THE MAGAZINE OF THE BUSINESS CONTINUITY INSTITUTE | SPRING 2018
Dawn of the drones: the latest service in the skies
Gianna Detoni FBCI, BCI Industry Personality 2017
Using insight and research in the hunt for talent
NATURAL THREATS The risk of natural threats to a company has risen three fold over the last 10 years
SPRING 2018 | ISSUE 1
REGULARS
Welcome
News
Cyber attack threats, demand for security professionals, social media concerns
What business continuity issues are keeping you awake at night?
Interaction
Opinion: Oxfam needs greater resilience
Expert View: Have your leaders got what it takes?
Tech round-up
News from: Tripwire, Sungard AS, Tintri, Neverfail, Frontier Communications and AlertMedia
BCI news
Dates for BCI regional awards, Business Continuity Awareness Week and Good Practice Guidelines 2018
Appointments
Who’s moved and where in the industry
Lightbulb moment
Scott Cave from Atlantic Business Continuity Services on Zello
FEATURES
Service in the sky
The application of drones in the arena of business continuity and resilience is only just scratching the surface. We find out how quickly the technology is moving
SPECIAL REPORT: Storm season
The 2017 hurricane season devastated large parts of the Caribbean and Southern US. What lessons were learned by businesses that were affected by the storms?
PROFILE: Gianna Detoni FBCI
President and founder of Panta Ray and winner of Industry Personality of 2017 at last year’s BCI Global Awards
The hunt for talent
Knowing where to find the next business continuity and resilience leader when your experienced head moves on is a problem
COVER PHOTO: HURRICANE IRMA BY NOAA GOES PROJECT VIA GETTY IMAGES
WELCOME JAMES MCALISTER FBCI
An evolving look for the BCI
Welcome to the new Continuity & Resilience magazine. We felt that the previous magazine had served us well over the years but as the industry is evolving at such a fast pace, the publication now needs to keep up with moving trends much quicker than ever before. The quarterly will obviously continue to feature business continuity articles but now devote more space to exploring the wider organisational resilience arena. It will still appeal to our existing membership but also offer broader topics to a new more diverse resilience community.
An inclusive and varied group of global BCI members will be encouraged to write debate-stimulating pieces; and articles with a more journalistic approach will be sought from other like-minded industry contributors to stimulate one of the institute’s primary goals of driving thought leadership. The new magazine will be formatted to entice readers to grow their knowledge and understanding by directing them to the BCI website. There, they will be inspired to view its exciting content, visit its continued professional development pages, select suitable training courses, and download our popular and ground-breaking white papers and reports. The publication will also have a modern, colourful, reader-friendly look and feel in line with the future renovation of the Institute’s overall branding, an example being the superb 2018 Good Practice Guidelines. The magazine has always been viewed by its readers as a massive benefit of BCI membership and long will this continue with the latest reiteration of the Continuity & Resilience magazine.
James McAlister FBCI Chairman, BCI
To build a resilient world
DAVID THORP
The BCI’s vision is “to build a resilient world” and with the launch of our new magazine we wanted to embed the central role business continuity plays in creating resilience. It was back in 2016 that the BCI issued its statement on the position of business continuity in the context of organisational resilience. The statement also provided the BCI’s perspective on how the development of resilience concepts may impact on the practice of business continuity (BC). We are clear that BC is not the same as organisational resilience and the effective enhancement of organisational resilience will require a collaborative effort between many management disciplines.
This list of contributory disciplines is extensive and includes inter alia emergency management, crisis management, ICT service continuity, occupational health & safety, environment protection, physical security, supply chain management, information security management and various forms of risk management (eg. credit, market, enterprise). Our focus as an organisation representing members who are, in the main, BC professionals is to recognise that no single management discipline or member association can credibly claim ‘ownership’ of organisational resilience, and organisational resilience cannot be described as a subset of another management discipline or standard. As an organisation – and we know this reflects the view of the majority of our members – we believe BC principles and practices are core requirements for an organisation seeking to develop and enhance effective resilience capabilities and the wide range of activities required to develop and enhance organisational resilience capabilities provide an opportunity for BC practitioners to broaden their skills and knowledge, building on the foundation of their BC experience and credentials. For its part the BCI, working with professional bodies in other disciplines along the resilience spectrum, with related partners and industry groups as appropriate, will develop relevant knowledge resources and training to support members who wish to advance their organisational resilience knowledge and skills. Our aim in re-launching your member magazine is to continue to give you the insights on BC you have come to expect, but also to take a cross-functional look at a broader range of perspectives that will contribute to your personal effectiveness as a BC professional.
David Thorp Executive Director, BCI
PHOTOGRAPHY: AKIN FALOPE
It’s spring in the UK – a time of renewal and refreshment. As the editor of your ‘new look’ Continuity & Resilience, I would like that same energy to resonate within the pages of this magazine, wherever in the world you are. As a truly global concern, the business continuity and resilience community consists of a number of specialists and disciplines, which collaborate to keep the private and public sectors surviving and thriving in the most testing of times. This editorial team is proud to have the privilege of working with you to deliver news and insight that will hopefully inform and enlighten you – as well as encourage conversation and debate on an international basis. In this issue, we spotlight business continuity and resilience lessons learned from last autumn’s horrific hurricanes in the US and the Caribbean and the potential of drones for keeping business and communities around the world running and ticking over. Also featured is the wonderful Gianna Detoni of Italy, winner of the BCI Global Industry Personality of the Year 2017. And we want to get to know you. Do get in touch to share your news from around the world.
DeeDee Doke Editor
CONTINUITY & RESILIENCE | SPRING 2018
GLOBAL NEWS UPDATE
Cyber attack top threat to businesses
By Colin Cottell
The possibility of cyber attack is revealed as the top threat to business, according to the Business Continuity Institute’s (BCI) seventh annual Horizon Scan report. Based on a survey of 657 organisations in 76 countries, the report, supported by BSI, found that 53% of business continuity and resilience professionals are “extremely concerned” about the possibility of a cyber attack. The possibility of a data breach, followed by an IT or telecoms outage (cited by 42% and 36% respectively), are seen as the next greatest threats. However, the report identifies a significant gap between the perceived threats and the actual causes of business disruption in the last 12 months. For example, while cyber attack is professionals’ top concern (53%), it ranks only fourth (37%) when it comes to actual disruptions. The report suggests this “might be due to the fact that cyber attacks can have a very high impact even if striking occasionally, as shown by the WannaCry ransomware campaign that managed alone to affect several organisations worldwide”. It goes on to argue that the gap between perception and reality strengthens the case “for why risk assessments should be part of a business continuity programme”. Following a year that featured many extreme weather events, such as Hurricanes Irma and Harvey, it is not surprising that almost one in five (18%) express concern about interruption to utility supplies and severe weather.
Key conclusions
Large-scale cyber attacks taking place in the past 12 months, as well as the increasing number of internet-connected devices, reaffirm the need to build cyber-resilient organisations. Workplace recovery plans can help organisations be more prepared towards physical security critical events, making staff safer and operations less vulnerable. Regulatory issues such as the GDPR (General Data Protection Regulation) are a growing threat, and heighten the need for sound horizon scanning analysis to help business continuity professionals understand the threat landscape ahead. The threat of a global pandemic is perceived to be a long-term issue. However, with the number of new diseases per decade increasing nearly fourfold in the last 60 years, the risk is that business continuity professionals are underestimating this threat. Increased uptake of ISO22301 (Business Continuity Management) and investment in BCM programmes suggest that business continuity is being taken increasingly seriously by organisations.
of German firms are likely to involve their boards in the strategy-setting process for cyber-security readiness
of business continuity and resilience professionals are ‘extremely concerned’ about the possibility of a cyber attack
53% 25% of organisations say they plan to increase investment in business continuity programmes in 2018, compared to 52% who say investment levels will remain the same as in 2017; 11% say they expect to see a cut in investment.
have been adapting business continuity management for longer than five years, compared with 22% between two and three years, and 10% for one year.
VISIT THE WEBSITE FOR MORE NEWS: WWW.BCI.ORG.UK
70% of UK employees believe they are underprepared for their company’s digital journey ahead, finds a recent Sungard AS survey
Social media’s scarier business risks
By DeeDee Doke
A known target for rogue employees and criminal hackers, social media can look like a portal to peril, so should businesses continue to use it? ‘Yes’ is the answer from Ross Thomson, principal consultant of cyber security firm Amethyst Risk – but with some caveats. “The threat can come from many quarters,” said Thomson. Some of the scarier security risks for businesses include the posting of inappropriate content that leads to reputational damage or even legal corporate liability. Hackers can hijack accounts, and social media is a way that identity thieves can swot up on their victims. For example, employees who hold a top-secret security clearance and work at a nuclear weapons facility should not post about it on social media. First, suggested Thomson, take stock of the vulnerabilities. For instance, a business’s social media channels may have insufficient privacy settings in place. That may also be true of key individuals within the business, for example your directors’ personal LinkedIn, Facebook or Twitter profiles. “Use strong passwords,” Thomson suggested. He then outlined six further areas for attention:
Control access: make it clear who can use social media at work and especially who has access to the organisation’s social media channels
Policy: have an “acceptable use” policy so employees know for what purposes they can use social media at work, and what would be unacceptable
Content: control publication of content on your social media channels – ensure the marketing team are properly trained to create your social media output and manage your social media channels
Privacy: review privacy settings across your business’s social media profiles and pages
Train people: ensure everyone is aware of the dangers
Have good IT hygiene: make sure Windows or other operating systems are up to date, install security patches for your OS and third-party applications such as Adobe and Java.
TECHNOLOGY
UK employees feel lost on digital journey
By DeeDee Doke
Around 70% of UK employees believe they are underprepared for their company’s digital journey ahead – a situation that could pose serious business risks for upcoming challenges such as Brexit and the soon-to-be implemented General Data Protection Regulation (GDPR), according to new research by Sungard Availability Services. The Digital Compass research also found that only 32% of employees polled feel like they are being kept up to date with their employer’s digital roadmap. When asked about their understanding of the changes that will come into force as a result of the GDPR, only 3% of employees said they understand completely, while another 50% said they do not understand at all. “Considering that employees are often the weak link in an organisation’s security chain, this lack of understanding about their roles and responsibilities when it comes to security compliance should serve as a wake-up call to businesses,” a Sungard AS statement said. Conducted by technology market research firm Opinium on Sungard AS’s behalf, the research involved interviews last October with 300 employees in middle management positions and below, 150 ICT decision makers and 150 line of business decision makers, all in companies of 500+ employees in the UK.
Weathering the storm
Responding to the recent mud slides that hit California in January, Santa Barbara Cottage Hospital set up an Incident Command Centre (ICC), implementing a mass casualty protocol as rescues and medical evacuations took place. As a result of the ICC, critical staff were able to get to the hospital and be housed until they could return home again.
Closely monitoring storm guidance reports, ensuring employees kept in contact with management, plus having a dedicated business continuity site were just some of the ways investment management business Eaton Vance kept operational during January’s snow bomb cyclone, which hit Boston and many states of the US.
UK and US firms top the cyber-ready charts
By DeeDee Doke
UK and US organisations have emerged as the most cyber-ready in a study of more than 4,100 organisations across five countries. The second Hiscox Cyber Readiness Report, conducted by Forrester Consulting, covers private and public sectors in the UK, USA, Germany, the Netherlands and Spain. Among other findings the report, released in February, revealed:
Some 30% of US respondents rank as cyber security experts. Nearly half (45%) of the respondents have a formal cyber security strategy and 67% consistently deploy anti-virus or anti-spyware technologies
UK firms have the largest average IT budgets of $13.14m, with 10.5% of that amount devoted to cyber security
64% of German firms are likely to involve their boards in the strategy-setting process but only 38% have a formal cyber security strategy
82% of Dutch organisations rank as cyber security novices, and 47% of organisations will have suffered at least three cyber attacks in the last year
Spanish organisations devote 11% of their IT budgets – the largest average among the five countries – to cyber security, with 67% of Spanish organisations having made changes after a cyber attack. Of the five countries, Spain is the most heavily targeted, with 57% reporting one or more cyber attacks in the past year.
$2.5m: The amount the average cyber expert organisation spends a year on cyber defence
$980k: The amount the average cyber novice organisation spends a year on cyber defence
Countries with the highest and lowest average costs of organisations’ largest cyber incidents in the last 12 months:
Germany has the highest: $11,918 for companies of 249 or fewer employees
The USA has the lowest: $4,883 for companies of 249 or fewer employees
Workshop aims to strengthen Pacific Island resilience
More than 35 businesses attended a two-day business continuity workshop in Fiji at the end of January. The Training of Trainers course, in Fiji’s capital Suva, was part of the US Agency for International Development’s Ready project, which aims to strengthen the environmental and disaster resilience of Pacific Island countries.
Games hack
The organisers of the Pyeongchang Winter Olympics issued an apology after admitting the Games had fallen victim to a cyber attack during its opening ceremony. The hack affected some systems, including the internet and TV services, but organisers said it had not compromised any critical part of the Games’ operations.
CYBER HACKING
2017: the rise of security professionals
By Graham Simons
High profile hacks may have made 2017 the year of the hacker but have also intensified demand for cyber security professionals. In 2017, a number of larger organisations across the globe were hit by hackers. The CIA fell victim to a cyber hack resulting in confidential documents appearing on Wikileaks; cyber security practices at professional services firm Deloitte gave way to a breach compromising the company’s internal email system; and even the NHS was struck by WannaCry Ransomware, preventing workers from accessing their computers and delaying vital medical procedures. Organisations have responded, with research from global recruiter Robert Walters’ 2018 Salary Survey showing IT professionals specialising in cyber security are set to enjoy salary increases of 7% in the next year. Explaining the reasons for this salary growth, Ahsan Iqbal, director of technology and business transformation at Robert Walters, told Continuity & Resilience magazine that businesses’ concerns around being hit by hackers are fuelling demand for cyber security experts. “A lot of this is being driven around social media and hacks that have taken place. Companies have been hit over the last year – even longer than that. This is an area where a lot of organisations, obviously linked to GDPR [General Data Protection Regulation] as well, are looking at their security and more specifically their security around internet, social media and digital channels.” The GDPR legislation is also creating demand for these professionals, Iqbal says: “Businesses have been reactive in terms of recruiting not just cyber security, but data protection officers as well. We’ve seen a massive hike in that – that’s to do with the GDPR, the data piece – so it’s all linked in certain ways.”
Putin Twitter campaign hijacked by loud critics
By Graham Simons
A crisis communications expert’s advice to businesses caught out by online critics seizing upon hashtags in social media campaigns is to “shout louder”. The advice follows the example of a pro-Vladimir Putin campaign hijacked by critics of the Russian president. The BBC reports that a hashtag, which translates as #RussiaNeedsPutin, began as a choreographed political campaign by accounts linked to the ruling United Russia party ahead of the presidential election this year. The campaign contained tweets praising Putin’s ability to unite the country and his role in guiding Russia through the turbulent post-cold war years. However, the president’s critics used the hashtag to highlight issues facing the country and the restriction of political freedoms within it. One critic wrote: “Russia needs roads, education, medicine, to fight against corruption … freedom of enterprise and free media. This is what Russia needs and not Putin.” When asked what businesses should do when confronted by similar circumstances, Chris Gilmour, crisis director at integrated comms agency Beattie, told Continuity & Resilience that businesses face one of two options. “If you transpose this scenario to the world of business, we’d normally look at what the client’s objectives are and take one of two available options – shout louder than your critics or completely ignore them. My preference, in all but the most extreme circumstances, is usually the latter as no one likes a stand-up fight in public. “But in Putin’s shoes, my advice would be to shout louder. The critics will still be vociferous, but his supporters will be equally strident.”
DEBATE
THE BIG QUESTION
What business continuity issues are keeping you up at night?
PHOTOGRAPHY: ALAMY
ANDREW VINCENT
BC – the elephant in the room
For many organisations, business continuity can be a bit of an elephant in the room. A challenge so big that you can never quite work out where to begin. It’s enough to give anyone sleepless nights. Business continuity can easily assume elephantine proportions because it covers so many important and often urgent areas. Crisis management, risk management, cyber-attack, terrorism, duty of care, business impact assessment, incident management, emergency management, issues management, Twitter storm... the list goes on and on. The terminology alone can be terrifying. And of course fear can lead to paralysis. Business continuity topics naturally gravitate to the ‘too hard’ filing tray – and all too often nothing gets done until a crisis hits. This is always a risk when organisations can’t see the strategic benefit of continuity and business resilience. Why pay for something that you may never use? This mindset usually persists only until experiencing the disruption, pain and of course costs arising from a serious adverse event. Knee-jerk responses are not enough. Continuity and resilience deserve a strategic commitment with top management investing cultural, personal and financial backing. But it’s easier to secure such an investment when continuity and resilience functions can emphasise and market their value in a different way. Yes, of course, we’re here for the nasty things in life: we can help prevent business interruptions, incidents or crises from happening in the first place. But we’re also here to help create more resilient organisations: safer, more efficient, less vulnerable, more sustainable places to work. And better equipped to cope with change. People, process, culture and awareness are the foundations of improved business resilience and continuity. Knowing they’re in place is the recipe for sweeter dreams.
Andrew Vincent, associate partner in the business resilience team at Instinctif Partners, UK
COLIN LOBLEY
A national infrastructure failure
My answer for what keeps me up at night (other than my kids and too many emails!) is a systemic failure of the critical national infrastructure, stemming from a successful cyber-attack. Critical national infrastructure is exceptionally interdependent the world over, so an attack on one is an attack on it all. Many economists and futurists out there would state that it’s a matter of when, not if, an attack of this nature might happen.
Working in the world of cyber security and getting to know the needs of organisations across all sectors, the focus is more on what can we do about it or how we work to prevent these attacks. The whole cyber security industry needs to mature – this involves a better sharing society where we openly work together for the ‘greater good’. That’s why many organisations support what we are doing at Cyber Security Challenge UK. This also helps to create a thriving cyber security profession, which has as much recognition as more traditional careers (lawyers, doctors, engineers) and helps to overcome the critical skills gap we can see in the marketplace right now. A future generation of cyber defenders can help us all rest easier in years to come.
Colin Lobley, CEO, Cyber Security Challenge UK
CHRISTOPHER HORNE FBCI
Planning and change concerns
Overall resiliency, cyber security and the approach that is taken for planning continues to be prominent in industry discussions. There are two areas that always keep me awake at night, which can be applied to any industry in both the private and public sectors. The first area is a general concern any time the planning focus becomes too scenario-based before basic response strategies are in place to address disruptions and outages caused by the loss of sites, technology, disruptions to the workforce and supply chain. Often too much focus is initially placed on the cause of incidents rather than their impact and the effectiveness of available strategies to respond to these four scenarios. The second area is a newer concern in relation to how operating environments are rapidly changing due to automation, AI, robotics and blockchain. Their introduction and increasing use represent material changes to processing and require significant consideration. To be effective and efficient, Business Continuity Management Systems (BCMS) and programs need to be involved early as organisations contemplate and introduce new technology and planning requirements. Tactically, operations are rapidly changing and we need to keep pace. The need to perform risk assessments, identify requirements, select/validate strategies, document plans and train employees remains, but the time available to complete the planning cycle continues to shorten. Ask yourself: are your programs adapting quickly enough? Strategically, we need to be looking at the changing environment and evaluate what it means for planning in the future. The workforce in traditional roles is reducing as manual processing automates. Planners are losing access to experienced employees who have in the past supported planning and were available to provide support during outages. In their absence, access to meaningful live data to identify processes and their dependencies becomes essential. As these advancements continue, are you prepared?
Christopher Horne, assistant vice president, business continuity management and disaster recovery, Great-West Lifeco, Canada
OPINION
PETER POWER HON FBCI
Oxfam needs greater resilience
Last year the UK-founded international charity Oxfam helped 2m people to get clean drinking water and directly improved the lives of 850,000 others struggling with climate change. This year the news from Oxfam, which now has its global secretariat in Kenya, is slightly different: it is begging for forgiveness after holding Caligula-style orgies in earthquake-torn Haiti seven years ago (and maybe in other disaster regions since then?). Does this demonstrate monumental indifference to the wellbeing of the very people Oxfam was supposed to be helping, or has it primarily revealed blatant hypocrisy and appalling management, quite apart from exploiting vulnerable women? One way or another, this is a major crisis for Oxfam, and that, I suggest, is where the solution exists; it's a case of crisis management more than business continuity as the ingredients of this catastrophe are so different from a supply chain failure, fire or weather disaster. As in all such cases when a crisis erupts it starts with surprise, then confusion and ultimately reputation sliding away. But maybe this is a bit different as Oxfam spends money from individual and government donations. Already UK International Development Secretary Penny Mordaunt has threatened to cut off funding if Oxfam fails to sort itself out. That's why nearly a week after the story erupted, Oxfam International Executive Director Winnie Byanyima eventually said: “What happened in Haiti and afterwards is a stain on Oxfam that will shame us for years, and rightly so. From the bottom of my heart I am asking for forgiveness.” But just forgiveness won't do it. Fundamentally it’s about the resilience of Oxfam to learn, adapt and recover, not just for its own sake. What really makes me angry is not so much the fate of Oxfam, but the thousands of dedicated workers more concerned with objectives than orgies and the destiny of over 2,850,000 people who need them. Oxfam will recover and lessons would have been learned as a result, but what will be the destiny of these people, especially if donations go the same way as where Oxfam’s reputation is now heading? If they haven't read UK BS Standard 11200 (guidance on crisis management) by now, they should. Oxfam needs to rapidly jump from slow time to quick reactions to not only save its own skin, but the lives of millions of desperate people who depend on the organisation. Oxfam needs morally competent managers and ultimately, much greater resilience.
Peter Power FIRM FBCI is MD of www.visorconsultants.com / peter.power@visorconsultants.com and an author of BS 11200. He is past chairman of the World Conference on Disaster Management and is an international speaker on such topics.
THIS MONTH’S BEST TWEETS TWITTER @THEBCEYE
Lee O’Sullivan @VentaRisk Feb 10 “Technology is fundamental to business, so it is not a surprise that cyber-attacks, data breaches and unplanned IT outages remain the top threats to business according to research released by the BSI and the Business Continuity Institute.” lnkd.in/eV57EUp
The BCI Chennai Forum @bcichennai Feb 9 Seventh edition of the BCI Horizon Scan Report 2018 presents what the main threats are to organizations www.thebci.org/resource/horizonscan-report-2018.html
Nikki Patel @NikkiPatel Feb 8 #DIGIOFE “attackers are always ahead of defenders” says @AbedGraham on the importance of business continuity plans and ensuring sufficient cybersecurity in the NHS
Cape Town-South Africa Water Crisis by @bridgetti @CPTWaterCrisis Feb 3 Whilst this may be a “fun” experience at home, business needs to seriously take stock of their water resilience plan and how they will implement it. Running a business on 50 litres is almost impossible, so what is your plan?
EXPERT VIEW CAROLINE SAPRIEL
P OW E R P O I N TS
Crisis leadership skills
Crisis leadership: have your leaders got what it takes?
Organisational steering in times of crisis
Make sense of the crisis
Craft a mission statement
Map the stakeholders
Plan for the worst-case scenario
Exercise emotional intelligence and empathy
A crisis typically involves both limited information and limited time to make decisions. The stakes are extremely high with multiple levels of potential impact that include human life, environmental damage, public and media scrutiny, the ability to carry on doing business and share price. Many leaders believe that their tenure at the top of major international organisations is sufficient preparation for a business crisis. This is simply untrue. Very few individuals are born with the ability to manage crises. Because real crises are rare, executives often only find out whether they are true crisis leaders when a crisis strikes. This is a gamble no organisation can afford to take. Businesses that have suffered a serious crisis face an uphill battle toward recovery. Without the leadership of experienced individuals who know how to steer their organisations through crises, such recoveries can be impossible. In the face of an acute crisis with reputation meltdown potential, strong crisis leadership will make all the difference and must be at the core of crisis preparedness and resilience. In a crisis, leaders must be present, visible and consulted on critical subjects, while remaining one step removed from implementing action plans. This helps them retain a strategic overview of the situation. Beyond the hardware of mature crisis readiness – plans, procedures, resources, tools and equipment – a critical but less tangible aspect is the actual ability of the executive team to lead through a crisis. And to be effective, crisis teams need crisis leaders. So what sort of competencies do leaders need to possess to anticipate, manage crises and help their organisation recover from them? Crisis leadership consists mainly of ‘soft’ skills such as situational analysis, sense-making, decision-making, assertiveness and communication, stakeholder mapping, empathy and emotional intelligence, to name a few. Fundamentally, crisis leadership rests on the right corporate values and principles. The organisation should live and breathe these values on a day-to-day basis and work hard to protect and sustain them through good and bad times and before, during and after a crisis. An organisation that values and protects transparency, honesty and integrity during a crisis will be able to retain stakeholder trust and possibly emerge from the crisis stronger than before. With practice and dedication, almost any executive can learn the crisis leadership skills that he or she will need to steer their organisation through crises, sustain credibility and overcome adversity. A business leader with solid training in crisis leadership is an asset that no organisation can do without.
Caroline Sapriel is founder and managing partner of CS&A International, a leading expert firm in risk, crisis and business continuity globally.
Organisational steering in times of crisis: In addition to being assertive and calm, leaders must possess critical crisis-specific skills to successfully steer an organisation through a crisis and towards recovery.
Make sense of the crisis: Leaders must demonstrate the ability to make sense of the situation, analyse information and assess possible impact, to act effectively and provide purpose to those affected by it. A failure to understand the anatomy of a crisis will seriously impair recovery efforts.
Craft a mission statement: To emerge from a crisis with minimal adverse effects, a business leader must craft a strong mission statement for his organisation at the onset of the crisis.
Map the stakeholders: Executives must understand who has been affected by a crisis and how they should be addressed. Stakeholders may be employees, consumers, stockholders or other organisations.
Plan for the worst-case scenario: This involves looking at a given crisis situation and developing a series of escalation factors that may arise from it. Defining the worst-case scenario allows leaders to create a plan of action that will hold up during the toughest of times.
Exercise emotional intelligence and empathy: The ability to perceive, assess and take into account the emotions and feelings of one’s self, of others and of stakeholder groups when making decisions and communicating.
TECH ROUND UP
Best new tech this month
Frontier partners to simplify back-up and recovery
Frontier Communications’ Total360 Business Continuity & Disaster Recovery Service aims to simplify the back-up and recovery process when an organisation faces a disaster or ransomware attack – it converts data directly from servers into virtual machine-readable files. These are then recovered from a web interface or virtual machine monitor. Frontier, which provides communication services throughout the US, has partnered with data protection technology specialist Datto to deliver the newly-launched service. www.frontier.com
Cloud platform and service firms combine for DRaaS
Cloud platform provider Tintri and cloud IT service provider Neverfail have joined forces to develop a disaster recovery-as-a-service (DRaaS) platform. It incorporates the Tintri T5000 virtual machine storage system in Neverfail’s data centre, replicating the customer’s own Tintri storage device. Data can be easily and quickly restored over a private cloud in case of disaster or emergency. The as-a-service approach aims to reduce purchasing and managing on-site DR solutions. Both companies claim that their shared customers can reduce capital spend by up to 10 times, as well as significantly reduce the ongoing costs of maintenance and managing DR infrastructures. www.tintri.com
BEST NEW TECH: Alerting the right people at the right time – in one place
Event Pages from AlertMedia aims to instantly link staff to critical information about an incident via a dedicated web page. It is designed to help organisations better manage the lifecycle of an emergency by streamlining and centralising communications rather than sending individual status updates. Documents such as action plans, videos, photographs and paths to resolution can be shared on the page. Employees are alerted to new information via an SMS text, app push notification, email or voice message. The Event Pages feature is the newest addition to AlertMedia’s communications platform whose users include major enterprises such as DHL and AT&T. www.alertmedia.com
Cyber resilience for industrial control
Security and compliance systems provider Tripwire has introduced the ICS Cyber Resiliency Suite, designed to help those operating in industries such as utilities and manufacturing build more security and resilience into their operating environments. Purpose built for industrial control systems (ICS), it allows industrial operators to gain a better understanding of cyber risks, as well as the insight needed to effectively monitor their attack surface. Capabilities include: asset discovery; continuous change monitoring and incident detection; device and system log data collection and event correlation; a ‘no-touch’ approach security assessment for ICS and industrial devices; vulnerability assessment; and industrial dashboards. www.tripwire.com
Mobile app offers recovery assurance
Sungard Availability Services has launched the Act with Assurance mobile app, which co-ordinates with its Assurance software platform to provide a more interactive and efficient way to manage business continuity. It provides real-time messaging capabilities at critical times, and delivers individualised playbooks to a recovery team for test exercises or an actual event, direct to mobile devices. Incident co-ordinators can assign tasks and monitor progress while those responding can see customised task lists and provide updates by tapping their smartphone screen. www.sungardas.com/en-GB
In public perception, drones have made the seismic leap from being seen as something secretive used by the military to off-the-shelf products and even toys that can be bought from the likes of Amazon. Unmanned aerial vehicles (UAVs) have also proven themselves invaluable in the area of humanitarian aid, transporting medical or emergency supplies. Many industries and sectors are starting to explore how drone technology can play a part in their lives, and it isn’t difficult to see how it could be applied in business continuity, whether it’s needed following a disaster or to help serve businesses in remote locations. And drones aren’t just about delivering supplies but can also restore network connectivity, help with remote monitoring of major assets, map and pinpoint areas where help is needed and, more proactively, can play a significant part in resilience planning.
EYES IN THE SKY
The application of drones in the area of business continuity is only just scratching the surface, as Sue Weekes discovers BY SUE WEEKES
It is early days though and while the drone technology is well developed, governance and regulatory frameworks, coupled with safety issues, still pose challenges. Every nation is responsible for its own skies so integrating drones in the airspace means dealing with national civil aviation authorities. According to Barry Koperberg, a business consultant based in the Netherlands and general manager of the humanitarian Wings for Aid drone project, these issues are being addressed by a number of parties including the International Civil Aviation Organisation. And he adds that ‘corridors’, designated areas for drones to be tested safely, are also being established. “Things are moving quickly now,” he says. “We expect good progress to have been made by 2019.” Indeed, the Northeast UAS (Unmanned Aerial Systems) Airspace Integration Research Alliance activated the USA’s first corridor at Griffiss International Airport in New York last September. Meanwhile, last June, the Government of Malawi and children’s charity UNICEF opened a drone-testing corridor in Kasungu in the country’s central region. It is the first of its kind in Africa and allows ‘beyond visual line of sight’ (BVLOS) testing (where the drone goes out of sight of the remote operator) in a territory of over 5,000sq metres and up to 400m above ground level.
Business benefits
While his focus is humanitarian aid, Koperberg believes that the exploration work taking place by organisations such as UNICEF has a direct relevance for the business world. Wings for Aid aims to use drone technology in the humanitarian aid chain typically to bridge the ‘last mile’ in remote or hard-to-reach areas and has developed a cargo drone that can travel up to 250km. The aim is to put in place a hub-and-spoke system that can deliver goods to remote villages and communities. “This aims to bring personal and societal benefits but a business could have exactly the same system for delivery of spare parts. After all, not everything can be 3D-printed,” he says, adding that drones are potentially a “cargo internet” in the air. Shipping company Maersk already uses drones to deliver urgent parcels to its vessels and more organisations with similar locational challenges are likely to follow suit. The International Air Transport Association (IATA) began exploring drone technology as a threat to aviation but recognised its applications for delivering cargo in the future. Céline Hourcade, head of cargo transformation at IATA, explains the aviation industry does everything in a standardised way, such as tagging baggage with its origin and destination, but such standards don’t yet exist for drones. “IATA foresees a need to put standards in place for the use of drones to integrate and facilitate the new branch of aviation,” she says. Hourcade believes it will be drones with payloads of up to 10kg and up to 200kg that will be of most interest to the business continuity community. “They can open up routes that cannot be served by traditional aircraft because the aircraft is too big or the infrastructure needed for a traditional aircraft is too costly,” she says.
With the vast majority of firms relying on the internet to function, the drone’s ability to restore connectivity is a huge positive for the business community
Restoring connections
While getting supplies quickly is vital, with the vast majority of business functions relying on the internet the drone’s ability to restore connectivity is likely to be one of its unique selling points to the business continuity community in the long run. Currently, tech and telecoms companies are exploring a number of options to enable this, including the use of the high-speed wireless standard LTE (long-term evolution). AT&T used a drone equipped with LTE technology to reconnect residents in Puerto Rico across an area of 40sq miles after Hurricane Maria last year. This is only a temporary fix since connectivity is determined by how long the drone can stay in the air. A number of big names such as Facebook and Google’s parent company Alphabet with its Project Loon are trying to find ways of providing connectivity in hard-to-reach places for longer lengths of time; similar technologies could one day be applied in disaster recovery. Facebook completed the first full-scale test flight of its high-altitude and solar-powered unmanned craft, Aquila, last year. Aquila can beam connectivity down from an altitude of more than 60,000ft using laser communications and millimetre wave systems. Facebook’s Connectivity Lab claims it can fly for up to three months at a time. Meanwhile, last year mobile operator EE showcased drone and balloon air masts that would aim to keep UK communities online in the wake of disasters such as major flooding.
Drones can be used to remotely monitor hard-to-access assets across a number of industries
High-rise feedback
The ability to feed back high-quality imagery and data from the site of an incident also makes drones an extremely empowering technology for business continuity, especially when it comes to pinpointing and mapping problem areas. A number of cloud-based applications are available to enable data transfer in real-time but some of the heavyweight solutions designed primarily for first responders and emergency agencies may also cascade their way down in the future. For example, at the United Arab Emirates Drones for Good event last year, Nokia demonstrated its rapidly deployable 4G Ultra Compact Network, which provides a standalone LTE network to quickly re-establish connectivity to mission-critical applications after a disaster, including video-equipped drones. The drones can stream video and other sensor data in real-time from the disaster site to a control centre, providing inputs such as exact locations and the nature of difficulty of reaching that location. Increasingly, drones are also likely to be used to remotely monitor assets across a number of industries, such as oil & gas. Last year IBM entered into an agreement to bring its Watson Internet of Things (IoT) technology to Dutch company Aerialtronics’ unmanned aircraft systems, which offer high-quality inspection services for global organisations across multiple industries, from monitoring city patterns to inspecting wind turbines and oil rigs. Rather than send personnel in to climb towers for inspection purposes and report the findings back, teams can deploy Aerialtronics’ drones from the ground and, through high-definition cameras and Watson’s visual recognition application programming interfaces (APIs), can immediately gain a complete 360-deg high resolution overview. Watson will use its artificial intelligence (AI) capabilities to understand what it is seeing and because it learns over time, can help teams determine when repairs should be made. IBM claims this will increase the number of inspections that can be carried out as well as reduce human error and maintain the safety of workers.
There is a new dawn for drones in the field of business continuity and resilience
PHOTOGRAPHY: GETTY
Bird’s-eye information
Kate Treen of Sky Revolutions, which uses drones for aerial surveying, says that for businesses with structural assets such as powerlines, turbines and other infrastructure in hard-to-reach places, drones could be extremely valuable for predictive maintenance and ensuring business continuity plans are up-to-date by regularly collecting data. “An incident will impact more badly if business continuity planning updates for these assets have not been frequent or effective,” she says, adding that she sometimes observes a disconnect between the facilities management function, which is deploying the drones, and business continuity. “Facilities management are getting fast, accurate data but aren’t feeding it back into business continuity. It is understandable as the main purpose for them is to take action and make repairs but distributing the data to the business continuity function will help make plans far more robust.” Treen would also like to see drone technology used in testing live continuity planning exercises. “They can give a bird’s-eye view of the exercise to more effectively test how robust the plan is,” she says. While exploration of drone technology in business continuity and resilience is in its initial phase, there is no doubt that UAVs are emerging as an extremely valuable tool that can be used across a number of different areas. Drones are likely to become even more powerful when combined with other technologies such as artificial intelligence, IoT and LTE. Indeed, there may yet be applications for continuity and resilience that haven’t yet been identified, so now is the time to start exploring their use.
HANDLING THE SPECIAL REPORT BY COLIN COTTELL
The 2017 hurricane season devastated large parts of the Caribbean and Southern US, affecting the majority of businesses in the area. Colin Cottell investigates the lessons learned by some of the organisations who carried on in the aftermath
For business continuity and resilience professionals, the 2017 hurricane season in the Western Hemisphere will long stand out for its ferocity, even within a region where these maelstroms are not irregular occurrences. Hurricane Irma, which made landfall at the Florida Keys on 10 September as a Category 4 hurricane, was one of only five hurricanes that have ever reached maximum sustained wind speeds of 185mph or greater. In the Caribbean, the island of Barbuda was virtually flattened. In late September, Hurricane Maria became the first Category 5 hurricane on record to strike the island of Dominica, before going on to wreak destruction in Puerto Rico. Hurricane Irma caused damage estimated at $64.66bn (£46.57bn) in Florida alone. Bob Myhre, whose responsibilities include business continuity in his role as state director at SBDC Florida Network, a government-supported agency that supports and advises small businesses, says the areas designated as a disaster area covered 93% of all small businesses in the state. Although figures on business closures are patchy, official figures indicated that unemployment in Florida rose by 127,000 in September, primarily as a result of Hurricane Irma. Across large parts of the Caribbean, conditions were equally dire, says Bob Turnbull, co-founder of business continuity planning consultants R & J Turnbull, based in Barbados. While Barbados missed the worst of Hurricane Irma, Turnbull says that in Dominica, Barbuda, Turks & Caicos, Anguilla, the Bahamas and parts of the Dominican Republic, “lots of small business just died”. He adds: “They will never recover.” Business continuity professionals say that a common theme to emerge from last year’s hurricane season was the importance to businesses of being able to continue to communicate effectively.
With entire populations on the move, the ability for businesses to continue to function proved nigh on impossible as a mandatory evacuation took hold
For many businesses in the Florida Keys area, where there was a mandatory evacuation of the population, Myhre says
TIMELINE: 2017 HURRICANE SEASON
AUG 25: Hurricane Harvey hits Texas
Hurricane Irma - winds reach speeds of over 160 mph
Hurricane Jose intensifies to Category 4
Hurricane Katia – highest wind speed reached 105mph
Hurricane Irma makes landfall as a Category 4 Hurricane at Cudjoe Key, Florida
Hurricane Irma transitions to post-tropical cyclone
Hurricane Maria strengthens into a Category 5 hurricane 15 miles East South-East of Dominica
Hurricane Maria devastated Puerto Rico
LESSONS FROM 2017’s HURRICANE SEASON
Keep employee contact information up to date.
Educate employees that it is important to inform you when their details change.
Adopt a ‘belt and braces’ approach by having several communication channels either as back-up and/or running in parallel.
Test your communications tools, plans and procedures regularly.
The importance of having access to power cannot be overestimated. Consider having your own generator.
Use modern technology channels, such as WhatsApp and other messaging services.
PHOTOGRAPHY: GETTY
As power and communication cables were torn down, back-up power generators were an essential item to keep businesses open
the inability of businesses to communicate with their employees was effectively a death sentence: “A lot of the typical workforce housing, trailers and other homes was utterly destroyed, their employers didn’t know how to contact them so they were left without a workforce. This left them with the option of closing their business for a period or of closing it completely.” Turnbull says the situation for businesses across large parts of the Caribbean was equally bad. He explains that it was only through a special communications link between the US Coast Guard and the Department of Emergency Management that businesses in Barbados “were able to get in touch with their key personnel [on the worst affected islands], who were able to
ferry back what the damage to the business infrastructure was, and whether they would be able to continue business”. “In most cases,” Turnbull continues, “the answer was ‘no’ because they had no generators and the electricity was wiped out and the communications towers were all down.” This situation was so dire that even the main airport, Dominica St Maarten Airport, took three weeks to reopen. Scott Cave is principal at Atlantic Business Continuity Services, based in Summerville, South Carolina, where a state of emergency was declared as Hurricane Irma approached. One thing Cave says he found “over and over again” was that many organisations failed to implement the most basic annual preparations for their crisis communications plans.
Other modern technology such as automated call trees can also be invaluable in getting messages out effectively.
Use social media such as Facebook – this can be a great source of information.
Make use of your organisation’s network to transfer responsibility for communications away from the affected area.
Appoint a communications crisis team, but make sure they have the means to communicate effectively.
CLOSED FOR BUSINESS?
How many businesses closed temporarily and permanently as a result of last year’s hurricane season? The evidence on business closures is patchy. While there is much anecdotal evidence, perhaps the most reliable indicator is that unemployment rose by 127,000 in the state of Florida in September, most of which has been attributed to Hurricane Irma. In Puerto Rico, the Centro Unido de Detallistas (United Centre of Retailers), a non-profit advocacy group for small business, estimated that around 45,000 SMEs closed temporarily, of which between 5,000 and 10,000 will never reopen.
In the eye of the storm: Hurricane Matthew caused catastrophic damage and a humanitarian crisis in Haiti in September 2016
According to Cave this included not carrying out the seemingly simple task of keeping their employees’ contact information up to date. “Most organisations found themselves just a few days before the storm trying to quickly update their employees’ contact information,” says Cave. Inaccurate or incomplete employee information had a serious cascading effect on businesses. Not only did it mean that staff didn’t receive the information they needed, such as when to return to work; it also reduced the effectiveness of the business recovery operation. Myhre, who took over responsibility for SBDC’s business continuity just two weeks before Irma struck, admits he was “scrambling as Irma was starting to threaten the state to make sure our employee profile information, both work and home contact information, was up to date”. As Hurricane Irma swept through the region, other flaws in organisations’ crisis communications plans were revealed. According to Bob Alsan, business continuity director at Ultimate Software, headquartered in Weston, Florida, the strength of the wind brought down many mobile phone towers. “So with many organisations having only one mobile vendor, when that vendor’s tower went down they were left without communication,” Alsan explains.
And even where towers remained up, Cave adds, widespread power outages resulting in the loss of the internet meant that the pressure on the mobile phone network was simply too much for it to bear. Avoiding reliance on mobile phones is one of the big lessons reinforced by Irma, says Ron Magill, communications director at Zoo Miami. Magill learned from the bitter experience of Hurricane Andrew, a Category 5 hurricane that struck Florida in 1992, that landlines still have their place. When the zoo was destroyed in August 1992, landlines were the only form of communication that worked. “The landline was really a lifeline,” he says. “You can’t communicate in too many different ways. Our staff receives information via email, phone and by radio. We use duplicate and triple levels of back-up to ensure the message gets through.” Turnbull agrees, suggesting these could include satellite phones and CB radio. Other business continuity professionals suggest apps such as WhatsApp have a valuable role to play. Following Irma, Myhre says he intends to update his organisation’s
CATEGORISING HURRICANES
CATEGORY 1: Winds moving at speeds 74 to 95 mph (119 to 153 km/h) – very dangerous winds will produce some damage
CATEGORY 2: 96 to 110 mph (154 to 177 km/h) – extremely dangerous winds will cause extensive damage
CATEGORY 3: 111-129 mph (178 to 208 km/h) – devastating damage will occur
CATEGORY 4: 130 to 156 mph (209 to 251 km/h) – catastrophic damage will occur
CATEGORY 5: 157 mph or higher (252 km/h or higher) – catastrophic damage will occur
Source: US National Oceanic & Atmospheric Administration
crisis communications plan to include both apps and social media such as Facebook. Banks, credit unions and radio stations are some of the best-prepared businesses in the Caribbean, says Turnbull. Examples of such preparations included two generators, wireless communication, landline communication and a hotline set up with their telecoms provider, based in the telecom company’s hurricane-proof bunker “so they can communicate out”. Unfortunately, with dire economic conditions in the Caribbean, too few organisations are willing to make the investment, even in a business continuity plan, Turnbull says. Another lesson reinforced by Irma, says Magill, is the importance of maintaining power. The zoo now has its own generators for everything. “This enabled employees to continue to communicate by email during Irma – albeit periodically,” he says. To augment this, the zoo has invested in powerful radios of the type used by the police. These are pre-charged, with spare batteries, and are allocated to staff in the zoo’s different departments. As well as highlighting the necessity of having multiple ways of communicating, business continuity professionals say the 2017 hurricane season focused minds on the need for business to test their communication plans and procedures. Cave says this was brought home to him when one client discovered that failure to test their satellite phones for a year meant that when the storm hit “they had forgotten how to use them, and had trouble figuring out how to make a call”. The value of doing exercises “is that this is when people really challenge the assumptions being made – for example, assuming that a supplier will respond by doing X”, says David Teed, who runs Teed, a global business continuity consultancy, and who advised companies in the region before and during last year’s hurricane season. Exercises act as a trigger “to actually clarify what their recovery plan response is going to be”, Teed says. At the same time, Teed points out, it is important to realise that in situations where employees, their homes and communities are in peril, “the business is not necessarily their highest priority”. So although it is sensible to allocate tasks locally to facilitate communications, when the organisation is large enough it could be a good idea to transfer those responsibilities to its offices outside the affected area. However, this will mean training up people so they are ready to step in. Following the devastation of 2017, it’s a lesson, among many others, that businesses in hurricane-affected areas would do well to heed.
Businesses in Florida have to be prepared as it is one of the first places for hurricanes from the Southern Atlantic to make landfall
CASE STUDY
FRANK KANE, SUNDOG SOFTWARE
The experience of Frank Kane, founder of Sundog Software based in Winter Spring, Florida, which was hit by Hurricane Irma, demonstrates how many of the lessons learnt can pay off for businesses if applied in advance. Kane says last year’s experience highlighted the importance of not relying on high-tech solutions. “When we did lose power, we used our car to keep a cell phone charged, which at least allowed us some internet access for keeping our customers updated. So at least we were able to respond to emails with ‘we are affected by the storm and we appreciate your patience’,” says Kane. “It’s not a high-tech solution but it did the job.” Losing power emphasised the value of using cloud-based services for the company’s email and website. As a result, Kane says: “We were able to maintain a presence and communication even without power at our office, and we were able to work seamlessly from home while the roads were closed.” Because of the problems caused by losing power, the company has purchased a small generator. “Even being able to keep a laptop charged and tethered to a cell phone is enough to maintain operations in a pinch,” Kane says. The storms last year also demonstrated the value of social media. This allowed the company to inform its customers before the storm struck that it might be closed while it recovered. The need for contingency planning also came to the fore: a company employee based in New York was primed to handle the company’s communications and customer support, if the need arose.
INTERVIEW BY COLIN COTTELL
GIANNA DETONI An experienced business continuity professional, Gianna Detoni FBCI recognises that there is still a long way to go in persuading companies to put risk at the top of the board’s agenda. Colin Cottell found out more
As a relatively young discipline, business continuity – and its partner, resilience – is on an arduous journey in taking its place alongside professions such as law and accountancy. Much of the credit for the profession’s growing recognition and acceptance is through the efforts of outstanding practitioners – like Gianna Detoni FBCI. Originally heading up risk resilience in EMEA for one of the world’s largest banks, she took the business continuity message out to what were then frontier markets, before founding her own company, Milan-based Panta Ray, and spearheading the development of the discipline and the profession in Italy.
Detoni’s work was recognised at the BCI’s Global Awards held in London last November, when she picked up the award for 2017’s Industry Personality. “For me in my profession, it’s like winning the Oscars, the greatest achievement I could hope for. It’s like the end of a run; it’s gratifying because of the difficulties, the effort and the hard work I have put in,” she says. The difficulties to which Detoni alludes include her personal struggle to accept the sea change in mindset and thinking that is necessary to truly embrace business continuity. “I am an Italian, and Italians do not have a culture of preparation. On the contrary, Italians have a culture of ‘we do whatever we want at the time an issue presents itself’; we don’t need to get prepared. I wasn’t much different.”
Detoni was awarded Industry Personality of 2017 at BCI’s Global Awards, which were held in London last November
Indeed, she admits that for a long period in her 33-year career at JP Morgan Italy, before the bank started to take business continuity seriously, nothing much changed. She says she spent the first 25 years “on the other side of the fence” in the role of the bank’s technology and operations manager as “a user of business continuity, not a business continuity professional”. And, Detoni admits, she was “living the whole cycle of misunderstanding and not appreciating why we have to implement business continuity, and why we need it”. But as the bank, particularly in the US, began to embrace the emerging thinking around crisis management and business analysis, Detoni says her “not-as-enlightened attitude began to change”. Detoni says her own personal conversion began in earnest after she was asked to utilise her “deep knowledge” of the bank, to head up JP Morgan’s risk resiliency division in EMEA, taking the business continuity message to what were then frontier markets. “Europe, Africa and the Middle East were not as far advanced in terms of business continuity as [were] the Anglo-Saxon countries of the US and the UK, and the bank wanted someone
with my experience to run this big programme to bring EMEA into alignment,” she explains. “It was then that I fell in love with the discipline.” The love affair continued when Detoni launched Panta Ray in 2009. “It was high time to do something different,” she says, explaining that the lack of competition in the Italian market at the time was an added attraction. Although most of the initial work Panta Ray carried out was on the training side, over the years the consultancy side of the business has grown. Nevertheless, she admits it hasn’t been an easy ride. “At the beginning of my consultancy, I got answers like ‘We don’t need it, we have lived without it, we have a disaster recovery plan, we are fine’.” For Detoni, understandably, these were “all the wrong answers”. Getting on for the best part of a decade since establishing Panta Ray, Detoni says things have become easier. “The world has changed. What is a matter of fact is that in the 90s and even at the beginning of this century, the world was not as globalised or as interdependent as it is today.” While losing a component of your business was always serious even then, today it can be “catastrophic”, putting the whole organisation at risk. This in turn is providing business continuity with an environment that is more conducive and receptive to the importance of both “good protection of your assets and good analysis of the potential impacts [of events]”. While many organisations are more receptive to the concept of business continuity, not all are. According to Detoni, the world is made up of two types of client. The first, she says, are those “who want to demonstrate that they have done their homework [a tick box mentality] – those are the worst”. The second are those who, even if they are doing it because they have to, are also doing it “to improve themselves and enhance their business – those are the best”.
Beyond working with individual clients, Detoni says huge amounts of work need to be done before the discipline gets to where she would like it to be. And although Detoni admits she is “old enough to retire”, there are no signs that she has lost any of her energy or passion. She is still very much up for the ﬁght. Ultimately, she believes business continuity matters, not just because it protects shareholders from losing money but also because it makes a statement about a company’s values that by protecting companies from today’s myriad threats, “they are thinking about the future of their staff [and their jobs] as well.”
She believes this is something that companies that have good business continuity management systems should shout from the rooftops. “They should show off and make sure that everyone knows they are so advanced that they care about the future of their people,” she says. The political classes and the European Parliament come in for particular criticism from Detoni for ignoring the subject of business continuity, and for not incentivising business to embrace it. In contrast, she says, the US government is encouraging and incentivising companies to build business continuity management systems. “This is the way we need to go, where we are encouraged to do this not just because it is nice to have but because it is essential to have.” With its history of earthquakes, Detoni argues that as a country Italy has to do better, with the aftermath of each earthquake testament both to the country’s “lack of preparedness” and a culture at the political level that fails to encourage preparation. “We never learn the lesson,” continues Detoni. “I hope the political part of the world will take time to understand that BC is about having a healthy and safe world in the future.” Detoni is equally passionate about the future of the profession, which “too often” is seen as something done “at the end of a career” rather than at the beginning. Although she accepts her long experience in banking helped her understand how to apply business continuity in a banking context, she argues that this level of experience “is not needed or required”. “You can acquire a lot of experience in this profession,” she says, and this can be supplemented by training. While Detoni is passionate about opening up the profession to newcomers, she is equally keen that it takes up what she sees as its rightful place at the top table of organisations. 
“In the wisest and the most proﬁtable companies in the world, and JP Morgan is one of them, the risk resiliency manager reports to the president and to the CEO,” she points out. However, in her view, there just aren’t enough companies like that at the moment, with boards tending to be made up of tax experts and lawyers, and nobody with experience of risk management or business continuity. “This will change in the future, I am sure,” says Detoni, although she accepts it won’t happen overnight. “There is a hell of a lot of culture to change ﬁrst,” she says. If and when that change does come about, then some of the credit must surely go to Detoni herself.
GIANNA DETONI
2009 TO DATE: President and founder, Panta Ray, Italy
2008 – 2009: Partner ethical security practice, Odgers Berndtson, Milan
2008 TO DATE: Various roles on industry bodies in Italy
1976 – 2008: Various roles including EMEA risk resiliency manager, JP Morgan Chase, Milan and London
TALENT RISK
BY DAVID STEEL AND TIM GLEAVE
THE HUNT FOR TALENT
ILLUSTRATION: IKON IMAGES
Knowing where to ﬁnd the next business continuity and resilience leader when your experienced head moves on is a problem confronting many companies. An insight and research organisation may be key
Being unable to identify and attract the right talent for business continuity and resilience roles is one of the most overlooked risk factors for organisations across any sector. And the increased reliance on IT and the digital environment, as well as the VUCA (volatility, unpredictability, complexity and ambiguity) operating conditions that continue to prevail, make this an even bigger potential threat. Companies understand that they need policies and procedures in place to deal with eventualities such as hacking and other cyber-attacks and power outages. But they won’t necessarily have a succession planning strategy in place if their resilience lead resigns or leaves unexpectedly. This can leave the organisation highly vulnerable, especially in the fast-paced, and always on, 24/7 world. With a scarcity of skills in areas such as cyber security, and each sector having its own particular risk factors that must be understood, securing the right talent to fill these roles for today and the future is a challenge that has to be confronted sooner rather than later.
CASE STUDY 1 THE CHALLENGE: A major professional services ﬁrm was struggling to recruit disaster recovery/business continuity professionals with cyber security IT skills. It had a signiﬁcant IT function on which it relied, and so this situation potentially put the company at risk. THE SOLUTION: The research company was asked to carry out a search-and-mapping exercise to expedite the recruitment process and shortcut the company’s future talent acquisition activity for this business-critical role. One of the difﬁculties was that this is a niche area and a niche skillset. The challenge was further compounded by the company ideally wanting the individual to have experience of the professional services arena. This meant there was only a ﬁnite group of individuals which ﬁtted the proﬁle. Relevant ﬁrms and individuals who worked in this speciﬁc function were identiﬁed. A market map of everyone in the professional services sector that does this job was created. A number of CVs were then obtained and a hire was made. This saved the client considerable money, as there were no placement fees, and the market map could be used in the future to ﬁnd talent. THE RESULT: The company decreased risk in a key area, increased its resilience and had a cost-effective solution for future talent acquisition.
Too many organisations still take a reactive approach, which can cost them dearly in time and money. The common response is to appoint a recruitment agency to source the person who will charge a hefty placement fee. However, does that recruiter have all of the knowledge at their disposal to make such an appointment? They will likely have people on their database or in their networks who appear to ﬁt the proﬁle – but how does the client know that they are the best person for this business-critical role?
CASE STUDY 2 THE CHALLENGE: A utilities provider wanted to enhance its contingency planning arrangements in the event of an incident or disaster. The company wanted to assess how it should best respond to this eventuality. THE SOLUTION: The research firm undertook an insight exercise, agreeing the parameters with the client. The utility was interested in targeting and speaking to people in the petrochemical, chemical, oil & gas and nuclear sectors. The research firm’s objective was to understand contingency planning processes and procedures in key organisations in those sectors by assessing what they had in place to deal with such emergencies. A number of business continuity, emergency response, health & safety, environmental quality, risk and general plant operations individuals were identified, and then asked a series of bespoke questions about their own emergency/disaster protocols. Raw data based on this exercise was fed in to a number of charts and graphs so the key themes and responses could be examined, and the client given recommendations on best practice. RESULT: The organisation was able to mitigate risk associated with contingency planning for emergency situations by ensuring it had best practice in place.
A business continuity and resilience function is entirely reliant on gaining intelligence and gathering empirical and scientific facts on which to base business decisions. So it makes sense that a similar approach is used for talent acquisition. Detailed below are the methods that organisations should use to obtain robust and comprehensive information about a market to enable themselves to make informed and strategic talent and business decisions. In doing so, it mitigates risk by ensuring the company has the right skillset and experience to carry out its operations. If an organisation does not have the in-house capability to take on these methods and techniques, it may want to seek out an insight and research organisation to do so. In addition to offering specialist research services, research organisations also encourage their clients to be ahead of the curve when it comes to talent acquisition by taking a proactive rather than reactive approach. This reduces the risk of the company leaving itself vulnerable to skills gaps and talent shortages at a critical time.
1. Insight: real-time research into the external market to reduce business risk and allow smarter decision-making. Applications for this service include: salary benchmarking; location planning; brand perception, pre-acquisition talent due diligence; role benchmarking; and competitor activity. This is achieved by identifying and engaging with individuals in the marketplace by telephone to gather insight and relevant information. Such individuals are usually experts or have strong experience in their field or the subject area relevant to the client’s brief. A range of other techniques are used to obtain the insight including online-based research methods and extracting
intelligence and data from a wide range of sources such as reports, white papers, surveys, articles, journals and more.
2. Search: comprehensive research to help organisations recruit the best talent available in the market, for an immediate need at a highly competitive cost. While a recruitment agency charges per placement, a good research organisation works on the basis of a daily fee and often the work carried out can be used in future recruitment campaigns.
3. Pipelining: proactive research to provide small, medium or large candidate pools for future talent needs, supplemented with valuable external market insight.
4. Mapping: detailed research to provide an illuminated view of the talent landscape as a prelude to in-house candidate engagement.
Across search, pipelining and mapping, telephone and online-based research techniques are used to identify individuals, understand reporting lines and build pictures of department/function structures within a target list of companies. If required, specific individuals can be approached regarding a role or opportunity. A career conversation can then be conducted with those interested in finding out more and for the purpose of ultimately building shortlists or candidate pipelines for the client.
While historically and predominantly used for talent acquisition, the work of an insight and research organisation can also be used to inform an organisation’s overall business strategy and direction. And look at these real-world case studies, which illustrate how insight and research helped address recruitment and business challenges in four diverse organisations.
David Steel and Tim Gleave are joint managing directors of Talent Insight Group
CASE STUDY 3 THE CHALLENGE: A government agency hadn’t recruited in the cyber security domain before and wanted to understand where they could attract individuals. More importantly, it had no knowledge of what people earned or aspired to earn in this area and didn’t want to pitch roles inappropriately and fail to attract the right talent. THE SOLUTION: This was an insight exercise in which a real-time picture of the external market was produced, which helped the client make a better business decision. Relevant individuals were targeted and identified, and then spoken to in order to understand their aspirations and level of interest in discussing opportunities. RESULT: Crucially, researchers were able to get a feel for pay and reward, and how roles should be pitched from this perspective. In such an exercise, the candidate’s permission must be secured to share this information with clients. Ultimately, it means a large amount of raw data is obtained, which helps shape and base recommendations, and then conclusions: these are the roles you wish to recruit, these are the individuals in the marketplace, these are the types of organisations that have these roles and this is what they earn in the competitor market.
CASE STUDY 4 THE CHALLENGE: The client wanted to hire a new head of operational risk and resilience but didn’t want to recruit at the current time. It was heavily dependent on its incumbent function head who was planning to leave and wanted to be ahead of the curve when the time came to replace him. THE SOLUTION: An insight and research firm provided a market map of individuals. Researchers spoke to them, explaining that a client was involved in succession planning for a specific role. The conversations also provided valuable insight on pay and reward, and it was found that elsewhere in the market individuals in similar roles commanded a higher basic salary. Not only did the insight and research firm provide the client with options for recruitment when the time came but also recommended that the company would have to consider recruiting at a higher salary level if it was to compete for high-calibre talent with the necessary experience. RESULT: When the individual announced his departure, the company went back to the market to make a hire and was able to appoint in good time to have a synchronous handover.
NEWS FROM THE BCI
Mark the dates for BCI regional awards
The BCI will hold regional awards ceremonies throughout 2018 to celebrate the hard work and achievements of members and organisations. Here is a rundown on dates and locations for the regional events:
BCI’s Middle East Awards will take place on 12 April in Dubai. Entries are now closed for the Middle East Awards, but tickets are still available for the awards event.
The European Awards ceremony will take place in Milan on 10 May. The deadline for awards submissions is 15 March.
The Americas Awards will take place during the Continuity and Resilience Today Conference in Toronto on 31 May. The deadline for submissions is 5 April.
The Australasian Awards take place in Sydney on 30 July. The entry period will open on 2 April and close on 28 May.
The Asia Awards will be held on 23 July in Kuala Lumpur. The entry period will open on 2 April and close on 28 May.
Dates and locations will be announced shortly for the Africa and India & South Asia Awards ceremonies.
These regional awards not only showcase fantastic contributions to the industry, but also provide the entries for the BCI Global Awards taking place on 6 November in London.
To read about the 2017 Global Awards winners, go to www.thebci.org/news
Good Practice Guidelines 2018 courseware The BCI was delighted to announce the launch of the Good Practice Guidelines (2018 Edition) in November at BCI World Conference and Exhibition. This revision of the Good Practice Guidelines has also fed into updating of the content and design of the CBCI Certification course, which was just released in February. February and March have been a transition period with the option for CBCI candidates to sit either the 2013 or 2018 versions of the examination. This transition period will close on 31 March. From 1 April it will only be possible to sit the CBCI exam based on the Good Practice Guidelines (2018 Edition). For further information about the Good Practice Guidelines (2018 Edition) or BCI’s training course, go to www.thebci.org/training-qualifications/good-practice-guidelines
Take part in Business Continuity Awareness Week 2018 Business Continuity Awareness Week (BCAW), an annual global event facilitated by the BCI, will be held 14-18 May this year. A key vehicle to raising the awareness of the profession, it is also aimed at demonstrating the value that effective business continuity management can have to all types of organisations. BCAW provides an opportunity for newcomers to the BC discipline to experience first-hand how it can benefit their own organisation. Participants will also take away practical and useful information to transform the way risks are dealt with in the future. Also available to BC professionals is a free education platform to continue their efforts as ambassadors for the discipline, as well as a wide range of tools to increase awareness, understanding and develop ownership for BC within their own or clients’ organisations. They include a wide range of multimedia resources. Also on offer are chances to win fantastic prizes using BCI social media platforms. Get involved in the activities before and during the week of 14-18 May. For further information about BCAW 2018, go to www.thebci.org/bcaw2018
PEOPLE MOVES Colin Lobley Cyber Security Challenge UK welcomes Colin Lobley as its new CEO. Cyber Security Challenge UK is a series of national competitions, learning programmes, and networking initiatives designed to identify, inspire and enable more EU citizens resident in the UK to become cyber security professionals.
Chris Fedde joins cyber security software solutions provider Bandura Systems as its new CEO.
Risk mitigation, investigations, compliance, cyber resilience, security, and incident response solutions specialist Kroll has appointed Benedetto Demonte as North America Leader for its cyber security and investigations practice.
Continuity & Resilience is the magazine of the Business Continuity Institute and is published four times a year.
BUSINESS CONTINUITY INSTITUTE 10-11 Southview Park, Marsack Street, Caversham, Berkshire, RG4 5AF tel: +44 (0) 118 947 8215 | www.thebci.org
EDITOR DeeDee Doke
REPORTERS Colin Cottell, Graham Simons
CONTRIBUTING WRITER Sue Weekes
SENIOR DESIGNER David Twardawa
PRODUCTION EDITOR Vanessa Townsend
La Trobe University cybersecurity professor Jill Slay is now the La Trobe University Optus cyber chair. In her new role she will lead the university’s cyber research drive through a virtual facility.
PICTURE EDITOR Claire Echavarry
SENIOR SALES EXECUTIVE Charles Boutwood tel: +44 (0) 20 7880 7661
PRODUCTION DIRECTOR Jane Easterman tel: +44 (0) 20 7880 6248
PRINTER Henry Stone Ltd, Banbury, Oxon
PUBLISHED BY Redactive Publishing Ltd, Level 5, 78 Chamber Street, London, E1 8BL tel: +44 (0) 20 7880 6200 www.redactive.co.uk
PUBLISHING DIRECTOR Aaron Nicholls tel: +44 (0) 20 7880 8547
Richard Bale Disaster recovery, online backup and business continuity solutions provider Databarracks welcomes Richard Bale as business continuity and resiliency principal.
Jimmy Treuting Jimmy Treuting has joined security services provider ADT as senior vice president sales & marketing.
Arthur Wong Telco Singtel has appointed Arthur Wong as its new CEO of global cyber security.
Marcus Alldrick Marcus Alldrick is appointed head of risk at cyber deception solutions developer Cymmetria.
© Business Continuity Institute 2018 The views expressed in C&R are not necessarily those of the Business Continuity Institute. All efforts have been taken to ensure the accuracy of the information published in C&R. However, the publisher accepts no responsibility for any inaccuracies or errors and omissions in the information produced in this publication. No information contained in this publication may be used or reproduced without the prior permission of the Business Continuity Institute.
WHAT A GREAT IDEA
MY LIGHTBULB MOMENT
Scott Cave, principal at Atlantic Business Continuity Services
Zello
TAKE A LOOK AT IT. The first I heard of it was during Hurricane Harvey. It’s like a group audio walkie-talkie app. You can have hundreds or thousands of people using this app to talk real-time with each other. Almost like a conference call, but it’s more like a late 1990s, early 2000s push-to-talk cell phone that used to exist. It allows real-time communications among a very disparate team of people – it could be a crisis management team. It’s a free app that records every single one of the messages, so if you miss something you can go back and replay it. It gained great favour among the so-called Cajun Navy during Hurricane Harvey – a group of volunteers who self-deployed in all sorts of small boats and craft to rescue people. The Cajun Navy first came to public consciousness in the aftermath of Hurricane Katrina in 2005 and was credited with rescuing 10,000 people. During Hurricane Irma, Zello gained even more favour. So far Zello has been downloaded more than 113m times.
Published on Mar 15, 2018