Description
This webinar with Alastair Parr, SVP Global Products and Delivery at Prevalent, shows how to develop a strategy for strengthening business resilience that covers internal continuity metrics and tactics for assessing suppliers.
The webinar covers the following topics:
- Which supply chain factors need to be considered?
- How standard processes should incorporate broader context and exception management
- The impact of reporting, incident management and communication
- The principles of continuous management for evaluating a business continuity plan
- The role of recovery
Watch this webinar to gain insight into common frameworks and examples for benchmarking your third-party risk management program.
Speakers
Alastair Parr
SVP Global Products and Delivery at Prevalent
Transcript
Peter Schumacher: Welcome, and thank you for joining our webinar today, "10 Steps to Comprehensive Business Resilience", with Alastair Parr, Senior Vice President of Global Products and Delivery at Prevalent. My name is Peter Schumacher, and I'm your webinar moderator for today. Before we begin, I'd like to cover a few housekeeping items. First, a reminder that all attendee lines are muted. We do want to make this session interactive, though, so please feel free to submit your questions via the live Zoom console. At the end of the hour, time permitting, we'll hold a live Q&A session. Today's webinar is being recorded, so you will receive a recording by e-mail in the next few days. I know you're not here to listen to me, so I'll now hand over to Alastair. Thank you, and over to you, Alastair.
Alastair Parr: Yes, thank you, Peter. Hello everyone, good morning, good afternoon, wherever you are in the world right now. Unfortunately I don't have Peter's sonorous voice, but I hope you'll bear with me for the next hour. We'll start with a few housekeeping notes. I know Peter has already covered the main points, but just to repeat what we'll be talking about: I'll first introduce who is here with me today before we get to the heart of the matter and go through some details. We'll have a Q&A section, so if you have any questions, feel free to use the questions section of the Zoom window and the interface itself. We're here for an hour. I'll spend around 30 to 35 minutes covering some of the key topics. We also have a couple of guest speakers. Adam Kales is with us today. Adam is one of our Managing Consultants here at Prevalent and has spent a lot of time working directly with our customers on measures to strengthen third-party business resilience. Adam will kindly give us a roughly 10 to 15 minute overview of sample content he has built that has proven itself in practice. That material is available and can be accessed on the Prevalent website; we'll talk about that right at the end. There are no fees or costs, you can access this content at any time, and we'll give some insight into it at the end of the session. We also have Thomas Humphre with us today. Hello Thomas, are you there?
Thomas Humphre: Hello. Yes.
Alastair Parr: Hello Thomas. Thank you. So Thomas is our content manager, and Thomas will be talking a bit about some of the regulations and frameworks that have either come out in recent years or are expected to emerge over the next couple of years in regards to business resilience. So, to highlight today, we will generally be talking about good practice around third parties, specifically around business resilience. Okay. So, to begin, I appreciate this is probably quite straightforward for a lot of people, but what is business resilience and why is it valuable? Now, as I'm sure you can see from the screen in front of you, there are multiple areas that touch on business resilience. It's not limited to a single factor. A lot of what we tend to focus on is the supply chain resilience piece at the bottom right, and that's something that's very often overlooked in day-to-day management of suppliers by and large. A lot of the organizational resilience measures that we've seen, particularly in the advent of COVID-19, were focused internally. They were looking at incident response. They were looking at business continuity and crisis management, human resources. Yet very, very few organizations we saw factored third parties into their pandemic planning, those that had pandemic planning at all. So, when we're looking at business resilience as we talk over the course of today's session, we really see it as an amalgamation of different areas, focuses and domains which enforce that continuity of service. So it isn't just limited to those internal use cases; it is very much external as well. And we appreciate that communications and interactions between all of these key facets make up an effective business resilience mechanism. So what is business resilience and why is it valuable? Well, apparently in the last few months, as we've all seen, unfortunately, the business does need to prepare for factors which are outside of its control.
And that's not as easy as perhaps a while back, where we had somebody sitting there changing backup tapes. Business resilience is a far more encompassing environment now, where we do have to focus on all these different capabilities and considerations. So where does supply chain factor into the entire business resilience piece? As a concept, most organizations are considering third parties as an external function, and rightly so in some respects, to what they do. But the reality is, when you actually start looking at third-party risk, that blurred line between internal and external isn't really there. That third party is ultimately managing systems and assets and enabling us to generate revenue in much the same way as anybody else in the organization does. But the key challenge with it is that we don't necessarily have visibility into what they're doing, we don't have ownership over how they do it, and we have that complexity around integrations. Now, a lot of organizations we speak to try to manage that using three key areas. There's the communications aspect: how often do we communicate? Then SLAs: how do we track success with our third parties? And then of course incident management: how do we extract the necessary data that we need from them in the event of an issue? But by and large, most organizations we speak to are still psychologically wedded to the concept that a third party is external, and don't necessarily incorporate it into their wider governance and business resilience planning. So when we're looking at mature environments and mature customers, what we typically tend to see now is that every single thing that they apply internally in their organization needs to be applied to third parties too.
So the governance aspects of it, the audit and compliance remits that they mandate, the risk management and tracking, the incident management aspects, everything that I showed you a couple of slides ago needs to be woven into the third-party estate as much as it is internally. So this concept of internal versus external is removed, and we are ultimately looking at critical assets or critical functions of the organization, and that could incorporate contractors, service providers, internal users, assets, etc. The line is certainly blurred now. Okay. So, as a tip, what standard processes are typically being used broadly in business resilience? What we tend to see is a record, respond, recover concept. A lot of what we're focusing on here is ultimately looking to understand how we manage incidents and events once we're dealing with all of our critical assets in the business. And that starts, of course, with ownership. The organizations we deal with who tend to be relatively unprepared in this situation really need to start with that ownership: who do they need to allocate responsibilities to in the business? This is an endemic issue that we tend to see, where organizations don't have somebody assigned to manage critical assets and provide visibility to the people who need to know, whether that's legal, procurement, infosec, risk, compliance, etc. Nobody really tends to understand what the context around an asset or something critical for the business is, or how it is functioning. So starting with ownership and finding who'll be able to give us clear answers on situations is key.
And when we start looking at incident management on the whole, we appreciate that we need to do things such as start recording key processes, obviously, understand what they're doing, analyze how they function, build up alternatives wherever we can, understand what is truly revenue-generating and therefore mandatory, and what is mandatory based on regulation as well. So, do we need to process data in a particular way? We can't, say, transfer all the personal data processing to a different third party without suitable due diligence or analysis. There's a lot of complexity involved in identifying and recording what it is that we actually intend to do with that data and that entire data set. Now, in the face of COVID-19, a lot of the organizations we dealt with are really starting this whole record process from scratch. They will have business resilience in the form of data outages and shortages, but aren't necessarily looking at the critical assets and functions of what they do. For example, when we start looking at sectors such as retail, where they don't entirely have the distribution networks available to do, say, on-premise deliveries in the same sense, they rely on bricks-and-mortar stores. Organizations we're speaking to are (a) having issues with supply chains, understanding how they can source the goods that they need, and then (b) in turn focusing on distribution, or redistribution as it may be. Now, in retail, the organizations we've spoken to who've had the most success have of course considered that from the outset. So they've got distribution partners for downstream. They've been able to scale, say, with food deliveries for the food retailers, for example; they have those mechanisms in place, and that is very much reliant on third parties supporting them. It wasn't a case of bringing in teams and teams of contractors in the short term, while that may help in some bricks-and-mortar stores.
It was about understanding how they can work around the issue that they have been presented with. So if a supplier is unable to provide, or they're unable to open, say, certain sites and facilities, can they think outside the box and find other, alternative ways of conducting business in order to drive that revenue? So it's not just a case here of recording the exact same capability that we would be trying to address. It's not a direct mirror. And then finally, when we start looking at respond and recover, really what we are touching on here is some of the resilience planning for incident response. So once an event has happened, how do we communicate effectively? And in the face of COVID-19, most of the organizations we speak to are really starting to touch now on some of the post-event improvement aspects. Some normality is, of course, returning to some states in the US, and we appreciate now that with that normality comes the ability to start looking at how they can address it in the face of, say, a COVID resurgence, if they have to return to a lockdown situation. How can that be managed effectively without having the same outages that they've experienced in the first place? So that ties into recovering, reducing downtime and of course improving customer confidence and being seen as agile and resilient. So, it's generally a long path, but the key takeaway I'd really share here is that record piece. We need to make sure that we have clear, concise ownership, that we're aware of what it is we're actually trying to maintain, and that we focus on critical assets in order to do that. So, what do I actually need in order to make this function and be effective? We need lots of collaboration, clearly work, and certainly luck.
I think it's fair to say most organizations we've dealt with in the face of COVID-19, for example, have been either extremely lucky or have in turn had to deal with some of the repercussions from a lack of resilience planning around business resilience, particularly around their third-party supply chains and downstream deliverables to customers. So, as a brief bit of insight, there is a resilience gap study that was conducted with 4,000 stakeholders who were responsible for and ultimately owned the resilience processes in organizations, and these ranged from small mom-and-pop style shops up to large multinationals with hundreds of thousands of employees. But universally, it seems, or at least 34% of them, blamed complexity as the biggest barrier. So if we look back at our previous process slide here, it's about the complexity of the working environment. How do we understand what it is we're actually doing? And I think that's shared beyond business resilience; it is again a factor in risk management, compliance, audit and so on. 20% of them blamed siloed business units, so a lack of communication internally within the organizations, and 24% again blamed poor visibility. So fundamentally, complexity and a lack of internal communication are key. So what we generally recommend to people is to look inside the organization before you start looking outside at third-party resilience. So if we're looking internally at the business, what types of context ultimately are we looking to consolidate? Much like data discovery as a whole, it's the who, the what, the where, the why, the how. So who or what parts of the business have critical information? What is that critical information, or services or processes, and how do they function? Where is it being stored and how is it being stored? And then why? So does it genuinely need to be there?
To touch on the point again from earlier, one of the biggest challenges we see when we look at business resilience planning is that people try to mirror what they already have, and that's not necessarily the case. We've seen situations in COVID-19 with customers, surprisingly, where they've enforced some robust resilience plans and they've realized that they've been able to function in a less standardized state, and they've been able to actually maintain some of their resilience plans moving forward. So they've not actually reverted back. They've saved money on some operational expenses because they've been forced into realizing that there are alternatives to how they currently function. A good example of that would be the remote working capabilities, where we suddenly see reams and reams of previously office-based workers now suitably working remotely, and teams realizing the resulting savings from not filling up office space the whole time. So the who, the what, the where, the why and the how. Look at it almost as a data mapping exercise, where we want to understand what is critical to the business, what is revenue-generating, and much like when we start looking at data mapping again, we can start building up visual maps to understand what's actually happening in the business and let us prioritize what we need to. The reality is we won't need to ring-fence business resilience around all third parties or around the entire organization. We simply need to be able to classify the type of process, identify where it is, how often we actually tend to conduct that activity, whether it's subject to any governance or oversight. It might be a regulated process for some reason. Does it touch on regulated data? Do they need physical access in order to achieve that, and so on?
All of that can ultimately be fed into a simple calculator to help you prioritize and identify what is most critical and what ultimately carries the highest amount of risk in trying to maintain it in the event of a resilience situation. And to make that effective, of course, organizations change over time. We recommend doing that internal mapping for business resilience at least quarterly if you can, certainly annually for the organizations where quarterly is too aggressive, but we would be looking for a regular and consistent review of where that data resides. It does need to touch on technology capabilities as well, of course. So we need to understand what technologies are necessary in order to make that function happen, and then of course you can use things like e-discovery technologies internally within the business to actually identify if that is truly the case. Quite often, one of the issues that we pick up on is that the business will say, "I am truly a critical process, I'm a real necessary function of this organization," as they're naturally going to say, but the reality is, when you actually start doing things like e-discovery on what they're actually doing, quite often we find out that reality doesn't necessarily meet what the business is telling us. So for those who have the capabilities and resources in hand, you can certainly work with teams such as the data loss prevention teams to start actually tracking, say, key critical information, whether it's business-sensitive data, whether it's customer information or so on. You can usually use that to pinpoint some of your resilience focus and of course then raise discrepancies with owners and purge areas from your resilience planning where necessary.
So, in the face of COVID-19, naturally (I'm sure we're all sick and tired of it), in recent months this image probably looks like some business centers scattered across the globe. But would it have addressed exceptional circumstances based on COVID-19 and what we've seen? I appreciate it's pandemic-related, but the answer is simply, well, no, not necessarily. Most organizations we've spoken to feel that there are things they could have done better in the face of, say, the pandemic, but certainly having that additional visibility would have given them the comfort and the insight and the knowledge to be able to react better. And that's ultimately all that we're trying to do here with business resilience: can we at least try to maintain critical business functions in the best way possible, and if we learn a few things along the way, we're all the better for it. So what reporting is important in order to be prepared for business resilience, looking at third parties and internally? Coverage, visibility, ownership and improvement are the key areas that we've picked up on. We've seen success in using maturity assessments against this. So you can use the Carnegie capability maturity model to self-assess yourself between one and five across each of these domains and then give yourself an overall rolled-up score. But from a coverage standpoint, again, how frequently are you doing assessments in the business? Do you have comprehensive coverage of the organization? Do you have onboarding workflows for the business in order to assess awareness of anything that's been added or that's new? And of course, are you including third parties in that piece? From a visibility standpoint: assessment types. Do we look at critical information? Are we focused on outsourcing activities as well? Is it limited to just data privacy or risk-based assessments? And do we cover resilience? And then the reporting mechanisms and strength.
How do we actually report this back up to the organization? And of course assessment cadence there again, and evidence management. So how do we collect and store evidence and build those plans that enable us to work effectively? Looking at improvement factors: what audit mechanisms, how do we feed that back to any audit teams that we have? Remediation definition: how do we define what we're actually going to achieve and what's viable? And we've seen organizations use things such as FAIR models or their own internal calculations to estimate cost versus return for business resilience. That certainly is viable. Then program roadmaps and the steering groups. We do recommend for resilience, much like you manage risk, where you may have risk committees or steering groups or working groups, incorporating business resilience, particularly for third parties, in some of those sessions. Outages are of course a risk and should get fed into the standard risk models. Now, ownership. Something hopefully we're articulating here clearly is the fact that to manage third-party and internal business resilience, there is a requirement to have internal owners within the business who have responsibilities. We won't ever be successful in managing business resilience without that. If it's a small organization, we might be okay, because we can generally touch on those processes. But if it's a large organization, or it's ever evolving, the complexities are there, and we need subject matter experts in the business to feed into our resilience planning. And that feeds into our delegation of duties. The more that we can get the various asset or process owners to manage, the more prepared we're going to be. We get asked a lot of questions about incident management. Now, incident management is of course pretty key, and we saw many, many incident management plans come about in the face of COVID-19.
But any incident management plan really needs to consider reporting. So the communications plan needs to understand who we're going to talk to and how. Identification mechanisms: do we have simple, defined types of incident that we can react accordingly to, so we're invoking the right people? Event planning: tied to those cataloged events, we should be building playbooks that are reviewed regularly. We see customers doing things like tabletop sessions to assess their suitability to react to those situations. I appreciate some parts of the business see that as a bit of fun, but the reality is it does actually psychologically start getting people used to this concept of dealing with events following playbooks. And then, of course, reactions. So comms need to focus on what we're doing to fix an issue, and overcommunicate. For those of you involved in any cutting-edge development or technology or anything like that, appreciate that the most important thing when you're offering a service is communicating, and overcommunicating is key in an incident. Tied to that, timely identification: we want to make sure that we are able to identify an event quickly and readily, and part of that is making sure that our third parties have mechanisms to report back to us and say we've had an incident, whether it's a data breach, a service outage, a change of ownership, whatever it may be. There need to be clear mechanisms internally and externally for highlighting something that's considered an event. When we're looking at notifications, appreciate that with situations such as GDPR, there might be requirements to notify customers within 72 hours of any breaches or issues. So be mindful of time frames, whether you have regulatory mandatory time frames or self-imposed time frames. Make sure that anything you build for your resilience plans is embedded into that press release.
Something that we've been inundated with again over the last few months is how do we control the talk tracks of these pieces, and something we've been exposed to a fair amount here is how do we communicate things well to large volumes of people. Quite often you can draw in, say, obviously the PR teams if you have them. Otherwise, the marketing teams, funnily enough, seem to be very aware of how to effectively communicate a situation. Much like when you manage third-party risk assessments or deal with third parties, you can speak to your marketing guys, because they quite often can support or provide guidance on how to manage these things. Associates. So, inform your providers and partners. Something that gets overlooked very often is that lateral communication, as well as the internal communication. Everybody focuses in an event on speaking to customers, and there's certainly a requirement there to have clear, concise guidance for communicating to partners, associates and of course internally. The amount of damage you can see from an incident happening, or an outage happening, and then not communicating that through the business effectively means you lose that internal impetus to drive things forward. So we would definitely recommend people focus on that internal communication as well. So, moving on then to continuous management. We've spoken about quarterly or annual reviews, pulling data from the business as it's ever evolving and ever changing. Something we deem very important here is the cadence for how we manage business resilience. So how do we report it? How do we escalate it? How do we consistently enhance and assess it? A lot of organizations have been dealing with the implementation phase in the last couple of months and are now starting to move towards the review and enhancement phases. So for us, successful business resilience starts with success criteria.
What are we actually trying to achieve? So, not defining too broad a scope is key. It's got to be very, very finite and focused on what we have to do: discovering that within the business, documenting what we need, signing off on what that new resilience plan looks like, and then getting the stakeholders to self-manage each of their respective elements. And then, of course, ongoing testing, updates, reporting, content alignment as the business evolves, and then moving on to general, broader business efficiency. So when you look at the continuous management of business resilience as a whole, it's very much about defining a manageable and accurate scope and then providing the capabilities for the various feeds, whether it's the internal business users or third parties, to update that over time. If it's a static document sitting in a SharePoint or Teams folder somewhere, then that means we're already halfway to losing the battle. So finally, how resilient should I be? Of course it's all about being proportionate. There are resources out there, ISO 22301, 31000; Thomas will be talking a bit about those in a few minutes, but fundamentally it's about being proportionate. We could certainly use risk management methodologies in order to improve our business resilience capabilities. So, speaking to the business, understanding what's happening, we could focus on being business-enabling. Much like information security, it's very easy for business resilience to start being seen as a blocker as opposed to an enabler, when really all it is is making sure that people can get the job done. A cost-benefit analysis is naturally very, very important to all of this. We need to be aware that any measures we take in order to, say, maintain a hot site that's available 24/7 may be disproportionate to the actual functions that it's supporting.
So we certainly recommend reviewing whatever you've built for business resilience to make sure that it's actually financially viable or justifiable, and then of course make sure, from a governance standpoint, that you're not overlooking anything key. We are hearing various conversations with people who have had to make sudden changes in the face of, say, COVID-19, and are dealing with the potential flak from that downstream as regulators etc. start querying how people have been reacting to it. The ones we're talking to generally have a bit of understanding of the situation, but nonetheless we are seeing situations where regulators are looking at organizations to see how their resilience has been in the pandemic situation, and for some it has not been looking good. And to reiterate the same point: be proportionate. Everything that I've been speaking about conceptually here (and we'll move on to some of the tactical details in a moment), everything that we've been talking about here is about proportionality. If we're dealing with third parties, if we're dealing internally within the business, if we're dealing with business stakeholders etc., there are so many moving parts to this that it's only effective if we ring-fence the very, very key and critical aspects of what we need to achieve and work there in order to make it continuous. So finally for me then: business resilience recovery is also important, and as we've been seeing over the last couple of months, that return to normality isn't as simple as it may have seemed. So we're seeing, as I said, certain functions have proven to potentially be more effective in the resilience situation. People working remotely, for example: there seems to be some continuation of that happening as lockdown is gradually being eased across the globe.
But in certain aspects as well, we're seeing supply chains fall apart, where entire organizations that have been providing core services to some of our customers have just simply disappeared. So there have been strong efforts to try to find alternatives, backup plans, etc., and third-party procurement has been back in the fold again to look at alternative providers, backup providers, etc. So providing things like backup lists for organizations is certainly not a bad thing. But by and large, we're generally seeing that as people revert back from, say, COVID-19, there have been lessons learned, things that they are taking on board and continuing, and of course black holes or situations that they need to fix. So now, moving on to some insight into some recommended frameworks. We're going to talk for about five to ten minutes here. We've got Thomas speaking about some of the standards and frameworks that he's been dealing with that could serve as a good foundation for any of your business resilience means. Thomas, are you with us?
Thomas Humphre: Ja. Hallo. Danke, Alistair. Äh, kannst du mich hören?
Alistair Parr: Das kann ich machen. Ja. Danke.
Thomas Humphre: Ausgezeichnet. Also, ja, ich meine, natürlich muss man über die Widerstandsfähigkeit und Kontinuität von Unternehmen nachdenken. Offensichtlich ist es immer wichtig zu überlegen, ob es bewährte Verfahren gibt. Gibt es Rahmenwerke? Gibt es Methoden und Modelle, die verwendet werden können, die nicht nur aus Sicht eines Kunden, eines Partners oder einer Aufsichtsbehörde anerkannt sind, sondern auch dazu beitragen können, die Art und Weise, wie wir mit der Kontinuität von Unternehmen umgehen, zu formalisieren und zu gestalten. Einer der am weitesten verbreiteten und vielleicht bekanntesten dieser Standards und Best Practices ist sicherlich der von der ISO, der Internationalen Organisation für Normung. Das ist die Norm 22301, die vor vielen Jahren die britische Norm 259 ersetzt hat. Ich würde sagen, dass dies die am weitesten verbreitete Norm für die Entwicklung, Aufrechterhaltung und Verbesserung eines Business-Continuity-Managementsystems ist. Wie viele ISO-Normen baut die ISO ein System auf, das durch Zertifizierung ein gewisses Maß an formaler Anerkennung ermöglicht. Außerdem baut sie eine breitere Familie von Normen darum herum auf. Dabei wird häufig die ursprüngliche Norm, in diesem Fall 22301, als Grundlage verwendet, aber dann werden umfassendere Leitlinien angeboten, sei es für einen bestimmten Sektor und eine bestimmte Branche oder für einen breiteren operativen Einsatz. Auch dies ist etwas, das ich ebenfalls entwickelt habe. Es gibt also Leitlinien für das Management der Lieferkettenkontinuität, zum Beispiel die Norm 22318, die ebenfalls interessant ist und derzeit entwickelt wird. Interessant ist auch, dass es außerhalb der kontinuitätsspezifischen Normen auf internationaler Ebene, wo ISO immer angesiedelt sein wird, andere Normen gibt, insbesondere auf lokaler Ebene, die sich entweder mit lokalen Themen oder lokalen Interessen befassen oder einige der besten Praktiken von ISO übernehmen und eher einen nationalen Rahmen schaffen. 
One of the areas Alistair mentioned on the previous slide was certainly the BS 65000 standard on organizational resilience. Singapore has for a long time had a standard that focuses exclusively on disaster recovery for the ICT sector. And in the United States, the ASIS BC GDL standard deals extensively with emergency preparedness, crisis management and disaster recovery and is developed in collaboration with ANSI, the American National Standards Institute. So it is quite common for local standards bodies and even government agencies to develop their own frameworks and best practices. Looking beyond that, and a little further at ISO itself, you often find other frameworks and standards in frequent use, such as 27000, the standard for information security management systems, which also touches on continuity, but in a specific way. For example, 27001 deals with how organizations handle information security requirements when planning for business continuity and resilience. Quite an interesting topic, particularly recently, given what happened at the start of the pandemic, with many countries around the world imposing lockdowns that forced businesses to close very quickly. Was information security a central consideration, and was it taken into account given the very short lead time in which organizations were forced to enable home working for their staff, particularly those who may not previously have been used to that kind of working scenario?
So all of these standards try to formalize an approach to governance and create a framework that enables the identification of continuity plans, recovery processes and a methodology for assessing and continually reviewing those plans, to ensure they remain fit for purpose in light of the identified impacts of the disasters relevant to the organization, and to continually improve and refine how continuity is shaped within the organization, while at the same time covering wider critical aspects such as communication, which Alistair touched on earlier. Are you communicating effectively with customers and third parties? If you have critical third parties, particularly those considered sole suppliers, how do they feed into your planning and your planning process? And how closely do you work with them when the worst happens and you have to activate your continuity plan and framework? So there is a wide range of standards and frameworks. Certainly ISO 22301, recently updated in 2019, is the most widely adopted and best known. But it is certainly interesting to see that there are many localized standards, such as the Singapore standard SS 507 or that ASIS BC GDL standard from the American National Standards Institute. Alistair,
Alistair Parr: Thank you very much. Okay, great. Very insightful. We now come to some examples, some quick-start examples. Adam is with us today. Adam, are you on now?
Adam Kales: Yes. Hello, Alistair.
Alistair Parr: Hello. I'll hand the screen over to you now and hope you can give us a little insight into some of the content we normally like to see in terms of business resilience.
Adam Kales: Perfect. Thank you. So, I'll share my screen momentarily. Okay, hopefully you should be able to see my screen and the business resiliency plan. Okay, so what we wanted to do when all this started with COVID-19: we identified that there may be a number of organizations out there who hadn't previously concentrated on business resiliency. That wasn't one of their main focuses. And because of that, they may be considered slightly immature in terms of the documentation, the processes and the procedures that they have around business resilience. So we wanted to be able to provide a suite of templates which are adaptable enough to be used by a range of organizations, both in terms of size and type of organization, in terms of the services that they deliver, and whether they are at the beginning of their business resiliency journey or already have a mature resilience program in place. These documents are designed either to be used as their initial core documentation, or certainly elements can be extracted from them to be incorporated into their current business resiliency program. And the idea is that this is provided to you as a free resource, available through our portal, through our website, from which you can cherry-pick those elements which best suit you and also pass them on to your third parties if they themselves need some assistance in improving their business resiliency processes. So what you have in front of you is one of the core documents you'd expect to see as part of your business resilience program. So we have the business resiliency plan, and this provides those core elements. So certainly I wouldn't consider this to be the be-all and end-all, but certainly the initial starting point of this template, from where you can take this and then start running and start the core elements of your business program. Okay.
So it includes things like the business continuity strategy, the overarching statements of how you're going to approach business continuity. The scope, responsibilities, plan invocation. So when is the business resiliency plan, and those incident response plans, going to be put in place? Who the primary stakeholders are, and then falling out of that a number of annexes, which will include the business impact assessment, risk assessment, a RACI matrix, a critical third party register, critical third party gap analysis and maintenance requirements. So this is certainly one of those core documents that you would want to see in place. So moving on, we have a third party business continuity gap analysis. So the ability to understand and identify who your critical vendors are. A critical vendor being somebody without whom you would either, one, not be able to continue functioning and providing the services that you provide, or two, it would have such a severe impact that it would severely diminish your ability to provide your services and your products. Okay. So with that as well, as we scroll down, it has some overarching information on how you would approach conducting that gap analysis and then utilizing perhaps some form of automation to be able to deliver this at an enterprise level. Okay. Then we have the business impact analysis procedure. Okay. So this lays out in a very short and high-level way the scope, responsibilities and the procedure that you need to follow to conduct a business impact analysis. Okay, including recovery point and recovery time objectives. And as you can see, we have made it adaptable enough that, if you wanted to, you can simply insert the relevant details to make it specific to yourselves and then you can start using this template immediately.
What we also have, linked in with those annexes that we covered in the first document, that business continuity plan, is a number of annexes here. So we have the business impact analysis. So a tabular format where you can identify a critical system or service, the process or activity that system provides, and an impact score. Now, this may be quite subjective or objective depending on the amount of data and information that you currently have available. And certainly, if you're able to draw on existing data resources that you may have produced through any form of information security or data mapping process activities, then you can certainly utilize that in determining what the impact and the likelihood of the system failing are and, if it does fail, the impact that it may have upon your organization; establish RTO and RPO timelines and also the minimum time to return that service back to full functionality. Okay. The minimum resources needed. So essentially, for these systems and services to continue functioning, what are the minimum requirements you need, as an absolute minimum, to continue with those systems? Okay. And the priority of what it means to you as an organization. We also incorporated a risk matrix as some form of guidance as well, including a level of terminology. Moving on, we have a template for risk assessments. Okay, being able to conduct a risk assessment against a particular resource, the risk description and so on throughout. So in the same manner as you would have a risk register for information security risk, for instance, you can have one specifically tailored to business continuity requirements. A RACI matrix has been provided, and again these are here as suggestions of some of the more likely areas that you would want to consider, but certainly introduce your own or adapt it specifically to how your organization works.
We have the critical third party register. So once you have identified those critical third parties, being able to record that they are a critical third party and those key contact details: who the service owner is internally, who the external supplier relationship manager is, the supplier contact and any additional comments associated with it. So once you've conducted a gap analysis, so for instance, if you have a critical third party and they were to go down, what would be the fallback procedure for that? And if you identified that there is a gap, then you'd be able to annotate that in a register such as this. Moving on to maintenance requirements. So this brings to mind any resources that you would need to use as part of business continuity and business resilience. So for instance, it was mentioned earlier on about remote working. So certainly before COVID-19 there may have been a number of people who were used to just going into the office, and working from the home environment was a rarity more than anything. But suddenly you needed all these additional resources, for instance laptops. And you have this resource of laptops which under normal circumstances wouldn't be utilized. But what you need to do, for the time that you do need to literally pick them up and run with them as such, is make sure they are in an acceptable condition for you to be able to use straight away. So what does that mean? That means that we have antivirus on there, firewalls on there, that the software has been updated appropriately, simply that they're charged, that they have been checked over recently. And all these maintenance requirements, whether it's a laptop, some form of generator, backup locations or premises, whichever the case may be, can be stipulated down here and, importantly, an owner assigned to it so they are aware that they have ownership over those particular maintenance requirements.
So moving swiftly on, a third party discovery template. So we mentioned identifying your critical third parties and what are some of the elements wrapped around that. So for instance, we have a number of risk factors associated with it which will help you determine if a supplier is considered green, amber or red, and a number of high-level questions which you may want to consider asking to determine what may be considered a critical third party. And it could be based on the type of service being delivered, the types of data that they interact with, for instance if the supplier is the sole provider of a service, and also how they transfer data and information across, including any specifics to you as an organization and any other attributes that you want to include, which will then start to build up a picture of the criticality of your third parties. Okay. Now, what we have designed as well is a number of communications templates. So communication throughout all this process, even before this has started, communication is key. Communication in terms of understanding what the business resilience plan is, what it means not just to the organization but to individuals who are key stakeholders in this, who have key responsibilities in this as well. But also moving into when we have to enact those business resiliency and incident response plans, for instance, in terms of getting the information across, directed at the right people at the right level and at the right time. And so we have designed a number of communication templates, these being just a couple of those examples, both internal, so for instance to team members, to team leaders, to those in senior management positions; we have designed a template to fit each requirement. So for instance we have here: key personnel, internal, phase one, low infection risk.
So right at the very beginning, this is something that you may want to consider sending out to the relevant people internally within the organization. Moving on, we have a third party email template. So for instance, you want to communicate a clear, concise message directed to the right people in the right manner and in the right format. So whether that's by email, whether it's via social media, whether it's internal communication, whichever the case may be, you have a template ready to rock and roll so that you can utilize it and run with it when you need to. And you're not scrabbling around in the dark trying to pull something together very quickly. It's already part of the business resiliency process. What we also have is activation procedures and criteria guidelines. So again, certain prerequisites which you have predetermined, so that if these situations occur then you have a clear-cut procedure to follow in terms of what is activated, who is activated, who is informed and the process to follow. Okay, and those have been laid out in a high-level but detailed format. Then we have authorized communication methods. So it may be appropriate that certain communications are only appropriate for certain levels of communication or certain types of people that you're interacting with. And again, we have provided a template for you to be able to lay that down and record that as you move forward. We also have escalation paths, and we've provided some examples here of those various escalation paths for a number of different use cases. Okay. So we have, first of all, those staff contact numbers of the relevant key stakeholders who need to be informed, for office locations, for instance, for critical suppliers,
Okay, the information security team, and also things like security and technology, if it's specifically around that, who needs to be informed, starting at the CISO, for instance, and ending with information security analysts. And actually all this can be adapted to suit your particular needs. Okay. So again, we've alluded a couple of times to the fact that one of the big changes we've experienced is the amount of home working which has had to happen simply because we have not been able to go into the office locations, and that is still continuing very much now, and being able to work coherently and productively in the home environment, but also ensuring that you're maintaining good standards. So good data hygiene, for instance, making sure that you have the controls and procedures in place, in mind, working from the home environment as you would do working in the office environment as well. And what we've done is we have designed a remote working training package for you to either deliver through some form of online training session or send directly to whichever relevant users, home workers who are going to benefit from this, which presumably would be the majority of them. And covering topics such as data hygiene, going down to things like spam and malicious files at the end there, but also covering secure working spaces, making sure that you have those good measures in place. Set up a designated workspace, day-to-day home working, okay, a clear desk, clear screen policy, okay, so you can maintain those good working methods at home as you would do in the office environment. And then finally, to accompany that, a remote working policy. So wrapping up that training that you can either send or deliver with an actual remote working policy. So you have something that you can actually refer back to and you have guidelines in place for remote working. Okay.
So I believe that takes me to the end of, not all of that documentation, but certainly a good representation of what is available to you, and as I say, as a free resource for you to be able to access through our website. So, thank you very much for your attention.
Alistair Parr: Thank you, Adam. I appreciate that. Okay. For the last 5 to 10 minutes or so we'll now move into an open Q&A session. That applies to me, to Adam from a content perspective on what we have just seen, and of course to Thomas from a standards and frameworks perspective. So again, if you have any questions, feel free to enter them in the Q&A section of the Zoom session and we'll be happy to answer them. We have a question here for you, Thomas, relating to alignment with frameworks for business resilience. Would you say that aligning with a framework is mandatory, as we have to do with other regulatory requirements, or is it more of a nice-to-have?
Thomas Humphre: Yes, good question. It can actually be both. Organizations often find themselves required to go down the route of formal certification against a standard such as ISO 22301, either because of contractual obligations or because of rules from a regulator. As we have seen with other standards such as 27001, some sectors and industry bodies have made this a mandatory factor, for example for winning tenders and contracts. From a continuity perspective it is quite possible for this to happen. Outside of that, it is not mandatory, but I would always say it is highly recommended, particularly under 22301, above all because it is not only the most widely adopted best practice but also helps any organization, whether it is an MNC or a larger global multi-site organization, to establish a formal governance framework for developing a continuity practice within the business and to provide a framework for continually assessing and improving the approach to continuity and disaster recovery.
Alistair Parr: Thank you, Tom. I have a question here for you, Adam, regarding the content. We have actually received several questions about people's particular vertical market. Some customers say they are in retail, others work in B2B rather than B2C. They are asking how far they need to adapt this content to their use case. Adam, do you have any experience, thoughts or insights from implementing it across different vertical markets? Does there need to be a big difference between B2B and B2C verticals?
Adam Kales: Yes, very good question. Thank you. Essentially, the document gives you a starting point. Okay, so ideally, if you have nothing yet, you would use this documentation, which gives you an excellent starting point to build from. As I said at the beginning, though, it is not the be-all and end-all. Okay, this is, so to speak, the minimum you can expect, and ideally you need to adapt it to the specific industry you operate in so that it is tailored precisely to your organization. Without that adaptation you will still get value from it, but you will not get the additional value that comes from stamping your own way of working and your own organization onto it, and of course that involves a certain amount of time. If you have the time to invest in that research and analysis to work out where you need to bring in your own imprint and your own organization, then that will only help when it comes to actually using those business continuity plans and tailoring them specifically to you. So yes, I would say you need to adapt the documentation to get the most out of it, but as a starting point this is certainly a good way forward.
Alistair Parr: Fantastic. Thanks, Adam. I have a question here: would we recommend documenting detailed contingency plans for your critical suppliers in addition to the onboarding and continuous monitoring processes and controls across the whole lifecycle? I'll answer that one. Yes, we would definitely recommend not necessarily creating these in addition, but integrating them into your onboarding and monitoring processes. A good example of a successful approach is using the PCF (Prevalent Compliance Framework) or other alternatives you may have, where we integrate the information, the resilience and compliance requirements and of course the data protection requirements for data processing into the initial onboarding process. That way we get all the relevant information we need up front, and as we carry out our usual contract reviews with the customer, sorry, with the vendor, we make sure we check all of those points each time. That ensures you have a contingency plan for critical vendors as part of that onboarding process. It should be a risk in your risk management process if you do not have clear escalation paths and processes. We often see that older contracts limit what you can actually do with the vendor, as you may not necessarily have the right to enforce strict SLAs and so on. So we see customers updating their standard templates, and I understand you cannot necessarily impose these on the industry giants, who simply shrug and give you their templates, but definitely try to enforce terms in your contracts or in contract revisions that cover things like communication channels, escalation timeframes for communication and so on, directly with the supplier for contingency and business continuity. If we look at procurement, we are seeing a trend of organizations starting to have a primary and a secondary backup vendor they can engage at short notice. They do not have direct agreements with them, but you could at least lay the groundwork so that you can select something fairly quickly. Before I move on to the next question, I just want to say that Peter will shortly run a quick poll to round things off before we go through this last question. Please answer it while we go through this. We will take one more question before we wrap up here. This question is for you, Adam. Do you see the content we have covered today as fully transferable between internal and external areas? Would you expect us to manage vendors differently from the internal business?
Adam Kales: Yes, I would say there is a difference between managing internal stakeholders, the internal business units, and the way you manage your third-party vendors. As for the differences, that depends on how you are run as an organization, but the fact is that you have a contract with your third-party vendors and they provide you with a service. So you have a much stronger position in dealing with them when it comes to the expectations they themselves should meet, compared with your internal business units. With your internal business units it comes down to factors such as the internal resources available that they themselves need to fulfil their tasks. So I would say there is a difference between how you should treat internal stakeholders as opposed to your critical third parties, or your third parties in general.
Alistair Parr: Fantastic. Thank you very much, Adam. We're sorry we can't answer all the questions today, but if you would like to get in touch with us because you have questions or want more information on some of the content we have made available free of charge, please feel free to contact us. We'll be happy to help. I'd like to say a big thank you to you, Adam, for your insights today. We really appreciate it. And thank you too, Thomas. You have both made very insightful contributions. We will send you a link with a recording and information on these resources. Thanks again to everyone for listening and taking part today. Have a fantastic day.
©2026 Mitratech, Inc. All rights reserved.