Continuity for the Rest of Us: BC For SMEs
Kathleen A. Lucey, [email protected], tel: (1)516.676.9234
Mar 26, 2015
Continuity Trends Since 9/11 in the US:
SMEs Need Something Different
Part I: Recent Events Raise the Bar
Part II: How Can SMEs Get What They Want... and What They Need?
Part I: Recent Events Raise the Bar
First, a few effects of 9/11 on downtown Manhattan...

Destroyed Buildings: Tenant Relocation Summary as of September 2003
                Midtown  New Jersey  Elsewhere  Downtown  Undecided  Total
Total Tenants        39          11          7        17          0     74

Damaged Buildings: Tenant Relocation Summary as of September 2003
                Midtown  New Jersey  Elsewhere  Downtown  Downtown Existing  Undecided  Total
Total Tenants        32           1          3        10                 64          1    111

Source: Special Report: WTC Tenant Relocation Summary, TenantWise, Inc., 2003
And a few more...
Madrid 3/11/2004
London 7/7/2005, 7/21/2005
Katrina: Louisiana and Gulf Coast, 8/2005
Rita: Louisiana and Texas, 9/2005
Earthquake in Pakistan and India: 10/2005
Wilma: Mexico and Florida, 10/2005
New Delhi: 10/2005
Post-9/11 Trends
Politicization of Business Continuity
– Homeland Security Department includes FEMA
– Patriot Act
– Pre-emptive wars: Afghanistan, Iraq
Results-oriented regulation
– Inter-agency White Paper
– NASD regs 3610, 3620
– Sarbanes-Oxley
– California Law 1386 (2003), NY State Information Security Breach and Notification Act (August 2005)
Increased BC awareness across most non-regulated sectors, and especially SMEs
What we have learned...
Effective response is a complex issue, and much larger than data center Disaster Recovery.
Small and medium-size businesses are largely unprepared, but worry.
Success = BC + Emergency Management + an ongoing program
External and intra-industry dependencies have been mostly ignored.
Resilience is the most effective strategy...and it is an organizational, not just a technical issue.
Trends Today
EFFECTIVE RESULTS?
Compliance with regulatory checklists is NOT enough.
Not all responses can be planned. Tools and information are necessary but not sufficient.
The most effective 9/11 responses empowered operating-level people.
Testing must become MUCH more serious: greater verisimilitude.
Effective emergency communication is primary: automated notification systems.
Trends Today
SMALL AND MEDIUM-SIZE BUSINESSES ARE VULNERABLE
Widespread awareness and concern.
Traditional BC methods are too expensive and seen as unnecessary.
Tools that are effective AND well-adapted to SME needs are difficult to find.
Clear need to develop SME baseline standards and techniques.
Pressure from large customers and/or suppliers can be a driver.
Trends Today
INTER-DISCIPLINARY AND INTER-SECTOR WORK IS NEEDED
Government sets security levels, but the private sector holds 85% of critical infrastructure.
Piecemeal solutions with different mindsets and languages:
– IT: D/R and Technology InfoSec
– Facilities: Infrastructure, Engineering, and Physical Access Control
– Emergency and Crisis Management Planning
– Organizational Planning, Strategic Planning, Social Sciences
– Internal Audit, External Audit
– First Responders: insider jargon and procedures
It is not an option to remain where we have been...and where we are.
Trends Today
EXTERNAL AND INTER-INDUSTRY DEPENDENCIES
Few businesses accomplish all of their critical functions alone:
– Communications
– Transportation, supply and distribution
– Outsourcing
Contractual penalties are insufficient to guarantee business survival.
Creativity, planning, and persuasion are all required. WORKING TOGETHER!
Multiple-sector testing is difficult and expensive. Need more public sector support.
Trends Today
RESILIENCE
“The power or inherent property of returning to the form from which it is bent, stretched, compressed, or twisted.”
– of objects or substances
“The power or ability to recover quickly from a setback, depression, illness, overwork, or other adversity.”
– of people
“The ability of a system to keep working when one or more of its components malfunctions. Also called fault tolerance.”
– of systems
Part II: Where Can SMEs Get What They Want...and What They Need?
How do SMEs see Continuity?
Ask them and they will tell you.
SME Continuity Requires the Proper Event DNA
Definition, Notification, Action

What is DNA?
Includes designed processes and tools for:
Definition of events +
Notification and communication activities required for immediate response +
Action plans to respond to events.
Definition is key
Poor Definition = emergency response tragedies: Regional Blackout of August 14, 2003; Three Mile Island; 9/11.

Notification
Tools and strategies must be:
– Carefully designed for feasibility
– Understood and rehearsed; UP-TO-DATE
– Cover initial interruption management + recovery + return (move)
INTERRUPTION MANAGEMENT MODEL (organization chart; only the labels survived extraction)
Teams: Executive Oversight Team; Interruption Management Team; Business Continuity Teams; Information Technology Recovery Teams; Media Relations Team; Command Center Support Team
Coordination: Initial Interruption Management; Recovery Management; Business Continuity Coordination; Business Recovery Coordination; IT Recovery Coordination
Support functions: Employee Support; EMT / Government Liaison; Emergency Funding; Physical Security; Transportation, Communications; Site Repair and Restoration; HAZMAT; Admin. Services; Damage Assessment; Emergency Logistics; Site Relocation and Re-creation; Site Repair or Relocate; Purchasing; Insurance Liaison
2005 Montague Technology Management, Inc. All rights reserved.
Action
Implemented actions and strategies should:
– Be additive: chosen to cover the maximum number of scenarios first.
– Provide the best response to requirements: the right choice.
– Provide a continuity capability that increases measurably over time.

ALL DNA processes must be working to achieve effective continuity.
Where are MOST of the Continuity Challenges?
CONTINUITY ISSUES: Catastrophic Interruptions; Minor Interruptions; Everyday Blips; Process Dysfunctions
BCARE SOLUTIONS: Continuity; Availability; Reliability; Engineering
Applied to: Core Business Value Chain Processes
BC Jumpstart for SMEs
Steps 1 through 4:
1. Interruption Scenario Class Definitions: Internal and External.
2. Strategies and Tools by Scenario Class: Additive continuity components and interruption avoidance / mitigation measures by scenario class.
3. Gap Analysis: The firm’s current capability vs. the recommended set of continuity components and avoidance / mitigation measures, by scenario class.
4. Project Plan: Timeline and cost estimates to move forward.
Interruption Scenario Classes
EXTERNAL SCENARIOS
Classes: 1 - minor (a and b) to 5 - catastrophic
External scenario characteristics:
– Day / time (workday hours, non-working hours)
– Geographic scope
– Length of time
– Premises infrastructure services impact
– Firm premises damage
– Injuries to firm personnel
– Effect on workplace
External Scenario Classes
DURATION OF INTERRUPTION BY CLASS
Class Length of Interruption
1: Minor less than 1 day
2: Significant 1-3 days
3: Serious 3-5 days
4: Very serious 5-10 days
5: Catastrophic 10 or more days
Internal Scenario Classes
Specific to each firm and each site. For example:
Class  Description
A      Local equipment failure
B      Local PBX failure
C      Central network outage
D      Workplace violence
E      Supplier outage
F      Disclosure of confidential information
G      Key staff loss
H      Reputational risk
Benefits for SMEs
1: Avoid the risk. 2: Lower the risk probability. 3: Recover, reduce damages.
Implement FIRST what is needed for all interruption scenarios.
Pay attention to the obvious.
Spread development and costs over time by building to catastrophic, “worst-case” capability step-by-step.
Make BC capability progress visible, measurable, understandable, and “present-able.”
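As an added worked illustration of steps 1 through 4 and the additive principle above (example code, not from the original deck): the scenario classes are the deck's; the continuity components, their coverage, the firm's current capability and the cost figures are constructed assumptions. The plan orders the missing components greedily, taking at each step the one that newly covers the most scenario classes, so capability grows measurably with each step.

```python
# Added example (not from the deck): BC Jumpstart steps 1-4 for a hypothetical SME.
# Scenario classes are the deck's; components, coverage and costs are constructed.

# Step 1: scenario classes. External 1-5 by duration, internal A-H per firm.
EXTERNAL_CLASSES = {1: "Minor (<1 day)", 2: "Significant (1-3 days)", 3: "Serious (3-5 days)",
                    4: "Very serious (5-10 days)", 5: "Catastrophic (10+ days)"}
INTERNAL_CLASSES = {"A": "Local equipment failure", "B": "Local PBX failure",
                    "C": "Central network outage", "D": "Workplace violence", "E": "Supplier outage",
                    "F": "Disclosure of confidential information", "G": "Key staff loss", "H": "Reputational risk"}
ALL_CLASSES = set(EXTERNAL_CLASSES) | set(INTERNAL_CLASSES)

# Step 2 (constructed): continuity component -> scenario classes it addresses.
RECOMMENDED = {
    "automated_notification": {1, 2, 3, 4, 5, "A", "B", "C", "D"},
    "offsite_backups": {2, 3, 4, 5, "A", "C"},
    "alternate_work_site": {3, 4, 5, "D"},
    "media_statement_templates": {4, 5, "D", "F", "H"},
    "cross_training": {"G"},
    "second_supplier": {"E"},
}
COST = {"automated_notification": 5, "offsite_backups": 8, "alternate_work_site": 20,
        "media_statement_templates": 1, "cross_training": 3, "second_supplier": 4}  # constructed units

def covered_by(recommended, current):
    """Scenario classes the firm's current components already address."""
    return set().union(*(recommended[c] for c in current))

def gap_analysis(recommended, current):
    """Step 3: missing components, widest coverage first (ties broken by name)."""
    return sorted((c for c in recommended if c not in current), key=lambda c: (-len(recommended[c]), c))

def uncovered_classes(recommended, current):
    """Step 3: scenario classes no current component addresses, i.e. the firm's exposure."""
    return ALL_CLASSES - covered_by(recommended, current)

def project_plan(recommended, current, cost):
    """Step 4: additive ordering. Each step takes the missing component that newly covers
    the most classes; returns (component, classes newly covered, cumulative cost)."""
    covered = covered_by(recommended, current)
    todo = [c for c in recommended if c not in current]
    plan, spent = [], 0
    while todo:
        nxt = min(todo, key=lambda c: (-len(recommended[c] - covered), -len(recommended[c]), c))
        new = recommended[nxt] - covered
        covered |= new
        spent += cost[nxt]
        plan.append((nxt, len(new), spent))
        todo.remove(nxt)
    return plan
```

Components that add no new class (the alternate work site, once notification and templates are in place) fall to the end of the plan, where they deepen coverage of classes already addressed.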
And so what does all of this mean for us as business continuity professionals?
We Need to GROW!
Accept that current “best practices” are not the only truth.
Study the concepts of allied fields; stay open to new ideas. Learn!
Connect to related disciplines: emergency management, InfoSec, facilities, infrastructure, equipment reliability and physical security...and organizational theory!
LISTEN....LISTEN.....LISTEN....AND HEAR!
References (1)
Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System, Board of Governors of the Federal Reserve System; Office of the Comptroller of the Currency; and Securities and Exchange Commission. Draft (Sep 2002): http://www.sec.gov/rules/concept/34-46432.htm Final (Apr 2003): http://www.sec.gov/news/studies/34-47638.htm
Report: Crisis, recovery, innovation: responsive organization after September 11, John Kelly, David Stark. Center on Organizational Innovation, Columbia University, New York, NY, June 2002. http://www.coi.columbia.edu/pdf/kelly_stark_cri.pdf
SEC Approval of NASD Rules 3510 and 3520, including amendments 1-8, as published in the Federal Register, April 7, 2004. http://www.nasdr.com/pdf-text/rf02_108_app.pdf

References (2)
Special Report: WTC Tenant Relocation Summary, TenantWise, Inc., 2003. http://www.tenantwise.com/wtc_relocate.asp
*"A Desk on the 20th Floor: Survival and Sense-Making in a Trading Room," Daniel Beunza, David Stark. Working Paper Series, Center on Organizational Innovation, Columbia University. Available online at http://www.coi.columbia.edu/pdf/buenza_stark_d20.pdf
5 Habits of Highly Reliable Organizations, Keith H. Hammonds, “Fast Company Magazine,” Issue 58, May 2002, Page 124. http://www.fastcompany.com/magazine/58/chalktalk.html
*Note extensive bibliography.