BCM Institute Resilience Newsletter Q1 2008 Business Continuity Management


  • 8/14/2019 BCM Institute Resilience Newsletter Q1 2008 Business Continuity Management

    1/13

    Resilience Resources

    Upcoming courses, May/June

    o BCM-100: Macau (20/05/08)

    o BCM-200: New Delhi (03/05/08), Macau (21/05/08)

    o BCM-300: Singapore (05/05/08), Kuala Lumpur (07/05/08), Mumbai (12/05/08), Manila (14/05/08), Beijing (19/05/08), New Delhi (03/06/08), Bangkok (18/06/08), Kuala Lumpur (18/06/08)

    o BCM-400: Singapore (13/05/08), Beijing (23/06/08), Kuala Lumpur (25/06/08)

    o DRP-300: Macau (24/06/08)

    o BCM-810: Singapore (27/06/08)

    o BCM-830: Singapore (29/05/08), Singapore (18/06/08)

    o BCM-5000: Mumbai (13/05/08)

    o DRP-5000: Hong Kong (05/05/08), Singapore (09/06/08)


    April 2008, Issue 01

    President speaks

    Our mission at BCM Institute, without question, is to create a common base knowledge of BC Management and DR Planning, to certify qualified individuals, and to create credibility by raising the professionalism bar of our certified BC and DR experts. As we kick off our e-newsletter, Resilience, we hope that this would be a credible platform to present and exchange technical revelations, corporate BC/DR experiences as well as report on the BC/DR community activities in this region.

    Dictionaries will explain that having Resilience, or being resilient, is synonymous with hardiness and resourcefulness, and individuals who are said to display resiliency have exhibited positive behavioural adaptation. And the circumstances in which one is deemed as possessing this positive attribute is often characterized by stress and catastrophe; adapting to difficult, negative events.

    As practitioners and advocates of BC and DR, this explanation of resilience would immediately bring to our minds our professional mandate as we serve in our respective roles: the need to prepare ourselves individually and instil such a mindset company-wide, so much so that our continuity is not only assured but guaranteed because of our dedication to BCM.

    I hope you'd enjoy this newsletter, which I commend to your reading pleasure!

    Dr Goh Moh Heng, President, BCM Institute

    Technical papers

    Exploring Business Impact Analysis Russel Ghem, BCCS

    Looking back at today's organization, it operates and behaves exactly like a human anatomy. It has relevant important departments or business units that create the vital organs of an organization. The blood to an organization in this case is the business processes undertaken by each staff keep all departments functioning. So the question is, how can we, as a BC professional, help to take precautionary steps to ensure survivability of the organization?

    Testing a Disaster Recovery Plan Shad Hafeez, BCCS

    The business continuity management process and the Business Continuity Plan (BCP) need to bring together all such elements to ensure they adequately address the organisation's business interruption risks. Designing an effective business continuity plan usually starts with identifying worst possible post disaster situation. Experiences suggest that the companies that have experienced a disaster generally divide post disaster activities into two streams.


    People & Events

    Interview with Mr. John Decruz from Shell Brunei

    Mr DeCruz cited his desire to reinforce his BCP skills and to sharpen his knowledge of BC principles as two of the key reasons for attending the recent BCM-5000 course. He was pleased that he also picked up some nuggets of best practices in BCM from the class interaction.

    Interview with Mr. Wong Mum Thong from Ministry of Home Affairs

    BCM Institute's Resilience interviewer also asked BCM 5000 participant Wong Mum Thong whether there are any salient differences in the ways activities for BCP are conducted between government and private sectors. He answered, "be it a Business Continuity Management (BCM) or Crisis Management, both are referring to how to deal with (a) crisis."

    Meet the Experts

    On Friday 18th April, BCM Institute in Singapore conducted its first Meet The Expert session. Held at the Furama Riverfront Hotel, the event attracted 60+ members and their guests who set aside an afternoon to listen to 3 Experts: Dr David Smith, BCM Institute's course instructor and representative in UK and Africa; Mr Philip Kee, Managing Director of British Standards Institution; and Mr Anthony Lee, Honorary Chairman of ASIS International.

    Upcoming Courses

    Learning is an ongoing process and BCM Institute is here to provide you with the latest trainings in Business Continuity & Disaster Recovery Best Practices. BCM-300 Fundamentals of Implementation, leading to Business Continuity Certified Specialist (BCCS) certification, is a 2-day intermediate course. It is followed by the BCM-400 Advanced Best Practices course, leading to Business Continuity Certified Expert (BCCE) certification in 4 days.

    ASIS members get a 10% discount for the upcoming BCM-300 May class. Sign up for both BCM-300 & BCM-400 May classes and get SGD100 off!

    News & Views

    Dr Goh Moh Heng on the Road

    Busy as a bee: this is an exact description of Dr Goh's schedule. As a professional who is constantly on top of the latest news and happenings in the Business Continuity and Disaster Recovery field, Dr Goh is widely known for his skills in conducting informative and interesting workshops. This is why MNCs from industries across the globe have approached him to share his knowledge with the aim of enriching their employees with the fundamentals of BC/DR.


    BCM Forum, http://bcmi.collectivex.com

    Come and join the new home for all BC and DR professionals in the world. BCM Forum is now bigger, faster and better on CollectiveX. BCM Institute aims to build an online community for the Business Continuity and Disaster Recovery members to share industry knowledge, exchange ideas, help one another within the community and raise awareness of Business Continuity Management. It was launched in April 2008 and currently houses more than 330 BC and DR professionals from 22 countries and 54 MNCs!

    BCM Institute Live, Podcasts

    BCM Institute Live is a podcast programme brought to you by the BCM Institute editorial team. BCM Institute Live analyses the Business Continuity Management (BCM) Planning Process that forms part of the BCM Institute's training curriculum. In the month of May 2008, three brand new weekly podcast series will be released at BCM Forum: 1. BCM-Institute.org series, 2. BCM Planning Methodology series and 3. What is Series, making BCM Institute Live the hub for BC and DR professionals' conversations.

    Reading Pleasure

    The Top 10 IT Disasters of All Time

    While technology wasn't to blame per se in the HMRC data loss, there are plenty of recorded examples where faulty hardware and software have cost the organizations concerned dearly, both financially and in terms of reputation, and resulted in some near misses for the public. Here's our considered list of some of the worst IT-related disasters and failures. The order is subjective with number one being the worst.

    Staff & Stuff

    Sujoy, Deputy Program Manager BCM Institute India

    Our featured staff for this issue of Resilience is Sujoy from BCMI India. He is the Deputy Program Manager and is responsible for managing the sales and logistics for both in-house and public training programs across India & the Middle East.

    Resilience: Your Feedback Needed

    In order to improve your newsletter, we welcome any and all suggestions. Please send them to [email protected].

    Copyright 2008 BCM Institute. All rights reserved. Selling, re-distributing or reproducing the information on these pages without prior permission from BCM Institute is strictly prohibited. BCM Institute shall not be liable for any errors or delays in the content, or for any actions taken in reliance thereon. Members' technical papers and/or articles and their views therein are not necessarily the views held by BCM Institute. BCM Institute, Resilience Newsletter, 315 Outram Road #15-04 Tan Boon Liat Building Singapore 169074


    Technical papers

    Exploring Business Impact Analysis Russel Ghem, BCCS

    Business Impact Analysis (BIA) is well known to any BC professional as one of the fundamental areas of focus after Risk Assessment. Before we start to talk about Business Impact Analysis, we need to know the purpose of conducting a BIA.

    For illustration purposes, the human anatomy is used as an example and reference in this article. We all know that different organs within a human body perform different critical functions. The heart keeps the blood pumping through the entire body and the lungs bring oxygen to the body. Blood and the blood vessels in a human body transport nutrients and oxygen across all vital organs. Suppose a deadly virus attacks a human body; it can cause devastating damage or harm. If the human body is not strong enough to heal against the virus attack, it may succumb to failure, and death may occur. Seeking medical attention will allow a doctor to diagnose the problem and prescribe the necessary medication to heal or cure the virus attack. From the experience learnt, one may take precautionary steps to immunize the body against virus attack. This is how a human behaves and survives.

    Looking at today's organization, it operates and behaves exactly like a human anatomy. It has important departments or business units that form the vital organs of an organization. The blood of an organization in this case is the business processes undertaken by each staff member, which keep all departments functioning. So the question is, how can we, as BC professionals, help to take precautionary steps to ensure survivability of the organization? Based on the earlier illustration, we must first of all understand what it takes for an impact to hit an organization and find out as much information as possible about such an impact on an organization. The process of finding out the information is through the conduct of a BIA.

    Conducting a BIA enables the BC professional to understand an organization's critical business processes and the ranking of critical processes by time scale. A well structured BIA can further determine business unit or business process workflow and process dependency. From the data and information gathered from the BIA, a BC professional can develop the necessary strategies to prevent a potential impact to an organization: immunization.

    Conducting a BIA is always a time consuming process, therefore the BC professional should plan ahead before attempting to have staff participation. It is important and required to obtain full management support from executives or senior management before a BIA is attempted or carried out. It is very unlikely that managers or staff will be prepared to dedicate time to this exercise unless this management support is gained or demonstrated. The more exhaustive the data and information one wishes to gather in the BIA, the more time is required from the staff.

    The data or information obtained from a BIA primarily comes from the questionnaire answered by the organization's staff. Staff from various departments or business units are usually the key to the provision of authentic data and information through answering the BIA questions. It is very important to have the top executive or most senior management group support the conduct of the BIA. Line managers or middle management are unlikely to be prepared to dedicate their time to this BIA unless executive or senior management support is demonstrated.

    There are a few areas a BC professional should take note of before conducting a BIA to ensure the effectiveness of the BIA survey:

    1. Interview method or through questionnaire answering

    There are various methods of asking relevant BIA questions and gathering the answers from the staff or end user. The interview method is much preferred but, on the flip side, it is time consuming. On the other hand, a questionnaire handed out to end users may be a quick and time efficient way to perform the BIA. Staff can easily answer the questions directly on the handout. Do bear in mind that the quality of information may suffer.


    2. Open ended or close ended questions

    Open ended questions are much preferred if you are adopting the interviewing method for your conduct of the BIA, but never set an open ended question in your questionnaire handout. An open ended question in a questionnaire handout will yield unwanted or erroneous answers to the question. Always pose or set close ended questions in the questionnaire handout as this will help the end user to focus on the question.

    As a rule of thumb, always set or ask questions that the end user can understand, and avoid misleading questions or jargon. Do not use industry lingo or acronyms in the questions. If acronyms have to be used, they must be explained in a footnote or in a glossary page.

    3. Exhaustive or simple information gathering

    As pointed out in point 1, depending on your planning schedule, exhaustive information gathering in a BIA is always a good start for an organization that is new to Business Continuity. This will yield a fundamental foundation of information for the BC professional to work on relevant activities and business continuity strategies.

    However, depending on the complexity of the department or business unit, a BC professional should decide between practicalities versus the time factor during BC planning.

    4. Mode of data gathering (i.e. off-the-shelf BIA software tool or manual template creation)

    There are several tools available on the market that BC professionals can purchase to assist in their conduct of a BIA. One common tool known to the BC industry is BIA professional by Strohl. Alternatively, one could also develop a simple BIA template in Microsoft Word or Excel, depending on which is preferable. There are pros and cons to each method described above, but the BC professional should take an objective view to select the most practical approach for the organization.

    5. Analyzing BIA data

    Once the BIA data are gathered and consolidated, they must be further analyzed and mapped across system technology. It is advisable that Information Technology (IT) subject matter experts (SME) are invited to provide relevant technical guidance, information and advice. The participation of Information Technology is critical to help the BC professional fully understand the business processes' dependency on systems and technology. If a particular business process is manually driven, then IT advice is kept minimal.

    The above pointers are just some general guidelines and tips that a BC professional may follow as a guide. The degree of complexity of the BIA questions depends very much on the organization structure. A complex organization structure will require a more complex and comprehensive BIA in order to capture the true authenticity of the data gathered.

    Do not fall into the pitfall of setting or asking too many or overly complicated questions, or of using jargon in the questions, during the conduct of a BIA. The BC professional will definitely know what the question is asking, but do take note that end users may not be BC trained and may not understand the question at all. It is important to note that the questions set or asked should be end user oriented. The trick is to put yourself in the end user's environment and help them to understand the questions that you want to ask. A great deal of time is always lost when BIA answers from end users do not yield what you want or are incorrect. Time is then spent again on clarifying answers with the end user.

    Before you embark on this time consuming BIA task, do ensure that sufficient time is allocated and that proper project management is in place to ensure the BIA completes on time. If not, it is going to have a detrimental impact on the rest of the Business Continuity planning activities.

    About the author:

    Russell Ghem is a Business Continuity Manager with Visa Inc for Asia Pacific region. He is also a Business Continuity Certified Specialist (BCCS) with Business Continuity Management Institute (BCM Institute) and Certified Business Continuity Practitioner (CBCP) with Disaster Recovery Institute (DRI). He is responsible for 22 regional offices' Business Continuity Management program in Asia Pacific. Russell also ensures the Business Continuity Management program is well adopted and implemented for all offices in accordance to company's control objectives and standards.


    Testing a Disaster Recovery Plan

    Shadah Hafeez

    A common misconception among most of the companies implementing BCP/DRP is that the management tends to relax as soon as a plan is put in place. They begin to feel good about the fact that they are now compliant with some well known regulatory bodies as they now have a full fledged BC/DR plan in place. They are unmindful of the fact that the very plan that they have used to gain credits and bag new projects has to be TESTED first to check for effectiveness.

    It has been observed in one of the opinion polls conducted by Disaster Recovery Journal that over 60% of the respondents had not tested their DR plans since the implementation, and around 22% of the respondents had tested their plans not more than thrice post the implementation. I am certain most of these respondents would've begun testing their plans post 9/11. However, does one need a 9/11, a Katrina or a Tsunami to realize the importance of testing our plans? Sadly, most organizations gave importance to BC/DR in the wake of 9/11.

    This shift in priority came as the management was now a lot keener on acquiring and implementing the concept of disaster recovery. In other words, CIOs around the world felt that the only way to proceed was to plan for, and ensure, continuity in operations under any circumstances. In my opinion, 2001 was the time when DR clearly started moving up the priority list of many organizations.

    As in many other fields in the business community, management buy-in for any activity is very important. Apart from the financial support (which is important), involvement of top tier management in the DR planning lends a feeling of seriousness to the entire activity. This is probably one of the reasons why, at the end of each phase in the BC or DR planning, a management sign off is suggested as a requirement. Some of the key factors that push the management in exercising a DR plan are:

    o In case of a disaster, an untested plan could actually turn out to be a lot more dangerous as the assumptions mentioned in the plan were never really weighed out.

    o DR planning is an ongoing activity and so testing or exercising of plans are always integral parts of the DR planning.

    Now, the most important question comes into the picture:

    What do we test first?

    To answer this, we would have to get into the core of the planning process. Each process which has been classified as critical should be reassessed based on the findings from the Business Impact Analysis and the Residual Risk (portion of risks remaining after the security measures have been applied) from the Risk Assessment. The personnel responsible for recovery should ideally look at simplifying the process by introducing some kind of a grading system, based on which the management can take effective decisions.

    From the above methodology, you can identify which elements to test. So, our next question would be,

    How do we look at putting our theory into practice?

    This would be achieved by selecting appropriate testing strategies.

    Organizations such as eBRP and Strohl Systems have come out with their full fledged BCP/DRP toolkits. These toolkits do have the capability to prepare different types of testing strategies. This, by the way, makes the job of BC/DR Planners a lot easier. The world of BC/DR planning has come a long way from the age of customized templates (which, I must say, are still widely being used) to the new sophisticated toolkits. But the underlying idea behind the testing strategy remains the same and it is:

    o The plan should be tested to its maximum extent.

    o There are no service disruptions or minimal service disruptions.

    o Each and every test should give ample reassurance in the recovery capabilities, thereby adding valuable information to the plan maintenance.


    Let me list some of the most commonly used testing strategies. Some of them can be classified as the most valuable tools for a DRteam.

    1. Usage of Check Lists:Check lists are one of the most common and by far the most pocket friendly (I mean inexpensive) tool in DR plannersrepertoire. It can also act as a backbone to the entire testing cycle. To make an effective checklist, try to partition out theareas of responsibility and teams for each business. Its always good to use the people within the business to prepare thechecklist, the primary motivation being that they are aware of all the things that are critical to their business. For example,a checklist for a critical technical helpdesk would comprise of the following:

    Call tree verification. Key standard operating procedure validation. List of the hardware and software requirements for the process. Availability of process specific resources during the DR implementation. (Such as login ids, call master ids etc) Recovery plans and all necessary manuals.

    2. Conducting Walk Throughs:Walk Throughs are often used in tandem with the checklists used from a prior exercise. The main idea behind a walkthrough is to check for the effectiveness of the plan or identify any gaps in the plan. This type of test allows you to include alarge group of people into the test so that their knowledge and experience can be used to a great extent.

    3. Conducting a Simulation:As the name suggests, a simulation of a disaster is used so that normal operations are not interrupted during a testingexercise. Hardware, software, personnel, transportation and alternate site processing should be tested in a simulation test.Moving of equipment or the elimination of voice or data communications may not be practical during a simulated test.

    Here you can use checklists, as they provide a reasonable level of assurance for some of the scenarios.

    Its considered as a best practice, if the simulation test is implemented only after the checklists and walk through exerciseresults have been validated.

    Make sure that you have analyzed the output of the earlier tests carefully before the simulation is done to ensure thechanges proposed after the previous tests have been incorporated into the plan.

    4. Conducting a Parallel Test:One of the most critical tests and can be used in tandem with the checklist test or simulation test. In this test, historicaltransactions such as the prior days transactions are processed against preceding days backup at hot site. All the reportsproduced at the alternate site for the current business date should agree with those reports produced at the alternateprocessing site.

    5. Conducting a Full Interruption Test:Yes!! You guessed it right. This test activates the entire disaster recovery plan. Let me tell you, this test can be very costlyand can also lead to disruption of normal operations, and therefore should be approached with caution.

    In all the different types of tests discussed, one thing remains common: to maintain due diligence with respect to previous phases of the cycle.

    Industry experience also states that there will be huge surprises and unexpected results in the first few tests that you conduct. The more you refine your testing strategies, the better your chances of reducing errors. I would prefer extensively using the Checklists and conducting Walk Throughs in the early stages of the cycle.

    It isn't necessary to follow all 5 steps mentioned above to conduct an effective exercise. But ideally, the Checklists, Walk Throughs and Simulations should be a part of any testing exercise.

    As I close this article (which I presume would be helpful), I would like to reiterate the fact that regular DR testing would always show us whether or not our plan is capable of restoring the business in case of a disaster.


    References:

    Disaster Recovery Journal Current Surveys

    URL: http://www.drj.com/surveys/robpoll/drj_surveys.htm

    Disaster Recovery Journal Glossary

    URL: http://www.drj.com/glossary/glossleft.htm

    About the Author

    Shadah Hafeez is an Information Security Professional working for GENPACT, INDIA. For the last 5.5 years, his activities in BCP/DRP include analyzing and preparing plans & BIA for clients. He uses 3rd party s/w like eBRP and Strohl. He also conducts DR tests for clients, and occasionally teaches at workshops on BC planning. Shah is currently assigned to USA for 2 years, and likes techno trance music, paints occasionally and hopes one day to learn music.

    People&Events

    Interview with Mr. John Decruz from Shell Brunei

    Mr DeCruz cited his desire to reinforce his BCP skills and to sharpen his knowledge of BC principles as two of the key reasons for attending the recent BCM-5000 course. He was pleased that he also picked up some nuggets of best practices in BCM from the class interaction.

    When asked about challenges faced as a senior BC practitioner, Mr DeCruz said that it is always important to get senior management's awareness and their approval. A way to achieve this, he offered, is to conduct internal awareness workshops to get information across for buy-in. It is imperative that key personnel know about the relevance of BCP at all levels, and foster a top-down emphasis with this conviction. In relation to this, he added, roles & responsibilities in each BU are important and should be honed by conducting annual simulations & exercises.

    BCM Institute's Resilience interviewer also asked Mr DeCruz about the qualities Shell looks for in a BCP manager / coordinator, to which he replied, "(to succeed) .. he/she must be dedicated and with good interpersonal skills and not someone new to the org. must understand the business function well ..."

    Interview with Mr. Wong Mum Thong from Ministry of Home Affairs

    BCM Institute's Resilience interviewer also asked BCM 5000 participant Wong Mum Thong whether there are any distinct differences in the way activities for BCP are conducted between government and private sectors. He answered, "be it a Business Continuity Management (BCM) or Crisis Management, both are referring to how to deal with disruption in the norm and instability in the status quo."

    Mr Wong mentioned that from his perspective, Crisis, from a business perspective, may be one of the disruptions to their critical business function or processes; from the perspective of the government, crisis can mean disruptions impacting the whole nation, life and social orders. He further added that it is important for all sectors to be concerned with BCM and in crisis management. He commented further that participating in the program enables him to understand the concept of BCM as applied in the corporate world and would facilitate his engagement of the corporate sector in crisis management.


    Meet the Experts

    Meet the Expert event in Singapore Friday 18th April 2008-04-21

    On Friday 18th April, BCM Institute in Singapore conducted its first Meet The Expert session. Held at the Furama Waterfront Hotel, the event attracted 60+ members and their guests who set aside an afternoon to listen to 3 Experts: Dr David Smith, BCM Institute's course instructor and representative in UK and Africa; Mr Philip Kee, Managing Director of British Standards Institution; and Mr Anthony Lee, Honorary Chairman of ASIS International.

    The objective of this bi-monthly session is to present critical thinking on BC & DR and current industry practice from the viewpoint of seasoned practitioners, and for members to engage experts vis a vis their own environment.

    Dr Smith (far left) entitled his presentation "Flood, Fire and Fraud". It was centred on recent disasters in the UK, and the extent to which they affected the environment and businesses. Mr Kee (left) talked about BS25999, which is the UK standard equivalent of the TR19 standard for BCM. Lastly, Mr Lee brought up the issue "Challenging Environments in Asia requires Response Planning".

    Immediately following the presentations, a Q&A was convened and a 4-member expert panel formed, comprising the 3 speakers, with Mr Nicholas Rushton-Young (far right, seated next to Mr Anthony Lee), one of our members and instructors, forming the 4th expert. Member David Chin challenged the panel with his question "Should BC Professionals be held legally responsible should BC Plans fail when activated?" (summarized by editor). This prompted lively discussion from both the floor and the panel.

    The event ended with an Awards Ceremony, a regular feature of BCM Institute's gatherings, to recognize recent awardees with their certificates. One of the 6 recipients, Ms Carolynn Lock, is shown here receiving her BCCE certificate from Sim Cher Young, BCM Institute's Executive Director. (Editor's note: 28 members were awarded certification, but only 6 could attend the event that day).

    Photo Gallery: http://www.continuityonline.info/gallery_bcmi/index.php

    News&Views

    Dr Goh Moh Heng on the Road

    "Busy as a bee": this is an exact description of Dr Goh's schedule. As a professional who is constantly on top of the latest news and happenings in the Business Continuity and Disaster Recovery field, Dr Goh is widely known for his skills in conducting informative and interesting workshops. This is why MNCs from industries across the globe have approached him to share his knowledge with the aim of enriching their employees with the fundamentals of BC/DR.

    In this section, the Resilience team would like to share with its readers a few notable events which Dr Goh participated in, namely a Tabletop exercise for Housing Board Development (HDB) based on BCM Institute's BCM-2050: Practical Tools for Conducting the Disaster Simulation Exercise in January (Singapore); receipt of a token from the Minister of Manpower at the CEP conference on 1st April (Singapore); and last but not least, a Bangkok BCP Seminar conducted in March where Dr Goh was voted 2nd best speaker out of eighteen presentations.

    In addition, Dr Goh is actively involved in conducting in-house courses and has specially flown in to countries like Finland, as well as Asian countries like Thailand, Malaysia, India and Philippines, in the first quarter of 2008 for these workshops.

    Please tune back to this section on the next issue of Resilience for more updates on Dr Goh and his travels. Till then!

    BCM Forum has moved to CollectiveX! http://bcmi.collectivex.com

    Come and join the new home for all BC and DR professionals in the world. BCM Forum is now bigger, faster and better on CollectiveX. BCM Institute aims to build an online community for the Business Continuity and Disaster Recovery members to share industry knowledge, exchange ideas, help one another within the community and raise awareness of Business Continuity Management. It was launched in April 2008 and currently houses more than 340 BC and DR professionals from 22 countries and 54 MNCs!

    The objectives of this forum are to keep the online community up to date with the latest BC and/or DR news and developments, global and local disasters, events, pandemic flu and standards; to be a one-stop site for all BC and DR knowledge; and, more importantly, to let BCM Institute members network, share knowledge, learn from global BC and/or DR experts and peers, and find job opportunities.

    If you have not joined yet, please do so by visiting http://bcmi.collectivex.com/join

    BCM Institute Live, Podcasts

    BCM Institute Live is a podcast programme brought to you by the BCM Institute editorial team. BCM Institute Live analyses the Business Continuity Management (BCM) Planning Process that forms part of the BCM Institute's training curriculum. In the month of May 2008, three brand new series will be released at BCM Forum: the BCM-Institute.org series, the BCM Planning Methodology series and the What is Series, making BCM Institute Live the hub for BC and DR professionals' conversations.


    The top 10 IT disasters of all time*

    While technology wasn't to blame per se in the HMRC data loss, there are plenty of recorded examples where faulty hardware and software have cost the organizations concerned dearly, both financially and in terms of reputation, and resulted in some near misses for the public.

    Here's our considered list of some of the worst IT-related disasters and failures. The order is subjective with number one being the worst.

    1. Faulty Soviet early warning system nearly causes WWIII (1983)

    The threat of computers purposefully starting World War III is still the stuff of Science Fiction, but accidental software glitches have brought us worryingly close in the past.

    Although there are numerous alleged events of this ilk, the secrecy around military systems makes it hard to sort the urban myths from the real incidents. However, one example that is well recorded happened back in 1983, and was the direct result of a software bug in the Soviet early warning system.

    The Russians' system told them that the US had launched five ballistic missiles. However, the duty officer for the system, one Lt Col Stanislav Petrov, claims he had a "...funny feeling in my gut", and reasoned if the US was really attacking they would launch more than five missiles.

    The trigger for the near apocalyptic disaster was traced to a fault in software that was supposed to filter out false missile detections caused by satellites picking up sunlight reflections off cloud-tops.

    2. The AT&T network collapse (1990)

    In 1990, 75 million phone calls across the US went unanswered after a single switch at one of AT&T's 114 switching centres suffered a minor mechanical problem, which shut down the centre. When the centre came back up soon afterwards, it sent a message to other centres, which in turn caused them to trip and shut down and reset.

    The culprit turned out to be an error in a single line of code (not hackers, as some claimed at the time) that had been added during a highly complex software upgrade. American Airlines alone estimated this small error cost it 200,000 reservations.

    3. The explosion of the Ariane 5 (1996)

    In 1996, Europe's newest and unmanned satellite-launching rocket, the Ariane 5, was intentionally blown up just seconds after taking off on its maiden flight from Kourou, French Guiana. The European Space Agency estimated that total development of Ariane 5 cost more than $8bn (£4bn). On board Ariane 5 was a $500m (£240m) set of four scientific satellites created to study how the Earth's magnetic field interacts with Solar Winds.

    According to a piece in the New York Times Magazine, the self-destruction was triggered by software trying to stuff "a 64-bit number into a 16-bit space".

    "This shutdown occurred 36.7 seconds after launch, when the guidance system's own computer tried to convert one piece of data (the sideways velocity of the rocket) from a 64-bit format to a 16-bit format. The number was too big, and an overflow error resulted.

    When the guidance system shut down, it passed control to an identical redundant unit, which was there to provide backup in case of just such a failure. But the second unit had failed in the identical manner a few milliseconds before. And why not? It was running the same software," the article stated.

    4. Airbus A380 suffers from incompatible software issues (2006)

    The Airbus issue of 2006 highlighted a problem many companies can have with software: what happens when one program doesn't talk to another. In this case, the problem was caused by two halves of the same program, the CATIA software that is used to design and assemble one of the world's largest aircraft, the Airbus A380.

    This was a major European undertaking and, according to Business Week, the problem arose with communications between two organisations in the group: the French Dassault Aviation and a Hamburg factory.


    Put simply, the German system used an out-of-date version of CATIA and the French system used the latest version. So when Airbus was bringing together two halves of the aircraft, the different software meant that the wiring on one did not match the wiring in the other. The cables could not meet up without being changed.

    The problem was eventually fixed, but only at a cost that nobody seems to want to put an absolute figure on. But all agreed it cost a lot, and put the project back a year or more.

    5. Mars Climate Observer metric problem (1998)

    Two spacecraft, the Mars Climate Orbiter and the Mars Polar Lander, were part of a space programme that, in 1998, was supposed to study the Martian weather, climate, and water and carbon dioxide content of the atmosphere. But a problem occurred when a navigation error caused the lander to fly too low in the atmosphere and it was destroyed.

    What caused the error? A sub-contractor on the Nasa programme had used imperial units (as used in the US), rather than the Nasa-specified metric units (as used in Europe).

    6. EDS and the Child Support Agency (2004)

    Business services giant EDS waded in with this spectacular disaster, which assisted in the destruction of the Child Support Agency (CSA) and cost the taxpayer over a billion pounds.

    EDS's CS2 computer system somehow managed to overpay 1.9 million people and underpay around 700,000, partly because the Department for Work and Pensions (DWP) decided to reform the CSA at the same time as bringing in CS2.

    Edward Leigh, chairman of the Public Accounts Committee, was outraged when the National Audit Office subsequently picked through the wreckage: "Ignoring ample warnings, the DWP, the CSA and IT contractor EDS introduced a large, complex IT system at the same time as restructuring the agency. The new system was brought in and, as night follows day, stumbled and now has enormous operational difficulties."

    7. The two-digit year-2000 problem (1999/2000)

    A lot of IT vendors and contractors did very well out of the billions spent to avoid what many feared would be the disaster related to the Millennium Bug. Rumours of astronomical contract rates and retainers abounded.

    And the sound of clocks striking midnight in time zones around the world was followed by... not panic, not crashing computer systems, in fact nothing more than new year celebrations.

    So why include it here? That the predictions of doom came to naught is irrelevant, as we're not talking about the disaster that was averted, but the original disastrous decision to use, and keep using for longer than was either necessary or prudent, double digits for the date field in computer programs. A report by the House of Commons Library pegged the cost of fixing the bug at £400bn. And that is why the Millennium Bug deserves a place in the top 10.

    8. When the laptops exploded (2006)

    It all began simply, but certainly not quietly, when a laptop manufactured by Dell burst into flames at a trade show in Japan. There had been rumours of laptops catching fire, but the difference here was that the Dell laptop managed to do it in the full glare of publicity and video captured it in full colour. (Unfortunately, the video capturing the incident appears to have vanished from the web. If you happen to own a copy, please send it to us as it should make interesting viewing again.)

    "We have captured the notebook and have begun investigating the event," Dell spokeswoman Anne Camden reported at the time, and investigate Dell did. At the end of these investigations the problem was traced to an issue with the battery/power supply on the individual laptop that had overheated and caught fire. It was an expensive issue for Dell to sort out. As a result of its investigation Dell decided that it would be prudent to recall and replace 4.1m laptop batteries. Company chief executive Michael Dell eventually laid the blame for the faulty batteries with the manufacturer of the battery cells, Sony. But that wasn't the end of it.

    Apple reported issues for iPods and Macbooks and many PC suppliers reported the same. Matsushita alone has had to recall around 54 million devices. Sony estimated at the time that the overall cost of supporting the recall programmes of Apple and Dell would amount to between ¥20bn (£90m) and ¥30bn.


    9. Siemens and the passport system (1999)

    It was the summer of 1999, and half a million British citizens were less than happy to discover that their new passports couldn't be issued on time because the Passport Agency had brought in a new Siemens computer system without sufficiently testing it and training staff first.

    Hundreds of people missed their holidays and the Home Office had to pay millions in compensation, staff overtime and umbrellas for the poor people queuing in the rain for passports. But why such an unexpectedly huge demand for passports? The law had recently changed to demand, for the first time, that all children under 16 had to get one if they were travelling abroad.

    Tory MP Anne Widdecombe summed it up well while berating the then home secretary, Jack Straw, over the fiasco: "Common sense should have told him that to change the law on child passports at the same time as introducing a new computer system into the agency was storing up trouble for the future."

    10. LA Airport flights grounded (2007)

    Some 17,000 planes were grounded at Los Angeles International Airport earlier this year because of a software problem. The problem that hit systems at United States Customs and Border Protection (USCBP) agency was a simple one caused in a piece of lowly, inexpensive equipment.

    The device in question was a network card that, instead of shutting down as perhaps it should have done, persisted in sending the incorrect data out across the network. The data then cascaded out until it hit the entire network at the USCBP and brought it to a standstill. Nobody could be authorised to leave or enter the US through the airport for eight hours. Passengers were not impressed.

    [*Written by Colin Barker, ZDNetUK, News.com. Posted on ZDNet News: Nov 27, 2007 12:00:00 AM. Also posted as "ZDNet UK's list of top 10 IT failures" by Michael Krigsman @ 7:39 am]

    Staff&Stuff

    Sujoy, Deputy Program Manager

    BCM Institute India

    Sujoy works with BCMI India as a Deputy Program Manager for the last 1 years. He is responsible for managing the sales and logistics of our in-house and public training programs across India & the Middle East.

    He gives a description of himself: I was born in early 1984 and graduated with a Bachelor of Business Studies (Marketing) from Delhi University in 2005. I am currently single, and intend pursuing an MBA once I have gained relevant work experience.

    I believe in making life as exciting as possible, raising my personal standards at every opportunity. Since BCP is still at its growth stage in India, marketing and selling BC programs is exciting and a challenge that I look forward to everyday. Indian companies need BCP expertise and I view my work in BCM Institute as a valued service to these organizations. It has been a highly satisfying, learning experience. I feel especially proud whenever we are regarded as domain experts and gurus by some of the world's most respected organizations.

    I enjoy motorcycling in the mountains, travel, adventure sports like white water rafting, playing computer games and reading books on military topics.
