Archivo de la etiqueta: standards

Vendor BCM Planning: Don’t Let Your Vendor’s Disaster Become Your Own!

Jerome Ryan

You’ve built your business continuity management program to the highest standards. You faithfully maintain it each year. You’ve performed exercises to ensure everyone’s role is clear. Is it enough? No.

As companies become more comfortable with their own ability to recover from a disaster, they are becoming increasingly uncomfortable with a vendor’s ability to do the same. Regulations and standards — such as, OCC Bulletin 2013-29 (United States), BDDK Official Gazette No: 26333 (Turkey), ISO 22301 (international), and NCEMA 7000 (United Arab Emirates) — are beginning to require companies to extend their continuity plans into the trusted relationships with third-party vendors. In fact, the newest version of the U.S. banking regulation, OCC Bulletin 2013-29, even requires companies to look into fourth-party vendor business continuity. Fourth parties are defined as the critical vendors of your critical vendors (thus extending the trusted relationship of continuity further).

What does all this mean to you? It means that your business continuity management program must include
vendor business continuity management to ensure protection from internal and external hazards. Vendor business continuity management (BCM) is a program that extends internal business continuity protections to critical vendors, suppliers, third parties, and in some cases fourth parties. Common components include:

  • Identifying critical vendors
  • Developing minimum business continuity guidelines and amending master service agreements (MSAs) and service level agreements (SLAs) to include the right to audit BCM programs
  • Developing an internal response plan or the failure of a critical vendor
  • Creating sample tools and templates to support critical vendors (they may not have the internal knowledge or resources to hire a consultant)
  • Implementing an assessment/verification program to ensure critical vendors’ BCM programs are compliant with your minimum BCM guidelines

The Place to Start

The first step in starting a vendor BCM program is to understand which vendors support the company’s critical business processes. This requires the company to perform an analysis of all vendors to determine those that may be:

  • Sole-sourced
  • Have cash flow issues
  • Operating under a lean/just-in-time model
  • Susceptible to other, related risks

If vendors do not fall into any of the aforementioned categories, they may not be categorized as critical or be part of the vendor BCM program. However, it is recommended critical vendors be evaluated annually or sooner if there are major changes/additions to critical vendors.

In some cases, a vendor is more than just critical. Some vendors may provide key components, without which, the company could fail. This is especially true of sole-source vendors. In the cases of manufacturing, consumer products, pharmaceutical, transportation, and other industries, the lead time to replace a critical vendor may be too long. Not having products on the shelf, combined with negative publicity, may effectively shut a company’s product out of the market.

In these special circumstances, a company should consider building an internal recovery plan to prepare for a vendor’s failure. An internal plan should consider available external supply/outsourced manufacturing, lead times to obtain government (i.e. FDA) approval for alternate manufacturing lines, as well as safety stock. The company may decide to identify alternate vendors, begin regulatory approval of second manufacturing lines, or move away from the sole-source vendor altogether.

Next Steps

For critical vendors, establish a set of guidelines that explain the BCM requirements with which they must comply. These guidelines should mirror the company building the vendor BCM program’s BCM methodology to ensure a true extension of the trusted relationship. Common components include:

  • Senior management commitment
  • An established BCM methodology
  • A BIA requirement to identify critical business processes and related impacts
  • Recovery plans
  • Regular exercises
  • Regular maintenance

These guidelines should be part of all new SLAs and MSAs with critical vendors. The company also should use the same contractual language with existing critical vendors as contracts are renewed. This will protect the company and hold vendors contractually liable for their BCM programs.

Smaller vendors may not have the ability, knowledge, or resources to comply with a vendor BCM program. It may be necessary, and certainly would be helpful, to provide vendors with a BCM toolkit to support their efforts. Companies should be careful to include legal language that holds the issuing company harmless and states that use of the BCM toolkit does not implicitly or explicitly guarantee recovery from a disaster.

The final step in the process is to monitor and verify vendors’ compliance with the vendor BCM program. This usually can be part of an annual, or regular, vendor compliance assessment. To be both productive and meaningful, the assessment can be neither overly intrusive nor superficial. Questions should dig deeper than “Was a BIA completed?” and ask about specifics such as the date of the last BIA update or the critical processes and associated recovery times.


In summary, a vendor BCM program is not only another company policy. Rather, it is enhancing and changing the behavior a company takes in selecting, evaluating, and monitoring its collective vendors. Companies must understand that recovery and protection have to extend beyond the company walls. Modern organizations are integrated with and vitally dependent upon many other entities. Even companies in service and financial sectors are vitally dependent on critical vendors. Successful companies focus on their core competencies and rely on partners to fill in the gaps.

So, the next time you’re evaluating your company’s BCM program, remember to look out the door as well as in the mirror.

For Example . . . 

The March 17, 2000 Philips microchip plant fire in Albuquerque, NM is one of the best cases for vendor BCM programs. Nokia and Ericsson, two of the largest mobile phone operators in the world at the time, both sourced critical microchip components from this Philips plant. When a lighting strike caused a small fire, the plant’s clean room was damaged resulting in the loss of production capacity.

Prior to the fire Nokia held about a 32 percent market share while Ericsson held about 12 percent in worldwide mobile phone sales. Post fire, Nokia’s mobile phone shipments increase 10.5 percent over the previous year, while Ericsson’s dropped by 35 percent. Why? Nokia reacted quickly and had already prepared for a critical vendor loss prior to the fire, identifying an alternate supplier of microchips. Ericsson, on the other hand, reacted slowly and believed early reports that the fire was small and posed no long-term supply risk to the supply of microchips.

The total cost to Ericsson was over $400 million USD, including a second quarter 2000 loss of $200 million USD.

BIO: Jerome Ryan is CEO of both GRM Solutions and DRI Istanbul, where he implements and oversees client deliverables in crisis management, business continuity management, emergency response, pandemic planning, and other risk management practices. GRM Solutions has offices in New York and Istanbul. He may be reached at or

DRI’s Interview with Mohammed Al Jenaibi

In a recent interview Mohammed Ahmad Al Jenaibi, CBCP, shared his thoughts and experiences with DRI International. We are pleased to bring you this interview and are very grateful to Mohammed or taking the time to talk with us.

Mohammed is an ex-military search and rescue pilot, as former Chief of SAR Coordination Centre. He joined NCEMA (National Crisis and Emergency Management Authority) in 2008 as a Director of Safety and Prevention. He specializes in quality management, A black belt Six Sigma, he specializes in quality management and is also an EFQM Auditor, as well as a DRI International Certified Business Continuity Professional(CBCP). He is the lead of the committee which developed and published UAE’s BCM Standard and Guideline (AE/HSC 7000:2012) in 2012. This was the very first BCM Standard in the gulf region. He also was the very first BC professional to be awarded a DRI International Award Of excellence as Best Program Leader of the Year for the Public Sector.

DRI: Will you provide a bit of background on NCEMA? 

Mohammed Ahmad al Jenaibi: NCEMA was established in 2007 and by 2011 a resolution by president was issued for its roles and responsibilities. I joined in 2008, and by 2009, we started the business continuity management (BCM) project.

During the beginning we sought to do research, and we wanted to know what we were missing in this country and what we needed. We discovered that BCM was one of the important issues to tackle. (See Sidebar “Meet NCEMA,” page xx) And in August, 2013 I resigned from NCEMA.

DRI: Why Did NCEMA create its own BCM standard?

MJ: BS25999 was the standard at the time, but we thought it was not well-suited to our nation. We started to look at other standards, including the Singapore standard (SS540) , NFPA1600 (USA) and others, and then we decided to write our own standard in Arabic to be more comprehensive for the reader but still matching and using same methodologies in the standards mentioned.

When we started the first few pages, we thought it would work fine because everybody could understand it easily. We completed in one year the writing of the standard, but it took us two years to get consensus from all the federal departments and all the ministries. Finally, in 2012, the first version was issued.

DRI: In what ways is your standard different from the others?

MJ: Thank you, very good question. When I said that [other standards] were not well-suited, what I meant was that the language and the way they assumed the reader had a background in emergency management, but in our standard you can see the engagement of risk assessment taken from the ISO31000 throughout BCM.

For people without a huge background in emergency and crisis management, the format of BS25999 would be difficult. When you talk to a community, some agencies do not even have this management system in place. So, you cannot introduce them immediately to BCM. Our goal was to simplify how we did this in our standard. Within our standard, anyone can start and move from A to Z in very simple language and in very simple steps.

DRI: Can you tell me a little bit more about the state of preparedness in the UAE?

MJ: After establishing NCEMA, one of the first things they did was the National Response Plan (NRP). The NRP is complete and is being distributed to the whole government of the UAE, so all entities have prepared or are preparing their specific plans which can be plugged into the national response plan framework.

DRI: What about private sector businesses?

MJ: NCEMA has signed a mutual agreement with the Chamber of Commerce to involve the private sector, but you know we have huge companies who already have business continuity for their own interests. So, they are way ahead in advance. On the other hand, there are some other smaller businesses that have no idea about emergencies at all. I think this is because we do not have huge catastrophes in this country. Although we do not have big disasters, the private sector should realize the importance of emergency management, how they should be prepared, and how they can have their own plans.

Now NCEMA has started educating the public. There will be a lot of media and publicity by NCEMA supported by the Ministry of Interior, Civil Defense, and all the stakeholders. They will try to straighten out the education and spread the culture of emergency management. This is a challenge but it should happen within the next few years. We are already putting practice in place already and we hope By 2018, end of 2017, we should be done.

For the private sector, to refer to your question, we hope there will be some support from either the government or the other agencies to the private sector to build up their capability, because as you know the capabili- ties require resources and money. There may be some incentives for those businesses, to encourage them to incorporate this program into their firms.

DRI: What type of incentives?

MJ: For example, the government could encourage the relevant agencies in charge for the fees of the renewal of their license every year say if they have emergency plans, then they are category one. Category one would be 30% less or something like that. There is another incentive that was also proposed: the government would not sign with any entity or private entity unless they have BCM in place.

DRI: How would you evaluate those plans?

MJ: We would have to know whether they have plans first, if they are to contract with government. then we would have to review them in NCEMA or the appointed agency for the verification.

DRI: Tell us about the education and training that you provided to these different entities, what forms did it take and how long did it take. Were there exercises and tests involved?

MJ: In fact, NCEMA has been exercising the government agencies since 2010. The first one, of course, was like a surprise for some agencies to understand and it took some time to digest the lessons learned. I can say very proudly that in exercises five and six, everybody knew what they had to do and where they standing in emergency management

In terms of training, I am sure that more than 300 officials were trained in NCEMA. This is separate from the training that is conducted directly from the training providers to the entities because they know that they would need to train in EM.

DRI: What threats do entities in the UAE face?

MJ:. I can simply say that we do not have natural disasters. We do not have it in our history. But you remember the swine flu and the H1N1? Those threats were on the top of the list at that time, those are the kinds of threats we face. But we have practiced and NCEMA staff have gained a lot of experience, but threats are very dynamic, whether political, natural or manmade. But really what is happening inter- nationally could happen in the UAE, without a difference bearing in mind the first rule of Emergency management “always expect the unexpected.”

DRI: You talked about the support that you have from the top people in the country. One of the challenges that I hear from people in other countries is trying to get top management support and to get people to listen when they are talking about business continuity and its importance. How did you get that?

MJ: I can say we are lucky, honestly speaking. Our top leaders, from number one down, they all have been encour- aging. There is no doubt that we should be ready for any type of threat. If you talk about big resources like water, electricity, power, then you can see threats everywhere. And those threats are very devastating. I think because of these threats there was no hesitation of the leadership to give us a green light to go ahead and prepare UAE as much as we could. So it wasn’t as much our effort.

DRI: Finally, what is your hope of working with DRI? How do you think that relationship can help you and how can you help us?

MJ: I would say definitely, DRI could help us. The only words we can say to DRI is thank you for supporting our program.

DRI: You have already helped a lot to DRI through the important work you do and by taking the time to talk with us.

MJ: Thank you. The word from the top was that education is the key to success. So, getting education from DRI on emergency management and specifically on the BCM, and the methodology DRI is following is very valuable to us. I really appreciate the efforts, the cooperation I found with DRI, and I hope this cooperation will continue for a long time.

Screen shot 2014-07-07 at 11.14.47 AM

Continuity in Central Banking: Beyond Compliance — A Social Responsibility

Johanna Gutierrez Clavijo

The Central Bank of Colombia (El Banco de la República) complies with the standard functions of most central banks; its main constitutional objective is to watch over the stability of currency purchasing power. As stated on its website: “the aim of the Banco de la República’s monetary policy is the achievement of coherent inflation rates with the constitutional mandate of guaranteeing price stability in coordination with a general macroeconomic policy that motivates product and employment growth”. It has administrative autonomy over national wealth and its technology. Some of its principal functions are to regulate currency, the international exchange, and credit; to issue legal currency; to administrate international reserves; to act as moneylender of last resort; to act as banker for credit establishments; and to serve as the fiscal agent of the government. The Central Bank of Colombia is an essential part of the operation of the Colombian financial system, which is the group of entities that exert influence on Colombia’s stock market activity, insurance, finance and credit.

To give continuity to these functions, which, among other things, helps to guarantee secure and efficient money circulation both domestically and internationally, the Central Bank of Colombia has been working for twelve years on developing and implementing a system of continuity management (SCM) that is efficient and effective. This system is of high quality and encompasses the critical processes of the bank including clear and open policy, an operation and technology contingency plan, a response and emergency plan as well as a separate crisis management plan, and integration with the financial and government sector.

SCM is known for having the unconditional support of the bank’s senior management, who feel that it is a matter of strategic importance. To continue our operations as the central bank goes beyond constitutional compliance, it is a social responsibility. We are charged with assuring our bank’s continuity in the face of any threat to its ability to operate, including defending such crucial functions as the stability of the payments system and the monitoring of the money supply. Toward this goal, significant human and financial resources have been approved to ensure technological and operations continuity; a total of ten people work exclusively for SCM. Financial resources to construct, supply, and maintain two technical and operations centers have been sanctioned. One of them will have the capacity to recover the entire technical operation in two hours and to continue operating indefinitely; the other will have active operation in one hour and operate for up to eight weeks. It has been an ongoing challenge to maintain the interest and participation of the banking community on these matters. This has been achieved through permanent sensitization and awareness to the point of being a planned and monitored activity with specific indicators of compliance, thus contributing to the rising maturity of SCM at the bank.

Three years ago, we decided to face the challenge of conducting live contingency tests at the Central Bank of Colombia. That is to say, we conducted tests during the business hours of the entire financial community. This matter was supported not only by senior management, but also at the supervisory level and by the financial community in general. Today we can say that the successful tests conducted during business hours included an evacuation simulation of central bank personnel, resulting in a two-hour suspension of the technological and operations services that we offer the financial and governmental sectors. Following the evacuation, operations began again at the exclusive alternate off-site location of the contingency teams.

A big challenge that is still unresolved has been to find the best way to communicate a crisis event to and among employees. Currently, we use cell phones, e-mail, and a custom crisis information portal that activates on our website ( in the event of a crisis. The site contains information on the development of the crisis and the actions that various groups of affected employees, users, and providers should take. In the same way, we are exploring the possibility of acquiring a massive notification tool. For now, we provide information to our employees via the social media site Twitter in order to maintain an alternative method of communication with them.

The Central Bank of Colombia is also involved with promoting continuity management in financial and governmental entities, with the goal of realizing internal management for the whole country. To help achieve this goal, we are vigilant to maintain compliance with the regulations of the Ministry of Finance of Colombia and its mission to preserve public confidence and the stability of the financial system. To this end, the Ministry controls and oversees the system, seeking security and clarity both in financial services provided and in operation fulfilled. Therefore, those who take part in this financial system are obliged to comply with continuity plans that allow us to continue operating critical processes and to guarantee that our critical providers also have and sanction the plans. On the other hand, via the Continuity Committee of the Commercial Bank Association (Asobancaria), we are working on critical aspects that allow us to comply with the SCM regulations, to share experiences in the development of SCM and to obtain integrated tools as plans of crisis management. These will strengthen the coordinated response to events that pose high impact risk to the financial system of the country.

It is evident that the Central Bank of Colombia is aiming for much more than the continuity of its own operation. That mission when pursued alone would make no sense if the rest of its counterparts and users were not also working to the same end. The bank is busy integrating its plans. This effort is not only an organizational challenge, but also a challenge to contribute—even under adverse conditions—to the ongoing development of our country.


Johanna studied at the University of the Andes where she specialized in systems and computer engineering and upper management. She has been certified CBCP since 2001 by the Disaster Recovery Institute and MBCI by BCI since 2008. Johanna has experience in design, development, implementation of risk, and continuity management systems. She has knowledge and experience in the areas of prevention, attention and response to emergencies as well as design and implementation of technology and contingency plans, organizational and inter-institutional crisis management. She has consulted regarding business continuity with Central Banking and public sector organizations in Colombia. Johanna is currently working for the Central Bank of Colombia, where she has been a computer security engineer, director of technology support and continuity and now serves as Director of the Risk and Process Management Department.