Description
This webinar, featuring Alastair Parr, SVP Global Products and Delivery at Prevalent, demonstrates how to build a business resilience strategy that incorporates internal continuity metrics and supplier assessment tactics.
The webinar reviews:
- What supply chain factors to consider
- How standard processes should include greater context and exception management
- The impact of reporting, incident management and communications
- The principles of continuous management for assessing a business resilience plan
- The role of recovery
Watch this webinar and gain insights into common frameworks and examples for benchmarking your third-party risk management program.
Speakers

Alastair Parr
SVP Global Products and Delivery at Prevalent
Transcript
Peter Schumacher: Welcome and thank you for joining our webinar today, 10 Steps to Comprehensive Business Resilience, featuring Prevalent’s SVP of Global Products and Delivery, Alastair Parr. My name is Peter Schumacher. I’m your webinar host for the day. I’ve got a couple of housekeeping items to go over before we get started. So, first of all, this is a reminder that all attendee lines are muted. However, we do want to keep this session interactive. So, please feel free to submit your questions using the live Zoom console. At the end of the hour, time permitting, we’ll host a live Q&A. Today’s webinar is being recorded, so in the next day or so, you’ll receive a recording via email. I know you didn’t join to hear my voice, so at this point, I’d like to turn things over to Alastair. Thanks so much, and please take it away, Alastair.
Alastair Parr: Yeah, thank you very much, Peter. Hello, everybody, and good morning, good afternoon, wherever you are in the world. Unfortunately I don’t have the rich tonal voice that Peter does, but hopefully you’ll bear with me over the course of the next hour. So, we’ll start off with a brief bit of housekeeping. I know Peter has touched on the key elements, but just to reiterate what we will be talking about, I’ll do some introductions on who we have with me here today before we move into the meat of it and covering off some of the detail. So, we will have a section for Q&A. So, if you do have any questions, feel free to use the question section of the Zoom window and interface itself. We are here for an hour. I will be covering off some of the key topics for about 30 to 35 minutes, and then we have a couple of guest speakers as well. So we have Adam Kales with us here today. Adam is one of our managing consultants here at Prevalent and has spent a notable amount of time working on business resilience measures on third parties directly with our customer base. Now Adam is kindly going to share with us today about 10 to 15 minutes of an overview of example content that he’s produced that he’s seen work in action out in the field. So we have this data available and this content is available on the Prevalent website. We’ll talk about that at the very end. There’s no charges or cost associated to that; that’s readily available to you. We’ll give some insights into that at the end of the session. We also have with us today Thomas Humphre. Hello Thomas, are you there?
Thomas Humphre: Hello. Yes.
Alastair Parr: Hello Thomas. Thank you. So Thomas is our content manager and Thomas will be talking a bit about some of the regulations and frameworks that have either come out in recent years or are expected to emerge over the next couple of years in regards to business resilience. So to highlight today, we will be generally talking about good practice around third parties, specifically around business resilience. Okay. So to begin, I appreciate this is probably quite straightforward for a lot of people. But what is business resilience and why is it valuable? Now, as I’m sure you can see from the screen in front of you now, there are multiple areas that touch on business resilience. It’s not limited to a single factor. A lot of what we tend to focus on is the supply chain resilience piece at the bottom right. And that’s something that’s very often overlooked in day-to-day management of suppliers by and large. A lot of the organizational resilience measures that we’ve seen, particularly in the advent of COVID-19, were focused internally. They were looking at incident response. They’re looking at business continuity and crisis management, human resources. Yet, very, very few organizations we saw factored in third parties in their pandemic planning, those that have pandemic planning at all. So, when we’re looking at business resilience as we talk over the course of today’s session, we really see it as an amalgamation of different areas and focus and domains which enforce that continuity of service. So, it isn’t just limited to those internal use cases, it is very much external as well. And we appreciate that communications and interactions between all of these key facets make up an effective business resilience mechanism. So what is business resilience and why is it valuable? Well, apparently in the last few months, as we’ve all seen, unfortunately, the business does need to prepare for factors which are outside of its control.
And that’s not as easy as perhaps a while back where we had somebody sitting there changing backup tapes. Business resilience is a far more encompassing environment now where we do have to focus on all these different capabilities and considerations. So where does supply chain factor in the entire business resilience piece? So as a concept, most organizations are considering third parties as an external function, and rightly so in some respects to what they do, but the reality is when you actually start looking at third party risk, that blurred line between internal and external isn’t really there. That third party is ultimately managing systems and assets and enabling us to generate revenue in much the same way as anybody else does in the organization. But the key challenge with it is that we don’t necessarily have the visibility on what they’re doing. We don’t have ownership over how they do it, and we have that complexity around integrations. Now a lot of organizations we speak to try and manage that using three key areas. So there’s the communications aspect: how often do we communicate and how, SLAs, how do we track success with our third parties, and then of course incident management. How do we extrapolate the necessary data that we need from them in the event of an issue? But by and large, most organizations we speak to are still psychologically entwined to that concept of a third party is external and don’t necessarily incorporate it into their wider governance and business resilience planning. So when we’re looking at mature environments and mature customers, what we typically tend to see now is that every single thing that they apply internally in their organization.
So the governance aspects of it, the audit and compliance remits that they mandate, the risk management and tracking, the incident management aspects, everything that I showed you a couple of slides ago, that needs to be woven into the third party estate as much as it is internal. So this concept of internal/external is removed and we are ultimately looking at critical assets or critical functions of the organization, and that could incorporate contractors, service providers, internal users, assets etc. The line is certainly blurred now. Okay. So as a tip, what standard processes are typically being used broadly in business resilience? Now what we tend to see is a record, respond, recover concept. So a lot of what we’re focusing on here is ultimately looking to understand how do we manage incidents and events once we’re dealing with all of our critical assets in the business. And that starts of course with ownership. The organizations we deal with who tend to be relatively unprepared in the situation need to really start with that ownership. So who do they need to allocate responsibilities to in the business? And this is an endemic issue that we tend to see, where the organizations don’t have somebody assigned to manage critical assets and provide visibility to the people who need to know it, whether that’s legal, procurement, infosec, risk, compliance etc. Nobody really tends to understand what is the context around an asset or something critical for the business, how is it functioning? So, starting with ownership and finding who’ll be able to give us clear answers on situations is key.
And when we start looking at incident management on the whole, we appreciate that we need to do things such as start recording obviously key processes, understand what they’re doing, analyze how they function, build up alternatives wherever we can, understand what is truly revenue generating and therefore mandatory, what’s based on regulation is mandatory as well. So, do we need to process data in a particular way? We can’t say transfer all the personal processing to a different third party without suitable due diligence or analysis. There’s a lot of complexity involved in identifying and recording what it is that we actually intend to do with that data and that entire data set. Now, in the face of COVID-19, a lot of the organizations we dealt with are really starting this whole record process from scratch. They will have business resilience in the form of data outages and shortages, but aren’t necessarily looking at the critical assets and functions of what they do. For example, when we start looking at sectors such as retail, where they don’t entirely have the distribution networks available to do, say, on premise deliveries in the same sense they rely on bricks and mortar stores. Organizations we’re speaking to are a) having issues with supply chains, understanding how they can source the goods that they need, and then b) in turn focusing on distribution or redistribution as it may be. Now in retail the organizations we’ve spoken to who’ve had the most success have of course considered that from the outset. So they’ve got distribution partners for downstream. They’ve been able to scale, say with food deliveries for the food retailers for example; they have those mechanisms in place and that is very much reliant on third parties supporting them. It wasn’t a case of bringing in teams and teams of contractors in the short term, while that may help in some brick and mortar stores.
It was about understanding how can they work around the issue that they have been presented with. So if a supplier is unable to provide or they’re unable to open, say, certain sites and facilities, can they think outside the box and other alternative ways of conducting business in order to drive that revenue? So it’s not just a case here of recording the exact same capability that we would be trying to address. So it’s not a direct mirror. And then finally, when we start looking at respond and recover, really what we are touching on here is some of the resilience planning for incident response. So once an event has happened, how do we communicate effectively? And in the face of COVID-19, most of the organizations we speak to are really starting to touch now on some of the post-event improvement aspects. Some normality is of course returning to some states in the US and we appreciate now that with that normality comes the ability to start looking at how they can address it for, say, in the face of a COVID resurgence, if they have to return back to a lockdown situation. How can that be managed effectively without having the same outages that they’ve experienced in the first place? So that ties on recovering, reducing downtime and of course improving, you know, the customer confidence and being demonstrated as agile and resilient. So, it’s generally a long path, but the key takeaway I’d really share here is that record piece. We need to make sure that we have clear, concise ownership and we’re aware of what it is we’re actually trying to maintain and we focus on critical assets in order to do that. So, what do I actually need in order to make this function and be effective? We need lots of collaboration, clearly work, and certainly luck.
I think it’s fair to say most organizations we’ve dealt with in the face of COVID-19, for example, have been either extremely lucky or have in turn had to win and deal with some of the repercussions from a lack of resilient planning around business resilience, particularly around their third party supply chains and downstream deliverables to customers. So as a brief bit of insight, there is a resilience gap study that was conducted: 4,000 stakeholders who were responsible for and ultimately owned the resilience processes in organizations, and these ranged from small mom and pop style shops up to large multinationals with hundreds of thousands of employees. But universally, it seems, or at least 34% of them, blamed complexity as the biggest barrier. So if we look back at our previous process slide here, it’s about the complexity of the working environment. How do we understand what it is we’re actually doing? And I think that’s shared beyond business resilience; it is again a factor in risk management, compliance, audit and so on. 20% of them blamed siloed business units, so a lack of communication internally within the organizations, and 24% again blame poor visibility here. So fundamentally complexity and a lack of internal communication is key. So what we generally are recommending here to people is to look inside the organization before you start looking outside at third party resilience. So if we’re looking internally at the business, what types of context ultimately are we looking to consolidate? Now much like data discovery on the whole, it’s the who, the what, the where, the why, the how. So who or what parts of the business have critical information? What is that critical information or services or processes and how do they function? Where is it being stored and how is it being stored? And then why? So does it genuinely need to be there?
To touch on the point again from earlier on, one of the biggest challenges we see when we look at business resilience planning is people try to mirror what they already have, and that’s not necessarily the case. We’ve seen situations of COVID-19 with customers, surprisingly, where they’ve enforced some robust resilience plans and they’ve realized that they’ve been able to function in a less standardized state and they’ve been able to actually maintain some of their resilience plans moving forward. So not actually reverted back. They’ve saved money. There are some operational expenses saved because they’ve been forced into realizing that there are alternatives to how they currently function. A good example of that would be the remote working capabilities, where we suddenly see reams and reams of previously office based workers now suitably working remotely and teams realizing the results of savings by not filling up office space the whole time. So the who, the what, the where, the why and the how. So look at it almost as a data mapping exercise, where we want to understand what is critical to the business, what is revenue generating, and much like when we start looking at data mapping again we can start building up visual maps to understand what’s actually happening in the business and letting us prioritize what we need to. The reality is we won’t need to ring fence business resilience around all third parties or around the entire organization. We simply need to be able to classify the type of process, identify where it is, how often we actually tend to conduct that activity, whether it’s subject to any governance or oversight. It might be a regulated process for some reason. Does it touch on regulated data? Do they need physical access in order to achieve that, and so on.
All of that can ultimately be fed into a simple calculator to help you prioritize and identify what it is that is most critical and what ultimately has the highest amount of risk in order to try and maintain it in the event of a resilience situation. And to make that effective, of course, organizations change over time. We recommend doing that internal mapping for business resilience at least quarterly if you can, certainly annually for the organizations where quarterly is too aggressive, but we would be looking for a regular and consistent review on where that data resides. It does need to touch on technology capabilities of course as well. So we need to understand what technologies are necessary in order to make that function happen, and then of course you can use things like e-discovery technologies internally within the business to actually identify if that is truly the case. Quite often one of the issues that we pick up on is that the business will say I am truly a critical process, I’m a real necessary function of this organization, as they’re naturally going to say, but the reality is when you actually start doing things like e-discovery on what they’re actually doing, quite often we find out that reality doesn’t necessarily meet what the business is telling us. So for those who have the capabilities and resources in hand, you can certainly work with teams such as the data loss prevention teams to start actually tracking, say, key critical information, whether it’s business sensitive data, whether it’s customer information or so on. You can usually use that to pinpoint some of your resilience focus, and of course then raising discrepancies to owners and purging areas from your resilience planning where necessary.
So in the face of, naturally, COVID-19, I’m sure we’re all sick and tired of it, and in recent months this image probably looks like some business centers scattered across the globe. But would it have addressed exceptional circumstances based on COVID-19 and what we’ve seen? And I appreciate it’s pandemic related, but the answer is simply, well, no, not necessarily. Most organizations we’ve spoken to feel that there are things they could have done better in the face of, say, the pandemic, but certainly having that additional visibility would have given them the comfort and the insight and the knowledge to be able to react better, and that’s ultimately all that we’re trying to do here with business resilience: can we at least try and maintain critical business functions in the best way possible, and if we learn a few things along the way we’re all the better for it. So what reporting is important now in order to be prepared for business resilience, looking at third parties and internally? Coverage, visibility, ownership and improvement are the key areas that we’ve picked up on. We’ve seen success in using maturity assessments against this. So you can use the Carnegie capability maturity model to self assess yourself between one to five across each of these domains and then give you an overall rolled up score. But from a coverage standpoint, the point is again how frequently are you doing assessments in the business? Do you have comprehensive coverage of the organization? Do you have onboarding workflows for the business in order to assess the awareness of anything that’s been added or that’s new? And of course, are you including third parties in that piece? From a visibility standpoint: assessment types. Do we look at critical information? Are we focused on outsourcing activities as well? Is it limited to just data privacy or risk based assessments? And do we cover resilience, and then the reporting mechanisms and strength?
How do we actually report this back up to the organization, and of course assessment cadence there again and evidence management. So how do we collect and store evidence and build those plans that enable us to work effectively? Looking at improvement factors. So what audit mechanisms, how do we feed that back to any audit teams that we have? Remediation definition. How do we define what we’re actually going to achieve and what’s viable? And we’ve seen organizations use things such as FAIR models or their own internal calculations to estimate cost versus return for business resilience. That certainly is viable. Those program road maps and the steering groups. We do recommend for resilience, much like you manage risk and you may have risk committees or steering groups or working groups, we’d recommend incorporating business resilience, particularly for third parties, in some of those sessions. The outages are of course a risk and should get fed into the standard risk models. Now ownership. Something hopefully we’re articulating here clearly is the fact that to manage third party business resilience and internal, there is a requirement to have internal owners within the business who have responsibilities. We won’t ever be successful in managing business resilience without that. If it’s a small organization, we might be okay because we can generally touch on those processes. But if it’s a large organization or it’s ever evolving, the complexities are there where we need subject matter knowledge experts in the business to feed into our resilience planning. And that feeds into our delegation of duties. The more that we can get the various asset or process owners to manage, then the more prepared we’re going to be. We get asked a lot of questions about incident management. Now, incident management is of course pretty key and we saw many, many incident management plans come about in the face of COVID-19.
But any incident management plan really needs to consider reporting. So the communications plan needs to understand who we are going to talk to and how. Identification mechanisms: do we have simple defined types of incident that we can react accordingly to, so we’re invoking the right people? The event planning: so tied to those cataloged events, we should be building those playbooks that are reviewed regularly. We see customers doing things like tabletop sessions to assess their suitability to react to the situations. I appreciate some parts of the business see that as a bit of fun, but the reality is it does actually psychologically start getting people used to this concept of dealing with events following playbooks, and then of course reactions. So comms need to focus on what we’re doing to fix an issue and overcommunicate. So for those of you who are involved in any cutting edge development or technology or anything like that, appreciate that the most important thing when you’re offering a service is communicating, and overcommunicating is key in an incident. So tied to that, timely identification: we want to be able to make sure that we are able to identify an event quickly and readily. And part of that is making sure that our third parties have mechanisms to report back to us and say we’ve had an incident, whether it’s a data breach, a service outage, change of ownership, whatever it may be. There need to be clear mechanisms internally and externally for highlighting something that’s considered an event. When we’re looking at notifications, appreciate there might be, with situations such as GDPR, requirements to notify customers within 72 hours of any breaches or issues. So be mindful of time frames, whether you have regulatory mandatory time frames or self-imposed time frames. Make sure that anything you build for your resilience plans is embedded into that. Press release.
Something that we’ve been inundated with again over the last few months is how do we control the talk tracks of these pieces, and something we’ve been exposed to a fair amount here is how do we communicate things well to large volumes of people, and quite often you can draw in, say, obviously the PR teams if you have them. Otherwise, the marketing teams, funnily enough, seem to be very aware of how to effectively communicate a situation. Much like you manage third party risk assessments or dealing with third parties, you can speak to your marketing guys, because they quite often can support or provide guidance on how to manage these things. Associates. So, inform your providers and partners. Something that gets overlooked very often is that lateral communication as well as the internal communications. So everybody focuses in an event on speaking to customers, and there’s certainly a requirement there to have clear, concise guidance for communicating to partners, associates and of course internally. The amount of damage you can see from an incident happening or an outage happening and then not communicating that through the business effectively means you lose that internal impetus in order to drive things forward. So we would definitely recommend people focus on that internal communications as well. So moving on then to continuous management. So we’ve spoken about quarterly or annual reviews, pulling data from the business as it’s ever evolving and ever changing. Something we deem very important here is the cadence on how we manage business resilience. So how do we report it? How do we escalate it? How do we consistently enhance and assess it? So a lot of organizations have been dealing with the implementation phase in the last couple of months and are now starting to move towards the review and enhancement phases. So for us, successful business resilience starts with success criteria.
What are we actually trying to achieve? So, not defining too broad a scope is key. It’s got to be very, very finite and focused on what we have to: discovering that within the business, documenting what we need to, signing off what that new resilience plan looks like and then getting the stakeholders to self-manage each of their respective elements. And then of course ongoing testing, updates, reporting, content alignment as the business evolves, and then moving on to general broader business efficiency. So when you look at the continuous management of business resilience on the whole, it’s very much about defining a manageable and accurate scope and then providing the capabilities for the various feeds, whether it’s the internal business users or third parties, to update that over time. If it’s a static document sitting on a SharePoint or Teams folder somewhere, then that means we’re halfway already to losing the battle there. So finally, how resilient should I be? Of course it’s all about being proportionate. So there are resources of course out there, ISO 22301, 31000; Thomas will be talking a bit about those in a few minutes, but fundamentally it’s about being proportionate. We could certainly use risk management methodologies in order to improve our business resilience capabilities. So speaking to the business, understanding what’s happening, we could focus on being business enabling. Much like information security, it’s very easy for business resilience to start being seen as a blocker as opposed to an enabler, when really all it is is making sure that people can get the job done. A cost-benefit analysis is naturally very, very important to all of this. We need to make sure that any measures we take in order to, say, maintain a hot site that’s available 24/7 may be disproportionate to the actual functions that it’s supporting.
So we certainly recommend reviewing whatever you’ve built for business resilience to make sure that it’s actually financially viable or justifiable, and then of course make sure that from a governance standpoint you’re not overlooking anything key. We are hearing various conversations of people who have had to make sudden changes in the face of, say, COVID-19 and are dealing with the potential flak on that downstream, as regulators etc. start querying how people have been reacting to it. The ones we’re talking to generally have a bit of understanding of the situation, but nonetheless we are seeing situations happen where regulators are looking at organizations to see how their resilience has been in the pandemic situation, and for some it has not been looking good. And to reiterate the same point there: be proportionate. Everything that I’ve been speaking about conceptually here, and we’ll move on to some of the tactical details in a moment, but everything that we’ve been talking about here is about proportionality. If we’re dealing with third parties, if we’re dealing internally within the business, if we’re dealing with business stakeholders etc., there are so many moving parts to this that it’s only effective if we ring fence the very, very key and critical aspects of what we need to achieve and work there in order to make it continuous. So finally for me then, business resilience recovery is also important, and as we’ve been seeing over the last couple of months, that return to normality isn’t as simple as it may have seemed. So we’re seeing, as I said, certain functions have proven to potentially be more effective in the resilience situation. So people working remotely, for example, there seems to be some continuation of that happening as lockdown is gradually being eased across the globe.
But in certain aspects as well, we’re seeing supply chains fall apart, where entire organizations that have been providing core services to some of our customers have just simply disappeared. So there’s been strong efforts to try and find alternatives, backup plans, etc. And third party procurement have been back in the fold again to look at alternative providers, backup providers, etc. So providing things like backup lists, etc. for organizations is certainly not a bad thing. But by and large, we’re generally seeing that as people revert back from, say, COVID-19, there have been lessons learned, things that they are taking on board and continuing, and of course black holes or situations that they need to fix. So now moving on to some insight into some recommended frameworks. We’re going to talk for about five to 10 minutes here. We’ve got Thomas speaking about some of the standards and frameworks that he’s been dealing with that could serve as a good foundation for any of your business resilience means. Thomas, are you with us?
Thomas Humphre: Yes. Hi. Thank you, Alastair. Can you hear me?
Alastair Parr: I can do. Yes. Thank you.
Thomas Humphre: Excellent. So, yes, I mean certainly thinking about business resilience, business continuity, obviously one of the key things to always consider is: is there best practice out there? Are there frameworks? Are there methodologies and models that can be used that not only can be recognized, whether it’s from a customer, a partner, a regulator perspective, but also something that can help formalize and shape the way we go about managing business continuity? Certainly one of the most widely used and perhaps most well-known of these standards and best practices is from the ISO, the International Standards Organization. That’s the standard 22301, which replaced the British standard 259 many years ago. And I’d say this is the most widely used standard on developing, maintaining and improving a business continuity management system. Now like many ISO standards, ISO builds a system that enables some level of formal recognition through certification. It also builds a wider family of standards around it, more often using the initial standard, in this case 22301, as the driver, but then offering wider guidance, whether it’s at a sector and industry specific or some wider operational use. And again this is something ISO have also developed. So there are guideline standards for managing supply chain continuity, for example the standard 22318, which is also, interestingly, under current development. What’s also interesting is that outside continuity specific standards at an international level, which is where ISO will always sit, there are other standards, particularly at a local level, that can either deal with local issues or local interests or take some of the best practices from ISO to build up more of a national framework. So certainly one of the areas that Alastair mentioned in the previous slide was the BS65000 organizational resilience standard.
Um Singapore for a long time has developed a standard uh 50 7 focus purely on disaster recovery for the ICT and ICT sector. And in the United States, the ASUS BCGDL standard uh goes into detail around emergency preparedness, crisis management and disaster recovery being developed in in cooperation with with ANIE, the American National Standards Institute. And so it’s quite common to see localized standards bodies um and even governmental bodies um um shape their own uh uh uh frameworks and best practices. And then on top of this uh just thinking a bit further around ISO themselves, you’ll often find other frameworks and standards that are commonly used such as 27,000 the information security management system standard that also touches on continuity but from a um in a specific way. So to take 27,0001 it looks at how the business businesses uh manage information security requirements when planning for business continuity and resiliency. Quite an interesting topic particularly recently given that when you’re thinking about what’s happened at the start of the pandemic and for many countries across the globe forcing lockdowns forcing companies to very quickly uh shut up shop. Um giving that question was information security a core consideration and was it addressed given the very short turnaround of companies being forced to enable a work from home capability for employees, particularly those employees who may not be used to that type of working scenario um um previously. 
And so all these standards um uh try to formalize a a an approach to to governance and to setting a framework to enable identifying continuity plans um recovery processes and a methodology to evaluate and continually exercise those plans to make sure that they still remain fit for purpose based on impacts based on disasters that have been identified that are appropriate to the business and continually improving um and and and refining how uh continuity u is is shaped within the business while also taking a look at wider um um critical aspects such as the communication piece that Alice has also touched on earlier. Um, are you effectively communicating to customers to third parties? If you have critical uh uh for third parties, particularly some that are considered single source suppliers, how do they factor into your planning and your planning process? Um, and how closely do you engage with them should that worst case scenario um occur and you need to activate your continuity plan and framework. So, there’s a lot of standards and frameworks out there. Certainly 22301 from ISO which was recently updated in 2019 is perhaps the most widely adopted and well known. But it’s certainly interesting to see that there are say a lot of localized standards such as the Singapore standard SS507 or this uh uh ASUSBC GDL standard from from the American National Standards Institute. Alistister,
Alistair Parr: Thank you very, very much. Okay, brilliant. Very insightful there. So, we're going to move on now to some examples, some quick-start examples. We do have Adam with us today. Adam, are you there with us now?
Adam Kales: Yes. Hello, Alistair.
Alistair Parr: Hi there. So, I'm just going to pass the screen over to you, and hopefully you can give us a bit of insight into some of the content that we typically would like to see for business resilience.
Adam Kales: Perfect. Thank you. So, I'll share my screen momentarily. Okay, hopefully you should be able to see my screen and the business resiliency plan. So, what we wanted to do when all this started with COVID-19: we identified that there may be a number of organizations out there who hadn't previously concentrated on business resiliency; that wasn't one of their main focuses. And because of that, they may be considered slightly immature in terms of the documentation, the processes and the procedures that they have around business resilience. So we wanted to be able to provide a suite of templates which are adaptable enough to be used by a range of organizations, both in terms of size and type of organization, in terms of the services that they deliver, and whether they are at the beginning of their business resiliency journey or already have a mature resilience program in place. These documents are designed either to be used as their initial core documentation, or for elements to be extracted out of them and incorporated into their current business resiliency program. And the idea is that this is provided to you as a free resource, available through our portal, through our website, from which you can then cherry-pick those elements which best suit you, and also provide that onward to your third parties if they themselves need some assistance in improving their business resiliency processes. So what you have in front of you is one of the core documents that you'd expect to see as part of your business resilience program. So we have the business resiliency plan, and this provides those core elements. I certainly wouldn't consider this to be the be-all and end-all, but certainly the initial starting point: a template from which you can take this, start running, and start the core elements of your business resilience program. Okay.
So, it includes things like the business continuity strategy: the overarching statements of how you're going to approach business continuity. The scope, responsibilities and plan invocation. So, when are the business resiliency plan and those incident response plans going to be put in place? Who the primary stakeholders are, and then, falling out of that, a number of annexes which will include the business impact assessment, risk assessment, a RACI matrix, a critical third-party register, critical third-party gap analysis and maintenance requirements. So this is certainly one of those core documents that you would want to see in place. Moving on, we have a third-party business continuity gap analysis: the ability to understand and identify who your critical vendors are. A critical vendor being somebody without whom you would either, one, not be able to continue functioning and providing the services that you provide, or two, suffer such a severe impact that it would severely diminish your ability to provide your services and your products. Okay. As we scroll down, it has some overarching information on how you would approach conducting that gap analysis, and then utilizing perhaps some form of automation to be able to deliver this at an enterprise level. Then we have the business impact analysis procedure. So this lays out, in a very short and high-level way, the scope, responsibilities and the procedure that you need to follow to conduct a business impact analysis, including recovery point and recovery time objectives. And as you can see, we have made it adaptable enough that, if you wanted to, you can simply insert the relevant details to make it specific to yourselves, and then you can start using this template immediately.
What we also have, linked in with those annexes that we covered in the first document, the business continuity plan, is a number of annexes here. So we have the business impact analysis: a tabular format where you can identify a critical system or service, the process or activity that system provides, and an impact score. Now, this may be quite subjective or objective, depending on the amount of data and information that you currently have available. And certainly, if you're able to draw on existing data resources that you may have built up through any form of information security or data mapping activities, then you can certainly utilize that in determining the likelihood of the system failing and, if it does fail, the impact that it may have upon your organization. You establish RTO and RPO timelines and also the minimum time to return that service back to full functionality. Then the minimum resources needed: essentially, for these systems and services to continue functioning, what are the minimum requirements you need, as an absolute minimum, to continue with those systems? And the priority, in terms of what it means to you as an organization. We also incorporated a risk matrix as some form of guidance, including a level of terminology. Moving on, we have a template for risk assessments: being able to conduct a risk assessment against a particular resource, with the risk description and so on throughout. So, in the same manner as you would have a risk register for information security risk, for instance, you can have one specifically tailored to business continuity requirements. A RACI matrix has been provided, and again, these are here as suggestions of some of the more likely areas that you would want to consider, but certainly introduce your own, or adapt it specifically to how your organization works.
We have the critical third-party register. So once you have identified those critical third parties, being able to record that they are a critical third party and those key contact details: who the service owner is internally, who the external supplier relationship manager is, the supplier contact, and any additional comments associated with it. So once you've conducted a gap analysis, for instance, if you have a critical third party and they were to go down, what would the fallback procedure be? And if you identified that there is a gap, then you'd be able to annotate that in a register such as this. Moving on to maintenance requirements. So this brings to mind any resources that you would need to use as part of business continuity and business resilience. For instance, it was mentioned earlier about remote working. Certainly before COVID-19 there may have been a number of people who were used to just going into the office, and working from the home environment was a rarity more than anything. But suddenly you needed all these additional resources, laptops for instance, and you have this resource of laptops which under normal circumstances wouldn't be utilized. But for the time that you do need to literally pick them up and run with them, you need to make sure they are in an acceptable condition for you to be able to use straight away. So what does that mean? That means that we have antivirus on there, firewalls on there, that software has been updated appropriately, simply that they're charged and that they have been checked over recently. All these maintenance requirements, whether it's a laptop, some form of generator, backup locations or premises, whichever the case may be, can be stipulated down here and, importantly, an owner assigned, so they are aware that they have ownership over those particular maintenance requirements.
So moving swiftly on, a third-party discovery template. We mentioned identifying your critical third parties and some of the elements that wrap around that. For instance, we have a number of risk factors associated with it which will help you determine if a supplier is considered green, amber or red, and a number of high-level questions which you may want to consider asking to determine what may be considered a critical third party. It could be based on the type of service being delivered, the types of data that they interact with, for instance if the supplier is the sole provider of a service, and also how they transfer data and information across, including any specifics to you as an organization and any other attributes that you want to include, which will then start to build up a picture of the criticality of your third parties. Okay. Now, what we have designed as well is a number of communications templates. Throughout all this process, even before this has started, communication is key: communication in terms of understanding what the business resilience plan is and what it means, not just to the organization but to the individuals who are key stakeholders in this, who have key responsibilities in this as well; but also, moving into when we have to enact those business resiliency and incident response plans, getting the information across directed at the right people, at the right level and at the right time. So we have designed a number of communication templates, these being just a couple of those examples, both internal, so for instance to team members, to team leaders, to those in senior management positions, for instance, and we have designed a template to fit each requirement. So for instance we have here 'key personnel, internal, phase one, low infection risk'.
So right at the very beginning, this is something that you may want to consider sending out to the relevant people internally within the organization. Moving on, we have a third-party email template. So, for instance, you want to communicate a clear, concise message directed to the right people in the right manner and in the right format. Whether that's by email, via social media or internal communication, whichever the case may be, you have a template ready to rock and roll, so that you can utilize it and run with it when you need to, and you're not scrabbling around in the dark trying to pull something together very quickly. It's already part of the business resiliency process. What we also have is activation procedures and criteria guidelines. So again, certain prerequisites which you have predetermined, so that if these situations occur then you have a clear-cut procedure to follow in terms of what is activated, who is activated, who is informed and the process to follow. And those have been laid out in a high-level but detailed format. Then we have authorized communication methods. So it may be that certain communications are only appropriate for certain levels of communication or certain types of people that you're interacting with, and again we have provided a template for you to be able to lay that down and record it as you move forward. We also have escalation paths, and we've provided some examples here of those various escalation paths for a number of different use cases. So we have, first of all, the staff contact numbers of those relevant key stakeholders who need to be informed, for office locations, for instance, and for critical suppliers.
Okay, the information security team, and also things like security and technology, if it's specifically around that: who needs to be informed, starting at the CISO, for instance, and ending with the information security analysts. And actually all this can be adapted to suit your particular needs. Okay. So again, we've alluded a couple of times to the fact that one of the big changes that we've experienced is the amount of home working which has had to happen, simply because we have not been able to go into the office locations, and that is still continuing very much now: being able to work coherently and productively in the home environment, but also ensuring that you're maintaining good standards. So good data hygiene, for instance, making sure that you have the controls and procedures in mind, working from the home environment as you would do working in the office environment as well. And what we've done is we have designed a remote working training package, for you to either deliver through some form of online training session or send directly to whichever relevant users, home workers, are going to benefit from this, which presumably would be the majority of them. It covers topics such as data hygiene, going down to things like spam and malicious phishing at the end there, but also covering secure working spaces, making sure that you have those good measures in place: set up a designated workspace, day-to-day home working, clear desk, clear screen policy, so you can maintain those good working methods at home as you would do in the office environment. And then finally, to accompany that, a remote working policy. So wrapping up that training that you can either send or deliver with an actual remote working policy, so you have something that you can actually refer back to, and you have guidelines in place for remote working. Okay.
So I believe that takes me to the end of, not all of that documentation, but certainly a good representation of what is available to you, and, as I say, as a free resource for you to be able to access through our website. So, thank you very much for your attention.
Alistair Parr: Thank you very much, Adam. Appreciate that. Okay. For the last 5 to 10 minutes or so, we're just going to go to an open Q&A session. That's to myself, Adam from a content standpoint on what we've just seen, and, of course, Thomas as well from a standards and frameworks standpoint. So, once again, if you would like to drop any questions you may have into the Q&A section of the Zoom session, we'll be happy to start answering those. We do have a question here for yourself, Thomas, which is about framework alignment for business resilience. Would you say that it is mandatory to align to a framework, as we have to for other regulatory requirements, or is it more of a nice-to-have?
Thomas Humphre: Yeah, good question. So it can actually be a bit of both. Often companies may find themselves having to go down the path of a formal certification to something like ISO 22301, either contractually or from a regulatory body standpoint. As we've seen through other standards such as 27001, some industries and industry bodies have made it more of a mandatory factor in winning tenders and contracts, for example. There's every possibility that that could happen from a continuity standpoint. Outside of that, it's not mandatory, but I would always say it's highly recommended, particularly under 22301, mainly given the fact that not only is it the most widely recognized best practice, but it helps any business, whether an SME, an MNC or a wider global multi-geography organization, to set a formal governance framework to help shape and build a continuity practice in the business, and provide a framework for continually evaluating and improving the way you approach continuity and disaster recovery.
Alistair Parr: Thank you very much, Tom. I've got a question here for you, Adam, in relation to the content. We've actually had multiple questions about their particular vertical. So customers are saying that they're in retail; others work in B2B as opposed to B2C. They're asking how much they need to adapt that content for their use case. So Adam, have you had any experience or thoughts or findings from deploying this in different verticals? Does there need to be much change between B2B and B2C verticals?
Adam Kales: So yeah, very good question. Thank you. So essentially the documents present you with a starting point. Okay, so ideally, if you have nothing in place, then this documentation gives you that great starting point of where to take this from. Like I said right at the very beginning, though, this is not the be-all and end-all. This is kind of the minimum of what you would expect to see, and ideally, yes, you do need to adapt it to the specific vertical that you're working in, so that you can make sure that it is tailored to fit your specific organization. Without that, yes, you will still get value from it, but you won't be getting that additional value that imprinting your own particular way of working and your own particular organization will have on it, and obviously that will come with a bit of a time cost associated with it as well. If you've got the time to invest in doing that research and doing that analysis, identifying where you do need to add in your own imprint and your own organization onto it, then that will only help you when it does come to actually utilizing those business resiliency plans, in tailoring them specifically for yourself. So yes, I would say you do need to adapt the documentation to get the best out of them, but as a starting point this is certainly a good way to begin.
Alistair Parr: Fantastic. Thank you, Adam. I've got a question here asking whether we would suggest having detailed contingency plans documented for your critical vendors, on top of the processes and controls for onboarding and continued monitoring throughout the life cycle. I will answer that one. Yes, we would definitely recommend it, not necessarily laying them on top, but certainly integrating them into your onboarding and monitoring processes. Where we've seen success, a good example is where we leverage the PCF, the Prevalent Compliance Framework, or any alternatives you may have, which is where we actually embed the resilience requirements, the compliance requirements and obviously the data processing and privacy requirements all into that initial onboarding process. So we get all the pertinent information that we want up front, and as we're doing our typical contractual reviews with the vendor, we would make sure that we are reviewing each of those respectively. So that contingency plan we would make sure that you have in place with critical vendors as part of that onboarding process. It should be a risk in your risk management process if you do not have some clear escalation paths and processes. Something that we see quite often is that legacy contracts quite often prohibit what you can actually do with the vendor, because you may not necessarily have the right to audit, to enforce stringent SLAs and so on. So we are seeing customers updating their standard templates, and I appreciate you can't necessarily push those onto, say, the Goliaths of industry, who will simply shrug and give you their templates, but certainly try and push to get terms in your contracts, or in the revisions of contracts, that include things such as communication paths, escalation time frames for communication and so on, directly with the vendor, for contingency and business continuity.
When we look at procurement, we are seeing a trend of organizations starting to have a primary and a secondary backup vendor who they can engage in the short term. I appreciate you won't have terms directly with them, but you could at least have some foundation in place so you can pick something up quite quickly. Before I move on to the next question, just to say that Peter is going to be putting up a quick poll shortly to close things out, as we go through this final question. So please feel free to answer that as we go through this. We're going to take one more question before we have to close it off here. This is one for you, Adam. So, the content that we've been through today, do you see it as completely transferable between internal and external? Would you expect us to manage vendors differently to how we're managing the internal business?
Adam Kales: Yes, I would say that there is a difference between the internal management of the internal stakeholders, the internal business units, as opposed to how you're managing your third parties. In terms of the differences, that is kind of stipulated by how you run yourself as an organization, but certainly the fact is that you have a contract in place with your third parties and they're delivering a service to you. Therefore, you have a much stronger position in terms of dealing with them when it comes to expectations of what they should have in place themselves, in contrast to your internal business units. When it comes to your internal business units, that comes down to elements such as the internal resources available, in terms of what they themselves need to get in place. So I would say there is a difference between how you should treat internal stakeholders as opposed to your critical third parties, or your third parties generally.
Alistair Parr: Fantastic. Thank you very much, Adam. Apologies that we can't answer all the questions here today, but if you do want to reach out to us, because there's anything you want to query or you'd like more information about some of the content that we've made available free of charge, please feel free to reach out to us. We'd be more than happy to support you there. I'll just take a moment here to say thank you very much, Adam, for your insights today. It's been very much appreciated. And thank you very much, Thomas, as well. You've both been very insightful. We will be sending out a link with a recording and information on those resources. But again, thank you all for listening and participating today. I hope you have a fantastic rest of your day.

©2025 Mitratech, Inc. All rights reserved.