March enters us into the Business Continuity Awareness Week(BCAW 2013) which takes place from the 18th to 22nd March2013, and this edition is filled with line-up of events presentedby ContinuitySA.

ContinuitySA is hosting breakfast talks in both Johannesburg and CapeTown on the International Standard for Business Continuity, ISO22301 as wellas a host of webinars for you to choose from, covering portable recovery,ICT protection and recovery methods and enterprise migration and adop-tion of the cloud.

ContinuitySA is also facilitating the Good Practice Guidelines eLearningcourse from the BCI so if you want to brush up on the Good PracticeGuidelines or just want to educate yourself then you need to book for this8 hour interactive session.

All the events are free so ensure not to miss out on any of them.

A practical perspective is brought to us by Eugene Taylor around Organi-sation Resilience, where resilience disciplines are highlighted and how they

relate to each other, and of course showing organisations how they can approach and encourage a culture ofresilience building.

We highlight again the complexity that underpins the top business continuity issues for 2013, which focuses on aset of six interrelated risks.

Triple4 discusses backup strategies and the importance of testing as well as how they successfully launched their4CustomerZone.

ContinuitySA was one of the CGF Research Institutes, sponsors at their breakfast event they had on the 21st Feb-ruary and have therefore included the abridged version of the breakfast talk, Looking Back and Going Forward.

As you would have noticed the ContinuitySA website got a facelift and incorporates a Blog and is more inter-active and user friendly.

As a reminder, you are welcome to send us your news, views and articles to be included in our next issue of thechronicles. Thank you again to everyone who has contributed so far.

Editor

Cindy Bodenstein

cindy.bodenstein@continuitysa.co.za

marketing@continuitysa.co.za

www.continuitysa.co.za

Q1 2013Keeping ContinuitySA

clients informed

1

This year has got off to a great start and at a sprint if I mightadd and must be a definite indication of the year ahead.

In this Issue2 Complexity

underpins thetop businesscontinuity issuesfor 20133

4 4CustomerZoneLives

Backup strate-gies and the importance oftesting

6 OrganisationalResilience: Use it- or Lose it!

10 Business Continuity AwarenessWeek

11 ContinuitySAISO22301 Breakfast Talks

12 Webinars

13 Good PracticeGuidelines e-LearningCourse

14 ContinuitySA Training Dates

15 Extracts fromBreakfast talk:Looking Back &Going Forward

Editor’s Note

All Links

now Interactive

and Live!

2

Complexity underpins the topbusiness continuity issues for2013The mere fact that you are reading this article implies that the last days predicted by modern-dayMayans and other apocalyptic have not arrived on schedule. “In fact, the risks we all face as we gointo 2013 are much more complex, and thus much more difficult to counter,” says Michael Davies, CEOof ContinuitySA, Africa’s leading provider of business continuity services.

...Continued on next page

In what has become an annual exer-cise, Davies and members of his exec-utive team met late in 2012 to reviewtheir predictions for the year and pon-

der what the coming year might hold forrisk managers.

“What became very clear is it has be-come almost impossible to consider indi-vidual risks without taking the overall riskinto consideration,” Davies observes.“Globalisation and the profound connect-edness between individuals, companiesand countries promoted by technologymeans that risk, too, must be seenbroadly.”

Bearing this observation in mind, Daviesand the ContinuitySA team have identi-fied the following set of six interrelated risksfor 2013.

1. Social malfunction grows. Across theworld, it is increasingly clear that estab-lished certainties and beliefs about howthe world is structured are becoming fluid.From the Arab Spring to Occupy WallStreet and protests against austerity inGreece and elsewhere, there is an overallloss of faith in society’s institutions and theirability to deliver a just world order.

In South Africa, persistent dissatisfactionwith service delivery has exploded intowidespread and violent protests againstthe very nature of the system. In that re-spect, the miners’ revolt in Marikana hasbeen a watershed event, as it bypassedboth the settlements negotiated by theminers’ own representatives and the nor-mal processes of democracy.

Democratic process, it seems, is either pro-foundly misunderstood or mistrusted.

This impatience with society’s existing insti-tutions and processes appears to bespreading and there are worrying signsthat even the middle class, on whoseshoulders society’s prosperity and stabilityultimately depend, are also losing faith inbasic concepts. The extreme passionsroused by the ongoing e-toll saga in Gaut-eng is an obvious example of this trend. Forthe middle classes, this type of feeling gen-erally translates into a reluctance to paytax, an action that can fatally underminethe state itself.

2. Global economic and financial volatil-ity. It appears that the 2008 financial crisisis both more far-reaching and profoundthan first expected. Markets andeconomies seem unable to regain aneven keel, and many commentators areseeing this volatility as “the new normal”.The flipside is an increasing regulatory bur-den as governments and other institutionsattempt to rein in uncontrolled capitalismand protect investors.

For South African businesses, important as-sociated risks are the volatility of commod-ity prices, greater competition internallyand in export markets, and an unstablecurrency.

3. Environmental risk. If volatility is the neweconomic normal, then there is every indi-cation that climatic volatility is also be-coming a feature of life. For South Africa,climate fluctuations may be expected toincrease the risk of water and even foodshortages. Thus far, global and national en-vironmental initiatives are gaining tractiontoo slowly, and seem likely to add to thecost of doing business in the short term—giving rise to a classic case of how to bal-ance short- and long-term risk.

4. Infrastructural risk. A common Africanbusiness risk is inadequate and poorlymaintained infrastructure.

Water and power are the two obvious risksthat threaten business, but the road andrail networks also present challenges. Gov-ernment efforts to address these problemsare affected by the principle of intercon-nectedness: opposition to e-tolling, onefeels, is more influenced by wider dissatis-factions rather than the principle of “userpays”.

Many South African businesses are takingextraordinary measures to mitigate infra-structural risks by assuming responsibility forall or some of the infrastructure needed fortheir projects.

by Michael Davies – Chief Executive Officer, ContinuitySA

Property developers, for example, areoften providing roads and sewerage, andfactories some of their own energy – andthink of corporate involvement in pointspeople to ameliorate the effects of faultytraffic lights and schemes to fill in potholes.

5. Data risk. Data is becoming more impor-tant as a way for companies to assess riskand compete more effectively—this is thephenomenon of Big Data. It’s probablytrue to say that most companies are stillcoming to terms with the concept and,more importantly, how to use data effec-tively. Nonetheless, data privacy regula-tions have already sprung up to protectpersonal data, creating a set of risks relat-ing to data security. One is the growingmenace of cybercrime.

Another is the whole question of data sov-ereignty – as companies try to safeguardtheir data while reducing costs, they mayopt for the security of cloud solutions. How-ever, when those data centres are lo-cated and/or owned offshore, it becomesdifficult to be sure of data security and ac-countability for lapses.

“Our approach is to use a hybrid publicand private cloud model for our clients forjust these reasons,” comments Davies.“This approach allows clients to retain tightcontrol over sensitive data, as is increas-ingly mandated by law, and to take fulladvantage of the cost and flexibility ofpublic services where appropriate.”

An associated risk is the peaking trend ofIT consumerisation, so-called BYOD (bringyour own device – the use of private mo-bile devices to access corporate data).BYOD offers both advantages and disad-vantages: boards and their CIOs need tothink carefully about how to protect theirdata against potential threats – and howto use the available technology wisely toobtain a competitive advantage.

6. Business continuity remains misunder-stood. Risk management has definitely be-come integrated into the corporateagenda, and is maturing.

This may be seen by the replacement ofthe existing BS25999 standard by ISO22301.The BS25999 standard set the standard forbusiness continuity management, but thenew ISO223301 standard is much more de-tailed in its requirements, and requiresmuch more documentation of theprocesses followed. It also requires com-mitted board-level leadership, thus effec-tively putting risk management into thespotlight.

However, in practical terms, the broaderconcept of business continuity manage-ment is becoming absorbed into the ITbudget, with a concurrent diminishing offocus on operational matters. At the sametime, budgets in general are under pres-sure.

“Ironically, then, the biggest overall risk hasbecome corporate myopia about the truenature of risk – and this at a time when riskhas become much more integrated intocorporate strategy. Boards must resist see-ing risk in terms of technology alone. Busi-ness continuity is a much more usefulconcept, one that takes into account theinterconnectedness of risk today. Whenconsidering risk, business leaders need totake a broad view of organisational re-silience before honing in on their particularcompany’s situation,” Davies concludes.“Risk is now systemic, and so the approachto risk must also be systemic and have op-erational relevance to the organisation.”

3

By Scott Orton, Sales director of Triple4.

4

The first phase of the portal offers management of Triple4’s Hosted Business Resources, Email and related support service manage-ment and other account driven functions; and is completely cross-browser compatible and touch-centric meaning it will workfrom a tablet as well as it works from a desktop browser.

Following phases will see additional services being added, such as Communication, Collaboration and Hosted Virtual Resources aswell as tighter integration with Triple4's customer relationship management platforms for better service delivery.

Customers will be contacted individually, as they are migrated over.

In keeping with the managed cloud theme, Triple4 will always be involved with the creation of the customer and the initial setup.

The portal is accessible by link from the website or directly via https://customerzone.triple4cloud.com

4CustomerZoneLives

Backup strategies andthe importance of testing

By Kevin Mortimer, Manging director of Triple4.

Triple4 have now successfully launched the 4CustomerZone, which allows for themanagement of one's subscribed services. The portal has been designed to belight and effective for typical day-to-day tasks that power-users need to completefor their users.

Most organizations that have an IT environment adding some value to their business are doing backups in some way or another. Some companies will sim-ply copy data to an external drive; others use backup programs to do the same.It is often seen that backups are not really taken seriously until data loss has actually happened, then some serious attention gets put in place. In general,the more serious the IT environment is to a business, the more serious the organ-ization is about backups, well that is how it should be anyway. A backup strategy should be the foremost part of a disaster recovery strategy.

...Continued on next page

5

In our experience at Triple4 throughout theyears, whether a company is taking a riskusing a R 500 external drive or doing back-ups to an expensive tape device andhousing tapes offsite, it is not often seenthat an organization has a workingbackup solution that is actually tested. Aslong as backups are seen as successfulwithin the various backup programs, thesupport team and business seem to behappy to rely on that. It cannot bestressed how important it is to test yourbackups regardless of the strategy youhave in place, yes even if you have an on-line strategy!

We recently did a consulting trip and per-formed an IT business impact analysis foran organization. This involved setting upmeetings with business unit owners about

which business applications are used andthe criticality of them. A Report was thendrawn up against what the business actu-ally needed from IT systems and what wasbeing backed up.

It was quite eye opening to see the resultsand made us realize what an importantexercise it is to perform on your business.

Bottom line it highlighted how important itis not just to rely on IT staff to ensure thecorrect information is backed up andbacked up properly. Business should be in-volved to ensure that all aspects arethought about, no matter how big or smallthe applications may seem. Also the im-portance of ensuring you can actually re-store the data that is part of your backupsets is critical.

So if the data and integrity of business ap-plications is important, we strongly suggestgetting some standby equipment andfully test your backup strategy to ensureyou are safe from a disaster. Or better yetif you don’t have the time, equipment orknow how, we can assist, analyze, testand report back for you.

For more information contact Triple4

or visit www.triple4.co.za

Should you have any enquiries as to how you can make a difference or would like to be included in regularly communication, please contact Louise Theunissen (MBCI)(PMP), BCI Board Member Mobile: +27 82 928 7158 or Mail to: louise.theunissen@continuitysa.co.za

BCI Forum South Africa

Organisational Resilience

6

1. It’s not new – it’s just different

Let’s be practical about OrganisationalResilience and what needs to be consid-ered to get the resilience bit right.

We prefer to use the term Business Resilience but because there is suchimbedded global focus on the term "Organisational Resilience" we will use thetwo references interchangeably in this ar-ticle – but it’s really the resilience piece weare focussing on – and not strictly in linewith the semantics of legal entities or for-mal publications.

It’s fair to say that the manner in whichmodern day businesses are resourced haschanged significantly over the past 10years. For example, we are more reliant onhighly technical equipment and cen-tralised infrastructures. As globalisationmerges previously localised communitiesthere is an upsurge in demand on the supply chain to comply with more strin-gent customer requirements.

Many years back, when we relied more onlocal infrastructure, local resource poolsand localised technology, resilience wassomething a General Manager would lookafter. It might have been called somethingdifferent then but included the mainthemes, for example, disaster contingencyplanning; health and safety; facilities andutilities; warehousing, transport, logisticsand security. These “disciplines” couldgenerally be addressed in slow time.

It’s a very different world now – high speedeverything!

Money travels in milliseconds across theglobe, as do communications and so (al-most) does the next model mobile phone.

Diversity of high tech product develop-ment has seen an unprecedented explo-sion at rates which even competitorsstruggle to keep up with. As a result thesupply chain is now ever more complexwith a multitude of suppliers to choosefrom – some stable, some not – some surviving, some not.

Although there is more speed, higher ratesof technological developments and morecompetition - there are also more people,more governance, more legislation, moremarkets and more compliance require-ments - and more mavericks! Because ofthis modern day evolution many of the resilience disciplines that were pure com-mon sense needed to become more spe-cialised with specialist peer groups andspecialist consultants. These disciplines aregenerally dotted all over a company withvarying degrees of culture, authority, ac-countability and connectivity - dependingon their rating by the executives.

The same threats and risks seek to under-mine business resilience though - just differ-ent looking and a bit more complex tomanage, if you let them be.

2. Why now?Greater awareness of the volatility of therisk environment in recent years, togetherwith the regulatory impetus provided bygovernance requirements, has placed effective organisation resilience develop-ment high on the corporate agenda.

The need to change attitudes to risk management has also resulted in theneed for a more comprehensive andproactive approach in managing expo-sures and vulnerabilities.

During this evolutionary process imple-mentation of management systems hasemerged as an increasingly important requirement of an organisation’s resiliencebuilding strategy. The recent explosion of international management system stan-dards (driven by business) is testimony tothis desire.

Developing out of the modern organisa-tional resilience arena, evolving manage-ment systems such as effective BusinessContinuity, Information Security, Quality,Service Delivery and Enterprise Risk man-agement systems (to name a few) can en-able an organisation to reduce itsvulnerability to disruptive events, improveits efficiencies and cost base, implementmechanisms to limit the impact of inci-dents on business processes and opera-tions, and provide reputational resilienceeven in the most difficult of circumstances.

However, a lack of consistency in approach, disconnected managementsystem approaches, confusion over definitions and terms and the inability tocomprehensively benchmark resiliencestrategies have hindered business from adequately developing and implement-ing suitable management systems in harmony - despite the existence of widelyaccepted published standards.

3. Let's cut to the chase!Based upon proven methodologies andwith a wealth of experience across manymanagement systems I am convincedthat consolidation of resilience disciplinesunder one banner is the way forward.

By Eugene Taylor MBCI, Managing Director, TaGza (RSA & UK)

Durban / Londonwww.TaGza.Biz

Use it - or Lose it!

7

This article will not provide the reader withbackground or academia on why youneed resilience disciplines or the manyevident consequences of not applying re-silience disciplines. These can be obtainedfrom the plethora of publications avail-able. In the future we might even find amanagement system “standard” on re-silience (keep an eye out for BS 45000).There are moves afoot by some standardstechnical committees to go this route. I get chills at the thought.

Resilience development is a strategicproduct of a business and not somethingthat can or should be tested against amanagement system standard. Doingthat would move it from a strategic prod-uct to a compliance product and that'snot a good idea. I don’t want to get tooinvolved in the debate on "why", but in ourexperience management system stan-dards are a framework for requirementscompliance and relatively clinical to im-plement. Developing a resilient businessthrough the right strategy and the righttools demands a lot of intelligence and requires a connected approach in adopt-ing and improving the right business disciplines.

There is a level of bravado needed for thismodern approach.

I hope to leave you with a simple view ofOrganisational Resilience and arm youwith some fundamentals to adopt, matureand measure within your business. I alsohope to give you some insight into stan-dards you can either adopt or reference.These are really great publications to usewhen developing your resilience strategy.(Hopefully those bits won't bore you).

4. The beginning ....No money - no honey!

Arguably the most important resource ispeople – but without adequate liquidity abusiness may not be able to afford to get or keep the right people (or enough ofthem). Any wealthy business with loads ofspare cash and integrity could weathermost disasters, be those reputational orotherwise - but that luxury belongs to a select few.

At the outset it must be understood thatall resilience disciplines need to collec-tively “body guard” the bottom line whilstcontributing to the business “treasurechest” in some way.

4.1A Business needs some basics

Let’s briefly examine the fundamentalproperties of a business and see how wecan go about giving thought to a re-silience strategy - or perhaps just tidyingup what we already have.

4.1.1 Money and Liquidity

It’s basically all about revenues (funding)versus costs, but without sound financialinvestment and healthy business culturethe spare cash won't be there to allow anopportunity to invest in resilience - or toadequately recover from a disaster. Thereis a fundamental need for those responsi-ble for liquidity strategy to engage withthose tasked with delivering the resiliencedisciplines to ensure these are adequatelyfunded - all too often this is not the case.

4.1.2 Quality products and services

Quality products are for those businessesintending to survive the long term – ofcourse.

Quality products and services at the rightprice will maintain demand, but beyondthat will be reliance on the health of therelationship the business has with its stake-holders. If the business collaborates wholeheartedly with stakeholders in developingthe resilience of their businesses - and con-sequently its products and services - thenrelationships are more likely to sustain mul-tiple impacts.

4.1.3 People to do the work, a place towork and “things” to work with

There is a huge amount of informationfrom the Business Continuity and SocietalSecurity professions to guide you in deter-mining which services and supporting re-sources are vital to your business.

Start with the Business Continuity Institute'sGood Practice Guide (GPG) and thenhave a look at SANS/ISO 22301 (The inter-national Business Continuity ManagementSystem standard).

Of all the resilience disciplines BusinessContinuity Management is the one whichmandates covering the entire businesswith many unique requirements facilitat-ing inter-relationships with the other disci-plines.

4.1.4 An efficient "production" environment

Most “production” environments thesedays cannot afford to be without somelevel of technology.

Any quality "production" line that has ro-bust processes and uses robust resourcesefficiently is likely to keep its costs down.

The "production" line will also need to bedesigned so that adaptation to change iscost effective and easy. This requires acloser link with suppliers and consequentlya better understanding of supplier re-silience capability.

4.1.5 Compliance with legislative andstakeholder requirements

Local compliance could be mandatory,strategic, voluntary or customer driven butin many countries these are now beingdriven through legislature. Governments inparticular are beginning to enforce anumber of internationally accepted stan-dards within the public sector – and thiswill ultimately drive compliance require-ments in the private sector.

One would really take resilience adoptionas a given for any business these days butthis is more about looking past the basicrequirements and adopting processesand efficiencies that make complianceand culture second nature even when notmandated by any stakeholder.

4.1.6 Customers and suppliers.

Well, without them you have nobody toprovide anything to - so what’s the pointof your business if you’re not going to lookafter your customers!

Customer responsibility is a massive prod-uct of any business and Customers are theones you need to convince of your resilience (internally and externally). Trustme - a PowerPoint presentation of all yourcompliance and award certificates is justnot going to do the job on its own anymore.

Just a reminder - you are a customer ofyour supplier. Don’t therefore expect yourcustomer to be any less demandingaround your products and services thanyou would be on your suppliers.

8

4.2 That's it then. We have a busi-ness and we want it resilient - yes?

At this point it might be worth a quick notethat the resilience strategy is not to pre-pare for when things go wrong (that's partof Business Continuity - and therefore fitsnicely in that component of the resiliencediscipline suite).

The resilience strategy is there for yourbusiness to withstand impacts, repeatedlyand with varying degrees of severity, withlittle or no change to your supply of prod-ucts and services - but more importantlywith no significant impact to the bottomline, particularly the cost and revenuebase.

You need to develop your resilience com-ponents during Business As Usual (BAU)and not on the fly while dealing with impacts or issues.

5. The resilience suite uncut (getsome coffee for this piece)We now move the focus of this article tolook at some common elements that con-tribute to the resilience suite and for themost part give executives pain – when really there shouldn’t be that pain.

To make a bit more sense of the followingpart of this article it will be easier to startwith the picture below. It’s by no meansthe complete picture but does serve toprovide a platform for discussion andstrategic planning.

Here we have our business made up ofthe parts mentioned earlier. The idea is notto suggest an organogram of the businessbut to rather look at strategic compo-nents – which in most cases are likely tohave multiple owners and reporting lines.

Assume that the executives prefer to focuson sales, keeping the bottom line intactand maintaining a happy work force - yetstill desire business resilience with all thetrimmings – then this approach is for them.

1. This represents the fundamental busi-ness components mentioned earlier inthis article.

2. This represents the centralised compli-ance or governance structure thatlooks after all the resilience disciplinesand could well include an audit arm.It’s depicted as being outside the “busi-ness” in that it should not have any biaswithin the business. For example – itwould be wrong for a functional direc-torate to own this level of strategy,

particularly when their directorate hasto deliver some of the resilience prod-ucts - unless of course the “compli-ance/resilience” unit is firmly placed as a direct component within the ChiefExecutive Office.

3. These represent fundamental resiliencediscipline bands and note how theyspread across the business functions –no exclusions. In each resilience bandare examples of published standards(*or those being developed or consid-ered for development) that could be considered when designing or improving the resilience strategy – andsome of these standards have symbi-otic relationships with multiple disciplinebands.

In addition - previous studies have iden-tified many organisational mechanismsand characteristics embedded ineveryday practices that also contributeto an organisation’s resilience. These in-clude organisational cultures that areflexible, just and promote learning in away that the corresponding behav-ioural manifestations of these culturesare displayed by staff members at alllevels during business as usual.

9

Specifically, behaviours that have beenidentified as being displayed by resilientorganisations include monitoring, de-tecting and reacting to issues thatcould have an impact on the organisa-tion’s performance (thereby buildingawareness), and the promotion of con-tinuous improvement through sensitivityto failures and tolerance of errors.

The existence of these cultures and theiraccompanying behavioural manifesta-tions therefore directly enhance organ-isational resilience by creating, forexample, the following business char-acteristics to a greater or lesser degree:

• Redundancy – Where a businesshas plenty of multiplicity and fall-back options

• Reliability – Where up time, consis-tency and efficiency of service is exemplary

• Anticipation – Where forward think-ing is fine tuned, inventive and cus-tomer focussed

• Preparedness – Where the businesscan accommodate change andevolution

• Adaptive capacity – Where thebusiness can easily adapt tochange – or spurious demandsurges

• Learning capacity – Where the business can measure itself andprogress improvements

Resilience is a concept rather than a discipline, function or process. Organisa-tions strive to achieve it as a goal. Thus ithas key dimensions or capabilities formingthe parts that make it a whole.

In order to expand an understanding oforganisational resilience, those disciplineswhich contribute to development of theabove capabilities need to be identified,and the relationships between those disciplines and business resilience established.

Take Business Continuity for example;there are five brilliant publications thatsupport mechanisms for applying a Busi-ness Continuity Management Systemaligned to ISO 22301 - but these go furtherto encompass other disciplines as is obvi-ous in their titles and content;

• PAS 200: Guidance and Good Practice- Crisis Management

Discipline relationship examples: Security, Quality, Service Delivery,H&S, Environmental, Financial Control

• PD 25111: Guidance - Human Aspects of Business Continuity

Discipline relationship examples: Serv-ice Delivery, H&S, Environmental, RiskManagement (succession planning)

• PD 25222: Guidance - Supply ChainContinuity

Discipline relationship examples:Quality, Service Delivery, FinancialControl

• PD 25666: Guidance - Exercising andTesting for Business Continuity

Discipline relationship examples: Security, Service Delivery, FinancialControl, Crisis Management

• PD 25888: Guidance – Recovery following disruptive incidents

Discipline relationship examples: CrisisManagement, Service Delivery

To maintain successful but separate disci-plines is not enough to create resilience.Disciplines must be integrated and coher-ent to generate the ultimate resilienceproduct.

The current status is that many organisa-tions retain silos of excellence, with very lit-tle cross over in key areas and often notmuch consolidated control within an over-arching approach.

This article should not and does not set outto seek a solution to this situation butrather to demonstrate where the key con-tributions could lie in terms of the disci-plines - and to then consolidate those.

From an initial perspective, by consolidat-ing the disciplines we can establish thoseareas of overlap or inter�connectivity, assuggested with the Business Continuity ex-ample above.

This article is concerned with how inde-pendent yet related disciplines that existwithin organisations may serve to encour-age, create and enhance organisationalresilience.

Those disciplines that contribute to the keydimensions and beneficial organisationalcharacteristics should at least include:

• Business Continuity Management: Benefit: (e.g.) Anticipation, Adaptation,Recovery, Redundancy

• Crisis and Communication Manage-ment: Benefit: (e.g.) Response, Adaptation, Recovery

• Health and Safety Management: Bene-fit: (e.g.) Anticipation, Preparedness

• Information Security Management:Benefit: (e.g.) Anticipation, Protection,Response, Redundancy

• Physical Security Management: Benefit:(e.g.) Protection

• Quality Management: Benefit: (e.g.) Improvement, Reliability, Reputation

• Service Delivery Management: Benefit:(e.g.) Robust, Efficient, Flexible, Reliable, Secure

• Environmental Management: Benefit:(e.g.) Anticipation, Preparedness, Recovery

• Risk Management: Benefit: (e.g.) Preparedness, Learning capacity

6. Summing up!In this article we put together a number ofresilience disciplines and showed how theyought to relate to each other but clearlythere could be a multitude of business subprocesses, particularly with businesses thatare spread across the globe or in diverseparts of their mother country. The contribu-tion of these and other disciplines is subjec-tive and will differ by organisation. Thereare arguments for the inclusion of HumanResources, Financial Management andStrategic Planning as well as other keyareas which will contribute to resilience.For the purposes of this article, it is felt thatthose disciplines outlined in this article areprobably the most relevant and provide agood starting point.

It might take longer for established busi-nesses to suddenly change the way theydo things and implement modern ap-proaches. In some cases this may be adaunting option even in the face of all thebenefits, BUT there is little reason why theycan’t put the approach into long termplans, or at least start encouraging a cul-ture of resilience building.

Use it - or Lose it!It’s your business.

10

The theme for BCAW2013 is” Business Continuity – for the risksyou can see and the ones you can’t”. With a world that isin constant change, organisations are continually con-fronted with an ever growing range of risks that they need

to deal with. The role of Business Continuity in helping organisa-tions to become more resilient has never been greater thaannow.

Closely related to the discipline of Risk Management, BusinessContinuity enables an organisation to increase its capability torespond to any existing, emerging or unknown risk by focussingon mitigating the impact of any disruption on the most urgentand high priority activities.

The challenge organisations face is to fully understand the po-tential impact of any disruption, regardless of its scale or com-plexity. By looking within and across our organisations and byunderstanding what we need to have in place to keep our busi-ness running, we can ensure we are able to continue to operatewhatever the scale or cause of the disruption. With the knowl-edge and strength of our continuity planning to support us, we

can be more confident that we are able to face whatever theworld challenges us with, including the risks we can see and theones we can’t.

In support of BCAW2013, ContinuitySA has scheduled a host ofevents to keep the informative message going. We have abreakfast talk around ISO22301 which will be hosted in both Johannesburg and Cape Town, as well as webinars and we willalso be offering the BCI Good Practice Guidelines eLearningCourse.

Should you wish to know more about Business Continuity or evenhow your organisation can get involved then please feel free tocontact Cindy Bodenstein

BUSINESS CONTINUITY AWARENESS WEEK Business Continuity AwarenessWeek (BCAW2013) is an annualglobal event that is facilitated bythe BCI and takes place from the18th – 22nd March 2013. As a GoldPartner of the BCI, ContinuitySA willbe focusing on a host of events toshowcase the value of businesscontinuity as an integrated part ofany organisation’s strategy.

ContinuitySA is hosting two breakfast events, one in Somerset West, Cape Town onthe 19th March and the other in Midrand, Johannesburg on the 20th March.

The talks are on ISO22301the International Business Continuity standard.

Eugene Taylor, former Chairman of the BCI Partnership Steering Group, who repre-sents the UK Institute of Directors on the TC 223 committee and who has imple-mented certified Business Continuity Management Systems for the past 5 years willcover the following topics:

• Standards: The World and the South African position

• SANS/ ISO22301 – the rationale and what it is – explained in brief

• The framework needed to mature a BCMS to align with or be certified to SANS/ ISO22301

• The benefits of alignment and certification to SANS/ ISO22301

• Other Resilience Discipline Supporting Standards and Publications (Local and International)

• What’s on the horizon with standards development that relate to SANS/ ISO22301and Organisational Resilience in general

Click Here to Register for theJohannesburg Event

Click Here to Register for theSomerset West, Cape Town Event

11

ContinuitySA

ISO22301 Breakfast Talks

Be serious about your organisational resilience capability – Beserious about adopting SANS/ISO 22301 – We can make it easy.

12

ContinuitySA has scheduledthree webinars as additionalinformative sessions forBCAW2013.

Webinars

Sensible ICT Protection and Re-covery Methods

Overview: Overwhelmed by the muddle of conflicting tech-nology terms, jargon, buzzwords and misinformation. CIOs andIT Managers are finding it increasingly difficult to objectivelycompare the different ICT Protection and Recovery Methodsavailable to them and pick an approach that both matchestheir existing requirement and empowers their long term strat-egy. In this webinar we clarify the difference between HighAvailability, Replication, Backup and Archiving and give a rec-ommended approach to entrench resilience into your ICT sys-tems and your business.

Presenter: Bradley Janse van Rensburg Solutions Design Manager, ContinuitySA

Date: Friday 22nd March

Time: 13:00 GMT+2

Mobile RecoveryOverview: Portable recovery solutions for partial disaster situa-tions.

Presenter: Mark BeverleyGeneral Manager: Service Delivery, ContinuitySA

Date: Monday 18th March

Time: 13:00 GMT+2

13

Webinars continued

BCI Good Practice Guidelines eLearning Course

Overview: Analysing the factors which promote migration tocloud based solutions and environments which are bestsuited for cloud.

The webinar will talk around the migration plan for corpo-rates into cloud services, what are the factors to considerand planning that should be looked into when consideringa cloud based solutions. What are the various steps alongthe way and potential pitfalls which are present.

Presenter: Shaheen KallaManager: Managed Services, ContinuitySA

Date: Tuesday 19th March

Time: 13:00 GMT+2

The BCI has opened up its Good Practice Guidelines eLearning Course for FREE for theduration of the week of BCAW2013.

ContinuitySA is offering all our valued readers and clients the opportunity to register andcome through to our facility on Monday 18th March 2013 where Lynn Jackson our trainerwill facilitate the eLearning course. Its 8 hours long and will start from 8am to 4pm.

This introduction to the principles of Business Continuity Management will help those new to the discipline who want an overview ofthe subject matter or those who want support as they revise for the BCI Certificate examination.

Incorporating the BCM lifecycle, this eLearning programme runs to approximately 8 hours and includes built in tests to check progressand an end of course review to assess readiness for those who plan to take the BCI Certificate exam.

Content is based on the six BCM Professional Practices found in the Good Practice Guidelines.

Module 1 – An Introduction – What is Business Continuity Management?

Module 2 – GPG Section 1 – How do I establish and manage Business Continuity?

Module 3 – GPG Section 2 – How do I embed Business Continuity within the organisation?

Module 4 – GPG Section 3 – How do I analyze the organisation?

Module 5 – GPG Section 4 – How do I determine the strategies and tactics to use?

Module 6 – GPG Section 5 – What plans do I develop and how?

Module 7 – GPG Section 6 – How do I improve the organisation’s Business Continuity capability?

Module 8 – End of course Assessment

Enterprise migration and adoption of cloud

The two-day course, the IT Service Continuity Training istargeted at IT and Business Continuity Management (BCM) pro-fessionals responsible for the continued uptime of IT serviceswithin their organisations.

Key elements of the IT Service Continuity Course include:

• The link between BCM and IT Service Continuity Manage-ment;

• The evolution of IT Service Continuity;

• The latest concepts and trends in IT Service Continuity;

• Conducting an Infrastructure Impact Analysis;

• Formulating and implementing cost effective IT Service Con-tinuity strategies to meet business requirements;

• Security management in IT Service Continuity;

• Testing the IT Service Continuity framework; and

• A Continuity-as-a-Service case study.

Attendees will not simply be bombarded with theory, but will betaught skills proven in the real world by active BCM practitionerswith MBCI (Member of the Business Continuity Institute) certifica-tions.

The course is based on the Good Practice Guidelines of the BCIand complies with the British Standard BS 25999 to ensure it is onpar with international best practices.

Dates for the IT Service Continuity course are as follows:

IT Service Continuity Programme (2 Day Training)

13th & 14th March – Cape Town15th & 16th May – Botswana

29th & 30th May – Johannesburg19th & 20th June – Cape Town

The 5 day Complete Continuity® Practitioners Programme is designed to equip business continuity prac-titioners within any organisation in all aspects of implementing,managing and maintaining an effective business continuityframework in their respective environments.

The course is based on the Business Continuity Institute’s GoodPractice guidelines and is fully ISETT SETA accredited with 149credits at NQF Level 6.

Key elements of the 5 day Complete Continuity® PractitionersProgramme include:

• Introduction and Origins of BCM

• Trends and Observations

• Standards and Compliance

• Elements of the BCM Lifecycle

• BCM policy and Programme Management

• Embedding BCM in the Organisations culture

• Understanding the organisation

- Business Impact Analysis

- Continuity Requirements Analysis

- Risk Assessment

• Determining BC Strategy

- Selecting strategies and tactical responses

- Consolidating Resource levels

• Developing and Implementing a BC response

• Exercising, Maintaining and Reviewing

• Measuring BC Maturity

Dates for the 5 day programme are as follows:

Complete Continuity Practitioner Programme (5 Day Training)

4th to 8th March – Botswana6th to 10th May – Johannesburg10th to 14th June – Cape Town

ContinuitySA Training Dates

Africa’s largest Business Continuity service provider, ContinuitySA, has enhanced its Complete Continuity Training Academy

For more information on these courses,contact training@continuitysa.co.za,or call +27 (0)11 554 8000.

14

15

I will be providing a macro-approach inthe world of governance and risk as it per-tains some of the important issues facingSouth African directors and their compa-nies; taking a quick view ‘from the outsidein’ and sketching a scenario which maybeg questions for your organisation’s gen-eral strategic thinking and future direction.

Many a board member may think he’s ontop of matters, only to discover that some-one has changed the rules of the game.Most often, and more so in our rapidlyevolving and highly technical businessworld, the rules are being changed daily.So, the question is; ‘just how prepared arewe really’ as leaders to anticipate futurechange and are we practicing a moreagile way of coping with the new thinkingand its challenges?

Our own journey within CGF has had itsown tribulations and successes as we lookback on these incredible years of learningmore about what good and poor gover-nance entails. As we have learned somuch about our own business, and sharedmany a lesson with our clients through theyears, we realize how much there is still tolearn as we look forward to the futurechallenges that will define our own exis-tence as a company and its sustainability.Indeed, these lessons can be shared withour clients so that we need not “re-inventthe wheel” as the saying goes.

It is on this note that one realizes in life thatto excel in business, it’s not necessarilyabout how hard one works to achieve thegoal, but rather about how smart one isabout achieving the goals at hand. Atthe outset may I suggest -- in real businessterms -- that some business leaders are‘smarter’ than others, and through theirmental agility and stealth strategies, theyperform better than others.

That said, let’s also agree that most of usare all in business to make money -- andhopefully lots of it -- so that we can claimthe end prize. Whilst this statement may

appear somewhat direct, it remains truefor many, even though we don’t want toadmit it.

Now that we have been bold enough toconcede this truth, from a governanceperspective it’s not important how muchmoney was made, but more importantlyhow the money was made and how it isbeing spent that matters. In other words,we need to know that the money wasmade legally and according to ethicalstandards and such where appropriateportions of this money is used to build andstrengthen business and social communi-ties so that the entire supply chain – at global and local levels – remain sustainable.

These are some of the principles con-tained in King III and no doubt containedwithin many business journals and MBAprogrammes worldwide.

So, its about money at the end of the day;it’s about appropriate risk taking, it’sabout knowing how far to push or pullback, it’s about judgement calls, ethics,morality and ‘humanness’ – these are thefactors that we contend with in businesseach day. Some of us are more evolved (or business savvy) to deal with these pa-rameters, others less so and averse to risktaking.

Notwithstanding the levels of our experi-ence, we are all on a journey where real-istically speaking there may be no realbeginning and no real end and these‘truths of business’ have become morevague in recent years with the advent ofe-business, cloud computing and so forth.

Our many types of boundaries – be theseat geographic levels, societal levels, cul-tural, business or legal levels have be-come so blurred, that it’s becomingincreasingly difficult as leaders to survivein business terms, let alone thrive!

Perhaps this is then the right juncture toask whether or not South Africa has clearlyunderstood the difficulty and challengesof these boundaries, and whether its strat-egy could withstand the test and scrutinyof its citizens, South Africa’s stakeholders,regarding the soundness of its strategyand plan?

May I assure you this will not be a govern-ment bashing talk; whilst there are manycritics out there who don’t foresee the Na-tional Development Plan (NDP) achievingits objectives, you will no doubt have al-ready formulated your own opinion re-garding the road South Africa is currentlytravelling.

LOOKING BACK &GOING FORWARD

breakfast talk:

By Terry Booysen, CEO of CGF Research Institutewww.cgfresearchinstitute.com

(Extracts from talk on 21 Feb 2013-02-20)

16

All over the news in SA, and in other partsof the world, SA is being lambasted by itsinvestors - local and foreign - such wherematters such as crime, corruption, unem-ployment get the main focus and brunt.Even the Auditor General has had his sayregarding dysfunction where his 2013 report shows many poor governancepractices within national and local gov-ernment departments and cause formajor concern.

Interestingly, last week I had the occasionto address a high level audience straightafter Clem Sunter - a foxy man - and whilstthis was not the first occasion I have doneso, I have to admit that it was really goodallowing Clem to set my scene for achange.

Normally, I am the person deliveringgloomy messages attached to poor gov-ernance, such as when I predicted in Oc-tober 2011 that SA would see social unrestof epic proportions if the gap betweenthe rich and poor, educated and unedu-cated, employed and unemployed didnot become less.

Expectedly, my critics scoffed the idea;and South Africa’s global ratings still hangin the balance . . .

SA is now generally rated at BBB+ by allthree international rating agencies (Sept’12) and is considered a much higher riskfor foreign investors.

In Clem’s latest talk, he suggests thatSouth Africa is in a fairly rapid decline, andwhat was previously a 10% blip on thegeo-political play card, has now becomea 25% probability of SA becoming a failedstate. Putting this into perspective; 10%predictability scoring at the time probablymeant “let’s keep an eye on this potentialproblem”, whilst 25% now means “whatwill we do to fix the problem?”

We need to however be mindful of thefact that according to recent statistics, SAInc. has lost almost 45% of its FDI in the2011/12 period, and almost 450,000 SMEbusinesses have closed in SA over the last4-5 years! Of course this does not bodewell, particularly knowing that the NDP ofPresident Zuma hopes to build 5m newjobs by 2020. Of course critics have saidwe should rather be talking about creat-ing new businesses (as opposed to simplytrying to get existing businesses to createmore jobs in an already pressurized cook-ing pot). By creating new businessesthrough the appropriate governmentgrants and tax incentives -- particularly in

the SME sectors where currently almost67% of our existing employment comesfrom – new and entrepreneurial growthwill flourish instead of;

• trying to bolster existing State-OwnedOrgansations with even more employ-ees and ineptness (SOEs currently offercirca 22 % employment), and

• placing yet more pressure and burdenupon existing businesses to create ‘decent’ new jobs.

In just the past few weeks it has becomevery evident of the tensions between business and government, through for example;

• the political tensions and uncertaintiesof South Africa’s future

• the drop in SA’s sovereign credit ratings

• the weakening of the Rand

• the lowering of SA’s GDP forecasts bythe IMF for global growth in 2012 to3.3%, from its July forecast of 3.5%, with its 2013 forecast falling to 3.6% from 3.9%

• the social and labour unrest

• increasing unemployment & debt bur-dens at both country and consumerlevels

• lack of clear strategy & growth of thecountry

• drop of local & foreign investor’s confi-dence in SA

• political interferences with business in SA

• greater state involvement in mining,falling short of outright nationalisation

• high demands by labour and radicalunions

Graphic: Fritz Jooste (fritzjooste.com): The Auditor General audited a sample of 8 outof 45 national departments and only 124 contracts worth R5.5 bn were audited. Find-ings were made against all 8 departments

* The World in 2050 The BRICs and Beyond: Prospects, challenges and opportunities– a PwC Report

17

• regulatory uncertainty evidencedthrough the massive resurgence ofBBBEE, EE and LRA (SA has a very poorrecord in terms of LRA. According tothe World Economic Forum's GlobalCompetitiveness Report, SA is the worstof 142 countries assessed in terms of co-operation in labour-employer relations)

• constraining legislation is proposed for the media, civil society, and the Judiciary

• unbalanced and increasing tax bur-dens upon business and high net worthindividuals.

Perhaps, and in additional to the above,South Africa Inc. doesn’t have a clearplan for the road ahead; and many criticsand businesses in SA believe the NDP willamount to nothing more than what GEARtried to achieve and have referred toSouth Africa’s journey ahead as a LongDark Night.

Remember SA Inc. has put together a fewpaper-good strategies/plans (ASGISA,IPAP 1 & 2, NGP and now the NDP) andyet details to achieve any of these illustri-ous plans have fallen short of their marks.Arguably, many also feel that NEDLACand BUSA have failed to achieve the part-nership levels that are so desperately required between government and busi-ness in order to get SA back on the roadto success.

Regrettably, President Zuma’s SONA failedto create inspiration amongst the muchneeded support of business and mistrustmay now have deepened.

So how are SA CEO’s feeling right now?

In the latest PwC 16th Annual Global CEOSurvey (Jan 2013), aptly entitled MakingStrides to Survive & Thrive, CEOs acrossmany industries of 56 publically listed andprivately owned businesses in South Africahad this to say;

• Firstly, there’s a cautious optimism in SA(CEOs: 2012)

• 3%-16% of SA CEOs believe the globaleconomy is showing positive devel-opments across a range of macroeconomic areas, whilst between15%-18% their international counter-parts are more positive

• 90% of SA CEOs are bullish about theirprospects for revenue growth in next

12 months (short-term), but mostCEOs are not confident that they willmake their revenue growth in thenext 3 years

• 98% of SA CEOs have key operationsin other parts of Africa, and 81% of SACEOs expect to grow key operationsin other parts of Africa in next 12months

• Many SA CEOs rate China, Nigeria,India & Brazil ahead of the traditionaleconomic power houses of WesternEurope. 17% of CEOs expect their keyoperations in Western Europe to de-cline in the next 12 months

• The World in 2050 Report* concludesthat emerging economies are set togrow much faster in ave. growth ofGDP than their counterparts overnext 4 decades, with Nigeria in front,followed by Vietnam, India, Indone-sia, China, Saudi Arabia & SouthAfrica

• 75% of SA CEOs expect to see head-count to either increase or stay thesame

BUT then there’s the worries;

Macro risks in SA (CEOs: 2012)

• Availability of key skills (88%)

• Bribery & corruption (75%)

• Uncertain or volatile economicgrowth (75%)

• Exchange rate volatility (70%)

• Social unrest (68%)

• Over-regulation (66%)

• Lack of stability in capital markets(64%)

• Government response to fiscaldeficit & debt burden (63%)

• Energy & raw material costs (59%)

• Protectionist tendencies of na-tional govts.(59%)

• Increasing tax burden (48%)

• Inflation (47%)

• New market entrants (43%)

• Changes to consumer spending & behaviour (41%)

• Inability to finance growth (39%)

• Inadequacy of basic infrastructure(39%)

• Supply chain disruption (32%)

Moving forward, CEO’s in SA and world-wide foresee their strategies including;

• Growing customer base (SA 64%:Global: 51%)

• Improving operational effective-ness (SA 48%:Global 49%)

• Enhancing customer service (SA 43%:Global 38%)

• New M&As / JVs / strategic alliances (SA 34%:Global 33%)

• Filling talent gaps (SA 34%:Global27%)

• Implementing new technology (SA 27%:Global 26%)

• Manufacturing capacity (SA 20%:Global 19%)

• R&D and innovation (SA 18%:Global 32%)

• Securing raw materials or compo-nents (SA 7%:Global 9% )

Let me emphasis this somewhat gloomypicture is in no way the end of the road;SA Inc. is still a new democracy and hasmany issues to address. Somehow, nomatter how worrying the future may be,visitors to our country have generally con-cluded that “it is a lovely place – but thatSA cannot possibly last another 5 years.Time and time again, experience hasproved the pessimists wrong.”

To conclude my presentation, for SA Inc.to resurge and “lift its game to the higherleague”, we will need to see, amongstothers:

• a move towards the deregulation oflabour markets

• reduced excessive legislation linked toemployment equity and empower-ment requirements

• abandon the idea of large-scale stateled industrial and social policy such asa state owned miner or steel makerand the National Health Insurancescheme

• maintain conservative fiscal and monetary policies such as inflation targeting

• provide lucrative incentives for SMEsto develop to absorb large sectors ofthe unemployed.

Thank you.