidencing all the activity carried out, the report must be signed by the people who signed the initial execution plan: the Project Executive, the Client's focal point, and the Disaster Recovery Manager or Consultant who led the activity.

Important reminder: if there were open issues, the Action Plan established in the results report is continued by opening the corresponding ticket at the help desk, until it is closed.

A fundamental part for the Client, depending on the Client and how it is managed, is documenting the conclusions.

My Lessons Learned – Conclusions Based on Each Experience

In the following example, I present some of the results obtained from the test of the Disaster Recovery Plan (DRP) for one of my clients, which made it possible to:

  1. Validate that the Disaster Recovery Project is functional and aligned with the company's business objectives as part of its Business Continuity Management program.
  2. Validate the correct functionality of the applications by the users within the business processes
  3. Identify applications that are out of scope and that users require to keep the business operating

In my case, specialization helps me become an SME (Subject Matter Expert), which indicates that I am specialized in the subject of Continuity; but from my perspective nothing is set in stone and there is no absolute truth: in any event the unexpected can happen, positive or negative. The only thing one can do is try to mitigate its devastation.

Given this comment, with other clients I have concluded the following – Government Administration Service case:

  1. For the Recovery and Backup Strategy, the redefinition of the Business Impact Analysis defined by the Governance Model was used.
  2. The code of practice of the British standard BS 22301 and the methodological criteria set by DRII.org were used as the theoretical framework.
  3. Reference was made to the application administration and support services (scope of the BIA for the 57 business-critical applications).
  4. It was found that, at the moment, the Business has no defined Recovery site – there are Production sites at Triara Querétaro and Triara Monterrey. These in turn have certain limitations if they are to be used as an alternate Data Center. Taking into account two recovery scenarios:
    • Monterrey Production site unavailable, Production redirected to Querétaro.
    • Querétaro Production site unavailable, Production redirected to Monterrey.
      • Applications that use processing from both Monterrey and Querétaro, which would complicate recovery if it were performed from either of the sites mentioned.
      • Configured communications that currently cannot switch over to a Recovery network that would make it possible to harmonize the IP configurations that the applications currently keep in their internal code (hard-coded) and within the databases themselves (such as service users and passwords).
      • A communications link that is used only to connect the work sites; there is no dedicated link for the Resilience Services.
      • Sufficient space is required, as well as electrical and network installations, racks, and other physical requirements, to house the infrastructure needed to recover the business-critical applications.
      • There is no standardized backup and restore infrastructure at both sites ready to perform this type of Resilience activity; in addition, the strategy must be implemented so that the activity can be carried out at either Triara Monterrey or Triara Querétaro.
      • There is no scheme for safeguarding backup tapes of critical information at an alternate site outside the data centers.
      • There is no scheme for transporting tapes from one site to the other in order to recover data at the other production site.
      • If infrastructure is available at one of the sites, such as Monterrey or Querétaro, an administration different from the current one must be considered, with a different network, and the change process must be implemented to make the required adjustments once they are applied in Production, aligned with the infrastructure that would be used for Recovery.
      • There is no dedicated online infrastructure for recovery, which must be aligned with the established RTO.
  5. There is no data replication, so the current backup strategy would be very limited in meeting the business requirements within the recovery point objectives (RPOs) and recovery time objectives (RTOs). This in turn would compromise the company's reputation, with a high likelihood of occurrence of the Business Impacts already shown in the BIA (Business Impact Analysis).
  6. The previously validated BIA information was used, relating to interruption periods, recovery priorities, responsible users, and impacts of unavailability, which are the basis for developing the best recovery strategies; this information must be confirmed by the Business.
  7. The Business must provide the required inputs shown in the Disaster Recovery Plan so that it can have the real recovery of services that the Business requires. It must consider:
    • An Alternate Recovery site (Hot Site)
    • Links and communications configured for the Recovery Site and Infrastructure for contingencies.
    • Synchronous replication of critical information that reflects changes made at the Production site to the Recovery Site; among those I identify as an SME, in general terms:
      • Critical databases
      • Virtual machines or configurations
      • File systems or repositories that the critical applications use to operate and function correctly (temporary processes, location of system files, etc.).
    • Dedicated infrastructure hosting the operating systems, software, and configurations, as well as special access such as VPN and a replica of LDAP and/or Active Directory.
    • Change and Configuration processes that make it possible to control, through process, the changes made in Production that affect the Recovery Site and Infrastructure, so that both sites are kept perfectly maintained. In turn, dedicated monitoring for the recovery infrastructure, which will complement this maintenance so that the recovery site is ready when the business requires it.
  8. I recommend having a real-time Recovery Site (Hot Site), since the application at the Business level, according to the BIA, must meet the RTOs and RPOs defined in that analysis. This configuration will allow the Business to be aligned with its Continuity strategy, avoiding the losses already evaluated in the BIA, which will directly impact the Business.
  9. It must be considered that a Disaster Recovery Plan cannot be designed, because of the inputs that are lacking; therefore we could not document it appropriately so that the Business requirements established in the BIA are recovered.
  10. Finally, a backup exercise is proposed, which will consist of measuring the actual times for the critical databases identified in the Recovery Strategy, as well as the machines with their application data. This information will be delivered to the Business as evidence of the actual time taken with the backups performed to date, to be compared with the times the business requires as referenced in the BIA.

Finally, I confirm that what these experiences show is that nothing is set in stone. Each Business Continuity professional will generate their own experiences, which will enrich what is lived in this surprising career. Without doubt, there will always be new things to learn, although the common denominator for lessons learned is to document all of it and keep reviewing them, since something in them will serve us to mitigate execution risks during our resilience activities.


Adrian Sanchez V holds an Informatics degree, with a Master of Managing e-Commerce currently in progress. Adrian is certified in the following specialties: ITIL, IT Specialist, ISO27001 LI and Business Continuity Professional, with more than 19 years of experience in the Information Technology industry. Adrian has worked for several companies as Manager and Leader, in sectors such as Delivery Services, Assurance, Bank, Pharmaceutical and others, in the IT department and supporting complex projects. Additionally, Adrian works as a Subject Matter Expert, building several solutions for customers, and as a Business Continuity and Disaster Recovery Consultant. Adrian’s goal is to keep all IT services in good shape in terms of work, operations and management, using best practices, and to achieve all business targets and objectives, aligned with the mission and company values.


Image: “Risk down arrow” by Jagbirlehl – Own work. Licensed under CC BY-SA 3.0 via Wikimedia Commons -https://commons.wikimedia.org/wiki/File:Risk_down_arrow.png#/media/File:Risk_down_arrow.png

April 2014 Earthquake in Chile: We Are on the Right Track — Lessons Learned

Hector Miguel Opazo Santis

On April 1, a powerful 8.2-magnitude earthquake struck off the coast of northern Chile, triggering landslides, cutting power, and generating a tsunami. Hector Miguel Opazo Santis, an industrial civil engineer and CBCP, offers insights into how the region responded to the disaster, using lessons learned from a devastating earthquake that affected the region in 2010.

When DRI International approached me about the possibility of writing about the April 1 earthquake in Chile, I had no doubt that I wanted to contribute, because of my personal conviction regarding what is happening in my country with respect to the management of catastrophes after the earthquake of February 2010.

Because of the different magnitudes, distinct geographic areas, and a much lower population density in the 2014 affected area, among other factors, it’s not easy to compare the two earthquakes. However, it is necessary to work with these facts in order to fundamentally understand the elements of business continuity that allowed for the mitigation of the impact.

The public domain figures in Table A (page 14) are a comparison in terms of the existing information and estimated data for the most recent disaster.

With these statistics, we can draw certain conclusions. According to experts, the more recent earthquake in April released almost eight times less energy, meaning the force with which the ground moved was less severe than it had been in 2010. The number of households affected in the 2014 quake is 20 or 30 smaller than the number of sufferers in 2010, a reflection of the greater height of the 2010 tsunami and its resulting destructive capacity. In the end, one can make comparisons from different angles and with different ends, but what is possible to conclude is that the 2014 earthquake was less severe than the one that took place in February 2010.

However, we should not fail to understand the importance of the 2014 earthquake’s magnitude and impact in the affected region. The April 2014 earthquake had a magnitude of 8.2 on the Richter scale. Comparable earthquakes of this magnitude include Haiti in 2010 (Richter magnitude 7.0, 200,000 dead), Pakistan in 2005 (Richter magnitude 7.6, 86,000 dead), Indonesia in 2004 (Richter magnitude 8.9, 280,000 dead), and perhaps the most apt example, Chile in 2010. Without doubt, we are in the presence of an impressive earthquake.

Most interesting from a business continuity perspective is understanding the actions that Chile has taken since the 2010 earthquake and how these actions profoundly helped us to better manage the emergency. Without these initiatives, we would be lamenting a much worse scene; though it may not have been as bad as 2010, we would have experienced a much worse impact. These actions have put us precisely on the right track in terms of business continuity.

Lessons Learned from the 2010 Earthquake

From the previously stated facts it is clear that there has been a notable advance in the management of many actions, rooted in the DRI Professional Practices, which mitigated the impact of the 2014 earthquake.

1. Preventative measures and risk controls

a. Preventative evacuation

The concept of preventative evacuation along Chile’s coasts has existed for quite some time. There is a historic precedent amongst coastal inhabitants of evacuating in case of earthquake, but without clear indications of when or how to do so.

In light of the grave consequences of the 2010 earthquake and resulting tsunami that hit Chilean coasts, with the tsunami being the cause of more deaths, coastal communities have since implemented various procedural improvements.

The concept of self-evacuation was created, encouraging people to leave if the earthquake caused them to lose their footing in a coastal area. It is important to keep in mind that tsunamis take time to arrive at a coast after an earthquake has ended. The population was able to use this indicator as a primary parameter for evaluation.

Communities also communicated evacuation routes: the roads that they should use, and the predetermined meeting points. All of this was reinforced through signage installed on the beaches.

b. Training and awareness

Training and awareness programs at the time of the 2010 earthquake were unclear. There were supportive programs such as the civil protection academy, the implementation of trainings in high schools, and others, but there was no formal program. This resulted from a failure to realize the importance of training, and/or a lack of resources available to do so.

In the last four years, an official training program has been created, called “Chile Preparado.” This program contains simulation exercises for tsunamis (the processes of which were utilized during the recent tsunami), avenues to increase public awareness and participation, and the distribution of graphic material and awareness videos to large venues (cinemas, stadiums, concerts, high schools), among others. There has been an enormous advance since 2010.


2. Alert messages (crisis communications)

a. Emergency alert management protocols

In 2010, there was an emergency alert protocol. Messages were published through the federal government, but there were likely gaps in its implementation, resources, and processes. What stands out here is the centralized decision-making, which resulted in little regional autonomy with respect to preventative alerts – making it impossible for the affected regions to order their own evacuations.

As a result of the difficult experience during the 2010 earthquake, the protocol was recreated, establishing autonomy for Regional Alert Centers allowing preventative evacuations. Additionally, the government redesigned the structure of the National Emergency Operations Center and Regional Emergency Operation Centers. Each office was responsible for running drills that allowed participants to prepare themselves for emergencies such as the 2014 earthquake. The regional centers were also provided with spaces outside of flood zones in which they could continuously evaluate the management of the emergency and coordinate the response.

b. Alert mechanisms

In 2010, Chile’s oceanography agency, SHOA, was only beginning to implement its 24/7 alert management system. And Chile’s seismology agency, SSN – which should have been providing the seismic parameters that allowed SHOA to determine the risk of a tsunami – did not have any type of 24/7 alert system at all. Additionally, Chile’s seismological network was only really prepared for scientific investigation and needed a minimum of ten minutes to obtain new information. All of this, compounded by weak existing telecommunications, prevented authorities and technical bodies from being able to communicate with affected regions. By the time announcements were made about the tsunami, the first waves had already started to hit some zones.

In the last four years, we have seen real advancements. The National Office of Emergency Management (ONEMI), SHOA and SSN have 24/7 alert systems in place. They have also determined clear protocols for coordination that have been tested, and created clearly defined and understandable messages for listeners. The effects of these improvements were seen in 2014, as ONEMI was able to quickly order a preventative evacuation, while SSN and SHOA effectively publicized the magnitude of the earthquake, and rang the alarm for the coming tsunami.

3. Emergency response

a. Coordination of the Emergency Operations Center (COE)

Without doubt, the federal government made a great advance in emergency management between the years 2010 and 2014. The function of the COE in 2010 was not very clear. Its structure, roles, and processes gave the impression that the COE lacked predesigned coordination.

Despite having been established, the centers of emergency operations on a regional level were not yet operating (at least not in a formal capacity), remaining isolated from the central agency. There weren’t many initiatives for training and awareness either at the federal or state level.

In light of the experience in 2010, the agencies took the opportunity to define roles and reformulate their alert system, including mechanisms for activation, scaling, and announcement locations. They were also able to execute exercises on national and regional levels.

All of these improvements were in place when authorities responded to the 2014 earthquake, clearly defining response procedures and the roles of the responsible parties.

b. State of emergency

The state of emergency, perhaps the most effective control in terms of social protection, has been a controversial tool. In its simplest form, a state of emergency consists of relinquishing control to national armed forces to create order in disaster zones.

During the 2010 earthquake, a state of emergency was only declared 36 hours after the earthquake. This allowed for a series of lootings in the Bio Bio region and a lack of citizen security.

Here is a major lesson learned: As a result of the technical advances previously discussed, a state of emergency was declared only 2 hours after the 2014 earthquake, preventing any vandalism attempts in the north of the country.

c. Management of emergency communications

During the April 2014 earthquake, important changes in terms of communications were evident.

In 2010, all communications were delivered by the president, creating some confusion regarding the roles of the emergency managers.

But as a result of the strategy designed by the Secretary of Communications between 2010 and 2014, all communications to the press are now given by the Minister of the Interior, who also presides over the national COE. In the event that he is unavailable, the natural replacement spokesman was the director of ONEMI. It was always one of these two people who delivered technical news.

Meanwhile, the president’s communications role is to maintain calm amongst the people and deliver summaries of the information provided by the technical spokesman.

All of the actions described, resulting from the lessons learned during the traumatic events of 2010, positively impacted emergency management in April 2014. Furthermore, if you examine them in detail, you see that they are very aligned with the DRI Ten Professional Practices. In this way, Chile aligned itself with the best practices of business continuity professionals.

Possibilities for future improvements

Now comes what may be the most difficult part: reconstruction and the return to normal. The goal of any organization is to be able to resume normal business functions as soon as possible following a disruption. However, the effects of earthquakes of the magnitudes we have discussed are always costly, and the recovery process can be too long, due to the collapse of public and private infrastructures and the loss of lives, services, and much more.

The challenges in the future are many and varied. Therefore, I have established some improvements.

1. Reinforce the concepts of evacuation, habitable locations, continuing drills and more

Prevention, training and awareness will always be important. There are zones to the south of the country that have not had a disruptive event in many years. We must work diligently to improve preparedness in these areas so they can benefit from having a trained, coordinated population.

2. Revise the structure of the COE depending on the emergency and flexibility

The structure of the national COE remains the same. We have different types of disasters and therefore distinct recovery plans. Emergency and operations teams should be able to conform to the nature of the emergency. Here there are many opportunities for improvement in terms of training and the functionality of the COE staff and their roles.

3. Continue alert measures such as the installation of seismographs

Investment in preventative measures is always desirable. In the case of Chilean coastlines, it is necessary to continue investing in a more complete, functional network of seismographs in such at-risk areas.

4. Possible shelters for basic functions; recovery process for essential functions

It is very important to continue developing efforts related to this theme. What if we are not able to return to normal as quickly as we thought, and people remain evacuated or in shelters for an extended period of time? We need to develop a structure that allows for affected populations to remain in temporary housing for longer periods of time, until their communities are able to achieve at least partial recovery.

5. Facilities in critical areas

In some critical zones there are technical and public agency facilities that can still be reached by the effects of a tsunami. These actors are part of emergency management and in some cases participate in regional COEs (municipalities, hospitals, airports, armed forces bases, and others). Therefore, we must establish a plan to relocate the technical and public agencies that are necessary during emergency response and management.

6. Regulation and standards

Chile has high standards for construction. We are a country with constant seismic activity, forcing us to build and create standards with this reality in mind. We should continue advancing in terms of regulation and inspection as we discover new building techniques.

7. Recovery and restoration

This is perhaps the biggest challenge ahead of us – we must emphasize actions related to recovery and restoration. There has been little development and there is much to do. To start, we must analyze international cases to provide a basis for initiatives such as the creation of reconstruction processes, and the establishment of frameworks for short- and long-term restoration.

Conclusions

Chile is a country that has been and will always be constantly exposed to earthquakes and tsunamis, many on a grand scale. The strongest earthquake in Chile’s history occurred in 1960. This threat will always exist and we must learn to live with it.

The implementation of a government continuity of operations plan (COOP) is urgent and business continuity plans are necessary. We are moving forward on the right track, but it is only the tip of the iceberg. These recent experiences have tested us as a country, but they have also taught us invaluable lessons. The reforms carried out since 2010 in emergency management, controls, and training were justified when positive effects were seen in 2014. We cannot directly compare the circumstances of the two earthquakes – but many of the events of 2010 could have been mitigated or even eliminated with proper planning on the part of the planning administration.

The road ahead is clear, but we cannot know when we will next be struck by an earthquake: in a month, a year, or a decade. We are left to gather the experiences of the recent disaster, fix what seems to be broken, and hit the gas. There is much to do, and we don’t have a second to waste.

Translated by Kelsey Rose.

BIO: Hector Miguel Opazo Santis is an industrial civil engineer in Chile with a degree in Master Business Engineering and credentials in project evaluation and information systems management. He is a DRI Certified Business Continuity Professional (CBCP) with almost 20 years of experience in the technological world, working as a consultant and in applied technology development in Latin America and the United States. He has served in management positions in various industries: consulting, banking, commerce and others. He has specialized in project management, online sales, disaster recovery, and project evaluation for technology. Currently, Opazo works as a consultant with Resilience Chile and is a professor at Andres Bello University working with technological innovation projects. He can be contacted at hmopazo@resilchile.cl

Vendor BCM Planning: Don’t Let Your Vendor’s Disaster Become Your Own!

Jerome Ryan

You’ve built your business continuity management program to the highest standards. You faithfully maintain it each year. You’ve performed exercises to ensure everyone’s role is clear. Is it enough? No.

As companies become more comfortable with their own ability to recover from a disaster, they are becoming increasingly uncomfortable with a vendor’s ability to do the same. Regulations and standards — such as OCC Bulletin 2013-29 (United States), BDDK Official Gazette No: 26333 (Turkey), ISO 22301 (international), and NCEMA 7000 (United Arab Emirates) — are beginning to require companies to extend their continuity plans into the trusted relationships with third-party vendors. In fact, the newest version of the U.S. banking regulation, OCC Bulletin 2013-29, even requires companies to look into fourth-party vendor business continuity. Fourth parties are defined as the critical vendors of your critical vendors (thus extending the trusted relationship of continuity further).

What does all this mean to you? It means that your business continuity management program must include vendor business continuity management to ensure protection from internal and external hazards. Vendor business continuity management (BCM) is a program that extends internal business continuity protections to critical vendors, suppliers, third parties, and in some cases fourth parties. Common components include:

  • Identifying critical vendors
  • Developing minimum business continuity guidelines and amending master service agreements (MSAs) and service level agreements (SLAs) to include the right to audit BCM programs
  • Developing an internal response plan for the failure of a critical vendor
  • Creating sample tools and templates to support critical vendors (they may not have the internal knowledge or resources to hire a consultant)
  • Implementing an assessment/verification program to ensure critical vendors’ BCM programs are compliant with your minimum BCM guidelines

The Place to Start

The first step in starting a vendor BCM program is to understand which vendors support the company’s critical business processes. This requires the company to perform an analysis of all vendors to determine those that may be:

  • Sole-sourced
  • Experiencing cash flow issues
  • Operating under a lean/just-in-time model
  • Susceptible to other, related risks

If vendors do not fall into any of the aforementioned categories, they may not be categorized as critical or be part of the vendor BCM program. However, it is recommended critical vendors be evaluated annually or sooner if there are major changes/additions to critical vendors.

In some cases, a vendor is more than just critical. Some vendors may provide key components, without which, the company could fail. This is especially true of sole-source vendors. In the cases of manufacturing, consumer products, pharmaceutical, transportation, and other industries, the lead time to replace a critical vendor may be too long. Not having products on the shelf, combined with negative publicity, may effectively shut a company’s product out of the market.

In these special circumstances, a company should consider building an internal recovery plan to prepare for a vendor’s failure. An internal plan should consider available external supply/outsourced manufacturing, lead times to obtain government (i.e. FDA) approval for alternate manufacturing lines, as well as safety stock. The company may decide to identify alternate vendors, begin regulatory approval of second manufacturing lines, or move away from the sole-source vendor altogether.

Next Steps

For critical vendors, establish a set of guidelines that explain the BCM requirements with which they must comply. These guidelines should mirror the BCM methodology of the company building the vendor BCM program, to ensure a true extension of the trusted relationship. Common components include:

  • Senior management commitment
  • An established BCM methodology
  • A BIA requirement to identify critical business processes and related impacts
  • Recovery plans
  • Regular exercises
  • Regular maintenance

These guidelines should be part of all new SLAs and MSAs with critical vendors. The company also should use the same contractual language with existing critical vendors as contracts are renewed. This will protect the company and hold vendors contractually liable for their BCM programs.

Smaller vendors may not have the ability, knowledge, or resources to comply with a vendor BCM program. It may be necessary, and certainly would be helpful, to provide vendors with a BCM toolkit to support their efforts. Companies should be careful to include legal language that holds the issuing company harmless and states that use of the BCM toolkit does not implicitly or explicitly guarantee recovery from a disaster.

The final step in the process is to monitor and verify vendors’ compliance with the vendor BCM program. This usually can be part of an annual, or regular, vendor compliance assessment. To be both productive and meaningful, the assessment can be neither overly intrusive nor superficial. Questions should dig deeper than “Was a BIA completed?” and ask about specifics such as the date of the last BIA update or the critical processes and associated recovery times.

Summary

In summary, a vendor BCM program is not only another company policy. Rather, it is enhancing and changing the behavior a company takes in selecting, evaluating, and monitoring its collective vendors. Companies must understand that recovery and protection have to extend beyond the company walls. Modern organizations are integrated with and vitally dependent upon many other entities. Even companies in service and financial sectors are vitally dependent on critical vendors. Successful companies focus on their core competencies and rely on partners to fill in the gaps.

So, the next time you’re evaluating your company’s BCM program, remember to look out the door as well as in the mirror.

For Example . . . 

The March 17, 2000 Philips microchip plant fire in Albuquerque, NM is one of the best cases for vendor BCM programs. Nokia and Ericsson, two of the largest mobile phone operators in the world at the time, both sourced critical microchip components from this Philips plant. When a lightning strike caused a small fire, the plant’s clean room was damaged, resulting in the loss of production capacity.

Prior to the fire, Nokia held about a 32 percent market share while Ericsson held about 12 percent in worldwide mobile phone sales. Post fire, Nokia’s mobile phone shipments increased 10.5 percent over the previous year, while Ericsson’s dropped by 35 percent. Why? Nokia reacted quickly and had already prepared for a critical vendor loss prior to the fire, identifying an alternate supplier of microchips. Ericsson, on the other hand, reacted slowly and believed early reports that the fire was small and posed no long-term risk to the supply of microchips.

The total cost to Ericsson was over $400 million USD, including a second quarter 2000 loss of $200 million USD.

BIO: Jerome Ryan is CEO of both GRM Solutions and DRI Istanbul, where he implements and oversees client deliverables in crisis management, business continuity management, emergency response, pandemic planning, and other risk management practices. GRM Solutions has offices in New York and Istanbul. He may be reached at jryan@grmsolutions.net or http://www.linkedin.com/in/jeromeryan/

DRI’s Interview with Mohammed Al Jenaibi

In a recent interview, Mohammed Ahmad Al Jenaibi, CBCP, shared his thoughts and experiences with DRI International. We are pleased to bring you this interview and are very grateful to Mohammed for taking the time to talk with us.

Mohammed is an ex-military search and rescue pilot and former Chief of SAR Coordination Centre. He joined NCEMA (National Crisis and Emergency Management Authority) in 2008 as a Director of Safety and Prevention. A Six Sigma black belt, he specializes in quality management and is also an EFQM Auditor, as well as a DRI International Certified Business Continuity Professional (CBCP). He is the lead of the committee which developed and published UAE’s BCM Standard and Guideline (AE/HSC 7000:2012) in 2012. This was the very first BCM Standard in the Gulf region. He also was the very first BC professional to be awarded a DRI International Award of Excellence as Best Program Leader of the Year for the Public Sector.

DRI: Will you provide a bit of background on NCEMA? 

Mohammed Ahmad al Jenaibi: NCEMA was established in 2007 and by 2011 a resolution by the president was issued for its roles and responsibilities. I joined in 2008, and by 2009, we started the business continuity management (BCM) project.

During the beginning we sought to do research, and we wanted to know what we were missing in this country and what we needed. We discovered that BCM was one of the important issues to tackle. (See Sidebar “Meet NCEMA”) And in August 2013 I resigned from NCEMA.

DRI: Why did NCEMA create its own BCM standard?

MJ: BS25999 was the standard at the time, but we thought it was not well-suited to our nation. We started to look at other standards, including the Singapore standard (SS540), NFPA1600 (USA) and others, and then we decided to write our own standard in Arabic to be more comprehensive for the reader but still matching and using the same methodologies in the standards mentioned.

When we started the first few pages, we thought it would work fine because everybody could understand it easily. We completed in one year the writing of the standard, but it took us two years to get consensus from all the federal departments and all the ministries. Finally, in 2012, the first version was issued.

DRI: In what ways is your standard different from the others?

MJ: Thank you, very good question. When I said that [other standards] were not well-suited, what I meant was that the language and the way they assumed the reader had a background in emergency management, but in our standard you can see the engagement of risk assessment taken from the ISO31000 throughout BCM.

For people without a huge background in emergency and crisis management, the format of BS25999 would be difficult. When you talk to a community, some agencies do not even have this management system in place. So, you cannot introduce them immediately to BCM. Our goal was to simplify how we did this in our standard. Within our standard, anyone can start and move from A to Z in very simple language and in very simple steps.

DRI: Can you tell me a little bit more about the state of preparedness in the UAE?

MJ: After establishing NCEMA, one of the first things they did was the National Response Plan (NRP). The NRP is complete and is being distributed to the whole government of the UAE, so all entities have prepared or are preparing their specific plans which can be plugged into the national response plan framework.

DRI: What about private sector businesses?

MJ: NCEMA has signed a mutual agreement with the Chamber of Commerce to involve the private sector, but you know we have huge companies who already have business continuity for their own interests. So, they are way ahead in advance. On the other hand, there are some other smaller businesses that have no idea about emergencies at all. I think this is because we do not have huge catastrophes in this country. Although we do not have big disasters, the private sector should realize the importance of emergency management, how they should be prepared, and how they can have their own plans.

Now NCEMA has started educating the public. There will be a lot of media and publicity by NCEMA supported by the Ministry of Interior, Civil Defense, and all the stakeholders. They will try to straighten out the education and spread the culture of emergency management. This is a challenge but it should happen within the next few years. We are already putting practice in place and we hope by 2018, end of 2017, we should be done.

For the private sector, to refer to your question, we hope there will be some support from either the government or the other agencies to the private sector to build up their capability, because as you know the capabilities require resources and money. There may be some incentives for those businesses, to encourage them to incorporate this program into their firms.

DRI: What type of incentives?

MJ: For example, the government could encourage the relevant agencies in charge for the fees of the renewal of their license every year say if they have emergency plans, then they are category one. Category one would be 30% less or something like that. There is another incentive that was also proposed: the government would not sign with any entity or private entity unless they have BCM in place.

DRI: How would you evaluate those plans?

MJ: We would have to know whether they have plans first, if they are to contract with government. Then we would have to review them in NCEMA or the appointed agency for the verification.

DRI: Tell us about the education and training that you provided to these different entities, what forms did it take and how long did it take. Were there exercises and tests involved?

MJ: In fact, NCEMA has been exercising the government agencies since 2010. The first one, of course, was like a surprise for some agencies to understand and it took some time to digest the lessons learned. I can say very proudly that in exercises five and six, everybody knew what they had to do and where they were standing in emergency management.

In terms of training, I am sure that more than 300 officials were trained in NCEMA. This is separate from the training that is conducted directly from the training providers to the entities because they know that they would need to train in EM.

DRI: What threats do entities in the UAE face?

MJ: I can simply say that we do not have natural disasters. We do not have it in our history. But you remember the swine flu and the H1N1? Those threats were on the top of the list at that time, those are the kinds of threats we face. But we have practiced and NCEMA staff have gained a lot of experience, but threats are very dynamic, whether political, natural or manmade. But really what is happening internationally could happen in the UAE, without a difference bearing in mind the first rule of Emergency management “always expect the unexpected.”

DRI: You talked about the support that you have from the top people in the country. One of the challenges that I hear from people in other countries is trying to get top management support and to get people to listen when they are talking about business continuity and its importance. How did you get that?

MJ: I can say we are lucky, honestly speaking. Our top leaders, from number one down, they all have been encouraging. There is no doubt that we should be ready for any type of threat. If you talk about big resources like water, electricity, power, then you can see threats everywhere. And those threats are very devastating. I think because of these threats there was no hesitation of the leadership to give us a green light to go ahead and prepare UAE as much as we could. So it wasn’t as much our effort.

DRI: Finally, what is your hope of working with DRI? How do you think that relationship can help you and how can you help us?

MJ: I would say definitely, DRI could help us. The only words we can say to DRI is thank you for supporting our program.

DRI: You have already helped DRI a lot through the important work you do and by taking the time to talk with us.

MJ: Thank you. The word from the top was that education is the key to success. So, getting education from DRI on emergency management and specifically on the BCM, and the methodology DRI is following is very valuable to us. I really appreciate the efforts, the cooperation I found with DRI, and I hope this cooperation will continue for a long time.


DRI Istanbul’s Business Continuity Forum

Istanbul is a city of culture, history and astonishing architecture – and it’s about to become host to DRI Istanbul’s first-ever Business Continuity Forum.

On March 11 at the Radisson Blu in Ortakoy, Istanbul, business continuity and risk management professionals from all over will have the opportunity to learn from top industry experts and network with colleagues.

“We’re extremely excited to bring our premier business continuity conference to Istanbul, Turkey,” said DRI President and CEO Al Berman, who also will speak at the event. “It’s one of the world’s greatest cities with a rich history and is home to many excellent continuity programs. Business continuity, risk management, security, audit and other professionals will simply not find a more satisfying learning and networking opportunity.”

“DRI Istanbul has put together an outstanding program,” said Chloe Demrovsky, DRI Managing Director of Global Operations. “The agenda offers unique and insightful presentations on a variety of important topics, and meaningful discussions for all of our guests. DRI International is proud to be a part of this event.”

Featured Speakers

DRI Istanbul has brought together a variety of business continuity experts from the public and private sectors to share their experience and expertise, including:

Mustafa Komut

As Business Continuity Senior Manager for Vodafone Turkey, Komut offers a unique perspective on Information and Corporate Security in the telecommunication industry.

Orhan Topcu

Currently the Regional Security Manager for Microsoft, he has also worked with the UN and the Turkish Emergency Management Authority. Not only that, he has the distinction of being DRI Istanbul’s first designated instructor.

Behcet Cimbaz

With a background working in public service as well as recent experience in pharmaceuticals, Pfizer Business Resilience Officer Behcet Cimbaz has insight into fostering resilience in multiple sectors.

Registering for the Conference

You can attend the conference at a rate of $349 (USD), which includes all sessions, lunch, coffee breaks and a cocktail reception.

Want to come for free? Register for the BCP 501 refresher course, and you can! This 2.5-day course features 16 hours of instruction, followed by the Qualifying Examination. Instructors take a fast-paced approach to the Professional Practices with emphasis on BC planning and the knowledge, skills and procedures needed to effectively implement each step of the planning process. Registration in the March 12-14 course entitles you to free conference attendance on March 11.

About DRI Istanbul

The regional affiliate of DRI International, DRI Istanbul was founded in 1988 on a mission to make the world prepared. It serves business continuity and risk management professionals in Turkey, Europe and the Middle East.

DRI Istanbul’s certifications add value to individual business continuity professionals and the organizations where they work, by promoting a base of common knowledge for the profession and promoting the credibility and professionalism of certified individuals.

Recipients of DRI Istanbul’s training agree. “Not only did we learn how to protect our business, but we learned how to protect our people and customers,” says certified organization Microsoft.

According to Pfizer, “In one short week, we learned useful information on implementing emergency management, crisis management and business continuity management to cover any business interruption.”