Tag archive: management

We Need You! DRI Professional Practices Quadrennial Review

Fred Sebren

Do you have opinions or ideas about DRI International Professional Practices? We hope so, and we want to hear them! The DRI International Commission’s Professional Practices Committee is seeking comments from DRI Certified Professionals on the current edition of the Professional Practices.

How It Works

The Professional Practices Committee is responsible for maintaining the DRI Professional Practices. In order to accomplish this, the committee uses a four-year update cycle that has been adopted by the DRI Commission. The cycle works as follows:

Year One: Solicit feedback on the current edition of the Professional Practices from DRI Certified Professionals. In addition to this article, you’ll see announcements and requests in all of DRI’s media outlets. Please respond!

Year Two: Feedback in each area is reviewed by the committee. Modifications to each Professional Practice are selected for consideration and incorporated into the draft of the next release. Upon review by the Commission, and with the approval of DRI executive staff, drafts of the new practices are made available on the MyDRI web portal at the end of year two and comments on the proposed changes are sought.

Year Three: Final versions are created for each Professional Practice and submitted to the DRI Commission and executive staff for approval prior to distribution. Education material is updated.

Year Four: Professional Practices are exercised in the field, and at the end of the fourth year it all begins again!

Your Input

Input will be collected for the duration of 2014, after which the Professional Practices committee will create a version for comment. Once the comment period has been completed, then a final version will be published.

So, all you have to do is review the current Professional Practices, focusing on those areas that you believe may need updating and revising, and provide your comments. To view the Professional Practices and provide input, log in to your MyDRI account. Please note that DRI Professional Practices were established as a basis for business continuity development across all industries, not any one specific sector.

Thank you, in advance, for your comments.

The DRI Professional Practices

Here’s a quick overview of the Professional Practices. Log into your MyDRI account to read them in their entirety and to comment.

1. Program Initiation and Management

Establish the need for a Business Continuity Management Program within the entity and identify the program components, from understanding the entity’s risks and vulnerabilities through development of resilience strategies and response, restoration and recovery plans. The objectives of this professional practice are to obtain the entity’s support and funding and to build the organizational framework to develop the BCM program.

2. Risk Evaluation and Control

The objective of this professional practice is to identify the risks/threats and vulnerabilities, both inherent and acquired, which can adversely affect the entity and its resources or impact the entity’s image. Once identified, threats and vulnerabilities will be assessed as to the likelihood that they would occur and the potential level of impact that would result.

3. Business Impact Analysis

During the activities of this professional practice, the entity identifies the likely and potential impacts from events on the entity or its processes and the criteria that will be used to quantify and qualify such impacts.

4. Business Continuity Strategies

The data that was collected during the BIA and Risk Evaluation is used in this professional practice to identify available continuity and recovery strategies for the entity’s operations and technology.

5. Emergency Response and Operations

This professional practice defines the requirements to develop and implement the entity’s plan for response to emergency situations that may impact safety of the entity’s employees, visitors or other assets.

6. Plan Implementation and Documentation

In this phase of the Business Continuity Management Program, the relevant teams design, develop, and implement the continuity strategies approved by the entity and document the recovery plans to be used in response to an incident or event.

7. Awareness and Training Programs

In this professional practice, a program is developed and implemented to establish and maintain corporate awareness about Business Continuity Management (BCM) and to train the entity’s staff so that they are prepared to respond during an event.

8. Business Continuity Plan Exercise, Audit and Maintenance

The goal of this professional practice is to establish an exercise, testing, maintenance and audit program. To continue to be effective, a BCM Program must implement a regular exercise schedule to establish confidence in a predictable and repeatable performance of recovery activities throughout the organization.

9. Crisis Communications

This professional practice provides the framework to identify, develop, communicate, and exercise a crisis communications plan.

10. Coordination with External Agencies

This professional practice defines the need to establish policies and procedures to coordinate response, continuity and recovery activities with external agencies at the local, regional and national levels while ensuring compliance with applicable statutes and regulations.

BIO: Fred Sebren, CHPCP, CBCLA, CBCP, CBCV, MBCI, ITILv3, is Vice-Chair of the DRI International Commission and Chair of the Professional Practices Committee. He also acts as the Commission’s Education Liaison. He can be reached at fred@sebren.com or (972) 442-6985.

Vendor BCM Planning: Don’t Let Your Vendor’s Disaster Become Your Own!

Jerome Ryan

You’ve built your business continuity management program to the highest standards. You faithfully maintain it each year. You’ve performed exercises to ensure everyone’s role is clear. Is it enough? No.

As companies become more comfortable with their own ability to recover from a disaster, they are becoming increasingly uncomfortable with a vendor’s ability to do the same. Regulations and standards — such as OCC Bulletin 2013-29 (United States), BDDK Official Gazette No: 26333 (Turkey), ISO 22301 (international), and NCEMA 7000 (United Arab Emirates) — are beginning to require companies to extend their continuity plans into the trusted relationships with third-party vendors. In fact, the newest version of the U.S. banking regulation, OCC Bulletin 2013-29, even requires companies to look into fourth-party vendor business continuity. Fourth parties are defined as the critical vendors of your critical vendors (thus extending the trusted relationship of continuity one step further).

What does all this mean to you? It means that your business continuity management program must include vendor business continuity management to ensure protection from internal and external hazards. Vendor business continuity management (BCM) is a program that extends internal business continuity protections to critical vendors, suppliers, third parties, and in some cases fourth parties. Common components include:

  • Identifying critical vendors
  • Developing minimum business continuity guidelines and amending master service agreements (MSAs) and service level agreements (SLAs) to include the right to audit BCM programs
  • Developing an internal response plan for the failure of a critical vendor
  • Creating sample tools and templates to support critical vendors (they may not have the internal knowledge or resources to hire a consultant)
  • Implementing an assessment/verification program to ensure critical vendors’ BCM programs are compliant with your minimum BCM guidelines

The Place to Start

The first step in starting a vendor BCM program is to understand which vendors support the company’s critical business processes. This requires the company to perform an analysis of all vendors to determine those that are:

  • Sole-sourced
  • Experiencing cash flow issues
  • Operating under a lean/just-in-time model
  • Susceptible to other, related risks

If vendors do not fall into any of the aforementioned categories, they may not be categorized as critical or be part of the vendor BCM program. However, it is recommended critical vendors be evaluated annually or sooner if there are major changes/additions to critical vendors.

In some cases, a vendor is more than just critical. Some vendors may provide key components, without which, the company could fail. This is especially true of sole-source vendors. In the cases of manufacturing, consumer products, pharmaceutical, transportation, and other industries, the lead time to replace a critical vendor may be too long. Not having products on the shelf, combined with negative publicity, may effectively shut a company’s product out of the market.

In these special circumstances, a company should consider building an internal recovery plan to prepare for a vendor’s failure. An internal plan should consider available external supply/outsourced manufacturing, lead times to obtain government (e.g., FDA) approval for alternate manufacturing lines, as well as safety stock. The company may decide to identify alternate vendors, begin regulatory approval of second manufacturing lines, or move away from the sole-source vendor altogether.

Next Steps

For critical vendors, establish a set of guidelines that explain the BCM requirements with which they must comply. These guidelines should mirror the BCM methodology of the company building the vendor BCM program, to ensure a true extension of the trusted relationship. Common components include:

  • Senior management commitment
  • An established BCM methodology
  • A BIA requirement to identify critical business processes and related impacts
  • Recovery plans
  • Regular exercises
  • Regular maintenance

These guidelines should be part of all new SLAs and MSAs with critical vendors. The company also should use the same contractual language with existing critical vendors as contracts are renewed. This will protect the company and hold vendors contractually liable for their BCM programs.

Smaller vendors may not have the ability, knowledge, or resources to comply with a vendor BCM program. It may be necessary, and certainly would be helpful, to provide vendors with a BCM toolkit to support their efforts. Companies should be careful to include legal language that holds the issuing company harmless and states that use of the BCM toolkit does not implicitly or explicitly guarantee recovery from a disaster.

The final step in the process is to monitor and verify vendors’ compliance with the vendor BCM program. This usually can be part of an annual, or regular, vendor compliance assessment. To be both productive and meaningful, the assessment can be neither overly intrusive nor superficial. Questions should dig deeper than “Was a BIA completed?” and ask about specifics such as the date of the last BIA update or the critical processes and associated recovery times.

Summary

In summary, a vendor BCM program is not just another company policy. Rather, it enhances and changes the way a company selects, evaluates, and monitors its collective vendors. Companies must understand that recovery and protection have to extend beyond the company walls. Modern organizations are integrated with and vitally dependent upon many other entities. Even companies in the service and financial sectors are vitally dependent on critical vendors. Successful companies focus on their core competencies and rely on partners to fill in the gaps.

So, the next time you’re evaluating your company’s BCM program, remember to look out the door as well as in the mirror.

For Example . . . 

The March 17, 2000 Philips microchip plant fire in Albuquerque, NM is one of the best cases for vendor BCM programs. Nokia and Ericsson, two of the largest mobile phone operators in the world at the time, both sourced critical microchip components from this Philips plant. When a lightning strike caused a small fire, the plant’s clean room was damaged, resulting in the loss of production capacity.

Prior to the fire, Nokia held about a 32 percent market share while Ericsson held about 12 percent in worldwide mobile phone sales. Post fire, Nokia’s mobile phone shipments increased 10.5 percent over the previous year, while Ericsson’s dropped by 35 percent. Why? Nokia reacted quickly and had already prepared for a critical vendor loss prior to the fire, identifying an alternate supplier of microchips. Ericsson, on the other hand, reacted slowly and believed early reports that the fire was small and posed no long-term risk to the supply of microchips.

The total cost to Ericsson was over $400 million USD, including a second quarter 2000 loss of $200 million USD.

BIO: Jerome Ryan is CEO of both GRM Solutions and DRI Istanbul, where he implements and oversees client deliverables in crisis management, business continuity management, emergency response, pandemic planning, and other risk management practices. GRM Solutions has offices in New York and Istanbul. He may be reached at jryan@grmsolutions.net or http://www.linkedin.com/in/jeromeryan/

BCM in a Country Blessed by God

Alexandre Costa Guindani

Business continuity management (BCM) is still quite a new subject to the people of Brazil. As famous Brazilian singer Jorge Ben Jor said, we live in a country “blessed by God,” where natural disasters, like earthquakes and hurricanes, rarely happen or don’t happen at all.

The lack of these kinds of events makes the people, managers, and companies believe that nothing bad will ever happen, and gives them a feeling of immunity to disasters or other serious interruption. This tends to cause Brazilian enterprises to deny their vulnerabilities and to assume they don’t need an effective business continuity management program.

The statement “but this has never happened” or “this will never happen to us” is frequently heard by people who are ultimately responsible for the corporate BCM. And so, since nothing is going to happen, a continuity program looks like a waste of time and money.

What to do? Here are some tips on BCM implementation for those who live in “blessed” countries or companies (or for suppliers and business partners, who may need assistance):

Be a Missionary

Make use of every opportunity to discuss business continuity management or, if there is one, the corporation’s BCM program. Show everyone the benefits business continuity can bring to the company, whether they are financial, legal, or related to the company’s reputation or brand. Become a master of the subject. Study and become a certified professional. Base what you know and what you tell others on best practices, and make good use of what BCM organizations have to offer: knowledge sharing.

Start Small

BCM is not one-size-fits-all. What works out for one company may not work for another, even though they might be in the same field. BCM has an intricate cultural component, and its development will need to suit the managers, employees, and corporation’s traditions. Without doubt, the best BCM model is tailor-made and developed by employees and internal resources.

Although BCM is most certainly a process, implementation starts with a project, and like any other project, tasks have to be delivered within the agreed deadlines. How fast you accomplish these tasks will depend on senior management support and on the availability of resources.

Depending on the size of the company and the scope defined, the project may take some time to show results. Going slow and steady with small project components is often the best strategy. This keeps the project alive in the eyes of the top management. Start small, think big, and always evolve.

Persuade and Fascinate

Two things may jeopardize the development of a BCM program: the lack of management support and the lack of commitment from the employees. If you want to have success, you need to prove to the management that the implementation of BCM is necessary and that it will bring real gains to the company.

Management support is fundamental for the BCM program. That is why getting the management team involved is a critical factor for success. Make sure they know what BCM is and what it means for the company. Remember that it is not possible to develop continuity strategies without investment, and that it is top management that will sign off on expenditures. It is also important to note that employees are more likely to show interest in and support for BCM if they know that top management supports the idea.

Make sure you keep all employees involved during BCM program implementation. No one will develop good plans and keep them updated if they can’t fully understand why they are doing it. Most people think it is annoying to write down what their activities are and to describe procedures. Some will rebel because they fear that documenting their work will make them unnecessary. Be aware of these potential pitfalls.

Keep It Simple

BCM is a complex process, even for those who master it. It is necessary to make it simple and easy for everyone. Develop easy-to-understand models and manuals. Remember that extensive and complex plans will be useless in critical situations, where less can mean more.

Keep IT Close

As IT has become a separate entity, with a department of its own in most companies, it also has become distant from the business activities that it supports. This makes it harder to unite the corporate BCM and disaster recovery. The main issue is cultural; in other words, people are the problem, not the technology. Everyone has to know their roles in the corporate BCM and how they can effectively contribute to its success. Making sure business and IT understand each other is the BCM manager’s job, which is best accomplished with serious management support.

Keep On Keeping On

Finally, remember that disasters rarely happen, but smaller incidents that can interrupt the activities and services of an organization for a long time are much more common.

Business continuity must be treated as an indispensable management tool to keep services up and running. BCM must be known as a strategic element of the company, having its directives clearly defined and known by everyone.

BIO: Alexandre Costa Guindani, CBCP, is head of business continuity at CAIXA, the largest public bank in Brazil. He recently published a book about BCM in Portuguese and can be reached at alexandre.guindani@caixa.gov.br.