Description
This webinar, presented by Alastair Parr, Senior Vice President of Global Products and Delivery at Prevalent, shows how to build a business resilience strategy that incorporates internal continuity metrics and supplier assessment tactics.
The webinar covers:
- Which supply chain factors should be taken into consideration?
- How standard processes should include better management of context and exceptions
- The impact of reporting, incident management and communications
- Continuous management principles for assessing a business resilience plan
- The role of recovery
Watch this webinar to learn about common frameworks and examples for evaluating your third-party risk management program.
Speakers
Alastair Parr
Senior Vice President of Global Products and Delivery, Prevalent
Transcript
Peter Schumacher: Welcome, and thank you for joining today's webinar, "10 Steps to Complete Business Resilience," with Alastair Parr, Senior Vice President of Global Products and Delivery at Prevalent. My name is Peter Schumacher, and I'm your host for this webinar. Before we begin, I have a few housekeeping items. First, a reminder that all attendee lines are muted. However, we'd like to keep this session interactive, so please feel free to submit your questions using the live Zoom console. At the end of the hour, time permitting, we'll hold a live Q&A session. Today's webinar is being recorded, so you'll receive the recording by e-mail in the next few days. I know you're not here to listen to my voice, so I'll now hand over to Alastair. Thank you very much, and over to you, Alastair.
Alastair Parr: Yes, thank you very much, Peter. Good morning, everyone, and good morning or good afternoon, wherever you are in the world. Unfortunately, I don't have Peter's rich, tonal voice, but I hope you'll bear with me for the next hour. So we'll start with a few practical details. I know Peter has already covered the essentials, but to recap what we'll be talking about, I'll introduce the people joining me today before getting to the heart of the matter and into the details. We'll then have a Q&A session. If you have any questions, please use the "Questions" section of the Zoom window and interface. We're here for an hour. I'll cover some of the key topics for about 30 to 35 minutes. Then we'll also have two guest speakers. Adam Kales is with us today. Adam is one of our management consultants at Prevalent and has spent a lot of time working on third-party business resilience measures directly with our customers. Adam will kindly give us a 10 to 15 minute overview today of the example content he's produced, which has proven itself in the field. That data is available, and the content is accessible on the Prevalent website. We'll talk about that at the very end. There's no fee or cost associated with it; it's there for you. We'll give you some information on that at the end of the session. We also have Thomas Humphre with us today. Hello, Thomas, are you there?
Thomas Humphre: Hello. Yes.
Alastair Parr: Hello, Thomas. Thank you. So Thomas is our content manager, and Thomas will be talking a bit about some of the regulations and frameworks that have either come out in recent years or are expected to emerge over the next couple of years in regards to business resilience. So to highlight, today we will generally be talking about good practice around third parties, specifically around business resilience.

Okay. So to begin, I appreciate this is probably quite straightforward for a lot of people, but what is business resilience and why is it valuable? Now, as I'm sure you can see from the screen in front of you, there are multiple areas that touch on business resilience. It's not limited to a single factor. A lot of what we tend to focus on is the supply chain resilience piece at the bottom right, and that's something that's very often overlooked in the day-to-day management of suppliers by and large. A lot of the organizational resilience measures that we've seen, particularly in the advent of COVID-19, were focused internally. They were looking at incident response. They were looking at business continuity and crisis management, human resources. Yet very, very few organizations we saw factored third parties into their pandemic planning, those that had pandemic planning at all. So when we're looking at business resilience as we talk over the course of today's session, we really see it as an amalgamation of different areas, focuses and domains which enforce that continuity of service. So it isn't just limited to those internal use cases; it is very much external as well. And we appreciate that communications and interactions between all of these key facets make up an effective business resilience mechanism. So what is business resilience and why is it valuable? Well, apparently, in the last few months, as we've all seen, unfortunately, the business does need to prepare for factors which are outside of its control. And that's not as easy as perhaps a while back, where we had somebody sitting there changing backup tapes. Business resilience is a far more encompassing environment now, where we do have to focus on all these different capabilities and considerations.

So where does the supply chain factor into the entire business resilience piece? As a concept, most organizations are considering third parties as an external function, and rightly so in some respects as to what they do, but the reality is, when you actually start looking at third-party risk, that blurred line between internal and external isn't really there. That third party is ultimately managing systems and assets and enabling us to generate revenue in much the same way as anybody else does in the organization. But the key challenge with it is that we don't necessarily have visibility on what they're doing. We don't have ownership over how they do it, and we have that complexity around integrations. Now, a lot of organizations we speak to try and manage that using three key areas. So there's the communications aspect: how often do we communicate? Then SLAs: how do we track success with our third parties? And then, of course, incident management: how do we extrapolate the necessary data that we need from them in the event of an issue? But by and large, most organizations we speak to are still psychologically entwined with the concept that a third party is external, and don't necessarily incorporate it into their wider governance and business resilience planning. So when we're looking at mature environments and mature customers, what we typically tend to see now is that every single thing that they apply internally in their organization, so the governance aspects of it, the audit and compliance remits that they mandate, the risk management and tracking, the incident management aspects, everything that I showed you a couple of slides ago, needs to be woven into the third-party estate as much as it is internally. So this concept of internal versus external is removed, and we are ultimately looking at critical assets or critical functions of the organization, and that could incorporate contractors, service providers, internal users, assets, etc. The line is certainly blurred now.

Okay. So, as a tip, what standard processes are typically being used broadly in business resilience? Now, what we tend to see is a record, respond, recover concept. So a lot of what we're focusing on here is ultimately looking to understand how we manage incidents and events once we're dealing with all of our critical assets in the business. And that starts, of course, with ownership. The organizations we deal with who tend to be relatively unprepared in the situation need to really start with that ownership. So who do they need to allocate responsibilities to in the business? And this is an endemic issue that we tend to see, where organizations don't have somebody assigned to manage critical assets and provide visibility to the people who need to know it, whether that's legal, procurement, infosec, risk, compliance, etc. Nobody really tends to understand what the context is around an asset or something critical for the business, or how it is functioning. So starting with ownership and finding who'll be able to give us clear answers on situations is key.

And when we start looking at incident management on the whole, we appreciate that we need to do things such as start recording, obviously, key processes, understand what they're doing, analyze how they function, build up alternatives wherever we can, understand what is truly revenue generating and therefore mandatory, and what's mandatory based on regulation as well. So, do we need to process data in a particular way? We can't, say, transfer all the personal data processing to a different third party without suitable due diligence or analysis. There's a lot of complexity involved in identifying and recording what it is that we actually intend to do with that data and that entire data set. Now, in the face of COVID-19, a lot of the organizations we dealt with are really starting this whole record process from scratch. They will have business resilience in the form of data outages and shortages, but aren't necessarily looking at the critical assets and functions of what they do. For example, when we start looking at sectors such as retail, where they don't entirely have the distribution networks available to do, say, on-premise deliveries in the same sense, they rely on bricks and mortar stores. Organizations we're speaking to are (a) having issues with supply chains, understanding how they can source the goods that they need, and then (b) in turn focusing on distribution, or redistribution as it may be. Now, in retail, the organizations we've spoken to who've had the most success have of course considered that from the outset. So they've got distribution partners for downstream. They've been able to scale, say, with food deliveries for the food retailers, for example; they have those mechanisms in place, and that is very much reliant on third parties supporting them. It wasn't a case of bringing in teams and teams of contractors in the short term, while that may help in some bricks and mortar stores. It was about understanding how they can work around the issue that they have been presented with. So if a supplier is unable to provide, or they're unable to open, say, certain sites and facilities, can they think outside the box of other alternative ways of conducting business in order to drive that revenue? So it's not just a case here of recording the exact same capability that we would be trying to address. So it's not a direct mirror.

And then finally, when we start looking at respond and recover, really what we are touching on here is some of the resilience planning for incident response. So once an event has happened, how do we communicate effectively? And in the face of COVID-19, most of the organizations we speak to are really starting to touch now on some of the post-event improvement aspects. Some normality is, of course, returning to some states in the US, and we appreciate now that with that normality comes the ability to start looking at how they can address it, say, in the face of a COVID resurgence, if they have to return to a lockdown situation. How can that be managed effectively without having the same outages that they've experienced in the first place? So that ties in to recovering, reducing downtime and, of course, improving customer confidence and being demonstrated as agile and resilient. So it's generally a long path, but the key takeaway I'd really share here is that record piece. We need to make sure that we have clear, concise ownership, and we're aware of what it is we're actually trying to maintain, and we focus on critical assets in order to do that.

So what do I actually need in order to make this function and be effective? We need lots of collaboration, clearly work, and certainly luck. I think it's fair to say most organizations we've dealt with in the face of COVID-19, for example, have been either extremely lucky or have in turn had to deal with some of the repercussions from a lack of resilience planning, particularly around their third-party supply chains and downstream deliverables to customers. So as a brief bit of insight, there is a resilience gap study that was conducted: 4,000 stakeholders who were responsible for and ultimately owned the resilience processes in organizations, and these ranged from small mom-and-pop-style shops up to large multinationals with hundreds of thousands of employees. But universally, it seems, or at least 34% of them, blamed complexity as the biggest barrier. So if we look back at our previous process slide here, it's about the complexity of the working environment. How do we understand what it is we're actually doing? And I think that's shared beyond business resilience; it is again a factor in risk management, compliance, audit and so on. 20% of them blamed siloed business units, so a lack of communication internally within the organizations, and 24% again blamed poor visibility. So fundamentally, complexity and a lack of internal communication are key.

So what we generally recommend to people is to look inside the organization before you start looking outside at third-party resilience. So if we're looking internally at the business, what types of context ultimately are we looking to consolidate? Now, much like data discovery as a whole, it's the who, the what, the where, the why, the how. So who or what parts of the business have critical information? What is that critical information, or services or processes, and how do they function? Where is it being stored and how is it being stored? And then why? So does it genuinely need to be there? To touch on the point again from earlier on, one of the biggest challenges we see when we look at business resilience planning is people try to mirror what they already have, and that's not necessarily the case. We've seen situations during COVID-19 with customers, surprisingly, where they've enforced some robust resilience plans and they've realized that they've been able to function in a less standardized state, and they've been able to actually maintain some of their resilience plans moving forward. So they've not actually reverted back. They've saved money, some operational expenses, because they've been forced into realizing that there are alternatives to how they currently function. A good example of that would be the remote working capabilities, where we suddenly see reams and reams of previously office-based workers now suitably working remotely, and teams realizing the resulting savings by not filling up office space the whole time.

So, the who, the what, the where, the why and the how. So look at it almost as a data mapping exercise, where we want to understand what is critical to the business, what is revenue generating, and much like when we start looking at data mapping, again we can start building up visual maps to understand what's actually happening in the business and letting us prioritize what we need to. The reality is we won't need to ring-fence business resilience around all third parties or around the entire organization. We simply need to be able to classify the type of process, identify where it is, how often we actually tend to conduct that activity, whether it's subject to any governance or oversight. It might be a regulated process for some reason. Does it touch on regulated data? Do they need physical access in order to achieve that? And so on. All of that can ultimately be fed into a simple calculator to help you prioritize and identify what is most critical and what ultimately has the highest amount of risk, in order to try and maintain it in the event of a resilience situation. And to make that effective, of course, organizations change over time. We recommend doing that internal mapping for business resilience at least quarterly if you can, certainly annually for the organizations where quarterly is too aggressive, but we would be looking for a regular and consistent review on where that data resides. It does need to touch on technology capabilities, of course, as well. So we need to understand what technologies are necessary in order to make that function happen, and then, of course, you can use things like e-discovery technologies internally within the business to actually identify if that is truly the case. Quite often, one of the issues that we pick up on is that the business will say, "I am truly a critical process, I'm a real necessary function of this organization," as they're naturally going to say, but the reality is, when you actually start doing things like e-discovery on what they're actually doing, quite often we find out that reality doesn't necessarily meet what the business is telling us. So for those who have the capabilities and resources in hand, you can certainly work with teams such as the data loss prevention teams to start actually tracking, say, key critical information, whether it's business-sensitive data, whether it's customer information or so on. You can usually use that to pinpoint some of your resilience focus and, of course, then raise discrepancies to owners and purge areas from your resilience planning where necessary.

So in the face of, naturally, COVID-19, I'm sure we're all sick and tired of it, and in recent months this image probably looks like some business centers scattered across the globe. But would it have addressed exceptional circumstances based on COVID-19 and what we've seen? And appreciate it's pandemic related, but the answer is simply, well, no, not necessarily. Most organizations we've spoken to feel that there are things they could have done better in the face of, say, the pandemic, but certainly having that additional visibility would have given them the comfort and the insight and the knowledge to be able to react better, and that's ultimately all that we're trying to do here with business resilience: can we at least try and maintain critical business functions in the best way possible, and if we learn a few things along the way, we're all the better for it.

So what reporting is important in order to be prepared for business resilience, looking at third parties and internally? Coverage, visibility, ownership and improvement are the key areas that we've picked up on. We've seen success in using maturity assessments against this. So you can use the Carnegie Capability Maturity Model to self-assess yourself between one and five across each of these domains and then give yourself an overall rolled-up score. But from a coverage standpoint, the point is again: how frequently are you doing assessments in the business? Do you have comprehensive coverage of the organization? Do you have onboarding workflows for the business in order to assess the awareness of anything that's been added or that's new? And of course, are you including third parties in that piece? From a visibility standpoint: assessment types. Do we look at critical information? Are we focused on outsourcing activities as well? Is it limited to just data privacy or risk-based assessments? And do we cover resilience? Then the reporting mechanisms and their strength: how do we actually report this back up to the organization? And, of course, assessment cadence there again, and evidence management. So how do we collect and store evidence and build those plans that enable us to work effectively? Looking at improvement factors: so what audit mechanisms, how do we feed that back to any audit teams that we have? Remediation definition: how do we define what we're actually going to achieve and what's viable? And we've seen organizations use things such as FAIR models or their own internal calculations to estimate cost versus return for business resilience. That certainly is viable. Then program roadmaps and steering groups. We do recommend for resilience, much like you manage risk and you may have risk committees or steering groups or working groups, incorporating business resilience, particularly for third parties, in some of those sessions. Outages are, of course, a risk and should get fed into the standard risk models.

Now, ownership. Something hopefully we're articulating here clearly is the fact that to manage third-party and internal business resilience there is a requirement to have internal owners within the business who have responsibilities. We won't ever be successful in managing business resilience without it. If it's a small organization, we might be okay because we can generally touch on those processes. But if it's a large organization or it's ever evolving, the complexities are there, where we need subject matter experts in the business to feed into our resilience planning. And that feeds into our delegation of duties. The more that we can get the various asset or process owners to manage, the more prepared we're going to be.

We get asked a lot of questions about incident management. Now, incident management is, of course, pretty key, and we saw many, many incident management plans come about in the face of COVID-19. But any incident management plan really needs to consider reporting. So the communications plan needs to understand who we are going to talk to and how. Identification mechanisms: do we have simple, defined types of incident that we can react accordingly to, so we're invoking the right people? Event planning: so, tied to those catalogued events, we should be building those playbooks that are reviewed regularly. We see customers doing things like tabletop sessions to assess their suitability to react to the situations. I appreciate some parts of the business see that as a bit of fun, but the reality is it does actually psychologically start getting people used to this concept of dealing with events following playbooks. And then, of course, reactions. So comms need to focus on what we are doing to fix an issue, and overcommunicate. So for those of you who are involved in any cutting-edge development or technology or anything like that, appreciate that the most important thing when you're offering a service is communicating, and overcommunicating is key in an incident. So tied to that, timely identification: we want to be able to make sure that we are able to identify an event quickly and readily. And part of that is making sure that our third parties have mechanisms to report back to us and say we've had an incident, whether it's a data breach, a service outage, a change of ownership, whatever it may be. There need to be clear mechanisms internally and externally for highlighting something that's considered an event. When we're looking at notifications, appreciate that with situations such as GDPR there might be requirements to notify customers within 72 hours of any breaches or issues. So be mindful of time frames, whether you have regulatory mandatory time frames or self-imposed time frames. Make sure that anything you build for your resilience plans is embedded into that.

Press releases. Something that we've been inundated with again over the last few months is how do we control the talk tracks of these pieces, and something we've been exposed to a fair amount here is how do we communicate things well to large volumes of people. Quite often you can draw in, obviously, the PR teams if you have them. Otherwise, the marketing teams, funnily enough, seem to be very aware of how to effectively communicate a situation. Much like when you manage third-party risk assessments or deal with third parties, you can speak to your marketing guys, because they quite often can support or provide guidance on how to manage these things. Associates: so, inform your providers and partners. Something that gets overlooked very often is that lateral communication, as well as the internal communications. So everybody focuses in an event on speaking to customers, and there's certainly a requirement there to have clear, concise guidance for communicating to partners, associates and, of course, internally. The amount of damage you can see from an incident or an outage happening and then not communicating that through the business effectively means you lose that internal impetus in order to drive things forward. So we would definitely recommend people focus on that internal communication as well.

So moving on, then, to continuous management. We've spoken about quarterly or annual reviews, pulling data from the business as it's ever evolving and ever changing. Something we deem very important here is the cadence of how we manage business resilience. So how do we report it? How do we escalate it? How do we consistently enhance and assess it? A lot of organizations were dealing with the implementation phase in the last couple of months and are now starting to move towards the review and enhancement phases. So for us, successful business resilience starts with success criteria. What are we actually trying to achieve? So not defining too broad a scope is key. It's got to be very, very finite and focused on what we have to: discovering that within the business, documenting what we need, signing off on what that new resilience plan looks like, and then getting the stakeholders to self-manage each of their respective elements. And then, of course, ongoing testing, updates, reporting, content alignment as the business evolves, and then moving on to general, broader business efficiency. So when you look at the continuous management of business resilience as a whole, it's very much about defining a manageable and accurate scope and then providing the capabilities for the various feeds, whether it's the internal business users or third parties, to update that over time. If it's a static document sitting on a SharePoint or Teams folder somewhere, then that means we're halfway already to losing the battle there.

So finally, how resilient should I be? Of course, it's all about being proportionate. So there are resources out there, ISO 22301, 31000; Thomas will be talking a bit about those in a few minutes, but fundamentally it's about being proportionate. We could certainly use risk management methodologies in order to improve our business resilience capabilities. So speaking to the business, understanding what's happening, we should focus on being business enabling. Much like information security, it's very easy for business resilience to start being seen as a blocker as opposed to an enabler, when really all it is is making sure that people can get the job done. A cost-benefit analysis is naturally very, very important to all of this. We need to make sure that any measures we take in order to, say, maintain a hot site that's available 24/7 aren't disproportionate to the actual functions that it's supporting. So we certainly recommend reviewing whatever you've built for business resilience to make sure that it's actually financially viable or justifiable, and then, of course, make sure from a governance standpoint that you're not overlooking anything key. We are hearing various conversations with people who have had to make sudden changes in the face of, say, COVID-19, and are dealing with the potential flak on that downstream as regulators, etc., start querying how people have been reacting to it. The ones we're talking to generally have a bit of understanding of the situation, but nonetheless we are seeing situations happen where regulators are looking at organizations to see how their resilience has been in the pandemic situation, and for some it has not been looking good. And to reiterate the same point there: be proportionate. Everything that I've been speaking about conceptually here, and we'll move on to some of the tactical details in a moment, but everything that we've been talking about here is about proportionality. If we're dealing with third parties, if we're dealing internally within the business, if we're dealing with business stakeholders, etc., there are so many moving parts to this that it's only effective if we ring-fence the very, very key and critical aspects of what we need to achieve and work there in order to make it continuous.

So finally for me, then: business resilience recovery is also important, and as we've been seeing over the last couple of months, that return to normality isn't as simple as it may have seemed. So we're seeing, as I said, certain functions have proven to potentially be more effective in the resilience situation. So people working remotely, for example; there seems to be some continuation of that happening as lockdown is gradually being eased across the globe. But in certain aspects as well, we're seeing supply chains fall apart, where entire organizations that have been providing core services to some of our customers have just simply disappeared. So there have been strong efforts to try and find alternatives, backup plans, etc. And third-party procurement has been back in the fold again to look at alternative providers, backup providers, etc. So providing things like backup lists, etc. for organizations is certainly not a bad thing. But by and large, we're generally seeing that as people revert back from, say, COVID-19, there have been lessons learned, things that they are taking on board and continuing, and, of course, black holes or situations that they need to fix.

So now, moving on to some insight into some recommended frameworks. We're going to talk for about five to 10 minutes here. We've got Thomas speaking about some of the standards and frameworks that he's been dealing with that could serve as a good foundation for any of your business resilience needs. Thomas, are you with us?
Thomas Humphre: Yes. Hello. Thank you, Alastair. Can you hear me?
Alastair Parr: I can. Yes. Thank you.
Thomas Humphre : Excellent. Donc, oui, je pense bien sûr à la résilience et à la continuité des activités. Il est évident que l'un des éléments clés à toujours prendre en compte est l'existence de bonnes pratiques. Existe-t-il des cadres de référence ? Existe-t-il des méthodologies et des modèles qui peuvent être utilisés et qui sont non seulement reconnus par les clients, les partenaires et les régulateurs, mais qui peuvent également aider à formaliser et à façonner la manière dont nous gérons la continuité des activités ? L'une des normes les plus largement utilisées et peut-être la plus connue de ces normes et meilleures pratiques est celle de l'ISO, l'Organisation internationale de normalisation. Il s'agit de la norme 22301, qui a remplacé la norme britannique 259 il y a de nombreuses années. Je dirais que c'est la norme la plus largement utilisée pour développer, maintenir et améliorer un système de gestion de la continuité des activités. Comme beaucoup de normes ISO, l'ISO met en place un système qui permet un certain niveau de reconnaissance formelle par le biais de la certification. Elle élabore également une famille plus large de normes autour de celle-ci. Le plus souvent, elle utilise la norme initiale, en l'occurrence la norme 22301, comme moteur, mais elle propose ensuite des orientations plus larges, qu'il s'agisse d'un secteur ou d'une industrie spécifique ou d'une utilisation opérationnelle plus large. Et là encore, c'est quelque chose que j'ai également développé. Il existe donc des normes directrices pour la gestion de la continuité de la chaîne d'approvisionnement, par exemple la norme 22318, qui est également intéressante et en cours d'élaboration. 
What is also interesting is that beyond the continuity-specific standards at the international level, where ISO will always be present, there are other standards, particularly at the local level, which may either address local issues or interests or draw on ISO best practice to establish a more national framework. One of the areas Alistair mentioned on the previous slide was certainly the BS65000 standard on organizational resilience. Singapore has long since developed a 507 standard focused solely on disaster recovery for the ICT sector. In the United States, the ASUS BCGDL standard details emergency preparedness, crisis management and disaster recovery. It was developed in collaboration with ANIE, the American National Standards Institute. So it is fairly common to see local standards bodies, or even government bodies, develop their own frameworks and best practices. On top of that, if you think a little further about ISO itself, you often find other commonly used frameworks and standards, such as the 27000 standard on information security management systems, which also addresses continuity, but in a specific way. So the 27001 standard looks at how companies manage information security requirements when planning their business continuity and resilience. That is a fairly interesting topic, especially recently, if you think about what happened at the start of the pandemic and the fact that many countries around the world imposed lockdowns, forcing businesses to close their doors very quickly.
The question was whether information security was a key consideration and whether it had been taken into account, given the very short time companies had to enable their employees to work from home, particularly those who may not have been used to that kind of working scenario before. All these standards therefore try to formalize an approach to governance and define a framework for identifying continuity plans, recovery processes and a methodology for continually evaluating and exercising those plans to ensure they remain fit for purpose based on the impacts of the identified disasters that are relevant to the business, and for continually improving and refining the way continuity is put in place within the business, while also looking at broader critical aspects such as communication, which Alistair also mentioned earlier. Are you communicating effectively with your customers and third parties? If you have critical third parties, particularly those considered sole suppliers, how do you bring them into your planning and your planning process? How closely do you work with them if the worst-case scenario occurs and you have to activate your continuity plan and framework? So there are many standards and frameworks. ISO 22301, recently updated in 2019, is certainly the most widely adopted and the best known. But it is interesting to note that there are many localized standards, such as Singapore's SS507 standard or the ASUSBC GDL standard of the American National Standards Institute. Alistair,
Alistair Parr: thank you very much. Very good, excellent. Very insightful. We are now going to move on to a few examples, a few quick examples. Adam is with us today. Adam, are you there?
Adam Kales: Yes. Hello, Alistair.
Alistair Parr: Hello everyone. I'm going to hand the screen over to you and hopefully you can give us an overview of the kind of content we would generally like to see for business resilience.
Adam Kales: Perfect. Thank you. So, I’ll share my screen momentarily. Okay, hopefully you should be able to see my screen and the business resiliency plan. Okay, so what we wanted to do when um all this started with uh COVID 19, we identified that um there may be a number of organizations out there who hadn’t previously concentrated on business resiliency. That wasn’t one of their main focuses. And because of that, they may be considered slightly immature in terms of the documentation, the process and the procedures that they have around business resilience. So we wanted to be able to provide a suite of templates which are adaptable enough to be used by a range of organizations, both in terms of size and type of organization, in terms of the services that they deliver, and whether they are at the beginning of their business resiliency journey or if they have already got a mature resilience program in place. These documents are designed either to be used as their initial core documentation or certainly elements of it extracted out of it to be um incorporated into their current uh business resiliency program. Uh and the idea of it is that this is provided to you as a free resource uh available through our portal, through our website, from which you can then cherry-pick those elements which best suit you and also provide that onward as well to your third parties, if they themselves um need some assistance in improving their business resiliency processes. Uh so what you have in front of you is one of the core documents that you’d expect to see as part of your business resilience program. So we have the business resiliency plan and this provides those core elements. So certainly I wouldn’t consider this to be the be all and end all, but certainly the initial starting point of this um of this template, from where you can take this and then start running and start the core elements of your business program. Okay.
So, it includes things like the business continuity strategy, that overarching statement of how you’re going to approach business continuity. Uh the scope, responsibilities, um plan invocation. So, when is the business resiliency plan and those incident response plans going to be put in place? Who the primary stakeholders are, and then falling out of that a number of annexes which will include the business impact assessment, risk assessment, a RACI matrix, a critical third party register, critical third party gap analysis and maintenance requirements. So this is certainly one of those core um documents that you would want to see in place. So moving on, we have a third party business continuity gap analysis. So the ability to understand and identify who your critical vendors are. So a critical vendor being somebody who, without those in place, you would either one, not be able to continue uh functioning uh providing the services that you provide, or two, it would have such a severe impact that it would severely diminish your ability to provide your service and your products. Okay. Um so with that as well, as we scroll down, um it has some overarching information on how you would approach uh conducting that gap analysis and then utilizing perhaps some form of automation to be able to deliver this at an enterprise level. Okay. Then we have the business impact analysis procedure. Okay. So this lays out in a very short and high-level way the scope, responsibilities and the procedure of what you need to follow to conduct a business impact analysis. Okay, including recovery point and time objectives. And as you can see, we have made it adaptable enough that if you wanted to, you can simply insert the relevant details to make it specific to yourselves and then you can start using this template uh immediately.
What we also have, as we linked in with those annexes that we covered in the first uh document, that uh business uh continuity plan, we have a number of annexes here. So we have the business impact analysis. So a tabular format where you can identify a critical system or service, the process or activity that system um provides, an impact score. Now, this may be quite subjective or objective depending on the amount of data and information that you currently have available to it. And certainly, if you’re able to draw on existing data resources that you may have conducted through any form of information security or data mapping uh process activities, then you can certainly utilize that in determining what the impact and the likelihood of the system failing, and if it does fail, the impact that it may have upon your organization. Establish RTO and RPO timelines and also uh the minimum um time to um return that service back to full functionality. Okay. Uh the minimum resources needed. So essentially um for these systems and services to continue functioning, what are the minimum requirements you need as an absolute minimum to continue with those systems? Okay. And the priority of what it means to you as an organization. We also incorporated a risk matrix as um uh as some form of guidance as well, including a level of terminology. Moving on, we have a template for risk assessments. Okay, being able to conduct a risk assessment against a particular resource, what that risk is, the risk description and so on throughout. So in the same manner as you would have a risk register for information security risk, for instance, you can have one specifically tailored to business continuity requirements. A RACI matrix has been provided, and again these are here as uh suggestions of some of the more likely uh areas that you would want to consider, but certainly introduce your own or um uh adapt it specifically to how your organization works.
We have the critical third party register. So once you have identified those critical third parties, being able to record that they are a critical third party and those key contact details of who the service owner is internally, who the external supplier relationship manager is, the supplier contact and any additional doc comments associated with it. So once you’ve conducted a gap analysis, so for instance, if you have a critical third party, if they were to go down, what would the fallback procedure for that be? And if you identified that there is a gap, then you’d be able to annotate that in a register such as this. Moving on to maintenance requirements. So this brings to mind any resources that you would need to use as part of business continuity, business resilience. So for instance it was mentioned earlier on about remote working. So certainly before COVID 19 um there may be a number of people who were used to just going into the office, and working from the home environment was a rarity more than anything. But suddenly uh you needed all these additional resources, uh for instance laptops. And you have these resources of laptops which under normal circumstances wouldn’t be utilized. But what you need to do, for the time that you do need to literally pick them up and run with them as such, is make sure they are in an acceptable condition for you to be able to use straight away. So what does that mean? That means that we have antivirus in there, firewalls in there, that software has been updated appropriately, simply that they’re charged, that they have been checked over recently, and all these maintenance requirements, whether it’s a laptop, some form of generator, backup locations or premises, whichever the case may be, can be stipulated down here and, importantly, an owner assigned to it so they are aware that they have ownership over that uh and over those particular maintenance requirements.
So moving swiftly on, a third party discovery template. So we mentioned about identifying your critical third parties uh and what are some of the elements wrapped around that. So for instance uh we have a number of risk factors associated with it which will help you determine uh if a supplier is considered green, amber or red, and a number of high-level questions which you may want to consider asking to determine what may uh what may be considered a critical third party, and it could be based on the type of service uh being delivered. Uh the types of data that they interact with, for instance if the supplier is um the sole provider of a service, and also um how they transfer data and information across, uh including any specifics to you as an organization and any other attributes that you want to include in that, which will then start to build up a picture of the criticality of your third parties. Okay. Now what we have designed as well is a number of communications templates. So communication throughout all this process, even before this has started, communication is key. Communication in terms of understanding what the business resilience plan is, what it means not just to uh the organization but to individuals who are key stakeholders in this, who have key responsibilities in this as well. But also moving into when we have to enact those business resiliency and those um incident uh response plans, for instance in terms of getting the information across, directed at the right people at the right level and at the right time, and also we have designed a number of communication templates, these being just a couple of those examples, both internal, so for instance um to team members, to um team leaders, uh to those in senior uh management positions, for instance we have designed uh a template to fit each requirement. So for instance we have here uh key personnel internal phase one low infection risk.
So right at the very beginning um this is something that you may want to consider sending out to the relevant people internally within the organization. Moving on, we have a third party email template. So for instance, you want to communicate a clear, concise message directed to the right people in the right manner and in the right format. So whether that’s by email, whether it’s via social media, whether it’s um internal communication, whichever the case may be, you have a template ready to rock and roll so that you can utilize it uh and run with it when you need to. And you’re not scrabbling around in the dark trying to pull something together very quickly. It’s already part of the business resiliency process. What we also have is activation procedures and criteria guidelines. So again certain um prerequisites which um you have predetermined, that if these situations occur then you have a clear-cut procedure to follow in terms of what is activated, who is activated, who is informed and the process to follow from that. Okay, and those have been laid out in a very high-level but detailed format. Then we have authorized communication methods. So it may be appropriate that actually certain communications may only be appropriate for certain levels of communication or certain types of people that you’re interacting with. And again we have provided a template for you to be able to lay that down and record that as you move forward. So we also have escalation paths, and we’ve provided some examples here of those various escalation paths for a number of different use cases. Okay. So we have first of all those staff contact numbers of those relevant key stakeholders who need to be informed, for office locations, for instance critical suppliers.
Okay, the information security team and also um uh things like uh security and technology, if it’s specifically around that, who needs to be informed, starting at the CISO for instance and ending with information security analysts, and actually all this can be adapted to suit your particular needs. Okay. So again, uh we’ve alluded a couple of times to the fact that one of the big changes that we’ve experienced is the amount of home working which has had to happen just simply because we have not been able to go into the office locations, and that is still continuing very much now, and being able to work coherently in the home environment and productively, but also ensuring that you’re maintaining good standards. So good data hygiene, for instance, making sure that you have the controls, procedures in line, um uh in mind, um working from the home environment as you would do working in the office environment as well. And what we’ve done is we have designed a um remote working training package for you to either deliver through some form of online training session or send direct to whichever relevant um users, home workers who are going to benefit from this, which presumably would be the majority of them. And covering topics such as um data hygiene. Um, going down to things like spam and malicious filing uh at the end there, but also covering secure working spaces, making sure that you have those good measures in place. Set up a designated workspace, day-to-day home working, okay, clear desk, clear screen policy, okay, so you can maintain those good working methods at home as you would do in the office environment. And then finally, to accompany that, a remote working policy. So wrapping up that training that you um that you can either send or deliver with an actual remote working policy. So you have something that you can actually refer back to and you have guidelines in place for remote working. Okay.
So I believe that uh takes me to the end of not all of that documentation but certainly uh a good representation of what is available to you and, as I say, as a free resource for you to be able to access through our website. So, thank you very much for your attention.
Alistair Parr: Thank you very much, Adam. I appreciate it. Right. Uh, for the last 5 to 10 minutes or so, we are going to move on to an open Q&A session. That is addressed to myself, to Adam from a content point of view, what we have just seen, and uh, of course to Thomas as well, from a standards and frameworks point of view. So, again, if you would like to ask questions, you can post them in the Q&A section of the Zoom session and we will be happy to answer them. We have a question here for you, Thomas, about aligning with frameworks for business resilience. Would you say it is mandatory to align with a framework, as we have to do for other regulatory requirements, or is it more of a nice-to-have option?
Thomas Humphre: Um, yes, good question. Actually, it can be a bit of both. Often companies may find themselves required to obtain formal certification, such as the ISO 22301 standard, either from a contractual point of view or from a regulatory point of view. As we have seen with other standards such as 2701, some industries and industry bodies have made it a mandatory factor for winning tenders and contracts, for example. It is quite possible that this will happen from a continuity perspective. Beyond that, it is not mandatory, but I would still say it is strongly recommended, particularly in the context of the 22301 standard, mainly because not only is it the most widely recognized best practice, but it also helps all companies, whether MNCs or global organizations of varying shapes and sizes, to set up a formal governance framework to help shape a continuity practice in the business and provide a framework for continually evaluating and improving the way you approach continuity and disaster recovery.
Alistair Parr: Thank you very much, Tom. I have a question for you, Adam, regarding the content. We have had several questions about people's particular industries. Some customers say they work in retail, others in B2B rather than B2C. They ask to what extent they need to adapt this content to their use case. Adam, do you have any experience, thoughts or conclusions to share on deploying this content across different industries? Do many changes need to be made between the B2B and B2C sectors?
Adam Kales: Uh, yes, very good question. Thank you. Basically, this document gives you a starting point. Okay, ideally, what you need to do, uh, if you have nothing in place, this document gives you an excellent starting point for where to begin. As I said at the very beginning, it is not a silver bullet. Okay, it is sort of the minimum you could hope to see and, ideally, yes, you need to adapt it to your specific industry to make sure it suits your particular organization. Without that, you will still get value from it, but you will get that additional value that your own way of working and your own organization bring to this document, and that will obviously involve a cost analysis in terms of time. If you have the time to invest in that research and analysis to identify the areas where you need to add your own stamp and your own organization, it can only help you when you actually have to use those business resilience plans, by tailoring it specifically to your needs. So yes, I would say you need to adapt the documentation to get the most out of it, but as a starting point, it is certainly a good method.
Alistair Parr: Fantastic. Thank you, Adam. I have a question to ask: do we suggest having detailed, documented contingency plans for your critical suppliers, in addition to the onboarding process and controls and continuous monitoring throughout the lifecycle? I'll answer that one. Yes, we strongly recommend not necessarily adding them on top, but rather integrating them into your onboarding and monitoring processes. We have found that this works well when using the PCF, the common compliance framework, or whatever alternative you have, which allows us to integrate information, resilience, compliance requirements and, of course, data processing privacy requirements into the initial onboarding process. That way we get all the relevant information we need from the outset and, when we carry out our usual contractual reviews with the customer, sorry, with the supplier, we make sure we review each of them respectively. So as part of that onboarding process, we make sure that you have a contingency plan in place with critical suppliers. It should be a risk in your risk management process if you don't have clear escalation procedures and processes. We quite often find that existing contracts significantly limit what you can actually do with the supplier, because you don't necessarily have the right to carry out audits to enforce strict service level agreements (SLAs), etc.
So we are seeing customers update their standard templates, and I understand that you can't necessarily impose them on the industry giants, who will simply shrug and give you their templates, but certainly try to push for clauses in your contracts or contract revisions that include things like communication channels, escalation timelines for communication, etc. directly with the supplier for emergency situations and business continuity. On the procurement side, we are seeing a trend of organizations having a primary supplier and a secondary backup supplier that they can engage at short notice. You certainly won't have direct contractual clauses with them, but you will at least have a basis that allows you to call on them fairly quickly. Before moving on to the next question, I should mention that Peter is about to launch a short poll to close the discussion before we move on to the last question. Feel free to answer it as we continue. We'll take one last question before we wrap up. This one is for you, Adam. Do you consider the content we covered today to be fully transferable both internally and externally? Do you think we should manage suppliers differently from how we manage internal activities?
Adam Kales: Uh yes, I would say there is a difference between, uh, the internal management of internal stakeholders, internal business units, and how you manage your third parties. Uh, in terms of the differences, uh, it sort of depends on how you operate as an organization, but the fact is that you have a contract with your third parties and they provide you with a service. So you are in a much stronger position to deal with them regarding your expectations of what they should put in place themselves, as opposed to your internal business units. As for your internal business units, it comes down to things like the internal resources available in terms of what they themselves need to get set up. So I would say there is a difference between how you need to deal with internal stakeholders and how you need to deal with your critical third parties, or your third parties in general.
Alistair Parr: Fantastic. Thank you very much Adam. We are sorry we can't answer all the questions today, but if you would like to get in touch because you have questions or would like more information about some of the content we make available free of charge, please don't hesitate to contact us. We'll be happy to help. I would like to take this opportunity to thank Adam for his valuable insights. We are very grateful. Thanks also to Thomas. You have both provided very interesting information. We will send you a link to the recording and information about these resources. Once again, thank you all for listening and participating today. Have a great day.
©2026 Mitratech, Inc. All rights reserved.